Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pfBlockerNG aliases in HAProxy?

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron job.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    Gertjan

    @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

    Days ago, I received an email from MaxMind, notifying me that my country has been banned from receiving GeoLite City database updates.

    You've found a reason to use a VPN.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts
    K

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan

    @EChondo

    What's your pfSense version?
    The instructions are shown here:

    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts
    A

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    689 Topics
    4k Posts
    P

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • Squid3 mutual authentication with client certificate

    9
    0 Votes
    9 Posts
    10k Views
    A

    Hello,
    I made a patch for the reverse-proxy squid3-dev package to allow peer authentication by certificate.
    The patch adds a section in the general menu to choose the CA authority and the CRL.

    I didn't find a way to call the regeneration of the CRL after the CRL was modified; there are no hooks for that in the CRL manager.

    The workaround is to save the reverse-proxy config again or to make a PHP script for the crontab that calls squid_regenerate_crl().

    Regards

    squid_reverse_inc_patch.txt
    squid_reverse_general_xml_patch.txt

  • Squid and the Limiter

    6
    0 Votes
    6 Posts
    3k Views
    M

    https://forum.pfsense.org/index.php?topic=59600.30

  • Any news on updates for the Zabbix 2.2 Packages?

    10
    0 Votes
    10 Posts
    3k Views
    B

    Ok, thank you for your reply. I never built a pfSense package before, good to know how it works. Hope the next version will have fixed the glitches and the default will be fine.

  • SNORT Alerts

    9
    0 Votes
    9 Posts
    3k Views
    bmeeks

    @FlashPan:

    Thanks bmeeks,

    I have a small lan but have only ever listened on my Wan interface.

    Are you saying it's better to listen on Lan just so you can see which internal client is being targeted or responding to something dodgy?

    I would have thought you would want Wan with all or most rules as it's better to capture or stop elements before it reaches your Lan interface?

    Hope I'm not starting a Lan, Wan War here now  :P

    My view for home users is it's better to analyze the LAN traffic so you can easily track down any internal problems by IP address.  Since the usual default for home users is "deny all unsolicited inbound" traffic on the WAN, there is not a huge risk for something coming in that an internal host did not first ask for.  Or stated another way, properly configured and not loaded down with tons of packages, your pfSense firewall itself  (the WAN IP) presents a very limited attack surface.  The bigger worry in my view is all the hosts on the internal networks.  Those are the ones that will be visiting potential problem web sites, downloading files, and opening possibly malicious e-mails.

    Bill

  • Snort Whitelist question

    3
    0 Votes
    3 Posts
    946 Views
    S

    Thanks Bill, I'll see if I can edit any additional rules or just wait for the newer version.

  • PfBlocker only for a ip range in our network ?

    2
    0 Votes
    2 Posts
    467 Views
    F

    Set pfBlocker to alias only and add firewall rules by hand.

    Edit: Firefox + Cookie for pfSense forum = Broken for me :|

  • HAProxy intermediate certificates (unknown issuer, missing chain)

    5
    0 Votes
    5 Posts
    7k Views
    M

    jimp's solution/workaround worked for me.

    thx

  • Can't update pfSense packages

    3
    0 Votes
    3 Posts
    682 Views
    H

    That worked! Thanks!

  • MailReport

    3
    0 Votes
    3 Posts
    2k Views
    luckman212

    Having an alert sent out for power-related issues would indeed be quite useful I think! Also to tie in to this, it's good to get the alert for gateway failures but I do think it would be beneficial to also get an 'alert' when the failed gateway goes back online.

  • Asterisk codec g729 installation

    2
    0 Votes
    2 Posts
    3k Views
    D

    Has anyone succeeded in making G729 run on pfSense??

  • Questions on Status - Squid

    2
    0 Votes
    2 Posts
    762 Views
    F

    One of the best posts I have ever seen in this great forum.
    Squid is the "most wanted directly after pfSense".
    A stable squid3-dev copy will add significant change to the whole pfSense world.

  • Snort destination LAN IP

    2
    0 Votes
    2 Posts
    904 Views
    W

    The only way is to run snort also in LAN (as I do). I use the same rules for both WAN and LAN. There is a long sticky thread with some advice on that.

  • Alix 2d13&pfsense&freeswitch

    1
    0 Votes
    1 Posts
    577 Views
    No one has replied
  • MailScanner 4.84.6 pkg v.0.2.10 doesn't start

    9
    0 Votes
    9 Posts
    2k Views
    W

    Thanks for the fast reply. It worked for me, thanks

  • Squid-dev 3, squidguard and icap issue recap

    2
    0 Votes
    2 Posts
    886 Views
    E

    Additional :

    I am using squid in transparent mode

  • Squid transparent proxy blocks skype calls

    8
    0 Votes
    8 Posts
    3k Views
    F

    Skype appears to use HTTPS for much of its connectivity. I expect that it exchanges keys for the call over HTTPS before switching to UDP with encrypted payloads or something like that to send the audio/video.

    Disabling for specific destination IPs isn't practical - I would have to know what IP addresses any of my friends had who I wanted to call/talk to.

  • Can't start Postfix

    5
    0 Votes
    5 Posts
    1k Views
    S

    thx, it starts when I configured postfix via loopback interface

  • Solved: How do I limit IP RANGE downloads larger than 50MB?

    2
    0 Votes
    2 Posts
    715 Views
    cyber7

    Sorry Guys, once again I asked the question and after some soul-searching ;) found it.

    The way I did it was to add the following ACL to my squid configuration:
    (Services/Proxy Server - Custom Options)

    acl sized-users src 10.0.0.157-10.0.0.165
    http_access allow sized-users
    reply_body_max_size 50 MB sized-users
    request_body_max_size 1 MB sized-users

    --- Explanation ---:
    line1: Create an ACL with an IP SOURCE RANGE.
    line2: Allow the ACL to use the defined access-list.
    line3: Maximum download size for the ACL.
    line4: Maximum upload size for the ACL.

    That's it.  Hope I helped someone else but myself :)
    kind regards
    cyber7 (aka Aubrey Kloppers, Cape Town, South Africa)

  • Squidguard Integrations Ordering Test

    2
    0 Votes
    2 Posts
    1k Views
    C

    It's hard-coded in the squidguard package.

    read the post and you'll get an idea how to manually get the files to your liking

    https://forum.pfsense.org/index.php?topic=73640.msg402286#msg402286

  • Troubleshooting Squid and Squid Guard

    2
    0 Votes
    2 Posts
    728 Views
    F

    install cron packages

    *    *    *    *    *    root    /usr/pbi/squid-amd64/sbin/squid -k reconfigure

    that works for me

    for troubleshooting
    squid -z  >> any error message
    squid -k rotate
    squid restart

    show the log
    delete the cache

    check the squid guard log  / database
    cpu /  ram  /  mbuf

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.