pfSense Packages

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Cache/Proxy

Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

3.8k
Topics

20.6k
Posts

J

Update: Set your SSH on the wpad to only allow access during business hours. This can be done with the PAM

edit the following file
/etc/security/time.conf
add:
sshd;*;*;AL0500-2300
Meaning I can only access ssh into my wpad durring 5-2300

After adapt /etc/ssh/sshd_config

make sure your listenaddress is the ip of the wpad set your AllowUsers to your login

Example
Port 8085 #change port if needed AddressFamily inet #ipv4 only ListenAddress 192.168.1.6 #address of wpad AllowUsers Jonathan@192.168.1.* # any device that is 192.168.1.X
Change
PermitRootLogin no #no ssh login for root UsePam yes # turn on pam for use with time restrictions
after adapt
/etc/passwd

for added security also change your login to use the shell rbash and lock down the wad.

Also if you use ipv6 and ipv4 you will have a race condition and sshd will not start on reboots you must also adapt
sudo -i systemctl edit --full sshd.service
under [unit] add
Requires=network-only.target After=network-only.taget
This will only start sshd once the network target is running in my example 192.168.1.6 I also have ipv6 running so it would cause issues unless I changed this. If you do not use ipv4 forget about this.
IDS/IPS

Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

2.2k
Topics

15.7k
Posts

T

@tchadrack

Thermal Sensors
Zone 1: 29.9 °C
Zone 0: 27.9 °C

Name ..**
User admin@192.168..** (Local Database)
System pfSense
Netgate Device ID: ******************
BIOS Vendor: American Megatrends Inc.
Version: F2
Release Date: Mon Oct 7 2013
Version 2.7.2-RELEASE (amd64)
built on Fri Dec 8 17:55:00 -03 2023
FreeBSD 14.0-CURRENT

The system is on the latest version.
Version information updated at Sat Feb 1 9:35:25 -03 2025
CPU Type Intel(R) Pentium(R) CPU G3220 @ 3.00GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
Hardware crypto Inactive
Kernel PTI Enabled
MDS Mitigation Inactive
Uptime 1 Day 03 Hours 20 Minutes 04 Seconds
Current date/time
Sat Feb 1 9:44:46 -03 2025
DNS server(s)
8.8.8.8
8.8.4.4
Last config change Sat Feb 1 9:05:02 -03 2025
State table size
0% (222/1000000) Show states
MBUF Usage
5% (18856/371768)
Temperature
27.9°C
Load average
0.47, 0.48, 0.42
CPU usage
4%
Memory usage
53% of 5980 MiB
SWAP usage
17% of 3851 MiB

DISKS:
Mount Used Size Usage
/ 28G 447G
7% of 447G (ufs)

SERVICES:
arpwatch Arpwatch Daemon
bandwidthd BandwidthD bandwidth monitoring daemon
captiveportal Captive Portal: **********
darkstat Darkstat bandwidth monitoring daemon
dpinger Gateway Monitoring Daemon
kea-dhcp4 Kea DHCP Server
ntopng ntopng Network Traffic Monitor
ntpd NTP clock sync
openvpn OpenVPN server: *************
pfb_dnsbl pfBlockerNG DNSBL service
pfb_filter pfBlockerNG firewall filter service
radiusd FreeRADIUS Server
sshd Secure Shell Daemon
suricata Suricata IDS/IPS Daemon
syslogd System Logger Daemon
unbound DNS Resolver
vnstatd Status Traffic Totals data collection daemon

S.M.A.R.T. Status
Drive Ident S.M.A.R.T. Status
ada0 WD-************ PASSED
Traffic Monitoring

Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

559
Topics

2.7k
Posts

M

@periko I agree with you. Most if not all firewalls today provide some ability to peak into what kind of traffic is flowing through your device.
pfBlockerNG

Discussions about the pfBlockerNG package

2.6k
Topics

19.4k
Posts

P

Hello,

I've been trying to find a way to use the same list of IP's in both pfB and snort, so I don't have to maintain two independent whitelists.

One would think that it would be easy but I couldn't get it to work.

Snort only allows system-wide aliases (Firewall > Aliases). It doesn't seem capable of retrieving IP's from an URL...

Using "Alias Native" in pfB allows to use the list in a FW rule but doesn't allow to be used in Snort for the above mentioned reason... (URL)

I thought creating a system wide alias with the IP's, then create a list in pfB (ipv4) and enter the alias name in the source but pfB wont let me do this.

Short of treating these two packages as completely independent and maintain two identical whitelists, how can I make them use the same IP list?
UPS Tools

Discussions about Network UPS Tools and APCUPSD packages for pfSense

90
Topics

2.3k
Posts

G

@rdibley said in Linefeed in pfSense email notifications (with Network UPS Tools):

So one more question: if most people don't use the Advanced section (and the users.conf is blank), how does a secondary system connect to the primary? Is it that most people don't define a user/password for monitoring, but that the primary is just open to any secondary system that might want to connect?

I'm using it 😊

b852fa0b-7f4c-4461-8c73-3867487db57f-image.png

The third entry is for my Synology NAS :

And the NAS side :

c67da02f-ce7a-456c-a7e1-fede22ed4b6b-image.png

and done.

I've also installed "Windows NUT Client" on two PC's nearby.
Example : PC 1 with user name "pcrecep1" and password "secret1" :

e41ec81d-1698-431f-98f9-17e142c93132-image.png

Works fine also.
So I've 4 devices protected with one big 1000 VA APC UPS, where pfSense is the NUT 'server' as it has a USB cabled UPS hooked up to it, and now 4 devices are controlled by this UPS instead of one.
ACME

Discussions about the ACME / Let’s Encrypt package for pfSense

484
Topics

2.7k
Posts

I

@Gertjan Thank you so much for the help. I've removed all of the child nodes of <acme>, reinstalled the package and it completed.

Thanks again!
FRR

Discussions about the FRR Dynamic Routing package on pfSense

283
Topics

1.2k
Posts

M

@michmoor said in FRR 10 coming with script support ?:

Yep yep that's right. Sorry for confusing issues.

Np, we need more people engaged in this, FRR is a great software but it is not working smoothly with pfsense IPsec VTIs.
Tailscale

Discussions about the Tailscale package

77
Topics

436
Posts

E

@atlmcw

I had no issues.
WireGuard

Discussions about WireGuard

649
Topics

3.4k
Posts

D

Ohhh i forgot the gateway.

Its working now.

thank you so much.

J

System Patches Package v2.2.20_1 / v2.2.11_17

• • jimp

11

12
Votes

11
Posts

720
Views

J

There was no issue with "apply all" in general, just some people who applied certain changes manually earlier may not have been able to apply one of the recommended patches, but that's always been the case if the patches change.

Update the package and look at the list again, if any of the recommended patches entries have an apply action, apply them.
1

DNS Broken for pkg.pfsense.org

• • 10101000

3

0
Votes

3
Posts

12.2k
Views

J

https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2
R

Packages wishlist?

• • rds_correia

661

0
Votes

661
Posts

1.3m
Views

O

PRTG
A

Prometheus Node Exporter gives log errors - fix or suppress in log

• • ameinild

5

0
Votes

5
Posts

1.3k
Views

N

Adding this here rather than a new topic since this is what comes up vv google when looking for why uname and zfs are throwing errors in the pfSense system log

Following the steps above from @ameinild does stop the messages from appearing, but only until you restart or touch the config in the ui.

After digging around here github and looking for some overly complicated way to override the default conf, a definite 🤦 was in order though... its so obvious once you see it, i.e. all of the selected options are all just flags in the config, and adding --no-collector.XX is just another flag, but from what I could find this wasnt called out anywhere, despite this issue being discussed in a number of forums.

The solution is simply to add --no-collector.zfs --no-collector.uname to Extra flags and save.

2b94e695-3dc2-4a2e-886e-87a09509605d-image.png

Which results in /usr/local/etc/rc.conf.d/node_exporter updated as follows, and the config persisting.

a49b3815-2788-43c7-802b-fa395d1b4812-image.png
N

LCDproc Looses Connection - Restarting service Fixes but goes down again shortly after

• • ngr2001

6

0
Votes

6
Posts

634
Views

J

Firewall states wouldn't affect LCDProc since it's not a TCP connection, it's local serial.

You should definitely be using cuaU0 or a cuaU<n> port, though, not a TTY.

I have LCDProc going on two systems, one with a crystalfontz display and another with an adafruit LCD+Backpack setup. Both work great and never lose connection.
R

How to update to the latest Telegraf version

• • rocket

5

0
Votes

5
Posts

298
Views

R

@rocket

Updated Jan 28-2025

pfsense 24.11 - Telegraf freebsd-15 
pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.33.1.pkg

pfsense 2.7.2 - Telegraf freebsd-14 
pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.33.1.pkg
F

Longstanding FreeRADIUS EAP-TLS security bug on validating client certificate common name

• • Finger79

8

1
Votes

8
Posts

846
Views

F

Can this security vulnerability get some love please?
I

Packages showing as up to date - they are not. 2.7.2

• • iStuart

6

0
Votes

6
Posts

127
Views

S

@iStuart said in Packages showing as up to date - they are not. 2.7.2:

link that states what the latest version is?

I don't think so. Usually it's discussed in the forum category here. There is https://www.patreon.com/pfBlockerNG but it isn't always posted there I think. Also https://www.reddit.com/r/pfBlockerNG/.
L

cron package lead to boot issue

• • luxopok

3

0
Votes

3
Posts

85
Views

M

I'm not seeing how the errors would trigger via the GUI - was the config.xml file manually modified?
T

Suricata fails install

• • TravisH

9

0
Votes

9
Posts

201
Views

B

@TravisH said in Suricata fails install:

@bmeeks That gave me the same errors, I might try a fresh install just to see if it has something else going on.

Cheers

I don't have any other suggestions, then. Those error messages appear to definitely originate from the pkg utility itself as it is creating the directories and copying the Suricata install files to the correct locations. The Suricata package is not even "alive" at that point (since it is in the process of being installed by the pkg utility).

Have you monkeyed with any user permissions on the firewall?

Can you remove and then successfully reinstall another package? What about trying to reinstall Snort again?

What kind of hardware do you have? Is it something with an eMMC disk? Perhaps it has gone into "read only" mode ???
E

haproxy does not start when pfsense start

• • ewok2

1

0
Votes

1
Posts

339
Views

No one has replied
J

Avahi reflection filtering

• • JonH

3

0
Votes

3
Posts

125
Views

J

@dennypage said in Avahi reflection filtering:

You are conflating local services and service reflection between interfaces. They are unrelated.

Thank you, I'll remove those entries.
T

Telegraf service keeps stopping

• • Target-Bravo

4

0
Votes

4
Posts

237
Views

C

@Target-Bravo How did you enable debugging on this plugin?
C

HAProxy - Include subdirectories in the HTTP Redirect

• • ColdBrew

9

0
Votes

9
Posts

157
Views

V

@ColdBrew
Check the log on the backend server, to see, what HAproxy requests exactly.
As mentioned above, HArproxy uses the IP and port, you've stated in the backend config.
And I guess, if you use this IP an port and append the subdirectory (e.g. http://10.65.10.5:3454/subdir) you get nothing from the backend device as well.
L

Avahi Crash on pfSense 2.7.2

• • LukeT

5

0
Votes

5
Posts

161
Views

S

Hmm, not familiar. Backtrace:
db:0:kdb.enter.default> bt Tracing pid 87885 tid 100340 td 0xfffffe006a4e7ac0 kdb_enter() at kdb_enter+0x32/frame 0xfffffe0063881830 vpanic() at vpanic+0x163/frame 0xfffffe0063881960 panic() at panic+0x43/frame 0xfffffe00638819c0 trap_fatal() at trap_fatal+0x40c/frame 0xfffffe0063881a20 calltrap() at calltrap+0x8/frame 0xfffffe0063881a20 --- trap 0x9, rip = 0xffffffff80ee0935, rsp = 0xfffffe0063881af0, rbp = 0xfffffe0063881ba0 --- in_joingroup_locked() at in_joingroup_locked+0x335/frame 0xfffffe0063881ba0 inp_setmoptions() at inp_setmoptions+0x11c6/frame 0xfffffe0063881d30 sosetopt() at sosetopt+0xb4/frame 0xfffffe0063881d80 kern_setsockopt() at kern_setsockopt+0xa5/frame 0xfffffe0063881de0 sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe0063881e00 amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe0063881f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0063881f30 --- syscall (105, FreeBSD ELF64, setsockopt), rip = 0x82687dd0a, rsp = 0x8203704f8, rbp = 0x820370550 ---
Panic:
<6>vlan0: changing name to 'ixv0.7' <6>ixv0: link state changed to DOWN <6>ixv0: link state changed to UP arprequest_internal: cannot find matching address Fatal trap 9: general protection fault while in kernel mode cpuid = 6; apic id = 06 instruction pointer = 0x20:0xffffffff80ee0935 stack pointer = 0x28:0xfffffe0063881af0 frame pointer = 0x28:0xfffffe0063881ba0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 87885 (avahi-daemon) rdi: fffff80003c2c480 rsi: 0000000000000000 rdx: 00000000000000a0 rcx: 0000000000000020 r8: 0000000000000000 r9: 00000000000000f8 rax: 14d81dff33337b20 rbx: fffffe006a4e7ac0 rbp: fffffe0063881ba0 r10: 0000000000000000 r11: fffffe006a4e7fe0 r12: 0000000000000000 r13: fffffe0063881c04 r14: fffff800797d9800 r15: fffff80003c2c400 trap number = 9 panic: general protection fault cpuid = 6 time = 1734052404 KDB: enter: panic
It's interesting that it seems to re-create the interface after boot. Did you resave something there?

I'd have to guess it's some hardware off-loading in the ixv driver causing problem there when it tried to jpin the multicast group.
What hardware offloading is shown as capable or enabled by ifconfig -m ixv0 or for ifconfig -m ixv0.7?
D

Email Reports WebGUI crashes when trying to edit the reports

• • Darkk

12

0
Votes

12
Posts

310
Views

D

@marcosm said in Email Reports WebGUI crashes when trying to edit the reports:

@Darkk You'll need to add and apply the diff yourself - it's not included.

I've applied the patch and it's working perfectly now.

Thank you!
S

WAF for pfSense/pfSense+ - eg. Coraza WAF via haproxy SPOE?

• • sandie

1

0
Votes

1
Posts

248
Views

No one has replied
N

Packages 24.11 Issue

• • NogBadTheBad

5

0
Votes

5
Posts

204
Views

M

@jimp said in Packages 24.11 Issue:

Plus 24.11 should be good now, the others are still rebuilding and will be fixed shortly.

Confirmed, thanks Jimp, 24.11 fixed already.
J

Vhosts

• • JonathanLee

1

0
Votes

1
Posts

74
Views

No one has replied
A

Freeradius with PIN+OTP plus group membership in AD

• • aldomoro

1

0
Votes

1
Posts

60
Views

No one has replied

1 / 462