1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pgblockerng aliases in Haproxy?

    80758505-9bad-4dad-a80b-c159be1045a2-image.png

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    M

    @Laxarus This worked for me as well. Though I had to search the web how to edit the file (the easiest way).

    Therefore:

    Addition for anyone struggling to find where to edit files on your pfsense system.

    Go to Diagnostics --> Edit File --> insert the location of the file:

    /usr/local/pkg/pfblockerng/pfblockerng.sh

    Go to line number 1232 by filling it in the Go to line field.

    That line should read:

    s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

    replace only (leave the rest intact):

    masterfile

    to

    mastercat

    Then follow the above instructions from @Laxarus https://forum.netgate.com/post/1219635

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts
    K

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    johnpozJ

    @MacUsers

    https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation

    edit: oh you prob out of luck

    You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.

    the gui in pfsense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed to and revoke that way.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    88 Topics
    572 Posts
    A

    We have a very basic configuration between three locations. All are running Netgate firewalls (1x 4100, 1x 6100 & 1x 4200). All are on the latest firmware (03.00.00.01-2Ct-uc-15) and system versions (24.11-RELEASE).

    The local subnets are as follows:
    4100 - 192.168.5.0/24
    4200 - 192.168.4.0/24
    6100 - 192.168.1.0/24

    The VPN traffic between the 4100 and 4200 is functioning 100% as expected

    The traffic between 6100 and the 4100 works going from the 4100 subnet (192.168.5.0/24) to the 6100 subnet (192.168.1.0/24)

    Traffic from the firewall (i.e. the 6100 device) to the 4100 subnet works (i.e. I can ping any device on the 192.168.5.0/24 subnet from the 6100 firewall) but I cannot ping any device on the 4100 (192.168.5.0/24) subnet from any device on the 6100 subnet (192.168.1.0/24) - other than from the firewall itself.

    All routes are correct, but it seems that traffic from the 192.168.1.0/24 subnet hits the firewall and then gets lost - traceroute shows that it goes off into the internet.

    Note too that the 6100 has IPsec VPN configured on it as well

    Suggestions would be appreciated

    Attached is a zipped pdf file with the relevant screenshots
    Relevant screen shots.zip

  • Discussions about WireGuard

    689 Topics
    4k Posts
    P

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and visa versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round i.e. from Client 2 to pfSenseA

    I will try and do some packet capture to see if that reveals anything.

Log in to post
Load new posts
  • panzP

    Snort stupid question: whitelists and Suppress lists.

    29
    0 Votes
    29 Posts
    29k Views
    panzP

    OK!  :)

  • 2

    /etc/squid/squid.conf

    1
    0 Votes
    1 Posts
    661 Views
    No one has replied
  • M

    Offline package repository

    4
    0 Votes
    4 Posts
    1k Views
    B

    @Moosecall:

    I followed the steps listed in the wiki, it breaks at step 3 running the second php test script.  I am only following the steps for 2.0 setup as the firewalls that will be using it are 2.1.  I did try having a firewall pull from it but as expected no joy.

    The server is a fresh install of Ubuntu 12.04 lts server, that is doing nothing else.  I installed apache, git and php.

    You sure the git clones were successful?

  • D

    Squid3 looping issue

    1
    0 Votes
    1 Posts
    759 Views
    No one has replied
  • M

    Squidguard - multiple users/groups

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    They must be independent. It's more work but that is what is required. Each ACL must define the exact list of actions for each category.

  • L

    Proxy on Alix ??

    6
    0 Votes
    6 Posts
    4k Views
    jimpJ

    It does work on ALIX, not for caching but for access control only (with squidGuard).

    Memory is the biggest drawback on those

  • S

    PfBlocker different on 2 installs

    3
    0 Votes
    3 Posts
    849 Views
    P

    In pfSense an interface without any rules is already blocking everything by default. pfBlocker is smart enough to understand this. If an interface (e.g. WAN) has no rules, then pfBlocker does not bother to add block rules.
    Maybe that is the difference between your WANs?

  • D

    Squid3-dev 3.3.10 pkg 2.2.1 & transparent ssl

    8
    0 Votes
    8 Posts
    2k Views
    belleraB

    I looked at squid.conf and it's using only error_default_language directive.

    I found only another squid directive for error pages:

    http://www.squid-cache.org/Doc/config/error_directory/

    But it doesn't help to solve the problem that you told us.

    I think the only solution is to modify the files at /usr/local/etc/squid/errors/en/ (en, if you use English) and put a redirect code to an alternative URL. Example:

    This will show http://www.yourdomain.tld/access_denied.html to the user.

  • S

    Squid is acting Strange

    4
    0 Votes
    4 Posts
    2k Views
    S

    So Lightsquid is saying the file i am downloading is cached. But when i redownload the file i get no speed boost, and the file is coming from the internet. But lightsquid is saying the file is 98% Cached. Headscracther for me! ty

  • perikoP

    Squid3 cachemgr vs squid -k parse differ.

    1
    0 Votes
    1 Posts
    773 Views
    No one has replied
  • M

    Using Squid/Squidguard as a whitelist proxy

    2
    0 Votes
    2 Posts
    843 Views
    jimpJ

    Yes, you can do that.

    If you're a Gold Subscriber we did a video presentation on Squid, Squidguard, and Lightsquid last Friday and it was mentioned how to set that up. It should be up for download soon.

    SquidGuard can be set to "deny" by default, add in your own whitelist on top of that and it does what you're wanting. Though it'll be more work than you might initially suspect.

  • S

    OpenVPN Client Export Utility

    8
    0 Votes
    8 Posts
    2k Views
    A

    I think Snort was causing this for some reason.  When I removed the package I was able to install the Export Client utility without trouble.

  • E

    LightSquid Removing Traffic From Previous Days

    3
    0 Votes
    3 Posts
    1k Views
    E

    Looks like the issue was with Squid. Setting my log rotation to blank instead of 28, LightSquid and Sarg are showing more than one day's worth of traffic.

  • belleraB

    Squid3-devel + squidGuard-squid3 - double https redirection

    5
    0 Votes
    5 Posts
    3k Views
    belleraB

    @dvserg:

    But http://squid-web-proxy-cache.1019090.n4.nabble.com/Squidguard-redirect-and-https-td4662707.html

    The problem is not Squid nor HTTPS.

    The problem is that the HTTP protocol has a standard that allows
    redirection and the HTTPS protocol does not.
    The HTTPS protocol was designed to be secure and does not allow
    any type of interference.

    The link refers to squid2, without SSL interception possibility.

    I'm using squid3-devel package with SSL interception (SSL Bump, man-in-the middle based). It's intercepting SSL without any troubles.

    http://translate.google.com/translate?hl=en&sl=es&tl=en&u=http%3A%2F%2Fforum.pfsense.org%2Findex.php%3Ftopic%3D73007.msg402349%23msg402349

    Google https pages with https links are also intercepted. But when I click the link the redirect page is not opened. However, opening the page in a new tab or window browser the redirect page appears.

    Curious! It's FireFox 27.0.1 fault? I just tried with Chromium 32.0.1700.107 and I've got the redirect page!

  • BBcan177B

    Add External Lookups to Diagnostics: DNS Lookup

    5
    0 Votes
    5 Posts
    2k Views
    BBcan177B

    The following Lookups would benefit anyone with a Local Mail Server.

    Mail Server DNSRBL Lookups

    SenderScore
    Spamhaus Blocklist
    SPAMcop Blocklist
    multirbl RBL Lookup
    MXToolbox

                    [](https://senderscore.org/lookup.php?lookup=<?php echo $ipaddr; ?>&ipLookup=Go)                 [](http://www.spamhaus.org/query/bl?ip=<?php echo $ipaddr; ?>)                 [](http://www.spamcop.net/w3m?action=checkblock&ip=<?php echo $ipaddr; ?>)                 [](http://multirbl.valli.org/lookup/<?php echo $ipaddr; ?>.html)                 [](http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a<?php echo $ipaddr; ?>&run=toolpage)
  • P

    Snort 2.9.5.6 v3.0.4 Block skype help?

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177B

    The Emerging Threats Rules have P2P rules. Snort doesn't have anything in that Category.

  • bmeeksB

    Snort users – how would you like "templates" to work in the Snort package?

    12
    0 Votes
    12 Posts
    2k Views
    S

    If you use a file then it could be replicated across locations and you will always have a config file with you.

    Why not opt for both? Do as the core team wants and put an extra option in the GUI for creating a snort conf file.

  • belleraB

    SquidGuard bug ordering categories

    10
    0 Votes
    10 Posts
    2k Views
    belleraB

    [SOLVED]

    1. Commented lines:

      402         #file_put_contents($conf_file, $conf);   403         #file_put_contents(SQUID_LOCALBASE . '/etc/squid' . SQUIDGUARD_CONFIGFILE, $conf); # << squidGuard want config '/usr/local/etc/squid' by default

    https://github.com/pfsense/pfsense-packages/blob/master/config/squidGuard/squidguard_configurator.inc

    2. Modified pass line at:

    /usr/pbi/squid-i386/etc/squid/squidGuard.conf /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf

    3. [Apply] button to reconfigure squidGuard without writing a new squidGuard.conf

    In general I only need to modify my lists. So, the trick will work without troubles for me.

  • S

    Exclude IP from HAPV

    2
    0 Votes
    2 Posts
    810 Views
    P

    Try doing the following:

    Go to Services > Proxy Server > Access Control
    Then, in the Unrestricted IPs, type in the Roku's IP Address and test this out to see if it works.

    As for HAVP, under the HTTP Proxy tab, go to the whitelist and enter in *.netflix.com to exclude the site from scanning the site for viruses.

  • T

    HAVP for pfSense 2.1

    6
    0 Votes
    6 Posts
    2k Views
    S

    I too had a problem with pfS2.1-x64 with clamAV not starting and havp crashing.  After reading other posts I tried using the command "freshclam" from the console and got a gid/uid error for the /var/db/clamav directory.  I issued the command "chmod -R 0777 /var/db/calmav" and tried freshclam again with success.  I then issued the command "service calmd start" with success.  It has now been running for 4 hours. . . After posting this message I got to looking at the /var/db directory and noticed that most directories listed have a root:wheel ownership as opposed to clamav which has a havp:havp ownership.  I hope this info might be of some help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.