1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    I
    @andrew_cb said in haproxy 0.63_2 weird behavior, edits not working: @iSagen @TheCyborgWeasel The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend. Great! I will do this.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB
    @NRgia said in Suricata on Pfsense: @bmeeks Thank you for what you did for Snort or Suricata. I'm not sure what you want me to do on Redmine, due to is a bug tracker. My question is for Product Management, which I will ask it here to be public: What is the plan for these 2 packages, Suricata and Snort? Thank you Yes, Redmine is for both bug reports and feature requests. Asking for the Suricata binary to be updated to the latest 7.0.11 version from upstream is a legitimate Redmine request. I would suggest simply asking for the binary version update instead of asking about future Netgate strategy (such as the support plans for the packages). Strategy discussions typically don't get very far because they deal with proprietary information or plans that a company may not want to publicly discuss. Redmine is where the Netgate developer team tracks all the code changes they make for pfSense. They will see Redmine reports much quicker than a forum post.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    J
    @keyser Clarify "it makes sense if the GEOIP DB has that size" are you referencing the asn data as I have shown or the maxmind data? the asn data takes all of 15 seconds to download and process. Not really any "magic" going on there, you can see the mmdb is only a download referenced and the asn.csv.gz is basically just unzipped. I can't comment on the maxmind data specifically because I don't use for my geo location. But I can see what the code should be doing. seeing your actual log file will help determine where your specific spike may be coming from, but if I had to guess from looking at the code and my timing with respect to the asn parts of it I would guess this is most likely to be an issue with the maxmind parts - timing should be in the log. can you change when it runs ? no, not directly, there is no way to do this without changing the code to target a specific time when it creates the cron job in the first place. No you can't change the timing of the cron job and have it stick, it will eventually just go random again. On the other hand, yes, because I changed the code here so it always creates the same "not so random" time.. runnning at same time every day since this code change first became available in the pfblockerNG update for 24.11 that came out months ago, well before 25.07 curious you originally said "noticed this after upgrading to 25.07 and pfb 3.2.7" were you running the "new" format of asn data before? (would have only been possible if you upgraded from 24.11 with the latest version of pfb installed) you would have entered and ASN key at some point to make it work. did you do that under the prior version and just now with 25.07) it's likely not significant, but then again .... That likely won't help your spike, other than moving it to a different time. I moved it here to a static ("not so random") time for other reasons, nothing to do with system load at the time.. Log files would be helpful. (just the snippet that applies to this time, from extras, error and pfblockerng logs there may be nothing in error or pfblockerng related to the time it is running. .

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    495 Topics
    3k Posts
    M
    @raidflex said in updating to acme 1.0 breaks system beyond repair: need to restore from backup: maybe uninstall Crowdsec when applying other updates first. It seems like it doesn't help at least from what I see on my system... it changes something.. so it must be definitely reported to their github. I have never experienced that before and crowsec was installed.. maybe with 2.8.0 something have changed

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    595 Posts
    E
    Updated CE 2.7.2 to 1.86.2_1 Changelog pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tailscale-1.86.2_1.pkg Freshports

  • Discussions about WireGuard

    693 Topics
    4k Posts
    lvrmscL
    Strangely enough, checking the system 4 days later, I now see that Wireguard service is reported running! The last thing I did 4 days ago was to disable Wireguard service monitoring by the Service Watchdog. Anyway, even when it was reported stopped at first, 4 days ago, the tunnels were working flawlessly. Very strange. I will keep an eye on it.
Log in to post
Load new posts
  • C

    FreeRADIUS 1st setup - authentication failed. How to troubleshoot?

    8
    0 Votes
    8 Posts
    3k Views
    C
    @NogBadTheBad @Gertjan : I received my spare SG-1100, set it up using the absolute basics and installed the FreeRADIUS package on that unit. Exact same issue. So the problem was the FreeRADIUS Server Certificate which was not created automatically, like in Tom's video. Right after installing the package I got the following notice: [image: 1637365313262-ce6fb673-565f-4701-99eb-2e839613f9dc-image.jpeg] This was exactly the same on my production SG-1100 unit. I don't understand why the SC could not be created where the CA was created just fine. I found this other post right here on the forums of another SG-1100 user running into the same issue. Could this be related to the SG-1100 specifically? Anyway I created a Server Certificate under de FreeRADIUS CA and boom the server is running and it is authenticating. Just one question as this is the first time I create my own certificate: The common name field cannot be left blank or I'll get an error creating the certificate: [image: 1637365674945-4a3ac69e-ad16-4081-838b-ffc96bf1bfa5-image.jpeg] However I didn't know what to enter there for this special FreeRADIUS use case. So I just entered a non-existing url. Will that be adequate? Thanks for your help! Pete
  • Z

    NUT disable anonymous access?

    4
    0 Votes
    4 Posts
    1k Views
    dotdashD
    @zoltrix It seems you are correct, if I load nut on a workstation, I can poll statistics if I know the configured name and address without any configuration on the client side. You could make this harder by choosing a unique name instead of the default 'ups'. I don't see this as a security risk, but the nut manual has a section 'Notes on securing NUT' which may be of use. An easy fix on pfsense would be to block LAN access to the NUT port for all but trusted workstations.
  • JonathanLeeJ

    Squid Proxy Server Clam AV showing outdated

    2
    1 Votes
    2 Posts
    931 Views
    GertjanG
    @jonathanlee said in Squid Proxy Server Clam AV showing outdated: Where would I update if the packages show up to date? You don't. Half the planet sees this message nearly daily (using ANY OS, using the 'clamav' package). Read the proposed : DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav Which explains the message.
  • M

    Interface Zabbix monitoring

    3
    0 Votes
    3 Posts
    2k Views
    M
    We tried to search for solution but unable to get it. Does anyone knows about the correct path for WAN interfaces.
  • P

    Unable to install git

    4
    0 Votes
    4 Posts
    1k Views
    P
    @jimp amazing. Thank you.
  • W

    [Solved] Login incorrect with FreeRADIUS to Google Authenticator

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • T

    Block Internet but allow Visual Studio Code

    1
    0 Votes
    1 Posts
    784 Views
    No one has replied
  • J

    NUT Config: Omron UPS BWxT

    1
    0 Votes
    1 Posts
    828 Views
    No one has replied
  • W

    FreeRadius Interfaces

    6
    0 Votes
    6 Posts
    1k Views
    NogBadTheBadN
    @whitetiger-it said in FreeRadius Interfaces: @nogbadthebad Let's see if I understand correctly. The switch, instead of querying the RADIUS on the firewall IP, queries a virtual (and therefore non-existent) IP that you have associated with the localhost of the firewall itself. Nope its a virual address tied to the localhost interface, if I had bound my FreeRadius to the LAN interface IP and I had shut it down then devices couldn't authenticate. [image: 1636629989624-screenshot-2021-11-11-at-11.24.29.png] Good idea, but I didn't understand why. The IP of the firewall is however known, for example because it is the Gateway of the network, there is DHCP, DNS, etc. However, my question remains open. Is the RADIUS interface the network on which the users are located or the one on which the servers/devices interrogated by the user are located? From what you have posted, it seems to me that it is the second answer. The radius interface is the IP address that Radius requests are sent to, as per "Enter the IP address (e.g. 192.168.100.1) of the listening interface. If you choose * then it means all interfaces. (Default: *)" You can point your devices to any IP address any pfSense interface you want if you leave the IP address as the default of *
  • A

    Avahi: "Failed to create client object: Daemon not running"

    12
    0 Votes
    12 Posts
    14k Views
    R
    @rajid Followup: I've also found that I need to add a filter to allow mdns packets to "pass", otherwise they end up blocked. I'm still not seeing any mdns responses using the avahi programs (such as "avahi-browse -a"), but "tcpdump" shows the packets are there on the wire.
  • B

    WireGuard multiple client bug

    wireguard
    20
    0 Votes
    20 Posts
    4k Views
    B
    @jimp thx for the hint it's working now, it totally make sense now. hope it will you @bbusa as well
  • F

    Suricata won't auto start on reboot

    2
    0 Votes
    2 Posts
    916 Views
    bmeeksB
    Did you look in the suricata.log for the interface to see why Suricata was failing to start? You can view that log on the LOGS VIEW tab. The log is overwritten with each startup attempt of Suricata. It will contain the status of the last startup attempt of Suricata for the interface. Was it complaining specifically about failure to allocate Stream Memcap memory? With lots of cores, that value must be increased substantially from the default. You can search on Google for info on configuring the value. I seem to recall running across a formula quite a long time ago that let you calculate how large that value needed to be for a given number of cores.
  • 4

    Bug in wireguard Package Addon config found, when generating wireguard config

    2
    0 Votes
    2 Posts
    1k Views
    4
    @4920441-0 If anyone is asking why this is a problem: I try to configure three tunnels which should connect 4 OSPF routers with each other.... For the first tunnel I could allow 224.0.0.0/6 but what should I do with the other tunnels? Thanks a lot.. Cheers 4920441
  • P

    Snort Inline Mode caused WAN to drop every few minutes

    8
    0 Votes
    8 Posts
    2k Views
    bmeeksB
    @tsmalmbe said in Snort Inline Mode caused WAN to drop every few minutes: @bmeeks A minute to review this question of mine and comment? Highly appreciated as always. The answer is very simple: switch to Legacy Mode if you want to use blocking with Snort (or Suricata) on your hardware. I've said on this board innumerable times that Inline IPS Mode relies on the kernel netmap device, and the kernel netmap device relies on well-written support within the hardware NIC driver. If that support is not well-written (meaning bug free), then netmap does not work reliably. That in turn means Inline IPS Mode does not work reliably. "Not working reliably" can manifest in ways from simple disruption of traffic on the configured interface to potentially a complete lockup of the firewall. There is a warning dialog that is displayed at the top of the INTERFACE SETTINGS page when you switch an interface to Inline IPS Mode and save the change. The message clearly says you may experience difficulties. You also have two installed packages that are likely not going to cooperate with the netmap kernel device: bandwidthd and softflowd. That's because when an interface is placed into netmap operation, it is disconnected from the kernel's control and placed under the the control of the app initiating the netmap connection. For the IPS/IDS packages, that would be Snort or Suricata.
  • A

    Problem with packages

    10
    0 Votes
    10 Posts
    1k Views
    A
    @gertjan with OpenVPN I think I can handle it, but the problem with multiWAN as far as I know has not been fixed yet.
  • A

    Sonos, Heos, Chromecast on subnet

    1
    0 Votes
    1 Posts
    774 Views
    No one has replied
  • T

    Captive Portal Freeradius MySql Max Daily data limit

    1
    0 Votes
    1 Posts
    592 Views
    No one has replied
  • I

    Wireguard Performance

    2
    0 Votes
    2 Posts
    934 Views
    Q
    @icarson without more details of hardware and configuration i’m not sure it’s actionable or useful feedback.
  • O

    Verification of packages

    3
    0 Votes
    3 Posts
    831 Views
    O
    @gertjan Well, this forum post indicates that it is possible to install packages while offline. I think 'pkg add' will do the trick after uploading the package to the pfSense system. But thanks for clarifying for me about the fingerprints.
  • JonathanLeeJ

    Watchdog needed for services to keep them running.

    11
    0 Votes
    11 Posts
    1k Views
    JonathanLeeJ
    @gertjan I just wish they used more of the SSD for items, it is alot faster over a hard drive of the past. Use that SSD for items that are not part of non stop scanning. Remember upper and lower memory blocks back with MS-DOS 3.11 in the 90s with a 14mhz 8088 processor? It seems to me the resources that are available like that huge SSD are not being used as much as they could. I do understand the need for speed with the packet processing. However I can't stop wondering what could be put on that drive and not be constantly ready in NVRAM.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.