1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pgblockerng aliases in Haproxy?

    80758505-9bad-4dad-a80b-c159be1045a2-image.png

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nianC

    @bmeeks So after upgrading to the newest PfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new PfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    reza3swR

    @Gertjan
    Hello,
    Thank you.
    I had exactly the same issue, and your solution helped me fix it.

    Ask ChatGPT

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.

    Glad you have it sorted.

    There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting.
    ...
    Question: What would tell me whether or not a driver was loaded?

    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).

    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name).

    You can see the quirk with the following command:

    [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root:

    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    You might consider adding this resolution to the release notes for 2.8.

    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG

    @EChondo

    What's your pfSense version ?
    The instructions are shown here :

    1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

    A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    576 Posts
    TommyMooT

    @elvisimprsntr Thanks, just updated, works fine! 👍 😊

  • Discussions about WireGuard

    690 Topics
    4k Posts
    J

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

Log in to post
Load new posts
  • M

    Snort: Failing messages - FATAL ERROR: Failed to Lock PID

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    M

    Good to know; Thank you Cino!

  • W

    Ntop

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    If they both installed the exact same version of perl, it wouldn't be removed. You may have installed them at different times so they installed different (conflicting) versions of perl, so it took out one without realizing it was taking out the other.

    In the future we are working to completely isolate the packages and their dependencies from one another so they can't impact the base system or each other in that way, but it won't be happening for 2.0.

  • L

    Urlfilter

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    The blacklists are not likely to work at all on NanoBSD. They are gone because /var is a RAM disk so it will be gone at reboot.

    The squidGuard package isn't coded to support them in that scenario.

  • N

    Squid slow to only some website…

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    N

    well… I saw it was fast on my tablet... so It was related to my PC.

    I uninstalled BitDefender 2012... and tada!

    So... I will open a case at BitDefender.

    Thanks for the trick anyway! :)

  • A

    # pkg_add -r softflowd //File unavailable (e.g., file not found, no access)

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    A

    That did it ! Thanks Jim.

  • H

    How to Proxy only 1 of 2 Lan Intranets Connected to PFSense Firewall

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H

    Thanks for your help.

    I didn't realize you could control select in the proxy interface box. Thank you guys.

    Legends.  8)
  • T

    ? for pfsense Developers

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    No.

    All you know is the IP from the firewall log - at best you can guess the country with something like GeoIP but it's just a guess - you cannot get the URL unless you luck out and find that the IP actually reverse resolves to something meaningful.

    Many sites are hosted as virtual hosts, so there are 10, 100, 1000 "URLs" on a single IP address. The only way to know the URL is to sniff/proxy the traffic. You cannot get that from the IP.

    To do reverse DNS on the entire firewall log would take far too long to be practical, even just the part shown in the GUI. There is already a link (a little i) that will take you to Diagnostics > DNS with that IP if you really want to do a reverse lookup.

  • P

    Intercepting HTTPS Proxy

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    jimpJ

    There are very hackish ways to hijack ssl but it involves installing a certificate on the client machine, which essentially completely breaks the trust of SSL in such a way to make it useless. (There are also rumors that China/FBI/NSA/CIA/etc have "special" trusted CA certs on sniffer devices that essentially do the same… but I haven't seen any real evidence, though it is a fun theory)

    If you don't control the clients, you can't transparently proxy ssl. If you do control the clients, you're much better off doing as Nachtfalke suggested and hard coding the proxy information on the clients. Then you don't need to hack anything or install any certificates.

  • K

    Squid, squid guard

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Z

    [Unbound]Error in system log after upgrading

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    Z

    It should be no problem. I have installed the latest version.
    thanks for your quick help~~:)))

  • C

    Squidguard advanced source ACL ldap group lookup

    Locked
    3
    0 Votes
    3 Posts
    16k Views
    C

    Thanks for the response.

    Yes, that is correct, I want the user to be required to authenticate only if they try to go to a restricted site.

    For example, if a user navigates to http://someSiteThatIsRestricted.com it would prompt for a user name and password. If they are in a group in Active Directory that is allowed to go to that site it will of course let them otherwise they are redirected to a block page that tells them the reason.

    Thanks for the link. I have looked at that before but how do you do that in pfSense? I'm running a separate install to test with so I want to know how to do it even if it is not as secure and then I can decide whether to use a dedicated proxy instead of using pfsense for that.

    It is nice to be able to add functionality to pfSense through the packages because that allows for a more secure setup by default and the flexibility to customize it to fit almost any environment.

  • P

    Lightsquid users name

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G

    Talking to a 2008 r2 box, if it's been configured in a domain with 2008 functionality is a no go for this. You get the warning during the promotion of the server to DC that it will break lots of open source stuff. Also if Squid is in transparent mode it's a no go.

    So what's your domain functionality set to?
    Are your users authenticating to Squid and if so what method are you using i.e NTLM
    How many users are we talking about?

  • F

    Help Me!! I need block download for extensions HTTP , FTP AND….

    Locked
    13
    0 Votes
    13 Posts
    9k Views
    F

    Steve thanks for the help

    As you know the squid3 not confirmed! The lock so I could do for l7.

    About UltraSurf had already read that document but so far the only way I found to be successful in blocking was blocking all networks.
    99.224.0.0/11
    63.241.6.64/28
    63.242.0.0/16
    63.240.0.0/15
    218.168.0.0/16
    125.176.0.0/12
    122.118.0.0/16
    69.64.144.0/20
    211.109.128.0/24
    59.120.0.0/14
    59.112.0.0/13
    97.112.0.0/13
    71.192.0.0/12
    219.137.112.224/27
    203.112.80.0/20
    162.138.0.0/16
    170.201.0.0/16
    156.40.0.0/16
    61.224.0.0/14
    61.220.0.0/14
    59.120.0.0/14
    59.112.0.0/13
    220.136.0.0/13
    220.132.0.0/14
    220.130.0.0/15
    220.129.0.0/16
    118.168.0.0/16
    122.120.0.0/13
    118.168.0.0/16
    122.120.0.0/13
    71.208.0.0/12
    61.231.0.0/16
    218.160.0.0/16
    61.62.74.0/24
    72.25.64.0/18
    66.245.192.0/18
    64.62.138.0/25
    64.62.128.0/17
    125.224.0.0/13

    Work but is not an efficient method because tomorrow there may be a new network.

  • F

    Block url that contain some text with lightsquid

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    Lightsquid doesn't block, it just reports.

    SquidGuard is probably what you want, but it can't filter based on the text in the page, just the text in the URL itself.

    If you search the forum for SquidGuard you will probably find more useful information.

  • M

    Specific rules cause snort not to run.

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    A

    How would one recompile a the zlib library from the Web Configurator? If it has to be done via command line, what is the pkg_add command that would do this?  ???

  • R

    IMspector not logging Gtalk chats. Please help!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • T

    Dvserg P3Scan

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • T

    Chown -R -v havp Errors

    Locked
    9
    0 Votes
    9 Posts
    10k Views
    H

    @bluinside:

    Waiting for a bugfix… I have found this solution:

    make user "havp" (any password, I used "havp") using pfSense "User manager" from System menu

    than reboot and look into syslog. The error shuold be gone and the two Havp services should correctly start.

    :)

    Did this correct the issue?

  • C

    Snort Rules Download - 1.2.3

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    H

    @compucoder:

    I bit the bullet and upgraded to 2.0 RC3 last night. So far it is working perfectly. Every feature I used in Snort before works. The updater works properly now too.

    I just did the 2.0 upgrade and it is using whichever version of Snort it had before and it all seems to be working fine.

    So far 2.0 seems like a good route to take.

    Have you looked at SNORT to see whats running, I have had an issue with SNORT not starting and refuseing to start doing it manually. I have tried reinstalling and uninstalling so far no go. I thing there is a bug with 2.0 RC3 and SNORT, also have had an issue with HAVP anti virus hanging the system. After hours of working with them, I removed both and all issues went away.

  • D

    Lightsquid with 2.0 RC3 - not showing anything - "SOLVED"

    Locked
    8
    0 Votes
    8 Posts
    11k Views
    P

    @jimp:

    pkg_delete -f perl-5.12.3, then reinstall the lightsquid package.

    i did that and reinstalled got same error
    i noticed that there is 3 version of perl loaded do i have to delete all of them

    perl-5.10.1_1      Practical Extraction and Report Language
    perl-5.12.3        Practical Extraction and Report Language
    perl-5.12.4        Practical Extraction and Report Language

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.