1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank for kindly for your help. I will likely be ordering a new unit soon.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    644 Posts
    C
    @elvisimprsntr Thank you. I would not be surprised if I ended up with a lengthy solution that works but needs significant improvement. I am using a Netgate 6100 with pfSense+, starting with version 24.x. I had updated Tailscale without trouble per this discussion by using pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-x.y.z.pkg. This worked until pfSense+ version 25.0.07 (FreeBSD 15-CURRENT) and Tailscale upgrade 1.88.3. After several attempts and web searches, I was only able to install that upgrade by using: fetch https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.88.3.pkg, and then IGNORE_OSVERSION=yes pkg-static add -f tailscale-1.88.3.pkg. Then, I could not restart Tailscale, no matter what I tried, including the sequence: service tailscaled stop, tailscale logout, service tailscaled start, and then tailscale up.

  • Discussions about WireGuard

    714 Topics
    4k Posts
    L
    @subhan2k said in [Guide] Setup a wireguard tunnel to VPN provider (multiple VPN tunnel setup): I tried following your guide to set up the Surfshark WireGuard server configuration in pfSense as default gateway, but I got stuck at the static routes step. In my case, the endpoint isn’t a numeric IP — it’s listed as us-bna.prod.surfshark.com. How should I add this to the static routes? In my configuration: Endpoint: us-bna.prod.surfshark.com Address: 10.14.0.2/16 So what exactly should I enter in the static routes? after switching the default gateway from WAN_DHCP to the WireGuard VPN my Interent doesn't work so adding static routes is mandotary (Im using inside vmware) nslookup us-bna.prod.surfshark.com Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: us-bna.prod.surfshark.com Address: 82.26.162.48 Name: us-bna.prod.surfshark.com Address: 82.26.162.53 That should do it Just take 1 of the 2. And in general, don't use domain names but only IP. Before you start, choose 1 of the 2 IPs and use it for the whole process
Log in to post
Load new posts
  • H

    XML Extension not found *error*

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • D

    Snort alert not reproducable

    7
    0 Votes
    7 Posts
    4k Views
    bmeeksB
    @digidax: So, after sniffing with tcpdump I can reproduce the problem now: There is a bug in the IMAP preprocessor during handling TLS communication: http://seclists.org/snort/2013/q3/453 Is there a bug tracker where I can see the status of this reported bug? I my case, User 1 has a bad DSL-Line. If during the TLS session snort gets a hiccup, the mail server gets a broken TLS login and so it's close the session. Until this bug is not fixed, there are two ways: disable the IMAP preprocessor OR switch of TLS for IMAP auth. best regards Frank I have a new Snort package based on the 2.9.5.5 binary that is being reviewed by the pfSense Core Team now.  Hopefully they approve and merge it soon.  I believe some TLS fixes are in the new binary. Bill
  • S

    Squid 3.3.10 upgrade stuck on Creating squid cache pools… One moment please...

    7
    0 Votes
    7 Posts
    3k Views
    S
    Thanks It's working now Remove then install then reboot
  • P

    Captive Portal/FreeRADIUS/WPA Enterprise/Segmenting Users

    11
    0 Votes
    11 Posts
    4k Views
    N
    @thermo: ssh into your pfsense & into the shell. killall radiusd /usr/local/sbin/radiusd -X and watch the output. No need to kill the process just stop it on GUI. radiusd -X  will run freeradius in debug mode and tells you everything. In freeradius GUI you can enable the logging of good and bad authentications - passwords and usernames will be shown in pfsense syslog. Further make sure that the switches and WLAN AP have the same shared secret as in freeradius NAS/Clients. Make sure that your switches and APs send its correct NAS-IP to freeradizs and configured in Users. Freeradius - View config could help you to find out if your Users file looks correct and represets all your paramwters. The order in the users file is important. So if there is one user added twice the first match will win.
  • S

    Haproxy-1.4.24 installation/re-installation hangs

    3
    0 Votes
    3 Posts
    1k Views
    marcellocM
    I've updated haproxy-full package to 1.1. It's working fine on 2.0.3 and 2.1 as well.
  • R

    Package vhosts: allow Regex

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • bmeeksB

    Snort 2.9.4.6 pkg v2.6.1

    59
    0 Votes
    59 Posts
    16k Views
    S
    Use the suppress icon to filter away blocks because of that SID.
  • D

    Different SquidGuard setting for each Ip/User

    2
    0 Votes
    2 Posts
    1k Views
    M
    of course it is possible, in squidguard using group acl feature you can create different user profiles by source or captiveportal usernames(squid3-dev required) with different filtering options
  • R

    BUG: As feared… New Unbound version 1.4.21_1, new bugs for free ...

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • T

    Squid exited due to signal 6 (NOOB QUSTION)

    4
    0 Votes
    4 Posts
    18k Views
    N
    Hi, you could try this: http://wiki.squid-cache.org/SquidFaq/ClearingTheCache Pruning the Cache Down and Changing the Cache Levels Perhaps downsizing the HDD cache could solve the problem. But you changed the path and if it works it will be ok :)
  • S

    How to update Sarg package without losing my existing setting?

    5
    0 Votes
    5 Posts
    2k Views
    S
    Thank You for your help :)
  • E

    HAVP config

    2
    0 Votes
    2 Posts
    1k Views
    E
    I have a workaround which involves modifying havp.inc - I know it will get overwritten when I reinstall HAVP package. I wasn't able to get internal and NAT rules to work so I modified the rule / filter using supernetting so it will not redirect to HAVP if destination IP falls within the IP range. If anyone has gotten internal and NAT rules to work, please let me know.
  • M

    Lightsquid - Error (1): Cannot get data. Server answered: HTTP/1.0 403 Forbidden

    8
    0 Votes
    8 Posts
    17k Views
    B
    hi.. i followed it and its working fine at squid 3.3.5 http://forum.pfsense.org/index.php?topic=65102.0
  • X

    Cron 0.1.8 wont run reboot command

    12
    0 Votes
    12 Posts
    4k Views
    X
    i reinstalled the cron package, it was the latest one though, and the error disappeared, use the below works for me so will stick with it command = /etc/rc.reboot (works in both crons)
  • J

    Ntop warning: Max num TCP sessions, setting seems to have no effect

    2
    0 Votes
    2 Posts
    3k Views
    J
    Looks like this setting will always be ignored: https://github.com/pfsense/pfsense-packages/blob/4e3879cf61b174570a0a27ab84fd32040e044222/config/ntop2/ntop.xml
  • ?

    Snort blocking

    3
    0 Votes
    3 Posts
    1k Views
    bmeeksB
    @Amirkabir: Hi I want to know how pfsense snort package block attacking hosts. Is there a plugin like snortsam in snort package? Snort on pfSense makes use of an old third-party open-source plugin called Spoink.  This is compiled into the Snort binary on pfSense as an output plugin.  It sees all of the alerts and examines the IP addresses and compares them to an internal whitelist table.  Any IP address not matching up with a whitelist entry is then "blocked".  This blocking is done by calling the BSD pf (packet filter) API to insert the offending IP address into a block table called snort2c.  Currently snortsam is not used. Bill
  • L

    Squid reverse - redirects?

    11
    0 Votes
    11 Posts
    17k Views
    P
    I was working on this exact problem with preserving the URI during redirect and had stumbled upon this thread.  I thought I would share the solution to help others who may be in the same boat.  Squid 3.2 required. pfsense 2.0-RELEASE (i386) squid3-dev 3.3.8 pkg 2.2 Use '^/.*$' in the Path regex field to match on domain + whatever. http://wiki.squid-cache.org/Features/CustomErrors#deny_info_URL_codes_for_embedding Simply add %R to the 'URL to redirect to' field so it looks like this: 'https://pfsense.org%R'  In this case, http://pfsense.org/mysuperpage.php redirects to https://pfsense.org/mysuperpage.php
  • S

    How run pftop on VLAN Interfaces

    2
    0 Votes
    2 Posts
    847 Views
    jimpJ
    pftop -i (real name of the interface) e.g. pftop -i em1_vlan22 Seems to work for me.
  • S

    Block file sharing inside the LAN

    3
    0 Votes
    3 Posts
    2k Views
    O
    marcelloc is right, a Firwall or Gateway can't filter LAN to LAN because it is normally Layer3 device. You should use something like Asymmetric VLAN, so you dont need a lot of subnets to filter. Ceep it simple Here is something to read: ftp://ftp.dlink.es/FAQs/TS_AV.pdf ftp://ftp.dlink.de/anleitungen/Switch/DGS-12xxT_Howto_de_overlapping_vlan_Rev_D.pdf Edit: Cisco explains it too http://www.cisco.com/en/US/docs/switches/connectedgrid/cgs2520/software/release/15_0_2_ed/configuration/guide/cgs_asym-vlan.pdf
  • L

    Squid 3.1.20 pkg 2.0.6 - custom option question

    4
    0 Votes
    4 Posts
    1k Views
    marcellocM
    @Legion: Thanks marcelloc. Doing that at least changed the error message to: TCP_MISS/503 0 CONNECT some_rfc_1918_address_but_not_in_my_local_net:utorrent's_port - DIRECT/some_rfc_1918_address_but_not_in_my_local_net Maybe it's something to do with the CONNECT method? Where I'd normally expect the GET method? This torrent maybe trying to connect via ssl, that's why you only see CONNECT on logs
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.