Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    Hello all, please don't shoot me on sight, I'm one of those who kind of set things up by following tutorials and actually see how things look on screen. And English is not my native language either. I set up HAProxy with the pfSense package for Nextcloud, which runs as a VM at IP 192.168.1.214. It has a self-signed cert. I created ACME with Porkbun as wildcard and all that works totally fine. BUT I have a big issue which I don't know how to solve. When I'm accessing nextcloud.mydomain.xx from the LOCAL LAN it serves the page fine, but it uses the self-signed cert. Will someone, please, show me by example how to create a working rule which will force pfSense to serve 192.168.1.214 and all its translation or whatever exclusively outside? Bear in mind that 214 has to be able to lurk in 192.168.1.0/24 also, since data storage is served by NFS on TrueNAS. 192.168.1.1 (pfSense IP), 192.168.1.214 (Nextcloud IP). All works fine from outside, but from the local LAN it bypasses HAProxy and serves the Nextcloud internal cert with the correct domain name nextcloud.mydomain.xx. Well, it seems that it only bypasses the cert part, since the domain works. Somehow it resolves. This is what the dig command returns from the local LAN:
    ;; ANSWER SECTION:
    nextcloud.domain.xx. 3600 IN A 192.168.1.1
    nextcloud.domain.xx. 3600 IN A 192.168.1.214
    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
    ;; WHEN: Thu Oct 30 08:48:37 CET 2025
    ;; MSG SIZE rcvd: 83
    The main problem here is that the Nextcloud app gets stuck when we are on the local network. It does not work since it gets a different cert. It does not even ask whether we want to accept it or not. Even if it did, it would be a bit weird to do that every time we come home. Many thanks in advance!
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    @Greyhat I think it's useful to work with what we've got and figure something out for the (I hope) edge cases later. So for the JSON I figured you can actually use an existing Suricata integration by co-opting their pipelines.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @dma_pf Debt collector, or debt relief service?
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypage
    @netboy said in Docker container for nut server?: "I am NOT installing docker in pfsense - of course this is a big security risk - I agree!!!" My apologies. I interpreted your earlier question ("I think I need to explain what I am asking for. I am fully aware that if your Netgate router is attached to a UPS you can configure Netgate. Let us say you have 5 UPS's in your home and you want the NUT server to read all the UPS's and show me a dashboard about the status of all the UPS's? Is there a ready-made Docker container for client/server NUT with dashboard functionality?") as a request to have something running on pfSense, which is why I responded "I believe most people would say that the type of thing you are asking for isn't something you want to run on your firewall. I recommend using a general purpose operating system behind the firewall instead." Mutual misunderstanding I guess. If you want to explore general NUT monitoring, and not something particular to pfSense, I would recommend the NUT Users list as a better place to seek information.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the ACME web GUI times out. When the ACME web GUI times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    92 Topics
    638 Posts
    @Vad-B Interesting indeed! I just tried to fill the Pre-authentication Key with file:/dev/null. I get a crash in pfSense after some time, but when I log in again it is saved. For me, after service restarts at least, this solves it, including the issue with the routes not being advertised even when set in the WebUI. Haven't done a full restart of pfSense (yet).
  • Discussions about WireGuard

    711 Topics
    4k Posts
    Hello, I'm wondering if it's possible to have a private VPN WireGuard server on pfSense and to also have a personal WireGuard server such that friends can link to your pfSense network but also be under the private VPN, NordVPN for example. Is that possible with routing?
  • FreeRaDIUS+OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    Thank you for replying to me. I'm already using "SSL/TLS + User-Auth" on the OpenVPN server, but the simultaneous check is not working. OpenVPN was configured with the Road-Warrior tutorial that I found on https://doc.pfsense.org/index.php/Tutorials.
  • [solved] How can I use the user management/right management in packages

    1
    0 Votes
    1 Posts
    682 Views
    No one has replied
  • Bind package Howto

    3
    0 Votes
    3 Posts
    3k Views
    No, but I tested it now with making a view: Recursion=no, Match-clients: any, Allow-recursion: any, but it's still not working. Can you post some pictures of your frontend so that I can see what is wrong? If there is anything critical you can cut it out or make it black. That would be very nice; I think I am not the only one with these start problems  ::)
  • Squid3 and squidguard not intercepting traffic or blocking blacklist

    5
    0 Votes
    5 Posts
    2k Views
    @BujangLapok: Had the same issue today with squidguard3-squid. The issue was that the path being used for squidguard.conf was not correct. A workaround:
    ln -s /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf /usr/pbi/squidguard-squid3-amd64/etc/squid/squidGuard.conf
    Then rebuild the blocklist DB manually with:
    squidGuard -db -C all
    I had had an ineffective squidGuard setup for a while. Investigating today, this fixed it. I'm not sure if I had some config sitting around from messing with different combinations of squid 2 and 3 and their respective squidguards over time and something hanging around. But anyway, I also had a messed up squidGuard.conf path and the ln -s fixed it.
  • EMail report DynDNS service

    2
    0 Votes
    2 Posts
    779 Views
    Solution: Changed the e-mail address to my "local" mail server (on the other side of the VPN tunnel) at the same time. It takes 3-4 minutes to re-establish the tunnel (although the DynDNS service is up to date, the OpenVPN client repeatedly tries with the old IP…) and in this time the e-mail gets lost somewhere...
  • 0 Votes
    1 Posts
    672 Views
    No one has replied
  • Snort - transfer config from one port to another?

    6
    0 Votes
    6 Posts
    1k Views
    BBcan177
    @irj972: thanks for the prompt response. I'll grab some beers and start setting up then….second thoughts, might be best to lay off the beer whilst setting up snort rules  :o As long as you are still drinking beers when you turn Snort back on ….  :)
  • Disabling (http_inspect) snort alerts

    2
    0 Votes
    2 Posts
    24k Views
    BBcan177
    @G.D.: Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work? From the following link, there are some recommendations to add some suppress actions to certain SIDs while leaving the HTTP_Pre-processor enabled. https://forum.pfsense.org/index.php?topic=64674.90 You should review them before applying. But generally they are OK to suppress. Here are the suppressions that I am using:
    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    suppress gen_id 120, sig_id 9
    #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
    suppress gen_id 120, sig_id 10
    #(http_inspect) UNESCAPED SPACE IN HTTP URI
    suppress gen_id 119, sig_id 33
    #(http_inspect) U ENCODING
    suppress gen_id 119, sig_id 3
    Or find rule #427 in /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) and disable that rule, as it depends on the HTTP_Preprocessor. There may be others. The link below has details on how to do that. https://forum.pfsense.org/index.php?topic=74930.msg410285#msg410285 When the HTTP_Pre-Processor is disabled, I don't think that Snort can automatically disable rules that are "Enabled" and require the HTTP_Preprocessor to be enabled.
  • Unbound can't start when …

    5
    0 Votes
    5 Posts
    2k Views
    "What are you trying to do?" My situation is this: I don't have any writable storage on my pfSense (embedded), and I don't want any additional storage on the pfSense, so every time pfSense boots up and connects successfully to "WAN", pfSense downloads the "ads" file, called "unbound_ad_servers" (aka /tmp/mydnsfile), from an additional host.
    "How would "/tmp/mydnsfile" be created?" Only working with the workaround which I posted before.
    "What is in that file that can't be placed in the custom options section?" Inside the file I have over 40000 "ads" domains (not static, no static IPs or hosts) which I'd like to redirect to 127.0.0.1, something like this:
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"
    After the "ads" file has been downloaded to its place, like "/tmp/unbound_ad_servers", unbound automatically uses the new domains. That's nice :) So I hope you understand now what I'd like to do.
    And some additional thinking: even if you have something else/different inside the "ads" file, it can also be used as a configuration file instead of holding hosts to block, like a home network configuration… And if you have, as an example, 3 different configuration files for 3 different scenarios, 3 include custom options are then needed, but you'd like to use only 1 of these 3 (1 file filled with information, the 2 others are 0-byte files and unbound can run) for your home office, and every time you'd like to change/switch the configuration you can do this by a file which unbound reads and which sets the configuration. This should be a really flexible way to use unbound to set up configuration for different hosts, depending on whether the file has information inside or not. Best regards
  • Clamdscan not working under Dansguardian 2.12.0.3_2

    16
    0 Votes
    16 Posts
    5k Views
    Hi RJ, in private emails to Marcello (using this forum), Marcello suspected ClamD support was also not being compiled and requested that I contact the core team directly. I have not been successful in contacting them. I have tried contacting them via the forum, but the forum does not recognise the address coreteam or coreteam@pfsense.org. I have also tried emailing coreteam@pfsense.org from my Gmail account. I now fully understand your previous posts expressing your frustration about the core team / package building. I much preferred it when Marcello was building these packages, but obviously I understand that he can't do everything! Would you know how I can contact the core team and ask them to compile DG with ClamD support?
  • Dansguardian - Web upload is banned

    30
    0 Votes
    30 Posts
    10k Views
    It's been 10 months since the last activity on this thread. Just checking that:
    1. This is still the correct procedure, on 2.1.2 with the current Dansguardian, to fix the banned uploads?
    2. The huge difference in the size of the replacement binary (971K) vs the original one (11.1K) is of no concern? (Actually, I replaced the file in /usr/pbi/dansguardian-amd64/.sbin.)
    [Just noticed, this is my first post, though I've been a member here a long time.]
  • PfBlocker Fatal error!

    6
    0 Votes
    6 Posts
    2k Views
    I rolled back from 2.1.3 to 2.1.2 and it fixed the issue I was having, then updated to 2.1.3 again and it works!
  • Creating dedicated cache drives for squid

    2
    0 Votes
    2 Posts
    577 Views
    jimp
    There isn't support for that in the GUI, but it can be done manually. If you have the option, and the know-how, it's best to run the proxy outside of the firewall on a dedicated machine.
  • Squid SSL Transparent Proxy shows CA-Cert in Browser

    2
    0 Votes
    2 Posts
    845 Views
    You need to export the CA cert from pfSense and import it to the Trusted Root Certificate repository on all your clients.
  • Snort 2.9.6.0 pkg v3.0.8 - Restart issue after update

    5
    0 Votes
    5 Posts
    2k Views
    …throughout the last days sometimes not all interfaces come up after the update (one box had that yesterday and today). Trying to restart the respective interface manually results in lengthy procedures (build new sig-msg.map for ALL interfaces, re-start of ALL interfaces) on the embedded system and in the end, another interface might be down...
  • Snort fails to start with ETOpen rules after update

    18
    0 Votes
    18 Posts
    6k Views
    bmeeks
    @Ramosel: "@bmeeks: I'm surprised. I have not retested since my last post, though. The gentleman I corresponded with is quite high up in the ET management hierarchy, and he acknowledged the problem with the pcre in the rule. He did say he was, at that time, on the road. He may still be out of the office. Bill" "Bill, he's either on a real long trip or forgot your conversation. It's still broken. :( Rick" Sorry. I don't know if he forgot or if they decided that since the rule was default disabled anyway, to let it slide. I think there is a link for support on the Emerging Threats web site. You can give that a try if you like. Maybe you will have better luck than I did. Bill
  • Squid - transparent proxy does not work after midnight

    3
    0 Votes
    3 Posts
    2k Views
    How do I call squid_reconfigure().php through cron? I didn't find any files with: find / -name "*squid*.php". Searching for proxy only gives me these files: /usr/local/www/services_igmpproxy_edit.php /usr/local/www/services_igmpproxy.php
  • Freeradius Name field utf-8 support

    3
    0 Votes
    3 Posts
    1k Views
    Woohoo! :) I changed xmlparse.inc at line 65 and it's working! Line 65 of file xmlparse.inc, before: array_push($curpath, strtolower($name)); after: array_push($curpath, utf8_encode(strtolower($name)));
  • Reverse proxy: how to set X-forwarder

    2
    0 Votes
    2 Posts
    684 Views
    I also want to do this. Can anyone help?
  • Bind Package as forwarder

    1
    0 Votes
    1 Posts
    699 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.