1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank for kindly for your help. I will likely be ordering a new unit soon.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    645 Posts
    E
    Updated CE 2.8.1 to 1.90.6. Freshports pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.6.pkg Changelog

  • Discussions about WireGuard

    714 Topics
    4k Posts
    L
    @subhan2k said in [Guide] Setup a wireguard tunnel to VPN provider (multiple VPN tunnel setup): I tried following your guide to set up the Surfshark WireGuard server configuration in pfSense as default gateway, but I got stuck at the static routes step. In my case, the endpoint isn’t a numeric IP — it’s listed as us-bna.prod.surfshark.com. How should I add this to the static routes? In my configuration: Endpoint: us-bna.prod.surfshark.com Address: 10.14.0.2/16 So what exactly should I enter in the static routes? after switching the default gateway from WAN_DHCP to the WireGuard VPN my Interent doesn't work so adding static routes is mandotary (Im using inside vmware) nslookup us-bna.prod.surfshark.com Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: us-bna.prod.surfshark.com Address: 82.26.162.48 Name: us-bna.prod.surfshark.com Address: 82.26.162.53 That should do it Just take 1 of the 2. And in general, don't use domain names but only IP. Before you start, choose 1 of the 2 IPs and use it for the whole process
Log in to post
Load new posts
  • A

    Uninstall snort.

    8
    0 Votes
    8 Posts
    6k Views
    A
    Thank you Bill, I will try it over the weekend.
  • U

    to squid

    1
    0 Votes
    1 Posts
    843 Views
    No one has replied
  • M

    Syslog-ng doesn't start properly

    6
    0 Votes
    6 Posts
    5k Views
    C
    I fixed the problem noted here in this package (was brought to my attention by a support customer), so the above manual edit is no longer necessary.
  • R

    Squid/Squidguard feature request

    2
    0 Votes
    2 Posts
    1k Views
    R
    No, I want to bypass Squid entirely for certain trusted sites, ie banking and Microsoft.  Also have to bypass SSL filtering for email and IM so the client will connect properly.  Otherwise you the user/app gets a cert error (since it's MIM SSL). After researching this a bit more I see it's not possible on the Squid/Squidguard side.  Squid is capturing the initial Connect of the SSL session and therefore can't bypass it.  It must be done at the firewall redirect level. Any chance a more robust alias option is in the works?  Something that could pull categories for bypass like Squidguard does to block?  Have no idea what loading 100k entries into a firewall rule does… Thoughts?
  • N

    Ntop taking a lot of disk space

    6
    0 Votes
    6 Posts
    4k Views
    N
    Everything looks fine after the deletion. Will try to re-install ntop and see. Is it OK to choose all the interfaces during the configuration?
  • N

    Run pfsense infront of another router for only the snort capability

    3
    0 Votes
    3 Posts
    1k Views
    N
    So you went away from this.  How did you configure the bridge? Any details?  This is new to me. Thanks.
  • K

    Squid reverse proxy - accessible from lan, not wan

    1
    0 Votes
    1 Posts
    825 Views
    No one has replied
  • R

    Squidguard redirect URL not working

    2
    0 Votes
    2 Posts
    4k Views
    R
    Well it was pretty easy - I had to check "Do not use the DNS Forwarder as a DNS server for the firewall" on the General Setup page.  Restarted Squid and with just the ? at the end of the redirect URL it works fine.
  • belleraB

    Binary file /var/syslog-ng/default.log matches

    2
    0 Votes
    2 Posts
    2k Views
    A
    Hola Bellera , tengo todo igual que en las capturas que me indicas y no me registra en los logs
  • D

    PfBlocker not cleaning up removed lists (tables)

    2
    0 Votes
    2 Posts
    1k Views
    D
    Fixed it myself by adding a new list in pfBlocker like this: Create a new list in pfBlocker with the exact same name as the orphan table (see under Diagnostics -> Table). Filled in an existing url and 1 hour update, deny inbound Waited until the table was full in Diagnostics -> Tables Went back to pfBlocker Selected the newly created list and selected "Disabled" Checked in Diagnostics -> Tables (table has been deleted!) Finally deleted the list in pfBlocker. And now the orphaned table is gone!  ;D
  • S

    Squid LDAP authentication problem!

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • B

    Squid3 + Dansguardian Clarification / help

    3
    0 Votes
    3 Posts
    2k Views
    Z
    In theory, Dansguardian is capable of doing what you suggest. There is an option in the group settings to enable it. From what I could find on the forums, this feature is not working on Dansguardian. Marcelloc would know for sure. It is working with squid3-dev, so you can do basic blocking and caching with that.
  • C

    HAProxy scenario - desperate for advise

    2
    0 Votes
    2 Posts
    2k Views
    P
    With haproxy you should be able to put the lines below in a 'advanced' section: reqrep ^([^\ :]*)\ /(.*)    \1\ /path/\2 reqirep ^Host:\ sub1.domain.ltd  Host:\ 192.168.10.10 I think that will take care of the rewriting.. However i think the rewriting of the host is actually not a nice thing to do, i think its better to configure a virtual directory which checks the proper domain name on the webserver. Also read about this in the manual: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-reqrep
  • N

    Can't stop or restart haproxy 1.4.24 on pfsense 2.1

    2
    0 Votes
    2 Posts
    5k Views
    P
    Hi nublaii, That haproxy doesnt 'respond' to service-stop service-start requests seems to be 'by design'.. This because the restarting of haproxy is not a combination of 'stop' and 'start', but haproxy does a pretty much seamless restart while transferring persistence information and finishing old connections through the old process. However when you apply a new good configuration the process should restart with a new PID. Could try and see if you use the haproxy-devel package you get that same behavior? I've done quite a bit of modifications to that -devel package, also in the startup / config-checking. It can be if you configured something 'wrong' that haproxy doesnt start a new process and keeps the old one running.. If you've got the same problems there maybe i can help getting it diagnosed /fixed. Greets PiBa-NL
  • N

    Snort on nano with cf - how often is it read only?

    7
    0 Votes
    7 Posts
    2k Views
    N
    Thank you Jim and Bill.
  • D

    Snort - limiting log directory size

    13
    0 Votes
    13 Posts
    7k Views
    bmeeksB
    @mallison01: ok sounds good, thanks. if you need some one to test your new code id be interested. Thank for the offer, but I was able to test the fix in my VMware environment.  The fix for auto-log rotation is ready and should be posted in a few days.  I found several issues in that old code.  Thank you for pointing out the problem.  I'm glad I looked… :) Bill
  • C

    Dansguardian with multi-groups

    3
    0 Votes
    3 Posts
    1k Views
    C
    Thanks for reply. I think I found what was the problem. While making lists and groups I was saving lists and groups individually, but did not use "global" Save button. Seems like it's working now. All the best.
  • O

    Package that could poll the num of users via CP

    1
    0 Votes
    1 Posts
    606 Views
    No one has replied
  • K

    Snort still clearing blocked ip's even though it is set to "never"

    3
    0 Votes
    3 Posts
    1k Views
    K
    Well whether the problem I had was real or not. I happened to try out binding to the Lan (instead of wan) for my snort interface. And I had the results I expected with blocked ip's staying blocked. I set it to "both" for direction. That seemed to fix it. Only problem is snort cannot perform a portscan from this side of the network (lan). So I created two with this one on wan as a  rule-less snort interface (with portscan enabled). Which seemed to work. But annoying to see it warn me about no rules on the interface. And I probably have redundant preprocessing now. So not sure why I had the problem originally, but there is a solution in case anybody has had problems. Hopefully one day snort for pfsense will create the block list as a simple "Alias" table. Then snort2C wont be needed. And if Snort could be part of the rules chain order. (instead of first) Then the Whitelist inside of snort won't be needed either. Along with speeding it up since it will not process ip's destined to be blocked by the rule chain ahead of it. including ip's it has previously blocked.
  • A

    [Squid] Bypass Maximum download size for specific IPs

    2
    0 Votes
    2 Posts
    1k Views
    N
    go to -=> Proxy server: General settings - Bypass proxy for these source IPs - insert you ip (192.168.0.x
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.