Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pgblockerng aliases in Haproxy?

    80758505-9bad-4dad-a80b-c159be1045a2-image.png

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nianC

    @bmeeks So after upgrading to the newest PfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new PfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG

    @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

    Days ago, I received from MaxMind an email, notifying me that my country has been banned to receive GeoLite City database updates.

    You've found a reason to use a VPN.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts
    K

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG

    @EChondo

    What's your pfSense version ?
    The instructions are shown here :

    1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

    A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts
    A

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.
    link text

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    689 Topics
    4k Posts
    P

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and visa versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round i.e. from Client 2 to pfSenseA

    I will try and do some packet capture to see if that reveals anything.

  • Squidguard url-rewrite for Google safe search?

    14
    0 Votes
    14 Posts
    10k Views
    P

    Possibly the rewrite works as expected but then Google redirects the request to SSL, whereupon (without further tech) the rewrite isn't possible. You can workaround the SSL redirect by creating CNAME records for all Google domains you allow, pointing at nosslsearch.google.com.

    Rumours are that there is known way to circumvent that method, so can also try accepting the SSL but using the CNAME record method to force safe search forcesafesearch.google.com.

    Or just ban Google for being idiots and forcing SSL and use Bing instead.

  • Squid 3.3.4 + SSL Bump + HAVP + Squidguard

    2
    0 Votes
    2 Posts
    1k Views
    W

    Is no one having a clue?
    :o

  • Suricata 2.0.3 pkg v2.0.2 - Release Notes

    26
    0 Votes
    26 Posts
    5k Views
    bmeeksB

    @fsansfil:

    Hey there,

    Thanks for the quick reply. Just tested it again, this time with a newly created modify.config, did checked rebuild in front of the interface (LAN), still nothing. Seems the check rebuild button dont save, every refresh it goes back to uncheck…

    Thanks.

    F.

    BBcan177 is correct in describing the steps.  The new SID MGMT tab takes the configuration files and uses the instructions within to create a list of rules Suricata will use for inspecting traffic.  Literally, the primary purpose of the SID MGMT tab itself is to let you upload, edit and assign various text configuration files to your interfaces.  Saving simply does this part.  The actual creation of the new list of rules for Suricata to use for network traffic inspection happens in these three cases:

    1.  You click the REBUILD checkbox next to the interface on the SID MGMT tab.  That will not only save the file assignments as described above, but will trigger the creation of a new list of rules for the interface.  Once the list is created, the running Suricata process is sent a "live rule reload" signal.  You will see this in the suricata.log file viewed in the LOGS VIEW tab for the interface.  As BBcan177 said, you can then go to the CATEGORIES or RULES tabs for the interface and see the new color-coded icons beside the impacted text rules.

    2.  Once auto-SID management is enabled, every time you click SAVE on any other interface tabs, the list of rules is rebuilt using the logic in the assigned SID MGMT configuration files.

    3.  Finally, when an automatic download of updated rules occurs via the scheduled update job, a new rules list is generated and Suricata is signaled to load it.

    Bill

  • Export Client Utility not showing any servers

    2
    0 Votes
    2 Posts
    857 Views
    jimpJ

    What mode is the server set for?

  • NUT: shutdown LAN machines in the event of a power failure.

    15
    0 Votes
    15 Posts
    9k Views
    panzP

    It was easier than I thought: pfSense now needs a Port Forward from LAN to 127.0.0.1.

    Now works like a charm :)

  • Suricata, that randomly stops on interfaces

    6
    0 Votes
    6 Posts
    3k Views
    M

    Thx dear sir for your time, now i know that i can only wait for solution, because is over my knowledge.  :(

  • Step by step manually install a package

    1
    0 Votes
    1 Posts
    631 Views
    No one has replied
  • 0 Votes
    6 Posts
    4k Views
    D

    Hi Titus, could you please attach a few prints showing your configuration?
    I'm still trying to do it :(

    thanks.

  • Freeradius 2 Not showing in Pfsense 2.0.2 version

    4
    0 Votes
    4 Posts
    972 Views
    jimpJ

    Correct, 2.0.x is dead. Upgrade.

    We cannot rebuild packages for it, if a security issue happens (as happened here), they will be removed from 2.0.x. If something breaks, they will be removed from 2.0.x. If a package maintainer doesn't want to maintain compatibility that far back, it can be removed from 2.0.x also. Eventually, all packages for 2.0.x will be gone.

    There is little reason to stay on such an old version. The security issues alone that have been fixed since then should be enough of a motivator to upgrade.

  • Suricata config questions

    6
    0 Votes
    6 Posts
    4k Views
    bmeeksB

    @fsansfil:

    Right now I dont have full control over $HOME_NET… for an example, I have suricata on WAN, LAN and not on OPT1. But no matter what I do, I end up with the OPT1 network in the $HOME_NET (white/pass list) of the LAN Suricata...Let us use aliases to fully define $HOME_NET, $EXTERNAL... etc.

    Are you creating the custom HOME_NET list this way?

    1.  Go to Firewall…Alias and create one or more aliases as necessary to define your custom HOME_NET.  You might have to create several sub-aliases, and then combine them into a single master alias.

    2.  Create a Pass List on the PASS LIST tab.  Give it a name.  Maybe "my_homenet" or something.

    3.  Within that Pass List, uncheck all the checkboxes.  Then assign the alias created in step #1 to the ADDRESS field.  Save the Pass List.

    4.  Go to the INTERFACE SETTINGS tab for the interface you want to customize HOME_NET for.  In the HOME_NET drop-down, select the Pass List created in step #2.  Save the change.

    5.  Restart Suricata on the interface to pick up the change in HOME_NET.

    Following these steps should let you create a HOME_NET variable containing only exactly what you want.  You can also customize a number of the PORT_VARIABLEs on the VARIABLES tab.  Just first create one or more aliases to define your custom ports, then assign those aliases to the port variables on the VARIABLES tab.

    @fsansfil:

    Custom rules, It would be nice yo be able to invoke one of our list, not just copy-paste into the web interface (limited in numbers at this time)

    Providing the ability to upload and use a custom file should be pretty easy to implement.  I will put that on my TODO list of new features.

    Bill

  • NUT setup help

    4
    0 Votes
    4 Posts
    2k Views
    L

    I had posted up a long reply & got a error when I tried to post it & it got erased.

    In short, I have a 42U server rack with the 8 UPS. I run VMs on the other machines & they don't support passthrough for devices, so I can't monitor UPS from each server. Also it seems it would be more of a mess to have each managed individually than all by one main server, my pfSense box.

    My pfSense box is on dedicated hardware & I have two 4 port rs232 serial hubs hooked to it. It can relay when to shutdown via IP with WinNUT to my Windows VMs. Then I should be able to set ESXi to shutdown when it detects no running VMs.

  • HAProxy (1.4.24 pkg v 1.2.5) listener acl issue

    2
    0 Votes
    2 Posts
    743 Views
    P

    For haproxy 1.4 the only valid acl for https traffic (that is available in the webgui) is the source ip acl. If you shortly can select other acls that is indeed a (small) bug..

    If you want to do 'anything' with ssl then you should probably be switching to the haproxy-devel package that uses the haproxy 1.5.x release version. Then you can either use ssl-offloading on haproxy and have full http processing options, or use https with sni to select a backend.

  • Squid3-dev clamd not working

    5
    0 Votes
    5 Posts
    1k Views
    L

    Thanks for the suggestion I will , just have to find out the command :(

    Ok found the problem freshclam can't write

    getfile: Can't write 1448 bytes to /var/db/clamav/clamav-04e57fd99e8b1077eff2f11877c0cd60.tmp/clamav-8716b509fafdea26b5aa2d94dfd0f180.tmp

    :(

  • Squid / SquidGuard suddenly failing (October 3rd 2014) on multiple sites

    10
    0 Votes
    10 Posts
    2k Views
    K

    In my case, the machine has 2GB RAM, 104GB SSD. RRD graphs show that during the last 30 days, Minimum free Memory was 40% (that also accounts for the OS Cache, which is not included in the regular memory usage, as it will be drropped immediarely if an application demand more Memory). Real memory usage was typically at 10%, with Peaks going up to 20%. Disk usage: 11%. Most of this are probably pfSense backups. Yes, I maninly use squid/squidGuard for filtering, only a very specific set of files gets ever cached.

    On a third pfSense box, I has no SSH access, so I used a one-liner in the Daignostics : Command Prompt WebGUI:

    rm -R /var/db/squidGuard/blk*

    After that, re-download of the blacklist. However, on the third box, squid does not run in transparent mode, and I am not aware if any users dook the option of manually configuring the proxy. As I received no complaints, most probably none.

  • PfSense 2.1.5 + A.D (NTLM) + Dansguardian problem

    1
    0 Votes
    1 Posts
    981 Views
    No one has replied
  • Squid3-dev become suddenly very slow

    6
    0 Votes
    6 Posts
    1k Views
    F

    the idea came to me from "when the internet become slow i just click save in the squid proxy page and it works flawless"

    -k reconfigure Sends a HUP signal, which causes Squid to re-read its configuration files.

    http://wiki.squid-cache.org/SquidFaq/InstallingSquid

  • Squid 3 slow internet problems

    3
    0 Votes
    3 Posts
    1k Views
    R

    Thanks Finalcut,

    Unfortunately I've tried all that already with no luck.
    I've got another office running it no problems, though the environment is much simpler.

    Last time i had this problem I put it down to Squid not supporting multi-wan, though as squid monitors the LAN interface I can't see how this is a problem.

  • OSPF to 2 Data Centers

    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • Postfix - can i use with exchange

    2
    0 Votes
    2 Posts
    583 Views
    BismarckB

    @robina80:

    hi all,

    i have postfix installed as a package on my pfsense firewall, i was wondering can i use this as a SMTP re layer/smart host connector for exchange

    if so can you please show me how?

    many thanks

    rob

    Works great and the setup is just straight forward, use the forum search for assistance….

    Quick step by step

    https://forum.pfsense.org/index.php?topic=46196.msg242056#msg242056

    All you need is in this thread

    https://forum.pfsense.org/index.php?topic=40622.0

    Good luck.

  • Ntopng 1.2.1 Alert via Email?

    2
    0 Votes
    2 Posts
    939 Views
    P

    Hello,

    I'm facing the same problem. Will be grateful if anyone have the answer.

    Best Regards,
    Pressian

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.