pfSense Packages

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Cache/Proxy

Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

3.8k
Topics

20.6k
Posts

A

@viragomann yeah, it was enough of a nightmare to get this VPN setup originally, anytime you involve TCS in something IT related you can add an extra hundred hours!
IDS/IPS

Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

2.2k
Topics

15.7k
Posts

B

@Alessiottero said in Uknown VLAN Traffic with Suricata IPS Inline Mode:

Ciao @bmeeks, thank you again, I have write right know on the Suricata forum!

If you are interested this is the topic.

Thank you very much again, we will update soon I hope!

I checked on your Suricata forum post. Excellent way to phrase your question. It leaves the focus on why that rule would trigger and does not muddy up the water by mentioning pfSense.

There are several key Suricata developers that frequent the forum. Hopefully one of them will answer soon. I am curious myself about the answer to your question.
Traffic Monitoring

Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

559
Topics

2.7k
Posts

M

@periko I agree with you. Most if not all firewalls today provide some ability to peak into what kind of traffic is flowing through your device.
pfBlockerNG

Discussions about the pfBlockerNG package

2.6k
Topics

19.4k
Posts

G

@tibere86 said in Null blocking SERVFAIL:

When I have NULL BLOCK enabled, DNSBL v6 returns SERVFAIL instead of ::

Hummmm.

I just tested with "006.freecounters.co.uk" which is part of DNSBL_ADs_Basic.

When I test with

ca23059c-ccd3-441a-9434-b918db763d10-image.png
I saw also a "ServFail".

Then I started to "play" with the python script ... and now I see :
(adding logs lines on what I think are interesting places ), like on line 1614:
log_info("{} Blocked {} Returned IP {} {}".format(q_name, b_ip, q_type_str, q_type))
I saw :
<30>1 2025-01-29T17:56:09.484605+01:00 pfSense.hf.tld unbound 13346 - - [13346:0] info: 006.freecounters.co.uk Blocked :: AAAA 28
98421505-6341-4765-9a80-f261744be26f-image.png

... But then humm again.
If unbound return "::" then what can the browser do with this ?
It should be the, to be useful, an IPv6 GUA of pfSense .....
And &@/{#, as I'm in null blocking mode ...
Done. back to Web server mode.

Now I see :
info: 006.freecounters.co.uk Blocked ::10.10.10.1 Returned IP AAAA 28
But https://[::10.10.10.1]:443 doesn't really work.

Also : https://serverfault.com/questions/698369/what-is-the-ipv6-equivalent-of-0-0-0-0-0
UPS Tools

Discussions about Network UPS Tools and APCUPSD packages for pfSense

90
Topics

2.3k
Posts

G

@rdibley said in Linefeed in pfSense email notifications (with Network UPS Tools):

So one more question: if most people don't use the Advanced section (and the users.conf is blank), how does a secondary system connect to the primary? Is it that most people don't define a user/password for monitoring, but that the primary is just open to any secondary system that might want to connect?

I'm using it 😊

b852fa0b-7f4c-4461-8c73-3867487db57f-image.png

The third entry is for my Synology NAS :

And the NAS side :

c67da02f-ce7a-456c-a7e1-fede22ed4b6b-image.png

and done.

I've also installed "Windows NUT Client" on two PC's nearby.
Example : PC 1 with user name "pcrecep1" and password "secret1" :

e41ec81d-1698-431f-98f9-17e142c93132-image.png

Works fine also.
So I've 4 devices protected with one big 1000 VA APC UPS, where pfSense is the NUT 'server' as it has a USB cabled UPS hooked up to it, and now 4 devices are controlled by this UPS instead of one.
ACME

Discussions about the ACME / Let’s Encrypt package for pfSense

484
Topics

2.7k
Posts

G

Make sure this :

89177f2d-3cdf-4a1f-b7eb-39878b32631d-image.png

is unchecked.
Checked means , after Mai 7, 2025 : renewal error.

Mail from Letsencrypt (2025-01-29) :

.....
The certificates for the hostnames below (issued by the Let's Encrypt account associated with this email address) use a feature called "OCSP Must Staple." We are ending our support for that feature (https://letsencrypt.org/2024/12/05/ending-ocsp), along with our support for OCSP in general, and replacing it with Certificate Revocation Lists (https://letsencrypt.org/2022/09/07/new-life-for-crls).

After May 7th, 2025, requests for certificates with "OCSP Must Staple" will fail.

To ensure your certificates continue to automatically renew, please change your ACME client configuration to not request OCSP Must Staple.
....
FRR

Discussions about the FRR Dynamic Routing package on pfSense

283
Topics

1.2k
Posts

M

@michmoor said in FRR 10 coming with script support ?:

Yep yep that's right. Sorry for confusing issues.

Np, we need more people engaged in this, FRR is a great software but it is not working smoothly with pfsense IPsec VTIs.
Tailscale

Discussions about the Tailscale package

77
Topics

436
Posts

E

@atlmcw

I had no issues.
WireGuard

Discussions about WireGuard

649
Topics

3.4k
Posts

P

Was looking through the system logs around the last failure point in time, and may have found a clue.

The issue with the service/widget appears to happen after reboots of the pfSense appliance.

any other logs I can look through? there doesn't appear to be package level logging.

J

System Patches Package v2.2.20_1 / v2.2.11_17

• • jimp

11

12
Votes

11
Posts

691
Views

J

There was no issue with "apply all" in general, just some people who applied certain changes manually earlier may not have been able to apply one of the recommended patches, but that's always been the case if the patches change.

Update the package and look at the list again, if any of the recommended patches entries have an apply action, apply them.
1

DNS Broken for pkg.pfsense.org

• • 10101000

3

0
Votes

3
Posts

12.2k
Views

J

https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2
R

Packages wishlist?

• • rds_correia

661

0
Votes

661
Posts

1.3m
Views

O

PRTG
A

Prometheus Node Exporter gives log errors - fix or suppress in log

• • ameinild

5

0
Votes

5
Posts

1.3k
Views

N

Adding this here rather than a new topic since this is what comes up vv google when looking for why uname and zfs are throwing errors in the pfSense system log

Following the steps above from @ameinild does stop the messages from appearing, but only until you restart or touch the config in the ui.

After digging around here github and looking for some overly complicated way to override the default conf, a definite 🤦 was in order though... its so obvious once you see it, i.e. all of the selected options are all just flags in the config, and adding --no-collector.XX is just another flag, but from what I could find this wasnt called out anywhere, despite this issue being discussed in a number of forums.

The solution is simply to add --no-collector.zfs --no-collector.uname to Extra flags and save.

2b94e695-3dc2-4a2e-886e-87a09509605d-image.png

Which results in /usr/local/etc/rc.conf.d/node_exporter updated as follows, and the config persisting.

a49b3815-2788-43c7-802b-fa395d1b4812-image.png
N

LCDproc Looses Connection - Restarting service Fixes but goes down again shortly after

• • ngr2001

6

0
Votes

6
Posts

597
Views

J

Firewall states wouldn't affect LCDProc since it's not a TCP connection, it's local serial.

You should definitely be using cuaU0 or a cuaU<n> port, though, not a TTY.

I have LCDProc going on two systems, one with a crystalfontz display and another with an adafruit LCD+Backpack setup. Both work great and never lose connection.
R

How to update to the latest Telegraf version

• • rocket

5

0
Votes

5
Posts

294
Views

R

@rocket

Updated Jan 28-2025

pfsense 24.11 - Telegraf freebsd-15 
pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.33.1.pkg

pfsense 2.7.2 - Telegraf freebsd-14 
pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.33.1.pkg
F

Longstanding FreeRADIUS EAP-TLS security bug on validating client certificate common name

• • Finger79

8

1
Votes

8
Posts

834
Views

F

Can this security vulnerability get some love please?
I

Packages showing as up to date - they are not. 2.7.2

• • iStuart

6

0
Votes

6
Posts

122
Views

S

@iStuart said in Packages showing as up to date - they are not. 2.7.2:

link that states what the latest version is?

I don't think so. Usually it's discussed in the forum category here. There is https://www.patreon.com/pfBlockerNG but it isn't always posted there I think. Also https://www.reddit.com/r/pfBlockerNG/.
L

cron package lead to boot issue

• • luxopok

3

0
Votes

3
Posts

75
Views

M

I'm not seeing how the errors would trigger via the GUI - was the config.xml file manually modified?
T

Suricata fails install

• • TravisH

9

0
Votes

9
Posts

190
Views

B

@TravisH said in Suricata fails install:

@bmeeks That gave me the same errors, I might try a fresh install just to see if it has something else going on.

Cheers

I don't have any other suggestions, then. Those error messages appear to definitely originate from the pkg utility itself as it is creating the directories and copying the Suricata install files to the correct locations. The Suricata package is not even "alive" at that point (since it is in the process of being installed by the pkg utility).

Have you monkeyed with any user permissions on the firewall?

Can you remove and then successfully reinstall another package? What about trying to reinstall Snort again?

What kind of hardware do you have? Is it something with an eMMC disk? Perhaps it has gone into "read only" mode ???
E

haproxy does not start when pfsense start

• • ewok2

1

0
Votes

1
Posts

336
Views

No one has replied
J

Avahi reflection filtering

• • JonH

3

0
Votes

3
Posts

119
Views

J

@dennypage said in Avahi reflection filtering:

You are conflating local services and service reflection between interfaces. They are unrelated.

Thank you, I'll remove those entries.
T

Telegraf service keeps stopping

• • Target-Bravo

4

0
Votes

4
Posts

237
Views

C

@Target-Bravo How did you enable debugging on this plugin?
C

HAProxy - Include subdirectories in the HTTP Redirect

• • ColdBrew

9

0
Votes

9
Posts

151
Views

V

@ColdBrew
Check the log on the backend server, to see, what HAproxy requests exactly.
As mentioned above, HArproxy uses the IP and port, you've stated in the backend config.
And I guess, if you use this IP an port and append the subdirectory (e.g. http://10.65.10.5:3454/subdir) you get nothing from the backend device as well.
L

Avahi Crash on pfSense 2.7.2

• • LukeT

5

0
Votes

5
Posts

159
Views

S

Hmm, not familiar. Backtrace:
db:0:kdb.enter.default> bt Tracing pid 87885 tid 100340 td 0xfffffe006a4e7ac0 kdb_enter() at kdb_enter+0x32/frame 0xfffffe0063881830 vpanic() at vpanic+0x163/frame 0xfffffe0063881960 panic() at panic+0x43/frame 0xfffffe00638819c0 trap_fatal() at trap_fatal+0x40c/frame 0xfffffe0063881a20 calltrap() at calltrap+0x8/frame 0xfffffe0063881a20 --- trap 0x9, rip = 0xffffffff80ee0935, rsp = 0xfffffe0063881af0, rbp = 0xfffffe0063881ba0 --- in_joingroup_locked() at in_joingroup_locked+0x335/frame 0xfffffe0063881ba0 inp_setmoptions() at inp_setmoptions+0x11c6/frame 0xfffffe0063881d30 sosetopt() at sosetopt+0xb4/frame 0xfffffe0063881d80 kern_setsockopt() at kern_setsockopt+0xa5/frame 0xfffffe0063881de0 sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe0063881e00 amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe0063881f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0063881f30 --- syscall (105, FreeBSD ELF64, setsockopt), rip = 0x82687dd0a, rsp = 0x8203704f8, rbp = 0x820370550 ---
Panic:
<6>vlan0: changing name to 'ixv0.7' <6>ixv0: link state changed to DOWN <6>ixv0: link state changed to UP arprequest_internal: cannot find matching address Fatal trap 9: general protection fault while in kernel mode cpuid = 6; apic id = 06 instruction pointer = 0x20:0xffffffff80ee0935 stack pointer = 0x28:0xfffffe0063881af0 frame pointer = 0x28:0xfffffe0063881ba0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 87885 (avahi-daemon) rdi: fffff80003c2c480 rsi: 0000000000000000 rdx: 00000000000000a0 rcx: 0000000000000020 r8: 0000000000000000 r9: 00000000000000f8 rax: 14d81dff33337b20 rbx: fffffe006a4e7ac0 rbp: fffffe0063881ba0 r10: 0000000000000000 r11: fffffe006a4e7fe0 r12: 0000000000000000 r13: fffffe0063881c04 r14: fffff800797d9800 r15: fffff80003c2c400 trap number = 9 panic: general protection fault cpuid = 6 time = 1734052404 KDB: enter: panic
It's interesting that it seems to re-create the interface after boot. Did you resave something there?

I'd have to guess it's some hardware off-loading in the ixv driver causing problem there when it tried to jpin the multicast group.
What hardware offloading is shown as capable or enabled by ifconfig -m ixv0 or for ifconfig -m ixv0.7?
D

Email Reports WebGUI crashes when trying to edit the reports

• • Darkk

12

0
Votes

12
Posts

303
Views

D

@marcosm said in Email Reports WebGUI crashes when trying to edit the reports:

@Darkk You'll need to add and apply the diff yourself - it's not included.

I've applied the patch and it's working perfectly now.

Thank you!
S

WAF for pfSense/pfSense+ - eg. Coraza WAF via haproxy SPOE?

• • sandie

1

0
Votes

1
Posts

229
Views

No one has replied
N

Packages 24.11 Issue

• • NogBadTheBad

5

0
Votes

5
Posts

201
Views

M

@jimp said in Packages 24.11 Issue:

Plus 24.11 should be good now, the others are still rebuilding and will be fixed shortly.

Confirmed, thanks Jimp, 24.11 fixed already.
J

Vhosts

• • JonathanLee

1

0
Votes

1
Posts

73
Views

No one has replied
A

Freeradius with PIN+OTP plus group membership in AD

• • aldomoro

1

0
Votes

1
Posts

59
Views

No one has replied

1 / 462