Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nian
    @rlrobs Yes it’s still working fine here.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    @pulsartiger The database name is vnstat.db and its location is under /var/db/vnstat. With "Backup Files/Dir" we are able to do a backup, or also with a cron.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    I resolved this by accepting the T+Cs via https://www.maxmind.com/en/accounts/1205389/geolite2/eula
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.

    Glad you have it sorted.

    There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded?

    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).

    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name).

    You can see the quirk with the following command:

        [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
        VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        [25.07-RC][root@fw]/root:

    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    You might consider adding this resolution to the release notes for 2.8.

    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan
    @EChondo What's your pfSense version? The instructions are shown here: [image]

    A restart of a service will start by re-creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days. You can retest / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.
  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    @div444 I'm finding the same - did you find a solution or did reverting fix it? Hoping there is a patch fix or something to get it working! Rather not roll back if I can avoid it
  • Discussions about the Tailscale package

    90 Topics
    578 Posts
    Re: How to update to the latest Tailscale version?

    I am on latest released Netgate 6100 pfSense PLUS v24 ( pfSense_plus-v24_11_amd64-pfSense_plus_v24_11 )

        pkg config abi
        FreeBSD:15:amd64

        pkg -vv | grep -A 3 "pfSense:"
        pfSense: {
            url : "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v24_11_amd64-pfSense_plus_v24_11",
            enabled : yes,
            priority : 0,

        cat /usr/local/etc/pkg.conf
        ABI=FreeBSD:15:amd64
        ALTABI=freebsd:15:x86:64
        PKG_ENV {
            SSL_CA_CERT_FILE=/etc/ssl/netgate-ca.pem
            SSL_CLIENT_CERT_FILE=/usr/local/etc/pfSense/pkg/repos/pfSense-repo-0001-cert.pem
            SSL_CLIENT_KEY_FILE=/usr/local/etc/pfSense/pkg/repos/pfSense-repo-0001-key.pem
        }

    This firewall is obviously running on FreeBSD 15 no longer on 14. But can I use the freshports link for FreeBSD 14 amd64 quarterly which is at tailscale 1.86.2 or can I only go up to version tailscale 1.84.2_1, and need to wait until they have a version of tailscale 1.86.2 or higher for the FreeBSD 15?

    Would it be good enough to tell it to ignore the OSVERSION?

        export IGNORE_OSVERSION=yes

    Note: use of 14 and not 15 ?

        pkg add https://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/All/tailscale-1.86.2.pkg
        service tailscaled restart
        tailscale up
  • Discussions about WireGuard

    690 Topics
    4k Posts
    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection. If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application? Thanks.
  • Suricata 1.4.6 pkg v1.0.1 Update – Release Notes

    30
    0 Votes
    30 Posts
    5k Views
    bmeeks
    @gscasny: Nice on the 2.0.. Do you know if it's compiled with JSON (libjansson) support? My first private test of 2.0 was not, but I think I can include it in the production release. Bill
  • Disabled snort, now settings are blown away

    11
    0 Votes
    11 Posts
    1k Views
    bmeeks
    @BBcan17: Thanks Bill we all appreciate the work you do in Maintaining these packages so well !

    I just tested in a VM with multiple engines (HTTP_INSPECT for my test). All the previous settings are now retained when Snort is disabled on an interface. When you enable it again, the old settings are still there.

    Note this behavior is different for a DELETE operation. If you delete a Snort interface on the INTERFACES tab, then all Snort settings belonging to that deleted interface are permanently removed. It does prompt for a confirmation before deleting the interface, though.

    Bill
  • FreeRaDIUS+OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    Thank you for replying to me. I'm already using "SSL/TLS + User Auth" on the OpenVPN server, but the simultaneous check is not working. OpenVPN was configured with the Road-Warrior tutorial that I found on https://doc.pfsense.org/index.php/Tutorials.
  • [solved] How can I use the user management/right management in packages

    1
    0 Votes
    1 Posts
    659 Views
    No one has replied
  • Bind package Howto

    3
    0 Votes
    3 Posts
    3k Views
    No, but I test it now with making a view:

        Recursion=no
        Match-clients: any
        Allow-recursion: any

    but still not working. Can you post some pictures of your frontend so that I can see what is wrong? If there is anything critical you can cut it out or make it black. That would be very nice. I think I am not the only one with these start problems  ::)
  • Squid3 and squidguard not intercepting traffic or blocking blacklist

    5
    0 Votes
    5 Posts
    2k Views
    @BujangLapok: Had the same issue today with squidguard3-squid. The issue was the path being used for squidguard.conf was not correct.

    A workaround:

        ln -s /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf /usr/pbi/squidguard-squid3-amd64/etc/squid/squidGuard.conf

    Then rebuild blocklist DB manually with:

        squidGuard -db -C all

    I had had ineffective squidGuard set up for a while. Investigating today and this fixed it. I'm not sure if I had some config sitting around from messing with different combinations of squid 2 and 3 and their respective squidguards over time and something hanging around. But anyway, I also had a messed up squidGuard.conf path and the ln -s fixed it.
  • EMail report DynDNS service

    2
    0 Votes
    2 Posts
    770 Views
    Solution: Changed the eMail address to my "local" mailserver (on the other side of VPN tunnel) at the same time. It takes 3-4 minutes to re-establish the tunnel (although DynDNS service is up to date the open VPN client repeatedly tries with the old IP…) and in this time the eMail gets lost somewhere...
  • 0 Votes
    1 Posts
    644 Views
    No one has replied
  • Snort - transfer config from one port to another?

    6
    0 Votes
    6 Posts
    1k Views
    BBcan177
    @irj972: thanks for the prompt response. I'll grab some beers and start setting up then….second thoughts, might be best to lay off the beer whilst setting up snort rules  :o As long as you are still drinking beers when you turn Snort back on ….  :)
  • Disabling (http_inspect) snort alerts

    2
    0 Votes
    2 Posts
    24k Views
    BBcan177
    @G.D.: Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?

    From the following link, there are some recommendations to add some suppress actions to certain Sids leaving the HTTP_Pre-processer enabled.

    https://forum.pfsense.org/index.php?topic=64674.90

    You should review them before applying. But generally they are ok to suppress.

    Here are the suppressions that I am using:

        #(http_inspect) SIMPLE REQUEST
        suppress gen_id 119, sig_id 32
        #(http_inspect) UNKNOWN METHOD
        suppress gen_id 119, sig_id 31
        #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
        suppress gen_id 120, sig_id 8
        #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
        suppress gen_id 120, sig_id 3
        #(http_inspect) DOUBLE DECODING ATTACK
        suppress gen_id 119, sig_id 2
        #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
        suppress gen_id 120, sig_id 6
        #(http_inspect) IIS UNICODE CODEPOINT ENCODING
        suppress gen_id 119, sig_id 7
        #(http_inspect) BARE BYTE UNICODE ENCODING
        suppress gen_id 119, sig_id 4
        #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
        suppress gen_id 120, sig_id 9
        #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
        suppress gen_id 120, sig_id 10
        #(http_inspect) UNESCAPED SPACE IN HTTP URI
        suppress gen_id 119, sig_id 33
        #(http_inspect) U ENCODING
        suppress gen_id 119, sig_id 3

    Or find the rule #427 /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) and disable this rule as it depends on the HTTP_Preprocessor. There may be others. The link below has details on how to do that.

    https://forum.pfsense.org/index.php?topic=74930.msg410285#msg410285

    When the HTTP_Pre-Processor is disabled, I don't think that Snort can Automatically Disable rules that are "Enabled" and require the HTTP_Processor to be Enabled.
  • Unbound can't start when …

    5
    0 Votes
    5 Posts
    2k Views
    What are you trying to do?

    My situation is this: I don't have any write storage on my pfSense (embedded), and I don't want any additional storage on the pfSense, so every time pfSense is booting up and has connected successfully to "WAN", pfSense is downloading the "ads" file, called "unbound_ad_servers" (aka /tmp/mydnsfile), from an additional host.

    How would "/tmp/mydnsfile" be created?

    Only working with the workaround which I posted before.

    What is in that file that can't be placed in the custom options section?

    Inside the file I have over 40000 "ads" domains (not static, no static IPs or hosts) which I'd like to redirect to 127.0.0.1, something like this:

        local-zone: "adserver.yahoo.com" redirect
        local-data: "adserver.yahoo.com A 127.0.0.1"

    After the "ads" file has been downloaded to its place, like "/tmp/unbound_ad_servers", unbound automatically uses the new domains. That's nice :)

    So I hope you understand now what I'd like to do.

    And some additional thinking: even if you have something else/different inside the "ads" file, it can also be used as a configuration file instead of holding hosts to block, like a home network configuration … and if you have, as an example, 3 different configuration files for 3 different scenarios, 3 include custom options are then needed, but you like to use only 1 of these 3 (1 file filled with information, the 2 others are 0-byte files and unbound can run), for your home office, and every time you like to change/switch the configuration you can do this by a file which unbound reads and which sets the configuration. This should be a really flexible way to use unbound to set up configuration for different hosts, depending on whether the file has information inside or not.

    Best regards
  • Clamdscan not working under Dansguardian 2.12.0.3_2

    16
    0 Votes
    16 Posts
    5k Views
    Hi RJ, In private emails to Marcello (using this forum), Marcello suspected ClamD support was also not being compiled and requested that I contact the coreteam directly. I have not been successful in contacting them. I have tried contacting them via the forum - but the forum does not recognise the address coreteam or coreteam@pfsense.org. I have also tried emailing coreteam@pfsense.org from my gmail account. I now fully understand your previous posts expressing your frustration about the coreteam / package building. I much preferred it when Marcello was building these packages - but obviously I understand that he can't do everything! Would you know how I can contact the coreteam and ask them to compile DG with ClamD support?
  • Dansguardian - Web upload is banned

    30
    0 Votes
    30 Posts
    10k Views
    It's been 10 months since the last activity on this thread. Just checking that: 1. This is still the correct procedure, on 2.1.2 with the current Dansguardian, to fix the banned uploads? 2. The huge difference in the size of the replacement binary (971K) vs the original one (11.1K) is of no concern? (actually, I replaced the file in /usr/pbi/dansguardian-amd64/.sbin) [just noticed, this is my first post, though I've been a member here a long time]
  • PfBlocker Fatal error!

    6
    0 Votes
    6 Posts
    2k Views
    I rolled back from 2.1.3 to 2.1.2 and it fixed the issue I was having, then updated to 2.1.3 again and it works!
  • Creating dedicated cache drives for squid

    2
    0 Votes
    2 Posts
    568 Views
    jimp
    There isn't support for that in the GUI, but it can be done manually. If you have the option, and the know how, it's best to run the proxy outside of the firewall on a dedicated machine.
  • Squid SSL Transparent Proxy shows CA-Cert in Browser

    2
    0 Votes
    2 Posts
    833 Views
    You need to export the CA cert from pfSense and import it to the Trusted Root Certificate repository on all your clients.
  • Snort 2.9.6.0 pkg v3.0.8 - Restart issue after update

    5
    0 Votes
    5 Posts
    2k Views
    …throughout the last days sometimes not all interfaces come up after the update (one box had that yesterday and today). Trying to restart the respective interface manually results in lengthy procedures (build new sig-msg.map for ALL interfaces, re-start of ALL interfaces) on the embedded system and in the end, another interface might be down...
  • Snort fails to start with ETOpen rules after update

    18
    0 Votes
    18 Posts
    6k Views
    bmeeks
    @Ramosel:

    @bmeeks: I'm surprised. I have not retested since my last post, though. The gentleman I corresponded with is quite high up in the ET management hierarchy, and he acknowledged the problem with the pcre in the rule. He did say he was, at that time, on the road. He may still be out of the office.

    Bill

    Bill, he's either on a real long trip or forgot your conversation. It's still broken. :(

    Rick

    Sorry. I don't know if he forgot or if they decided that since the rule was default disabled anyway, to let it slide. I think there is a link for support on the Emerging Threats web site. You can give that a try if you like. Maybe you will have better luck than I did.

    Bill
  • Squid - transparent proxy does not work after midnight

    3
    0 Votes
    3 Posts
    2k Views
    How do I call squid_reconfigure().php through cron? I didn't find any files:

        find / -name "*squid*.php"

    Searching for proxy only gives me these files:

        /usr/local/www/services_igmpproxy_edit.php
        /usr/local/www/services_igmpproxy.php
  • Freeradius Name field utf-8 support

    3
    0 Votes
    3 Posts
    1k Views
    woohoo! :) I changed xmlparse.inc at line 65 and it's working!

    line 65: file xmlparse.inc

    before:

        array_push($curpath, strtolower($name));

    after:

        array_push($curpath, utf8_encode(strtolower($name)));
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.