1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    H
    We installed haproxy on Netgate 8200 device 25.07.1-RELEASE (amd64) installed acme certificates and get certificate from letsencrypt, everything ok. checked ssl offload in frontend and selected the acme generated certificate under SSL Offloading. result after Apply Changes: Errors found while starting haproxy [NOTICE] (72045) : haproxy version is 2.9.14-7c591d5 [NOTICE] (72045) : path to executable is /usr/local/sbin/haproxy [ALERT] (72045) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_WAN_117.pem' (No such file or directory). [ALERT] (72045) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:15] : 'bind x.x.x.x:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_WAN_117.pem [ALERT] (72045) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg [ALERT] (72045) : config : Fatal errors found in configuration. also package _devel has the same issue. on other boxes where haproxy was configured on 24.11 - upgraded to 25.07.1 its working. BUG ?? so what can we do now -bolded text we need this function. thank you all in advance

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank for kindly for your help. I will likely be ordering a new unit soon.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG
    @dma_pf said in DNSBL Resolving Some Domains To 10.10.10.1 But Does Not Log Them: "mobile.events.data.microsoft.com I couldn't find that host name in the "/var/db/pfblockerng/dnsbl/Max_MS.txt" file - where does your "/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:" come from ? I picked an host name from the Max_MS.txt file, and tested : C:\Users\Gauche>nslookup umwatsonc.events.data.microsoft.com Serveur : pfSense.brit-hotel-fumel.net Address: 2a01:cb19:907:dead:beef:fe29:392c Réponse ne faisant pas autorité : Nom : umwatsonc.events.data.microsoft.com Addresses: :: 0.0.0.0 and the request was 0.0.0.0 blocked - I'm not using "pfSense pfBlocker Web server logging" (DNSBL Webserver/VIP ) as the "you are blocked web page" only shows up when the end browser user visits http sites, something that doesn't exist anymore on the Internet. All sites are https these days, and https sites can be redirected to "another https web server" like the "pfSense pfBlocker Web server". [image: 1762186097369-04f9cfb4-d6ca-41f8-976c-b40f3c7e564b-image.png]

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    F
    I didn't say you should remove the override.ups.delay.shutdown directive, I said you should remove the ignorelb directive. Ok, I will test without ignorelb directive. Also, you do not have anything in the Advanced settings section, correct? Yes As to running a calibration test, consult your UPS manual or support from the manufacturer of your UPS. I find anything I will search tomorow

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    E
    Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6 Freshports pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg Changelog

  • Discussions about WireGuard

    712 Topics
    4k Posts
    D
    @chpalmer okay so here is the update. I was able to get all my wireguard servers handshaking, my two personal tunnels and my one nord. I have full access to to my lan with my personal tunnels but I now dont have nord routing any traffic through its tunnel. I try to make a lan rule route one ip through nord and make one NAT rule and nothing. I lose internet on my one ip when I try and make a rule to use the nordvpn gateway
Log in to post
Load new posts
  • R

    Copy snort config to new interface?

    34
    0 Votes
    34 Posts
    7k Views
    bmeeksB
    @Hollander: So, Bill: is there perhaps a way to apply the settings from LAN to VLANx via a script in the CLI? Bye  :P Yes, this is technically possible, but the developers were not keen on the idea so I did not include it.  All of the settings for an interface are stored as XML data in the /conf/config.xml file on the firewall.  If you study that file and know XML, you can pretty quickly see how things work.  Just find the section for Packages and then Suricata (or Snort).  Each configured Suricata interface has its own sub-section in the file.  Copying one sub-section over to another, and adjusting for interface names and a couple of other interface-unique parameters is all that is required. Bill
  • D

    Rebooting pfsense router removes snort blocked hosts?

    5
    0 Votes
    5 Posts
    1k Views
    bmeeksB
    @dmitripr: … Based on the topic I link in my second message, looks like the blocked hosts are removed when filter is reset -- which would happen at reboot. That's outside of Snort's control. Thanks for the message, though! Correct.  On a reboot all of the pf tables are cleared, including the <snor2c>table utilized by Snort. Bill</snor2c>
  • S

    Can package be uninstalled on its own? …Spooky

    2
    0 Votes
    2 Posts
    658 Views
    BBcan177B
    I don't know of anything that would remove the CRON package after it was installed. Only thing, i could see is if you did a Restore of a Previous Configuration which rolled it back to before CRON was installed.
  • P

    Ssl/https squidguard extensions the video

    2
    0 Votes
    2 Posts
    710 Views
    KOMK
    You can use Squid's Traffic Mgmt tab to throttle particular extensions.  Set Per-host throttling to 2000 (KB), Throttle only specific extensions checked, and your list of extensions in Throttle other extensions
  • C

    Lightsquid stuck on text mode in bar scheme

    1
    0 Votes
    1 Posts
    517 Views
    No one has replied
  • R

    How to install Rsyslog on pfsense

    1
    0 Votes
    1 Posts
    874 Views
    No one has replied
  • N

    Installing RSYSLOGD on pfSense [WIP]

    8
    0 Votes
    8 Posts
    4k Views
    R
    I follow your post to install rsyslog on pfsense . But while I am restarting my machine the /etc/syslog.conf file restored to previous file that is one before installation of rsyslog.
  • M

    Squid Proxy Not Creating Logs? SARG & Lightsquid failing.

    9
    0 Votes
    9 Posts
    9k Views
    KOMK
    I suspect it was your browser cache.  I've seen this exact problem myself more than once, and a ctrl-F5 always fixed it.  You get the error page, hit F5 and see the same error page, hit ctrl-F5 and there it is.  It's weird like that, but you just remember the glitch if you do a lot of installs.
  • C

    Negative_Hit/404, Miss percentage is high than the hits

    10
    0 Votes
    10 Posts
    3k Views
    KOMK
    Run a Lightsquid report and see what your Hit% is after a week or so of normal usage for your cafe.  That will tell you how effective Squid is being about caching content and saving bandwidth.
  • bmeeksB

    Suricata IDS 1.4.6 BETA package update v0.3 released

    41
    0 Votes
    41 Posts
    14k Views
    bmeeksB
    @Cino: Noticed something else this morning, the cron job that removes IPs from snort2c seems to disappears after a reboot. I have to go to into the global tab and save it so the job is recreated. EDIT: Nevermind… Its not because of a reboot... When I make changes to snort, it removes the cron job because I deactivated blocking in snort You can have lots of weird issues if you run both Snort and Suricata in blocking mode because for the moment they share the same pf table (the snort2c table). Bill
  • R

    (New / Fixed) Widescreen Package Update

    102
    0 Votes
    102 Posts
    41k Views
    jimpJ
    @cyber7: To the pfSense Developers.  PLEASE STOP BREAKING THE WIDESCREEN ABILITY! It has never been broken intentionally. We can't hold back the base system because some unofficial and unsupported patch might break, especially when security and similar fixes are required. The original creator of the patch or someone with the skills to update it would have to keep up with the code changes in the base system. If someone wants to maintain the patch and bring it up to a current version, others may appreciate it, but if we wanted the patch in the base system for 2.1.x it would have been officially accepted there long ago. There is a widescreen theme in 2.2, and 2.2 is moving along, almost to BETA. That's the only place that officially contains widescreen support. Anything else only works by luck/chance. If it bothers you that much, put up a bounty to have someone fix the widescreen patch or fix it yourself for others to use.
  • N

    Can't get caching updates working

    2
    0 Votes
    2 Posts
    1k Views
    R
    I had to go here to get the full details: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate not 100% it is actually working as intended with those recommendations as lightsquid logs are not totally clear as to whom is getting a hit on the cache for updates… so ya.  maybe that will help you some.
  • S

    Radius.log - encoding of the username

    1
    0 Votes
    1 Posts
    680 Views
    No one has replied
  • K

    Proxy settings

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    Using Squid and SquidGuard, go to Services - Proxy filter.  Click the Target categories tab and add a new one.  Give it a name and add your allowed domains to the Domain List.  Click Save.  Go to the Common ACL tab and click the green arrow button to expand the Target Rules List.  Make sure your Target category is listed at the top and its access is set to allow.  Underneath that (because the rules are processed in order from top down) make sure that Default access [all] is set to deny.  Set your Proxy Denied Error, Redirect mode, and Redirect info to whatever you need.  Click Save.  Go to the General settings tab.  Click Save, then click Apply.
  • T

    Suricata Packet Log Location

    3
    0 Votes
    3 Posts
    1k Views
    T
    @Cino: @Trel: I turned on packet logging for an interface to test with, but I can't find where to actually access those logs. I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what actually it's flagging. i get a ton of them, mostly false positives for me but look here /var/log/suricata/suricata_'interface id' Based on the port being used and the  machine it's coming from, I'm fairly certain I know what's triggering it and if I'm reading the rule right: http://doc.emergingthreats.net/bin/view/Main/2001891 That's being triggered by "3a" or " agent" being in the user agent?
  • S

    Unbound service start problem

    12
    0 Votes
    12 Posts
    5k Views
    T
    My unbound runs OK. (2.1.x, x64) Have you tried, without the cache restoration option turned on? With cache restoration turned on, my system reboot would take forever, because of unbound hanging/processing a maybe corrupt cache-file.
  • G

    NRPE2 | Icinga/nagios | check_load | Almost there

    2
    0 Votes
    2 Posts
    3k Views
    G
    http://www.smallbusinesstech.net/more-complicated-instructions/nagios/setting-up-nagios-on-a-debian-server-to-remotely-monitor-an-untangle-server define service{         use                            generic-service                host_name                      pfsense         service_description          Current Load         check_command check_nrpe_1arg!check_load }
  • R

    Snort - what does it do?

    2
    0 Votes
    2 Posts
    717 Views
    BBcan177B
    http://en.wikipedia.org/wiki/Snort_(software) https://doc.pfsense.org/index.php/Setup_Snort_Package https://forum.pfsense.org/index.php?topic=61018.0
  • S

    NTOP - Never really gets internal host names correct.

    1
    0 Votes
    1 Posts
    987 Views
    No one has replied
  • P

    Problem with Sarg application

    5
    0 Votes
    5 Posts
    3k Views
    K
    I don't use Dansguardian, so I am not sure if you have to configure SARG for either Dansguardian or Squid. You probably don't want to configure it for both. My guess, is that your configuration is correct now, cause you have an index that shows up and the realtime works. If you look under: Services - Proxy: Log rotate (this setting will conflict with SARG) Status - SARG Reports - Schedule - Schedule Options - Action after sarg From what I read, you should leave Squid to not rotate logs at all and have SARG do it instead. Or you can modify the CRON job for SARG so it runs right before Squid rotates logs. If you leave Squid rotating logs, what happens is that at midnight, it will restart and zero out the acess.log, so when SARG tries to read the access.log it will be empty, producing a blank report. You can test your configuration by going ahead and opening up the SARG schedule and clicking Force update now. Then check Status - System Logs and it should show any errors if SARG is having an issue. If it works, you should see updated reports.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.