Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics, 21k Posts

    I am using pfSense 2.8.0 with haproxy 0.63_10, and I have 4 sites that redirect to two different web servers. I am using two frontends: one for HTTP requests, redirecting to HTTPS using the rule "scheme https", and a second of type ssl/https (TCP mode) to redirect the request with the ACL and the action. Now I want to add a new site to one of the web servers. I created a new backend (and even tried duplicating one) and added the proper ACL and action as I always did, but for some reason, since the update to 2.8.0, the redirect keeps going to the wrong backend. As a test, I rewrote an old backend and updated the ACL and rule in the frontend, and that works fine. Is there a known bug since the update? It keeps happening even after rebooting pfSense and the haproxy service and reinstalling the package.
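
    HAProxy evaluates use_backend rules in file order and the first ACL that matches wins, so a new hostname that also satisfies an earlier, broader ACL (an "ends with" match, for instance) is routed by that earlier rule no matter how correct the new one is. The script below is an added example, not code from the post or from the pfSense HAProxy package: it replays that evaluation over two constructed frontend fragments, one with the broad rule ahead of the new site's exact rule and one with the order swapped. Backend names, hostnames and the config path named in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the pfSense HAProxy package: replay
# HAProxy's first-match evaluation of use_backend rules for an SNI-routed
# TCP frontend. Backend names and hostnames below are constructed.
# On the firewall the generated config can be inspected with
#   grep -n -e ' acl ' -e use_backend /var/etc/haproxy/haproxy.cfg   (path assumed)

# Frontend with the new site's rule added last. site_all uses an
# "ends with" match, so it also matches new.example.com.
CFG_BROKEN='
frontend https_tcp
    mode tcp
    acl site_shop req.ssl_sni -i -m str shop.example.com
    acl site_all  req.ssl_sni -i -m end example.com
    acl site_new  req.ssl_sni -i -m str new.example.com
    use_backend web2_backend if site_shop
    use_backend web1_backend if site_all
    use_backend web2_backend if site_new
    default_backend fallback_backend
'

# Same frontend with the exact rule for the new site placed before the broad one.
CFG_FIXED='
frontend https_tcp
    mode tcp
    acl site_shop req.ssl_sni -i -m str shop.example.com
    acl site_all  req.ssl_sni -i -m end example.com
    acl site_new  req.ssl_sni -i -m str new.example.com
    use_backend web2_backend if site_shop
    use_backend web2_backend if site_new
    use_backend web1_backend if site_all
    default_backend fallback_backend
'

# acl_matches CFG ACLNAME SNI : 0 if the named ACL matches SNI.
# Handles single-pattern ACLs: -m str (exact, the default for req.ssl_sni),
# -m end and -m beg, compared case-insensitively as the -i flag implies.
acl_matches() {
    acl_line=$(printf '%s\n' "$1" | awk -v n="$2" '$1=="acl" && $2==n {print; exit}')
    [ -n "$acl_line" ] || return 1
    mtype=$(printf '%s\n' "$acl_line" | awk '{for (i=1;i<NF;i++) if ($i=="-m") print $(i+1)}')
    pat=$(printf '%s\n' "$acl_line" | awk '{print $NF}' | tr 'A-Z' 'a-z')
    sni=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    case ${mtype:-str} in
        str) [ "$sni" = "$pat" ] ;;
        end) case $sni in *"$pat") return 0 ;; *) return 1 ;; esac ;;
        beg) case $sni in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   return 1 ;;
    esac
}

# route_sni CFG SNI : print the backend HAProxy selects. use_backend rules are
# tried in file order; the first whose ACL matches wins, else default_backend.
route_sni() {
    chosen=$(printf '%s\n' "$1" | awk '$1=="use_backend" && $3=="if" {print $2, $4}' |
        while read -r backend aclname; do
            if acl_matches "$1" "$aclname" "$2"; then printf '%s\n' "$backend"; break; fi
        done)
    if [ -n "$chosen" ]; then
        printf '%s\n' "$chosen"
    else
        printf '%s\n' "$1" | awk '$1=="default_backend" {print $2; exit}'
    fi
}

echo "broken order: new.example.com -> $(route_sni "$CFG_BROKEN" new.example.com)"
echo "fixed order:  new.example.com -> $(route_sni "$CFG_FIXED" new.example.com)"
```

    The same check applies to the real file: list the use_backend lines of the frontend in order and confirm that no earlier ACL can match the new site's SNI. The package regenerates the file from the GUI order, so the fix is to move the new rule up (or make the older rule an exact match) rather than to edit haproxy.cfg by hand.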

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics, 16k Posts
    cyb3rtr0nian

    @bmeeks So after upgrading to the newest pfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new pfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    571 Topics, 3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron job.
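
    For the cron route, the script below is an added example, not code from the post or from the vnstat package: it copies the database named in the post to a timestamped file, verifies the copy byte for byte before accepting it, and keeps only the newest N copies. The backup directory, the retention count and the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the vnstat package: a verified, rotated
# backup of vnstat's database for use from cron. The source path
# /var/db/vnstat/vnstat.db is the one given in the post; backup directory,
# retention count and the cron entry below are assumptions.
#
# Suggested cron entry (assumed): 15 3 * * * /root/backup_vnstat.sh

# backup_vnstat SRC_DB DEST_DIR [KEEP] : copy SRC_DB into DEST_DIR under a
# timestamped name, verify the copy, then keep only the KEEP newest copies.
# Prints the path of the new backup; returns 1 on any failure.
backup_vnstat() {
    src=$1; dest=$2; keep=${3:-7}
    [ -f "$src" ] || { echo "no database at $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/vnstat-$stamp.db"
    n=0
    while [ -e "$out" ]; do n=$((n + 1)); out="$dest/vnstat-$stamp-$n.db"; done
    # write to a temporary name first so a half-copied file is never taken for a backup
    if ! cp "$src" "$out.tmp" || ! cmp -s "$src" "$out.tmp"; then
        rm -f "$out.tmp"
        echo "copy of $src failed verification" >&2
        return 1
    fi
    mv "$out.tmp" "$out" || return 1
    # retention: newest first by modification time, delete everything past $keep
    ls -t "$dest"/vnstat-*.db 2>/dev/null | awk -v k="$keep" 'NR > k' | while read -r old; do
        rm -f "$old"
    done
    printf '%s\n' "$out"
}

# Stand-alone use against the live database (assumed destination):
#   backup_vnstat /var/db/vnstat/vnstat.db /root/vnstat-backups 7
```

    A plain file copy taken while vnstatd is writing can catch the SQLite file mid-transaction; if the sqlite3 command-line tool is installed, `sqlite3 /var/db/vnstat/vnstat.db ".backup '/root/vnstat-backups/vnstat.db'"` produces a consistent snapshot, and the verification and rotation above can be applied to that output instead.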

  • Discussions about the pfBlockerNG package

    3k Topics, 20k Posts

    I resolved this by accepting the T+Cs via

    https://www.maxmind.com/en/accounts/1205389/geolite2/eula

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics, 2k Posts
    dennypage

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.

    Glad you have it sorted.

    There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting.
    ...
    Question: What would tell me whether or not a driver was loaded?

    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).

    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name).

    You can see the quirk with the following command:

    [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
    VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    [25.07-RC][root@fw]/root:

    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade:

    You might consider adding this resolution to the release notes for 2.8.

    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
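
    The grep in the post finds every line containing "0764", including other products from the same vendor. The script below is an added example, not code from the post or from the NUT package: it parses the quirk table properly, matching vendor ID, product ID and the REVLO..REVHI revision range, so it answers "which quirk applies to this device" rather than "which lines mention this vendor". The embedded sample is the output quoted in the post; on the firewall, pipe the live usbconfig command in instead.

```shell
#!/bin/sh
# Added example, not from the post: look up the quirk entries that apply to a
# USB device in the output of `usbconfig dump_device_quirks`. The sample is
# the output quoted in the post, embedded so the script runs without the UPS
# attached; on the firewall pipe the live command in instead:
#   usbconfig dump_device_quirks | find_quirk 0764 0601

QUIRKS_SAMPLE='VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE'

# hex2dec HEX : decimal value of a hex string, with or without a 0x prefix
hex2dec() { printf '%d' "0x${1#0x}"; }

# find_quirk VID PID [BCDDEVICE] : read quirk lines on stdin and print the
# quirk name of every entry whose VID and PID match and whose REVLO..REVHI
# range contains the device revision (default 0, which matches entries with
# REVLO=0 such as the ones in the sample).
find_quirk() {
    vid=$(hex2dec "$1"); pid=$(hex2dec "$2"); rev=$(hex2dec "${3:-0}")
    while read -r line; do
        [ -n "$line" ] || continue
        lvid=''; lpid=''; lo=0; hi=0; quirk=''
        for kv in $line; do
            case $kv in
                VID=*)   lvid=$(hex2dec "${kv#VID=}") ;;
                PID=*)   lpid=$(hex2dec "${kv#PID=}") ;;
                REVLO=*) lo=$(hex2dec "${kv#REVLO=}") ;;
                REVHI=*) hi=$(hex2dec "${kv#REVHI=}") ;;
                QUIRK=*) quirk=${kv#QUIRK=} ;;
            esac
        done
        [ -n "$lvid" ] && [ -n "$lpid" ] || continue
        if [ "$lvid" -eq "$vid" ] && [ "$lpid" -eq "$pid" ] && [ "$rev" -ge "$lo" ] && [ "$rev" -le "$hi" ]; then
            printf '%s\n' "$quirk"
        fi
    done
}

# quirk_for_sample VID PID : the same lookup against the embedded sample
quirk_for_sample() { printf '%s\n' "$QUIRKS_SAMPLE" | find_quirk "$1" "$2"; }

echo "0764:0601 -> $(quirk_for_sample 0764 0601)"
```

    An empty result means no quirk covers the device, which is when you would expect a kernel HID driver to attach and NUT's USB driver to lose the fight for it; UQ_HID_IGNORE, as the post says, is the entry that keeps the kernel off the UPS so the NUT driver can claim it.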

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics, 3k Posts
    Gertjan

    @EChondo

    What's your pfSense version ?
    The instructions are shown here (screenshot not reproduced):

    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics, 1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI, it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics, 576 Posts
    TommyMoo

    @elvisimprsntr Thanks, just updated, works fine! 👍 😊

  • Discussions about WireGuard

    690 Topics, 4k Posts

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

  • Perl libraries to manipulate config.xml file?

    Locked, 7 Posts, 0 Votes, 4k Views

    Thank You very much everyone. I guess I'll write the perl modules myself.

  • Squidguard with autoupdate

    Locked, 2 Posts, 0 Votes, 4k Views

    Autoupdate is not a simple archive copy/paste.
    You need to make steps to prepare the archive's catalog structure, and check the config for correct blacklist names.

  • Thresholds tab in snort - suppress not stopping alerts

    Locked, 6 Posts, 0 Votes, 5k Views

    Wow I feel like an idiot that I did not see that before. I guess I believed the drop down menus only had Default like my Home Net and external net has and ignored the rest while completely ignoring the fine text which is quite small on my laptop…. duuurr

  • Sort test program

    Locked, 4 Posts, 0 Votes, 2k Views

    You can enable the scan category and use "NMAP -sS window 4096" from a remote computer.

  • Openbgpd status page

    Locked, 3 Posts, 0 Votes, 2k Views

    Yeah that status page needs a lot of help, takes way too long in such circumstances (mostly people use the command line bgpctl instead).

    It's on our radar to get fixed up sometime in the future. Patches welcome if you have ideas on how to make it more usable.

  • Little problem on Menu [snort]

    Locked, 3 Posts, 0 Votes, 2k Views

    There is also a URL error when traversing to the traffic shaper from snort.

    With the following resulting URL
    http://192.168.153.1:8080/snort/firewall_shaper.php

  • OpenBGPD restart script error

    Locked, 5 Posts, 0 Votes, 3k Views

    ok ;)

    I agree with you, this script may not be used to start bgpd :) As you wrote, "Though I never investigated this issue and can't say anything" more ;)

    I found that error while deep testing a BGP configuration for OpenVPN/link failover with CARP, where openvpn may be started before bgpd, so that the tap device did not exist before, and for some (yet) obscure reasons bgpd was not started at boot time.
    So, I tested a script that checks for the existence of the bgpd socket and restarts it.
    It is not a standard configuration (unsupported).

  • Internet -havp-squid-client

    Locked, 12 Posts, 0 Votes, 9k Views

    @ColdFusion:

    I have squid/havp/squidguard and my config works this way.
    Try putting Havp in Transparent and Squid transparent unchecked.

    Havp…
    Transparent checked
    upstream proxy...lan IP:squid port.....example 192.168.1.1:3128
    Havp proxy port 3121
    enable x-forward...checked

    In squid:
    x forward unchecked
    disable Via unchecked
    transparent unchecked

    I have my configuration set up exactly like this, but it doesn't work…the IP address in the logs (and in the denied page), is the router's LAN address, and NOT the client PC.  What am I doing wrong?  Is there a bug?  Can someone shed some light on this?  Thanks!

  • Squid+lusca+CDN+delay pools (pfs 1.2.3) ?

    Locked, 1 Post, 0 Votes, 3k Views
    No one has replied

  • [patched] Apache + mod_security + proxy

    Locked, 3 Posts, 0 Votes, 3k Views

    Had to manually configure ProxyPass and ProxyPassReverse inside httpd.conf to get it working.

    Site Proxy | Site Name *Enter a short descriptive name for the site. (e.g. intranet)
    It's misleading, since what you enter there will go into httpd.conf; be aware it's not just a description.
    It will end up in the ProxyPassReverse!

    Will see for any other issues, maybe fix them if time permits … cheers.

  • Very urgent: Problem of updating of the SNORT rules

    Locked, 4 Posts, 0 Votes, 2k Views

    Update to the latest snort; as you mentioned, you are using snort-old.

    There was a lot of discussion on the old snort. Basically you updated to the latest rules, based on the latest snort, using an old snort version.

    See this as well as other threads.
    http://forum.pfsense.org/index.php/topic,23185.0.html

  • LightSquid only updates manually

    Locked, 9 Posts, 0 Votes, 6k Views

    Here is the result of running pkg_info.

    $ pkg_info
    arc-5.21o_1             Create & extract files from DOS .ARC files
    arj-3.10.22_1           Open-source ARJ
    bandwidthd-2.0.1_1      Tracks bandwidth usage by IP address
    clamav-0.95.1           Command line virus scanner written entirely in C
    db41-4.1.25_4           The Berkeley DB package, revision 4.1
    gd-2.0.35,1             A graphics library for fast creation of images
    gdbm-1.8.3_3            The GNU database manager
    gettext-0.17_1          GNU gettext package
    grub-0.97_3             GRand Unified Bootloader
    havp-0.90               HTTP Antivirus Proxy
    jpeg-6b_4               IJG's jpeg compression utilities
    lha-1.14i_6             Archive files using LZSS and Huffman compression (.lzh file
    libdnet-1.11_2          A simple interface to low level networking routines
    libiconv-1.11_1         A character set conversion library
    lightsquid-1.7.1_1      A light and fast web based squid proxy traffic analyser
    lua-5.1.3_3             Small, compilable scripting language providing easy access
    mbmon-205_4             A tty motherboard monitor for LM78/79, W8378x, AS99127F, VT
    mysql-client-5.0.77     Multithreaded SQL database (client)
    mysql-client-5.1.44_1   Multithreaded SQL database (client)
    nano-2.0.9              Nano's ANOther editor, an enhanced free Pico clone
    openldap-client-2.4.10  Open source LDAP client implementation
    p5-GD-2.39              A perl5 interface to Gd Graphics Library version2
    packages                BSD Installer mega-package
    pcre-7.8                Perl Compatible Regular Expressions library
    pcre-8.00               Perl Compatible Regular Expressions library
    perl-5.10.1             Practical Extraction and Report Language
    perl-5.8.8_1            Practical Extraction and Report Language
    pkg-config-0.23_1       A utility to retrieve information about installed libraries
    sqlite3-3.6.10          An SQL database engine in a C library w/ Tcl wrapper
    squid-2.7.7             HTTP Caching Proxy
    squidGuard-1.3_1        A fast redirector for squid
    squid_radius_auth-1.10  RADIUS authenticator for squid proxy 2.5 and later
    unzoo-4.4_2             A zoo archive extractor
    vnstat-1.6_3            A console-based network traffic monitor

    That's interesting I thought I had removed havp through the web interface.

  • 1 Post, 0 Votes, 1k Views
    No one has replied

  • Anyone interested in putting TCAR in Pfsense?

    Locked, 2 Posts, 0 Votes, 2k Views
    jimp

    It looks like that was written specifically for IPcop and uses its terminology and probably has specific requirements for that, and likely Linux-related conventions.

    pfSense uses FreeBSD, so it's unlikely that such a program would work properly without major work, if it can be done at all.

  • Squid Setup

    Locked, 5 Posts, 0 Votes, 3k Views

    I am using 2.7.3 stable on Debian and 2.7.8 on pfSense.
    My ISP already allowed my IP address to bypass their proxy server. But i still want to redirect to my own proxy server.

    Thanks

  • Cannot open one Url only

    Locked, 3 Posts, 0 Votes, 2k Views
    jimp

    If the site is hosted locally behind that same pfSense box, try checking the box in squid to bypass the proxy for RFC1918 networks.

  • Freeradius startup problem

    Locked, 2 Posts, 0 Votes, 3k Views
    jimp

    It's possible that this is falling victim to the same problem that several other packages have. On boot, they try to start up multiple times. First, they sync their settings and write out an rc script, and then start themselves. Then later in the boot process, the rc scripts get executed, starting them again. If you have a dynamic WAN (DHCP, PPPoE) sometimes it can happen one more time as the new IP will trigger another package sync.

    The package maintainer may need to add some more logic to handle this kind of situation.
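
    The logic jimp describes is a start routine that refuses to launch a second copy when one is already running, and that also copes with a stale pidfile left by a crashed instance. The script below is an added example, not code from the post or from any pfSense package: an idempotent start/stop pair that a package rc script could wrap its daemon in, using an atomic mkdir lock so that two starters racing each other (package sync versus rc.d) cannot both pass the liveness check. Pidfile location and daemon command are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from any pfSense package: an idempotent
# start wrapper so that the boot-time package sync, the later rc.d run and a
# WAN-change resync do not each start another copy of the daemon.
# Pidfile location and daemon command are assumptions.

# start_once PIDFILE CMD [ARGS...] : start CMD in the background unless the
# process recorded in PIDFILE is still alive. Returns 0 when started, 2 when
# already running or when another start is in progress.
start_once() {
    pidfile=$1; shift
    lockdir="$pidfile.lock"
    # mkdir is atomic, so two starters racing through this function cannot both
    # pass the liveness check below and both launch the daemon
    mkdir "$lockdir" 2>/dev/null || { echo "another start of $1 is in progress" >&2; return 2; }
    rc=0
    # kill -0 only probes; it fails for a dead pid (and, as a known limit, for a
    # live pid owned by another user, which this wrapper treats as stale)
    if [ -r "$pidfile" ] && oldpid=$(cat "$pidfile") && [ -n "$oldpid" ] && kill -0 "$oldpid" 2>/dev/null; then
        echo "$1 already running (pid $oldpid)" >&2
        rc=2
    else
        rm -f "$pidfile"          # stale pidfile left by a crashed or killed instance
        "$@" &
        echo $! > "$pidfile"
    fi
    rmdir "$lockdir"
    return $rc
}

# stop_once PIDFILE : terminate the recorded process, if any, and remove the pidfile
stop_once() {
    pidfile=$1
    [ -r "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    [ -n "$pid" ] && kill "$pid" 2>/dev/null || true
    rm -f "$pidfile"
}

# Stand-alone use (assumed daemon and paths):
#   start_once /var/run/radiusd.pid /usr/local/sbin/radiusd -f
#   start_once /var/run/radiusd.pid /usr/local/sbin/radiusd -f   # second call: "already running"
```

    Daemons that write their own pidfile and detach should be started in the foreground-mode variant the daemon offers (as in the radiusd -f line above) so that the pid recorded here is the process that actually serves; otherwise the wrapper records the short-lived parent and every later call sees a stale pidfile.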

  • Snort Help

    Locked, 4 Posts, 0 Votes, 2k Views

    I used my own suggestion and googled this page for you since you were lacking the necessary skills to do so yourself
    http://forum.pfsense.org/index.php?topic=18926.0;prev_next=prev

  • Snort will not unblock a whitelisted IP

    Locked, 17 Posts, 0 Votes, 16k Views

    Reading another thread, (spp_frag3) is a snort preprocessor error. Not sure how to fix it other than to suggest you turn on all the preprocessors to see if that fixes it.

    As far as whitelisting goes you need to find the offending rule that is blocking the address and create a suppress rule for it in the tab. I "believe" I got it to work by using this syntax.

    suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.225.24

    I tried to get one rule to handle the same sig i.e.

    suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.222.14
    suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.212.10

    Edit: This doesn't work. I will try restarting the router and see if anything changes. It is still blocking a category I have recently unchecked.

    But I was not able to get it to work as above. Haven't had the time to test using a , or ; to separate due to time constraints.
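
    Whether a suppress entry takes effect depends first on it being parsed at all: a malformed line is silently the wrong place to look for "still blocking". The script below is an added example, not code from the thread or from the Snort package: a shape checker for threshold.conf suppress entries, run over the lines quoted above plus constructed bad ones (a mistyped track keyword, and two addresses joined with a semicolon). It accepts a single address, a CIDR block, or a bracketed comma-separated list; the list form is included on the assumption that the Snort build in use accepts Snort IP-list syntax there, which the thread itself does not settle. It checks syntax only and cannot tell you whether the suppressed rule is the one actually doing the blocking.

```shell
#!/bin/sh
# Added example, not from the thread: syntax check for Snort threshold.conf
# suppress lines. Shape checked: gen_id/sig_id numeric, track by_src|by_dst,
# ip is an IPv4 address, a CIDR, or a bracketed comma list (the list form is
# an assumption about the Snort version, not something the thread confirms).

IP='([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?'
SUPPRESS_RE="^suppress[[:space:]]+gen_id[[:space:]]+[0-9]+,[[:space:]]*sig_id[[:space:]]+[0-9]+(,[[:space:]]*track[[:space:]]+by_(src|dst),[[:space:]]*ip[[:space:]]+($IP|\[$IP(,$IP)*\]))?[[:space:]]*$"

# check_suppress_line LINE : 0 if LINE is a well-formed suppress entry
check_suppress_line() {
    printf '%s\n' "$1" | grep -Eq "$SUPPRESS_RE"
}

# check_suppress_file < threshold.conf : print "ok"/"BAD" per entry, skipping
# comments and blank lines; returns 1 if any entry is malformed
check_suppress_file() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if check_suppress_line "$line"; then
            printf 'ok   %s\n' "$line"
        else
            printf 'BAD  %s\n' "$line"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: the entries quoted in the thread, one without track/ip,
# and two malformed lines of the kind a hand edit produces.
SAMPLE='# constructed sample threshold.conf
suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.225.24
suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.222.14
suppress gen_id 1, sig_id 11969, track by_src, ip [216.82.212.10,216.82.212.11]
suppress gen_id 1, sig_id 2000

suppress gen_id 1, sig_id 11969, track by_source, ip 216.82.212.10
suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.212.10; 216.82.212.11'

printf '%s\n' "$SAMPLE" | check_suppress_file || echo "malformed suppress entries found" >&2
```

    The entry with no track/ip clause suppresses the signature entirely; the others are scoped to a source address, so the rule still fires and blocks for any other source. If the goal is to keep an address from ever being blocked, a suppress entry per signature is the wrong tool compared with a pass list, which is why the earlier replies in this thread keep asking which rule produced the block.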

  • Snort Memory Setting

    Locked, 5 Posts, 0 Votes, 6k Views

    I second that AC-BNFA is the only usable setting for most systems. (My inner geek would love to see a system that handles AC with moderate traffic.) My system has 2GB RAM with 3 interfaces running at this setting at 23% memory usage with low traffic. It is also wise to choose only the categories that are necessary for that particular interface; not all categories need to be checked. Use only what you need, otherwise you will be wasting CPU time and memory for nothing.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.