Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ

    @tinfoilmatt Here you go

    https://forum.netgate.com/topic/195860/mnt-folder-question

    To quote: @stephenw10

    "Jan 6, 2025 at 5:43 AM I would still use a custom location to be sure. I can't find anything off hand but it would conflict with anything that did.

    I'm pretty sure the efi partition is mounted there to test at upgrade for example."

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    C

    @bmeeks That would explain it. Thank you.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    569 Topics
    3k Posts
    dennypageD

    @StealthNet said in Outgoing Portscans - ntopng?:

    Tbh I never thought a default package would do some kind of outbound network discovery based on class C scanning of internet hosts.

    I don't think this is ok.

    I agree. I was rather shocked when I discovered this while diagnosing the same issue with another pfSense user who happens to be a close friend of mine. He had also enabled it because ntopng's description made it sound like a good thing.

    Anyway, I appreciate your, and others', input on this. I believe I will add a set of warnings to the next version of the package, to at least have put forth the information/warning.

    Thank you.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    dennypageD

    @Unoptanio said in I don't receive emails ONLY on Apple devices:

    Mail cannot function in IOS 18.2 if iCloud Private Relay is blocked at a network level

    https://discussions.apple.com/thread/255916395?sortBy=rank

    This reference is/was out of date. The linked discussion refers to a specific bug introduced in iOS 18.2 (December 11, 2024), which was corrected in iOS 18.3 (January 27, 2025). Apple stopped signing 18.2.X a week later, almost 2 months before this thread began.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    94 Topics
    2k Posts
    V

    @Vancejo1 said in apcupsd causes restart:

    When I stop the apcupsd service, run apctest, and then select 10 (battery calibration), it causes my router to reboot after reporting that the calibration was aborted.

    Is it really rebooting? Or does the UPS cut the power?
    Check the logs to be sure.
    I've seen the latter already, but with old batteries, however.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    491 Topics
    3k Posts
    jimpJ

    Let's Encrypt is removing the TLS Client Authentication EKU from certificates they sign in the near future:

    https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

    This shouldn't affect many, if any, users of ACME on pfSense as it isn't used as a client certificate, only as a server certificate in various contexts (e.g. GUI, Captive Portal, HAProxy).

    In the past we have discouraged using Let's Encrypt certificates in certain contexts (like for clients) since it wasn't typically a secure practice. For example, if you use a Let's Encrypt certificate for OpenVPN, it would trust any certificate signed by Let's Encrypt, which makes it useless as an authentication factor.

    So while this is something to be aware of and check, it's unlikely to be a problem for most people.

  • Discussions about the FRR Dynamic Routing package on pfSense

    290 Topics
    1k Posts
    F

    Hi Team,

    This is driving me crazy!

    I typically set up FRR manually under PFS, but would like to move to GUI to make life easier for 'new folks'.

    Here's a snippet of my config:

    router ospf
    ospf router-id id.id.id.id
    area 0.0.0.0 shortcut default
    redistribute kernel
    !
    ip prefix-list XXX seq 1 deny 10.0.0.0/16 le 32
    ip prefix-list XXX seq 2 permit any

    route-map XXX permit 10
    match ip address prefix-list XXX
    !
    ip protocol ospf route-map XXX

    I cannot for the life of me figure out how to get the last line into the config via the GUI.

    I've read that setting ABR filters in FRR-OSPF->Areas might be the answer, but that doesn't seem to be it.

    Could someone please explain what I'm missing here?

    Thanks

    ChIP

  • Discussions about the Tailscale package

    85 Topics
    546 Posts
    M

    @jacobhall @Defiling2063
    I think it has something to do with DNS over HTTPS (DoH).

    I have all the same issues. For me it worked after setup until I rebooted.

    It seems that the clients are pushed a faulty DNS config and think they can do DNS over HTTPS:

    sudo tailscale dns status

    Resolvers (in preference order):

    1.1.1.1 9.9.9.9

    I can use dig to check that the DNS resolves using these servers just fine.

    When the system uses Tailscale's DNS servers, the issue arises:

    % tailscale dns query apple.com
    DNS query for "apple.com" (A) using internal resolver:
    failed to query DNS: 500 Internal Server Error: resolving using "/dns-query": unrecognized resolver type "/dns-query"
    unrecognized resolver type "/dns-query"

    My guess is that headscale is pushing a faulty DNS config?

  • Discussions about WireGuard

    679 Topics
    4k Posts
    D

    @Bob-Dig yeah lol, but I'm pretty sure I've followed everything to the letter as the other services are working or it's something small I'm overlooking....

  • 0 Votes
    2 Posts
    694 Views
    S

    Hi @Finger79

    Have you found any information about it?
    For me it looks like pfSense itself also does not support RadSec as it is defined in the RFC from 2012. Nevertheless, only a few vendors support it at all.

    Maybe this changes after the Blast-RADIUS issue.

    br
    Thomas

  • 0 Votes
    3 Posts
    182 Views
    B

    @kprovost Good to know, thank you.

  • CVE-2024-7589

    6
    0 Votes
    6 Posts
    468 Views
    sokeadaS

    @Gertjan your instructions make sense to me. I already applied that too, except turning SSH on/off via the GUI when needed. That's another tip. Thank you so much.

  • 0 Votes
    4 Posts
    231 Views
    bmeeksB

    Suricata by default places the physical interface in promiscuous mode, so all traffic traversing the physical interface is seen by all Suricata instances running on the physical interface. That means there is no benefit to creating separate Suricata instances for each VLAN, because a single instance will see the traffic from all VLANs.

    You can, to a limited extent, tailor how a given Suricata instance responds to traffic by using customized HOME_NET and/or EXTERNAL_NET variables and making sure all the rules you are enabling use the $HOME_NET and $EXTERNAL_NET conditionals in the rule text.

  • Official Wazuh agent support?

    2
    2 Votes
    2 Posts
    333 Views
    B

    @buggz I second this. It would make things much easier than enabling the FreeBSD repos, if that still even works. I might end up giving it a whirl with one of my internal fws. I've also considered the syslog route but the agent seems like it may provide more info/customization etc.

  • Pfsense new install no software packages available

    38
    0 Votes
    38 Posts
    24k Views
    B

    Thanks for all the replies.

    I ran the upgrade in the command line

    pfSense-upgrade -y

    and am on 2.7.2 now.

    All packages seem to be populating again.

  • LCDproc

    5
    0 Votes
    5 Posts
    230 Views
    fireodoF

    Hi,

    there is another problem with LCDproc 0.12_1 (besides the increased processor activity since the update of 12-13.05.24) when there is a Gateway latency problem or the WAN goes down unexpectedly:

    Aug 6 04:28:48 rc.gateway_alarm 23648 >>> Gateway alarm: WAN_PPPOE (Addr:217.xxx.xxx.xxx Alarm:0 RTT:9.355ms RTTsd:.223ms Loss:5%)

    LCDProc is flooding the log with this:

    Aug 6 04:30:03 php 25120 lcdproc: Connection to LCDd process lost ()
    Aug 6 04:28:55 php 25120 lcdproc: Connection to LCDd process lost ()
    Aug 6 04:28:54 php 25120 lcdproc: Connection to LCDd process lost ()

    Have a nice day,
    fireodo

  • LCDproc totally broken in 0.12_1?

    3
    0 Votes
    3 Posts
    132 Views
    fireodoF

    Hi,

    there is another problem with LCDproc 0.12_1 (besides the increased processor activity since the update of 12-13.05.24) when there is a Gateway latency problem or the WAN goes down unexpectedly:

    Aug 6 04:28:48 rc.gateway_alarm 23648 >>> Gateway alarm: WAN_PPPOE (Addr:217.xxx.xxx.xxx Alarm:0 RTT:9.355ms RTTsd:.223ms Loss:5%)

    LCDProc is flooding the log with this:

    Aug 6 04:30:03 php 25120 lcdproc: Connection to LCDd process lost ()
    Aug 6 04:28:55 php 25120 lcdproc: Connection to LCDd process lost ()
    Aug 6 04:28:54 php 25120 lcdproc: Connection to LCDd process lost ()

    Have a nice day,
    fireodo

  • Troubleshooting telegraf - influxdb

    3
    0 Votes
    3 Posts
    3k Views
    F

    Might help someone. I had similar issues, but it turns out my pfSense didn't trust the self-signed CA that signed the InfluxDB cert. Found out by stopping the service:

    ps aux | grep tele
    kill -9 <PID>

    And then running telegraf manually:

    /usr/local/bin/telegraf -config=/usr/local/etc/telegraf.conf

    Note that the service restart/stop buttons in the web GUI did not work for me, only the start button (which shows up after I killed the process).

  • isc-bind package upgrade

    4
    0 Votes
    4 Posts
    340 Views
    K

    @allxi said in isc-bind package upgrade:

    https://github.com/pfsense/FreeBSD-ports/commit/279801056eb46b74ce3828a77a7b679225817a2d#diff-a69ffe76fc45ab53d7931b2ee22b96681a82a9ef3245d8ea08eb0a217db0bb60

    Thanks (sorry for the delayed response)

    However, it's great we have this, but this doesn't show when it will hit CE at all, as this commit was 2 years ago, but 9.16 is still in CE.

  • 0 Votes
    3 Posts
    947 Views
    P

    While looking for something else I found that I also have similar messages in my syslog. Looking further I found this recommendation for the vnStat package:

    "Every NIC is added on install. So if a NIC is added (or removed) on the firewall, remove the package and install again. If the firewall has data for a NIC, vnStat will report the data even if the NIC has been removed.
    A reinstall of the package will not change this as the firewall has data pertaining to the non-existent NIC and thus other packages such as vnstat2 will report the data it has or has found."

    Link: https://docs.netgate.com/pfsense/en/latest/packages/traffic-totals.html

    Indeed I changed my hardware and restored the configuration from the old one. Some NICs changed from 1Gb to 10Gb.

    However, after removing and installing the package I see this in the log:

    Monitoring (10): tun_wg0 (1000 Mbit) pppoe1 (1000 Mbit) pfsync0 (1000 Mbit) pflog0 (1000 Mbit) ix1 (10000 Mbit) ix0 (10000 Mbit) igb1 (10 Mbit) igb0 (10 Mbit) enc0 (1000 Mbit) em0 (1000 Mbit)

    And it's incorrect. My pppoe1 sits on ix0 and my fiber speed is 3/3Gbps, so higher than the 1000Mbit vnStat thinks. Also igb0 and igb1 are 1000Mbit, not 10Mbit (they are not assigned yet, though).

    I suppose the log messages we see are no more than a minor nuisance but is there a way to assign correct interface speeds for vnStat or disable these messages?

  • Performance with widget Speedtest by ookla

    3
    0 Votes
    3 Posts
    204 Views
    P

    @Gertjan

    Thank you! I understand activities use resources, but if we have 50%+ CPU idle, probably not causing a problem? Or is that misleading?

    I have the exact same hardware pfsense firmware/software all with the same speedtest gui in 3 different ISP/locations.

    One location I have ATT Dedicated Fiber (new Install) that basically has zero network load but speed tests are all over the map (and large majority of tests are below the 90% minimums)

    The other 2 locations have a lot of network traffic, have shared fiber and they are much more stable than the ATT dedicated fiber.

    Since I have those three comparisons, I feel that proves the issue is with the ATT Dedicated fiber service. Yes or No / Agree disagree? Thanks!

  • pfSense Repository down?

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG

    @SteveITS said in pfSense Repository down?:

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#packages-netgate-com-has-no-a-aaaa-record

    Correct, no A or AAAA record.
    This time SRV records ("server records ?") are looked for.

    This is probably it, I'm just thinking out loud: everything is fine, but DNS isn't. pfSense can't call out for itself. Seen that before, and I never understood how people do so. Default 'Netgate' DNS settings work, as I've shown above.

  • no Available Packages in Package Manager

    7
    1 Votes
    7 Posts
    547 Views
    K

    @dhenzler THANK YOU for posting this!!!!

    I had been fighting this (and losing) for months now but, ran across this thread today and decided to try it out.
    It WORKED!!!
    At first I was more confused because I went to the system update and it showed the version 2.7.2 BUT, didn't give me an option to do the update from 2.7.0.
    I ran the certctl rehash in the Diagnostics/Command Prompt box which then let me access the update.
    And even before I ran the update I tested to see if the package manager would populate the list and, it did!
    And it still works after doing the update! YAY!!!!

    So again, thank you!

  • Avahi service stops / won't start when enabling reflection

    5
    0 Votes
    5 Posts
    260 Views
    dennypageD

    @beechclose FWIW, it turns out the limit isn't number of reflectors, but just the line length. There is a hard coded line length limit of 256 characters for the ini file. It is a known issue.

    I put up a PR to increase this to 1024.

  • Squid migration from 5.8 to 6.6 issues

    3
    0 Votes
    3 Posts
    343 Views
    JonathanLeeJ

    It is working like a dream; outside of the status pages it is 100x faster with browser traffic on my secure system that I hunt for bugs with.

  • Nrpe

    1
    0 Votes
    1 Posts
    159 Views
    No one has replied
  • SNORT no longer scanning Stopped 6/28/24 at 21 hour

    1
    0 Votes
    1 Posts
    78 Views
    No one has replied
  • Ping monitoring

    17
    0 Votes
    17 Posts
    944 Views
    dennypageD

    @bigjohns97 said in Ping monitoring:

    Help me understand what the risks are here, to me this is nothing more than what an nmap scan would do.

    Ntopng is an autonomous agent, whereas nmap is not. Consider that. You should look at the ntopng code and decide for yourself. The best I can tell you is that I have, and I recommend against enabling it.

    FWIW, you may have different views on network security than I do.

  • Avahi : Windows not found my printer

    8
    0 Votes
    8 Posts
    523 Views
    johnpozJ

    @fjmp24 said in Avahi : Windows not found my printer:

    a rule IPv4 UDP VLAN_1 subnets * 224.0.0.251 5353 *
    a rule IPv4 TCP/UDP VLAN_2 subnets * Printer * *
    a rule IPv4 UDP VLAN_2 subnets * 224.0.0.251 5353 *

    Posting rules like that doesn't help much, to be honest. Have no clue what could be above that making those moot.

    Are those on the same interface even? You have 2 rules with vlan2 subnets as source, and another rule with vlan1 as source.. How would both networks be source into the same interface?

    Seems you got it sorted so that is good, but next time you need help a picture of your rules showing the interface they are on, etc. is worth 10k words..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.