1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    M
    You have several choices depending on budget but none of them will be on your pfsense. Your options will be Replace pfsense with another vendor that can do content filtering Use another service while keeping pfsense in line .

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank for kindly for your help. I will likely be ordering a new unit soon.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG
    @netboy said in is something wrong with pfBlockerNG?: arm64 That might be a factor. I said that our code base is "bit-wise" identical - and we use the same processors. Actually, that's wrong. X86/amd64 isn't arm64 at all. So, I'm not finger pointing, but I can't test the 'arm' version, as I'm using a 4100, a amd64 device. I has a new unbound version installed yesterday. The previous version was 1.23.x - the new version is 1.24.1. To get it : ssh or console, option 8, and then pkg update pkg upgrade and again, not sure if this is valid for arm.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    644 Posts
    C
    @elvisimprsntr Thank you. I would not be surprised if I ended up with a lengthy solution that works but needs significant improvement. I am using a Netgate 6100 with pfSense+, starting with version 24.x. I had updated Tailscale without trouble per this discussion by using pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-x.y.z.pkg. This worked until pfSense+ version 25.0.07 (FreeBSD 15-CURRENT) and Tailscale upgrade 1.88.3. After several attempts and web searches, I was only able to install that upgrade by using: fetch https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.88.3.pkg, and then IGNORE_OSVERSION=yes pkg-static add -f tailscale-1.88.3.pkg. Then, I could not restart Tailscale, no matter what I tried, including the sequence: service tailscaled stop, tailscale logout, service tailscaled start, and then tailscale up.

  • Discussions about WireGuard

    714 Topics
    4k Posts
    R
    I was on PfSense version 23.xx (don't recall the xx) and was able to start the Wireguard service. I upgraded to the 25.11 beta version and now the Wireguard service will not even start. I am on Wireguard version 2.1, and I see that there are versions that go up to 2.9. How do I upgrade to a later version? The only version in the pfSense updater is 2.1. Thank you
Log in to post
Load new posts
  • S

    Simple rule causes snort to crash

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @Sander88: Thanks! It works now. I have added "classtype:bad-unknown; rev:1;" and the alert shows up now.  :) Quite some time back the Snort VRT folks must have changed the Snort binary such that now it requires a classtype: in a rule or it will segfault and crash when the rule fires.  I think in times past the classtype parameter was optional, but apparently not anymore.  Unfortunately very few if any of the Snort custom rules examples show the inclusion of the classtype parameter  :(
  • A

    WPAD not detected while pfSense on https in "webConfigurator"

    14
    0 Votes
    14 Posts
    7k Views
    A
    thank you all for helping me vHost working for me I create Host: wpad.dat Port : 80 Directory : /usr/local/www but squidGuard error pages not working, can you u give any idea to configure this
  • A

    Help with a squid transparent proxy install?

    1
    0 Votes
    1 Posts
    926 Views
    No one has replied
  • P

    Squid-dev v3.3.10 pkg 2.2 - squid.pid not being created or updated

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • ?

    Snort SID 120:3 with antivirus updates

    16
    0 Votes
    16 Posts
    6k Views
    ?
    Snort keeps a previous log of alerts generated by a host, but doesn't actually act based on them. Let's take an example: host 1.1.1.1 was banned because of rule "I don't like this host because." That was considered a false positive and added to the suppression list (or rule disabled is actually the proper procedure). Snort restarted, host removed from blocked tab. A couple days later, the same host, host 1.1.1.1 gets banned because of rule "I don't like all same numbers in IP." Now the blocked tab will say: 1.1.1.1 "I don't like this host because." and a date/time stamp.             "I don't like all same numbers in IP." and a date/time stamp. The host appears to be blocked because of 2 reasons, but snort's most recent ban is based on the most recent alert generated ("I don't like all same numbers in IP."). The older data (I don't like this host because.") is just there to remind us that a host is really really bad. If a host gets banned again after adding some rule to the suppression list/disabling the rule, then snort's interface was not restarted. Or something else triggered on that host. If neither of those happens, then it's not the expected behaviour. Cisco? Is that a microwave oven maker? Can't remember…...oh, THAT cisco. Yeap, snort is pretty much doomed. After they add the remote update feature. Which is needed for the remote backdoor. For remote support of course. Disclaimer: cisco mentioned in the paragraph above is entirely fictional. Any similarities to an actual company are purely coincidental. cough
  • N

    Openvpn ip address conflict ?

    2
    0 Votes
    2 Posts
    2k Views
    P
    You are correct - the OpenVPN link will not route from work to-from home if both work and home have the same subnet (like 192.168.1.0/24). Packets will never get sent across the link, because the source device will think the (remote) target device is in its local LAN, because the target device has an IP address in the local subnet. Time to choose the easiest network to change, and change it. Or even better, during the holiday season, change both. No-one will notice, they will all be on leave  ;)
  • A

    Lightsquid error on pfSense on ESXi

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • F

    sites are blocked after upgraded snort

    9
    0 Votes
    9 Posts
    16k Views
    bmeeksB
    739 MB of RAM is a challenge for Snort with a full rule set.  Snort is a memory hog.  Depending on the number of rules active, RAM usage can quickly grow beyond 2 GB.  If your box begins swapping RAM out to the swap file, then performance will slow to a crawl.  Currently the Dashboard does not indicate any swap usage, so that may not be the problem. You can test Snort as the cause of your slowness issue by simply turning Snort off on the interfaces it is running on.  Just click the green arrow icon on the Snort Interfaces tab and wait for it to turn into a red X.  Snort is then stopped and is not consuming any resources nor doing anything to network traffic.  If things are still slow and you have web browsing issues, then Snort is not at fault and you know to look elsewhere. Now if Snort was blocking a number of web sites, that can also give the appearance of being slow.  What happens is most web sites use advertising, and that advertising is served up by external sources (meaning not from the same web server as the content you went to see is served from).  Sometimes those external sources are either known suspicious sites with poor reputations that are on a Snort block list, or the external site may use some non-standard HTTP encoding that the Snort HTTP_INSPECT preprocessor does not like.  Either way the incoming ad stream is blocked.  Some web pages will pause or simply not load when any of their embedded ads don't completely load.  You may be seeing some of that behavior as well.  Properly configuring a Suppress List will help in this area. Bill
  • E

    Antivirus solution required

    8
    0 Votes
    8 Posts
    2k Views
    E
    :-\ any news of squid-dev integration with antivirus. soooo  critical. Thanks and merry christmas
  • B

    Squid3 disappeared

    6
    0 Votes
    6 Posts
    2k Views
    B
    Hi Robert, I am amazed that there are not more reactions to this issues. It seems like a serious bug to me… regards.
  • C

    Snort WAN Interface generates multicast traffic.

    5
    0 Votes
    5 Posts
    2k Views
    C
    :) Thanks a lot again.
  • V

    PfSense 2.1 Dansguardian ACL Page not work

    2
    0 Votes
    2 Posts
    935 Views
    V
    It is working now but i don't understand how it is fixed.
  • denningsrogueD

    PfBlocker - unable to add list

    2
    0 Votes
    2 Posts
    1k Views
    denningsrogueD
    Solved my own problem (sort of).  When I set up pfSense, I created a new administrator account and made it part of the administrator group and disabled the default admin account.  Apparently, the group privileges for the administrator group are not applying to the new admin account.  If I use the default admin account, everything works.  Strange.
  • A

    Proxy Exceptions with Dansguardian

    5
    0 Votes
    5 Posts
    2k Views
    A
    the default status is off and it never comes on and it makes dansguardian unusable since it cant scan content. GUI notifies that freshclam is running but i know its not. By default freshcalm does not have any permissions to run updates, i had previously activated this and fixed all permission errors, but dansguardian always shows clamav status off I got pretty far but could not find clamd.conf as it didnt exist anywhere. Now i reinstalled everything and starting from square and need some directions. Update: On a side-note i got squid (non-transparent mode) working with dansguardian. Just like i want: all traffic is redirected based on my 1 NAT rule, instead of having rules+multiple exceptions. I made a mistake when testing dansguardian proxy which lead me to believe that proxy wasn't working. All i need is Clamav setup and ll be greatful!!! Update2: Got pretty far after finding a thread with same problem. Now i just need to know how to get blacklist working, DG does not download the specified list..
  • bmeeksB

    Dashboard Widget: Snort Alerts pkg v0.3.6 Update

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @denningsrogue: Installed but the changes don't save. Try adding the widget first, then click the SAVE button for the Dashboard itself.  After that, go back into the Snort Alerts widget, click the wrench icon in the upper right, enter a number of rows to display and then click Save in the Alerts widget.  See if that works.  It did for me.  For some reason, trying to enter and save a value at the same time you add the widget to the Dashboard failed with a session state error. Bill
  • D

    Windows Activation

    3
    0 Votes
    3 Posts
    2k Views
    D
    Thank you very much! I made exception such as *microsoft.com. Everything is fine. Unfortunately direct links doesn't work, because IE don't understand CRL lists. Thanks again
  • ?

    Dansguardian Weighted Lists doesn't work

    2
    0 Votes
    2 Posts
    962 Views
    marcellocM
    What you get on logs?
  • B

    Postfix forwarder - quick start guide

    3
    0 Votes
    3 Posts
    6k Views
    B
    /your_domain_here/ REJECT [HELO01] marcelloc, Would it be sensible to add this as well? /127.0.0.1/ REJECT [HELO02]
  • bmeeksB

    Snort 2.9.5.5 pkg. v3.0.0 – Update Released

    67
    0 Votes
    67 Posts
    26k Views
    bmeeksB
    @BBcan17: Hi Bill, I have been going thru the Snort rules and disabling/Enabling the ones to suit my network and I came across a few ideas. My replies are below.  Thank you for the ideas.  Unfortunately, one of them I really don't think can ever work; however, the other two are possible. @BBcan17: Ability to create Multiple Snort Interfaces. Only one Interface per NIC would be online, the others could be offline.  It could also allow testing of Rulesets without compromising the Primary Interface settings. I think the template idea suggested by user Supermule is a way to accomplish this.  It sounds like what you are really talking about is a way to quickly switch on or off a group of rules for an interface. @BBcan17: The ability to Copy the "Snort Interface" to another pfSense Box. This would allow managing rulesets for several boxes with similar setups. This feature is available now thanks to user Marcelloc here on the forum.  He contributed the XML RPC sync part of Snort.  It is currently marked experimental, but in fact works quite well.  You can sync the Snort configuration across multiple boxes.  The one requirement for now is they must have the same NIC hardware so the real interface names match.  For example, em0, em1, etc.  I think the users currently making use of this sync feature are doing so on groups of virtual machines where the virtual hardware is identical. The template idea I mentioned above might also fill this need when implemented.  Maybe I can incorporate something into the template code that would handle automatically the change in real interface names. @BBcan17: In Global Settings, the option for "Remove Blocked Host Interval" could be set separately in each category so that we can better control how long the Block should last for. This one can't be done because it's not Snort that does the clearing.  Remember Snort is simply stuffing IP addresses into a pf table.  The table is called snort2c.  Once an IP is inserted there, it's the responsibility of the packet filter engine code to keep up with it.  The pf engine keeps a counter on "activity" by IP address.  In other words, it monitors the connections.  There is a cron job that the Snort package creates that calls the expiretable utility once per the interval you set (1 hr, 1 day, etc.).  The expiretable utility is given the pf table to clear and how many seconds of "no activity" must be in the stats for an entry to be removed.  The pf table has no way to store additional data about the IP address (such as what rule fired it, etc.).  This means Snort can't offer selective clear times based on rule origin. Bill
  • T

    Snort rules will not update - pfSense noobie

    6
    0 Votes
    6 Posts
    2k Views
    ?
    As none other than Mr. Allan Jude himself would have said; "Patch your shit!". (not a personal attack in any way, shape and/or form. A strong suggestion to keep up to date with all software) As suggested, always upgrade to the latest versions of everything (I'll do my psychic voodoo and say the web app being protected is something based on a no longer maintained version of a webserver, quite possibly IIS). The proper procedure to upgrade is: First upgrade, then notify the customers of what's not working. A golden rule in my case. Any system running 1month old software (of which a new version has been available for the past 3 weeks) is to be considered compromised, no questions asked. A zeroing of the drive and,if it's UEFI*,  a new motherboard, installed with a newer version of the software is the only industry accepted practice to recover it. As soon as a new update is available, start testing it. You have 24 hours to update the production systems, or they are to be considered highly likely to be compromised and should be treated as hostile to other hosts on the network. My personal suggestion is to stop looking for ways to work around a 2 year old appliance and start downloading the new version. *there are ways to flash a pre-OS exploit on a motherboard, have been publicly available for the past year. Not publicly available, well that's another story  ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.