Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmatt
    @johnpoz said in Please help to configure HAProxy to serve certificate on internal LAN too:

    Yeah - what part do you not understand? If you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense WAN IP, what are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as externally and run into the problem of what IP it resolves to. Change your local domain to say home.arpa or .internal, or at least something different than the public domain you're using to point to the pfsense WAN IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into the problem of the fqdn for this service now always pointing to your WAN IP. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing - you are going to have problems. Since you clearly do not understand how any of this works, the simple solution is to change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud.

    This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English, of course—take it from a fellow English native that you'd do well to say more with fewer words. You otherwise were directing OP in the right direction, in my opinion.
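    What the "views in unbound" workaround mentioned in that reply looks like, as an added example in unbound.conf syntax (not code from the thread or from the pfSense package). Assumptions: the LAN is 192.168.1.0/24, HAProxy on pfSense also binds the LAN address 192.168.1.1, and the published name is nextcloud.domain.tld. On pfSense this text goes into the DNS Resolver's Custom Options box; a plain Host Override is the view-less form of the same override, handed to every client instead of only the LAN.

```conf
server:
    # Added example, not from the thread. Assumed values: LAN 192.168.1.0/24,
    # HAProxy also listening on 192.168.1.1, service name nextcloud.domain.tld.
    # LAN clients are answered from the "lan" view; every other client gets
    # normal recursion, i.e. the public A record that points at the WAN IP.
    access-control: 192.168.1.0/24 allow
    access-control-view: 192.168.1.0/24 lan

view:
    name: "lan"
    # Answer this one name locally for LAN clients and never send it upstream.
    local-zone: "nextcloud.domain.tld." static
    local-data: "nextcloud.domain.tld. 300 IN A 192.168.1.1"
    # Anything not defined inside the view falls through to the global
    # local-data and then to recursion, so only this name is rewritten.
    view-first: yes
```

    The caveat from the reply still applies: the override sends the whole name to one address. That is right for what HAProxy proxies, but anything on the Nextcloud host that HAProxy does not front (file sharing, SSH) must be reached by another name or by IP, which is why a separate internal domain is the simpler fix.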
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    tinfoilmatt
    Here. I think. Referenced as "github.com: vendor-provided URL vendor-advisory" in your link.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:

        /usr/sbin/chown -R nobody:nobody /var/db/ntopng

    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @netboy said in is something wrong with pfBlockerNG?:

    After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far I have no issues.

    Terrible idea. Moving backwards in development history there.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypage
    @fjmp24 said in Notification: UPS ups battery is low:

    If I remove the ignorelb directive, my UPS shuts down after 16 seconds

    This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the ACME web GUI times out, and when the ACME web GUI times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the Action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    648 Posts
    C
    @mightykong Yes, my system also requires a restart after reboot, and what has worked for me is:

        service tailscaled stop && tailscale logout || true && service tailscaled start && tailscale up

    What has worked for updates included a sysrc tailscaled_enable="YES" that is supposed to handle the tailscale restart after reboot, but it has not worked for me. I am looking into it, and others will be as well. In the meantime, this is my update one-liner command line:

        service tailscaled stop && tailscale logout || true && fetch https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.6.pkg || exit 1 && IGNORE_OSVERSION=yes pkg-static add -f tailscale-1.90.6.pkg && rm -f tailscale-1.90.6.pkg && service tailscaled stop && tailscale up

    Options: add "&& tailscale version && tailscale status" to automate a first check; and the "rm -f tailscale-1.90.6.pkg" is not needed, but once I saw the suggestion, I decided to keep it.
  • Discussions about WireGuard

    715 Topics
    4k Posts
    A
    Hi everyone, this is a noob question, but I have already tried multiple things and I hope someone can help with this. I have a WireGuard tunnel configured and the handshake is performed successfully; I can ping the server from the laptop but not the other way around. I have already deactivated the NAT feature and all the rules, and no luck. pfSense and this server are located on a Proxmox server; the laptop is local. Any ideas? Thank you.
  • [SOLVED] Firewall/NAT setting breaks Radius

    1
    0 Votes
    1 Posts
    739 Views
    No one has replied
  • Ntopng error showing in syslog on 2.2 10/10/14

    4
    0 Votes
    4 Posts
    3k Views
    C
    Copy the .dat files to /usr/pbi/ntopng-amd64/local/share/ntopng/httpdocs/geoip instead of the path listed in the error message. Something like:

        pushd /usr/pbi/ntopng-amd64/local/share/ntopng/httpdocs
        mkdir geoip
        cp -vp /root/*dat ./geoip/

    The geoip stuff works for me after that. Note you will have to do this after every package reinstall or pfSense update. I also noticed the two methods for setting the password don't play nice together (ntopng GUI 'manage users' vs pfSense 'ntopng settings'). Actually there's a third method too, via the console: http://blog.redbranch.net/2013/12/12/reset-ntopng-admin-password/
  • Snort - not starting anymore

    28
    0 Votes
    28 Posts
    8k Views
    ?
    I have AC-BNFA-NQ as standard. "The rules update process will only restart Snort if it is detected as running during the update process." That's what I expected; therefore I checked on this box some minutes ago, but all three Snort interfaces were up and running. Strange indeed…
  • Lightsquid mac address

    6
    0 Votes
    6 Posts
    2k Views
    T
    Ok, thank you for the answer.
  • Squid on 2.1.5 not installing

    4
    0 Votes
    4 Posts
    2k Views
    K
    In the future, with a squid that is botched for some reason, try:

        squid -k shutdown
        cd /var/squid/cache
        rm -rf *
        squid -z

    Then reboot and reinstall the squid package.
  • Configuring HAproxy

    2
    0 Votes
    2 Posts
    872 Views
    P
    I'm afraid there are no guides for the pfSense HAProxy GUI that are really useful. Anyway, you should really consider using the haproxy 1.5 package. It has way more options than all 1.4 packages combined. If you find a bug (there aren't any critical ones left that I know of), let me know. Create 1 backend for the 2 servers. Then create 1 frontend to listen on the desired port and use the backend, and it should already start working. Enable checking on the backend to have haproxy actually perform checks, and activate stats to see if backends are seen as 'up'. That should basically be enough to get started.
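    The layout that reply describes, written out as an added example in haproxy.cfg form (HAProxy 1.5 syntax; this is not the package's own output or the poster's config): one frontend on the desired port, one backend holding the two servers with health checks enabled, and a stats listener to confirm the servers are UP. Addresses, ports, the /healthz path and the stats credentials are assumptions. The pfSense GUI writes the equivalent file from its Frontend, Backend and Settings tabs.

```conf
# Added example, not from the thread. Assumed: servers 192.168.1.11 and
# 192.168.1.12 on port 80, pfSense LAN address 192.168.1.1, a /healthz URL.
global
    log 127.0.0.1 local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One frontend listening on the desired port, sending everything to one backend.
frontend www
    bind *:80
    default_backend app_servers

# One backend for the two servers. "check" makes HAProxy probe each server;
# httpchk turns the probe from a bare TCP connect into a real request, so a
# server that still accepts connections but answers with errors is taken out
# of rotation after 3 failed probes and put back after 2 good ones.
backend app_servers
    balance roundrobin
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ app.example.internal
    http-check expect status 200
    server app1 192.168.1.11:80 check inter 5s fall 3 rise 2
    server app2 192.168.1.12:80 check inter 5s fall 3 rise 2

# Stats page to see whether the backends are seen as UP. It lists every
# backend address, so bind it to the LAN side only and require a login.
listen stats
    bind 192.168.1.1:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:change-this-password
```

    With this in place the stats page shows each server's last check result; a server flapping between UP and DOWN usually means the health URL is too slow for the 5s interval rather than that the server is actually failing.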
  • Snort 2.9.6.2 pkg v3.1.4 – Bug Fix Update Release Notes

    25
    0 Votes
    25 Posts
    4k Views
    bmeeks
    @Hollander:

    Thanks Bill ;D ps -ax came back empty, and the directory is gone too: both good. CPU is normal at 4% now. I just tried again: install Snort: CPU back to 100% due to fetch. I know that if you say it isn't Snort then it isn't Snort, yet it's a weird coincidence that keeps on repeating itself. So I had to uninstall Snort again. I am eagerly awaiting until JFL will find the time to write the SuricataTutorialNG (NG = BB ;D), so I can try to replace Snort with Suricata.

    You have something wrong in your configuration someplace. I don't know what it may be, though. I have never seen that behavior with any of my VM testing over the last two years. Are you using IPv4 or IPv6 addresses?
    Bill
  • Snort can't download Snort VRT Rules [solved]

    25
    0 Votes
    25 Posts
    20k Views
    bmeeks
    @ypmict:

    Hi… I am also facing this problem. I am using: pfsense 2.0.1, snort 2.9.6.2 pkg v3.1.4 (using the free oinkcode). The error log says:

        Starting rules update... Time: 2014-11-10 10:33:28
        Downloading Snort VRT rules md5 file snortrules-snapshot-2923.tar.gz.md5...
        Snort VRT rules md5 download failed. Server returned error code 422.
        Server error message was:
        Snort VRT rules will not be updated.

    ...anyone know what the problem is? I also tried to register a different account for the oinkcode, but it still shows the error... thanks

    Snort is no longer supported on pfSense versions older than 2.1. You say you are running 2.0.1, so Snort is now broken and unsupported on that version. You should upgrade your pfSense to version 2.1.5.
    Bill
  • Squid Not Sharing Cache Between Clients

    2
    0 Votes
    2 Posts
    915 Views
    Soloam
    Anyone have any idea? Thank you. Best regards
  • Squid does not cache large files

    1
    0 Votes
    1 Posts
    786 Views
    No one has replied
  • Squid not generating Access.log

    8
    0 Votes
    8 Posts
    4k Views
    B
    Hi there, /var/squid/logs/access.log exists. But the problem is that I cannot generate reports; please see the attached images for more information.
  • 0 Votes
    3 Posts
    1k Views
    panz
    Thank you Bill, it seems that reverting the pfSense conf to the previous one before Snort update solved the problem: pfSense reinstalled all the packages (including Snort but omitting NUT!) and all seems working now. Strange thing the failed reinstall of the NUT package: my machine is not "messed up" with a lot of configurations or packages. The log said "unable to reinstall nut, take appropriate action". I simply reinstalled the NUT package and the configuration was there! Edit: now pfSense is dropping the PPPoE connection approximately every 30 minutes :(
  • PfBlocker Lists

    6
    0 Votes
    6 Posts
    4k Views
    F
    You can try this too: https://www.countryipblocks.net/country_selection.php Although it offers a false sense of security; your malware these days will come from G5 hosting companies or amazonaws, cloudfront, cloudflare… etc. F.
  • Squid with diskd won't start

    5
    0 Votes
    5 Posts
    1k Views
    D
    This config ran for about a week, then the same "out of space" error occurred again. Something is screwy with diskd vs FreeBSD. For now I've gone back to the ufs option, but I'm sure I will be inspired to fiddle again soon.
  • Cron problem swap.state

    4
    0 Votes
    4 Posts
    2k Views
    Soloam
    Thanks! Best regards
  • Squid3-dev new update

    3
    0 Votes
    3 Posts
    840 Views
    F
    Thanks man
  • Squid does ignore firewall (routing)rules

    1
    0 Votes
    1 Posts
    663 Views
    No one has replied
  • Pfsense: Snort configuration advice wanted

    3
    0 Votes
    3 Posts
    1k Views
    bmeeks
    I agree with Wolf666.  Enabling Snort on the LAN for a home firewall is the best choice.  You don't usually have any unsolicited inbound traffic allowed on a home setup, so Snort on the WAN does not really help any more than having it just on the LAN.  What you are more worried about is an internal machine picking up malware and/or that malware calling home to the mother ship for additional instructions.  Snort on the LAN would see this and alert you.  Plus, if you configure the blocking IP to BOTH on the SETTINGS tab for the interface, then the far-end of the conversation will be blocked but the LAN end will not be as it is generally in the default PASS LIST unless you change something.  However, you will see the local IP address as well as the far-end IP in the alert. Bill
  • Snort Blocking IP addresses in my trusted alias list

    2
    0 Votes
    2 Posts
    949 Views
    bmeeks
    @JohnKap:

    Hi all. I have an alias set up "Trusted_IPs", with a list of IP addresses I want snort to ignore - 3 in total. Under the Pass Lists tab, I have created a single pass list and included the "Trusted_IPs" alias (see attached). Snort will block an IP address in the trusted alias list; error messages are:

        (http_inspect) UNKNOWN METHOD - 11/07/14-09:24:08
        (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 11/07/14-09:54:34

    I have restarted both snort & pfsense to ensure caches are cleared and tables are updated, yet snort will continue to block. Any ideas what I've overlooked? thanks

    The best course of action here is to disable those rules entirely. Click the X beside the GID:SID on the ALERTS tab. That will permanently disable them. They are well known false positives. The reason you still see blocks may be because of the setting for WHICH IP TO BLOCK on the SETTINGS tab for the interface. If set to BOTH (the new default), then your PASS LIST IP should not be blocked, but the other end of the conversation will be blocked and thus communications will still be stopped.
    Bill
  • Snort UDP Filtered Portscan with OpenVPN

    4
    0 Votes
    4 Posts
    3k Views
    bmeeks
    @Heli0s:

    If that's the case, is there a good way to protect my network from port scans? I've tried a few online port scans and some are picked up and some are not.

    Not that I am aware of. On the other hand, if you have a carefully configured firewall that allows only exactly what is necessary to get in, why worry about a port scan? If those ports are not open, so what? What seems to happen a lot recently is the port scan preprocessor is overly sensitive and triggers on some normal and harmless stuff. I think in an attempt to reduce the sensitivity and prevent those false positives, some of the older port scans are no longer detected. So all in all the utility of the port scan preprocessor seems to be degrading in my view. If you still want to use it, then you will need to tinker with all the settings for the preprocessor. That's why I added them to the GUI several revisions back. They will allow you to tweak it so maybe it works for you without triggering on too many false positives.
    Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.