Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
@johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or at least something different than the public domain you're using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with fewer words. You otherwise were directing OP in the right direction in my opinion.
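An added illustration of the "views in unbound" workaround johnpoz mentions (editor's example, not from the thread). On pfSense this kind of fragment goes in Services > DNS Resolver > Custom options; the hostname, the LAN prefix and the internal address are placeholders, and `access-control-view` needs Unbound 1.6 or newer.

```conf
# Added example (not from the forum thread): split-horizon DNS with an
# Unbound view so LAN clients resolve the public name to the internal
# host while everyone else still gets the public (WAN/HAProxy) record.
# nextcloud.example.com, 192.168.1.0/24 and 192.168.1.10 are assumed.
server:
    # Queries from the LAN prefix are answered through the "lan" view.
    # The prefix must also be allowed by access-control (pfSense does
    # this for its own interfaces).
    access-control-view: 192.168.1.0/24 lan

view:
    name: "lan"
    # Override only this one name. Other names under example.com are not
    # covered by the zone and resolve normally.
    local-zone: "nextcloud.example.com." static
    local-data: "nextcloud.example.com. 300 IN A 192.168.1.10"
```

Clients outside 192.168.1.0/24 never see the view, so the public record stays untouched. The trade-off johnpoz describes still applies: anything else that relies on the same FQDN now gets the internal address on the LAN and the WAN address everywhere else, so keep the view to the names HAProxy actually fronts.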
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    tinfoilmattT
    Here. I think. Referenced as "github.com: vendor-provided URL vendor-advisory" in your link.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
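Editor's added example, not from the thread: a small script that checks which user ntopng actually runs as and lists only the entries under the data directory that do not belong to that user, before falling back to the blanket `chown -R` dennypage shows. The path `/var/db/ntopng`, the `nobody` default and the BSD `ps` syntax are assumptions for an old pfSense ntopng package.

```shell
#!/bin/sh
# Added example (not from the post). Verify ownership of the ntopng data
# directory against the user the daemon runs as, and only then chown it.
# NTOPNG_DB, the "nobody" fallback and the ps syntax are assumptions.

NTOPNG_DB=${NTOPNG_DB:-/var/db/ntopng}

# Print the user owning the running ntopng process, or nothing if it is
# not running. BSD ps syntax (FreeBSD); procps ps also accepts it.
running_user() {
    ps -ax -o user= -o command= | awk '$2 ~ /(^|\/)ntopng$/ { print $1; exit }'
}

# List entries under directory $1 that are not owned by user $2.
# Returns 0 when everything matches, 1 on a mismatch, 2 on bad input.
find_foreign_owned() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    offenders=$(find "$dir" ! -user "$user")
    [ -z "$offenders" ] && return 0
    printf 'not owned by %s:\n%s\n' "$user" "$offenders" >&2
    return 1
}

# Chown the hierarchy only after the user is known to exist, so a typo in
# the name cannot leave the tree half-changed. Group is left as-is; add
# ":group" (e.g. nobody:nobody as in the post) if it should change too.
fix_ownership() {
    dir=$1; user=$2
    id "$user" >/dev/null 2>&1 || { echo "refusing: unknown user $user" >&2; return 1; }
    chown -R "$user" "$dir"
}

main() {
    user=$(running_user)
    if [ -z "$user" ]; then
        echo "ntopng is not running; assuming it runs as nobody" >&2
        user=nobody
    fi
    if find_foreign_owned "$NTOPNG_DB" "$user"; then
        echo "ownership of $NTOPNG_DB already matches $user"
    else
        fix_ownership "$NTOPNG_DB" "$user"
    fi
}

# Run main only when saved and executed under this name, not when sourced.
case ${0##*/} in ntopng-owner.sh) main ;; esac
```

Run it as root on the firewall after ntopng has been started once, so `running_user` can see the real process rather than guessing. If it reports a mismatch on only a few files, that usually points at a package upgrade that changed the service user, which is the case dennypage's "upgrade to a more recent version" advice addresses.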
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the ACME web GUI times out. When the ACME web GUI times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    649 Posts
    luckman212L
    @mightykong @CarlMRoss Looks like you might be experiencing https://github.com/tailscale/tailscale/issues/17793 I also have a 6100 + Tailscale 1.90.6 so I will test mine now. update: I don't seem to be having this problem, which is odd because I'm usually that one guy in a thousand who has the strange bug that nobody else can reproduce. Have you tried deleting the contents of /usr/local/pkg/tailscale/state ?
  • Discussions about WireGuard

    715 Topics
    4k Posts
    patient0P
@andresbraga can you show a diagram of your network layout (hand-drawn is ok)? What was the reason to deactivate NAT? Did you deactivate it in general or only for the WG connection? Do you have firewall rule(s) for the WG connection that allow clients to access the firewall? Relevant pfSense documentation: Remote Access VPN: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html WireGuard help overview: https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html
  • Zebedee is removed?

    2
    0 Votes
    2 Posts
    770 Views
    BBcan177B
    The Devs have removed the package. See the following link: https://github.com/pfsense/pfsense-packages/commit/87019e8afcb46a9be8edc461168287f6a9b92cc4
  • Help me get NTP fixed up properly!

    8
    0 Votes
    8 Posts
    12k Views
    johnpozJ
Thanks for fixing that up for the next guy... But I only have NTP listening on my LAN... But yeah, that looks like a better setup for someone who might have opened it up to the public internet, sort of thing.
  • NUT not starting (error included)

    4
    0 Votes
    4 Posts
    4k Views
    D
    @kdemaria: This did not work for me.  However, setting it to Tripplite AVR USB with Auto USB solved the problem completely, and seemed to also solve the stale data issue as well. NUT is now reporting correct Model, Status, Load, Charge, Voltages and Runtime. +metoo for a CyberPower 1000 model CP1000AVRLCD pfSense 2.1.5-RELEASE (amd64) and nut 2.6.5_1 pkg 2.0.2 This is an annoying bug. According to http://www.networkupstools.org/stable-hcl.html This model CyberPower should be using "powerpanel". But I'm not sure if that's correct for USB rather than serial connected models. The CyberPower CP1000AVDLCD has both USB and serial ports but ships with a USB cable.
  • Squid - Sarg and IP-Adress in Hostname

    1
    0 Votes
    1 Posts
    880 Views
    No one has replied
  • Installed packages missing version numbers

    4
    0 Votes
    4 Posts
    1k Views
    P
    I made it smarter - see this pull request for 2.2: https://github.com/pfsense/pfsense/pull/1359 We will see if the project managers think this is a reasonable idea… Edit: Pull request has been committed, so in 2.2 when the package server cannot be reached the version column will display something like: Latest: N/A Installed: 4.5.6 and put it all in red so it is obvious that something is not quite right.
  • Pfblocker Tables

    7
    0 Votes
    7 Posts
    1k Views
    SoloamS
This is a weird problem. I looked at "diag_tables.php" and the problem is in this code block: `<a onclick="del_entry(&quot;<?=htmlspecialchars($entry)?>&quot;);"><img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif"></a>` If I remove it, it works ok. But I can't seem to understand why, because in other aliases it works ok.
  • SQUID3 Setup On Multiple Interfaces

    1
    0 Votes
    1 Posts
    658 Views
    No one has replied
  • Snort false positives?

    8
    0 Votes
    8 Posts
    3k Views
    BBcan177B
With SO, it all depends on how many rules you enable and how much traffic the sensors will see. But you are starting with some decent hardware. Download the ISO and try it out... Here are the hardware requirements: https://code.google.com/p/security-onion/wiki/Hardware Google Group forum: https://groups.google.com/forum/#!forum/security-onion
  • Snort Local IP Triggering Wan Rule

    3
    0 Votes
    3 Posts
    1k Views
    SoloamS
    Done :) it solved my problem. Thank You Best Regards
  • NUT change action for low battery

    1
    0 Votes
    1 Posts
    517 Views
    No one has replied
  • Snort: Apply to LAN also applies to VLANs??

    2
    0 Votes
    2 Posts
    688 Views
    F
Snort puts the interface into promiscuous mode and thus will see all traffic hitting that physical interface, including VLANs, PPPoE etc.
  • 0 Votes
    3 Posts
    2k Views
    L
    @wcrowder: Squid3-dev is at Squid ver. 3.3.13, Squid is at ver. 3.4.9 about to go to 3.5? Thanks for your reply. Are you sure about that for Squid3-dev? Where are you finding these version numbers for Squid3-dev? Remember, I'm using pfsense 2.1.5, and that is still running on FreeBSD 8. When I look at the package info, pfSense seems to indicate that I'm on the most recent version (production version, not beta) and package. There is no option to upgrade when I look at the available packages via pfSense. Do you know the location of an official squid3-dev repository? I haven't been able to find one, so I've got to go with whatever I see in pfSense packages. Separate box or VM? Port forward? wpad? Dedicated box. No port forwarding. I don't know what a 'wpad' is. Diladele looks cool, and looks like it's actively developed, going to look at it. Thanks. (Edited to add the last line.) No problemo. It seemed like the best option as it allows SSL filtering and some decent ad removal features. I believe there is a 60-day  free trial period. After that you have to pay, but for personal use it's cheap ($1 / month).
  • PfSense + LDAP: Start TLS

    2
    0 Votes
    2 Posts
    1k Views
    ?
Solved. Yes you can; the config option "start_tls" is used, independent of the protocol type. No you do not; however, there is some faff you have to go through to get FreeRADIUS to operate with only the CA cert, see here: https://forum.pfsense.org/index.php?topic=84564.0 No rules appear to be required; the router services have access onto the VLAN without explicit rules. Regards, Rob.
  • Snort POLICY PE EXE or DLL Windows file download alert

    2
    0 Votes
    2 Posts
    15k Views
    F
In the alerts page, find the policy and click the suppress icon to add a suppress rule to the interface. You can find the suppress rule in the Services > Snort > Suppress tab, where you will see one or more entries like so: wansuppress_5437e6139435f lansuppress_544229bb9e947 Inside the suppress rule you will see something like: #ET POLICY PE EXE or DLL Windows file download suppress gen_id 1, sig_id 2000419 This is your basic suppress rule, which will not block any Windows PE file. PE is just the name given to the format of Windows exe and dll files. http://en.wikipedia.org/wiki/Portable_Executable You can also tweak the rules a bit to suit your needs better. These threads might be useful. https://forum.pfsense.org/index.php?topic=61018.msg339645#msg339645 https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
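Two ways to "tweak the rules a bit" rather than silencing the signature everywhere, as an added example (editor's, not from the thread). Both use Snort's own threshold.conf syntax; `sig_id 2000419` is the one from the post, the LAN prefix is a placeholder, and whether the pfSense suppress-list editor accepts the `event_filter` form alongside `suppress` is an assumption to check on your version.

```conf
# Added example (not from the forum post). Narrow the blanket suppress
# for ET POLICY PE EXE or DLL Windows file download (sig_id 2000419).
# 192.168.1.0/24 is an assumed LAN prefix.

# 1. Suppress only when the download is headed for the LAN prefix, so
#    the same transfer towards servers in other segments is still alerted.
suppress gen_id 1, sig_id 2000419, track by_dst, ip 192.168.1.0/24

# 2. Keep the alert but limit it to one event per source per hour, which
#    keeps a record of who is pulling binaries without flooding the log.
event_filter gen_id 1, sig_id 2000419, type limit, track by_src, count 1, seconds 3600
```

Use 1 when the rule is pure noise for trusted hosts but still interesting elsewhere; use 2 when you want the first hit from each source to remain visible. A full `suppress gen_id 1, sig_id 2000419` with no `track` clause, as in the post, is the right choice only if the policy rule carries no value on that interface at all.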
  • Enforcing filter rules in Smartphones and Tablets

    5
    0 Votes
    5 Posts
    1k Views
    N
YouTube is tunneling the traffic in mobile mode. I just found a TEMPORARY SOLUTION: in mobile mode YouTube is redirected to "m.youtube.com". If you block "m.youtube.com" and change the browser's website preference setting on the smartphones/tablets to desktop mode, then YouTube is redirected to "www.youtube.com/education" and it works fine. If you type "m.youtube.com" then the page is blocked. But this is just a temporary solution.
  • Proxy HTTPS filtering

    4
    0 Votes
    4 Posts
    951 Views
    H
@Derelict: The only way to get "in the middle" of an HTTPS conversation is to coerce your users to install a trusted root CA and generate certificates on-the-fly using that CA for every site they visit. Or throw a certificate error for every site because you're generating certificates on-the-fly and your users don't have a trusted root for you installed. That's the nature of HTTPS. No magic pill. I'm fine with throwing cert errors, as long as I can achieve the blocking. I have an idea. Put that guest network on a separate interface. Create a limiter to limit the damage the "guests" can do to your bandwidth. If they just can't behave themselves, kill their access every time they do things you have told them not to. Is there a way to use the limiter to completely block traffic instead of just limiting it?
  • FreeRADIUS authentication

    2
    0 Votes
    2 Posts
    769 Views
    D
    to clarify, I am a student in Information Assurance and have never actually worked with RADIUS or pfSense before this semester. I eventually want to use a mySQL database for credential verification, but would like to ensure authentication can occur properly before taking that next step.
  • Squidclamav.conf redirect being ignored

    3
    0 Votes
    3 Posts
    3k Views
    T
[SOLVED] Clean your test browser's cache, cookies, history. Restart the browser and "voila", it's working as it should.
  • Suricata Q's & an error message

    3
    0 Votes
    3 Posts
    2k Views
    F
@bmeeks: @firewalluser: Don't know where to post this, but running 2.2 Beta with Snort and Suricata. First Q. Is it ok to run Snort and Suricata side by side on the same machine? I've experimented with both installed, running and with Snort interfaces disabled but can't seem to get any alerts or blocks from Suricata. I have not uninstalled Snort yet. I'm getting lots of these error messages in the system log FWIW. suricata[59742]: 24/11/2014 – 22:54:01 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap When I see "unimplemented", I wonder how far along Suricata is, but also, where does it fit with Snort? Is Snort still superior to Suricata or vice versa? It's just that Snort has a few rules/options available which suggests more control with Snort, but I could be wrong? TIA You must be running PPPoE on your WAN. Suricata does not support PPPoE connections on FreeBSD. Snort does. The limitation is within the Suricata binary itself and not something caused by the GUI package on pfSense. If you must use PPPoE, then use Snort instead of Suricata (or else don't try to run Suricata on the PPPoE interface). As for which is better or more mature, that's sure to bring out fan boys on both sides. In my view neither is "better", they are just "different". Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput. In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over. Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them). Bill You must be running PPPoE on your WAN. Yes I am, didn't know about the PPPoE restriction. As for which is better or more mature, that's sure to bring out fan boys on both sides.
In my view neither is "better", they are just "different". Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput. In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over. Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them). Thanks for that info, it explains a lot. I think for my uses, Snort on WAN and Suricata and/or Snort on LAN is the way to go, although I doubt my LAN traffic will ever reach the rates that give Suricata a chance to show off its capabilities over Snort.
  • Reverse PFBlocker option ?

    7
    0 Votes
    7 Posts
    2k Views
    F
@atrocity: well, but we can't wait, because we have to filter out most of the world to some specific network equipment... :( Firewall > Aliases > Edit. Create two aliases, Allowed IPs and Blocked IPs, and link them to two txt files located on one of your internal webservers, then create all the rules you want and you don't need pfBlocker then, but you do have more control with this approach. For example, you might have an alias for Allowed Email IPs where a txt file contains the IP address blocks you will accept email from (smtp/25), as you may do business abroad in that country; even your supplier might have their own IP address block, reducing the constant updates which will invariably take place as IP blocks get moved around. You could also have another alias file that contains IP address blocks for countries staff might have to visit, including stopovers for connecting flights in other foreign countries; then you can have a rule to allow their iPhone/Android/Windows Phone communications with their IMAP/Exchange servers, for example. Maybe also allow some encrypted VoIP comms to avoid calls being listened into by foreign governments when using their public telecoms infrastructure, or if you really want to be "silent", just have a VPN connection like OpenVPN, tunnel all traffic from your phones/laptops through the VPN and hide even more info from foreign governments when abroad.
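The approach above hinges on the txt files served to the URL-table aliases being well-formed, since the firewall pulls them unattended. As an added example (editor's, not from the thread), here is a POSIX sh check to run on the internal web server before a new list is published: every non-comment line must be an IPv4 address or CIDR, and bad lines are reported with their line number. The sample file contents are constructed; IPv6 entries are out of scope for this version.

```shell
#!/bin/sh
# Added example (not from the forum post). Validate a pfSense URL-table
# alias file: one IPv4 address or CIDR per line, "#" comments and blank
# lines allowed. Exit status is the number of bad lines (0 = all good).

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255 and no
# leading zeros (some tools read "010" as octal).
is_ipv4() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*|0?*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is "a.b.c.d" or "a.b.c.d/n" with 0 <= n <= 32.
is_ipv4_entry() {
    case $1 in
        */*) addr=${1%%/*}; plen=${1#*/} ;;
        *)   addr=$1; plen=32 ;;
    esac
    is_ipv4 "$addr" || return 1
    case $plen in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$plen" -le 32 ]
}

# Validate file $1. Bad lines go to stderr; the return value is the count
# of bad lines (capped at 255 to fit the exit-status range).
validate_alias_file() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=${line%%#*}                                  # drop comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')  # and whitespace/CR
        [ -z "$entry" ] && continue
        if ! is_ipv4_entry "$entry"; then
            printf 'line %d: invalid entry "%s"\n' "$n" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Usage: validate_alias_file allowed-mail.txt && cp allowed-mail.txt /var/www/aliases/
```

Wire it into whatever publishes the list (a cron job or a commit hook on the repository that holds the txt files) so that a malformed line is caught on the web server rather than discovered when a firewall rule stops matching. The same check, with a second pass for the blocked list, keeps both aliases in the post consistent.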