Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    Docker image for squid 7.3 and above: https://hub.docker.com/r/fredbcode/squid (if pfsense does not push the update).
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARA
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs; it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log
    I tried launching it manually:
    # /usr/local/bin/suricata -V
    or
    # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787
    and I get this output:
    ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"
    Thanks in advance, Dara
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:
    /usr/sbin/chown -R nobody:nobody /var/db/ntopng
    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @vicking said in No blocks on IP: Is it a bad idea to have the action set to deny both instead of inbound only?
    Question is squarely for admin. Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions:
    'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
    Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list
    Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction.
    In other words: When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However, a LAN host can still establish state to an otherwise listed IP. If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However, an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state. If set to "Deny Both", both incoming connection requests and outbound connection requests are blocked and therefore no state will be created regardless of connection direction.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    @dennypage Nicely done sir!
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.
  • Discussions about WireGuard

    715 Topics
    4k Posts
    patient0
    @andresbraga if you still have the firewall rules as you posted, then I don't know why from the laptop you can't ping the pfSense WireGuard address 10.10.6.1 nor the pfSense gateway 10.10.1.1. What is the routing table of the laptop? And I would run a packet capture on pfSense and check what you see if you run the ping to 10.10.1.1 or 10.10.6.1.
  • Oauth with Azure

    0 Votes
    1 Post
    356 Views
    No one has replied
  • LLDP Page not accessible

    0 Votes
    3 Posts
    591 Views
    manjotsc
    @bingo600 I didn't notice another package for similar functionality. I switch to that. Thanks,
  • Free Radius with Wifi and CBA

    0 Votes
    1 Post
    370 Views
    No one has replied
  • Trouble with unbound and telegraf

    0 Votes
    1 Post
    491 Views
    No one has replied
  • snort - LEGACY MODE ?

    0 Votes
    6 Posts
    1k Views
    chudak
    @bmeeks Thx! Happy Holidays!
  • STunnel multiwan support?

    0 Votes
    1 Post
    435 Views
    No one has replied
  • How do I install packages manually ?

    0 Votes
    4 Posts
    3k Views
    bmeeks
    @canernecocaner said in How do I install packages manually ?: @bmeeks Thank you very much for your answer. I understood the warnings and vulnerabilities. But I use pfsense for the hotspot. (I'm recording local users' internet access.) There is another firewall in front of the pfsense, for security purposes. The subject I still don't know is this: where, and why, can I download these packages (with additional shared libraries they are dependent on) from any windows computer and then transfer and install them to pfsense? Thanks
    You will need to locate a repository that keeps pre-compiled pkg format *.txz archives of the programs you want to install. That repository will also have to be the same FreeBSD version as your pfSense firewall. Currently the pfSense-2.4.5_p1 release is based on FreeBSD-11.3/STABLE. It may prove difficult to find an 11.3/STABLE public repository of compiled packages. You can use the built-in pfSense package repository as the pkg utility on the firewall is pre-configured to point there. However, that repository may not have all of the packages you want or need. That's because it is geared to supporting only what pfSense and its officially supported packages require.
    Another option is to create a FreeBSD-11.3/STABLE virtual machine, download and install the portsnap FreeBSD ports tree, and then compile the packages you need yourself into the required *.txz format for later transfer over to pfSense and then manual installation there. However, by the time you go to this much trouble you may as well just install the mysql DB server on that FreeBSD virtual machine (back to my original suggestion).
    This is "hard" because it is not a good thing to do, and few if any folks try it. Otherwise there would be a ton of "how-to" links on the web and everyone would have all kinds of other software applications running on their firewalls. I seriously doubt you will find an easy "click here, click there and presto it's done" way to do what you desire.
Instead of trying to install all this on a pfSense machine, why not use the bare metal hardware running pfSense to run a hypervisor like Proxmox, ESXi, Hyper-V, etc.? Then on the hypervisor you can create a pfSense virtual machine for the Captive Portal function, then create a separate FreeBSD-11.3/RELEASE virtual machine and install the mysql stuff there. Easy-peasy to do that without needing to transfer files around, compile packages yourself, or try to find a compatible public repository of pre-compiled packages.
  • FreeRadius and DNS Attribute

    0 Votes
    1 Post
    405 Views
    No one has replied
  • Is HaProxy vulnerable to CVE 2007-6750 ?

    0 Votes
    3 Posts
    821 Views
    manjotsc
    @kiokoman Thanks, for clarifying
  • Squid keeps switching to require sign in for wifi network

    0 Votes
    1 Post
    403 Views
    No one has replied
  • System Patches Fail to Install

    0 Votes
    10 Posts
    762 Views
    Rico
    For a Firewall 8G is a LOT in 98% use cases. ;-) -Rico
  • FreeRADIUS OVPN GAUTH

    1 Vote
    6 Posts
    2k Views
    While looking for a solution to this, I saw that it is now possible to set the OTP Label by adding a Description in the Users Edit page: [image: 1608129208713-21294a16-3167-474f-9564-339843f24e74-image.png] I'm using pfSense 2.4.5-RELEASE-p1 and freeradius3 0.15.7_20 Requested in Issue: https://redmine.pfsense.org/issues/8878 Corresponding Pull Request: https://github.com/pfsense/FreeBSD-ports/pull/779
  • SQUID is installed but not started. Not installing "filter" rules

    0 Votes
    3 Posts
    7k Views
    Solution: Services > Squid Proxy Server, SSL/MITM Mode: Splice All. Splice All: This configuration is suitable if you want to use the SquidGuard package for web filtering. All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according to its rules, as it does with HTTP. You do not need to install the CA certificate configured below on clients. Content filtering (such as Antivirus) will not be available for SSL sites.
  • 2.4.5_1 PHP Error installing HAProxy

    php error haproxy package install
    0 Votes
    8 Posts
    2k Views
    @piba said in 2.4.5_1 PHP Error installing HAProxy:
    unset($config['installedpackages']['haproxy']);
    write_config("fix haproxy install, remove empty config");
    print("config fixed?");
    By Jove Sir, I think you got it. I was able to install HaProxy.
  • AWS ssm agent for pfsense

    0 Votes
    3 Posts
    2k Views
    @bauerfyr to automate starting the service, create a wrapper file and place it in /usr/local/etc/rc.d, and you MUST have an extension of .sh, and it'll run. My file is "amazon-ssm-agent-wrapper.sh" and the contents are:
    #!/bin/sh
    # Resolve the directory this wrapper lives in, then start the agent binary next to it
    DIR="$( cd "$( dirname "$0" )" && pwd )"
    sh "$DIR/amazon-ssm-agent" onestart
    For the LOGGING of ssm agent to cloudwatch (if you are interested) you have to take the wayback machine b/c the ssm agent 2.3.x is so ancient. Go to /usr/local/etc/amazon/ssm, create a new file (start fresh) called seelog.xml (you'll see templates there), sample below. I wanted to split into two separate log files, but it doesn't look possible.
    <!--amazon-ssm-agent uses seelog logging -->
    <!--Seelog has github wiki pages, which contain detailed how-tos references: https://github.com/cihub/seelog/wiki -->
    <!--Seelog examples can be found here: https://github.com/cihub/seelog-examples -->
    <!--References to mods: -->
    <!--How to add cloudwatch: https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-ssm-agent.html -->
    <!--For "deep" examples: https://github.com/cihub/seelog/wiki/Example-config -->
    <seelog type="adaptive" mininterval="2000000" maxinterval="100000000" critmsgcount="500" minlevel="info">
      <outputs formatid="fmtinfo">
        <console/>
        <!-- <file path="/var/log/amazon/ssm/amazon-ssm-agent.log"/> -->
        <rollingfile type="size" filename="/var/log/amazon/ssm/amazon-ssm-agent.log" maxsize="10000000" maxrolls="5"/>
        <filter levels="error,critical" formatid="fmterror">
          <rollingfile type="size" filename="/var/log/amazon/ssm/errors.log" maxsize="10000000" maxrolls="5"/>
          <!-- LINE BELOW DOESN'T WORK YET - it gets overwritten by next "cloudwatch_receiver stmt." -->
          <!-- <custom name="cloudwatch_receiver" data-log-group="ssm-agent-errors"/> -->
        </filter>
        <!-- ENTER THE CLOUDWATCH LOG GROUP NAME AFTER 'data-log-group' -->
        <custom name="cloudwatch_receiver" formatid="fmtinfo" data-log-group="ssm-agent-log"/>
      </outputs>
      <formats>
        <format id="fmterror" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
        <format id="fmtdebug" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
        <format id="fmtinfo" format="%Date %Time %LEVEL %Msg%n"/>
      </formats>
    </seelog>
  • HAproxy config for Rancher

    0 Votes
    1 Post
    1k Views
    No one has replied
  • 0 Votes
    1 Post
    4k Views
    No one has replied
  • Bind - Setup pfSense as slave DNS server

    bind dns
    0 Votes
    21 Posts
    7k Views
    johnpoz
    @gertjan said in Bind - Setup pfSense as slave DNS server: your DNS zone has to be fully IPv6 and IPv4
    Don't agree with this.. While sure if you have IPv6 then yeah be nice to do that.. But it sure doesn't have to do anything IPv6.. And while I agree you should do dnssec - again not a requirement.. You do not have to setup dnssec - and people using dnssec will still resolve you. Unless you try to setup dnssec and you mess it up.. Then yeah if your dnssec fails you won't resolve.
    He is trying to show you that yes it gets complicated very quickly.. But when it comes down to setting up a slave: you tell your master what IPs your slaves are, and you setup the zones on your slave and tell them the IP of the master.
    But he makes a good point about your PTR.. Can you even set that on either of your NSers' IPs? That really should be set.. Is where you're running pfsense even a static IP? What are you going to do if someone attacks your dns? What are you going to do if someone tries to use your NSers for an amplification attack and you didn't secure for that? What you're using for NS should not be recursive.. An authoritative NS should not do queries for other clients. They only should answer for the domains they are authoritative for..
  • Freeradius LDAP auth problem

    0 Votes
    3 Posts
    639 Views
    viktor_g
    @legtpa what kind of modifications? Maybe new WebGUI checkboxes are needed? You can create a feature request: https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html
  • HAProxy Caused Total Network Outage - Dissecting What Went Wrong

    0 Votes
    1 Post
    291 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.