Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pgblockerng aliases in Haproxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nian

    @bmeeks So after upgrading to the newest PfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new PfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    reza3sw

    @Gertjan
    Hello,
    Thank you.
    I had exactly the same issue, and your solution helped me fix it.


  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts

    NUT version is 2.8.2_5 (I've already tried reinstalling the package)

    NUT seems to think it can't find the UPS, but usbconfig shows it to be present:

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/rc.d: usbconfig
    ...
    ugen0.5: <PR1500LCDRT2U UPS Cyber Power System, Inc.> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (2mA)
    ...

    Below is the console log attempting to start NUT from the command line.

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/rc.d: ./nut.sh stop
    stopping NUT
    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/rc.d: ./nut.sh start
    starting NUT
    Network UPS Tools - UPS driver controller 2.8.2
    Network UPS Tools upsd 2.8.2
    fopen /var/db/nut/upsd.pid: No such file or directory
    Could not find PID file '/var/db/nut/upsd.pid' to see if previous upsd instance is already running!
    Network UPS Tools - Generic HID driver 0.53 (2.8.2)
    listening on 127.0.0.1 port 3493
    USB communication driver (libusb 1.0) 0.47
    listening on ::1 port 3493
    Can't connect to UPS [CyberPower-1500] (usbhid-ups-CyberPower-1500): No such file or directory
    libusb1: Could not open any HID devices: no USB buses found
    No matching HID UPS found
    upsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it
    Driver failed to start (exit status=1)
    Found 1 UPS defined in ups.conf
    Network UPS Tools upsmon 2.8.2
    kill: No such process
    UPS: CyberPower-1500 (primary) (power value 1)
    Using power down flag file /etc/killpower

    Also

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/nut: more ups.conf
    [CyberPower-1500]
    driver=usbhid-ups
    port=auto
    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/nut: egrep -v '^#' nut.conf
    MODE=none

    and this, which singles out the usbhid-ups driver as the problem:

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/nut: /usr/local/libexec/nut/usbhid-ups -a CyberPower-1500
    Network UPS Tools - Generic HID driver 0.53 (2.8.2)
    USB communication driver (libusb 1.0) 0.47
    libusb1: Could not open any HID devices: no USB buses found
    No matching HID UPS found
    upsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan

    @EChondo

    What's your pfSense version?
    The instructions are shown here:


    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    690 Topics
    4k Posts

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

  • 404 Not found when browsing certain sites

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Rules broken squid

    12
    0 Votes
    12 Posts
    3k Views

    I deny provisionally in squid, but I would like to know why it is jumping the firewall rule. I have a little crazy

  • Squid3-dev v3.3.10 pkg 2.2.6,SSL MiM + Diladele = c-icap no file scanning

    3
    0 Votes
    3 Posts
    2k Views

    huh, reply to myself  :P …..

    ok, permanent changes can be made via the pfSense UI.

    1. set listening port "Antivirus" in "c-icap.conf" to "Port 1345"

    2. set this in Custom ACLS (Before_Auth), with help of Diladele support:

    always_direct allow all
    ssl_bump server-first all
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Client-Username
    icap_service qlproxy1 reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/respmod
    icap_service service_req reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/squidclamav
    icap_service service_resp respmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/squidclamav
    acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
    acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
    adaptation_service_chain chain1 qlproxy1 service_req
    adaptation_access chain1 deny qlproxy_icap_edomains
    adaptation_access chain1 allow all
    adaptation_service_chain chain2 qlproxy2 service_resp
    adaptation_access chain2 deny qlproxy_icap_edomains
    adaptation_access chain2 deny qlproxy_icap_etypes
    adaptation_access chain2 allow all

    but after saving and restarting the squid service, this remains at the end of squid.conf (always, because it is autogenerated and I don't know where the template for generating it is, so that I could delete these lines):

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req allow all
    adaptation_access service_resp allow all

    Can you please verify my settings and tune them? Thx.

  • Squid3 (3.1) Reverse Proxy & Exchange EWS attachments

    1
    0 Votes
    1 Posts
    899 Views
    No one has replied
  • Squid Reverse Proxy SSL Termination Problem

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Couple of questions about squid3-dev

    4
    0 Votes
    4 Posts
    1k Views

    Where is "squid_monitor_log.php" file served from?
    Because if squid is configured with "Bypass proxy for Private Address destination" turned on, it should not be trying to cache when it is served from a private address space (10.x.x.x; 172.x.x.x; 192.168.x.x).
    But it seems it is served via 215.x.x.x, and that is not private address space.

    You could try and use a proxy script in the browsers. (proxy.pac or wpad.dat)

    function FindProxyForURL(url, host) {
        url = url.toLowerCase();
        host = host.toLowerCase();
        var isHttp = (url.substring(0, 5) == "http:");
        var isHttps = (url.substring(0, 6) == "https:");

        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.home") ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) {
            return "DIRECT";
        }

        // Forward non-http(s) and some hosts to forward proxy (or DIRECT)
        if ((!isHttp && !isHttps)                      // Skip all non http(s)
            || dnsDomainIs(host, "microsoft.com")
            || dnsDomainIs(host, "windowsupdate.com")
            || dnsDomainIs(host, "eset.com")
            || dnsDomainIs(host, "mcafee.com")         // McAfee
            || dnsDomainIs(host, "siteadvisor.com")    // McAfee
            || dnsDomainIs(host, "hackerwatch.com")    // McAfee
            || dnsDomainIs(host, "hackerwatch.org")    // McAfee
            || dnsDomainIs(host, "avg.com")
            || dnsDomainIs(host, "grisoft.cz")
            || dnsDomainIs(host, "avgfree.com")
            || dnsDomainIs(host, "avg.cz")
            || dnsDomainIs(host, "symantecliveupdate.com")
            || dnsDomainIs(host, "thawte.com")) {
            return "DIRECT";
        }

        // Skip HTTPS
        if (isHttps) {
            return "DIRECT";
        }

        // Otherwise, go through our proxy or if it fails, through bypass
        return "PROXY 192.168.0.1:3128; DIRECT";
    }

  • Quagga OSPFd DR election incorrectly

    1
    0 Votes
    1 Posts
    990 Views
    No one has replied
  • [SOLVED] HTTP access

    4
    0 Votes
    4 Posts
    693 Views

    In the end my solution is in this http://irj972.co.uk/articles/pfSense-WPAD PAC-configuration-management. Create a second web server lighttpd within pfsense own, and it's all in the same box.  :)

  • Multi-Lan Squid 2.7 Transparent Firewalling

    6
    0 Votes
    6 Posts
    1k Views

    I replied on your thread.

  • Email Reports - DHCPLEASES limited to 50 entries

    1
    0 Votes
    1 Posts
    584 Views
    No one has replied
  • Install Wireshark to run over X11 issue

    1
    0 Votes
    1 Posts
    764 Views
    No one has replied
  • POP3 Mail Scanning ??

    1
    0 Votes
    1 Posts
    669 Views
    No one has replied
  • Squid Automatically Generating

    1
    0 Votes
    1 Posts
    671 Views
    No one has replied
  • Squid, WiFi, and "Sign in required"

    1
    0 Votes
    1 Posts
    865 Views
    No one has replied
  • 0 Votes
    24 Posts
    5k Views
    bmeeks

    @wcrowder:

    Every day, I go to the computer looking for the NEW Suricata update… :o Alas it's still not here...  :'(

    I know, I know, I need a life...  ;D

    Final testing is almost completed.  I posted a preview thread showing some screenshots of the new features coming in the updated package.  Here is a link to the thread: https://forum.pfsense.org/index.php?topic=80886.0

    Bill

  • Siproxd Fun and Games

    1
    0 Votes
    1 Posts
    695 Views
    No one has replied
  • Transparent Proxy Mode

    13
    0 Votes
    13 Posts
    2k Views

    @wcrowder:

    Easiest way to have external proxy on another host on pfSense.

    Place this in /usr/local/www/wpad.dat on your pfSense router.

    function FindProxyForURL(url, host) {
        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "localhost") ||
            shExpMatch(host, "*.crowderfarm.local") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.0.0"))
            return "DIRECT";
        return "PROXY 192.168.10.8:3128";
    }

    Add a host override on the DNS forwarder:

    Host: wpad
    Domain: crowderfarm.local
    IP address: 192.168.1.1
    Description: WPAD Autoconfigure Host

    Or you can simply point your browsers to the configuration file in connection settings by clicking "Automatic Proxy Configuration URL" in Firefox for example and entering "http://192.168.1.1/wpad.dat". Of course you have to set these settings to match your network.

    So it means we need to manually select "Proxy Auto-Discovery" option in the browser even after placing this code in pfsense router?

  • Squid , NAT using Virtual IP Pool

    1
    0 Votes
    1 Posts
    750 Views
    No one has replied
  • Snort / Suricata Widget feature request

    11
    0 Votes
    11 Posts
    2k Views
    bmeeks

    @Supermule:

    The customer has a fixed IP and it puzzles me as well.

    Is the fixed IP address IPv4 or IPv6?  And I assume the IP is confirmed to be in the PASS LIST for the interface.  You can verify that by going to the INTERFACE SETTINGS tab for that interface and then clicking the "View List" button beside the PASS LIST drop-down.  The IP address should be in there.

    Do you have confirmed alerts with that customer's IP address in either SRC or DST where there was no block inserted?  Might take correlating some dates and times to figure that out.  I'm trying to determine if perhaps there is a problem with the binary patch that reads and processes the PASS LIST internal to the Snort binary.  For example, it might be that the logic inside the binary is not always accurately matching the IP address with the PASS LIST and thus might insert a block when it was not supposed to.

    Bill

  • Can't Remove / Re-install Snort

    24
    0 Votes
    24 Posts
    7k Views
    BBcan177

    There is a table called "Snort2c" which you can see in Diagnostics:Tables

    If the file is there, you can open it and click the "all" icon at the bottom to clear it.

    If Snort is installed, you can clear the table by going to the Snort:Blocked Tab and hitting the "Clear" Icon.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.