Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    johnpozJ
@ha11oga11o If you resolve nextcloud.mydomain.xx to your external IP, i.e. the same one the public uses, then it would be handled by your haproxy. Example: I have SSL offloading for external users for the public FQDN something.mydomain.tld. This resolves externally to my public IP that hits the pfSense WAN; it also resolves to my public IP when on my local network, so again haproxy handles the SSL, etc. But if I wanted or needed to access that directly on my local LAN, then I use its name.home.arpa:port that the service is on, which doesn't do SSL, etc. What is the point of using the same FQDN internally and externally? What do you think that gets you other than issues?
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
@bmeeks Understood. Thank you kindly for your help. I will likely be ordering a new unit soon.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
@kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:
    /usr/sbin/chown -R nobody:nobody /var/db/ntopng
    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    C
Hi folks, whenever I try to access a DNSBL blocked root domain it shows the block page, but the moment it gets into a subfolder or file in the domain it only shows a 1x1 px page. Meaning http://detectportal.firefox.com/ redirects to the DNSBL block page with the blocked domain info "This website detectportal.firefox.com has been blocked by the Network Administrator!", but if I try http://detectportal.firefox.com/canonical.html, http://detectportal.firefox.com/success.txt or http://detectportal.firefox.com/justatest it only shows a 1x1 pixel. Is this by design? Is there anything I can do to make the rest of the pages show the alert? Regards
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
@fjmp24 said in Notification: UPS ups battery is low: "If I remove ignorelb directive, my UPS shuts down after 16 seconds." This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely the battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    E
Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6 (Freshports).
    pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg
    Changelog
  • Discussions about WireGuard

    713 Topics
    4k Posts
    M
I have my WireGuard up and running and can ping from the firewall to devices on the VLAN, but cannot get clients to ping each other.
  • 404 Not found when browsing certains sites

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Rules broken squid

    12
    0 Votes
    12 Posts
    3k Views
    A
    I deny provisionally in squid, but I would like to know why it is jumping the firewall rule. I have a little crazy
  • Squid3-dev v3.3.10 pkg 2.2.6,SSL MiM + Diladele = c-icap no file scanning

    3
    0 Votes
    3 Posts
    2k Views
    M
huh, reply to myself :P ….. ok, permanent changes can be made via the pfSense UI.
    1. Set the listening port for "Antivirus" in "c-icap.conf" to "Port 1345"
    2. Set this in Custom ACLs (Before_Auth), with help of Diladele support:

    ```
    always_direct allow all
    ssl_bump server-first all
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Client-Username
    icap_service qlproxy1 reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/respmod
    icap_service service_req reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/squidclamav
    icap_service service_resp respmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/squidclamav
    acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
    acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
    adaptation_service_chain chain1 qlproxy1 service_req
    adaptation_access chain1 deny qlproxy_icap_edomains
    adaptation_access chain1 allow all
    adaptation_service_chain chain2 qlproxy2 service_resp
    adaptation_access chain2 deny qlproxy_icap_edomains
    adaptation_access chain2 deny qlproxy_icap_etypes
    adaptation_access chain2 allow all
    ```

    But after saving and restarting the squid service, this remains at the end of squid.conf (always, because it is autogenerated and I don't know where the template for generating it is so I could delete these lines):

    ```
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req allow all
    adaptation_access service_resp allow all
    ```

    Can you please verify my settings and tune them? Thx.
  • Squid3 (3.1) Reverse Proxy & Exchange EWS attachments

    1
    0 Votes
    1 Posts
    939 Views
    No one has replied
  • Squid Reverse Proxy SSL Termination Problem

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Couple of questions about squid3-dev

    4
    0 Votes
    4 Posts
    1k Views
    T
Where is the "squid_monitor_log.php" file served from? Because if squid is configured with "Bypass proxy for Private Address destination" turned on, it should not be trying to cache when it is served from a private address space (10.x.x.x; 172.x.x.x; 192.168.x.x). But it seems it is served via 215.x.x.x, and that is not private address space. You could try and use a proxy script in the browsers (proxy.pac or wpad.dat):

    ```javascript
    function FindProxyForURL(url, host) {
      url = url.toLowerCase();
      host = host.toLowerCase();
      var isHttp = (url.substring(0, 5) == "http:");
      var isHttps = (url.substring(0, 6) == "https:");

      // If the requested website is hosted within the internal network, send direct.
      if (isPlainHostName(host) ||
          shExpMatch(host, "*.home") ||
          shExpMatch(host, "*.local") ||
          isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
          isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
          isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
          isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
          isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) {
        return "DIRECT";
      }

      // Forward non-http(s) and some hosts to forward proxy (or DIRECT)
      if ((!isHttp && !isHttps) // Skip all non http(s)
          || dnsDomainIs(host, "microsoft.com")
          || dnsDomainIs(host, "windowsupdate.com")
          || dnsDomainIs(host, "eset.com")
          || dnsDomainIs(host, "mcafee.com")        // McAfee
          || dnsDomainIs(host, "siteadvisor.com")   // McAfee
          || dnsDomainIs(host, "hackerwatch.com")   // McAfee
          || dnsDomainIs(host, "hackerwatch.org")   // McAfee
          || dnsDomainIs(host, "avg.com")
          || dnsDomainIs(host, "grisoft.cz")
          || dnsDomainIs(host, "avgfree.com")
          || dnsDomainIs(host, "avg.cz")
          || dnsDomainIs(host, "symantecliveupdate.com")
          || dnsDomainIs(host, "thawte.com")) {
        return "DIRECT";
      }

      // Skip HTTPS
      if (isHttps) {
        return "DIRECT";
      }

      // Otherwise, go through our proxy or if it fails, through bypass
      return "PROXY 192.168.0.1:3128; DIRECT";
    }
    ```
  • Quagga OSPFd DR election incorrectly

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • [SOLVED] HTTP access

    4
    0 Votes
    4 Posts
    709 Views
    A
In the end my solution is in this: http://irj972.co.uk/articles/pfSense-WPAD PAC-configuration-management. Create a second web server, lighttpd, within pfSense itself, and it's all in the same box. :)
  • Multi-Lan Squid 2.7 Transparent Firewalling

    6
    0 Votes
    6 Posts
    1k Views
    J
    I replied on your thread.
  • Email Reports - DHCPLEASES limited to 50 entries

    1
    0 Votes
    1 Posts
    619 Views
    No one has replied
  • Install Wireshark to run over X11 issue

    1
    0 Votes
    1 Posts
    804 Views
    No one has replied
  • POP3 Mail Scanning ??

    1
    0 Votes
    1 Posts
    685 Views
    No one has replied
  • Squid Automatically Generating

    1
    0 Votes
    1 Posts
    712 Views
    No one has replied
  • Squid, WiFi, and "Sign in required"

    1
    0 Votes
    1 Posts
    889 Views
    No one has replied
  • 0 Votes
    24 Posts
    5k Views
    bmeeksB
    @wcrowder: Everyday, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'( I know, I know, I need a life...  ;D Final testing is almost completed.  I posted a preview thread showing some screenshots of the new features coming in the updated package.  Here is a link to the thread: https://forum.pfsense.org/index.php?topic=80886.0 Bill
  • Siproxd Fun and Games

    1
    0 Votes
    1 Posts
    730 Views
    No one has replied
  • Transparent Proxy Mode

    13
    0 Votes
    13 Posts
    3k Views
    N
@wcrowder: Easiest way to have an external proxy on another host on pfSense. Place this in /usr/local/www/wpad.dat on your pfSense router.

    ```javascript
    function FindProxyForURL(url, host) {
        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "localhost") ||
            shExpMatch(host, "*.crowderfarm.local") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.0.0"))
            return "DIRECT";
        return "PROXY 192.168.10.8:3128";
    }
    ```

    Add a host override on the DNS forwarder: Host: wpad, Domain: crowderfarm.local, IP address: 192.168.1.1, Description: WPAD Autoconfigure Host. Or you can simply point your browsers to the configuration file in connection settings by clicking "Automatic Proxy Configuration URL" in Firefox for example and entering "http://192.168.1.1/wpad.dat". Of course you have to set these settings to match your network.

    So it means we need to manually select the "Proxy Auto-Discovery" option in the browser even after placing this code on the pfSense router?
  • Squid , NAT using Virtual IP Pool

    1
    0 Votes
    1 Posts
    761 Views
    No one has replied
  • Snort / Suricata Widget feature request

    11
    0 Votes
    11 Posts
    2k Views
    bmeeksB
@Supermule: The customer has a fixed IP and it puzzles me as well. Is the fixed IP address IPv4 or IPv6? And I assume the IP is confirmed to be in the PASS LIST for the interface. You can verify that by going to the INTERFACE SETTINGS tab for that interface and then clicking the "View List" button beside the PASS LIST drop-down. The IP address should be in there. Do you have confirmed alerts with that customer's IP address in either SRC or DST where there was no block inserted? Might take correlating some dates and times to figure that out. I'm trying to determine if perhaps there is a problem with the binary patch that reads and processes the PASS LIST internal to the Snort binary. For example, it might be that the logic inside the binary is not always accurately matching the IP address with the PASS LIST and thus might insert a block when it was not supposed to. Bill
  • Can't Remove / Re-install Snort

    24
    0 Votes
    24 Posts
    8k Views
    BBcan177B
There is a table called "Snort2c" which you can see in Diagnostics: Tables. If the file is there, you can open it and click the "all" icon at the bottom to clear it. If Snort is installed, you can clear the table by going to the Snort: Blocked tab and hitting the "Clear" icon.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.