Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certificate on internal LAN too:
        Yeah - what part do you not understand? If you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP, what are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as externally and run into the problem of what IP it resolves to. Change your local domain to say home.arpa or .internal or at least something different than the public domain you're using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing - you are going to have problems. Since you clearly do not understand how any of this works - the simple solution is to change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud.
    This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with fewer words. You otherwise were directing OP in the right direction in my opinion.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with the Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, and it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log. I tried launching it manually:
        # /usr/local/bin/suricata -V
    or
        # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787
    and I get this output:
        ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"
    Thanks in advance, Dara
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:
        /usr/sbin/chown -R nobody:nobody /var/db/ntopng
    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    V
    Ah, I changed the action to deny both and now I also have a wan firewall rule, which I also had on OPNsense. With this wan rule I can see the blocks already coming now! Is it a bad idea to have the action set to deny both instead of inbound only?
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    F
    @dennypage I tested it with a new UPS and I no longer have the problem. It was the UPS that wasn't working properly. Thanks for your help.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.
  • Discussions about WireGuard

    715 Topics
    4k Posts
    patient0P
    @andresbraga that looks good, the same is needed for LAN.
  • Configure sarg or lightsquid

    4
    0 Votes
    4 Posts
    2k Views
    KOMK
    Are the commands for lightsquid or sarg? Sorry, I'm an idiot. I grabbed the wrong section from my pfSense cheat sheet. Try this for Lightsquid:
        ln -s /usr/pbi/lightsquid-amd64/local/www/lightsquid /usr/local/www/lightsquid
        ln -s /usr/pbi/lightsquid-amd64/local/etc/lightsquid /usr/local/etc/lightsquid
        pkg install perl5
        pkg install p5-gd
        /usr/bin/perl /usr/pbi/lightsquid-amd64/www/lightsquid/lightparser.pl today
    This works for getting Lightsquid working with 2.1.5. I haven't played much with 2.2 packages for a few weeks now so I have no idea if this works with the latest stuff.
  • Packages blocked after update

    2
    0 Votes
    2 Posts
    724 Views
    K
    I reinstalled the gui of the package and I have been able to uninstall it after that. So I presume my updated install is now clear.
  • DansGuardian doesn't really block access

    1
    0 Votes
    1 Posts
    366 Views
    No one has replied
  • MOVED: asterisk on pfsense

    Locked
    1
    0 Votes
    1 Posts
    505 Views
    No one has replied
  • Squidguard 1.4 reporting garbage on redirect page

    1
    0 Votes
    1 Posts
    655 Views
    No one has replied
  • Arpwatch pkg not starting….

    12
    0 Votes
    12 Posts
    5k Views
    F
    Same problem here, arpwatch service won't start. If I look inside /usr/local/etc/rc.d/arpwatch.sh I find
        /usr/local/sbin/arpwatch -d -f /var/log/arp.dat -i bce2 > /var/log/arpwatch.reports 2>&1 &
    But executing this on the command line only gives "Ambiguous output redirect." (although this may just be a shell problem). Anyway, arpwatch (2.1.a15_8 pkg v1.1.2) is not working on pfSense 2.2-RELEASE (amd64) :(
  • SquidGuard not blocking any traffic

    2
    0 Votes
    2 Posts
    887 Views
    KOMK
    Are you using Transparent mode?  Are the sites not being blocked HTTPS?
  • Unable to configure haproxy. Need help please

    6
    0 Votes
    6 Posts
    3k Views
    A
    Thank you. My mistake was that I used the clone option on the first frontend; then you can't see the shared option.  :'(
  • Squid and OpenVPN Road Warrior

    2
    0 Votes
    2 Posts
    1k Views
    S
    I have the exact same issue on pfSense 2.2-RELEASE (amd64) (built on Thu Jan 22 14:03:54 CST 2015 FreeBSD 10.1-RELEASE-p4) with squid 3.4.10_2 (pkg 0.2.6). The second number varies though, and it doesn't seem to always produce this error. I had it working for 2 weeks perfectly, but a few minutes ago my gateway went down and that led to this strange error again. For reference, my error was:
        Mar 1 20:14:29 php-fpm[42821]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '2015/03/01 20:14:29| aclParseIpData: unknown netmask '0.20173389051966' in '0.40.0.0/0.20173389051966'
        FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071
        Squid Cache (Version 3.4.10): Terminated abnormally.
        CPU Usage: 0.061 seconds = 0.031 user + 0.031 sys
        Maximum Resident Size: 45728 KB
        Page faults with physical i/o: 0'
        Mar 1 20:14:29 squid: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071
  • System log full of snort errors without configuration change

    3
    0 Votes
    3 Posts
    1k Views
    S
    Ok, thanks for the info!!
  • Squid3 + antivirus - freshclam not updating automatically

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    4 Posts
    2k Views
    JailerJ
    Mine had updated automatically last night at midnight as scheduled, but I did a manual update just to check it and see. Both seem to be functioning normally for me.
  • Squid swaps in 2.2-memory leaking freebsd 10

    3
    0 Votes
    3 Posts
    1k Views
    X
    updated the first post…
  • Clamav Update to 0.98.6?

    3
    0 Votes
    3 Posts
    885 Views
    S
    Hi, yes that's true. I forgot to write that. But the question still remains: why are pfSense or FreeBSD still on the old version?
  • Running snort in inline-test mode

    11
    0 Votes
    11 Posts
    4k Views
    bmeeksB
    @SenselessCow: First case WAN to get some experience but later preferably a setup as explained here: https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417 To run Snort in a "test mode" of sorts, simply uncheck the Block Offenders box on the INTERFACE SETTINGS tab for each Snort interface.  The checkbox is within the Alert Settings section of the tab.  With that box unchecked, Snort will alert and log the incident, but it will not insert any blocks into the firewall's packet filter engine for the IP addresses in the alert. In the configuration described in the above paragraph, Snort is running as an IDS (Intrusion Detection System).  It detects a problem, but only alerts you to its presence.  When you check the Block Offenders checkbox and then restart Snort on the interface, it will insert blocks for the offending IP addresses (depending on the setting of the Which IP to Block drop-down) into the firewall's packet filter engine.  When the Block Offenders box is checked Snort behaves closer to an IPS (Intrusion Prevention System) within the limits described earlier in the thread relative to using libpcap and working from copies of packets, etc. For the majority of home networks, running Snort on the LAN only is probably the best solution.  I run some rules on the WAN solely for the purpose of seeing some alerts from Snort as part of my testing.  My firewall rules block pretty much all unsolicited inbound traffic anyway, so Snort on the WAN for me is not adding to security.  It is just there to gather some log data really. Bill
  • Squid3 Crashing frequently

    7
    0 Votes
    7 Posts
    3k Views
    H
    @marcelloc: Better see cache.log and squid -k parse. Squid3 on pfsense 2.2 32 bits still needs a package compilation to work in transparent mode. I'll ping Renato again…
    How about the 64bit version? Non-transparent mode, CPU utilization going to 100% randomly and cache.log contains this:
        2015/02/20 09:43:53 kid1| Starting new negotiateauthenticator helpers...
        2015/02/20 09:43:53 kid1| Starting new negotiateauthenticator helpers...
        2015/02/20 09:57:20 kid1| Starting new negotiateauthenticator helpers...
        2015/02/20 09:57:20 kid1| Starting new negotiateauthenticator helpers...
        2015/02/20 09:57:20 kid1| Starting new negotiateauthenticator helpers...
        2015/02/20 10:03:25 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
        2015/02/20 10:03:28 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
        2015/02/20 10:03:47 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
        2015/02/20 10:04:17 kid1| Starting new memberof helpers...
        2015/02/20 10:04:46 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
        2015/02/20 10:04:46 kid1| WARNING: memberof #Hlpr0 exited
        2015/02/20 10:04:46 kid1| ERROR: The memberof helpers are crashing too rapidly, need help!
        2015/02/20 10:04:47 kid1| WARNING: memberof #Hlpr0 exited
        2015/02/20 10:04:47 kid1| ERROR: The memberof helpers are crashing too rapidly, need help!
        2015/02/20 10:04:52 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
        2015/02/20 10:04:52 kid1| helperDispatch: Helper memberof #Hlpr0 has crashed
        2015/02/20 10:05:07 kid1| WARNING: memberof #Hlpr0 exited
        2015/02/20 10:05:07 kid1| ERROR: The memberof helpers are crashing too rapidly, need help!
        2015/02/20 10:06:12 kid1| WARNING: memberof #Hlpr0 exited
        2015/02/20 10:06:15 kid1| WARNING: memberof #Hlpr0 exited
        FATAL: The memberof helpers are crashing too rapidly, need help!
        Squid Cache (Version 3.4.10): Terminated abnormally.
        CPU Usage: 38855.042 seconds = 38840.176 user + 14.866 sys
        Maximum Resident Size: 774000 KB
        Page faults with physical i/o: 11
        2015/02/20 10:06:18 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
    "memberof" from squid.conf:
        external_acl_type memberof ttl=300 ipv4 %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -K -R -b "dc=,dc=local" -D "squid_k@.local" -W "/usr/local/etc/squid/squid_k.pass" -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=Internet,DC=***,DC=local))" -h 192.168.0.231 192.168.0.239
    Can I use the "ext_ldap_group_acl" helper from squid version 3.3.10 for example, coz it's just an external (to squid) program if I understand correctly, and it's working fine on pfsense 2.1.5?
  • Snort - alerts tab - reference to sid (link) possible?

    10
    0 Votes
    10 Posts
    2k Views
    bmeeksB
    @fsansfil: This may be helpful when I have majority rules enabled for blocking, but still want to test how specific rules react without affecting connections… or just for some special logging purposes. Yes we need the log rule action ;) F. I have considered adding that feature.  Still trying to figure out the best way to expose it while at the same time not totally upsetting things for all the users that are accustomed to the legacy method of the package (where any alert is the same as a block).  I have tossed a few possibilities around in my head.  Whatever I do for Snort would likely also get rolled into Suricata. Bill
  • pfSense 2.2 and Squid3+squidGuard-devel Error

    4
    0 Votes
    4 Posts
    2k Views
    B
    @mmjlz: Hi, are you using webconfigurator with https? If yes, this has always helped me:
    If you're using SSL to secure your webConfigurator, pfSense sends the block page (sgerror.php) over an https connection. By default, any good browser will NOT load an http URL inside an iFrame on an https page (it's a security thing).
    Solution: Instead, you can set lighttpd to ignore sgerror.php when it redirects http requests to https.
    1. Go to "Diagnostics > Edit File" and load /etc/inc/system.inc. Find the lines that modify your lighttpd config to redirect http to https, which should say:
        $SERVER["socket"] == ":80" {
            $HTTP["host"] =~ "(.*)" {
                url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" )
            }
        }
    2. Update them to NOT redirect the file beginning sgerror.php:
        $SERVER["socket"] == ":80" {
            $HTTP["host"] =~ "(.*)" {
                url.redirect = ( "^/^(sgerror)(.*)" => "https://%1{$redirectport}/$1" )
            }
        }
    3. Save.
    4. Go to "Diagnostics > Edit File" and load /usr/local/pkg/squidguard_configurator.inc. Find the lines starting with: $guiport = (!empty. Make a new line below and enter: $guiport = '80';
    5. Save. Restart your webConfigurator (shell option 11).
    6. Restart SquidGuard.
    Maybe it helps you too :)
    You are a star, this fixed the problem for me. Thank you very much :)
  • Snort and OpenVPN

    3
    0 Votes
    3 Posts
    4k Views
    N
    Hi, I have a similar setup. I have one LAN and one WAN and the OpenVPN Server running. I use my mobile devices to redirect all traffic through the VPN and then browse the web using my internet connection. And I can confirm that snort cannot listen on the OpenVPN interface and snort cannot see something on LAN. But snort analyzes the traffic from OpenVPN to the web on the WAN interface. PS: It seems to be independent if the OpenVPN server is listening to the LAN or the WAN interface.
  • Snort Configuration

    2
    0 Votes
    2 Posts
    1k Views
    bmeeksB
    @ghkrauss: I notice that just using ETPro with Snort will not allow configuration of the wan interface. That is not true.  You can use any rule set on any configured interface.  What leads you to think Snort does not support ETPro on the WAN interface? @ghkrauss: Does one have to use snort rules with ETPro rules? No, you can use just the Emerging Threats rules if you like (or just the Snort GPLv2 Community rules, or any combination of ET, VRT and Community rules). @ghkrauss: How does one configure Snort for use of Emerging Threat ETPro ruleset? On the GLOBAL SETTINGS tab click the checkbox to enable ETPro rules then type your subscription code into the text box that will appear.  The page uses dynamic HTML to show/hide form fields as different options are enabled.  Be sure you are using a current version browser that supports dynamic HTML (pretty much anything these days will). There is a sticky thread in the Packages forum for quickly setting up Snort for new users.  You may find it helpful. Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.