Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    We installed haproxy on a Netgate 8200 device running 25.07.1-RELEASE (amd64), installed acme certificates and got a certificate from letsencrypt, everything ok. Checked SSL offload in the frontend and selected the acme-generated certificate under SSL Offloading. Result after Apply Changes:
    Errors found while starting haproxy
    [NOTICE] (72045) : haproxy version is 2.9.14-7c591d5
    [NOTICE] (72045) : path to executable is /usr/local/sbin/haproxy
    [ALERT] (72045) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_WAN_117.pem' (No such file or directory).
    [ALERT] (72045) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:15] : 'bind x.x.x.x:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_WAN_117.pem
    [ALERT] (72045) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
    [ALERT] (72045) : config : Fatal errors found in configuration.
    The _devel package also has the same issue. On other boxes where haproxy was configured on 24.11 and upgraded to 25.07.1 it is working. BUG?? So what can we do now? We need this function. Thank you all in advance.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks
    @RedDelPaPa said in Suricata ETOpen rules failing to update: @bmeeks This makes sense. I was able to tweak with it some and inserted a custom url for the Suricata v5.0 rules files and it seems like it was able to pull a usable update? What do you think? Will this work ok for now? Thank you! Should be okay so long as the v5 rules don't contain any syntax that is too "new" for the older 4.x Suricata binary on your system. The SG-3100 has a 32-bit ARM CPU which is basically obsolete. Suricata from version 5.x on moved critical pieces of code over to Rust from pure C. There is no "buildable" Rust library for 32-bit ARM chips, hence Suricata on the SG-3100 is stuck on an old and EOL (end-of-life) version. In my opinion, it's time to retire that hardware and move to a modern 64-bit Intel platform.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:
    /usr/sbin/chown -R nobody:nobody /var/db/ntopng
    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    @netboy Most probably a configuration regression. You really need to dig deeper. From which pf version did you upgrade? Have you tried removing and reinstalling pfblockerng? Looking at the moon for craters with the naked eye doesn't show the one that the crashed spaceship created. Use a telescope instead. FWIW, I see quite a few pfblockerng instances on 25.07.1 running with no (apparent) issues too.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    I didn't say you should remove the override.ups.delay.shutdown directive, I said you should remove the ignorelb directive. Ok, I will test without the ignorelb directive. Also, you do not have anything in the Advanced settings section, correct? Yes. As to running a calibration test, consult your UPS manual or support from the manufacturer of your UPS. If I find anything, I will search tomorrow.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the letsencrypt TXT DNS record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky, still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6 (Freshports).
    pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg
    Changelog
  • Discussions about WireGuard

    712 Topics
    4k Posts
    chpalmer
    @dean.viens What kind of internet services are on the two endpoints? I ask because some modems such as cellular modems can cause issues with VPNs once in a while. I assume you are using the standard ports?? Have you tried a different port such as 8443, or one of the GUI ports you are not using, 80 or 443? If you set the incoming rule to log the traffic, do you see the attempts in the firewall log? Long story short here.. are you sure the traffic from router two is making it to router 1 and vice versa?
  • 0 Votes
    1 Posts
    682 Views
    No one has replied
  • Squid/Sarg truthful?

    0 Votes
    2 Posts
    809 Views
    Ignore me :o I have a small error in my code (OK, major), which is saving my log files a day behind…. All the IPs I see were yesterday's.
  • Captive portal quirk

    0 Votes
    1 Posts
    548 Views
    No one has replied
  • FreeRadius2 and OTP

    0 Votes
    4 Posts
    2k Views
    @cthurner: Hello, thanks for your reply. I have used the radtest tool on the command line to test the OTP authentication as described here https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package. As password I have used the OTP that has been created by DroidOTP on my Android phone. I don't think I have mistyped anything. Furthermore I have compared the otpverify.sh from http://motp.sourceforge.net/bash/otpverify.sh with the version provided by the freeradius2 package. The original script uses "OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6" (in line 104) whereas the freeradius version uses "OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6". In my understanding the second version is wrong, as it only uses the 6th character instead of the first 6 characters. Therefore any authentication request via radius will be rejected. With my modification it works. So I think this is indeed a bug. CU Christian
    I try to explain it again for you. On the GUI YOU probably typed: 6. This is "wrong" because it only uses character 6 (just one character). On the GUI you MUST type: 1-6. This uses characters 1, 2, 3, 4, 5, 6.
  • TCP request redirection in HAProxy

    0 Votes
    2 Posts
    1k Views
    TCP does not have a notion of a "request". TCP is just a binary stream of data, like a file stream. What you would need is a reverse proxy that could forward based on the mysql protocol. My guess is this has not been done as it sounds like there is a better way to handle this, but I could be wrong. Hopefully someone can help you with whether this can be done.
  • Remote Pfsense without Dynamic Ip

    0 Votes
    8 Posts
    2k Views
    jimp
    If your WAN IP is public, DynDNS will let you reach it. If your WAN IP is private and you control your modem/router ahead of you, then set it to pass the traffic into your pfSense (e.g. port forward, "DMZ", etc) and you can still use DynDNS. If your WAN IP is private and your ISP is performing Carrier-Grade NAT then in all likelihood you have no way to receive inbound traffic for remote management. If you have another location that has a public address, you could do a site-to-site tunnel to there, and then have a remote access VPN connect to that and hop across a site-to-site VPN to reach the router that's stuck behind NAT.
  • Squid-2.7.9_3-amd64 package will not install

    0 Votes
    2 Posts
    2k Views
    I had the same issue, i386 version though. After two retries it worked for me.
  • Dansguardian Web Upload banned

    0 Votes
    3 Posts
    1k Views
    @percyiii:
    fetch -o /usr/pbi/dansguardian-amd64/sbin/dansguardian "http://e-sac.siteseguro.ws/pfsense/8/amd64/dansguardian"
    save one of the dansguardian pages.. check make sure it started… check make sure the web upload is now working
    Now the how-to had fetch to e-sac.siteseguro.ws going into /usr/local/sbin. /usr/local/sbin is symlinked to /usr/pbi/dansguardian-amd64/.sbin/dansguardian. But the only way I could get it to work was to fetch to /usr/pbi/dansguardian-amd64/sbin, not .sbin.. Does Dans use both executables? Which one runs? I fetch to /usr/pbi/dansguardian-amd64/sbin which seems to work fine for me.
  • Help me explain and fix this problem

    0 Votes
    2 Posts
    848 Views
    KOM
    This has been answered in previous forum posts:
    https://forum.pfsense.org/index.php?topic=43154.0
    https://forum.pfsense.org/index.php?topic=64264.0
    https://forum.pfsense.org/index.php?topic=54180.0
    https://forum.pfsense.org/index.php?topic=48139.0
    etc etc
  • Squidguard question

    0 Votes
    3 Posts
    980 Views
    KOM
    In the menu, look at Services - proxy filter.  From there, use Times to create your schedule.  Then go to Groups ACL to create groups of IP addresses and what they are allowed to access, and link them to the schedule.
  • HAVP - Problem virus not alert but detect

    0 Votes
    2 Posts
    1k Views
    https://forum.pfsense.org/index.php?topic=18714.msg96295#msg96295
    Same problem with me, but still no solution. Btw after restart it will be false again, and mine will be like this: "can't connect to clamd: No such file or directory". I fix it using this every reboot:
    mkdir /var/run/clamav
    ln -s /var/run/clamd.pid /var/run/clamav/clamd.pid
    ln -s /var/run/clamd.sock /var/run/clamav/clamd.sock
  • Pfsense freeradius webGUI vs config files (proxy.conf /

    1 Votes
    3 Posts
    2k Views
    I'd be interested in how to do this too??
  • SNORT - Reverse , dnstunnel block help

    0 Votes
    4 Posts
    2k Views
    bmeeks
    @BBcan177: I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps. This is a very effective way to handle the potential issue.  Restrict all LAN DNS traffic to just your internal DNS server (or servers), then further restrict outbound DNS (on WAN) to designated forwarders. There are some DNS policy rules in the Emerging Threats family that can help as well, but in my view the easiest method is restricting outbound DNS to only authorized hosts. Bill
  • Squid Proxy stops working after 2 minutes??

    0 Votes
    5 Posts
    2k Views
    KOM
    I'm no expert either.  I just try to help people if I can. To get to the log, first login to the shell (option 8 in the pfSense text menu). From there, go to /var/log and look for squidGuard.log.  Maybe take a look at the system.log while you're at it. I can't even begin to tell you what to look for other than obvious errors.
  • Squid install not working

    0 Votes
    2 Posts
    1k Views
    jimp
    1.2.3 is no longer supported. Squid+SquidGuard on NanoBSD on 1.2.3 even less so. There could be some remnant of a past installation somewhere on the drive in /usr/local/pkg/ or in the config.xml that needs to be cleaned out. Not enough info to say, but you should really be running the latest version (2.1.x) and not 1.2.x.
  • Many havp processes. OK?

    0 Votes
    3 Posts
    927 Views
    It is a pity that I did not get any answer… :'( Havp seems to be running, although I can see many log entries:
    havp[35911]: connect() failed: Address family not supported by protocol family
    havp[78165]: connect() failed: Operation not permitted
    havp[19896]: connect() failed: Address family not supported by protocol family
  • Squid 3.3.10 pkg 2.2.4 not starting

    0 Votes
    4 Posts
    2k Views
    Updated to pkg 2.2.5 yesterday, Squid refuses to start. However the error message has changed, it is now:
    php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2014/06/10 13:23:33| parse_peer: token='round-robinssl'
    FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 98: cache_peer 10.0.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exchange
    Squid Cache (Version 3.3.10): Terminated abnormally.
    CPU Usage: 0.015 seconds = 0.007 user + 0.007 sys
    Maximum Resident Size: 29312 KB
    Page faults with physical i/o: 0'
    and then:
    squid: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 98: cache_peer 10.0.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exchange
    Obviously there is some code in the config pointing to a server that does not exist any more. Can I delete this line? I could not find any point in the GUI pointing to this retired server and I have never configured a cache_peer. Thank you for your hints, cheers thafener
  • TCP_DENIED/411 POST

    0 Votes
    3 Posts
    1k Views
    Sorry everyone… Bump
  • Suricata 1.4.6 pkg v1.0.2 – Update Release Notes

    0 Votes
    41 Posts
    7k Views
    bmeeks
    @jflsakfja: Bug: Blocked tab:
    Warning: inet_pton(): Unrecognized address TCP in /usr/local/www/suricata/suricata_blocked.php on line 247
    Warning: inet_pton(): Unrecognized address TCP in /usr/local/www/suricata/suricata_blocked.php on line 247
    Rule that caused it: files.rules: 1:22 FILE pdf claimed, but not pdf <<< fires up when spiders (eg googlebot) try to download a part of a pdf, therefore DELETE UPSTREAM (part after <<< is in the upcoming suricata topic)
    It also breaks the alerts tab, with text all over the place.
    Thanks for the report. I will add this to my list. I'm holding the next Suricata hoping the Ports tree on FreeBSD will soon update to the 2.0.x Suricata branch. Bill
  • Squid not working in no-transparent mode

    0 Votes
    5 Posts
    1k Views
    KOM, I use the no-transparent mode to block the internet connection for a user
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.