Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    We installed haproxy on a Netgate 8200 device running 25.07.1-RELEASE (amd64), installed the acme package and got a certificate from Let's Encrypt; everything OK. Checked SSL offload in the frontend and selected the acme-generated certificate under SSL Offloading. Result after Apply Changes:

      Errors found while starting haproxy
      [NOTICE] (72045) : haproxy version is 2.9.14-7c591d5
      [NOTICE] (72045) : path to executable is /usr/local/sbin/haproxy
      [ALERT] (72045) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_WAN_117.pem' (No such file or directory).
      [ALERT] (72045) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:15] : 'bind x.x.x.x:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_WAN_117.pem
      [ALERT] (72045) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
      [ALERT] (72045) : config : Fatal errors found in configuration.

    The _devel package also has the same issue. On other boxes where haproxy was configured on 24.11 and upgraded to 25.07.1 it is working. BUG?? So what can we do now? We need this function. Thank you all in advance.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    @Greyhat I think it's useful to work with what we've got and figure something out for the (I hope) edge cases later. So for the JSON, I figured you can actually use an existing Suricata integration by co-opting their pipelines.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:

      /usr/sbin/chown -R nobody:nobody /var/db/ntopng

    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    @netboy Most probably a configuration regression. You really need to dig deeper. From which pf version did you upgrade? Have you tried removing and reinstalling pfblockerng? Looking at the moon for craters with the naked eye doesn't show the one that the crashed spaceship created. Use a telescope instead. FWIW, I see quite a few pfblockerng instances on 25.07.1 running with no (apparent) issues too.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    johnpoz
    @netboy Do you have this docker available? This is actually pretty slick. I didn't think about monitoring the one connected to my NAS. It monitors it for shutdown of the NAS, but it would be nice to see such info off of it. I have one behind my TV that I monitor with a Pi I have connected, which is my NTP server as well. I keep meaning to put another Pi I have on the one in my AV cab to monitor that one; just haven't gotten around to it. I have 4 total in the house of the CyberPower ones. It would be nice to throw them all into one place to monitor. One I monitor on my PC, with misc network gear plugged into that; one my NAS monitors for its own use; pretty sure the pfSense is on that UPS along with my APs, I think, but I didn't think of turning on its server function and pointing pfSense to it. You have inspired me to do a better job of monitoring mine. Mine are all CyberPower 1500s; I would have to double check models but I know at least 2 of them are the cCP1500PFCLCD. I think your docker would be perfect for my use as well.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the acme webgui times out. When the acme webgui times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    This one has been tricky still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    @Vad-B Interesting indeed! I just tried to fill the Pre-authentication Key with file:/dev/null. I get a crash in pfSense after some time, but when I log in again it is saved. For me, at least after service restarts, this solves it, including the issue with the routes not being advertised even when set in the WebUI. Haven't done a full restart of pfSense (yet).
  • Discussions about WireGuard

    I feel like I've followed every guide there was. I was able to get NordVPN via WireGuard on my pfSense, but for the life of me I can't get my own WireGuard server working. I can't even get a handshake. I have all the firewall rules mentioned, the gateway, interfaces, etc. I've got no clue what to do at this point. Can anyone please help? I'll provide any information required; I just don't even know where to start. I've tried every YouTube video and guide possible. It's strange: I was able to get NordVPN working but I can't get my own.
  • Squid/Sarg truthful?

    Ignore me :o I have a small error in my code (OK, major) which is saving my log files a day behind... All the IPs I see were yesterday's.
  • Captive portal quirk

  • FreeRadius2 and OTP

    @cthurner: Hello, thanks for your reply. I have used the radtest tool on the command line to test the OTP authentication as described here: https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package. As password I have used the OTP that has been created by DroidOTP on my Android phone. I don't think I have mistyped anything. Furthermore, I have compared the otpverify.sh from http://motp.sourceforge.net/bash/otpverify.sh with the version provided by the freeradius2 package. The original script uses "OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6" (in line 104) whereas the freeradius version uses "OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6". In my understanding the second version is wrong, as it only uses the 6th character instead of the first 6 characters. Therefore any authentication request via radius will be rejected. With my modification it works. So I think this is indeed a bug. CU Christian

    I try to explain it again for you. On the GUI YOU probably typed: 6. This is "wrong" because it only uses character 6 (just one character). On the GUI you MUST type: 1-6. This uses characters 1, 2, 3, 4, 5, 6.
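As an added example, not code from the thread, from otpverify.sh or from the freeradius2 package, here is the verification pipeline the two posts argue about, written in Python so that the `cut -b 1-6` and `cut -b 6` variants can be compared side by side. It assumes the mOTP scheme the shell script implements: EPOCHTIME is the Unix time divided by 10 (a 10-second step), "checksum" is MD5 in hex, and the secret, PIN and timestamp below are constructed test values.

```python
import hashlib

# Constructed demo credentials; not real ones.
SECRET = "0123456789abcdef"   # mOTP init-secret (assumed 16 hex chars)
PIN = "1234"

# The two "cut" settings from the thread, as Python slices (cut -b is 1-based).
CUT_1_TO_6 = slice(0, 6)   # cut -b 1-6 : characters 1..6  (correct)
CUT_6 = slice(5, 6)        # cut -b 6   : character 6 only (the reported bug)


def motp_token(unix_time: int, secret: str, pin: str, cut: slice = CUT_1_TO_6) -> str:
    """Mirror of: printf $EPOCHTIME$SECRET$PIN | checksum | cut -b ...

    EPOCHTIME is assumed to be unix_time // 10, i.e. mOTP's 10-second counter.
    """
    epochtime = unix_time // 10
    digest = hashlib.md5(f"{epochtime}{secret}{pin}".encode()).hexdigest()
    return digest[cut]


def verify(presented: str, secret: str, pin: str, now: int,
           cut: slice = CUT_1_TO_6, window_steps: int = 18) -> bool:
    """Accept the token if it matches any 10-second step within +/- window_steps
    (18 steps = 3 minutes of clock drift, an assumed tolerance, not the script's)."""
    for step in range(-window_steps, window_steps + 1):
        if motp_token(now + step * 10, secret, pin, cut) == presented:
            return True
    return False


def demonstrate_bug(now: int) -> dict:
    """Generate a token the way the phone does (first 6 chars) and verify it
    with both cut settings.  Returns the outcomes so they can be inspected."""
    phone_token = motp_token(now, SECRET, PIN, CUT_1_TO_6)
    return {
        "phone_token": phone_token,
        "server_cut_1_6": motp_token(now, SECRET, PIN, CUT_1_TO_6),
        "server_cut_6": motp_token(now, SECRET, PIN, CUT_6),
        "accepted_with_cut_1_6": verify(phone_token, SECRET, PIN, now + 40),
        "accepted_with_cut_6": verify(phone_token, SECRET, PIN, now + 40, cut=CUT_6),
    }


if __name__ == "__main__":
    import time
    for k, v in demonstrate_bug(int(time.time())).items():
        print(f"{k}: {v}")
```

With `cut -b 6` the server side computes a one-character string, which can never equal the six-character token the phone shows, so every request is rejected exactly as Christian describes; the comparison is structural, not a matter of mistyping.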
  • TCP request redirection in HAProxy

    TCP does not have a notion of a "request". TCP is just a binary stream of data, like a file stream. What you would need is a reverse proxy that could forward based on the MySQL protocol. My guess is this has not been done, as it sounds like there is a better way to handle this, but I could be wrong. Hopefully someone can help you with whether this can be done.
  • Remote Pfsense without Dynamic Ip

    jimp
    If your WAN IP is public, DynDNS will let you reach it. If your WAN IP is private and you control your modem/router ahead of you, then set it to pass the traffic into your pfSense (e.g. port forward, "DMZ", etc) and you can still use DynDNS. If your WAN IP is private and your ISP is performing Carrier-Grade NAT then in all likelihood you have no way to receive inbound traffic for remote management. If you have another location that has a public address, you could do a site-to-site tunnel to there, and then have a remote access VPN connect to that and hop across a site-to-site VPN to reach the router that's stuck behind NAT.
  • Squid-2.7.9_3-amd64 package will not install

    I had the same issue, i386 version though. After two retries it worked for me.
  • Dansguardian Web Upload banned

    @percyiii:

      fetch -o /usr/pbi/dansguardian-amd64/sbin/dansguardian "http://e-sac.siteseguro.ws/pfsense/8/amd64/dansguardian"

    Save one of the dansguardian pages. Check to make sure it started. Check to make sure the web upload is now working. Now the how-to had fetch to e-sac.siteseguro.ws going into /usr/local/sbin; /usr/local/sbin is symlinked to /usr/pbi/dansguardian-amd64/.sbin/dansguardian. But the only way I could get it to work was to fetch to /usr/pbi/dansguardian-amd64/sbin, not .sbin. Does Dans use both executables? Which one runs? I fetch to /usr/pbi/dansguardian-amd64/sbin, which seems to work fine for me.
  • Help me explain and fix this problem

    KOM
    This has been answered in previous forum posts:
      https://forum.pfsense.org/index.php?topic=43154.0
      https://forum.pfsense.org/index.php?topic=64264.0
      https://forum.pfsense.org/index.php?topic=54180.0
      https://forum.pfsense.org/index.php?topic=48139.0
    etc etc
  • Squidguard question

    KOM
    In the menu, look at Services - Proxy filter. From there, use Times to create your schedule. Then go to Groups ACL to create groups of IP addresses and what they are allowed to access, and link them to the schedule.
  • HAVP - Problem virus not alert but detect

    https://forum.pfsense.org/index.php?topic=18714.msg96295#msg96295
    Same problem with me, but still no solution. BTW, after restart it will be false again, and mine will be like this: "can't connect to clamd: No such file or directory". I fix it using this every reboot:

      mkdir /var/run/clamav
      ln -s /var/run/clamd.pid /var/run/clamav/clamd.pid
      ln -s /var/run/clamd.sock /var/run/clamav/clamd.sock
  • Pfsense freeradius webGUI vs config files (proxy.conf /

    I'd be interested in how to do this too??
  • SNORT - Reverse , dnstunnel block help

    bmeeks
    @BBcan177: I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS server(s) or pfSense DNS apps. This is a very effective way to handle the potential issue. Restrict all LAN DNS traffic to just your internal DNS server (or servers), then further restrict outbound DNS (on WAN) to designated forwarders. There are some DNS policy rules in the Emerging Threats family that can help as well, but in my view the easiest method is restricting outbound DNS to only authorized hosts. Bill
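An added example, not from Bill's post and not pfSense's own rule syntax, of the policy he describes: a small first-match evaluator in Python run over constructed DNS flows. LAN hosts may only talk to the internal resolver, and on WAN only that resolver may talk to the designated forwarders; everything else to a DNS port is blocked, which is what a DNS tunnel or a client pointed at a rogue resolver would hit. The addresses, the resolver and forwarder lists, and the inclusion of port 853 (DNS over TLS, which the post does not mention) are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed addresses for the example; substitute your own.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_DNS = {ipaddress.ip_address("192.168.1.53")}            # the only authorized resolver
FORWARDERS = {ipaddress.ip_address("9.9.9.9"),
              ipaddress.ip_address("149.112.112.112")}            # designated upstream forwarders
DNS_PORTS = frozenset({53, 853})   # 853 (DNS over TLS) is an addition beyond the post

IPMatch = Callable[[object], bool]


def any_ip(_ip) -> bool:
    return True


def in_net(net) -> IPMatch:
    return lambda ip: ip in net


def in_set(addrs) -> IPMatch:
    return lambda ip: ip in addrs


@dataclass(frozen=True)
class Flow:
    iface: str    # "lan": packet entering from a LAN host; "wan": packet leaving on WAN (pre-NAT)
    proto: str    # "udp" or "tcp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str          # "pass" or "block"
    src: IPMatch
    dst: IPMatch
    dports: frozenset


# First match wins, as in pf.  Order matters: the pass for the authorized
# path must sit above the catch-all block for the same ports.
RULES: List[Rule] = [
    Rule("lan", "pass",  in_net(LAN_NET),      in_set(INTERNAL_DNS), DNS_PORTS),
    Rule("lan", "block", any_ip,               any_ip,               DNS_PORTS),
    Rule("wan", "pass",  in_set(INTERNAL_DNS), in_set(FORWARDERS),   DNS_PORTS),
    Rule("wan", "block", any_ip,               any_ip,               DNS_PORTS),
]


def decide(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule).  Non-DNS traffic falls
    through to ("pass", None): it is left to the rest of the ruleset."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for i, r in enumerate(rules):
        if (r.iface == flow.iface and flow.dport in r.dports
                and r.src(src) and r.dst(dst)):
            return r.action, i
    return "pass", None


def audit(flows: List[Flow]) -> List[Flow]:
    """Flows the policy would block: candidates for a rogue resolver or a DNS tunnel."""
    return [f for f in flows if decide(f)[0] == "block"]


# Constructed sample traffic (not captured data).
SAMPLE_FLOWS = [
    Flow("lan", "udp", "192.168.1.20", "192.168.1.53", 53),     # client -> internal resolver: OK
    Flow("lan", "udp", "192.168.1.20", "8.8.8.8", 53),          # client bypassing the resolver
    Flow("lan", "tcp", "192.168.1.20", "1.1.1.1", 853),         # client using DoT directly
    Flow("wan", "udp", "192.168.1.53", "9.9.9.9", 53),          # resolver -> forwarder: OK
    Flow("wan", "udp", "192.168.1.53", "203.0.113.9", 53),      # resolver -> unknown server
    Flow("lan", "tcp", "192.168.1.20", "93.184.216.34", 443),   # not DNS: not this policy's concern
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(decide(f), f)
```

The WAN rules are written against the resolver's pre-NAT source address, which is how an outbound rule on WAN would see it before translation; if pfSense itself (the Resolver or Forwarder service) is the authorized resolver, its own interface address takes the place of INTERNAL_DNS.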
  • Squid Proxy stops working after 2 minutes??

    KOM
    I'm no expert either. I just try to help people if I can. To get to the log, first log in to the shell (option 8 in the pfSense text menu). From there, go to /var/log and look for squidGuard.log. Maybe take a look at the system.log while you're at it. I can't even begin to tell you what to look for other than obvious errors.
  • Squid install not working

    jimp
    1.2.3 is no longer supported. Squid+SquidGuard on NanoBSD on 1.2.3 even less so. There could be some remnant of a past installation somewhere on the drive in /usr/local/pkg/ or in the config.xml that needs to be cleaned out. Not enough info to say, but you should really be running the latest version (2.1.x) and not 1.2.x.
  • Many havp processes. OK?

    It is a pity that I did not get any answer... :'( Havp seems to be running, although I can see many log entries:

      havp[35911]: connect() failed: Address family not supported by protocol family
      havp[78165]: connect() failed: Operation not permitted
      havp[19896]: connect() failed: Address family not supported by protocol family
  • Squid 3.3.10 pkg 2.2.4 not starting

    Updated to pkg 2.2.5 yesterday; Squid refuses to start. However, the error message has changed. It is now:

      php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2014/06/10 13:23:33| parse_peer: token='round-robinssl' FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 98: cache_peer 10.0.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exchange Squid Cache (Version 3.3.10): Terminated abnormally. CPU Usage: 0.015 seconds = 0.007 user + 0.007 sys Maximum Resident Size: 29312 KB Page faults with physical i/o: 0'

    and then:

      squid: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 98: cache_peer 10.0.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exchange

    Obviously there is some code in the config pointing to a server that does not exist any more. Can I delete this line? I could not find any point in the GUI pointing to this retired server and I have never configured a cache_peer. Thank you for your hints. Cheers, thafener
  • TCP_DENIED/411 POST

    Sorry everyone… Bump
  • Suricata 1.4.6 pkg v1.0.2 – Update Release Notes

    bmeeks
    @jflsakfja:

      Bug: Blocked tab:
      Warning: inet_pton(): Unrecognized address TCP in /usr/local/www/suricata/suricata_blocked.php on line 247
      Warning: inet_pton(): Unrecognized address TCP in /usr/local/www/suricata/suricata_blocked.php on line 247
      Rule that caused it: files.rules: 1:22 FILE pdf claimed, but not pdf <<< fires up when spiders (eg googlebot) try to download a part of a pdf, therefore DELETE UPSTREAM (part after <<< is in the upcoming suricata topic)
      It also breaks the alerts tab, with text all over the place.

    Thanks for the report. I will add this to my list. I'm holding the next Suricata hoping the Ports tree on FreeBSD will soon update to the 2.0.x Suricata branch. Bill
  • Squid not working in no-transparent mode

    @KOM I use non-transparent mode to block the internet connection for a user.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.