1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    A

    i am using pfsense 2.8.0 with haproxy 0.63_10 and i have 4 sites that redirect to two different web server, i am using two frontend, one for http request redirect to https using rule: scheme https, and a second with type ssl/https(tcp mode) to redirect the request with the acl and the action, now i want to add a new site to one of the web servers i create a new backend (and even tried duplicate) and add the proper acl and action as always did but for some reason since the update to 2.8.0 the redirect keeps going to the wrong backend, i tried a test and rewrote and old backend and updated the acl and rule in the frontend and it works fine, is there a known bug since the update because it keeps happening even after reboot to pfsense and the haproxy service and reinstall of the package.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nianC

    @bmeeks So after upgrading to the newest PfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new PfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    M

    I resolved this by accepting the T+Cs via

    https://www.maxmind.com/en/accounts/1205389/geolite2/eula

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.

    Glad you have it sorted.

    There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting.
    ...
    Question: What would tell me whether or not a driver was loaded?

    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).

    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name).

    You can see the quirk with the following command:

    [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root:

    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    You might consider adding this resolution to the release notes for 2.8.

    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG

    @EChondo

    What's your pfSense version ?
    The instructions are shown here :

    1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

    A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    576 Posts
    TommyMooT

    @elvisimprsntr Thanks, just updated, works fine! 👍 😊

  • Discussions about WireGuard

    690 Topics
    4k Posts
    J

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

Log in to post
Load new posts
  • BBcan177B

    PfBlocker and .CSV File Format Solution

    7
    0 Votes
    7 Posts
    3k Views
    BBcan177B

    The little script in my first post needs to be updated to change the path to the user directory. As is, the Fetch (downloads) are going into

    /etc/cron directory.

    Please add

    #!/bin/sh

    cd /home/USERDIRECTORY (Or where ever you would like the downloads to go to. And also where pfBlocker will lookup.

  • B

    Loading blacklist file kills DansGuardian

    1
    0 Votes
    1 Posts
    687 Views
    No one has replied
  • E

    Problem with site with squid -3 development

    4
    0 Votes
    4 Posts
    1k Views
    T

    Maybe a "proxy.pac" file or "wpad.dat" would be an option. (create one in the usr/local/www folder and make a symb-link for the other)
    There are topics on how to serve this pac-file via extra http-service on port 80 in combination with DHCP and have the pfsense GUI run on https.

    How successful it will be that depends on how you roll out DCHP (additional option 252, text, location of proxy.pac) and if users are allowed to change their internet settings regarding proxy settings.
    You filter https or facebook requests to be redirected to a "denied page".

    Example "proxy.pac"

    function FindProxyForURL(url, host) {   url = url.toLowerCase();   host = host.toLowerCase();   isHttp = (url.substring(0,5) == "http:");   isHttps = (url.substring(0,6) == "https:") // If the requested website is hosted within the internal network, send direct.     if (isPlainHostName(host) ||           shExpMatch(host, "*.home") ||           shExpMatch(host, "*.local") ||           isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||           isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||           isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||           isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) { return "DIRECT"; } // Forward non-http(s) and some hosts to forward proxy (or DIRECT (or access denied page?)) if((!isHttp && !isHttps) // Skip all non http(s)   || dnsDomainIs(host, "microsoft.com")   || dnsDomainIs(host, "windowsupdate.com")   || dnsDomainIs(host, "eset.com")   || dnsDomainIs(host, "mcafee.com") // McAfee   || dnsDomainIs(host, "siteadvisor.com") // McAfee   || dnsDomainIs(host, "hackerwatch.com") // McAfee   || dnsDomainIs(host, "hackerwatch.org") // McAfee   || dnsDomainIs(host, "avg.com")   || dnsDomainIs(host, "grisoft.cz")   || dnsDomainIs(host, "avgfree.com")   || dnsDomainIs(host, "avg.cz")   || dnsDomainIs(host, "symantecliveupdate.com")   || dnsDomainIs(host, "thawte.com")) { return "DIRECT"; } if (isHttps)   // Skip HTTPS (or return access denied page?) { return "DIRECT"; } // Otherwise, go through our proxy or if it fails, through bypass return "PROXY 192.168.0.1:3128; DIRECT"; }

    Or you could try a squidguard filter with a redirect page, maybe add a "proxy-list" and "VPN-service-list" to the block list there so users won't be able to use or search for anonimous-proxy or VPN's to circumvent the restrictions.

  • X

    Blinkled memory leak? (Alix platform)

    3
    0 Votes
    3 Posts
    1k Views
    X

    I think I've found a semi-reliable way to reproduce the leak. But as this is an alix2d3 with 256mb box running extra stuff pushes it's memory limits tight.

    If the interface goes away, the following code to never hit the cleanup path (can't find the source on the git repos, so from that post linked in the first post.):

      for(ifp = TAILQ_FIRST(&ifh); ifp; ifp = TAILQ_NEXT(&ifc, if_list))   {       n = kvm_read(kd, (u_long)ifp, &ifc, sizeof(ifc));       if(n<0)       {         fprintf(stderr, "Error: kvm_read(element): %s\n", kvm_geterr(kd));         kvm_close(kd);         return -1;       }       if(strcmp(ifname, ifc.if_xname) == 0)       {         data->opackets = ifc.if_data.ifi_opackets;         data->ipackets = ifc.if_data.ifi_ipackets;         data->obytes = ifc.if_data.ifi_obytes;         data->ibytes = ifc.if_data.ifi_ibytes;         data->baudrate = ifc.if_data.ifi_baudrate;         kvm_close(kd);         return 0;       }   } }

    Note; there is no kvm_close(kd) if the interface isn't matched.

    I guess the package isn't being restarted in some conditions when the interface derps.

  • M

    Postfix - read only filesystem?

    2
    0 Votes
    2 Posts
    886 Views
    P

    pfSense recreates everything at boot time from data in its own config.xml - which is where all the GUI settings are saved. If you change any package conf file from the command line, the change will be lost when you reboot, or some other event happens that makes pfSense restart all the packages. You have to find a way to do your settings using the GUI provided with the package.

  • R

    Unbound package re-installation fails

    4
    0 Votes
    4 Posts
    930 Views
    W

    Nope that is an entirely different problem

  • G

    Unbound failing to install on 2.1.1 march 3

    4
    0 Votes
    4 Posts
    1k Views
    W

    A mistake on my part apologies on that - but fixed.

  • S

    PROBLEM: Unistall squid using console command

    3
    0 Votes
    3 Posts
    2k Views
    S

    Hi,
    I still haven't found a solution to the problem.
    I can't Uninstall squid using console but I can Uninstall it using web gui. I need to Uninstall it using console.
    Someone Can help me to find a solution.
    Thanks

  • B

    Vnstat2 Package Updated - Report/Feedback problems here.

    39
    0 Votes
    39 Posts
    8k Views
    B

    @petzi:

    @bryan.paradis:

    So you have received just one email from cron complaining that vnstat couldn`t create backups? Is it possible that the dyndns set the filesystem back to Read only after the vnstat script set it to read write and so it failed? This script gets run every minute by cron so I guess this may be possible that the timing just aligned perfectly.

    I've no idea. Probably mounting rw/ro isn't logged.

    If it happened only once? It must have been the fluke lining up of filesystem getting switched back after the rw call was made by the script.

  • D

    HAVP and PfBlocker - Malfunction ? Else ?

    1
    0 Votes
    1 Posts
    752 Views
    No one has replied
  • bmeeksB

    NEW – Suricata 1.4.6 pkg v0.1 BETA package released

    36
    0 Votes
    36 Posts
    8k Views
    bmeeksB

    @JWTrance:

    Thanks for the new Suri package, been looking forward to this for a bit. :)

    Feel free to disregard, but I was wondering how hard it would be to implement an options tab similar to the oldschool Snort IDSControl Center (see example)

    I like the idea of being able to quick select options for a custom starting command line and then being able to save that Suri/Snort profile for later use.

    Be on the lookout for a substantial update to the Suricata package to be posted sometime over the next few days. I will be submitting the Pull Request shortly.  This will be version v0.2-BETA of the package.  There are lots of bug fixes and some other enhancements (such as an included Dashboard Widget, better rule update management and logging, and a Bro output option for Barnyard2).

    As for some control over command-line options, that is certainly possible.  Right now a fair number of parameters are configurable in the GUI and then provided to the Suricata binary via the suricata.yaml conf file.  Are there some Suricata-specific command-line options you need that are not available in the GUI?  If so, post a list and I will see what I can do.

    Bill

  • U

    HAVP antivirus wont start;

    2
    0 Votes
    2 Posts
    1k Views
    U

    Bump? Really want to have this working, It worked before hand on my netbook setup, but not now ? :(

  • D

    Unbound denies queries from IPsec clients…

    6
    0 Votes
    6 Posts
    1k Views
    W

    yeah and the other vpns.

  • O

    Detection Ultrasurf's traffic

    3
    0 Votes
    3 Posts
    2k Views
    D

    dont work!

    I think I have the wrong or your system dosent work

    I've addes my screenshoots.

    snort_log1.jpg
    snort_log1.jpg_thumb
    snort_log2.jpg
    snort_log2.jpg_thumb

  • ?

    HAVP service doesn't start

    16
    0 Votes
    16 Posts
    8k Views
    ?

    It works now in standard and parent mode. my problem was slow download process at update time.

  • B

    Reverse Proxy Using Squid

    1
    0 Votes
    1 Posts
    791 Views
    No one has replied
  • L

    Squid 3.4?

    1
    0 Votes
    1 Posts
    833 Views
    No one has replied
  • S

    Squid 3.3.10 error

    5
    0 Votes
    5 Posts
    1k Views
    B

    https://forum.pfsense.org/index.php?action=post;quote=398495;topic=43687.270

    @serialdie:

    Under –- System ----- User Manager

    Add the user clamav.

    Worked for me.

  • B

    Voip server in ALIX

    1
    0 Votes
    1 Posts
    626 Views
    No one has replied
  • B

    Need to update file on http://files.pfsense.org (vnstat2 php front end)

    27
    0 Votes
    27 Posts
    7k Views
    A

    woo hoo! thanks!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.