Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    A
    Adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend overrides the behavior and makes backend changes apply immediately when reloading. I am also using the global GUI setting Force immediate stop of old process on reload. (closes existing connections). [image: 1754764767072-67de741e-7dbf-4766-8e17-1a550e6684b0-image.png]
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks
    @NRgia said in Suricata on Pfsense: @bmeeks Thank you for what you did for Snort or Suricata. I'm not sure what you want me to do on Redmine, since it is a bug tracker. My question is for Product Management, which I will ask here to be public: What is the plan for these 2 packages, Suricata and Snort? Thank you
    Yes, Redmine is for both bug reports and feature requests. Asking for the Suricata binary to be updated to the latest 7.0.11 version from upstream is a legitimate Redmine request. I would suggest simply asking for the binary version update instead of asking about future Netgate strategy (such as the support plans for the packages). Strategy discussions typically don't get very far because they deal with proprietary information or plans that a company may not want to publicly discuss. Redmine is where the Netgate developer team tracks all the code changes they make for pfSense. They will see Redmine reports much quicker than a forum post.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K
    @pulsartiger The database name is vnstat.db and its location is under /var/db/vnstat. With "Backup Files/Dir" we are able to do a backup, or also with a cron.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    Gertjan
    @rasputinthegreatest said in pfBlockerNG not logging anything by default?: it's made up of multiple sources so it does make sense that it resolves some of these weird private hosts
    A public NTP pool like pool.ntp.org would not list host names with weird random paddings that reference local devices. "domaincontroller-gPHvwjYS.local,192.168.1.86" is a reverse PTR, and is requested by one of your local devices. Why, I don't know.
    @rasputinthegreatest said in pfBlockerNG not logging anything by default?: I find them in pfblockerNG dns_reply log under Logs
    No URLs there, only host names. [image: 1754736735409-c09607c2-c95a-4971-bdb4-f63fe08bebe8-image.png]
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.
    Glad you have it sorted.
    There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded?
    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).
    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command:
    [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
    VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    [25.07-RC][root@fw]/root:
    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8.
    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan
    @EChondo What's your pfSense version? The instructions are shown here: [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png]
    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.
    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.
    No need to wait x days. You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.
  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1
  • Discussions about the Tailscale package

    90 Topics
    594 Posts
    E
    @totalimpact Tailscale 1.54.0 is 2+ years out of date. Tailscale has made quite a number of changes since Tailscale 1.54.0, likely rendering it incompatible with their servers. I would consider manually updating the Tailscale FreeBSD package. FreshPorts does not maintain an archive of all the releases, only the latest compiled by the volunteer maintainers. The key to manually upgrading is knowing which FreeBSD version your pfSense release is running, i.e. 14 or 15. You can follow along here.
  • Discussions about WireGuard

    692 Topics
    4k Posts
    M
    This is still an issue as of 2.8.0 / 25.07, and it drives me crazy. Gateway failure works as expected, the WireGuard tunnels will fail over to the backup gateway and continue on as normal, but will never recover once the failed gateway comes back online. While a reboot will (usually) fix it, I usually just go into my routing settings and mark the secondary gateway as down, forcing it to revert back to the primary... the users tend to dislike it when I reboot the firewall in the middle of the day.
  • SNORT (spp_frag3) Fragmentation overlap (again and again and again)

    8
    0 Votes
    8 Posts
    7k Views
    bmeeks
    @panz: Sorry, I didn't ask my question with the right words. Q: is there a method to setup SNORT in a manner that it will alert me for fragmented packets even if I disabled the frag3 engine detection? No, that frag3 engine is where those alerts come from. Bill
  • Privileges by Groups of user

    4
    0 Votes
    4 Posts
    1k Views
    KOM
    Well, Squid and SquidGuard are common FOSS packages for doing caching and filtering, so you could actually download those packages and try for yourself.  Or, you could use a search engine to read up on the documentation to get most of your answers. Yes, you can create custom groups.  No, there is not just one common profile/group.  Look into Group ACL.
  • Unable to find "onatproto" package on the "available package" tab

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177
    Did you see this thread: https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084 "FreeBSD is moved them to ftp-archive since the release is no longer officially supported upstream."
  • Snort not working on the LAN interface?

    5
    0 Votes
    5 Posts
    2k Views
    bmeeks
    @zerodamage: I am trying to figure out why my Snort will not work on the LAN interface. I originally had it running on the WAN interface and it worked fine. I noticed some alerts with regards to Trojan but the source IP was my WAN interface, not the culprit within my network. So I made a LAN interface and used the same IPS policy (connectivity) and rules (I have a Snort subscription) and I get no alerts. The interface goes active without any issues but I do not receive any alerts at all. This is my home network so it isn't the end of the world but I would like for it to work. This is how my network is laid out: LAN => WAP / Switch => pfSense / Snort => Internet
    There may simply be nothing too nefarious happening in your LAN. I get maybe one or two alerts per week on my LAN. I get a ton on my WAN, but that's because I run some IP Reputation rules there and known spammer and other malicious IPs make connection attempts. Also remember that Snort puts the interface it runs on in promiscuous mode, so that would mean the WAN sees a lot of extra stuff, for example. If you want to test Snort on your LAN, install a tool like nmap on a host and scan your firewall. That should trigger some alerts. Bill
  • Snort inline mode

    6
    0 Votes
    6 Posts
    4k Views
    BBcan177
    While the packet can't be dropped, any open states in the firewall can be killed. I hope the devs implement those changes.
  • NMAP doesn't scan all ports

    2
    0 Votes
    2 Posts
    871 Views
    jimp
    Unless your PC is actually listening for a connection from anywhere on port 21, then nmap won't see that as "open". To nmap, "open" means that a service is waiting for inbound connections and accepts them (listening on a port), such as a web server or FTP server on the IP being scanned. If your client has a connection "open" to a remote server, that isn't something nmap can see as it's a fundamentally different concept.
  • Suricata unable to install Snort VRT rules

    2
    0 Votes
    2 Posts
    2k Views
    BBcan177
    See the following thread: https://forum.pfsense.org/index.php?topic=79918.0#lastPost
  • Squid3-dev Transparent Mode

    5
    0 Votes
    5 Posts
    2k Views
    N
    @KOM: Enable Squid3-dev Transparent Proxy then disable SquidGuard3. Does it work now? Squid by itself doesn't do any blocking, only caching. SquidGuard does the blocking.
    I have disabled SquidGuard, set the proxy interface as LAN in Squid and enabled Transparent mode, no SSL filtering. It still gives the same error, i.e. TCP_MISS 403.
    @KOM: Here's the thing about SSL filtering. To do it, you will need to do one of the following: install a certificate on every client, or set the proxy server on every client. You have to touch the client one way or the other, so you may as well use Squid2 which is stable. Block off outgoing port 80 so that only the proxy has web access, set the proxy server for all your static IP clients and then set up WPAD for DHCP clients. I believe that HTTPS bypasses Squid unless you have it manually set to be your proxy or you're running transparently with a cert installed. Same reason why setting a domain block in SquidGuard doesn't work for HTTPS. HTTPS creates a point-to-point encrypted tunnel between you and the external server. Squid has no idea what's going on unless it's "inside" the encrypted tunnel, and it can only do that if you have your client manually set to use pfSense as your web proxy, or if you're using a certificate on the client to trust your pfSense server.
    I will surely try this method. SquidGuard or SquidGuard-devel has to be used with Squid2, because those two SquidGuard versions might not work with Squid3.
  • Apache breaks WebConfigurator?

    8
    0 Votes
    8 Posts
    1k Views
    arrmo
    Makes complete sense, and agree with you! This is a smaller (home) environment, so having a separate machine just to serve a web page or two is a bit of an overkill … ;). Thanks!
  • Multiple problems with Suricata service - (instability and crashes)

    11
    0 Votes
    11 Posts
    4k Views
    T
    It crashed a few times on my guest wifi network.
    3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 65535 defrag trackers of size 88
    3/8/2014 -- 14:37:18 - <info> -- defrag memory usage: 6553512 bytes, maximum: 33554432
    3/8/2014 -- 14:37:18 - <info> -- AutoFP mode using "Active Packets" flow load balancer
    3/8/2014 -- 14:37:18 - <info> -- preallocated 1024 packets. Total memory 3135488
    3/8/2014 -- 14:37:18 - <info> -- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 1000 hosts of size 60
    3/8/2014 -- 14:37:18 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
    3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 10000 flows of size 144
    3/8/2014 -- 14:37:18 - <info> -- flow memory usage: 2226432 bytes, maximum: 33554432
    3/8/2014 -- 14:37:18 - <info> -- IP reputation disabled
    3/8/2014 -- 14:37:18 - <info> -- Added "35" classification types from the classification file
    3/8/2014 -- 14:37:18 - <info> -- Added "19" reference types from the reference.config file
    3/8/2014 -- 14:37:18 - <info> -- using magic-file /usr/share/misc/magic
    3/8/2014 -- 14:37:18 - <info> -- Delayed detect disabled
    3/8/2014 -- 14:37:45 - <info> -- 2 rule files processed. 14865 rules successfully loaded, 0 rules failed
    3/8/2014 -- 14:38:47 - <info> -- 14873 signatures processed. 891 are IP-only rules, 4227 are inspecting packet payload, 11353 inspect application layer, 0 are decoder event only
    3/8/2014 -- 14:38:47 - <info> -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    3/8/2014 -- 14:38:52 - <info> -- building signature grouping structure, stage 2: building source address list... complete
    3/8/2014 -- 14:39:46 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
    3/8/2014 -- 14:40:03 - <info> -- Threshold config parsed: 0 rule(s) found
    3/8/2014 -- 14:40:03 - <info> -- Core dump size is unlimited.
    3/8/2014 -- 14:40:03 - <info> -- fast output device (regular) initialized: alerts.log
    3/8/2014 -- 14:40:03 - <info> -- http-log output device (regular) initialized: http.log
    3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s).
    3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1
    3/8/2014 -- 14:40:04 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    3/8/2014 -- 14:40:04 - <info> -- Found an MTU of 1500 for 'ath0_wlan1'
    3/8/2014 -- 14:40:04 - <info> -- Set snaplen to 1500 for 'ath0_wlan1'
    3/8/2014 -- 14:40:04 - <info> -- RunModeIdsPcapAutoFp initialised
    3/8/2014 -- 14:40:04 - <info> -- stream "max-sessions": 262144
    3/8/2014 -- 14:40:04 - <info> -- stream "prealloc-sessions": 32768
    3/8/2014 -- 14:40:04 - <info> -- stream "memcap": 33554432
    3/8/2014 -- 14:40:04 - <info> -- stream "midstream" session pickups: disabled
    3/8/2014 -- 14:40:04 - <info> -- stream "async-oneside": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream "checksum-validation": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream."inline": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "memcap": 67108864
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "depth": 0
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toserver-chunk-size": 2560
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toclient-chunk-size": 2560
    3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started.
    3/8/2014 -- 14:40:04 - <info> -- Signal Received.  Stopping engine.
    3/8/2014 -- 14:40:04 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
    3/8/2014 -- 14:40:04 - <info> -- time elapsed 0.261s
    3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0
    3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Pcap Total:0 Recv:0 Drop:0 (nan%).
    3/8/2014 -- 14:40:04 - <info> -- AutoFP - Total flow handler queues - 1
    3/8/2014 -- 14:40:04 - <info> -- AutoFP - Queue 0  - pkts: 0            flows: 0
    3/8/2014 -- 14:40:04 - <info> -- Stream TCP processed 0 TCP packets
    3/8/2014 -- 14:40:04 - <info> -- Fast log output wrote 0 alerts
    3/8/2014 -- 14:40:04 - <info> -- HTTP logger logged 0 requests
    3/8/2014 -- 14:40:04 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
    3/8/2014 -- 14:40:05 - <info> -- cleaning up signature grouping structure... complete
    3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly
    That's a wifi interface off Pfsense
  • Enforcing Youtube Safety Mode

    17
    0 Votes
    17 Posts
    9k Views
    N
    @sowen: Well…yes, no and maybe.... the header rewrite
    $rewrite_item[] = array(F_TARGETURL => '(http://www.youtube.com/watch?v=.*)', F_REPLACETO => '\1&edufilter=XXXXXXXXXXXXXXXXXXXXXXXX', F_MODE => 'i');
    forces the users to use your specific educational channel, which you can then control. However, I do not know how to rewrite the header to force all proxy users to use "safety mode". YouTube Safety Mode is enforced by rewriting a specific cookie in client request headers, while SafeSearch (for Google etc...) is enforced by simply adding a string to the request URL (which is what the edufilter filtering does). A quick Google of "rewrite youtube header to use safety mode" brings up some info, but most of it is at least a couple of years old and I'm not sure how (or if) it could be implemented in pfSense / SquidGuard.
    Youtube Safe Search
    RewriteCond URL .youtube.com.
    RewriteHeader Cookie: (.*) PREF=f2=8000000
    RewriteRule (.)?youtube.com(.?.*) $1youtube.com$2&safety_mode=true [I,L]
    ; === Safety Mode for YouTube ===
    <proxy bc_safesearch_youtube_cookies>
    url.domain=youtube.com request.header.cookie="PREF=" action.BC_SafeSearch_YouTube_Cookie_Rewrite(yes)
    action.BC_SafeSearch_YouTube_Cookie_append(yes)
    define action BC_SafeSearch_YouTube_Cookie_Rewrite
    rewrite( request.header.Cookie, "(PREF=[^,]+)", "$(1)&f2=8000000" )
    end
    define action BC_SafeSearch_YouTube_Cookie_append
    append( request.header.Cookie, "PREF=f2=8000000" )
    end
    ; === End of Safety Mode for YouTube ===
    ***********************
    Do I need to edit cookies in the individual browser? If so, then it's not a feasible option because cookies will be erased if we clear the history. Somehow SquidGuard has to come up with the solution for this.
  • Squid revers proxy with multiple domains

    1
    0 Votes
    1 Posts
    676 Views
    No one has replied
  • [cron?] automatic Restart of HAPROXY if ping fails…

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SNORT Bug?

    14
    0 Votes
    14 Posts
    2k Views
    BBcan177
    @canux: Thanks for the info.  Do you have a paid subscription as well? Yes I use a Snort VRT and ET Pro subscription. Some of the other boxes I have use the Open Snort and ET Rulesets. Did you upgrade Snort to the latest version? There were two releases fairly recently.
  • Error 422 - Snort VRT Updates - SOLVED

    2
    0 Votes
    2 Posts
    3k Views
    S
    This issue can be corrected by upgrading to Snort 2.9.6.2 pkg v3.1.1. ;D
  • Proxy blocking https

    1
    0 Votes
    1 Posts
    538 Views
    No one has replied
  • Squid3-dev - disk cache problem

    1
    0 Votes
    1 Posts
    750 Views
    No one has replied
  • Sarg Error on generating reports

    5
    0 Votes
    5 Posts
    1k Views
    C
    @KOM: If I remember right, you had to have users_sites and sites_users selected or it won't work.
    They are both currently selected.
  • HVAP - HTTP Antivirus Proxy Version

    3
    0 Votes
    3 Posts
    1k Views
    B
    I was a bit confused because most of the tutorials online for HVAP show the version number being reported. I guess it's nothing to be worried about. Thanks for the reply. My HVAP Alert dashboard widget is working: [image: hvap3.jpg] I am running 2.1.4-RELEASE (i386) inside VMware ESXi.
  • Pfsense2.1.4+squid+dansguardian+Ldap

    3
    0 Votes
    3 Posts
    1k Views
    B
    Hello, I found a solution for disabling the default setting "http_access allow localhost"; the default settings are in /usr/local/pkg/squid.inc. Maybe someone can find this useful. I have a second question I need some help with. Now the Dansguardian filter groups are working, but they ask the user for credentials every time you start the browser. Is it possible to use domain login credentials with the browser, so when you log in to the computer you automatically get the rules for using the internet? Regards Binkec
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.