1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    H
    We installed haproxy on Netgate 8200 device 25.07.1-RELEASE (amd64) installed acme certificates and get certificate from letsencrypt, everything ok. checked ssl offload in frontend and selected the acme generated certificate under SSL Offloading. result after Apply Changes: Errors found while starting haproxy [NOTICE] (72045) : haproxy version is 2.9.14-7c591d5 [NOTICE] (72045) : path to executable is /usr/local/sbin/haproxy [ALERT] (72045) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_WAN_117.pem' (No such file or directory). [ALERT] (72045) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:15] : 'bind x.x.x.x:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_WAN_117.pem [ALERT] (72045) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg [ALERT] (72045) : config : Fatal errors found in configuration. also package _devel has the same issue. on other boxes where haproxy was configured on 24.11 - upgraded to 25.07.1 its working. BUG ?? so what can we do now -bolded text we need this function. thank you all in advance

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB
    @RedDelPaPa said in Suricata ETOpen rules failing to update: @bmeeks This makes sense. I was able to tweak with it some and inserted a custom url for the Suricata v5.0 rules files and it seems like it was able to pull a usable update? What do you think? Will this work ok for now? Thank you! Should be okay so long as the v5 rules don't contain any syntax that is too "new" for the older 4.x Suricata binary on your system. The SG-3100 has a 32-bit ARM CPU which is basically obsolete. Suricata from version 5.x on moved critical pieces of code over to Rust from pure C. There is no "buildable" Rust library for 32-bit ARM chips, hence Suricata on the SG-3100 is stuck on an old and EOL (end-of-life) version. In my opinion, it's time to retire that hardware and move to a modern 64-bit Intel platform.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    N
    @netboy Most probaly a configuration regression. You really need to dig deeper. From which pf version did you upgrade? Have you tried removing and reinstalling pfblockerng? Looking to the moon for craters with naked eye doesn't show the one that the crashed spaceship created. Use a telescope instead. FWIW, I see quite a few pfblockerng instances on 25.07.1 running with no (apparent) issues τοο

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    F
    I didn't say you should remove the override.ups.delay.shutdown directive, I said you should remove the ignorelb directive. Ok, I will test without ignorelb directive. Also, you do not have anything in the Advanced settings section, correct? Yes As to running a calibration test, consult your UPS manual or support from the manufacturer of your UPS. I find anything I will search tomorow

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    E
    Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6 Freshports pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg Changelog

  • Discussions about WireGuard

    712 Topics
    4k Posts
    chpalmerC
    @dean.viens What kind of internet services are on the two endpoints? I ask because some modems such as cellular modems can cause issues with VPNs once in a while. I assume you are using the standard ports?? have you tried a different port such as 8443 one of the gui ports you are not using? 80 or 443? If you set the incoming rule to log the traffic do you see the attempts in the firewall log? Long story short here.. are you sure the traffic from router two is making it to router 1 and visa versa?
Log in to post
Load new posts
  • E

    Problem with site with squid -3 development

    4
    0 Votes
    4 Posts
    1k Views
    T
    Maybe a "proxy.pac" file or "wpad.dat" would be an option. (create one in the usr/local/www folder and make a symb-link for the other) There are topics on how to serve this pac-file via extra http-service on port 80 in combination with DHCP and have the pfsense GUI run on https. How successful it will be that depends on how you roll out DCHP (additional option 252, text, location of proxy.pac) and if users are allowed to change their internet settings regarding proxy settings. You filter https or facebook requests to be redirected to a "denied page". Example "proxy.pac" function FindProxyForURL(url, host) {   url = url.toLowerCase();   host = host.toLowerCase();   isHttp = (url.substring(0,5) == "http:");   isHttps = (url.substring(0,6) == "https:") // If the requested website is hosted within the internal network, send direct.     if (isPlainHostName(host) ||           shExpMatch(host, "*.home") ||           shExpMatch(host, "*.local") ||           isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||           isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||           isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||           isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) { return "DIRECT"; } // Forward non-http(s) and some hosts to forward proxy (or DIRECT (or access denied page?)) if((!isHttp && !isHttps) // Skip all non http(s)   || dnsDomainIs(host, "microsoft.com")   || dnsDomainIs(host, "windowsupdate.com")   || dnsDomainIs(host, "eset.com")   || dnsDomainIs(host, "mcafee.com") // McAfee   || dnsDomainIs(host, "siteadvisor.com") // McAfee   || dnsDomainIs(host, "hackerwatch.com") // McAfee   || dnsDomainIs(host, "hackerwatch.org") // McAfee   || dnsDomainIs(host, "avg.com")   || dnsDomainIs(host, "grisoft.cz")   || dnsDomainIs(host, "avgfree.com")   || dnsDomainIs(host, "avg.cz")   || dnsDomainIs(host, "symantecliveupdate.com")   || dnsDomainIs(host, "thawte.com")) { return "DIRECT"; } if (isHttps)   // Skip HTTPS (or return access denied page?) { return "DIRECT"; } // Otherwise, go through our proxy or if it fails, through bypass return "PROXY 192.168.0.1:3128; DIRECT"; } Or you could try a squidguard filter with a redirect page, maybe add a "proxy-list" and "VPN-service-list" to the block list there so users won't be able to use or search for anonimous-proxy or VPN's to circumvent the restrictions.
  • X

    Blinkled memory leak? (Alix platform)

    3
    0 Votes
    3 Posts
    1k Views
    X
    I think I've found a semi-reliable way to reproduce the leak. But as this is an alix2d3 with 256mb box running extra stuff pushes it's memory limits tight. If the interface goes away, the following code to never hit the cleanup path (can't find the source on the git repos, so from that post linked in the first post.):   for(ifp = TAILQ_FIRST(&ifh); ifp; ifp = TAILQ_NEXT(&ifc, if_list))   {       n = kvm_read(kd, (u_long)ifp, &ifc, sizeof(ifc));       if(n<0)       {         fprintf(stderr, "Error: kvm_read(element): %s\n", kvm_geterr(kd));         kvm_close(kd);         return -1;       }       if(strcmp(ifname, ifc.if_xname) == 0)       {         data->opackets = ifc.if_data.ifi_opackets;         data->ipackets = ifc.if_data.ifi_ipackets;         data->obytes = ifc.if_data.ifi_obytes;         data->ibytes = ifc.if_data.ifi_ibytes;         data->baudrate = ifc.if_data.ifi_baudrate;         kvm_close(kd);         return 0;       }   } } Note; there is no kvm_close(kd) if the interface isn't matched. I guess the package isn't being restarted in some conditions when the interface derps.
  • M

    Postfix - read only filesystem?

    2
    0 Votes
    2 Posts
    909 Views
    P
    pfSense recreates everything at boot time from data in its own config.xml - which is where all the GUI settings are saved. If you change any package conf file from the command line, the change will be lost when you reboot, or some other event happens that makes pfSense restart all the packages. You have to find a way to do your settings using the GUI provided with the package.
  • R

    Unbound package re-installation fails

    4
    0 Votes
    4 Posts
    1k Views
    W
    Nope that is an entirely different problem
  • G

    Unbound failing to install on 2.1.1 march 3

    4
    0 Votes
    4 Posts
    1k Views
    W
    A mistake on my part apologies on that - but fixed.
  • S

    PROBLEM: Unistall squid using console command

    3
    0 Votes
    3 Posts
    2k Views
    S
    Hi, I still haven't found a solution to the problem. I can't Uninstall squid using console but I can Uninstall it using web gui. I need to Uninstall it using console. Someone Can help me to find a solution. Thanks
  • B

    Vnstat2 Package Updated - Report/Feedback problems here.

    39
    0 Votes
    39 Posts
    8k Views
    B
    @petzi: @bryan.paradis: So you have received just one email from cron complaining that vnstat couldn`t create backups? Is it possible that the dyndns set the filesystem back to Read only after the vnstat script set it to read write and so it failed? This script gets run every minute by cron so I guess this may be possible that the timing just aligned perfectly. I've no idea. Probably mounting rw/ro isn't logged. If it happened only once? It must have been the fluke lining up of filesystem getting switched back after the rw call was made by the script.
  • D

    HAVP and PfBlocker - Malfunction ? Else ?

    1
    0 Votes
    1 Posts
    757 Views
    No one has replied
  • bmeeksB

    NEW – Suricata 1.4.6 pkg v0.1 BETA package released

    36
    0 Votes
    36 Posts
    8k Views
    bmeeksB
    @JWTrance: Thanks for the new Suri package, been looking forward to this for a bit. :) Feel free to disregard, but I was wondering how hard it would be to implement an options tab similar to the oldschool Snort IDSControl Center (see example) [image: snortoptions.jpg] I like the idea of being able to quick select options for a custom starting command line and then being able to save that Suri/Snort profile for later use. Be on the lookout for a substantial update to the Suricata package to be posted sometime over the next few days. I will be submitting the Pull Request shortly.  This will be version v0.2-BETA of the package.  There are lots of bug fixes and some other enhancements (such as an included Dashboard Widget, better rule update management and logging, and a Bro output option for Barnyard2). As for some control over command-line options, that is certainly possible.  Right now a fair number of parameters are configurable in the GUI and then provided to the Suricata binary via the suricata.yaml conf file.  Are there some Suricata-specific command-line options you need that are not available in the GUI?  If so, post a list and I will see what I can do. Bill
  • U

    HAVP antivirus wont start;

    2
    0 Votes
    2 Posts
    1k Views
    U
    Bump? Really want to have this working, It worked before hand on my netbook setup, but not now ? :(
  • D

    Unbound denies queries from IPsec clients…

    6
    0 Votes
    6 Posts
    1k Views
    W
    yeah and the other vpns.
  • O

    Detection Ultrasurf's traffic

    3
    0 Votes
    3 Posts
    2k Views
    D
    dont work! I think I have the wrong or your system dosent work I've addes my screenshoots. [image: snort_log1.jpg] [image: snort_log1.jpg_thumb] [image: snort_log2.jpg] [image: snort_log2.jpg_thumb]
  • ?

    HAVP service doesn't start

    16
    0 Votes
    16 Posts
    8k Views
    ?
    It works now in standard and parent mode. my problem was slow download process at update time.
  • B

    Reverse Proxy Using Squid

    1
    0 Votes
    1 Posts
    797 Views
    No one has replied
  • L

    Squid 3.4?

    1
    0 Votes
    1 Posts
    853 Views
    No one has replied
  • S

    Squid 3.3.10 error

    5
    0 Votes
    5 Posts
    1k Views
    B
    https://forum.pfsense.org/index.php?action=post;quote=398495;topic=43687.270 @serialdie: Under –- System ----- User Manager Add the user clamav. Worked for me.
  • B

    Voip server in ALIX

    1
    0 Votes
    1 Posts
    632 Views
    No one has replied
  • B

    Need to update file on http://files.pfsense.org (vnstat2 php front end)

    27
    0 Votes
    27 Posts
    7k Views
    A
    woo hoo! thanks!
  • W

    Unable to communicate to the pfsense package server

    4
    0 Votes
    4 Posts
    2k Views
    B
    Did you have it set to GW on your LAN? Or Like was your interface setup?
  • D

    Tftp not working (clean install of pfsense)

    2
    0 Votes
    2 Posts
    1k Views
    D
    After further review of older threads I noticed that tftpd was listening on 127.0.0.1  I added an internal UDP portforward to 69 and everything works now.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.