1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    @firefox I don’t think so, to be honest with you I am on an older version also. Just make sure you do the patch package and install all the system patches.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    M
    Hi, I had a problem with my home network today, so I checked pfsense and discovered that suricata had blocked the wan ip. After some tests and triggering some suricata alerts, the wan ip was blocked. I restarted pfsense and ran some more tests, but the problem no longer occurred. I then checked the wan interface settings and indeed the ip list does not include the wan ip, both now that it's working and before, when it was blocked. I'm using pfsense 2.8.0 and suricata 7.0.8_2. I use PPPoE to access the Internet.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    keyserK
    @jrey said in pfBlockerNG syslog logentries to remote SIEM: @keyser I so want to answer this, but then at the same time (no I don't) ... pfblocker using syslog messaging in real time. no tailing of files, no other packages, just code. Huuuh? That seems very very interesting I noticed your name in other posts around the forum where you seemed to be QUITE proficient at coding/developing. Are you by any chance considering involvement in developing and refining the pfBlockerNG package? It would be SO great if you are looking into adding native syslog to the pfBlockerNG package - or an easy workaround that does not require additional packages and “temporary” edits in files that does not survive service restarts or pfSense updates. Here’s that you will fill me/us in on the solution you are using to your Greylog - please, pretty please with sugar on top

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    496 Topics
    3k Posts
    R
    @provels said in updating to acme 1.0 breaks system beyond repair: need to restore from backup: This same mess happened to me, even w/o Acme, going from 25.07 to *.1. Blew, reinstalled w/ Crowdsec, blew again, reinstalled, clipped all the Crowdsec info from config.xml, restored config, back to normal. Crowdsec is a great concept, but I think I'm out. I never had this issue with Crowdec before the ACME update, even with updating from 2.7 to 2.8 there was no issues. In fact after restoring from a backup after the ACME update, Crowdsec reinstalled just fine, and this was before the recent release a couple days ago that contained a fix.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    606 Posts
    M
    @yobyot I've SSHed into pfsense and for the sake of testing I've simply run the command: tailscale up --auth-key=tskey-client-kQ_THE_REST_IS_A_SECRET\?preauthorized=true\&ephemeral=false --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=X.X.X.X/24 --advertise-tags=tag:pfsense Note the preauthorized=true and ephemeral=false I gave this key all permissions (temporarly as I just wanted to verify it's working) of course I had to register the tag used also in the ACL tags pane: https://login.tailscale.com/admin/acls/visual/tags so far so good

  • Discussions about WireGuard

    697 Topics
    4k Posts
    lvrmscL
    Same here. It started after I installed 25.07. Then it settled down by itself after a few days. It started again after upgrading to 25.07.1. WireGuard works fine (it merely connects to the remote site from this one). However, I am refraining from upgrading the remote, because if the 'service' does not start, I fear it will not listen to incoming connections, which would leave me in a difficult situation. The other topic I had opened before finding this: https://forum.netgate.com/topic/198449/25.07-release-amd64-wireguard-service-reported-stopped-yet-tunnel-trafic-clearly-is-ok
Log in to post
Load new posts
  • F

    Squidclamav.conf redirect being ignored

    3
    0 Votes
    3 Posts
    3k Views
    T
    [SOLVED] Clean your test browser's cache, cookies, history. Restart browser and "voila"It's working as it should.
  • F

    Suricata Q's & an error message

    3
    0 Votes
    3 Posts
    2k Views
    F
    @bmeeks: @firewalluser: Dont know where to post this, but running 2.2 Beta with Snort and Suricata. First Q. Is it ok to run snort and suricata side by side on the same machine? I've experimented with both installed, running and with snort interfaces disabled but cant seem to get any alerts or blocks from suricata. I have not uninstalled snort yet. I'm getting lots of these error messages in the system log FWIW. suricata[59742]: 24/11/2014 – 22:54:01 - <error>-- [ERRCODE: SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 0 not yet supported in module DecodePcap When I see "unimplemented", I wonder how far along suricata is, but also, where does it fit with snort? Is snort still superior to suricata or vice versa? It just snort has a few rules/options available which suggests more control with Snort, but I could be wrong? TIA</error> You must be running PPPoE on your WAN.  Suricata does not support PPPoE connections on FreeBSD.  Snort does.  The limitation is within the Suricata binary itself and not something caused by the GUI package on pfSense.  If you must use PPPoE, then use Snort instead of Suricata (or else don't try to run Suricata on the PPPoE interface). As for which is better or more mature, that's sure to bring out fan boys on both sides.  In my view neither is "better", they are just "different".  Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput.  In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over.  Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them). Bill You must be running PPPoE on your WAN. Yes I am, didnt know about the pppoe restriction. As for which is better or more mature, that's sure to bring out fan boys on both sides.  In my view neither is "better", they are just "different".  Suricata is a true multithreaded IDS, so in theory it should scale better with more CPUs and offer higher throughput.  In practice with today's hardware and network speeds, this only starts to matter at 10Gig and over.  Snort currently offers some rule options and keywords that Suricata does not support, so there are some Snort rules that will not load on Suricata (they cause an error and Suricata ignores them and skips loading them). Thanks for that info, it explains a lot. I think for my uses, snort on wan and suricata and/or snort on lan is the way to go although I doubt my lan traffic will ever reach the rates that give suricata a chance to show off its capabilities over snort.
  • A

    Reverse PFBlocker option ?

    7
    0 Votes
    7 Posts
    2k Views
    F
    @atrocity: well, but we can't wait, because we have to filter out most of the world to some specific network equipements … :( Firewall: Aliases: Edit. Create two alias's Allowed IP's and Blocked IP's and link them to two txt files located on one of your internal webservers, then create all your rules you want and you dont need pfblocker then, but you do have more control with this approach. For example, you might have an alias for Allowed Email IP's where a txt file contains the ip address blocks you will accept email from (smtp/25) as you may do business abroad in that country, even your supplier might have their own ip address block reducing the constant updates which will invariable take place as IP's blocks get moved around. You could also have another alias file that contain ip address blocks for countries staff might have to visit including stop overs for connecting flights in other foreign countries, then you can have a rule to allow their iphone/android/windows phone communications with their imap/exchange servers for example. Maybe also allow some encrypted VOIP comms to avoid calls being listened into from foreign govt's when using their public telecoms infrastructure, or if you really want to be "silent", just have a vpn connection like openvpn, tunnel all traffic from your phones/laptops through the vpn and hide even more info from foreign govt's when abroad.
  • K

    /etc/inetd.conf vs /var/etc/inetd.conf

    3
    0 Votes
    3 Posts
    1k Views
    K
    Thanks for the explanation.  I'll look at it, but no promises …
  • F

    Snort/Suricata Suggestion

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @fsansfil: Hey BBcan, I know, its really well done too… But just wanted a simple way to add more $ operator with aliases ;) F. This idea would require changes within the pfSense code itself, and not just the Snort or Suricata package code. Bill
  • S

    Help with latest Snort + Barnyard2

    6
    0 Votes
    6 Posts
    2k Views
    bmeeksB
    @hescalona: mv /usr/pbi/snort-amd64/bin/barnyard2 /usr/local/bin/barnyard2 Yep, this should fix it by copying the latest barnyard2 binary over top of any older version lurking in /usr/local/bin. Bill
  • W

    Snort on Lan & Wan

    5
    0 Votes
    5 Posts
    3k Views
    bmeeksB
    @wbennett77: Thanks Bill, How would I identify which ET rules that are direct IP drops besides the three you spoke about? The rule text will just be a long list of IP addresses.  It's not terribly critical that they go on just the WAN, though. As another poster mentioned, there is some debate on the merits of where to put IDS rules (WAN, LAN or both).  I find that for most home users with NAT, putting the rules on the LAN side helps you better find any infected hosts without a lot of searching.  On the other hand, most home networks are small enough that even a brute-force search of all the machines would not take very long.  For me I just like the convenience of having the offending host's real IP immediately available in the alert message on the ALERTS tab. Bill
  • P

    Pfsense + freeradius2: wifi simultaneous login not working

    6
    0 Votes
    6 Posts
    3k Views
    N
    I am not familar with actual pfsense version and CaptivePortal. But if I remember correct there is a possibility to give a user some credits so that this user can access the internet without logging in on CP. So you you try to use a high number of credits for each user and low timeout for resetting these credits and enabling Accounting on CP. Not sure at all if this works. When you are searching for "radutmp" file you find some interesting information: http://opensource.apple.com/source/freeradius/freeradius-25/freeradius/raddb/modules/radutmp Accounting information may be lost, so the user MAY #  have logged off of the NAS, but we haven't noticed. #  If so, we can verify this information with the NAS, #  If we want to believe the 'utmp' file, then this #  configuration entry can be set to 'no'. check_with_nas = yes So this part will tell us that accounting is used for simultaneous use checks and it tells us, that if the user logs of or is disconnected and the NAS (Access-Point is your case) will not tell freeradius that this user has disconnected, then freeradius will never know and this user will still exist in radutmp file. So when trying to use DD-WRT you should make sure that it works like it should and that you don't fix one problem and get a new one ;) Perhaps you should enable CaptivePortal and use this accounting feature and authentication. On CP add the Access-Points itself to bypass so that authentication with PEAP works. Users then authenticate against freeradius to get WLAN Access and then - this is not so comfortable but should work - again on CP to get internet access. With the same username and password and then simultaneous checks can be done on freeradius with accounting enabled on CP or better use the CP built-in feature of simultaneous-checks. Good Luck!
  • B

    Snort 2.9.6.2 pkg v3.1.4 - Preprocessors blocks my WAN IP

    16
    0 Votes
    16 Posts
    4k Views
    bmeeksB
    @Hollander: I had the same problem, so I wil do the XML-reinstall as you said, Bill, to see if it fixes anything. (Disabling portscan preprocessors and rebooting did not solve anything). What is weird in my case is: it only happens on WAN1 (VDSL), not on WAN2 (Cable); And, of course, being the noob that I am, I have no clue why my WAN1-IP would be detected as doing a port scan on some remote IP at all. And, something even more weirder: Source: 122.225.97.66 Destination: 81.x.x.x. => my WAN SID: 136:1 ((spp_reputation) packets blacklisted) And then my WAN gets blocked by Snort, and not the 122.225.97.66  ??? The update to 3.1.5 should fix the WAN IP getting blocked.  The bug fixed in that update causes Snort to ignore the new WAN IP change, so that means your new WAN IP does not get put into the default automatic PASS LIST.  As for portscan sensitivity, I have a noticed a few more than I used to get many months ago.  The GUI package code I maintain has nothing to do with that, however.  That is something triggered by the Snort binary that comes from the snort.org folks. Bill
  • ?

    FreeRADIUS + LDAP: Client Storage?

    1
    0 Votes
    1 Posts
    640 Views
    No one has replied
  • S

    SQUID: Proxy monitor

    2
    0 Votes
    2 Posts
    727 Views
    S
    Found it. /usr/local/www/ Edit Squid_monito.php using filemanager or other. Find <form id="paramsForm" name="paramsForm" method="post"> | Max lines: | <select name="maxlines" id="maxlines"><option value="5">5 lines</option> <option value="200" selected="selected">200 lines</option> <option value="15">15 lines</option> <option value="20">20 lines</option> <option value="25">25 lines</option> <option value="100">100 lines</option> <option value="200">200 lines</option></select> | | String filter: | ! to invert the sense of matching, to select non-matching lines.");?> | </form> Edit highlighted section from 10 to any other preferred number and refresh the squid monitor page. Voila!
  • P

    AutoConfigBackup - user-config-readonly priv still does backup

    2
    0 Votes
    2 Posts
    730 Views
    P
    Related bug report: https://redmine.pfsense.org/issues/4034
  • P

    AutoConfigBackup - Do not overwrite previous backups for this hostname

    2
    0 Votes
    2 Posts
    662 Views
    P
    Bug report for "Do not overwrite previous backups for this hostname" checkbox: https://redmine.pfsense.org/issues/4033 Feature request to differentiate automatic and manual backups: https://redmine.pfsense.org/issues/4035
  • A

    PfSense 2.1.5 + Squid3 + Multi-WAN

    2
    0 Votes
    2 Posts
    805 Views
    A
    Hey guys, anyone got an idea? :/ Greets
  • S

    Caching Windows 8.1 Updates

    1
    0 Votes
    1 Posts
    744 Views
    No one has replied
  • W

    Squid3 custom error pages

    1
    0 Votes
    1 Posts
    882 Views
    No one has replied
  • S

    Turn off package filtering, what happens to Squid?

    1
    0 Votes
    1 Posts
    506 Views
    No one has replied
  • P

    Strikeback Is Not Logging

    1
    0 Votes
    1 Posts
    515 Views
    No one has replied
  • P

    Snort does not show trojan traffic

    16
    0 Votes
    16 Posts
    3k Views
    P
    Hey guys! Just wanted to let you know that with the modified rule I was able to get an alert on the interface I supected to be the source of the conficker traffic. I still have to investigate the PC to confirm that it actualy is infected but the whole issue seems pretty plausible now. Thanks again for the great help! Malte
  • D

    Snort Block Offenders kills interface.

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @dola0056: would that be /var/log/system.log? I did check it out and have not seen any errors. The interface seems to come up and down but the red and white x remains. Also when I create a rule it doesn't work for the interface unless I remove the block offenders option and then the rule and the interface run fine. Look under Status…System Logs.  You may need to click the Settings tab once that page is displayed and tick the box to show newest events first (that is, show events in reverse order) and expand the number of entries displayed to like 250 or more. Now go back and try to start Snort with blocking enabled.  You should get an error message of some type in the system log.  My first thought is perhaps your system is missing the <snort2c>table.  That has happened to folks who have used the Traffic Shaper.  It seems to delete the <snort2c>system table that Snort needs for blocking – or at least it was doing that a while back. Bill</snort2c></snort2c>
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.