Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    Laxarus

    I am trying to use a rule to whitelist IPs for a specific backend in my frontend.

    Basically: use the X backend if the host matches xxx.com and the IP is whitelisted in a pfSense-defined IP alias list.

    The problem is I am using the Cloudflare proxy and need to inspect the CF-Connecting-IP.

    And to do that I am using Custom ACL like this

    req.hdr(CF-Connecting-IP) -f /var/etc/haproxy/ipalias_Allowed_IPs.lst

    The Alias is defined in the firewall named Allowed_IPs.

    But this list does not get created unless I use something standard like "Source IP matches IP or IP Alias". Is there another way to refer to the created Aliases so that they are created properly?

    The workaround for this is to create a dummy acl with "Source IP matches IP or IP Alias" that does nothing but it is not a good solution.

    Edit: One more thing I noticed is that when the alias list is updated, this does not get reflected in the HAProxy lists in /var/etc/haproxy/ until HAProxy is restarted.
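
The rule described in this post, modelled in Python as an added example (not code from the post, from HAProxy or from the pfSense HAProxy package). It parses an alias list in the one-address-or-CIDR-per-line form that an HAProxy `-f` file uses, matches `CF-Connecting-IP` against it, and adds the check a practitioner wants next to that ACL: the header is only meaningful when the TCP peer is actually a Cloudflare edge, because on any other connection a client can send `CF-Connecting-IP: <whitelisted address>` itself and walk past the list. The list contents, the Cloudflare range, the file names in the docstring and the host name xxx.com are constructed for the example.

```python
"""Backend selection with a CF-Connecting-IP allow list, as HAProxy evaluates it.

Added example; not from the post, HAProxy or the pfSense HAProxy package.
Equivalent HAProxy ACLs (file names assumed):
    acl from_cf  src -f /var/etc/haproxy/cloudflare_edges.lst
    acl allowed  req.hdr(CF-Connecting-IP) -f /var/etc/haproxy/ipalias_Allowed_IPs.lst
    use_backend X if { req.hdr(host) -i xxx.com } from_cf allowed
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of an alias list as HAProxy's -f reads it: one address or
# CIDR per line; comments and blank lines are ignored.
ALLOWED_IPS_LST = """\
# ipalias_Allowed_IPs.lst (constructed sample)
203.0.113.7
198.51.100.0/24
"""

# Constructed stand-in for the Cloudflare edge ranges (assumption: in production
# this file holds the ranges Cloudflare publishes and is kept current).
CLOUDFLARE_EDGES_LST = """\
192.0.2.0/24
"""


def parse_lst(text: str) -> List[Net]:
    """Parse an address list into networks; a bare address becomes a /32 or /128."""
    nets: List[Net] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_list(addr: str, nets: Iterable[Net]) -> bool:
    """True if addr (a string, possibly attacker-supplied) falls in any network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # garbage in the header never matches
    return any(ip in n for n in nets)


def choose_backend(host: str, src_ip: str, headers: Dict[str, str],
                   allowed: Iterable[Net], cf_edges: Iterable[Net],
                   target_host: str = "xxx.com") -> Optional[str]:
    """Return "X" for the protected backend, None to fall through to the default.

    src_ip is the TCP peer address (HAProxy's `src`); headers are the request
    headers. CF-Connecting-IP is consulted only when src_ip is a Cloudflare
    edge, because on any other connection the header is plain client input.
    """
    if host.lower() != target_host.lower():
        return None
    if not in_list(src_ip, cf_edges):
        return None
    hdrs = {k.lower(): v for k, v in headers.items()}
    return "X" if in_list(hdrs.get("cf-connecting-ip", ""), allowed) else None
```

Whatever file backs the `from_cf` list needs the same care the post describes for the alias file: it has to exist before HAProxy starts and be reloaded when the ranges change, or the source check silently fails closed.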

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts

    oh ok. Thanks again

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts

    @Gertjan Thanks for the thoughts!!
    I find that most Windows PCs generate more traffic in general. There is lots of app and utilities that cause the traffic.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    98 Topics
    2k Posts

    @dennypage said in NUT suddenly stops working every app. 6 minutes:

    Okay, that is entertaining to say the least. Does "66da6bc012db26058161" happen to be the locally generated password for local-monitor?

    I have not the slightest idea! Never seen this before!!!!

    Rest: Will be delighted to do so! Thanks for the instructions.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    492 Topics
    3k Posts
    Gertjan

    @luxor84

    Why edit the pork_burn.sh file?
    You started with a cleaner solution: a patch. Why not include a patch for the pork_burn.sh file?

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    Hi,

    We are running 25.03-BETA and running into an issue with the FRR and BGP processes disconnecting at the control level. It manifests as BGP being stuck in the Active state from the GUI and FRR point of view (even vtysh thinks so), while the BGP process is actively keeping the connection up in the background. No routes are being populated into the routing table, but they are being announced, as confirmed by our peer:

    Nothing in routing, BGP neighbor is active, so no routes should be in.

    10.206.238.225 4 65228 0 2309 0 0 0 never Active 0 Odido BGP via

    So far it looks good, but the session is already established:

    >>> tcpdump -i ipsec2
    07:23:11.642870 IP 10.206.238.225.bgp > 10.206.238.226.49408: Flags [P.], seq 2440502671:2440502690, ack 2016892785, win 11, options [nop,nop,md5 shared secret not supplied with -M, can't check - 2ed14f304978416f8007afca427f988d], length 19: BGP
    07:23:11.642939 IP 10.206.238.226.49408 > 10.206.238.225.bgp: Flags [.], ack 19, win 131, options [nop,nop,md5 shared secret not supplied with -M, can't check - 078b7005ba698e2b636e70eb2c37e234], length 0
    >>>
    USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
    ...
    frr bgpd 76872 22 tcp4 10.206.238.226:49408 10.206.238.225:179

    The FRR restart doesn't help:

    /usr/local/etc/rc.d/frr restart
    Stopping watchfrr.
    Waiting for PIDS: 2357.
    Starting watchfrr.
    [58970|mgmtd] sending configuration
    Waiting for children to finish applying config...
    [59017|zebra] sending configuration
    [59963|bgpd] sending configuration
    [61500|staticd] sending configuration
    [61157|watchfrr] sending configuration
    [59017|zebra] done
    [58970|mgmtd] done
    [61157|watchfrr] done
    [61500|staticd] done
    [59963|bgpd] done

    The BGP process ID 59963 is different from 76872!!!

    >>>> ps -ax | grep 76872
    76872  -  Ss  0:02.09 /usr/local/sbin/bgpd -A 127.0.0.1 -F traditional -d
    62041  0  S+  0:00.00 grep 76872
    >>>> sockstat -4
    USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
    ...
    frr bgpd 76872 22 tcp4 10.206.238.226:49408 10.206.238.225:179

    After killing the process, restarting FRR, and checking for the traffic and routes:

    >>> kill -KILL 76872
    >>> ps -ax | grep 76872
    21650  0  S+  0:00.00 grep 76872
    >>> /usr/local/etc/rc.d/frr restart
    Stopping watchfrr.
    Waiting for PIDS: 88383.
    Starting watchfrr.
    [27380|mgmtd] sending configuration
    [27540|zebra] sending configuration
    [28677|bgpd] sending configuration
    Waiting for children to finish applying config...
    [27380|mgmtd] done
    [30560|staticd] sending configuration
    [30405|watchfrr] sending configuration
    [27540|zebra] done
    [28677|bgpd] done
    [30560|staticd] done
    [30405|watchfrr] done
    >>> ps -ax | grep bgp
    11708  -  Ss  0:05.87 /usr/local/sbin/bgpd -A 127.0.0.1 -F traditional -d
    31648  0  S+  0:00.00 grep bgp
    >>> tcpdump -i ipsec2
    07:31:08.709787 IP 10.206.238.225.bgp > 10.206.238.226.26294: Flags [P.], seq 1180140056:1180140117, ack 3799507337, win 11, options [nop,nop,md5 shared secret not supplied with -M, can't check - d6b2c0bac2ebb8cf1058d365224d4c5c], length 61: BGP
    07:31:08.709850 IP 10.206.238.226.26294 > 10.206.238.225.bgp: Flags [.], ack 61, win 131, options [nop,nop,md5 shared secret not supplied with -M, can't check - 9dec3ac243f71d5f90e285627b2cd9e5], length 0
    >>> show bgp summary
    Neighbor        V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd  PfxSnt  Desc
    10.206.238.225  4  65228  3        494      5       0    0     00:00:48  4             5       Odido BGP via
    >>> show bgp ipv4 unicast
    Network              Next Hop         Metric  LocPrf  Weight  Path
    *> 10.204.50.4/32    10.206.238.225                   0       65228 ?
    *> 10.204.50.12/32   10.206.238.225                   0       65228 ?
    *> 10.204.52.4/32    10.206.238.225                   0       65228 ?
    *> 10.206.238.192/27 0.0.0.0          0               32768   ?
    *> 172.27.0.0/16     10.206.238.225                   0       65228 ?
    >>> netstat -rn
    ...
    B>* 10.204.50.4/32 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44
    B>* 10.204.50.12/32 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44
    B>* 10.204.52.4/32 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44
    B>* 172.27.0.0/16 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44

    Has anyone seen anything like this? We could have lived with BGP being down and no routes, but it is announcing, and the traffic is expected on the wrong interface at the destination firewall.

    Regards
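
A check for the condition diagnosed in this post, added here as an example (not code from the post, from FRR or from pfSense): after `/usr/local/etc/rc.d/frr restart`, a bgpd from before the restart can survive and keep the TCP session to the peer's port 179 (PID 76872 above) while vtysh reports the neighbour as Active. The functions below parse `sockstat -4` and `ps -ax` text and flag any bgpd that holds a BGP session but is not the daemon named in the pidfile. The pidfile path is an assumption, and the sample outputs are constructed from the values in the post. Note from the post's second run that the PID watchfrr prints (`[28677|bgpd]`) is not the PID `ps` later shows (11708), so the restart log is not a reliable reference for which bgpd is current; the pidfile or `ps` is.

```python
"""Find a stale bgpd that still owns the BGP TCP session after an FRR restart.

Added example; not from the post, FRR or pfSense. Parses `sockstat -4` and
`ps -ax` output in the FreeBSD column layout shown in the post.
"""
import re
import subprocess
from typing import Dict, List, Set

BGP_PORT = "179"
BGPD_PIDFILE = "/var/run/frr/bgpd.pid"  # assumption: FRR's default pidfile location

# Constructed from the post: the old bgpd (76872) holds the session to the peer.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
frr      bgpd       76872 22 tcp4   10.206.238.226:49408  10.206.238.225:179
root     sshd       1234  4  tcp4   10.0.0.1:22           10.0.0.2:50000
frr      zebra      59017 9  tcp4   127.0.0.1:2601        *:*
"""

# Constructed: two bgpd daemons alive at once, which FRR never intends.
PS_SAMPLE = """\
  PID TT  STAT    TIME COMMAND
76872  -  Ss   0:02.09 /usr/local/sbin/bgpd -A 127.0.0.1 -F traditional -d
59963  -  Ss   0:00.10 /usr/local/sbin/bgpd -A 127.0.0.1 -F traditional -d
62041  0  S+   0:00.00 grep bgpd
"""


def _port(endpoint: str) -> str:
    """Port part of 'addr:port' (also handles the '*:*' wildcard)."""
    return endpoint.rsplit(":", 1)[-1]


def bgp_session_owners(sockstat_text: str) -> Dict[int, List[str]]:
    """Map bgpd PID -> foreign endpoints of its TCP sessions involving port 179."""
    owners: Dict[int, List[str]] = {}
    for line in sockstat_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 7 or cols[1] != "bgpd":
            continue
        pid, local, foreign = int(cols[2]), cols[5], cols[6]
        if BGP_PORT in (_port(local), _port(foreign)):  # we may be either opener
            owners.setdefault(pid, []).append(foreign)
    return owners


def bgpd_pids(ps_text: str) -> Set[int]:
    """PIDs whose command is bgpd (ignores the grep that found them)."""
    pids: Set[int] = set()
    for line in ps_text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+\S+\s+(\S+)", line)
        if m and m.group(2).endswith("/bgpd"):
            pids.add(int(m.group(1)))
    return pids


def stale_bgpd(sockstat_text: str, ps_text: str, current_pid: int) -> Set[int]:
    """bgpd PIDs that hold BGP sessions but are not the daemon FRR manages."""
    running = bgpd_pids(ps_text)
    return {pid for pid in bgp_session_owners(sockstat_text)
            if pid != current_pid and pid in running}


def main() -> None:
    with open(BGPD_PIDFILE) as f:
        current = int(f.read().strip())
    sockstat = subprocess.run(["sockstat", "-4"], capture_output=True,
                              text=True, check=True).stdout
    ps = subprocess.run(["ps", "-ax"], capture_output=True,
                        text=True, check=True).stdout
    print("stale bgpd holding sessions:", sorted(stale_bgpd(sockstat, ps, current)) or "none")
    print("other bgpd processes:", sorted(bgpd_pids(ps) - {current}) or "none")


if __name__ == "__main__":
    main()
```

Any PID this reports is the one to `kill -KILL` before restarting FRR, as the post ended up doing by hand; until it is gone the peer keeps a session that announces routes the new bgpd knows nothing about.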

  • Discussions about the Tailscale package

    86 Topics
    560 Posts

    @smurph82
    pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.0.pkg
    Latest

  • Discussions about WireGuard

    684 Topics
    4k Posts

    QR code for pfSense WireGuard will be awesome!

  • Crowdsec testing

    1
    0 Votes
    1 Posts
    566 Views
    No one has replied
  • Snort Interface - The Green Arrow!

    1
    0 Votes
    1 Posts
    172 Views
    No one has replied
  • SIProxd Quick Howto

    2
    1 Votes
    2 Posts
    325 Views
    chpalmer

    Just a side note: I have not always set the "proxy" in my client devices and it still would work, but sometimes the client device would bypass the proxy and cause me issues.

  • HAProxy - Files

    1
    0 Votes
    1 Posts
    178 Views
    No one has replied
  • HAProxy with ACME setup problems

    1
    0 Votes
    1 Posts
    237 Views
    No one has replied
  • Rules for UDP Broadcast Relay?

    3
    0 Votes
    3 Posts
    752 Views

    @jasch
    Thanks.
    I finally got around to trying again, but to no avail. I allow everything through (any/any/any/any, you get the drift). It seems like both ends, the music streamer on LAN and the smartphone on OPT1, succeed in passing multicast traffic to the multicast addresses. But the phone is still not aware of the streamer's existence unless I put them on the same subnet.
    I think I have to give up. I am fumbling in the dark too much.

  • Clear state on fallback

    2
    0 Votes
    2 Posts
    244 Views
    kiokoman

    @jwilli5646
    AFAIK this is normal behavior: old states remain on the backup until they expire, and new ones will be created on the primary WAN. If you search the forum, there was someone who invented some script to automate this, if my memory's correct.

  • net-snmpd service not starting

    1
    0 Votes
    1 Posts
    184 Views
    No one has replied
  • pfBlockerNG Count and Packets Query - Seems like little being captured

    24
    0 Votes
    24 Posts
    2k Views
    LPD7

    @Uglybrian Appreciate that feedback. Why would CPU usage be at 23% if at idle? That's where I am getting confused. CPU usage has for the most part been half this number or lower, and system activity is not showing it working on anything to justify the 23%. I may be looking at this wrong, but to my mind CPU usage would be a representation of how much the CPU is being put to work on a task/function. I am assuming idle is the correct state given the command column contents, and everything else in the system activity is or was at 0.00%.

  • freeradius3 seemed to use old certificate expiration date

    6
    0 Votes
    6 Posts
    616 Views
    johnpoz

    @pfpv From what I remember, Android was the biggest pain. At the time there was a thread going about someone who couldn't get his Android to add the CA at all, but our versions were different.

    With iOS, I do recall having to do something with the password on the cert or PKCS#12, because it didn't like just blank, so I used openssl to add a password. I think you can do it now in the GUI.

    With Windows I had to manually change the mode of the connection to enterprise, I believe.

    Oh, and I think there was something about having to set legacy in the openssl command to get it accepted as well. But what I can tell you for sure is that once they're added it doesn't ask you to re-trust them on every connection, etc.

    Haven't played with it in a long time, sorry. But my iPhone is using it, and it's gone through multiple upgrades of iOS and is still working, etc.

  • Freeradius3: No more automatic service restart upon config change?

    6
    0 Votes
    6 Posts
    545 Views

    @Gertjan said in Freeradius3: No more automatic service restart upon config change?:

    But : where do you see them ? The command line ?

    I see these messages in the system log in the pfSense GUI.

    @Gertjan said in Freeradius3: No more automatic service restart upon config change?:

    are normal messages.
    When settings are changed in the pfSense GUI for Freeradius, the process gets restarted.

    I also thought they were normal and expected but the title of this thread is "no more automatic service restart upon config change". Somehow this is not happening to the OP.

  • Telegraf stopped working after update to 2.7

    13
    0 Votes
    13 Posts
    2k Views

    @pavlos said in Telegraf stopped working after update to 2.7:

    The question remains, why different build dates? 2.7.2 stable should have a frozen repo. All of us who d/l pfSense CE 2.7.2 should have the same build date.

    Very interesting. I stumbled upon this post looking for something else. Well, my build date is different from your two:
    2.7.2-RELEASE (amd64)
    built on Wed Dec 6 15:10:00 EST 2023
    FreeBSD 14.0-CURRENT

    I wonder what's up with that.

  • Ram disk breaks ntopng

    1
    0 Votes
    1 Posts
    150 Views
    No one has replied
  • [RESOLVED] Request for help HAPROXY redirection to subdirectory.

    4
    0 Votes
    4 Posts
    5k Views

    @Tueurdragon Thanks!

  • Speedtest CLI. Run speedtest on pfSense box

    167
    0 Votes
    167 Posts
    146k Views

    with some minor changes this worked for me on version 24.03-release

    pkg search speedtest
    py311-speedtest-cli-2.1.3      Command line interface for testing internet bandwidth

    use this command to install

    pkg update ; pkg install -y py311-speedtest-cli && curl -o /usr/local/www/widgets/widgets/speedtest.widget.php https://raw.githubusercontent.com/aln-1/pfsense-speedtest-widget/master/speedtest.widget.php

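
A safer way to do the install step above, added here as an example (not code from the post, from the widget's repository or from pfSense). The one-liner fetches `speedtest.widget.php` from the `master` branch of a personal GitHub repository straight into the firewall's web root, so whatever that branch contains at that moment becomes part of the pfSense GUI on the next dashboard load. The script below downloads to a temporary file, compares its SHA-256 with a digest recorded after reviewing the file (EXPECTED_SHA256 is a placeholder, not a real digest), and only then moves it into place atomically. `selfcheck()` exercises the same path on a constructed file so the block runs offline.

```python
"""Checksum-pinned install of a third-party widget file.

Added example; not from the post, the widget's repository or pfSense.
"""
import hashlib
import os
import shutil
import tempfile
import urllib.request
from typing import Tuple

WIDGET_URL = ("https://raw.githubusercontent.com/aln-1/pfsense-speedtest-widget/"
              "master/speedtest.widget.php")
DEST = "/usr/local/www/widgets/widgets/speedtest.widget.php"
# Placeholder digest (assumption): replace with the SHA-256 of the file you reviewed.
EXPECTED_SHA256 = "0000000000000000000000000000000000000000000000000000000000000000"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def install_verified(src_path: str, dest: str, expected_sha256: str) -> bool:
    """Copy src to dest only if its SHA-256 matches; dest is untouched otherwise."""
    if sha256_of_file(src_path) != expected_sha256.lower():
        return False
    tmp = dest + ".tmp"
    shutil.copyfile(src_path, tmp)
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest)  # atomic rename: the GUI never sees a half-written file
    return True


def download_to_tempfile(url: str) -> str:
    """Fetch url into a temporary file outside the web root and return its path."""
    fd, path = tempfile.mkstemp(prefix="widget-")
    os.close(fd)
    urllib.request.urlretrieve(url, path)
    return path


def selfcheck() -> Tuple[bool, bool, bool, bool]:
    """Exercise install_verified on a constructed file.

    Returns (installed with wrong digest, dest exists afterwards,
             installed with right digest, dest exists afterwards).
    """
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "download.php")
        dest = os.path.join(workdir, "speedtest.widget.php")
        data = b"<?php /* constructed sample widget */ ?>\n"
        with open(src, "wb") as f:
            f.write(data)
        bad = install_verified(src, dest, "ab" * 32)  # wrong digest
        bad_exists = os.path.exists(dest)
        good = install_verified(src, dest, sha256_hex(data))
        good_exists = os.path.exists(dest)
        return bad, bad_exists, good, good_exists
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    path = download_to_tempfile(WIDGET_URL)
    try:
        ok = install_verified(path, DEST, EXPECTED_SHA256)
    finally:
        os.unlink(path)
    print("installed" if ok else "digest mismatch: nothing installed")
```

Pinning the URL to a specific commit instead of `master`, and running `php -l` on the downloaded file before installing it, are cheap additions to the same flow.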
  • Disable Tailscale status page

    2
    0 Votes
    2 Posts
    233 Views

    @gusIT

    Uninstall Tailscale package 🤣

    Seriously, why do you think you need to?

  • Please add autossh

    1
    0 Votes
    1 Posts
    269 Views
    No one has replied
  • HAproxy and Plex, help to understand

    4
    0 Votes
    4 Posts
    4k Views

    @waffull
    I've been trying to get HAproxy to work how I want as well, but I think I am missing a step.

    I can get it to work so long as I include the port number with the address, which is what I was trying to avoid. I think the problem is that if you're using a port other than 80 or 443 it doesn't forward to those ports (e.g. 5055). The problem I seem to have is that I have a Linux box with a handful of apps that all run on different ports. I could set one of them to 443 or another to 80 and I think HAproxy would work how I want, but that would really limit how many apps that box would be able to run. Unless I am missing some step. With my understanding, if Plex is on its default 32400 then you couldn't go to plex.myhouse.com without adding the port to the end. If I am wrong I would be happy to know where I am wrong and what I can do to fix it.

  • sshguard update question

    10
    0 Votes
    10 Posts
    863 Views
  • How to use the filer package?

    3
    0 Votes
    3 Posts
    288 Views
    wgstarks

    @mvikman
    Thanks. Looks like it has the ability to create a file but no way to add a file or edit/delete a file. There is also a sync tab, but the documentation appears to be missing for that. It just links to the pfSense docs, so no idea what that does or how to use filer to modify the auto config backup XML.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.