pfSense Packages

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Cache/Proxy

Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

3.8k
Topics

20.7k
Posts

V

@sensewolf said in Can't protect certain path only with client certificate:

-- The expected outcome is that in order to access the specific path, a client certificate is required. Surprisingly, however, the path becomes publicly accessible again without the client certificate --

I don't understand why this doesn't work. The setup is basically the same as for my other accessible and protected domains with the only difference that in this case only a certain path should be protected.

Did you put this rule to the top, so that it is probed and executed before the other one?

For testing the ACLs just use a simple rule, which give a clear result like "http request deny".

Why isn't this working? What am I missing?

Maybe someone will see it if you post the whole configuration.
IDS/IPS

Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

2.3k
Topics

15.9k
Posts

B

@Dr-Monarch said in Suricata IDP/IDS on PFsense blocking all traffic:

What ideally i am aiming for is all traffic is dropped until particular rule is analyzed and cleared so it can be allowed.

That's not how Suricata works -- unless I am still not understanding what you want to do. You whitelist hosts (by IP address) not SIDs (rules). There is no construct I am aware of that mimics a "whitelist" SID (Signature ID). You can certainly enable or disable particular rules (SIDs), but that will apply to all hosts.

With Legacy Mode Blocking, all rules do block when triggered. The only exception is IP addresses in the Pass List which are not blocked. These are by default local LAN hosts, gateways, DNS servers, and the WAN interface's single public IP address. Inline IPS Mode requires that you manually change rule actions to DROP for all rules which you wish to block traffic when triggered. You can do this via SID MGMT or manually using the provided icons on the ALERTS or RULES tabs.

There is no concept of a Pass List with Inline IPS Mode because that mode does not block an IP address. It instead drops the particular offending packet (the one that triggered the rule). If you want to exclude a particular IP address from enforcement action, you can use a Suppress List or change the rule's action to PASS and edit the target IP addresses in the SID as necessary.

What you can do is selectively change the action of a given SID manually. You can set the action of a given SID to ALERT, DROP, REJECT, or PASS.
Traffic Monitoring

Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

567
Topics

2.8k
Posts

A

I am looking for a package that can show hits on a forwarded port specifically, as well as inbound traffic that was passed on that port. It will be tunnelled traffic being redirected to an internal wireguard server.
pfBlockerNG

Discussions about the pfBlockerNG package

2.6k
Topics

19.5k
Posts

T

@m2av This would massively improve pfB's DNSBL functionality—the ability to utilize a feed as a whitelist.
UPS Tools

Discussions about Network UPS Tools and APCUPSD packages for pfSense

92
Topics

2.4k
Posts

B

Thanks, all! Upgrading to the latest pfSense Beta fixed it!
ACME

Discussions about the ACME / Let’s Encrypt package for pfSense

490
Topics

2.8k
Posts

B

@Gertjan said in ACME using dynv6:

but I can't see the usefulness of publishing my "pfSense LAN-ipv6-address".

You don't publish it, you use it, to update only the prefix part of a given dns-record.

I for example changed to only use ULAs in my LANs. But also I have some "unused" VLANs set to "Track Interface" to get the daily changing prefixes to then use them with NPt for my ULA-LANs. I would benefit from what I have described before.
If you, as an expert user, found a solution, that works for you, that is great. I still wait for pfSense to bring a better solution to this for the rest of us.
FRR

Discussions about the FRR Dynamic Routing package on pfSense

290
Topics

1.2k
Posts

F

Hi Team,

This is driving me crazy!

I typically set up FRR manually under PFS, but would like to move to GUI to make life easier for 'new folks'.

Here's a snippet of my config:

router ospf
ospf router-id id.id.id.id
area 0.0.0.0 shortcut default
redistribute kernel
!
ip prefix-list XXX seq 1 deny 10.0.0.0/16 le 32
ip prefix-list XXX seq 2 permit any

route-map XXX permit 10
match ip address prefix-list XXX
!
ip protocol ospf route-map XXX

I cannot for the life of me figure out how to get the last line into the config via the GUI.

I've read that setting ABR filters in FFR-OSPF->Areas might be the answer, but that doesn't seem to be it.

Could someone please explain what I'm missing here?

Thanks

ChIP
Tailscale

Discussions about the Tailscale package

85
Topics

543
Posts

D

@jacobhall

I was on the stock version (pfsense community 2.7.2) of tailslcale connecting to headscale.

I upgraded tailscale client on pfsense to 1.82.5 while leaving headscale unchanged. I was able to reproduce the problem -- my android tailscale client cannot resolve dns when using the tailscale client on pfsense as an exit node. If I disable "Use tailscale DNS" on my android client, internet connectivity works.

I am going to leave it broken for now, if anyone wants me to try different things. Thanks.
WireGuard

Discussions about WireGuard

674
Topics

3.5k
Posts

E

I think I know the answer as I already searched on the AmneziaWG website and found no explicit support for freeBDS. However, people are busy bees always doing something on GitHub. Is there a way to implement AmneziaWG on Pfsense?

Just a small excerpt from the website.

AmneziaWG maintains high performance while adding an extra layer of stealth, making it a superb choice for those seeking a fast and discreet VPN connection.

Features of AmneziaWG include:
Availability with AmneziaVPN on all platforms. Low energy consumption. Minimal configuration needed. Undetectable by DPI analysis systems, resistant to blocking. Operates over the UDP network protocol.

M

Squid3-dev clamav test

• • mendilli

1

0
Votes

1
Posts

941
Views

No one has replied
S

Pfsense squid proxy, two times of refresh than it works

• • stegfeld

2

0
Votes

2
Posts

723
Views

S

the solution is to go to pfsense gui -> services -> proxy server -> general and set the "Resolv dns v4 first" checkbox
S

Squid3-dev service failing to start.

• • Sifter

2

0
Votes

2
Posts

896
Views

M

fetch missing libs.

i386 help thread
https://forum.pfsense.org/index.php?topic=62256.msg373791#msg373791
K

HAproxy-devel and http redirections

• • keyser

5

0
Votes

5
Posts

1.3k
Views

K

You sir, have my deepest respect.

I shall await your next release in the most humble way possible ;D
K

HAproxy-devel and multiple ACL's

• • keyser

2

0
Votes

2
Posts

2.9k
Views

P

if you add the two acl's with the same acl name, they will be combined. this should produce the wanted result.

Would look like this:
Result would be this for the acl name "MyAclCombined1", (didn't check if below config works..) :
acl 0_MyAclCombined1 hdr(host) -i vhost1.pfsense.local
acl 1_MyAclCombined1 path_beg -i /test/
use_backend test_http if 0_MyAclCombined1 1_MyAclCombined1
If you want more advanced combinations of acl's however i think you will need to write them in one of the passthrough sections as 'text'.
M

Block list

• • MilesDeep

3

0
Votes

3
Posts

754
Views

M

Thanks jfl…..
K

How to Reset All Monitoring Data?

• • KOM

4

0
Votes

4
Posts

3.6k
Views

K

pfSense Support is the bomb:

Uninstall all monitors, delete their data directories then reinstall:

Lightsquid: rm -rf /var/lightsquid/
Sarg: rm -rf /usr/local/sarg-reports/
Bandwidthd: rm -rf /usr/local/bandwidthd
Darkstat: Doesn't keep persistent data
B

Need help in conf SNORT to scan internal traffic

• • bwong3351

3

0
Votes

3
Posts

2.0k
Views

B

To add to Bills comments-

I use Mikrotik switches to mirror my traffic. They are not that expensive.. under a hundred dollars. Depending on how much traffic you are seeing, it should handle quite a bit of traffic. The good thing about this switch is that you can mirror multiple ports on a single switch.

http://routerboard.com/RB260GS

pfSense will monitor all traffic that passes thru the router. But if you want to capture traffic on the Lan, you
need to put a monitoring interface at every point where you want to look at. So if you want to monitor a file server, you need to mirror/span/tap infront of that interface to see it.

You can add a nic to pfSense and send the packets to it and use Snort, or another option is using a program called "Security Onion".

http://blog.securityonion.net/
G

Squid3 -Problem with configuration for authenticated users

• • ggamba

1

0
Votes

1
Posts

567
Views

No one has replied
M

Squid and squidguard not working

• • morash

4

0
Votes

4
Posts

1.6k
Views

T

Hmm, add the pidgin.im and skype.com IP's to the block lists?
Maybe the webservers of those sites aren't strict on the full domain name, so the squidguard is strict and won't recognize the address exactly.
www.skype.com skype.com (assumes "www." and goes to the site) whatever.skype.com (assumes "www." and is not recognized by squidguard)
X

Snort Warning

• • Xtern

3

0
Votes

3
Posts

1.1k
Views

B

@Xtern:

Hello,

I'm new here. Very cool forum. My problem with Snort is that it shows me this:

Warning:
New settings will not take effect until interface restart.

I did the setup like the guide (sticky above) told me, but I can't get rid of this warning message. It's there after restarting the whole machine, when I restart Snort, when I disable and enable the daemon and so on. Any idea what I'm doing wrong?

Best,
Xtern

Fragged is right. That's just a "reminder" sort of message to let you know that most changes to Snort interface parameters require a restart of Snort on the interface in order for the new settings to become active.

Bill
K

Squid in Transparent Mode Just Hangs

• • KOM

3

0
Votes

3
Posts

978
Views

K

I fixed my problem by installing HAVP. Not ideal, but at least it's working now.
M

Unbound TCP buffer settings not sticky

• • markn62

85

0
Votes

85
Posts

23.5k
Views

B

@markn62:

@wagonza:

@markn62 was this problem fixed for you? or is it still an issue?

Not much has changed. Seems that the package operates very much like it did since the question above was asked. The only change I noticed was a few more "do not's" that are important to adhere too for the package to work properly. I guess it is what it is.

I can't reproduce any of your current issues at all with the package even using all your custom options. Something else must be going on or you have something else as an additional problem. Try saving your whole pfsense configuration and loading that config onto a VM ands testing to give us information to go on. Or even for yourself. The devs are replacing dnsmasq with unbound afterall. If you copy your unbound.conf on your seperate box to your pfsense and only restart the service does it work?
D

TFTP - NEW OPTIONS

• • DiskWizard

1

0
Votes

1
Posts

865
Views

No one has replied
B

Enable Youtube for schools

• • bellera

1

0
Votes

1
Posts

702
Views

No one has replied
R

Zabbix proxy 2.2 not puling up anything

• • rajbps

2

0
Votes

2
Posts

2.5k
Views

D

Hi.

Zabbix Proxy and Agent were updated today to 2.2.2.

Could you reinstall proxy package?

Regards.
R

Zabbix-2 Proxy needs a misc command section.

• • rmiddle

2

0
Votes

2
Posts

696
Views

D

Thanks for the patch.

Also, both packages were updated today (proxy and agent) to 2.2.2.
D

HAVP Error page

• • Drekarg

1

0
Votes

1
Posts

573
Views

No one has replied
D

HAProxy ACL conditions

• • dps

2

0
Votes

2
Posts

4.6k
Views

P

Hi,

If your using haproxy-devel package, and you give the acl's the same name they will be combined into 1 condition. I think that will accomplish what you want.?

Result would be this for the acl name "MyAclCombined1", (didn't check if below config works..) :
acl 0_MyAclCombined1 hdr(host) -i vhost1.pfsense.local
acl 1_MyAclCombined1 path_beg -i /test/
use_backend test_http if 0_MyAclCombined1 1_MyAclCombined1

If you want more advanced combinations of acl's however i think you will need to write them in one of the passthrough sections as 'text'.

Greets
PiBa-NL
R

Need help with conf. Squid - problems with the WWW.

• • rocketdog

5

0
Votes

5
Posts

1.2k
Views

R

@Tikimotel:

Custom options
forwarded_for transparent

That line did it! Thanks alot!

190 / 463