1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    J
    @ha11oga11o Your LAN DNS returns both pfSense and Nextcloud IPs, so clients bypass HAProxy. Add a host override in DNS Resolver for nextcloud.mydomain.xx pointing only to 192.168.1.1. Flush DNS, restart Unbound, and all local traffic will use HAProxy with the correct certificate.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank for kindly for your help. I will likely be ordering a new unit soon.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    D
    @Gertjan Thanks a lot for your help. This really helped me: I'm not using "pfSense pfBlocker Web server logging" (DNSBL Webserver/VIP ) as the "you are blocked web page" only shows up when the end browser user visits http sites, something that doesn't exist anymore on the Internet. All sites are https these days, and https sites can be redirected to "another https web server" like the "pfSense pfBlocker Web server". With that hint I was able to resolve my issue by: Unchecking the Python Group Policy Enable checkbox for the DNSBL Webserver Configuration on the DNSBL tab in pfblockerng. Checking the Permit Firewall Rules Enable checkbox and selecting the appropriate interfaces for the DNSBL Configuration on the DNSBL tab in pfblockerng. Forced Update | All. It now appears that all the blocked domains are appearing on the Alerts tab in pfblockerng. I couldn't find that host name in the "/var/db/pfblockerng/dnsbl/Max_MS.txt" file - where does your "/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:" come from ? I get that DNSBL, and 2 others, from the original maintainer (https://github.com/crazy-max/WindowsSpyBlocker): https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt. I really appreciate your help!

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    E
    Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6 Freshports pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg Changelog

  • Discussions about WireGuard

    713 Topics
    4k Posts
    M
    I have my wiregaurd up and running and can ping from firewall to devices on the vlan but cannot get clients to ping each other.
Log in to post
Load new posts
  • P

    Snort Pass List not auto created

    3
    0 Votes
    3 Posts
    1k Views
    bmeeksB
    @propel: I'm new to the Snort configurations, 1st time installing and using it. In snort, ' A Default Pass List ' was not automatically created. Do I actually need to create one then? Usually, in a home network setup, you do not need to create or set any specific Pass List.  The "defaults" that Snort will use if you do not create or set a list are generally sufficient.  It will not block your LAN IP block, or DNS servers, your default gateway nor your WAN IP address.  If you have multiple directly-connected networks (for example, DMZ, multiple LANs, VPNs, etc.), then they will be included as well.  You only need to create a Pass List when you have specific external hosts or networks you don't ever want blocked, or you have some internal hosts that are not on directly-attached networks that you don't want blocked. Bill
  • P

    Https connection getting stuck in squid for random clients

    1
    0 Votes
    1 Posts
    747 Views
    No one has replied
  • A

    Custom SquidGuard error [How-To]

    3
    0 Votes
    3 Posts
    5k Views
    P
    Nevermind, i'm dumb heh. got it working.
  • A

    HAVP proxy blocking an application

    5
    0 Votes
    5 Posts
    1k Views
    A
    It's been a while since I've had to address this issue.  I can resurrect old threads :) Now the pfSense is on version 2.1.4 and I'm still getting the same outbound blocking when I have HAVP enabled. Ideas?
  • A

    New HTTP+HTTPS Proxy / DNS Filter Package

    8
    0 Votes
    8 Posts
    3k Views
    A
    @networkinggeek please submit a support ticket and we'll get you straightened out. @Hollander we are working out some kinks but we intend to be in the main package repo. @rjcrowder & @Hollander We use a cloud based categorization service that has over 500 million urls categorized. We've made it so you can install the package and be filtering https traffic within 5 mins.
  • S

    Snort uses up all memory (12GB) [SOLVED]

    34
    0 Votes
    34 Posts
    14k Views
    S
    Thanks :)
  • C

    Strange SquidGuard problem.

    3
    0 Votes
    3 Posts
    1k Views
    C
    @golmaal: Maybe I haven't understood your problem correctly, but this may help: SquidGuard (and the firewall rules too) works on the basis of first-match. The filtering rules do not cascade. Let us say you have Group ACL X and Group ACL Y (in that order) and then Common ACL. When someone accesses the Internet, SquidGuard tries to first match it with Group ACL X. If the match is positive (i.e. if the IP or the user belongs to Group ACL X), the Group ACL X will apply to it irrespective of your Common ACL and other Group ACL. Once the match is positive, it won't filter it using any other Group ACL or Common ACL. If the first match fails, it will try to  match it to Group ACL Y; if it matches, Group ACL Y will apply to it. If there are no matches, Common ACL will apply. So you need something like this: Group ACL X: Block Porn, Block P2P, Allow All Group ACL Y: Allow All Common ACL: Block All I will try this as soon as I get time to use mess around with it again.. Thanks for the reply.  I will post what I find. DrClaw
  • A

    Separate squid cache drive/partition?

    4
    0 Votes
    4 Posts
    1k Views
    A
    Ok. So, I realized that 40 MB is just a teensey bit small for this kind of thing. I purchased 2 CF-style microdrives with PCMCIA adapters. I'll find a use for the other on someday, but for now, I am using one of the Microdrives (each drive is 2 GB) for the cache.
  • W

    NUT UPS with blazer_usb wont start

    2
    0 Votes
    2 Posts
    1k Views
    W
    Nobody?  :-\
  • M

    Squid Proxy Maximum object size

    4
    0 Votes
    4 Posts
    11k Views
    T
    I don't believe this had a separate topic in the old forum, here is a summary of the steps. The cachemgr.cgi page is a symbolic link to the file in the PBI folder. And external cache manager as your local box in the squid config. You create a symbolic of "cachemgr.cgi" in the /usr/local/www folder. Link that to "/usr/pbi/squid-amd64/libexec/squid/cachemgr.cgi" (or i386 when you installed 32-bit pfsense) Then add your pfsense box ip as a external cache manager in the Proxy server -> local cache ->"External Cache-Managers" (it works for me) Then you should be able to browse to http://pfsense-ip/cachemgr.cgi (login info is the same as the pfsense gui) (or you could need to edit "/usr/pbi/squid-amd64/etc/squid/cachemgr.conf" and change localhost to your pfsense-ip) With https you may need to add the portnumber https://pfsense-ip:666/cachemgr.cgi (whatever port your pfsense https responds to)
  • arrmoA

    Darkstat Settings Lost on Upgrade

    3
    0 Votes
    3 Posts
    1k Views
    arrmoA
    Makes sense, thanks!
  • M

    Squid3 clean install: no internet access

    8
    0 Votes
    8 Posts
    2k Views
    KOMK
    No idea.  Everyone goes for squid3-dev because that's the one that supports transparent HTTPS intercept.
  • M

    OpenVpn - Multiple instances

    4
    0 Votes
    4 Posts
    1k Views
    C
    I had enabled modem gui access from the firewall and had created an additional interface on WAN as per instructions given on https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewal …l hence there were two interfaces WAN & Modem Access which were having the same mac id, until ver 2.1 OPNVPN never created multiple instances but post 2.1.1-2.1.4 OPNVPN created multiple instances, then I removed the modem access and ( deleted modem access interface) and every thing worked fine.
  • A

    SSL Offloading with squid3 + HAProxy

    7
    0 Votes
    7 Posts
    3k Views
    A
    Well, ok I see what you mean. Thank you very much !
  • A

    Syslog-ng configuration

    9
    0 Votes
    9 Posts
    14k Views
    A
    thank you for your help  ;D
  • Z

    Squid authentication + Dansguardian (not NTLM)

    5
    0 Votes
    5 Posts
    2k Views
    R
    @ZGruk: You have to configure the proxy settings to point directly to dansguardian (port 8080) instead of port forwarding from 80 to 8080. Sorry for the thread resurrection. I'm not clear how to do this. Is the setting changed in squid? Or is it a firewall/NAT rule that I have to write. Any chance you (or anyone) can post more detailed steps. Thanks!
  • S

    OpenVPN Export doesn't work on alix board with 2.1.4

    4
    0 Votes
    4 Posts
    1k Views
    S
    Write 2.1.4 on a new CF card and boot pfsense. Install the OpenVPN Export package and reboot, works fine with default config. Restore my backup and reboot, works fine. Maybe the CF card was bad or something in the update process goes really wrong.
  • A

    Bypass proxy or allow domain on Squid [SSL]

    2
    0 Votes
    2 Posts
    2k Views
    D
    If I understand it correctly, you host your organization's email on Office 365? If so, do you have autodiscover.<your_domain>.com properly aliased (CANME) to autodiscover.outlook.com? Reason I am asking is that autodiscover.outlook.com does not respond on port 443 (and should not). In case it is configured correctly, you also have to be mindful of when to enter which credentials - some will ask you for your proxy credentials and some will ask for application (exchange) credentials. And another way to test this is to allow your test machine to connect directly - does it work or still prompts?</your_domain>
  • A

    Blocking HTTPS and Streaming

    11
    0 Votes
    11 Posts
    2k Views
    R
    @Legion: If you just want to block a short, fixed list of things, can't you use aliases and firewall rules? Absolutely. The hard part of doing it that way though is that some of the bigger sites can have multiple IP addresses and those addresses can change on a fairly regular basic. You really need something that keeps the list of addresses up to date if you are trying to block one of the large sites…
  • A

    Allowing mobile devices through proxy [Squid + AD Auth + WPAD]

    4
    0 Votes
    4 Posts
    3k Views
    A
    Sorry for the long come back. Been busy with some works though. @dig1234: transparent proxy? Nope it is not transparent. Both HTTP/HTTPS are filtered & using WPAD for auto proxy. @Cino: iphone/ipad, you can use wpad but you have to enable it in the wifi setting for automatic… android, you have to manually set the proxy server in the dhcp/wifi setting... but i dont think https will work right... This is a pain. May be I should use some sort of captive portal on a different subnet. But then again it break the whole point of having a proxy in place. :(
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.