Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    I even tried deleting and creating a new certificate. Any suggestions?
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    As the title says. Any mirror or alternative? https://feodotracker.abuse.ch/blocklist/
        Error 503 certificate has expired
        certificate has expired
        Error 54113
        Details: cache-scl2220043-SCL 1757230189 2309835888
        Varnish cache server
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    572 Topics
    3k Posts
    keyser
    @Antibiotic No it's not possible with NtopNG as it is not a Netflow collector. You need nProbe for that, which will "translate" received netflows into flows that NtopNG understands and can visualize (with very very little detail might I add, as Netflows has no additional information apart from sender/receiver and volume). The NtopNG package and the product in general is more geared towards visualising and recording traffic details from actual packet captures. This contains MUCH more metadata about the sessions than netflows (DNS names, protocol information and myriads of other things). But pfSense Plus has a builtin Netflow exporter if you have an external netflow collector on hand.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    BiloxiGeek
    Making some changes in the DNSBL setup and noticed that the help info for IPv6 DNSBL seems a bit off: "Enable DNSBL for IPv6 DNS Resolution filtering. Default IPv6 Webserver address [ ::10.10.10.1 ] and ports [80/443]". The default address seems to be a combo of v4 and v6, possibly a typo. And there's also no entry field to change that address if needed. I do actually have a host on my LAN that uses 10.10.10.1, so there's a conflict right out of the box. Consulting the interwebs tells me that when I select the IPv6 option I should see an entry box to define the address, but it does not pop up. Does it just follow the IPv4 address that is listed above that? In my case it would end up being ::10.0.0.86
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.

    Glad you have it sorted.

    There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded?

    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver).

    Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command:

        [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
        VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        [25.07-RC][root@fw]/root:

    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.

    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8.

    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    501 Topics
    3k Posts
    I had set up an ACME cert with 2 domains, xxx.dpdns.org (cloudflare) and xxx.dynu.com, on v24.11; there was no issue renewing the Let's Encrypt cert. On v25.07.01, I got the following error. Once I disable the xxx.dynu.com domain, there is no problem renewing the cert. From the log, it seems it is adding the TXT record to xxx.dpdns.org (cloudflare) using the DNS-Dynu parameters, so the Cloudflare api key is not found.

    ===== Replace following ID / Token with <REMOVED>, and subdomain with "xxx" =====
    Log ======
        /usr/local/pkg/acme/acme.sh --issue --domain 'xxx.dpdns.org' --dns 'dns_cf' --domain '.xxx.dpdns.org' --dns 'dns_cf' --domain 'xxx.dynu.com' --dns 'dns_dynu' --domain '.xxx.dynu.com' --dns 'dns_dynu' --home '/tmp/acme/xxx.dpdns.org/' --accountconf '/tmp/acme/xxx.dpdns.org/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/xxx.dpdns.org/reloadcmd.sh' --log-level 3 --log '/tmp/acme/xxx.dpdns.org/acme_issuecert.log'
        Array
        (
            [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
            [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
            [SSL_CERT_DIR] => /etc/ssl/certs/
            [Dynu_ClientId] => <REMOVED>
            [Dynu_Secret] => <REMOVED>
        )
        [Sun Sep 7 20:05:54 HKT 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
        [Sun Sep 7 20:05:54 HKT 2025] Using pre-generated key: /tmp/acme/xxx.dpdns.org/xxx.dpdns.org/xxx.dpdns.org.key.next
        [Sun Sep 7 20:05:54 HKT 2025] Generating next pre-generate key.
        [Sun Sep 7 20:05:55 HKT 2025] Multi domain='DNS:xxx.dpdns.org,DNS:.xxx.dpdns.org,DNS:xxx.dynu.com,DNS:.xxx.dynu.com'
        [Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='xxx.dpdns.org'
        [Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='.xxx.dpdns.org'
        [Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='xxx.dynu.com'
        [Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='.xxx.dynu.com'
        [Sun Sep 7 20:06:02 HKT 2025] Adding TXT value: -crt6nFvBjOQBfGTy-xc_sXPL1V5F6jem0W1YOoyeUo for domain: _acme-challenge.xxx.dpdns.org
        [Sun Sep 7 20:06:02 HKT 2025] You didn't specify a Cloudflare api key and email yet.
        [Sun Sep 7 20:06:02 HKT 2025] You can get yours from here https://dash.cloudflare.com/profile.
        [Sun Sep 7 20:06:02 HKT 2025] Error adding TXT record to domain: _acme-challenge.xxx.dpdns.org
        [Sun Sep 7 20:06:02 HKT 2025] Please check log file for more details: /tmp/acme/xxx.dpdns.org/acme_issuecert.log
  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1
  • Discussions about the Tailscale package

    90 Topics
    610 Posts
    Updated CE 2.7.2 to 1.86.4_1 (Changelog):
        pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tailscale-1.86.4_1.pkg
    Freshports
  • Discussions about WireGuard

    699 Topics
    4k Posts
    @Bob.Dig what's the right place?
  • Snort Block Offenders kills interface.

    0 Votes
    4 Posts
    1k Views
    bmeeks
    @dola0056: would that be /var/log/system.log? I did check it out and have not seen any errors. The interface seems to come up and down but the red and white x remains. Also when I create a rule it doesn't work for the interface unless I remove the block offenders option, and then the rule and the interface run fine.

    Look under Status > System Logs. You may need to click the Settings tab once that page is displayed and tick the box to show newest events first (that is, show events in reverse order) and expand the number of entries displayed to like 250 or more. Now go back and try to start Snort with blocking enabled. You should get an error message of some type in the system log. My first thought is perhaps your system is missing the <snort2c> table. That has happened to folks who have used the Traffic Shaper. It seems to delete the <snort2c> system table that Snort needs for blocking, or at least it was doing that a while back. Bill
  • PfBlocker IP List

    0 Votes
    20 Posts
    15k Views
    @new_to_pfsense: Can I use this list (Brute Force Blocker) http://danger.rulez.sk/projects/bruteforceblocker/blist.php in my pfsense aliases as a URLTABLE even though the URL does not end with .txt? new_to_pfsense - Did you ever try to add the list? I came across the list as well, and am interested in knowing what happens when it's added through the gui. Thx, Ash
  • Change block duration for Snort

    0 Votes
    3 Posts
    1k Views
    d'oh. Thank you. I looked at that page a dozen times but was always looking for a text field to type a value into, so kept looking over that one.
  • Possible to make Snort block IP on specific interface

    0 Votes
    2 Posts
    857 Views
    Snort and IPS/IDS in general is not a turn-on-once-and-leave-it-running kind of solution. You need to assess whether the alerts being triggered are false positives or not and add suppress / pass lists based on your needs.
  • Snort error when activating rules

    0 Votes
    4 Posts
    1k Views
    bmeeks
    @cjbujold: Thanks, de-activating the rule and everything now works. The rule # giving the problem is in emerging web-clients rule# 2011695. cjb

    That rule is disabled by default in both ET-Open and ET-Pro packages, so that's why not too many people run into the syntax error. I think it has been reported a number of times, but so far has not been fixed by the authors. You can fix the error by deleting the backslash in front of the phrase "\object.data" so the pcre expression looks like this instead: "(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]" Of course the next time your box downloads an updated Emerging Threats rules package your edit would be overwritten. You could paste the "corrected" rule in as a custom rule and just leave it in the default disabled state in the ET web-client package. Bill
  • Bandwidthd with PostgreSQL

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    5 Posts
    2k Views
    jimp
    For redirects, use "External URL Found" and redirect it to your own error page. The client browser is less likely to (but still can) cache a 302.
  • Snort Catalog List is Truncated

    0 Votes
    15 Posts
    2k Views
    Ron, Thanks for responding. Reboot does not fix the behavior either. I'm going to try a fresh install at this point. I believe there is an issue with my install. I will report back later this evening. Thanks, Ryan
  • TFTP Package

    0 Votes
    2 Posts
    1k Views
    jimp
    Is the system running pfSense a full install or NanoBSD? NanoBSD's drive would be kept read only and thus wouldn't be good for working as a receiver. Also I can't remember if the server on pfSense works the same, but often a file must exist first on the server before a client can upload and write it out. Try uploading something via the GUI with the same target name and then see if the upload from the device works.
  • Two questions about FreeRadius2

    0 Votes
    2 Posts
    718 Views
    What kind of permissions are you talking about? Do you mean different groups should be allowed to visit different websites? Then this isn't possible with freeradius. If you want to give users different times or dates to access the internet, then this can be done by freeradius. Changing the password using the users file on freeradius is not possible unless the user has access to the GUI. So you can try with an SQL database as user backend and check this documentation: https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#CaptivePortal_Self-Registration:FreeRADIUS.2B_MySQL Captive Portal Self Registration.
  • Freeradius2 broken in pfsense 2.1.5

    0 Votes
    3 Posts
    1k Views
    Uninstall the freeradius2 package and then delete this folder: /var/log/radacct/ Reinstall the freeradius package.
  • 0 Votes
    2 Posts
    1k Views
    I seem to have solved my own issue by selecting transparent proxy mode under HAVP - not sure how I managed to do it right for squid but not for HAVP! Case closed I guess.
  • Snort 2.9.6.2 v3.1.5 – Bug fix update release notes

    0 Votes
    11 Posts
    2k Views
    No worries dude! Running smooth on all the boxes at the hosting site and privately!
  • Snort GUI wishlist

    0 Votes
    9 Posts
    2k Views
    HAHAHAHAHAHAHAHAAHAHA fooking hell! :D I need glasses….............. HEEEEEEEEEEEELP! HAHAHAHA Sorry for the "noise" :D
  • Postfix Broken in v2.2?

    0 Votes
    4 Posts
    1k Views
    Tried this again today and get the following log:
        php-fpm[40792]: /pkg_mgr_install.php: The command '/usr/local/etc/rc.d/postfix.sh stop' returned exit code '1', the output was 'kill: 12044: No such process Shared object "libsasl2.so.3" not found, required by "master" Shared object "libsasl2.so.3" not found, required by "master" Shared object "libsasl2.so.3" not found, required by "master" Shared object "libsasl2.so.3" not found, required by "master" Shared object "libsasl2.so.3" not found, required by "master"'
  • Automated notification of updated installed packages?

    0 Votes
    5 Posts
    1k Views
    @jwsmiths: @KOM: There is a dashboard widget for Installed Packages, but I don't know if it shows available upgrades or not. It does. If there is an upgrade the package is highlighted in red and IIRC there is a button to click for upgrade right on the dashboard. Cool! Having just updated all my packages I couldn't tell... Doh!
  • Squid 2.7.9 pkg v.4.3.4 Seems to be Blocking Google.com only

    0 Votes
    2 Posts
    990 Views
    I just found a workaround for the problem, but I'll leave this up in case someone has a better idea or solution. What I did to remedy the issue was to create an exception in: Services -> Proxy Server -> Cache Mgmt -> Do not cache. Here I added: Google.com www.Google.com
  • Squid3 cachemgr cache_mem info different than config file(BUG?)

    0 Votes
    2 Posts
    795 Views
    It is not a good idea to offer more than 50% of your 8192 MB RAM for squid cache. Squid uses RAM for in-transit objects for the disk cache. This process needs around 100MB of RAM per GB of disk cache. It is dynamically allocated depending on the objects stored in the cache, so this is not an exact science. If you have a large disk cache set, 100GB for instance, you will need, when the disk cache is in full use, 10GB of RAM! Depending on your disk cache, set the memory cache to such a size you know will remain available after the disk cache is in full use (other processes also use RAM, bind etc.). I use around 25% of my RAM for the memory cache and use the 100MB per GB rule to size the disk cache.
  • Squid3-dev error

    0 Votes
    3 Posts
    936 Views
    Thanks, after I updated squid3-dev the script messed up; I copied it from your post and everything works perfectly. Thanks again.
  • 0 Votes
    25 Posts
    7k Views
    @BBcan177: wcrowder was leading you in the right direction :) Take for example this Range from the IBlock BT Spyware List. Range Format 221.181.73.214-221.181.73.221 converts to the following in CIDR Notation:
        221.181.73.214/31
        221.181.73.216/30
        221.181.73.220/31
    So comparing Line Count in Range to CIDR is not going to be exact depending on the Ranges in a particular list. Hope this makes it clearer.

    BBcan177 - Thanks, and I guess that settles that. :) So it looks like the only way I have to validate that lists are updating is just if they change from time to time. wcrowder - Sorry, & Thank you. I guess I had that backwards. Ash
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.