Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or at least something different than the public domain you're using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank you kindly for your help. I will likely be ordering a new unit soon.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    645 Posts
    E
    Updated CE 2.8.1 to 1.90.6. Freshports pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.6.pkg Changelog
  • Discussions about WireGuard

    714 Topics
    4k Posts
    S
    do you have a guide for setting up a Multi-Hop VPN inside pfSense (running on VMware)? Right now, I have an extra server running OpenVPN, and I want to route it through a Multi-Hop setup. Do you know how to do it? I’ve also heard that Multi-Hop setups are prone to more leaks, so it needs to be configured properly.
  • Snort generating alert but not blocking

    8
    0 Votes
    8 Posts
    9k Views
    N
    @bmeeks: @NPDF: So, pardon my ignorance here as I am new to Snort, but I am having the same issue.  I recently enabled blocking.. And an event popped up as ET DROP Dshield Block, under Alerts but was not blocked.  You recommended to scan any IP in the alert in the block list, but the destination is the WAN IP, so it is listed - Does that mean it'll never get blocked? On the INTERFACE SETTINGS tab where you configure blocking, there is a combo-select box for choosing which offending IP address will be blocked.  Those choices are SRC, DST, or BOTH.  SRC means block the source IP in the alert packet.  DST means block the destination IP.  BOTH means block both the source and destination IP addresses.  The next thing that comes into play is the PASS LIST.  By default, your WAN IP, Default Gateway, DNS servers and a few other IPs are never blocked. So now, to see how the alert you mentioned would be treated, look at the SRC and DST IP addresses.  Next, look at that combo-box setting I mentioned.  Determine if it is set to SRC, DST or BOTH.  Comparing all that information should show you how Snort would have made a block decision.  For example, if you had DST selected in the combo-box control, and the DST of the alert was your WAN IP, then Snort would not block because your WAN IP is in the default "never block" PASS LIST.  However, if you had the combo set to BOTH, then Snort would insert a block for the SRC IP of the alert (assuming that IP was not also in the default PASS LIST). Finally, remember that there is a cron job that periodically clears blocked IP addresses.  So if enough time has elapsed, it is possible that job cleared the block.  Any time the packet filter is reloaded by pfSense, that will also clear all blocks Snort may have inserted.  A number of system events can cause the filter (firewall) to reload.  Examples are a change in your WAN IP due to DHCP renewal, temporary latency or issues with apinger, etc.  Snort does not have its own block list.  
It simply stuffs any offending IP into the <snort2c> alias table in the pfSense packet filter firewall.  Other things outside of Snort's control may clear that alias table.  One of those is a filter reload event.  As mentioned previously, there are many things that can trigger a filter reload. Bill Thanks for the great response! It was at the end of the day, a restart fixing my issue; But this information will help in the future if need be.
  • Snort-2.9.7.0 released, will we see the package updates for 2.1.5 sense?

    6
    0 Votes
    6 Posts
    2k Views
    bmeeksB
    Well, some potentially bad news on the File Inspection feature.  It appears to be broken.  It is marked as "Experimental" in the README files included with the Snort source code.  I could not get it to detect even simple PDF files, and when it was enabled, Snort would die on every soft-restart command.  I have decided to pull this feature for now from the 2.9.7.0 update. I am now about to test out OpenAppID.  Hopefully it will work better …  :-\ Bill
  • How do I get the full URL of the Youtube video being watched?

    2
    0 Votes
    2 Posts
    884 Views
    cyber7C
    Not to worry I fixed it by adding to the "Custom Options": strip_query_terms off Now I am getting the full url.  Much better kind regards cyber7 (aka Aubrey Kloppers, Cape Town, South Africa)
  • Inject a HTML to HTML response with squid

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Lightsquid sqstat http error

    11
    0 Votes
    11 Posts
    20k Views
    P
    The same situation was at https://forum.pfsense.org/index.php?topic=50366.0 And NOT only "https://www.altsec.com/2013/10/pfsense-http1-0-403-forbidden-proxy-report/" recipe can help you. So, you can also receive the same error at next accidents: when your Proxy filter SquidGuard blocked web-access for the "Proxy Squid: Realtime stat (sqstat)", for example in such a case, as if you at "Proxy filter SquidGuard: Common Access Control List (Common ACL)" adventitiously set "Default access" [all] to "deny"! when your Proxy server Squid (version >= 3) at the tab "Real Time" displays NOTHING, this can be reached when your parameters for the Proxy server Squid were WRONG and Squid can't serve web-requests from clients (and writes nothing - its logs EMPTY). For example, it can be when you fill TEXT aliases in the fields for IP addresses.
  • Problem with Snort 3.1.3

    7
    0 Votes
    7 Posts
    2k Views
    V
    @1kevinm: I upgraded to snort 3.1.3 today.  After upgrade, snort is no longer on the services menu.  It shows as installed under packages. I uninstalled and reinstalled.  It still does not show up on the services drop down menu nor on the services menu on the status drop down. I also tried rebooting multiple times. Thoughts?  or where can I find 3.1.2? Thanks, Kevin This happened to me as well, the install page stopped at a starting up snort message. Once reloaded, it does not show in service menu nor the status page in service. But for me the fix was simply uninstall snort and reinstall it again everything went smoothly. Not sure what could be the cause of this.
  • Squid 3.3.10 error

    2
    0 Votes
    2 Posts
    727 Views
    A
    Have a read through this https://forum.pfsense.org/index.php?topic=73640.0 and its https://forum.pfsense.org/index.php?topic=79389.0 Let me know how you went.
  • Cron does not function correctly with Ramdisk

    6
    0 Votes
    6 Posts
    1k Views
    C
    within the actual .py I mean, what you're showing as the cron entry is fine, that part won't have any path issues.
  • If you could install just one package - which would it be?

    15
    0 Votes
    15 Posts
    2k Views
    K
    It would be very stable with openvpn.
  • Setup VideoCache in Squid PFSense 2.1.5 not working

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177B
    Hi m4st3rc1p0, Take a look at this link: https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084
  • How to block teh googles with squid guard?

    5
    0 Votes
    5 Posts
    1k Views
    A
    To block the pics load this list in squidguard http://urlblacklist.com/?sec=download And to have ssl filtering follow this https://forum.pfsense.org/index.php?topic=73640.0 Hope this helps
  • SquidGuard Ldap search group

    1
    0 Votes
    1 Posts
    914 Views
    No one has replied
  • Scp config via cron not working

    1
    0 Votes
    1 Posts
    880 Views
    No one has replied
  • Squidguard Group ACL LDAP Client Source cache refresh

    2
    0 Votes
    2 Posts
    2k Views
    P
    I apologize if this is my first post, but I am also having problems with SquidGuard + AD with users having multiple groups. Scenario: **SquidGuard Common ACL: Deny all SquidGuard Group ACLs:   FacebookAccess     - Only Facebook is allowed, the rest blocked.   EmailAccess     - Only company email is allowed, the rest blocked. AD Groups:   FB_InternetAccess   Email_InternetAccess AD Users:   JohnDoe     memberOf: FB_InternetAccess   SamSmith:     memberOf: FB_InternetAccess and Email_InternetAccess** If JohnDoe opens facebook.com and auth is success, the site loads fine. If SamSmith opens facebook.com, it will load fine, but opening his company email will not be allowed. Checking the SG blocked logs seems to point that SG will do a first-match-forget-all basis. It would not check if the user still has other groups that will match other Groups ACLs. If this is not possible, please let me know. Any help would be greatly appreciated. TIA!
  • APU1D4-Squid bug?

    5
    0 Votes
    5 Posts
    1k Views
    N
    I managed to find a PHP command (under Diagnostics> command prompt> php) which restarts SQUID: filter_configure (); But how to execute it until the startup of pfsense? How to run a PHP command with a shell script? (I'm an amateur, not a professional)
  • HAProxy does not reload after upgrade

    6
    0 Votes
    6 Posts
    2k Views
    P
    Just installing the pbi should have created a symlink for /usr/local/sbin/haproxy to the executable /usr/pbi/haproxy-amd64/.sbin/haproxy Can you try uninstalling and then re-installing the haproxy-full package?
  • Enable module ecap for squid3

    1
    0 Votes
    1 Posts
    758 Views
    No one has replied
  • Strange IP in Squid.conf

    1
    0 Votes
    1 Posts
    653 Views
    No one has replied
  • Transparent HTTP/HTTPs filtering with NSFilter

    11
    0 Votes
    11 Posts
    3k Views
    J
    Just wanted to update the thread to let everyone know that we have added support for pfSense 2.2, the installation is exactly the same as the previous versions.  Here is a brief rundown of current features: DNS Filtering:   Domain name categorization using realtime cloud categorization service   User/Group/IP based policies   Local Domain Override (*New, overrides DNS lookups to alternate server for specified domains, ie mydomain.com uses 192.168.1.1 vs 8.8.8.8 for everything else).   Customizable Block Pages HTTP/HTTPS filtering:   URL categorization using realtime cloud categorization service   Transparent mode supported   User/Group/IP based policies   Force Safesearch (Google/Yahoo/Bing)   Youtube for Schools   URL Black/White lists   Content Type Black/White lists   File Pattern Black/White lists   Customizable Block Pages Authentication:   LDAP integration   Domain Controller Agent (In development, this will allow users to automatically authenticate to NSFilter when logging in successfully to the domain). Please let us know if there are any features you would be interested in trying or like to see about having added to NSFilter, we are always looking to improve. Also if there are any of you testing 2.2 if you would like to give NSFilter a try, we would love to get some more data points on running on the new platform. Thanks, Adam
  • Exclude user from safe search

    2
    0 Votes
    2 Posts
    512 Views
    F
    ;D I found the solution: for safe search the Common ACL group takes precedence over Group ACL so you need to disable it in Common ACL and apply it in whatever group inside Group ACL, that works for me
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.