Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmatt
    @johnpoz said in Please help to configure HAProxy to serve certificate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to. Change your local domain to say home.arpa or .internal or at least something different than the public domain you're using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing, you are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with fewer words. You otherwise were directing OP in the right direction in my opinion.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPa
    @bmeeks Understood. Thank you kindly for your help. I will likely be ordering a new unit soon.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far I have no issues. Terrible idea. Moving backwards in development history there.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypage
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    644 Posts
    C
    @elvisimprsntr Thank you. I would not be surprised if I ended up with a lengthy solution that works but needs significant improvement. I am using a Netgate 6100 with pfSense+, starting with version 24.x. I had updated Tailscale without trouble per this discussion by using pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-x.y.z.pkg. This worked until pfSense+ version 25.0.07 (FreeBSD 15-CURRENT) and Tailscale upgrade 1.88.3. After several attempts and web searches, I was only able to install that upgrade by using: fetch https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.88.3.pkg, and then IGNORE_OSVERSION=yes pkg-static add -f tailscale-1.88.3.pkg. Then, I could not restart Tailscale, no matter what I tried, including the sequence: service tailscaled stop, tailscale logout, service tailscaled start, and then tailscale up.
  • Discussions about WireGuard

    714 Topics
    4k Posts
    L
    @subhan2k said in [Guide] Setup a wireguard tunnel to VPN provider (multiple VPN tunnel setup): I tried following your guide to set up the Surfshark WireGuard server configuration in pfSense as default gateway, but I got stuck at the static routes step. In my case, the endpoint isn’t a numeric IP — it’s listed as us-bna.prod.surfshark.com. How should I add this to the static routes? In my configuration: Endpoint: us-bna.prod.surfshark.com Address: 10.14.0.2/16 So what exactly should I enter in the static routes? After switching the default gateway from WAN_DHCP to the WireGuard VPN my Internet doesn't work, so adding static routes is mandatory (I'm using it inside VMware). nslookup us-bna.prod.surfshark.com Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: us-bna.prod.surfshark.com Address: 82.26.162.48 Name: us-bna.prod.surfshark.com Address: 82.26.162.53 That should do it. Just take 1 of the 2. And in general, don't use domain names but only IPs. Before you start, choose 1 of the 2 IPs and use it for the whole process.
  • Lightsquid not updating

    0 Votes
    3 Posts
    803 Views
    K
    I seem to remember that lightsquid was sort of flaky with the latest greatest version 3 squid, so I tended to use the older more stable squid. Not sure what you are using.
  • Suricata 2.0.3 Package Preview

    0 Votes
    121 Posts
    36k Views
    bmeeks
    @bonkas: Has this issue been resolved? I am also running a PPPoE Connection and trying to get Suricata configured but my logs are flooded with "SC_ERR_DATALINK_UNIMPLEMENTED" errors. Suricata will not start automatically after a pfsense restart, is this by design or caused by these errors? Regards, No, not resolved and can't be really resolved until there is an upstream patch to Suricata so it recognizes the DLT_NULL data link type that FreeBSD assigns to PPPoE interfaces. This is a problem in the Suricata binary that comes from upstream. You can make it partially work by hand-editing the suricata.yaml file and telling it the interface is an Ethernet physical link (by using the real physical NIC driver name), but you will still get occasional errors due to the PPPoE frame headers since Suricata does not expect to see them on a physical Ethernet interface. Also, I can't guarantee you that all the detection signatures will work properly. In short, this kind of hack is unsupported and you would be on your own. If you have a PPPoE interface and want IDS/IPS on it, then you should use Snort instead of Suricata. The Snort binary fully supports the DLT_NULL data link type that FreeBSD uses. Bill
  • Dansguardian 2.12.0.3-i386 Will not start

    0 Votes
    3 Posts
    904 Views
    R
    Sounds like you are missing blacklists… try downloading them.
  • Squid and Squid Guard Logs

    0 Votes
    3 Posts
    2k Views
    T
    Squidguard rotates logs daily when enabled. Squidguard itself maintains 3 log files: /var/squidGuard/log/block.log, /var/squidGuard/log/sg_configurator.log, /var/squidGuard/log/squidGuard.log. There is no setting in the GUI for days or number of kB in size. Maybe "dvserg" can add this option into the Squidguard gui/package.
  • Squidguard Blacklist

    0 Votes
    6 Posts
    2k Views
    D
    @rjcrowder: @dvserg: No, it's not supported. You could obviously write a shell script to download multiple and combine them… A hand-made way is possible if you know how it may work. But many users know only the GUI way.
  • Snort interfaces not starting after rule update/service restart

    0 Votes
    7 Posts
    2k Views
    bmeeks
    @adiadasman: Bill, The UUID issue does appear to be my problem. Please check your PMs as I have replied back to your original message. Got your PM reply and answered. We can communicate back and forth in PM land. Bill
  • How to fix these Squid-3dev logs? i386 2.1.5 please help

    0 Votes
    1 Posts
    854 Views
    No one has replied
  • Some RRD Graphs not working

    0 Votes
    2 Posts
    786 Views
    S
    I reset the data and it all came back.
  • Apcupsd – need shutdown (not kill)

    0 Votes
    2 Posts
    1k Views
    K
    I don't know your UPS, but my experience with other UPSes is: Upon line power loss, the system monitoring the UPS is informed about that event. The monitoring box remains running for the grace period (for example, 10 minutes). If line power has not returned within the grace period, machines get shut down (that may include the monitoring machine). There will be a preset time to allow all machines to shut down (for example, 5 minutes). At this point there are two options: 1. If line power remains offline, the UPS will eventually get to the point where the battery runs flat and it will shut down the output. When line power returns, the UPS will eventually restart the output and the machines will reboot-after-power-loss (as configured in the BIOS). 2. The line power returns before the UPS has shut down; this is a bit more interesting. Machines have been shut down already, but as they see no power loss, they will not reboot-after-power-loss. Ideally, the UPS would wait for the shutdown time period (5 minutes in my example), power cycle the outputs and everything is fine again. Regardless: I let the pfSense box run until the UPS power fails (no automatic shutdown or anything). Same for the modem, PBX, switches and even a few of the WLAN APs. I am aware that this causes additional drain on the battery of the UPS even after the server machines have shut down, but what the heck? Plus, with a communication infrastructure left online until the very last second, all remaining systems can continue to yell for help.
  • PFBlocker List for IPV6

    0 Votes
    2 Posts
    2k Views
    ?
    I have seen a couple of IPv6 lists floating around, but can't remember where. My honest opinion is IPv6 lists are useless, unless they are used to ban entire subnets. The ease with which you can jump from IP to IP on IPv6 renders a single bad host in a list useless. My recommendation is to use snort/suricata to keep track of bad hosts in IPv6, and based on repeated offenders in a subnet, ban the entire subnet in a list of your own. Bad IPv6 traffic is low, it's the perfect time to experiment and tweak your security systems.
  • SNORT FATAL ERROR: (998) Unknown rule option: 'sip_header'.

    0 Votes
    9 Posts
    5k Views
    bmeeks
    @MilesDeep: At first, enabling the SIP Detection works. The daemon starts. After a while, the daemon stops and SIP detection is disabled. Does this have anything to do with the fact that the update, which occurred last night, failed? No, a rules update will not disable nor enable a preprocessor. I will check and be sure the default is enabled for future updates, but for now just look at the PREPROCESSORS tab and check all the preprocessors in the GENERAL section down towards the bottom of the page, then click SAVE. You usually don't need the two SCADA preprocessors, but it hurts nothing to enable them as well. Bill
  • Show user name in squid

    0 Votes
    1 Posts
    485 Views
    No one has replied
  • 0 Votes
    2 Posts
    2k Views
    N
    OK, I found 2 solutions: 1. The good one is to simply add the following line in the pfSense web configuration, Services, Proxy server, General, Custom Settings, Custom Options: ignore_expect_100 on. Yes, it works also for the REVERSE proxy. 2. The bad one (just to know it exists) is to modify the source code of the web services' CLIENT SIDEs, in C#, by adding this line: System.Net.ServicePointManager.Expect100Continue = false; before instantiating the SoapClient object: MySoapClient My_WS_Client = new MySoapClient();
  • No squid.conf (squid3) on pfsense 2.1

    0 Votes
    8 Posts
    6k Views
    C
    I do have a local website (owncloud) that I do not want to be cached. Was thinking of adding an "include" in the squid.inc file so every time the package gets reloaded / changed by pfsense the cache deny all will kick in for that specific site. Where can I set that up? So, in sum, the squid.inc will always overwrite the squid.conf, so in the squid.inc add an include cache_exceptions.conf with cache deny all for the sites I don't want cache enabled. How can that be accomplished?
  • Adding a new secure port to Proxy Server Squid 3

    0 Votes
    1 Posts
    625 Views
    No one has replied
  • Squid exited due to repeated failures

    0 Votes
    5 Posts
    8k Views
    KOM
    I saw that initially but wasn't sure it was the root cause of your problem. You could try checking your ACLs for obvious problems (like being blank or empty) and then recreating them.
  • Replicating Dansguardian configuration

    0 Votes
    3 Posts
    1k Views
    R
    Thanks, have done that for the initial config, but is there a method to keep things synchronised thereafter?
  • Squid3 3.1 not found. Squid 3.3 development service not starting.

    0 Votes
    2 Posts
    905 Views
    C
    Did you forget to search? https://forum.pfsense.org/index.php?topic=81118.0 Check out the 2.2 board; there is a workaround: https://forum.pfsense.org/index.php?topic=82232.0
  • Kernel: Bump flowset buckets to 256 (was 0)

    0 Votes
    3 Posts
    3k Views
    F
    Thank you and Cino (great answer). Cino: That is from Limiter being enabled… Go to Traffic Shaper, Limiter tab. Click on the first limiter you created, Show Advanced Options; change Bucket Size to 256. Do this for the rest of them and you shouldn't see that message anymore.
  • Color changing package pfsense?

    0 Votes
    3 Posts
    926 Views
    S
    HAHAHAHAHA We just want to have fun :D @BBcan177: … You know that it's a proven fact that Men are color blind... Or that's what the Women are telling us.... lol..
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.