1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    D
    Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    S
    So since there is no version 25.03. There is an official 25.07 now but only get a 7.08.2 what happen to the rest up to Suricata 7.0.10 or 7.0.12?

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K
    @pulsartiger The database name is vnstat.db and its location is under /var/db/vnstat. With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG
    @rasputinthegreatest said in pfBlockerNG not logging anything by default?: This IP does exist on my LAN but why it resolves some weird random desktop-sdshdsd.local? Then it's time to visit that device "192.168.1.85", and inspect it. pfSense was just replies on a DNS request coming from it. Loads of DNS request is 'normal' these days. Btw : buy yourself a big collection of connected devices (preference : 'foreign origin") and you wind up with loads of bizarre DNS requests. For example, a classic "Windows 11 Home" PC is already considered as 'bloated', which means that the list of all these xbox, candy store and other 'essential' processes is quiet big? And they all call 'home'. And ask yourself this question : "do you really know what users actually do with their devices" ? @rasputinthegreatest said in pfBlockerNG not logging anything by default?: Also no 192.168.51.5 exists on my network either Is "192.168.51.5" a typo ? It doesn't show up in any logs ... If your pfSense LAN uses the 192168.1.1/24 network, and a device connected to that LAN using the 192.168.51.5, it can't communicate. A network with statically assigned IP info (IP, mask/network, gateways and DNS) is hard to manage. That's why DHCP was invented, and activated by default for every device you buy. @rasputinthegreatest said in pfBlockerNG not logging anything by default?: I assume it is related to time servers? Why do you presume that ? Look them up and you'll see. "ntpns.org" is probably the NS server of ntp.org A lot of devices want to know the exact time. Even when DHCP can propose a time server - you can set up pfSense as a time server for your LAN devices - many devices will disregard this info, an insist in using their own hard coded time server source. For example, a Microsoft PC will default to time.microsoft.com, but you can set it to 192.168.1.1 or pfsense.your-sense-domaine.tld (which will point to 192.168.1.1 = pfSense). You could to do this for every LAN device. @rasputinthegreatest said in pfBlockerNG not logging anything by default?: .local addresses What is your pfSense domain set to ? @rasputinthegreatest said in pfBlockerNG not logging anything by default?: Its very mysterious and I only see this now with pfblockerNG. Set : Services > DNS Resolver > Advanced Settings : Log Level to : [image: 1754468971160-b17dd7a5-9427-497e-a3d0-5936024787b0-image.png] and save, apply. Now have a loo here : Status > System Logs > System > DNS Resolver or better : console : tail -f /var/log/resolver.log Don't forget to set back the Log Level to 1 !! ( !! ) as the resolver.log will get very big very fast. Conclusion : there is a lot of DNS traffic. These are all small packets, and finally just a small percentage of the total traffic.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG
    @EChondo What's your pfSense version ? The instructions are shown here : [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png] A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate. @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess. No need to wait x days. You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    585 Posts
    L
    @veddy254 said in How to update to the latest Tailscale version?: @lbm_ said in How to update to the latest Tailscale version?: https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2_1.pkg pkg: An error occured while fetching package I would recommend verifying the DNS settings in PfSense and verifying date/time is correct. Barring that, try again later and see if it still fails. I was able to successfully run the command on my 2.8.0 install (I didn't install it because I've already installed it) so it seems localized. Interesting. After I (reinstalled) tailscale the /etc/resolv.conf was overwritten. So I just readded the DNS entries in the Pfsense WebUI, and not it worked. pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2_1.pkg Fetching tailscale-1.84.2_1.pkg: 100% 11 MiB 11.9MB/s 00:01 Installing tailscale-1.84.2_1... Newer FreeBSD version for package tailscale: To ignore this error set IGNORE_OSVERSION=yes - package: 1500054 - running kernel: 1500029 Ignore the mismatch and continue? [y/N]: y package tailscale is already installed, forced install Extracting tailscale-1.84.2_1: 100% And pkg info tailscale tailscale-1.84.2_1 Name : tailscale Version : 1.84.2_1 Installed on : Wed Aug 6 09:17:23 2025 CEST Origin : security/tailscale Architecture : FreeBSD:15:amd64 Prefix : /usr/local Categories : security net-vpn Licenses : BSD3CLAUSE Maintainer : ashish@FreeBSD.org WWW : https://tailscale.com/ Comment : Mesh VPN that makes it easy to connect your devices Shared Libs required: libthr.so.3 libc.so.7 Annotations : FreeBSD_version: 1500054 build_timestamp: 2025-07-30T02:26:16+0000 built_by : poudriere-git-3.4.2-12-g74a54a88 port_checkout_unclean: no port_git_hash : 275975297bc ports_top_checkout_unclean: no ports_top_git_hash: 0cd2c078c1e Flat size : 35.4MiB Description : Tailscale is a mesh VPN alternative, based on WireGuard, that connects your computers, databases, and services together securely without any proxies.

  • Discussions about WireGuard

    692 Topics
    4k Posts
    F
    Hi again, to be honest: I guess, I did not remember exactly what I did 2 years ago. May I was mistaken by the interface name opt2 because the SG-3100 has a physical port OPT1 and I mixed up physical and virtual names. The goal was to use 2 different tunnels, one for the mobile clients and one for the site-2-site connection. And now all is running in that way . Regards
Log in to post
Load new posts
  • F

    Packages updates !!!!

    2
    0 Votes
    2 Posts
    914 Views
    KOMK
    To get details about a new package, click on its version number in the list.  That will take you to the change log. On your Installed Packages screen, if any package has a red Version column, it's means there is an update to that package.
  • J

    Postfix Forwarder package won't start

    6
    0 Votes
    6 Posts
    2k Views
    B
    @lautrecote: hello thank you for your post and details of configuration  :) What is correcting the problem is : have postfix forwarder listening to LAN instead of WAN write a NAT rule to redirect smtp traffic to LAN address of pfsense I think it's the same you recommend having postfix forwarder listening to loopback ? I don't understand why it works, why it suddenly didn't work anymore, and why this trick solves the problem. Can you explain that to me ? thank you again  :) It isn't the same as having the forwarder listening on loopback.  Did you mean to say "listen on WAN instead of LAN"? Are you relaying from an internal mail server to the outside world?  That might explain it but I don't know how you would get emails from outside if you're listening on LAN.
  • J

    Problem with authentication Squid3-dev + Captive

    1
    0 Votes
    1 Posts
    636 Views
    No one has replied
  • S

    Snort blocking wan ips

    2
    0 Votes
    2 Posts
    623 Views
    BBcan177B
    Please read the following thread: https://forum.pfsense.org/index.php?topic=61018.0 Goto Snort:Snort Interface WAN: WAN Settings: [ Choose the networks Snort should inspect and whitelist ] Make sure the Pass List is configured. Also in "Pass Lists", make sure you add a passlist for the WAN and check all of the Checkboxes (This is what needs to be referenced in the first part above.)
  • O

    [resolved] apcupsd daemon won't start

    2
    0 Votes
    2 Posts
    1k Views
    O
    I just finally solved this by using a USB cable. The serial cable had worked fine in with my other board and Ubuntu on this board, but for whatever reason, with pfSense on this board I can only get apcupsd to work with the USB cable.
  • D

    Snort Alerts-tab bug?

    8
    0 Votes
    8 Posts
    2k Views
    BBcan177B
    Thanks Bill, you would think that when you close the Whois page, the pfsense diag_dns.php page is still loaded in its own window. Why would it loose the session id for that? It shouldn't have anything to do with the other tab that was called by diag_dns.php? Also why does it only happen once on the Alert Interface section. If that was the case, you would expect the behavior to repeat for each lookup? Security is always a good thing!!  :)
  • G

    Wich encrypting method ?

    4
    0 Votes
    4 Posts
    1k Views
    C
    Glad you got it working, but for future reference: the base64_encode of the password is used as the salt parameter for crypt().  More details on php crypt are here: http://us1.php.net/manual/en/function.crypt.php
  • R

    Ntop error

    2
    0 Votes
    2 Posts
    924 Views
    R
    well.. i've just spent a while trying to understand what could be the issue on this one and am not finding any solution.  finally my logs seem to only show the following message: ntop[8154]: EPIPE while sending page to web client and that was it. so, since there is apparently no way to revert to a previous build, i guess i'll have to just run without ntop.. which stinks as I really liked the tool. :(
  • N

    Package install fails checksum

    3
    0 Votes
    3 Posts
    2k Views
    N
    It was NanoBSD. I finally just did a reinstall, configured the basics, and downloaded a package again to test. I downloaded Arping and the whole process was done in less than 8 seconds. Before it took almost a minute to download that package. I'm not sure what was going on but this was the 'fix'. Thanks for your time!
  • C

    Updated to Squid 3 3.1.20 pkg 2.1.0 web site not working

    1
    0 Votes
    1 Posts
    582 Views
    No one has replied
  • E

    Squid3-dev - Certificate Error, Despite Importing CA

    12
    0 Votes
    12 Posts
    10k Views
    M
    i have only one lan network 172.16.0.0/16 with 800 computers. i have same issue. first i say sorry to pfsense and all pfsense lover's if i m worng, if we correctly configured squid3-dev and squidguard-squid3 wihtout any error. and all other sites are works fine like if deny blk_socialnetwork then when to go to https facebook or youtube its access dined only when i go for gmail.com its not working given msg which is all aware. also when i go to banking https sites its working good. so i think its some problem in pfsense and i proud to say pfsense is very easily solve this problem but i thought pfsense is playing with his lover's (pfsense firewall user's) so we can only wait for new updates.. in between any expert solve this issue pls let me know mohanrao83@gmail.com Thanks
  • H

    NTOP wont Start after Upgrade to 5.0.1_1 v2.4

    6
    0 Votes
    6 Posts
    4k Views
    H
    @Cino: @ESPNSTI: I've noticed with NTOP; when you reinstall/install, you have to select interfaces and enter the password again. Some reason the settings are not retained. Hey Thank you so much, appreciated!  :D I was struggling to understand why i could not connect to Ntop (5.0.1 v2.5) after a reinstalled,  it was until i tried your suggestion of setting the password again and adding back the interface for Ntop again everything seems to be working again…............. ((MARK THIS  THREAD AS SOLVED!))  8)
  • A

    PfBlocker Limits

    3
    0 Votes
    3 Posts
    1k Views
    A
    Thank you for your help.
  • T

    Snort enabled cuases strange Firewall log

    8
    0 Votes
    8 Posts
    2k Views
    bmeeksB
    @fearnothing: Well looking at it logically, the default in pfSense is to deny all you do not have logging for this default turned on when snort is not present when snort is on, this rule starts logging My guess is that snort enables logging for this rule as part of its base configuration. Nope, Snort does not touch the firewall rules at all.  All it does is put the interface in promiscuous mode.  I promise it does not touch any firewall rules or pfSense logging options. Bill
  • JeanNoJ

    Snort[90724]: FATAL ERROR: fpcreate.c(1541) Failed to compile port group pattern

    11
    0 Votes
    11 Posts
    2k Views
    BBcan177B
    @Fmstrat: I have all of them enabled except sensitive data. My hardware setup is an internal NIC for LAN, and a USB NIC for WAN. I tried switching snort over to the LAN and it seems to function fine there, so I'm wondering if the issue is somehow related to the network card itself. Is that even physically possible given snort's architecture? As I look at the snort blocks', I'm actually curious as to if running on the LAN is better. When I run on WAN, I can't see which internal IP is engaged in the connection that causes the alert, making it very hard to trace sources. However, when it's on the LAN, all the alerts display the internal IP and the blocks show the external IP, which makes it much easier to debug. Is there any downside to running on the LAN end of things? Seems the benefit would be scanning internal traffic for infected machine, but the downside would be missing external attackers that are scanning ports that are already blocked by the firewall (which shouldn't matter, really.) Thoughts? Ben P.S. Unfortunately, I probably won't get back to the script we discussed until next week. I don't think you will get good success with USB NICs on pfSense. The LAN will show a little more detail. If you want more, you need a full IDS like "Security Onion" installed after pfSense or before it. Bill does recommend that a smaller list be put on the WAN like Port scans, Cins, Compromised, Drops, etc… and than as many rules on the LAN that it can handle (without the rules you don't require for your network) If you use pfBlocker (or my script  ;) ), you could also avoid the Cins, Drops, Compromised on the WAN as Snort sees a copy of the packets first before pfBlocker and they will both Log the same packets. Make sure you check out my Github Gist for recent changes to the script. Thanks.
  • S

    Squid 3 - Exchange 2013 SP1

    33
    0 Votes
    33 Posts
    7k Views
    T
    with the next release of the squid package, AutoDiscover HTTP is included ;-) so, no need to send the file anymore ;-)
  • C

    Help!–To analyse squid 3.3.10 access log

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • B

    HAVP/Squid3 Permission denied. ERROR

    2
    0 Votes
    2 Posts
    1k Views
    B
    Really, no replies?
  • G

    Dansguardian Time limit not working ?

    3
    0 Votes
    3 Posts
    2k Views
    G
    i think problem come from upgrade. Timelimit in SquidGuard is not working on a pfsense 2.0 upgraded to 2.1.2 but it's working on a fresh installation of 2.1.3 … Anyway i found a solution, i put "/usr/pbi/squid-i386/sbin/squid -k reconfigure -f /usr/pbi/squid-i386/etc/squid/squid.conf" in cron job every 30min. "squid -k reconfigure" was not enough, it didn't work...
  • marcellocM

    Dansguardian package for 2.0

    492
    0 Votes
    492 Posts
    539k Views
    C
    if you really need ClamAV, use Squid 3-Dev. Works for me using i386 firmware.. I've read the link you sent but still dont get this statement: The "core team" now compile the packages. try https://lists.pfsense.org/mailman/listinfo/dev if you want to send an email to the pfsense developers or post a bug on redmine.pfsense.org
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.