Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pgblockerng aliases in Haproxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nian

    @bmeeks So after upgrading to the newest PfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new PfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron job.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    reza3sw

    @Gertjan
    Hello,
    Thank you.
    I had exactly the same issue, and your solution helped me fix it.


  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage

    @jhg Please post the output of the following commands:

    pkg info | grep nut
    usbconfig dump_all_desc

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan

    @EChondo

    What's your pfSense version?
    The instructions are shown here:

    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    690 Topics
    4k Posts

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

  • Unable to find "onatproto" package on the "available package" tab

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177

    Did you see this thread:

    https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084

    "FreeBSD has moved them to ftp-archive since the release is no longer officially supported upstream."

  • Snort not working on the LAN interface?

    5
    0 Votes
    5 Posts
    2k Views
    bmeeks

    @zerodamage:

    I am trying to figure out why my Snort will not work on the LAN interface. I originally had it running on the WAN interface and it worked fine. I noticed some alerts with regards to Trojan but the source IP was my WAN interface, not the culprit within my network. So I made a LAN interface and used the same IPS policy (connectivity) and rules (I have a Snort subscription) and I get no alerts. The interface goes active without any issues but I do not receive any alerts at all.  This is my home network so it isn't the end of the world but I would like for it to work.

    This is how my network is laid out:

    LAN => WAP / Switch => pfSense / Snort => Internet

    There may simply be nothing too nefarious happening in your LAN.  I get maybe one or two alerts per week on my LAN.  I get a ton on my WAN, but that's because I run some IP Reputation rules there and known spammer and other malicious IPs make connection attempts.  Also remember that Snort puts the interface it runs on in promiscuous mode, so that would mean the WAN sees a lot of extra stuff, for example.

    If you want to test Snort on your LAN, install a tool like nmap on a host and scan your firewall.  That should trigger some alerts.

    Bill

  • Snort inline mode

    6
    0 Votes
    6 Posts
    4k Views
    BBcan177

    While the packet can't be dropped, any open states in the firewall can be killed.

    I hope the devs implement those changes.

  • NMAP doesn't scan all ports

    2
    0 Votes
    2 Posts
    866 Views
    jimp

    Unless your PC is actually listening for a connection from anywhere on port 21, then nmap won't see that as "open".

    To nmap, "open" means that a service is waiting for inbound connections and accepts them (listening on a port), such as a web server or FTP server on the IP being scanned. If your client has a connection "open" to a remote server, that isn't something nmap can see as it's a fundamentally different concept.
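An added example (not code from either forum post above) that makes the point in jimp's answer and in Bill's "scan your firewall with nmap" suggestion concrete: a TCP connect scan, the same probe `nmap -sT` uses, reports a port as open only when a process is listening on it and completes the handshake. The script starts a throwaway listener on 127.0.0.1 (a hypothetical setup so it runs offline), opens an outbound client connection to it, and then scans three local ports: the listener, a port nobody listens on, and the local port of that outbound connection. Only the listener comes back "open"; the client side of an established connection is just as "closed" to the scanner as an unused port.

```python
"""TCP connect scan of a few local ports (added example, not from the posts).

'open'     : three-way handshake completed, i.e. something is listening.
'closed'   : the host answered the SYN with RST (ECONNREFUSED).
'filtered' : no answer within the timeout, or the host was unreachable,
             which is what a firewall silently dropping the SYN looks like.
"""
import socket
import threading


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Classify each port with a full TCP connect; returns {port: state}."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError:
                # e.g. EHOSTUNREACH / ENETUNREACH: nmap also reports filtered
                results[port] = "filtered"
            else:
                results[port] = "open"
    return results


def start_listener(host: str = "127.0.0.1") -> tuple:
    """Start a throwaway TCP listener on an ephemeral port.

    Constructed for the example; returns (port, close_fn). The accept loop
    closes each connection immediately, it only exists to complete handshakes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def close():
        stop.set()
        worker.join()
        srv.close()

    return port, close


def find_free_port(host: str = "127.0.0.1") -> int:
    """Return a port nothing listens on, to show the 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan the listener, a free port, and the local port of an outbound
    client connection. Only the listener is 'open' to the scanner."""
    open_port, close = start_listener()
    closed_port = find_free_port()
    client = socket.create_connection(("127.0.0.1", open_port))
    client_port = client.getsockname()[1]  # the "open connection" a client has
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port, client_port])
    finally:
        client.close()
        close()
    return {
        "listening": scan[open_port],
        "not_listening": scan[closed_port],
        "client_side_of_connection": scan[client_port],
    }


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:>27}: {state}")
```

Against a pfSense box the equivalent is `nmap -sT <firewall-lan-ip>` from a LAN host, which is the probe Bill suggests for provoking Snort alerts; a port that shows "filtered" there is one pf is dropping, not one that is closed.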

  • Suricata unable to install Snort VRT rules

    2
    0 Votes
    2 Posts
    2k Views
    BBcan177

    See the following thread:

    https://forum.pfsense.org/index.php?topic=79918.0#lastPost

  • Squid3-dev Transparent Mode

    5
    0 Votes
    5 Posts
    2k Views

    @KOM:

    Enable Squid3-dev Transparent Proxy then disable SquidGuard3.  Does it work now?  Squid by itself doesn't do any blocking, only caching.  SquidGuard does the blocking.

    I have disabled SquidGuard, set the proxy interface as LAN in Squid and enabled Transparent mode, no SSL filtering.
    It still gives the same error, i.e. TCP_MISS 403

    @KOM:

    Here's the thing about SSL filtering.  To do it, you will need to do one of the following:

    install a certificate on every client, or set the proxy server on every client

    You have to touch the client one way or the other, so you may as well use Squid2 which is stable.  Block off outgoing port 80 so that only the proxy has web access, set the proxy server for all your static IP clients and then set up WPAD for DHCP clients.

    I believe that HTTPS bypasses Squid unless you have it manually set to be your proxy or you're running transparently with a cert installed.  Same reason why setting a domain block in SquidGuard doesn't work for HTTPS.  HTTPS creates a point-to-point encrypted tunnel between you and the external server.  Squid has no idea what's going on unless it's "inside" the encrypted tunnel, and it can only do that if you have your client it manually set to use pfSense as your web proxy, or if you're using a certificate on the client to trust your pfSense server.

    I will surely try this method. SquidGuard or SquidGuard-devel has to be used with Squid2, because those two SquidGuard versions might not work with Squid3.
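An added example (not code from the post or from Squid) illustrating the limit KOM describes: without a CA certificate the client trusts, a transparent proxy sitting on the path of an HTTPS connection can read only the TLS handshake, and the single plaintext field in it that names the destination is the Server Name Indication extension of the ClientHello (RFC 6066). The URL path, headers and cookies that SquidGuard's URL and expression rules act on are inside the encrypted tunnel. The script builds a minimal ClientHello in-script (a constructed record, not a capture) and parses the SNI host name back out of it; the parser rejects anything that is not a ClientHello rather than silently reporting "no SNI".

```python
"""What an on-path proxy can read from an HTTPS connection without a
client-trusted CA: the SNI host name in the ClientHello, and nothing else
about the request. Added example; the ClientHello is constructed here.
"""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI extension.

    Constructed for illustration: real clients send many cipher suites and
    extensions, but the field layout parsed by extract_sni() is the same.
    """
    name = hostname.encode("ascii")
    # server_name extension: list length, then (name_type=0 host_name, len, name)
    sni_entry = struct.pack("!BH", 0, len(name)) + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + bytes(32)                                # random (zeros; constructed)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # ClientHello, 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if the
    hello carries no server_name extension. Raises ValueError for input that
    is not a ClientHello, so garbage is never misread as 'no SNI'."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                    # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len                              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                               # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                               # skip compression_methods
    if pos + 2 > len(body):
        return None                                 # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:                         # only server_name matters here
            continue
        lpos = 2                                    # skip the server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            nval = edata[lpos + 3:lpos + 3 + nlen]
            if ntype == 0:                          # host_name
                return nval.decode("ascii", errors="replace")
            lpos += 3 + nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.youtube.com")
    print("proxy sees host:", extract_sni(hello))
    print("proxy sees path/cookies: (encrypted)")
```

A domain name is therefore the most a transparent proxy can make a decision on for HTTPS; anything that needs the URL or headers, such as the SquidGuard expression and URL lists, still requires the explicit proxy or the client-installed certificate KOM lists.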

  • Apache breaks WebConfigurator?

    8
    0 Votes
    8 Posts
    1k Views
    arrmo

    Makes complete sense, and agree with you!

    This is a smaller (home) environment, so having a separate machine just to serve a web page or two is a bit of an overkill … ;).

    Thanks!

  • Multiple problems with Suricata service - (instability and crashes)

    11
    0 Votes
    11 Posts
    4k Views

    It crashed a few times on my guest wifi network.

    3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 65535 defrag trackers of size 88
    3/8/2014 -- 14:37:18 - <info> -- defrag memory usage: 6553512 bytes, maximum: 33554432
    3/8/2014 -- 14:37:18 - <info> -- AutoFP mode using "Active Packets" flow load balancer
    3/8/2014 -- 14:37:18 - <info> -- preallocated 1024 packets. Total memory 3135488
    3/8/2014 -- 14:37:18 - <info> -- allocated 49152 bytes of memory for the host hash... 4096 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 1000 hosts of size 60
    3/8/2014 -- 14:37:18 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
    3/8/2014 -- 14:37:18 - <info> -- allocated 786432 bytes of memory for the flow hash... 65536 buckets of size 12
    3/8/2014 -- 14:37:18 - <info> -- preallocated 10000 flows of size 144
    3/8/2014 -- 14:37:18 - <info> -- flow memory usage: 2226432 bytes, maximum: 33554432
    3/8/2014 -- 14:37:18 - <info> -- IP reputation disabled
    3/8/2014 -- 14:37:18 - <info> -- Added "35" classification types from the classification file
    3/8/2014 -- 14:37:18 - <info> -- Added "19" reference types from the reference.config file
    3/8/2014 -- 14:37:18 - <info> -- using magic-file /usr/share/misc/magic
    3/8/2014 -- 14:37:18 - <info> -- Delayed detect disabled
    3/8/2014 -- 14:37:45 - <info> -- 2 rule files processed. 14865 rules successfully loaded, 0 rules failed
    3/8/2014 -- 14:38:47 - <info> -- 14873 signatures processed. 891 are IP-only rules, 4227 are inspecting packet payload, 11353 inspect application layer, 0 are decoder event only
    3/8/2014 -- 14:38:47 - <info> -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    3/8/2014 -- 14:38:52 - <info> -- building signature grouping structure, stage 2: building source address list... complete
    3/8/2014 -- 14:39:46 - <info> -- building signature grouping structure, stage 3: building destination address lists... complete
    3/8/2014 -- 14:40:03 - <info> -- Threshold config parsed: 0 rule(s) found
    3/8/2014 -- 14:40:03 - <info> -- Core dump size is unlimited.
    3/8/2014 -- 14:40:03 - <info> -- fast output device (regular) initialized: alerts.log
    3/8/2014 -- 14:40:03 - <info> -- http-log output device (regular) initialized: http.log
    3/8/2014 -- 14:40:03 - <info> -- Using 1 live device(s).
    3/8/2014 -- 14:40:04 - <info> -- using interface ath0_wlan1
    3/8/2014 -- 14:40:04 - <info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    3/8/2014 -- 14:40:04 - <info> -- Found an MTU of 1500 for 'ath0_wlan1'
    3/8/2014 -- 14:40:04 - <info> -- Set snaplen to 1500 for 'ath0_wlan1'
    3/8/2014 -- 14:40:04 - <info> -- RunModeIdsPcapAutoFp initialised
    3/8/2014 -- 14:40:04 - <info> -- stream "max-sessions": 262144
    3/8/2014 -- 14:40:04 - <info> -- stream "prealloc-sessions": 32768
    3/8/2014 -- 14:40:04 - <info> -- stream "memcap": 33554432
    3/8/2014 -- 14:40:04 - <info> -- stream "midstream" session pickups: disabled
    3/8/2014 -- 14:40:04 - <info> -- stream "async-oneside": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream "checksum-validation": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream."inline": disabled
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "memcap": 67108864
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "depth": 0
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toserver-chunk-size": 2560
    3/8/2014 -- 14:40:04 - <info> -- stream.reassembly "toclient-chunk-size": 2560
    3/8/2014 -- 14:40:04 - <info> -- all 2 packet processing threads, 1 management threads initialized, engine started.
    3/8/2014 -- 14:40:04 - <info> -- Signal Received.  Stopping engine.
    3/8/2014 -- 14:40:04 - <info> -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
    3/8/2014 -- 14:40:04 - <info> -- time elapsed 0.261s
    3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Packets 0, bytes 0
    3/8/2014 -- 14:40:04 - <info> -- (RxPcapath0_) Pcap Total:0 Recv:0 Drop:0 (nan%).
    3/8/2014 -- 14:40:04 - <info> -- AutoFP - Total flow handler queues - 1
    3/8/2014 -- 14:40:04 - <info> -- AutoFP - Queue 0  - pkts: 0            flows: 0
    3/8/2014 -- 14:40:04 - <info> -- Stream TCP processed 0 TCP packets
    3/8/2014 -- 14:40:04 - <info> -- Fast log output wrote 0 alerts
    3/8/2014 -- 14:40:04 - <info> -- HTTP logger logged 0 requests
    3/8/2014 -- 14:40:04 - <info> -- host memory usage: 109152 bytes, maximum: 16777216
    3/8/2014 -- 14:40:05 - <info> -- cleaning up signature grouping structure... complete
    3/8/2014 -- 14:40:06 - <error> -- [ERRCODE: UNKNOWN_ERROR(87)] - Child died unexpectedly

    That's a wifi interface off pfSense

  • Enforcing Youtube Safety Mode

    17
    0 Votes
    17 Posts
    9k Views

    @sowen:

    Well…yes, no and maybe....

    The header rewrite

    $rewrite_item[] = array(F_TARGETURL => '(http://www.youtube.com/watch?v=.*)', F_REPLACETO => '\1&edufilter=XXXXXXXXXXXXXXXXXXXXXXXX', F_MODE => 'i');

    Forces the users to use your specific educational channel, which you can then control.

    However, I do not know how to rewrite the header to force all proxy users to use "safety mode".

    YouTube Safety Mode is enforced by rewriting a specific cookie in client request headers, while SafeSearch (for google etc...) is enforced by simply adding a string to the request URL (which is what the edufilter filtering does).

    a quick google of "rewrite youtube header to use safety mode" brings up some info, but most of it is at least a couple years old and I'm not sure how (or if) it could be implemented in pfSense / squidguard.

    Youtube Safe Search

    RewriteCond URL .*youtube.com.*
    RewriteHeader Cookie: (.*) PREF=f2=8000000

    RewriteRule (.*)?youtube.com(.*?.*) $1youtube.com$2&safety_mode=true [I,L]

    ; === Safety Mode for YouTube ===
    <proxy bc_safesearch_youtube_cookies>
        url.domain=youtube.com
        request.header.cookie="PREF=" action.BC_SafeSearch_YouTube_Cookie_Rewrite(yes)
        action.BC_SafeSearch_YouTube_Cookie_append(yes)
    define action BC_SafeSearch_YouTube_Cookie_Rewrite
        rewrite( request.header.Cookie, "(PREF=[^,]+)", "$(1)&f2=8000000" )
    end
    define action BC_SafeSearch_YouTube_Cookie_append
        append( request.header.Cookie, "PREF=f2=8000000" )
    end
    ; === End of Safety Mode for YouTube ===

    Do I need to edit cookies in the individual browser? If so, then it's not a feasible option because cookies will be erased if we clear the history.
    Somehow SquidGuard has to come up with the solution for this.
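An added example, not code from the post, SquidGuard or Blue Coat, showing the two rewrite mechanics the thread describes as plain functions: the URL rewrite that appends a query parameter to YouTube requests (the `safety_mode=true` parameter from the quoted RewriteRule; the `$rewrite_item[]` entry does the same with `edufilter=`), and the Cookie header rewrite that forces the `PREF` cookie to carry `f2=8000000`, appending a `PREF` cookie when the client sends none, as the quoted Blue Coat actions do. Because the rewrite happens in the proxy on every request, it does not depend on cookies stored in the browser, which is the question asked above. Whether YouTube still honours these particular values is outside this page; the mechanics are what the example shows. The hosts list and the request dictionary layout are assumptions for the example. Note one pitfall the Blue Coat regex `PREF=[^,]+` has: cookies in a Cookie header are separated by `;`, not `,`, so that pattern would swallow every cookie after `PREF` into the rewrite; the function below splits on `;`.

```python
"""Proxy-side request rewriting for YouTube safety mode (added example).

rewrite_url:           add/overwrite one query parameter on YouTube URLs.
rewrite_cookie_header: force the PREF cookie to contain f2=8000000.
rewrite_request:       apply both to a (url, headers) pair; non-YouTube
                       requests pass through untouched.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed host list for the example; a real deployment would take it from config.
YOUTUBE_HOSTS = ("youtube.com", "www.youtube.com", "m.youtube.com")


def rewrite_url(url: str, param: str = "safety_mode", value: str = "true") -> str:
    """Add (or overwrite) one query parameter on YouTube URLs; others untouched.

    Parsing the query instead of appending '&param=value' as a string avoids
    producing '/?&safety_mode=true' on URLs without a query and avoids leaving a
    client-supplied 'safety_mode=false' in place ahead of ours.
    """
    parts = urlsplit(url)
    if (parts.hostname or "") not in YOUTUBE_HOSTS:
        return url
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def rewrite_cookie_header(cookie_header: str, flag: str = "f2=8000000") -> str:
    """Force the PREF cookie to carry `flag` (key=value inside PREF's '&' list).

    Cookies are '; '-separated; PREF's value is itself '&'-separated pairs.
    An existing f2 pair is replaced, other PREF pairs and other cookies are
    kept, and a missing PREF cookie is appended (the Blue Coat 'append' case).
    """
    key = flag.partition("=")[0]
    cookies = [c.strip() for c in cookie_header.split(";") if c.strip()]
    out = []
    seen_pref = False
    for cookie in cookies:
        name, _, value = cookie.partition("=")
        if name != "PREF":
            out.append(cookie)
            continue
        seen_pref = True
        pairs = [p for p in value.split("&") if p and not p.startswith(key + "=")]
        pairs.append(flag)
        out.append("PREF=" + "&".join(pairs))
    if not seen_pref:
        out.append("PREF=" + flag)
    return "; ".join(out)


def rewrite_request(url: str, headers: dict) -> tuple:
    """Apply both rewrites to one request; returns (url, headers).

    `headers` is a plain {name: value} dict (assumed shape for the example).
    """
    if (urlsplit(url).hostname or "") not in YOUTUBE_HOSTS:
        return url, dict(headers)
    new_headers = dict(headers)
    new_headers["Cookie"] = rewrite_cookie_header(headers.get("Cookie", ""))
    return rewrite_url(url), new_headers


if __name__ == "__main__":
    # Constructed sample request, the kind a browser sends through the proxy.
    u, h = rewrite_request(
        "http://www.youtube.com/watch?v=dQw4w9WgXcQ",
        {"Host": "www.youtube.com", "Cookie": "SID=abc; PREF=hl=en&f1=50000000"},
    )
    print(u)
    print(h["Cookie"])
```

As KOM points out in the Squid3-dev thread on this same page, a rewrite like this only ever sees plaintext HTTP; for HTTPS the proxy must be explicitly configured on the client or hold a client-trusted certificate, otherwise neither the URL nor the Cookie header is visible to it.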

  • Squid reverse proxy with multiple domains

    1
    0 Votes
    1 Posts
    675 Views
    No one has replied
  • [cron?] automatic Restart of HAPROXY if ping fails…

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • SNORT Bug?

    14
    0 Votes
    14 Posts
    2k Views
    BBcan177

    @canux:

    Thanks for the info.  Do you have a paid subscription as well?

    Yes I use a Snort VRT and ET Pro subscription. Some of the other boxes I have use the Open Snort and ET Rulesets.

    Did you upgrade Snort to the latest version? There were two releases fairly recently.

  • Error 422 - Snort VRT Updates - SOLVED

    2
    0 Votes
    2 Posts
    3k Views

    This issue can be corrected by upgrading to Snort 2.9.6.2 pkg v3.1.1.

    ;D

  • Proxy blocking https

    1
    0 Votes
    1 Posts
    538 Views
    No one has replied
  • Squid3-dev - disk cache problem

    1
    0 Votes
    1 Posts
    750 Views
    No one has replied
  • Sarg Error on generating reports

    5
    0 Votes
    5 Posts
    1k Views

    @KOM:

    If I remember right, you had to have users_sites and sites_users selected or it won't work.

    They are both currently selected.

  • HAVP - HTTP Antivirus Proxy Version

    3
    0 Votes
    3 Posts
    1k Views

    I was a bit confused because most of the tutorials online for HAVP show the version number being reported. I guess it's nothing to be worried about. Thanks for the reply.

    My HAVP Alert dashboard widget is working:

    I am running the 2.1.4-RELEASE (i386) inside VMware ESXi.

  • Pfsense2.1.4+squid+dansguardian+Ldap

    3
    0 Votes
    3 Posts
    1k Views

    Hello

    I found a solution for disabling the default setting "http_access allow localhost"; the default settings are in /usr/local/pkg/squid.inc.
    Maybe someone can find this useful.

    I have a second question I need some help with.
    Now Dansguardian filter groups are working, but it asks the user for credentials every time you start the browser. Is it possible to use domain login credentials with the browser, so when you log in to the computer you automatically get the rules for using the internet?

    Regards
    Binkec

  • HAVP Error Messages at Package Start

    4
    0 Votes
    4 Posts
    1k Views

    As I hate reading unresolved forum posts when googling for solutions, I'll give some feedback, belatedly…

    Solved it by reinstalling everything, because other problems appeared soon after this one due to a hard disk failure.

    Thanks for your reply anyway doctornotor, I missed it at the time.  :( I think I looked for line 42, but I don't remember why I didn't post it...

    Now fighting with other things (HAVP blocking fine, syslog entries there, but dashboard widget not showing alarms anymore on 2.1.4),
    but that's another post if reinstalling doesn't solve it...

    itsol

  • Filtering HTTP/HTTPs with NSFilter package

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.