1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.

  • Discussions about WireGuard

    715 Topics
    4k Posts
    S
    @LaUs3r Yeah, I added those IPs, but after restarting pfSense, the WireGuard status says “handshake failed.” Also, when I do nslookup us-bos.prod.surfshark.com, I get two different sets of IPs. For example: • The first time I get 43.225.189.108 and 43.225.189.118 • The next time I get 149.40.50.216 and 149.40.50.290 So I was wondering can I add both sets of IPs, and put a “0” at the end of each, and use /24 for both IPs? I reached out to Surfshark support, and they sent me their official pfSense WireGuard setup guide see the guide here in the guide they mention 10.14.0.2 for static routes
Log in to post
Load new posts
  • E

    Squid3 Antivirus Redirect to HTTPS

    3
    0 Votes
    3 Posts
    1k Views
    M
    Here is what i did: https://forum.pfsense.org/index.php?topic=87591.msg487817#msg487817
  • F

    Package Backup Removal

    1
    0 Votes
    1 Posts
    583 Views
    No one has replied
  • E

    Why is there enabling WAN and LAN interfaces on SNORT?

    11
    0 Votes
    11 Posts
    8k Views
    E
    Thanks guys for your replies. Just to clarify so pfSense allow users to have two interfaces (LAN and WAN ) on SNORT so users are able to choose whether to set SNORT on LAN/ WAN or both depending on where does pfSense is install (public facing servers or not?) and how do the user want to protect their network ?
  • Z

    Any howto or decent walk-through on setting up Dansguardian and Squid3 on 2.2?

    2
    0 Votes
    2 Posts
    780 Views
    Z
    Apparently these packages are all screwed up in 2.2. Getting nothing but TCP_Miss/503 and other similar errors with Squid3 all by itself. I'm not even touching dansguardian now and these are the issues that I am getting. So frustrated with this.
  • Y

    Siproxd 0.8.0_2 pkg v1.0.2 and pfsense 2.2

    3
    0 Votes
    3 Posts
    902 Views
    Y
    i never had to set up sip proxy on the phones to get it to work and everything worked fine on 2.1.5. ill try to upgrade to 2.2 again and set the proxy on the phones to see if that fixes anything. it's strange.
  • K

    HAProxy Service Won't Start With Warning Message

    3
    0 Votes
    3 Posts
    972 Views
    P
    It was broken and fixed a day later.. v0.20 should have had the correct files though.. the fix and version bump to 0.20 where both done in 1 commit: https://github.com/pfsense/pfsense-packages/commit/14f241199fde80e9e29b68ca4ceb3c046e7662c7
  • P

    BandwidthD bug

    2
    0 Votes
    2 Posts
    764 Views
    P
    There have been a few reports of this - something happens to php-fpm. It does not happen [often/for many people] and so the root cause and the fix have not been found. If you have any interesting observations about our system, and anything interesting in logs then please post. Sorry to not be of any direct help!
  • J

    Squid3 transparant + HAVP as parent: HAVP crashes :(

    1
    0 Votes
    1 Posts
    990 Views
    No one has replied
  • M

    Squid 3.4.10_2 Error On PfSense 2.2-RELEASE

    7
    0 Votes
    7 Posts
    1k Views
    M
    Yes. Re-installed many times. Tried a restart. Still the same error as seen here: Feb 15 13:33:45 php-fpm[94349]: /pkg_mgr_install.php: The command '/usr/pbi/squid-i386/sbin/squid -f /usr/pbi/squid-i386/local/etc/squid/squid.conf' returned exit code '1', the output was '/usr/pbi/squid-i386/local/sbin/squid: Undefined symbol "_ZN7libecap4NameC1ERKNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEEi"'
  • T

    PFSense 2.2 & Snort

    14
    0 Votes
    14 Posts
    2k Views
    bmeeksB
    @power_matz: Thank you for your answer. Here are the facts: Filesystem          Size    Used  Avail Capacity  Mounted on /dev/ufs/pfsense0    1.8G    295M    1.4G    17%    / devfs                1.0K    1.0K      0B  100%    /dev /dev/ufs/cf          49M    1.4M    44M    3%    /cf /dev/md0              38M    680K    35M    2%    /tmp /dev/md1              58M    18M    35M    34%    /var devfs                1.0K    1.0K      0B  100%    /var/dhcpd/dev It should be sufficient, or? No, your /tmp and /var partitions are probably too small depending on the exact number of rules you have.  You want at least 100 MB available and you are showing only 35 MB available. Bill
  • F

    Unable to download any packages

    18
    0 Votes
    18 Posts
    3k Views
    F
    [bump] last call for help before I just nuke and pave. Update 28/02 for anyone who encounters a similar problem: Backed up configuration, nuked, paved, restored config. Issue was resolved. My guess is that an update failed in the middle of writing files or something similar and borked some download functions.
  • C

    Squid non-transparent local subnet bypass

    4
    0 Votes
    4 Posts
    1k Views
    marcellocM
    It's a browser related config. Not pfsense or proxy. If you are on internet explorer try a real browser instead.
  • E

    Pros and Cons of using Barnyard in SNORT.

    5
    0 Votes
    5 Posts
    2k Views
    F
    @enivre1717: Because my boss want to know what is the pros and cons of using barnyard in SNORT. I can't find any from google. https://github.com/firnsy/barnyard2 Read the description part. Basically you use barnyard2 to send alert and other data to a SQL database and then use something like Snorby (https://snorby.org/) to view that data. This isn't really something that you can make a pros/cons list off. It's something you need or don't.
  • M

    SquidGuard 3 gone?

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ
    The "old" squidGuard package for 2.x didn't work. Not even for 2.x. However the -squid3 variant works for both 3.x and 2.x now, so I combined them back into one package. The current "squidGuard" is the same as the old "squidGuard-squid3" – only difference is the name. :-)
  • M

    [Snort] FATAL ERROR: Frag3 => only one non-bound engine can be specified

    13
    0 Votes
    13 Posts
    3k Views
    bmeeksB
    @jflsakfja: Don't care about real time lookups, but a per minute lookup would be nice to stick into a variable. Just saying… ;) Can't pfsense's existing setup be used for that? Since the majority will be doing their realtime lookups through unbound, it should be pretty fast, even when used in realtime, with regards to keeping up with traffic. Not talking about a 10Gbps snort (don't even know if it can push up to that)/suricata looking up a billion IPv6 addresses. Talking about sticking an alias to suricata, having it look up a single (or few) hosts to allow for a VPN for example to be tightened down. Used with an allow only VPN access from this host suricata rule, for example. Yes that can be done with normal pfsense rules, but it's an example.  :D Sorry for taking over the thread Mr. Jingles, but I fixed it near the end  ;D I have considered perhaps leveraging the filterdns daemon and its alias tables within pfSense to allow some small level of FQDN support for pass list entries.  It would take some significant mods to the way the old Spoink output plugin for Snort has been engineered.  Today it reads a simple text file of IP addresses and stores them in a linked list in memory once at startup.  Whenever a "block or no block" decision is required, that in-memory IP list is scanned to see if the source IP, destination IP or both are in the list.  If true, the block is not inserted into the <snort2c>alias table in pf.  Of course the "which IP to block" setting is also part of the logic. Bill</snort2c>
  • G

    PfblockerNG

    2
    0 Votes
    2 Posts
    3k Views
    marcellocM
    follow main pfblockerNG topic, there are a lot of information there. https://forum.pfsense.org/index.php?topic=86212.360 BTW, most config tabs has a lot of information on how to configure.
  • S

    Squid - ghostly settings

    3
    0 Votes
    3 Posts
    980 Views
    S
    Yes for the reverse proxy I don't think it's a domain issue Some settings are sticky. I remove them from the GUI but Squid RP still uses those settings.
  • V

    Squidguard3 not working

    13
    0 Votes
    13 Posts
    3k Views
    V
    ok, I believe I found a work around. First install Squid3 Second, disable the Antivirus and hit save If you are using Transparent proxy make sure you select your proxy interface and save Once you do this Squid should fire. If you want to use Squidgaurd then you'll need to install, check your configuration and then hit download to download your block list. For some reason squidguard won't fire if you hit apply or save in the main menu. If it still doesn't fire go back to the main menu, hit apply then save then go back and tell it to download the block list again and it should fire once it finishes downloading and installing the block list. This is the only way I can get squidgaurd to work. If you follow the download with hitting apply or save again squidgaurd will stop.
  • J

    SNORT vs Suricata Detection

    4
    0 Votes
    4 Posts
    6k Views
    bmeeksB
    Good advice above from jflsakfja and fsansfil. In my view it is sort of like preferring vanilla over chocolate when choosing an ice cream flavor.  It is a case of personal taste. If you have a paid Snort VRT subscription, then those rules are updated twice per week (on Tuesdays and Thursdays).  The Emerging Threats Open rules (ET-Open) are updated pretty much daily, but they cover a subset of the threats that are covered by the ET-Pro (paid) rules.  The ET-Pro rules are also updated daily.  Currently an ET-Pro subscription is $499/year.  The Snort VRT (for home use) is $29.99/year.  There are free Snort rules available that only require you to register, but they are 30-days old (meaning no protection for any threats newer than 30 days). So if you use the totally free rules from either Snort VRT or Emerging Threats, you have to accept the fact you are not protected from all of the current threats.  However, as jflsakfja said, you can compensate by writing your own custom rules for either package (Snort or Suricata) if you fully understand your network and have a good grasp of the signatures for current malware threats. In my view, neither package is necessarily "better". Bill
  • S

    Upgrade to pfsense 2.2 broke postfix forwarder

    2
    0 Votes
    2 Posts
    2k Views
    S
    Well, crap.  I found out my issue is this: https://forum.pfsense.org/index.php?topic=40622.msg479547#msg479547 Apparently pfsense 2.2 security sysctrl option does not allow non root users to listen on low ports - and /var/spool/postfix is owned by the postfix user.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.