1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    johnpozJ
    @ha11oga11o said in Please help to configure HAProxy to serve certifficate on internal LAN too: Just to add again, that blo***dy nextcloud app has to be on same domain name connection and same cert. Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank for kindly for your help. I will likely be ordering a new unit soon.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    C
    @Gertjan yes, that was an example, a false positive from a list that is not being blocked anymore.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    641 Posts
    L
    For some odd reason, even though the service seems UP, and routes (apparently from tailscale) looks fine, the service itself is not working. E.g. I cannot connect to other hosts on my tailscale network. From pfsense itself it works, but not from my e.g. my LAN. As soon as I restart the tailscale service in the UI it works immediately after.

  • Discussions about WireGuard

    714 Topics
    4k Posts
    R
    I was on PfSense version 23.xx (don't recall the xx) and was able to start the Wireguard service. I upgraded to the 25.11 beta version and now the Wireguard service will not even start. I am on Wireguard version 2.1, and I see that there are versions that go up to 2.9. How do I upgrade to a later version? The only version in the pfSense updater is 2.1. Thank you
Log in to post
Load new posts
  • R

    BandwidthD Not showing correct version.

    3
    0 Votes
    3 Posts
    1k Views
    C
    pfSense 2.2 is a rather big change from 2.1, due to the change from FreeBSD 8.3 to 10.1.  This brings benefits of better hardware support.  2.2 has been fairly stable for me, but I don't use many packages or advanced features of pfSense.  If 2.1.5 is running and you're happy, stick with it.  If you have hardware not supported in 2.1.x, or you like to test and report issues as you find them, try out 2.2. Keep a copy of your 2.1.5 configuration as a backup in case you need to downgrade; you can update 2.1.x -> 2.2, but AFAIK you can't use a 2.2 config to go back to 2.1.x
  • F

    Any tutorial about how to authenticate squid3-dev by freeradius

    1
    0 Votes
    1 Posts
    518 Views
    No one has replied
  • P

    Snort stopped working for unknown reasons

    7
    0 Votes
    7 Posts
    2k Views
    bmeeksB
    @lpallard: Hey bmeeks, I PM'ed you! I replied with a request and my e-mail address. Bill
  • ?

    Snort alarm - confirm false positive?

    16
    0 Votes
    16 Posts
    3k Views
    BBcan177B
    That IP is currently listed on a Threat Source called "Alienvault" http://kb.bothunter.net/ipInfo/nowait.php?IP=93.184.220.20 –-------------------------------------------------------       IP Address        = 93.184.220.20       Threat Level      = Unverified       Threat Category    = Malware Propagator       Threat Description = Malware drive-by exploit site       Hostname          =       Service Provider  = EDGECAST NETWORKS INC       Domain Name        = EDGECASTCDN.NET       ASN Number        =       ASN Name          =       Network Speed      = DSL       Country CC        = US       Country            = UNITED STATES       Region            = CALIFORNIA       City              = LOS ANGELES       Longitude          = -118.283996582031       Latitude          = 34.0452003479004       Zipcode            = 90001       TimeZone          = -08:00       BestAnswer        = 1 --------------- thank you for asking -------------------- Would be wise to use pfBlocker with that Threat source and block that from your network completely. https://reputation.alienvault.com/reputation.snort
  • Z

    Continuous packet capture?

    3
    0 Votes
    3 Posts
    2k Views
    BBcan177B
    @zinzara: I have some experience analyzing traffic and was wondering if there's a way (package or otherwise) to continuously capture and save packets. Reason is, I also have some experience writing snort signatures and would like to look through my traffic from time to time and if I find anything I don't like and it wasn't caught by snort, I could write a signature on it. So, is there a way to do this? I would prefer to save onto the pfsense box but if I have to setup an external server that would be ok too. I realize this would add up quickly in storage requirements but this is on my home network which I don't do a whole lot on and I have a big hard drive. Thanks. There is a Solution Called "Security Onion" that will do Full Packet Capture and more… http://blog.securityonion.net/p/securityonion.html https://code.google.com/p/security-onion/wiki/IntroductionToSecurityOnion
  • P

    PfBlocker does not block like CountryBlocker

    5
    0 Votes
    5 Posts
    1k Views
    BBcan177B
    The country Codes in pfBlocker has not been updated for two years. They are out of date.
  • J

    Pfblocker IP Address

    2
    0 Votes
    2 Posts
    663 Views
    BBcan177B
    @jay4linux: I am trying to unblock an IP address in one of the pfblocker country lists.  Is this possible. Hi Jay, You can't remove one of those IPs from the Lists as each update it could come back into the list. So what you should do is create a "Safe Pass List" and add all IPs that should not be Blocked by a List. This rule should be above the Blocked Rules to allow it thru.
  • S

    Squid is eating all my memory FIXED

    8
    0 Votes
    8 Posts
    13k Views
    S
    See HERE for how to get Cache Manager stats. Select General Runtime Information from the menu to get the stats above. Steve
  • J

    Apu1c4 and snort

    10
    0 Votes
    10 Posts
    3k Views
    J
    @Bulldogg: is your apu1c4 still running stable with HAVP antivirus, snort and squid3? what kind of speed do you get? Yes, still running stable since months now. Speedtest reaches my provider limited bandwith maximum of 20 Mbps download and 2 Mbps upload.
  • M

    Bind fails to start after upgrade

    10
    0 Votes
    10 Posts
    7k Views
    rbgargaR
    Try latest version 9.9.5P1_5 pkg v 0.3.5 and let me know if you find any issues.
  • G

    Freeeradius package bug report - Mobile OTP Configuration

    1
    0 Votes
    1 Posts
    991 Views
    No one has replied
  • K

    OPIE for the 2.1.5

    1
    0 Votes
    1 Posts
    652 Views
    No one has replied
  • F

    Squid Access list

    9
    0 Votes
    9 Posts
    2k Views
    F
    thats was so easy you just  put the file(which contain the list of ip's) inside  "/var/squid/acl" why is that [2.1.5-RELEASE][admin@******.localdomain]/root(69): ls -l /var/squid/acl/ total 4 -rw-r–r--  1 proxy  proxy  84 Sep 16 07:53 throttle_exts.acl -rwxr-xr-x  1 proxy  proxy  992 Sep 15 12:47 youtube.acl to make it read from the file the proxy user should have permissions
  • A

    SquidGuard stopped blocking sites

    2
    0 Votes
    2 Posts
    2k Views
    A
    *Solved, I think I was looking in the Log/Filter Config and found a syntax error src Test { 192.168.2.7192.168.2.24 } Edited the Group ACL "Test" client list by adding a space between IP Addresses.  Saved and applied the change, which modified the Log/Filter Config… src Test { ip    192.168.2.7 ip    192.168.2.24 } Ads are blocked again Both the Common ACL and Test ACL are behaving as expected Thinking back, this started around the time I created a new VM 192.168.2.24. When I added the VM to the Test group, I probably hit Enter in the Client IP address text box. The Client UI either doesn't or can't check for Returns in the text box, so it read the entry as 192.168.2.7192.168.2.24 instead of 192.168.2.7 192.168.2.24
  • L

    IPTraf

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • W

    Whitelist sub-domain and domain Squid Guard3

    2
    0 Votes
    2 Posts
    2k Views
    F
    try to choose allow instead of whitelist and make sure that website aren't in some of squidguard blocked list
  • W

    Squid 3 + Guard 3 blocking all http?

    8
    0 Votes
    8 Posts
    7k Views
    W
    @finalcut: squidguard(web filtering) work with squid3 (as poxy) after you install squidguard and choose which to block and which allow you should then save then go to the first tab of squidguard and click apply and then save from squid3 you must add the allowed subnet for example 192.168.1.0/24 in addition to choose lan interface and 3128 as port also there is tow type of proxy non-transparent (you should add the ip and the port in each browser(firefox it be or any other flavor ) for user transparent you shouldn't add the ip and port in the browser but you choose it from squid configuration Cheers will test it soon.
  • J

    Cannot Uninstall squid 2.7.9_3

    3
    0 Votes
    3 Posts
    1k Views
    J
    Reset to factory defaults and started over before I saw your post. But thank you for the reply. jclarkv
  • J

    Sarg 2.3.6_2 with squid3 3.1.20 on pfsense 2.1.5

    1
    0 Votes
    1 Posts
    968 Views
    No one has replied
  • R

    Setting up Bind

    2
    0 Votes
    2 Posts
    2k Views
    C
    If you turn on DNS to listen on WAN, then you want to hide version as precaution to avoid targeted attacks. This would make it easier for attackers to figure out what your BIND is vulnerable to if vulnerable based on version number. I recommend only listen on your internal networks. You don't want to expose your internal zones to the internet and/or get flooded by people using your DNS server. Notify is used if your BIND is the primary DNS server and you have slave DNS servers configured in Zone(s). If notify is enabled, it will immediately notify the slave servers when changes occur to the zone(s). This will help keep your DNS servers in sync quicker. You will only need this if you are setting up DNS zones.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.