Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pfBlockerNG aliases in HAProxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nian

    @bmeeks So after upgrading to the newest pfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new pfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to back it up, or also with a cron job.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts

    @njaimo There's a note on https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html

    Python Module Order:

    Controls the position of the Python module in the DNS resolution process. If DNSSEC is disabled, this option has no effect.
    Pre Validator: The script is run before DNSSEC validation.
    Post Validator: The script is run after DNSSEC validation.

    Since we normally forward (to Quad9) we disable DNSSEC.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan

    @EChondo

    What's your pfSense version?
    The instructions are shown here:


    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered them automatically. Only restarting FRR (either in the GUI or via the CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI, it seemed to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    690 Topics
    4k Posts

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

  • Snort alerts - surely there's more?

    0 Votes
    14 Posts
    5k Views
    bmeeks

    @fearnothing:

    OK, posts since last noob question just got reset back to zero :-[. Now it's beginning to make sense. Tutorials are very good at saying "Do A, then B, then C" but when you ask them why they tend to just go quiet.

    Don't despair. There are lots of knowledgeable folks here ready to help. None of us know it all. I read just today a quote that is appropriate: "everyone you meet knows something you do not". A corollary would be "all of us are noobs about lots of stuff"... ;). The whole IDS/IPS world can be a confusing maze to navigate. Add to that all the wonderful open source options out there and it can be daunting. One downside of open source software is most developers are happier writing and tweaking code than producing usable documentation. I include myself in that characterization... :-[

    That last comment reminds me to mention that an update to the documentation for Snort and Suricata on the pfSense Doc Wiki is needed. I started some updates for Snort a month or two back, but have not gotten anything posted for Suricata yet. If there is a willing user out there, any help would be welcomed. You can contact the pfSense guys to get a Wiki account that allows updating.

    Bill

  • IMSpector 20111108 pkg v 0.3.2 MySQL Logging Problem

    0 Votes
    6 Posts
    1k Views

    Install IMSpector from the package, and then install it from the shell with pkg_add. Depending on your MySQL server, you need to install the proper version of mysql_client.

    pkg_add will not change the version of the package; just install it manually with the FreeBSD package manager.

  • Snort not restarting after rules update - 2.1.3- 2.9.6.0 pkg v3.0.8

    0 Votes
    4 Posts
    1k Views
    BBcan177

    I have intermittent issues with Snort Interfaces Exiting on Error, usually following a Rules Update.
    When it happens it happens to several boxes at a time.

    But the logs don't show very much information to help diagnose why it's failing. I think it would be good to have a "debug" option where more detailed logs could be enabled as required to help diagnose issues better.

    All of my boxes are on Static so they don't renew their addresses.

  • Pfblocker and emails

    0 Votes
    7 Posts
    2k Views
    BBcan177

    @foresthus:

    How many lists can be added to pfBlocker? Where is the limit?

    I haven't seen any information stating that it has a limit on the number of lists. I have a box with about 30 main lists (on the "List" tab) and within each of those, I have multiple lists.

    Only thing you need to watch for is the max number of IPs in the Tables.

    Advanced:Firewall:Firewall/NAT - Firewall Maximum Table Entries

    Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined. Note: Leave this blank for the default.

  • [Suricata 1.4.6 v1.0.2] Streaming Content issues

    0 Votes
    5 Posts
    15k Views

    Those rules were evaluated as false positives on "closed" networks (limited number of users), all trusted. They mostly fired on wifi clients, hence the "wifi clients moving around" comment.

    That "category" of rules (weird traffic) was generally caused either by a wifi client moving from point A to point B and missing a couple of packets, or more rarely by Suricata itself, that is, after Suricata has cleared the states for a blocked host. Technically the firewall then has no record of an active connection, which triggers the "weird traffic" category.

    As I said, false positives. Disable.

    Note: By "category" I'm talking about my own categories. There are 3 of them:
    1) Rules that should have their creators exiled from Earth; subcategories: idiotic rules (simple HTTP request), stupidly outdated rules (Firefox 3.x rules).
    2) Weird traffic rules, including "unknown" traffic, or theoretically impossible traffic (in theory, theory and practice are equal. Practically they are not).
    3) Rules whose creators should be honored with Nobel prizes and generally thought of as humanity's $deities.

  • Help with stuck/botched Avahi install

    0 Votes
    1 Posts
    682 Views
    No one has replied
  • New packages: Zabbix-2 Agent and Zabbix-2 Proxy

    0 Votes
    10 Posts
    18k Views

    I also want to pipe in and say Thank You!
    I also have it in a working environment.
    It works perfectly.
    Now if I can only get it to work on FreeNAS... :-\

  • NTLM Auth - Dansguardian broken package 2.12.0.3_2 pkg v.0.1.9 ?

    0 Votes
    2 Posts
    993 Views

    I've given up on using Dansguardian on pfSense, since the current package doesn't work with the NTLM plugin, which is a requisite for my implementation.

    I'm using squidguard now.

  • Stopping NTOP

    0 Votes
    2 Posts
    703 Views

    Ok,
    I've resolved it.

    cd /usr/local/etc/rc.d/
    touch ztop.sh
    chmod +x ztop.sh
    vi ztop.sh

    put this line in the file:

    /usr/local/etc/rc.d/ntop.sh stop

    save and reboot

  • Squid3-dev + pfsense 2.1.3 release

    0 Votes
    1 Posts
    725 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views

    Thx finalcut, that runs like a charm :)

  • I cannot install a package in pfSense, how can I solve this problem?

    0 Votes
    1 Posts
    633 Views
    No one has replied
  • Lightsquid Cron problems

    0 Votes
    3 Posts
    1k Views

    I guess the problem happens when users like me disable the hard disk cache system (value null instead of ufs).

    I don't use squid for caching things; I only keep a record of activity.

    If I don't want a hard disk cache, what shall I do to remove the warnings?

  • PfBlocker in Alias Only Mode - Help

    0 Votes
    7 Posts
    2k Views

    Thanks Rick.

  • NUT + APC Back-UPS CS 350 not working

    0 Votes
    3 Posts
    2k Views

    Hi, thanks for the answer. I tried all the APC combination settings; nothing works.

    My NUT settings (I want to use only a local USB UPS):


  • Reverse-squid OWA, ActiveSync attachment problem

    0 Votes
    1 Posts
    865 Views
    No one has replied
  • Tincd and nat

    0 Votes
    4 Posts
    2k Views

    Well, this worked. Thanks. I forgot about the interface assign page...

  • Brain-dead postfix postscreen function

    0 Votes
    6 Posts
    2k Views

    If anyone is running postfix and doesn't find this too fugly ;) I found this about how to whitelist Google servers:

    Comparing the list of subnets to one seen in another thread (now lost) it seems they haven't changed in over a year. Not too surprising, since they are pretty big subnets.

    Paste the following into Services > Postfix Forwarder > Access Lists > Client Access Lists > CIDR:

    # Google IPv4 addresses
    64.18.0.0/20 permit
    64.233.160.0/19 permit
    66.102.0.0/20 permit
    66.249.80.0/20 permit
    72.14.192.0/18 permit
    74.125.0.0/16 permit
    173.194.0.0/16 permit
    207.126.144.0/20 permit
    209.85.128.0/17 permit
    216.239.32.0/19 permit
    # Google IPv6 addresses
    2001:4860:4000::/36 permit
    2404:6800:4000::/36 permit
    2607:f8b0:4000::/36 permit
    2800:3f0:4000::/36 permit
    2a00:1450:4000::/36 permit
    2c0f:fb50:4000::/36 permit

    Haven't been able to find anything similar for Hotmail, but no one I know uses it anyway :)

  • Lightsquid reports via email

    0 Votes
    2 Posts
    2k Views
    jimp

    I've seen it done with mailreports before.

    You can use "/usr/bin/fetch -o - https://[…]" to include the contents of the page in the report, though I seem to remember that having a formatting issue of some sort.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.