1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    H
    Hello all, please dont shoot me on sight, im one of those who kinda set up things by following tutorials and actually see things how they look like on screen. And English is not my native language either. I setted up HAProxy with pfSense package for Nextcloud which works as VM at ip 192.168.1.214. It has self signed cert. I created ACME with Porkbun as wildcard and all that works totally fine. BUT i have big issue which i dont know how to solve. When im acessing by nextcloud.mydomain.xx in LOCAL LAN it serves page fine, but it uses self signed cert. Will someone, please, by example show me how to create working rule which will force pfSense to serve 192.168.1.214 and all its translation or whatever exclusively outside? Bare in mind that 214 has to be able to lurk in 192.168.1.0/24 also, since data storage is served by NFS on TrueNas. 192.168.1.1 (pfSense IP), 192.168.1.214 (Nextcloud IP) All works fine from outside, but from local LAN it bypase HAProxy, and serve nextcloud internal cert with correct domain name nextcloud.mydomain.xx . Well it seems that only bypas cert part since domain works. Somehow it resolve. This is what dig command does from local lan: ;; ANSWER SECTION: nextcloud.domain.xx. 3600 IN A 192.168.1.1 nextcloud.domain.xx. 3600 IN A 192.168.1.214 ;; Query time: 0 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP) ;; WHEN: Thu Oct 30 08:48:37 CET 2025 ;; MSG SIZE rcvd: 83 Main problem here is that Nextcloud app go stuck when we are on local network. It does not work since it gets different cert. It does not even ask do we want to accept it or not. Even if does it will be bit weird to do that every time we come home. Many thnx in advance!

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    B
    @Greyhat I think it's useful to work with what we've got and figure something out for the (i hope) edge cases later. So for the JSON I figured you can actually use an existing suricata integration by co-opting their pipelines.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @dma_pf Debt collector, or debt relief service?

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @netboy said in Docker container for nut server?: I am NOT installing docker in pfsense - offcourse this is a big security risk - I agree !!! My apologies. I interpreted your earlier question I think i need to explain what i am asking for. I am fully aware if your netgate router is attached to an UPS you can configure netgate. Let us say you 5 UPS's in your home and you want nut server to read all the UPS's and show me a dasboard about the status of all the UPS's ? - Is there a ready made docker container for client server nut with dashboard functionality? as a request to have something running on pfSense, which is why I responded I believe most people would say that the type of thing you are asking for isn't something you want to run on your firewall. I recommend using a general purpose operating system behind the firewall instead. Mutual misunderstanding I guess. If you want to explore general NUT monitoring, and not something particular to pfSense, I would recommend the NUT Users list as a better place to seek information.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    92 Topics
    638 Posts
    L
    @Vad-B Interesting indeed! I just tried to fill the Pre-authentication Key with file:/dev/null. I get an crash in pfsense after some time, but when I login again is saved. For me this for after service restarts at least this solves it, including the issue with the routes not being advertised even set in the WebUI. Havent done an full restart of pfsense (yet)

  • Discussions about WireGuard

    711 Topics
    4k Posts
    D
    Hello, I’m wondering if it’s possible to have a private vpn wireguard server on pfsense and to also have a personal wireguard server such that friends can link to your pfsense network but also be under the private vpn, nordvpn for example. Is that possible to with routing?
Log in to post
Load new posts
  • JSmoradaJ

    Is anyone working on a RustDesk package?

    2
    0 Votes
    2 Posts
    646 Views
    M
    @JSmorada I'm not using rustdesk, but there is a docker option if you don't want to spin up a VM.. https://rustdesk.com/docs/en/self-host/rustdesk-server-oss/docker/#install-your-own-server-with-docker
  • C

    Crowdsec finally comming to pfSense

    68
    2 Votes
    68 Posts
    20k Views
    Sergei_ShablovskyS
    @provels said in Crowdsec finally comming to pfSense: Have there been any more thoughts about including Crowdsec as an official pfSsense package? Upvoting this!
  • S

    BIND Package and RFC 2317 Classless IN-ADDR.ARPA delegation

    1
    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
  • I

    Prometheus node_exporter - does not show up in Grafana

    1
    0 Votes
    1 Posts
    352 Views
    No one has replied
  • I

    zabbix connection failures

    2
    1
    0 Votes
    2 Posts
    454 Views
    A
    @isaaclondo09 SSH into your pfSense box and run this command: /usr/local/sbin/zabbix_agentd -f That will show any early output and the cause of the failure to start. Usually it will be a parameter error. What is the IP of your Zabbix server? It looks like the agent's the Server Active parameter is set to 192.168.13.148 for active checks but the server is rejecting the connection. Passive checks (from the server) are coming from 192.168.13.109 but the agent is rejecting them because the Server parameter is set to 192.168.13.190.
  • E

    How to run zenarmor locally in Pfsense?

    2
    0 Votes
    2 Posts
    574 Views
    M
    @enesas follow up with the zen armor team on an official pfsense package. https://www.zenarmor.com/contact
  • W

    [solved] FreeRADIUS 3.x package LDAP/OTP problem

    6
    0 Votes
    6 Posts
    2k Views
    W
    @lawern Good to hear :) I think I also updated it once or twice to be compatible, but we used it until we replaced the gateway. Until then I think there was no easy alternative to this.
  • M

    Telegraf Package needs an update

    1
    2
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • mtarboxM

    Email Reports WebGUI crashes February 2025

    5
    0 Votes
    5 Posts
    662 Views
    GertjanG
    @mtarbox said in Email Reports WebGUI crashes February 2025: https://github.com/pfsense/FreeBSD-ports/commit/c49098e2900a9211de44dc0b9937235ce9d638a2.diff Ah, ok, the pfSense-pkg-mailreport package. [image: 1739975511317-fe37f9ae-869e-4abe-ae82-918dfe2d5ac7-image.png] Package make less - or, AFAIK, not use of the patches system. If a patch exists fro them, then package is rebuild and you are proposed to update it.
  • R

    Using stunnel with Google LDAP

    solved
    3
    0 Votes
    3 Posts
    948 Views
    R
    After clearing the Protocol field in stunnel config, which I had originally set to ldap, saving the change, and restarting stunnel service, executing a connection test from the Toshiba MFD was successful. And after adding the Google Workspace server entry in the Toshiba MFD LDAP Client settings as a directory/service option (click Server Assignment button, also in MFD LDAP Client settings), Google Workspace directory searches from the Toshiba MFD are working as expected.
  • K

    How to block specific webpage and not a all website

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG
    @KelvinU said in How to block specific webpage and not a all website: sounds NL, right? Born over there, exact. Living in France for the last 3 decades. @KelvinU said in How to block specific webpage and not a all website: though it came somewhat pretentious, right?! What makes you assume I'm a newbie? Lol, you first : what makes you presume that I assume you are a newbie ? But I get your point ^^ It's true, I am and I was pushing a bit. My point of view : About the proxy solution : me talking about planes was just an very accessible way to make you understand what the (imho) real question is. A lot of people fly planes. It's feasible. It just needs a lot of work. It's just that you were asking about why "/this/" isn't accessible to pfSense and/or anything else other then your browser and the web server on the other side. So I kicked of my way of saying : go have a look. I good have finished the question with one question back : do you know what https is ? (I sometimes do - as this is not a ). And I'm hoping I waked up your curiosity, that you dive into it, and then come back here and tell us how you did it. Because I'm still waiting as I never had the patience and/or time to use a proxy set up myself. Also, I don't have the age neither the young kids at home that motivates me being able to see my own traffic, let alone traffic off other people. That makes me feel very uncomfortable. @KelvinU said in How to block specific webpage and not a all website: and I've learned that we should never say, "No one. Not pfSense. Nobody. Not on planet Earth." and I fully agree with you. And we also enter into the "computer politics" now. So no more black and white, all becomes suddenly 'gray'. And it always was. If TLS (real time) decoding was possible, while the private key is unknown, this would mean "some one" could listen into your TLS connections at any time. I get it, it's the role of every big (governmental ?!) organization to let us know, the big public, that it's a scandal according to them, that they can't do their job right (protecting all of us, the big public), that they can't access your phone's traffic, can't see what you are saying (writing) to some one else. as national security is at stake here. So they say, your traffic is hidden and that's a problem for them - and this for us. edit : still looking for the country where the usage of TLS or comparable is forbidden by law ^^ And at the same time, somewhere hidden, down deep, in zone 51, they have this quantum computer that can tap into everything all ready using, probably, a back door key ? Maybe. And they won't say any one of course that they actually can I get that (except for tiktok of course). Let's give the public the impression they are safe, so the will "speak" freely, not knowing that some one listens in after all. If that capability was known, then Internet as a communication method would fall .... world economy would fall. But real time brut-forcing their way in ? Well ... do the math yourself ^^ Keep in mind : most of what I said above is "afaik" and "imho". @KelvinU said in How to block specific webpage and not a all website: I know a ton of GertJan Oula ... why even bother posting here - come and see me !? As I've questions also, and not only pfSense.
  • B

    Zabbix Proxy on 2.7.3

    7
    1 Votes
    7 Posts
    3k Views
    steve.scotterS
    I've been forced to upgrade to Zabbix 7.0 due to the previous LTS version 6.0 going EOL on February 28, 2025. (https://www.zabbix.com/life_cycle_and_release_policy) The Zabbix Proxies I have are also 6.0 LTS and I've just discovered there is no 7.0 package. I'm also seeing a lot of the following messages in my zabbix logs... 9868:20250208:120811.048 Proxy "FW-1" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.086 Proxy "FW-2" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.269 Proxy "FW-3" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.366 Proxy "FW-4" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.393 Proxy "FW-5" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.403 Proxy "FW-6" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.436 Proxy "FW-7" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.489 Proxy "FW-8" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9866:20250208:120811.644 Proxy "FW-9" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9866:20250208:120811.700 Proxy "FW-10" version 6.0.27 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.911 Proxy "FW-11" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. So I'm basically stuff. Rolling my Zabbix server back isn't an option due to EOL/compliance issues. And I seem unable to install the Zabbix 7 agent or proxy on pfsense. It seems as though the pfsense communication edition is dead?
  • L

    Do I Need to Revert Patches Before Upgrading pfSense?

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG
    @leeroy said in Do I Need to Revert Patches Before Upgrading pfSense?: We don’t have any custom packages Make : [image: 1738773582966-61aef0a2-815f-46fa-b99f-95174dc0a65f-image.png] an exception. It's made by Netgate, for pfSense. Even if you don't think you need it, you need it. Probably because Netgate knows more about pfSense then we do
  • I

    Packages showing as up to date - they are not. 2.7.2

    6
    0 Votes
    6 Posts
    861 Views
    S
    @iStuart said in Packages showing as up to date - they are not. 2.7.2: link that states what the latest version is? I don't think so. Usually it's discussed in the forum category here. There is https://www.patreon.com/pfBlockerNG but it isn't always posted there I think. Also https://www.reddit.com/r/pfBlockerNG/.
  • L

    cron package lead to boot issue

    3
    0 Votes
    3 Posts
    401 Views
    M
    I'm not seeing how the errors would trigger via the GUI - was the config.xml file manually modified?
  • T

    Suricata fails install

    9
    0 Votes
    9 Posts
    938 Views
    bmeeksB
    @TravisH said in Suricata fails install: @bmeeks That gave me the same errors, I might try a fresh install just to see if it has something else going on. Cheers I don't have any other suggestions, then. Those error messages appear to definitely originate from the pkg utility itself as it is creating the directories and copying the Suricata install files to the correct locations. The Suricata package is not even "alive" at that point (since it is in the process of being installed by the pkg utility). Have you monkeyed with any user permissions on the firewall? Can you remove and then successfully reinstall another package? What about trying to reinstall Snort again? What kind of hardware do you have? Is it something with an eMMC disk? Perhaps it has gone into "read only" mode ???
  • E

    haproxy does not start when pfsense start

    1
    0 Votes
    1 Posts
    527 Views
    No one has replied
  • J

    Avahi reflection filtering

    3
    1
    0 Votes
    3 Posts
    535 Views
    J
    @dennypage said in Avahi reflection filtering: You are conflating local services and service reflection between interfaces. They are unrelated. Thank you, I'll remove those entries.
  • T

    Telegraf service keeps stopping

    4
    0 Votes
    4 Posts
    696 Views
    C
    @Target-Bravo How did you enable debugging on this plugin?
  • L

    Avahi Crash on pfSense 2.7.2

    5
    0 Votes
    5 Posts
    531 Views
    stephenw10S
    Hmm, not familiar. Backtrace: db:0:kdb.enter.default> bt Tracing pid 87885 tid 100340 td 0xfffffe006a4e7ac0 kdb_enter() at kdb_enter+0x32/frame 0xfffffe0063881830 vpanic() at vpanic+0x163/frame 0xfffffe0063881960 panic() at panic+0x43/frame 0xfffffe00638819c0 trap_fatal() at trap_fatal+0x40c/frame 0xfffffe0063881a20 calltrap() at calltrap+0x8/frame 0xfffffe0063881a20 --- trap 0x9, rip = 0xffffffff80ee0935, rsp = 0xfffffe0063881af0, rbp = 0xfffffe0063881ba0 --- in_joingroup_locked() at in_joingroup_locked+0x335/frame 0xfffffe0063881ba0 inp_setmoptions() at inp_setmoptions+0x11c6/frame 0xfffffe0063881d30 sosetopt() at sosetopt+0xb4/frame 0xfffffe0063881d80 kern_setsockopt() at kern_setsockopt+0xa5/frame 0xfffffe0063881de0 sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe0063881e00 amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe0063881f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0063881f30 --- syscall (105, FreeBSD ELF64, setsockopt), rip = 0x82687dd0a, rsp = 0x8203704f8, rbp = 0x820370550 --- Panic: <6>vlan0: changing name to 'ixv0.7' <6>ixv0: link state changed to DOWN <6>ixv0: link state changed to UP arprequest_internal: cannot find matching address Fatal trap 9: general protection fault while in kernel mode cpuid = 6; apic id = 06 instruction pointer = 0x20:0xffffffff80ee0935 stack pointer = 0x28:0xfffffe0063881af0 frame pointer = 0x28:0xfffffe0063881ba0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 87885 (avahi-daemon) rdi: fffff80003c2c480 rsi: 0000000000000000 rdx: 00000000000000a0 rcx: 0000000000000020 r8: 0000000000000000 r9: 00000000000000f8 rax: 14d81dff33337b20 rbx: fffffe006a4e7ac0 rbp: fffffe0063881ba0 r10: 0000000000000000 r11: fffffe006a4e7fe0 r12: 0000000000000000 r13: fffffe0063881c04 r14: fffff800797d9800 r15: fffff80003c2c400 trap number = 9 panic: general protection fault cpuid = 6 time = 1734052404 KDB: enter: panic It's interesting that it seems to re-create the interface after boot. Did you resave something there? I'd have to guess it's some hardware off-loading in the ixv driver causing problem there when it tried to jpin the multicast group. What hardware offloading is shown as capable or enabled by ifconfig -m ixv0 or for ifconfig -m ixv0.7?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.