1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    D
    Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nianC
    @rlrobs Yes it’s still working fine here.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K
    @pulsartiger The database name is vnstat.db and its location is under /var/db/vnstat. With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    M
    I resolved this by accepting the T+Cs via https://www.maxmind.com/en/accounts/1205389/geolite2/eula

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG
    @EChondo What's your pfSense version ? The instructions are shown here : [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png] A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate. @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess. No need to wait x days. You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    J
    @div444 i'm finding the same - did you find a solution or did reverting fix it? Hoping there is a patch fix or something to get it working! Rather not rollback if i can avoid it

  • Discussions about the Tailscale package

    90 Topics
    578 Posts
    T
    Re: How to update to the latest Tailscale version? I am on latest released Netgate 6100 pfSense PLUS v24 ( pfSense_plus-v24_11_amd64-pfSense_plus_v24_11 ) pkg config abi FreeBSD:15:amd64 pkg -vv | grep -A 3 "pfSense:" pfSense: { url : "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v24_11_amd64-pfSense_plus_v24_11", enabled : yes, priority : 0, cat /usr/local/etc/pkg.conf ABI=FreeBSD:15:amd64 ALTABI=freebsd:15:x86:64 PKG_ENV { SSL_CA_CERT_FILE=/etc/ssl/netgate-ca.pem SSL_CLIENT_CERT_FILE=/usr/local/etc/pfSense/pkg/repos/pfSense-repo-0001-cert.pem SSL_CLIENT_KEY_FILE=/usr/local/etc/pfSense/pkg/repos/pfSense-repo-0001-key.pem } This firewall is obviously running on FreeBSD 15 no longer on 14. But can I use the freshports link for FreeBSD 14 amd64 quarterly which is at tailscale 1.86.2 or can I only go up to version tailscale 1.84.2_1, and need to wait until they have a version of tailscale 1.86.2 or higher for the FreeBSD 15? Would it be good enough to tell it to ignore the OSVERSION? export IGNORE_OSVERSION=yes Note: use of 14 and not 15 ? pkg add https://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/All/tailscale-1.86.2.pkg service tailscaled restart tailscale up

  • Discussions about WireGuard

    690 Topics
    4k Posts
    J
    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection. If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application? Thanks.
Log in to post
Load new posts
  • C

    Crowdsec finally comming to pfSense

    68
    2 Votes
    68 Posts
    17k Views
    Sergei_ShablovskyS
    @provels said in Crowdsec finally comming to pfSense: Have there been any more thoughts about including Crowdsec as an official pfSsense package? Upvoting this!
  • S

    BIND Package and RFC 2317 Classless IN-ADDR.ARPA delegation

    1
    0 Votes
    1 Posts
    210 Views
    No one has replied
  • I

    Prometheus node_exporter - does not show up in Grafana

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
  • I

    zabbix connection failures

    2
    0 Votes
    2 Posts
    405 Views
    A
    @isaaclondo09 SSH into your pfSense box and run this command: /usr/local/sbin/zabbix_agentd -f That will show any early output and the cause of the failure to start. Usually it will be a parameter error. What is the IP of your Zabbix server? It looks like the agent's the Server Active parameter is set to 192.168.13.148 for active checks but the server is rejecting the connection. Passive checks (from the server) are coming from 192.168.13.109 but the agent is rejecting them because the Server parameter is set to 192.168.13.190.
  • E

    How to run zenarmor locally in Pfsense?

    2
    0 Votes
    2 Posts
    472 Views
    M
    @enesas follow up with the zen armor team on an official pfsense package. https://www.zenarmor.com/contact
  • W

    [solved] FreeRADIUS 3.x package LDAP/OTP problem

    6
    0 Votes
    6 Posts
    2k Views
    W
    @lawern Good to hear :) I think I also updated it once or twice to be compatible, but we used it until we replaced the gateway. Until then I think there was no easy alternative to this.
  • M

    Telegraf Package needs an update

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • mtarboxM

    Email Reports WebGUI crashes February 2025

    5
    0 Votes
    5 Posts
    560 Views
    GertjanG
    @mtarbox said in Email Reports WebGUI crashes February 2025: https://github.com/pfsense/FreeBSD-ports/commit/c49098e2900a9211de44dc0b9937235ce9d638a2.diff Ah, ok, the pfSense-pkg-mailreport package. [image: 1739975511317-fe37f9ae-869e-4abe-ae82-918dfe2d5ac7-image.png] Package make less - or, AFAIK, not use of the patches system. If a patch exists fro them, then package is rebuild and you are proposed to update it.
  • R

    Using stunnel with Google LDAP

    solved
    3
    0 Votes
    3 Posts
    613 Views
    R
    After clearing the Protocol field in stunnel config, which I had originally set to ldap, saving the change, and restarting stunnel service, executing a connection test from the Toshiba MFD was successful. And after adding the Google Workspace server entry in the Toshiba MFD LDAP Client settings as a directory/service option (click Server Assignment button, also in MFD LDAP Client settings), Google Workspace directory searches from the Toshiba MFD are working as expected.
  • K

    How to block specific webpage and not a all website

    7
    0 Votes
    7 Posts
    885 Views
    GertjanG
    @KelvinU said in How to block specific webpage and not a all website: sounds NL, right? Born over there, exact. Living in France for the last 3 decades. @KelvinU said in How to block specific webpage and not a all website: though it came somewhat pretentious, right?! What makes you assume I'm a newbie? Lol, you first : what makes you presume that I assume you are a newbie ? But I get your point ^^ It's true, I am and I was pushing a bit. My point of view : About the proxy solution : me talking about planes was just an very accessible way to make you understand what the (imho) real question is. A lot of people fly planes. It's feasible. It just needs a lot of work. It's just that you were asking about why "/this/" isn't accessible to pfSense and/or anything else other then your browser and the web server on the other side. So I kicked of my way of saying : go have a look. I good have finished the question with one question back : do you know what https is ? (I sometimes do - as this is not a ). And I'm hoping I waked up your curiosity, that you dive into it, and then come back here and tell us how you did it. Because I'm still waiting as I never had the patience and/or time to use a proxy set up myself. Also, I don't have the age neither the young kids at home that motivates me being able to see my own traffic, let alone traffic off other people. That makes me feel very uncomfortable. @KelvinU said in How to block specific webpage and not a all website: and I've learned that we should never say, "No one. Not pfSense. Nobody. Not on planet Earth." and I fully agree with you. And we also enter into the "computer politics" now. So no more black and white, all becomes suddenly 'gray'. And it always was. If TLS (real time) decoding was possible, while the private key is unknown, this would mean "some one" could listen into your TLS connections at any time. I get it, it's the role of every big (governmental ?!) organization to let us know, the big public, that it's a scandal according to them, that they can't do their job right (protecting all of us, the big public), that they can't access your phone's traffic, can't see what you are saying (writing) to some one else. as national security is at stake here. So they say, your traffic is hidden and that's a problem for them - and this for us. edit : still looking for the country where the usage of TLS or comparable is forbidden by law ^^ And at the same time, somewhere hidden, down deep, in zone 51, they have this quantum computer that can tap into everything all ready using, probably, a back door key ? Maybe. And they won't say any one of course that they actually can I get that (except for tiktok of course). Let's give the public the impression they are safe, so the will "speak" freely, not knowing that some one listens in after all. If that capability was known, then Internet as a communication method would fall .... world economy would fall. But real time brut-forcing their way in ? Well ... do the math yourself ^^ Keep in mind : most of what I said above is "afaik" and "imho". @KelvinU said in How to block specific webpage and not a all website: I know a ton of GertJan Oula ... why even bother posting here - come and see me !? As I've questions also, and not only pfSense.
  • B

    Zabbix Proxy on 2.7.3

    7
    1 Votes
    7 Posts
    2k Views
    steve.scotterS
    I've been forced to upgrade to Zabbix 7.0 due to the previous LTS version 6.0 going EOL on February 28, 2025. (https://www.zabbix.com/life_cycle_and_release_policy) The Zabbix Proxies I have are also 6.0 LTS and I've just discovered there is no 7.0 package. I'm also seeing a lot of the following messages in my zabbix logs... 9868:20250208:120811.048 Proxy "FW-1" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.086 Proxy "FW-2" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.269 Proxy "FW-3" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.366 Proxy "FW-4" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.393 Proxy "FW-5" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.403 Proxy "FW-6" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9861:20250208:120811.436 Proxy "FW-7" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.489 Proxy "FW-8" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9866:20250208:120811.644 Proxy "FW-9" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. 9866:20250208:120811.700 Proxy "FW-10" version 6.0.27 is outdated, only data collection and remote execution is available with server version 7.0.9. 9868:20250208:120811.911 Proxy "FW-11" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9. So I'm basically stuff. Rolling my Zabbix server back isn't an option due to EOL/compliance issues. And I seem unable to install the Zabbix 7 agent or proxy on pfsense. It seems as though the pfsense communication edition is dead?
  • L

    Do I Need to Revert Patches Before Upgrading pfSense?

    6
    0 Votes
    6 Posts
    815 Views
    GertjanG
    @leeroy said in Do I Need to Revert Patches Before Upgrading pfSense?: We don’t have any custom packages Make : [image: 1738773582966-61aef0a2-815f-46fa-b99f-95174dc0a65f-image.png] an exception. It's made by Netgate, for pfSense. Even if you don't think you need it, you need it. Probably because Netgate knows more about pfSense then we do
  • A

    Prometheus Node Exporter gives log errors - fix or suppress in log

    5
    0 Votes
    5 Posts
    2k Views
    N
    Adding this here rather than a new topic since this is what comes up vv google when looking for why uname and zfs are throwing errors in the pfSense system log Following the steps above from @ameinild does stop the messages from appearing, but only until you restart or touch the config in the ui. After digging around here github and looking for some overly complicated way to override the default conf, a definite was in order though... its so obvious once you see it, i.e. all of the selected options are all just flags in the config, and adding --no-collector.XX is just another flag, but from what I could find this wasnt called out anywhere, despite this issue being discussed in a number of forums. The solution is simply to add --no-collector.zfs --no-collector.uname to Extra flags and save. [image: 1738107043119-2b94e695-3dc2-4a2e-886e-87a09509605d-image.png] Which results in /usr/local/etc/rc.conf.d/node_exporter updated as follows, and the config persisting. [image: 1738107322479-a49b3815-2788-43c7-802b-fa395d1b4812-image.png]
  • I

    Packages showing as up to date - they are not. 2.7.2

    6
    0 Votes
    6 Posts
    665 Views
    S
    @iStuart said in Packages showing as up to date - they are not. 2.7.2: link that states what the latest version is? I don't think so. Usually it's discussed in the forum category here. There is https://www.patreon.com/pfBlockerNG but it isn't always posted there I think. Also https://www.reddit.com/r/pfBlockerNG/.
  • L

    cron package lead to boot issue

    3
    0 Votes
    3 Posts
    332 Views
    M
    I'm not seeing how the errors would trigger via the GUI - was the config.xml file manually modified?
  • T

    Suricata fails install

    9
    0 Votes
    9 Posts
    719 Views
    bmeeksB
    @TravisH said in Suricata fails install: @bmeeks That gave me the same errors, I might try a fresh install just to see if it has something else going on. Cheers I don't have any other suggestions, then. Those error messages appear to definitely originate from the pkg utility itself as it is creating the directories and copying the Suricata install files to the correct locations. The Suricata package is not even "alive" at that point (since it is in the process of being installed by the pkg utility). Have you monkeyed with any user permissions on the firewall? Can you remove and then successfully reinstall another package? What about trying to reinstall Snort again? What kind of hardware do you have? Is it something with an eMMC disk? Perhaps it has gone into "read only" mode ???
  • E

    haproxy does not start when pfsense start

    1
    0 Votes
    1 Posts
    475 Views
    No one has replied
  • J

    Avahi reflection filtering

    3
    0 Votes
    3 Posts
    424 Views
    J
    @dennypage said in Avahi reflection filtering: You are conflating local services and service reflection between interfaces. They are unrelated. Thank you, I'll remove those entries.
  • T

    Telegraf service keeps stopping

    4
    0 Votes
    4 Posts
    563 Views
    C
    @Target-Bravo How did you enable debugging on this plugin?
  • L

    Avahi Crash on pfSense 2.7.2

    5
    0 Votes
    5 Posts
    409 Views
    stephenw10S
    Hmm, not familiar. Backtrace: db:0:kdb.enter.default> bt Tracing pid 87885 tid 100340 td 0xfffffe006a4e7ac0 kdb_enter() at kdb_enter+0x32/frame 0xfffffe0063881830 vpanic() at vpanic+0x163/frame 0xfffffe0063881960 panic() at panic+0x43/frame 0xfffffe00638819c0 trap_fatal() at trap_fatal+0x40c/frame 0xfffffe0063881a20 calltrap() at calltrap+0x8/frame 0xfffffe0063881a20 --- trap 0x9, rip = 0xffffffff80ee0935, rsp = 0xfffffe0063881af0, rbp = 0xfffffe0063881ba0 --- in_joingroup_locked() at in_joingroup_locked+0x335/frame 0xfffffe0063881ba0 inp_setmoptions() at inp_setmoptions+0x11c6/frame 0xfffffe0063881d30 sosetopt() at sosetopt+0xb4/frame 0xfffffe0063881d80 kern_setsockopt() at kern_setsockopt+0xa5/frame 0xfffffe0063881de0 sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe0063881e00 amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe0063881f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0063881f30 --- syscall (105, FreeBSD ELF64, setsockopt), rip = 0x82687dd0a, rsp = 0x8203704f8, rbp = 0x820370550 --- Panic: <6>vlan0: changing name to 'ixv0.7' <6>ixv0: link state changed to DOWN <6>ixv0: link state changed to UP arprequest_internal: cannot find matching address Fatal trap 9: general protection fault while in kernel mode cpuid = 6; apic id = 06 instruction pointer = 0x20:0xffffffff80ee0935 stack pointer = 0x28:0xfffffe0063881af0 frame pointer = 0x28:0xfffffe0063881ba0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 87885 (avahi-daemon) rdi: fffff80003c2c480 rsi: 0000000000000000 rdx: 00000000000000a0 rcx: 0000000000000020 r8: 0000000000000000 r9: 00000000000000f8 rax: 14d81dff33337b20 rbx: fffffe006a4e7ac0 rbp: fffffe0063881ba0 r10: 0000000000000000 r11: fffffe006a4e7fe0 r12: 0000000000000000 r13: fffffe0063881c04 r14: fffff800797d9800 r15: fffff80003c2c400 trap number = 9 panic: general protection fault cpuid = 6 time = 1734052404 KDB: enter: panic It's interesting that it seems to re-create the interface after boot. Did you resave something there? I'd have to guess it's some hardware off-loading in the ixv driver causing problem there when it tried to jpin the multicast group. What hardware offloading is shown as capable or enabled by ifconfig -m ixv0 or for ifconfig -m ixv0.7?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.