Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nian
    @rlrobs Yes it’s still working fine here.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    @pulsartiger The database name is vnstat.db and its location is under /var/db/vnstat. With "Backup Files/Dir" we are able to do backup or also with a cron.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    I resolved this by accepting the T+Cs via https://www.maxmind.com/en/accounts/1205389/geolite2/eula
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

      Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.

    Glad you have it sorted.

      There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded?

    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).

    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command:

      [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
      VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
      VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
      VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
      [25.07-RC][root@fw]/root:

    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

      You might consider adding this resolution to the release notes for 2.8.

    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
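    An added example, not from dennypage's reply or from the NUT package, that does the same check programmatically: it parses the usbconfig dump_device_quirks lines quoted above, reports whether a given VID/PID/revision is covered by a quirk, and builds the runtime (usbconfig add_dev_quirk_vplh) and persistent (hw.usb.quirk.N in loader.conf) forms for a device that is not. The REVLO/REVHI range semantics and the two output formats follow usbconfig(8) and usb_quirk(4); the function names are mine. Without UQ_HID_IGNORE the kernel HID driver claims the UPS and a userland NUT driver cannot open it, so this is the first thing to check for a UPS that NUT cannot see.

```python
import re

# Constructed sample: the three lines pasted in the reply above.
SAMPLE_QUIRKS = """\
VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
"""

QUIRK_LINE = re.compile(
    r"VID=(?P<vid>0x[0-9a-f]+)\s+PID=(?P<pid>0x[0-9a-f]+)\s+"
    r"REVLO=(?P<lo>0x[0-9a-f]+)\s+REVHI=(?P<hi>0x[0-9a-f]+)\s+QUIRK=(?P<quirk>\w+)",
    re.IGNORECASE,
)


def parse_quirks(text: str) -> list:
    """One dict per quirk line; prompts, blanks and other noise are skipped."""
    entries = []
    for line in text.splitlines():
        m = QUIRK_LINE.search(line)
        if m:
            entries.append({
                "vid": int(m["vid"], 16), "pid": int(m["pid"], 16),
                "lo": int(m["lo"], 16), "hi": int(m["hi"], 16),
                "quirk": m["quirk"].upper(),
            })
    return entries


def quirks_for(entries: list, vid: int, pid: int, rev: int = 0) -> list:
    """Quirks that apply to this device. The bcdDevice revision must fall
    inside [REVLO, REVHI]; 0x0000..0xffff means 'any revision'."""
    return [e["quirk"] for e in entries
            if e["vid"] == vid and e["pid"] == pid and e["lo"] <= rev <= e["hi"]]


def add_quirk_command(vid: int, pid: int, quirk: str, lo: int = 0, hi: int = 0xFFFF) -> str:
    """Runtime form, usbconfig(8); it does not survive a reboot."""
    return f"usbconfig add_dev_quirk_vplh 0x{vid:04x} 0x{pid:04x} 0x{lo:04x} 0x{hi:04x} {quirk}"


def loader_conf_line(index: int, vid: int, pid: int, quirk: str, lo: int = 0, hi: int = 0xFFFF) -> str:
    """Persistent form for /boot/loader.conf.local, see usb_quirk(4)."""
    return f'hw.usb.quirk.{index}="0x{vid:04x} 0x{pid:04x} 0x{lo:04x} 0x{hi:04x} {quirk}"'


if __name__ == "__main__":
    table = parse_quirks(SAMPLE_QUIRKS)
    for vid, pid in ((0x0764, 0x0601), (0x0764, 0x0999)):
        found = quirks_for(table, vid, pid)
        print(f"{vid:04x}:{pid:04x} -> {found or 'no quirk'}")
        if not found:
            print("  ", add_quirk_command(vid, pid, "UQ_HID_IGNORE"))
            print("  ", loader_conf_line(0, vid, pid, "UQ_HID_IGNORE"))
```

    In practice you feed it the real output (usbconfig dump_device_quirks) and the idVendor/idProduct/bcdDevice values from usbconfig dump_device_desc for the UPS; a hit for the device means the kernel is deliberately leaving it alone and the NUT driver is the next thing to look at.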
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan
    @EChondo What's your pfSense version? The instructions are shown here:

      [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png]

    A restart of a service will start by re-creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

      I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days. You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.
  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    @div444 I'm finding the same - did you find a solution or did reverting fix it? Hoping there is a patch fix or something to get it working! Rather not roll back if I can avoid it.
  • Discussions about the Tailscale package

    90 Topics
    580 Posts
    @Gertjan Thanks. This is a compiled binary, the Tailscale VPN network mesh using WireGuard. So this is a definite no then.
  • Discussions about WireGuard

    692 Topics
    4k Posts
    Hi, about 2 years ago I tried to set up a site-to-site VPN with WG between pfSense and a Fritzbox. But due to the weird Fritzbox WG implementation I dismissed that after several fails and continued to use IPsec. Now I have a new site with a new Fritzbox and again I am trying to set up WG. But I am stuck at one point: as far as I remember, during my trials 2 years ago I was able to use the same interface assignment for both tunnels:

      [image: 1754322720877-dba32db1-75fa-4d24-9d50-d78ee39f8caa-grafik.png]

    But now I can't set the VPNWG on tun_wg1 too, no chance. Am I remembering wrong? Or was there a change in pfSense/WG package? Regards
  • Schema for certificate to use on HAProxy and internal websites

    1
    0 Votes
    1 Posts
    338 Views
    No one has replied
  • 1 Votes
    1 Posts
    540 Views
    No one has replied
  • SG-1100 with AVAHI - Issues with SamSung SmartThings?

    4
    0 Votes
    4 Posts
    658 Views
    Well, I realized after typing it was probably a better idea if I had placed the question on the Avahi Forum. @tman222 , thanks for the input. As it turns out just as I was diving in to try to tackle the issue, a day after I posted it, it all started working with no additional changes...
  • Changing FreeRadius Framed-MTU Attribute

    2
    0 Votes
    2 Posts
    1k Views
    Hi all - just thought I would follow up and bump this to the top to see if anyone had any idea where in the FreeRadius package configuration I would need to make an adjustment for the Framed-MTU attribute. Thanks again for your help, I really appreciate it.
  • Beginner SG-1100 - Available packages null or fail to install Avahi

    10
    0 Votes
    10 Posts
    2k Views
    chrismacmahon
    We were a bit late on twitter, we don't do RSS feeds, nor really have much on our blog for service issues. We are hoping the delay on twitter has been corrected.
  • This topic is deleted!

    4
    0 Votes
    4 Posts
    77 Views
  • Abandoned packages

    2
    0 Votes
    2 Posts
    680 Views
    Grimson
    https://www.netgate.com/docs/pfsense/development/submitting-a-pull-request-via-github.html start from there.
  • Block downloads based on file extension

    4
    0 Votes
    4 Posts
    4k Views
    @cheonne not working for me
  • workaround for bug in tinc package

    4
    1 Votes
    4 Posts
    1k Views
    with the result that the OS seemed to totally mess up the interface names.

      $ ifconfig -l
      [...] tnc0
      $ ifconfig tnc0
      ifconfig: interface tnc0 does not exist
      $ ifconfig
      (considered as spam by akismet)

    For some strange reason ifconfig does not show an interface name in front of the colon. It then occurred to me that maybe a bloody carriage return character is involved. And indeed

      $ ifconfig `printf "tnc0\r" `
      (considered as spam by akismet)
      [...]

    The reason for the \r was this one...

      $ file /usr/local/etc/tinc/tinc-up
      /usr/local/etc/tinc/tinc-up: ASCII text, with CRLF, LF line terminators

    while the default tinc-up script (when the text field is left empty) is

      /usr/local/etc/tinc/tinc-up: ASCII text

    This is the actual problem that caused all the trouble and that definitely needs to be fixed in the tinc package for pfSense. As a workaround I added comment signs # at the end of each line, so the \r character is not appended to the interface name, e.g.

      ifconfig $INTERFACE name tnc0 #

    After a reboot the interface was finally named correctly; however, after adding the "tnc0" interface in the web interface the next boot hung with

      Warning: Configuration references interfaces that do not exist: tnc0

    and the interfaces have to be manually reassigned first. I then finally noticed that renaming of the interface isn't actually necessary and the problem was that the \r was also appended to the group name, i.e. "pkg_tinc\r". My final working tinc-up script thus reads

      ifconfig $INTERFACE 192.168.21.7 netmask 255.255.255.255 #
      ifconfig $INTERFACE group pkg_tinc #
      route add -host 192.168.21.7 -interface $INTERFACE #
      route add -net 192.168.18.0/24 192.168.21.7 #

    (sorry for the partial postings, but as a single post it was considered as spam by stupid "akismet")
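    An added example, not from the post or from the tinc package, that models the failure the poster traced: sh splits words on space and tab only, so a CR left by CRLF line endings becomes part of the last argument on each line ("pkg_tinc\r", "tnc0\r"). The script text below is constructed from the poster's final tinc-up; the word splitter is a deliberately simplified model of sh (no quoting or expansion), and the helper names are mine. It shows both the "#" workaround from the post and the actual fix, which is to normalise line endings before the file is written.

```python
import re

# Constructed sample: a tinc-up script as written when the text was pasted
# from a CRLF editor, which is the situation the post describes.
CRLF_SCRIPT = (
    "ifconfig $INTERFACE 192.168.21.7 netmask 255.255.255.255\r\n"
    "ifconfig $INTERFACE group pkg_tinc\r\n"
    "route add -host 192.168.21.7 -interface $INTERFACE\r\n"
)


def has_crlf(text: str) -> bool:
    """What file(1) reports as 'with CRLF line terminators'."""
    return "\r\n" in text


def sh_words(line: str) -> list:
    """Simplified sh word splitting: only space and tab separate words
    (sh does NOT treat a carriage return as whitespace), and a word that
    starts with '#' begins a comment running to end of line."""
    words = []
    for w in re.split(r"[ \t]+", line.rstrip("\n")):
        if not w:
            continue
        if w.startswith("#"):
            break
        words.append(w)
    return words


def tainted_words(text: str) -> list:
    """Every argument that would reach a command with a stray '\\r' on the end."""
    return [w for line in text.split("\n") if line
            for w in sh_words(line) if "\r" in w]


def apply_comment_workaround(text: str) -> str:
    """The poster's workaround: end every line with ' #' so the CR lands
    inside a comment instead of inside the last argument."""
    return "".join(line + " #\r\n" for line in text.split("\r\n") if line)


def fix_line_endings(text: str) -> str:
    """The real fix: normalise to LF before the script is written to disk."""
    return text.replace("\r\n", "\n")


if __name__ == "__main__":
    print("CRLF present:", has_crlf(CRLF_SCRIPT))
    print("arguments carrying a CR:", tainted_words(CRLF_SCRIPT))
    print("after workaround:", tainted_words(apply_comment_workaround(CRLF_SCRIPT)))
    print("after fix:", tainted_words(fix_line_endings(CRLF_SCRIPT)))
```

    The same check is worth running on any script body a web UI writes to disk for a shell to execute (tinc-up, tinc-down, host scripts): a trailing CR is invisible in the UI, passes through ifconfig and route without a syntax error, and only shows up as "interface does not exist" later.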
  • stunnel question

    3
    0 Votes
    3 Posts
    761 Views
    Who wrote the stunnel package? Why is only ip 127.0.0.1 accepted and not other IPs in "Listen on IP" field?
  • Having difficulties with Squid and SquidGuard

    2
    0 Votes
    2 Posts
    353 Views
    Gertjan
    Hi, just a wild guess: try setting up from LAN (it still has the default rules?).
  • bind 9.12 on pfsense

    10
    0 Votes
    10 Posts
    1k Views
    PS: if I make a query like:

      dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30

    ;;##
      [root@temis ~]# dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30

      ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @ns2.bicsa.co.cu -x 200.55.178.24/29.30
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45248
      ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
      ;; WARNING: recursion requested but not available

      ;; QUESTION SECTION:
      ;30.24/29.178.55.200.in-addr.arpa. IN PTR

      ;; ANSWER SECTION:
      30.24/29.178.55.200.in-addr.arpa. 1200 IN PTR ksmg.bicsa.cu.

      ;; AUTHORITY SECTION:
      24/29.178.55.200.in-addr.arpa. 1200 IN NS ns1.bicsa.co.cu.

      ;; ADDITIONAL SECTION:
      ns1.bicsa.co.cu. 1200 IN A 200.55.178.28

      ;; Query time: 287 msec
      ;; SERVER: 200.55.136.19#53(200.55.136.19)
      ;; WHEN: Fri Jan 18 14:20:58 2019
      ;; MSG SIZE rcvd: 120
    ;;##

    As I said, if I make a query:

      dig @ns2.bicsa.cu -x 200.55.178.30

    it is refused. So am I missing something? Or is this the correct behaviour? Or do I have the zone name incorrect, or have I not been making the query correctly... Sorry, and thanks in advance.
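    An added example, not from the thread or the BIND package, of the naming behind the dig output above. The answer section shows a classless (RFC 2317) delegation: the zone 24/29.178.55.200.in-addr.arpa is served by ns1.bicsa.co.cu and holds the PTR for 30.24/29.178.55.200.in-addr.arpa. A plain dig -x 200.55.178.30 asks for 30.178.55.200.in-addr.arpa instead, which only resolves if the /24 parent zone publishes a CNAME from that name to the delegated one plus the NS records for the sub-block. The code derives both name forms with the ipaddress module and generates the records each side needs; the network, nameserver and host names are taken from the dig output, the function names are mine.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Ordinary in-addr.arpa owner name that a resolver (or dig -x) asks for."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def rfc2317_zone(network: str) -> str:
    """Zone name for a classless delegation of a sub-/24 block,
    e.g. 200.55.178.24/29 -> 24/29.178.55.200.in-addr.arpa."""
    net = ipaddress.IPv4Network(network)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 covers blocks between /25 and /31")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def rfc2317_name(ip: str, network: str) -> str:
    """Owner name of the PTR inside the delegated zone."""
    net = ipaddress.IPv4Network(network)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not in {network}")
    return f"{str(addr).split('.')[3]}.{rfc2317_zone(network)}"


def parent_zone_records(network: str, nameservers: list) -> list:
    """What the /24 zone must contain: NS records delegating the sub-block,
    and one CNAME per address pointing the normal name at the delegated one."""
    net = ipaddress.IPv4Network(network)
    zone = rfc2317_zone(network)
    label = zone.split(".")[0]            # e.g. "24/29"
    recs = [f"{label} IN NS {ns}." for ns in nameservers]
    for addr in net:
        last = str(addr).split(".")[3]
        recs.append(f"{last} IN CNAME {last}.{zone}.")
    return recs


def child_zone_records(network: str, ptrs: dict) -> list:
    """PTR records the delegated zone itself serves (ip -> hostname)."""
    return [f"{rfc2317_name(ip, network)}. IN PTR {host}." for ip, host in ptrs.items()]


if __name__ == "__main__":
    print(reverse_name("200.55.178.30"))
    print(rfc2317_name("200.55.178.30", "200.55.178.24/29"))
    print("\n".join(parent_zone_records("200.55.178.24/29", ["ns1.bicsa.co.cu"])))
    print("\n".join(child_zone_records("200.55.178.24/29", {"200.55.178.30": "ksmg.bicsa.cu"})))
```

    When a normal reverse lookup fails while the 24/29 form answers, the place to look is the parent /24 zone: without the CNAME for that last octet the delegated PTR is unreachable by any resolver that does not know the RFC 2317 name in advance.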
  • 0 Votes
    3 Posts
    515 Views
    bmeeks
    @john-the-ripper said in Which rules should be active is there enabling WAN and LAN interfaces on SNORT?:

      I am new to computer networking. I would like to setup SNORT for my small office. I was wondering what is the difference between enabling SNORT on WAN and LAN and Which rules should be active is there enabling WAN and LAN interfaces on SNORT? Thanks for your help in advance.

    Put Snort on the LAN interface only. Putting it on the WAN will just log a bunch of junk the firewall is going to drop anyway. Plus, as @NogBadTheBad said, on the WAN all of your LAN host IP addresses will show in alerts "after NAT", meaning they will have the WAN's public IP. This is not very helpful when you are trying to determine which local host triggered the alert.

    As for which rules, I suggest you do this to use a Snort Team provided IPS policy.

    Get a Snort Subscriber Rules account. There are free and paid versions. You have to register for both. The difference in the two is explained at the link you will find on the GLOBAL SETTINGS tab in Snort. You can also use this link.

    After you get your Snort Oinkcode, enable the Snort Subscriber Rules by clicking the checkbox and paste your Oinkcode into the box provided on the GLOBAL SETTINGS tab.

    Go to the UPDATES tab and click Update to get a fresh copy of the Snort rules. Be sure to wait until the pop-up modal dialog auto-closes before leaving the page. It will take several seconds to a minute or more to download the rules.

    Now click on the INTERFACES tab and add your LAN interface to Snort if you have not done that already. Leave things at their defaults initially. I recommend you do not enable blocking initially to give you some time to see what alerts your network generates. If you turn on blocking right away, expect some false positives and some headaches caused by blocking what are really OK things (those false positives). Save the new interface. You should get returned to the INTERFACES tab.

    Click the edit icon for your LAN and then click on the CATEGORIES tab. Click the checkbox to "Enable IPS Policy" and then choose the "IPS - Connectivity" policy in the drop-down. Let that be it at first. That is a good starter set of rules put together by the Snort team. Click Save on the page.

    Return to the INTERFACES tab and click the "start" icon to start Snort on the LAN. Hover over the icons to see a pop-up tooltip of what each icon does. Wait for Snort to start. The icon will turn into a green gear when Snort is running.

    You're done for now. Let it run like that for a week or so to give you a chance to see what kinds of alerts you get. Decide if you are getting any false positives (those are very likely with some of the HTTP_INSPECT rules), and suppress or disable the false positive rules. There are numerous threads here about setting up Suppress Lists and which rules to disable in Snort. Search for them to get some Snort tuning advice from other experienced Snort users.

    After you get the rules tuned up, then you can go to the INTERFACE SETTINGS tab again for the LAN and enable blocking. Remember when you make changes on the INTERFACE SETTINGS tab, you need to restart Snort on the interface for the changes to take effect.
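    An added example, not from bmeeks' reply or from the Snort package, for the tuning step the reply ends on: it reads a sample of Snort alert_fast lines, counts which signatures fire most, and emits Suppress List entries. Because Snort is on the LAN side, the alerts carry real host addresses, so a signature that only ever fires for one LAN host is suppressed for that host (track by_src / by_dst) rather than network-wide. The alert lines are constructed for the demo (the http_inspect gid:sid values are illustrative); the suppress syntax is Snort's own, and the function names are mine.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in Snort "alert_fast" format:
# time [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
SAMPLE_ALERTS = """\
08/07-09:15:01.120001  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51234 -> 203.0.113.10:80
08/07-09:15:07.000002  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51240 -> 203.0.113.10:80
08/07-09:15:09.000003  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.21:40010 -> 203.0.113.11:80
08/07-09:16:00.000004  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.12:80 -> 192.168.1.30:50001
08/07-09:16:05.000005  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.12:80 -> 192.168.1.30:50002
08/07-09:17:00.000006  [**] [1:366:11] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
"""

ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text: str) -> list:
    """One dict per parsable alert line; anything else is skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
        alerts.append(a)
    return alerts


def noisy_signatures(alerts: list, min_count: int = 2) -> list:
    """((gid, sid), count) pairs firing at least min_count times, most frequent first."""
    counts = Counter((a["gid"], a["sid"]) for a in alerts)
    return [(sig, n) for sig, n in counts.most_common() if n >= min_count]


def suppress_entries(alerts: list, lan_cidr: str, min_count: int = 2) -> list:
    """Suppress List lines. If every hit of a signature involves one LAN host,
    scope the suppression to that host instead of silencing it everywhere."""
    lan = ipaddress.IPv4Network(lan_cidr)
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[(a["gid"], a["sid"])].append(a)
    lines = []
    for (gid, sid), _ in noisy_signatures(alerts, min_count):
        hits = by_sig[(gid, sid)]
        srcs = {a["src"] for a in hits}
        dsts = {a["dst"] for a in hits}
        if len(srcs) == 1 and ipaddress.IPv4Address(next(iter(srcs))) in lan:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {next(iter(srcs))}")
        elif len(dsts) == 1 and ipaddress.IPv4Address(next(iter(dsts))) in lan:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {next(iter(dsts))}")
        else:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sig, n in noisy_signatures(parsed):
        print(f"{sig[0]}:{sig[1]} fired {n}x")
    print("\n".join(suppress_entries(parsed, "192.168.1.0/24")))
```

    Review the generated lines before pasting them into the Suppress List: a count alone does not make an alert a false positive, and the same logic run against WAN-side alerts would only ever see the firewall's public address, which is the point the reply makes about running Snort on the LAN.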
  • pfsense / freeRADIUS

    Moved
    2
    0 Votes
    2 Posts
    515 Views
    NogBadTheBad
    Do a radtest to verify it's working:

      root@unifi:~# radtest -4 andy password 172.16.0.1 1812 ClientSharedSecret
      Sending Access-Request of id 181 to 172.16.0.1 port 1812
          User-Name = "andy"
          User-Password = "password"
          NAS-IP-Address = 127.0.1.1
          NAS-Port = 1812
          Message-Authenticator = 0x00000000000000000000000000000000
      rad_recv: Access-Accept packet from host 172.16.0.1 port 1812, id=181, length=34
          Class = 0x61646d696e73
          Service-Type = Administrative-User
      root@unifi:~#

    https://support.microfocus.com/kb/doc.php?id=7014552

    You could also do a radsniff -x on pfSense.
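    An added example, not from the reply or from FreeRADIUS, of what the radtest exchange above puts on the wire and what each side checks, per RFC 2865 and RFC 2869: the client hides User-Password with the MD5 chain keyed by the shared secret and the request authenticator, fills Message-Authenticator with zeros (the value radtest prints) and then overwrites it with an HMAC-MD5 over the packet; the server answers with a Response Authenticator that is an MD5 over the reply plus the secret, which is the only thing protecting the Access-Accept against a spoofed reply. The user, secret, NAS values and the 34-byte Access-Accept with Class "admins" mirror the output above; the fixed request authenticator and all function names are mine (a real client must use fresh random bytes per request).

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, CLASS, MESSAGE_AUTHENTICATOR = 6, 25, 80
ADMINISTRATIVE_USER = 6


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type / Length / Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(user, password, secret, nas_ip, nas_port, ident, authenticator=None):
    """The packet radtest sends. A fixed authenticator is accepted only for tests."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join([
        attr(USER_NAME, user.encode()),
        attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        attr(NAS_PORT, struct.pack("!I", nas_port)),
        attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16),   # the all-zero value radtest prints
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 over the packet with Message-Authenticator zeroed;
    # it is the last attribute here, so its value is the final 16 octets.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check that the request came from someone holding the secret."""
    pos = 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            return False
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += length
    return False


def build_access_accept(request: bytes, secret: bytes, attrs: list) -> bytes:
    """Server side, used here to construct the reply. RFC 2865 3:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check; a reply forged without the secret fails here."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def parse_attrs(pkt: bytes) -> list:
    """(type, value) pairs, e.g. to read Class and Service-Type out of the accept."""
    out, pos = [], 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        out.append((kind, pkt[pos + 2:pos + length]))
        pos += length
    return out
```

    Two things this makes concrete about the radtest output: the password is hidden, not encrypted in any modern sense (MD5 keyed by a shared secret, reversible by anyone who has it), and a correct Class/Service-Type in the reply means nothing unless the client also checks the Response Authenticator, so keep the shared secret long and the RADIUS port reachable only from the NAS addresses listed in the package.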
  • BIND DNS Package on pfsense

    1
    0 Votes
    1 Posts
    297 Views
    No one has replied
  • BIND GUI is missing "advanced options"

    7
    0 Votes
    7 Posts
    1k Views
    I reinstalled the package and it's there. [image: WId57Ne.png] I don't know why it wasn't in the first place but thanks for the help!
  • Help with bind package and dynamic dns server by my own and ecme package

    2
    0 Votes
    2 Posts
    663 Views
    Gertjan
    @luisenrique said in Help with bind package and dynamic dns server by my own and ecme package:

      https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html

    To get you started: check out the link again. Read everything several times. Using a script or program (like nsupdate) locally, or remotely, works great, but every bit counts here: one slightest error and you're KO.

    The big hint is here https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html - the last line:

      And that should be it. Assuming the firewall has connectivity to the name server, and there are no other access policies that would prevent the update, RFC2136 DynDNS service is now working. Should anything not work as expected, check the system log and/or the log on the name server.

    The last six words will give you the solution: check out bind's log files (they have to be set up, of course). They tell you how the update went, and what failed.
  • How do I know what's new in a pfSense package update?

    3
    0 Votes
    3 Posts
    485 Views
    @jimp Ok, thank you!
  • 0 Votes
    1 Posts
    402 Views
    No one has replied
  • HAProxy Maint Mode Page

    4
    0 Votes
    4 Posts
    1k Views
    @brailyn Well, ssl/https uses 'mode tcp', and haproxy will not send the errorfile in that case. To make haproxy respond with a http error response, you would need it to 'offload' the ssl traffic with a certificate. Or, if you can supply haproxy with the certificate, you could still pass the main traffic as-is with the sni frontend and send it to a second 'local frontend' that does the decryption of the https request if a backend is down, to serve the error reply. Together with a nbsrv acl to switch to that second 'error frontend' if the webserver is down.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.