Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    We installed haproxy on a Netgate 8200 device (25.07.1-RELEASE (amd64)), installed ACME certificates and got a certificate from Let's Encrypt; everything OK. Checked SSL offload in the frontend and selected the ACME-generated certificate under SSL Offloading. Result after Apply Changes:
    Errors found while starting haproxy
    [NOTICE] (72045) : haproxy version is 2.9.14-7c591d5
    [NOTICE] (72045) : path to executable is /usr/local/sbin/haproxy
    [ALERT] (72045) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_WAN_117.pem' (No such file or directory).
    [ALERT] (72045) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:15] : 'bind x.x.x.x:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_WAN_117.pem
    [ALERT] (72045) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
    [ALERT] (72045) : config : Fatal errors found in configuration.
    Also the _devel package has the same issue. On other boxes where haproxy was configured on 24.11 and upgraded to 25.07.1 it's working. BUG?? So what can we do now? We need this function. Thank you all in advance.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPa
    @bmeeks Understood. Thank you kindly for your help. I will likely be ordering a new unit soon.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    Gertjan
    @netboy Things you can test: leave pfBlockerNG enabled, but remove all IP lists and deactivate all DNSBL lists; you can do that by unchecking: [image: 1762169315597-16b7ab6f-b38d-4c9b-8201-07756bb1a081-image.png] Btw: you use the "Unbound Python mode", right? When DNS fails to work for your LAN devices, check 'manually':
    C:\Users\Gauche>nslookup google.com
    Serveur : pfSense.bhf.tld
    Address: 2a01:cb19:907:dead:beef:92ec:77ff:fe29:392c
    Réponse ne faisant pas autorité :
    Nom : google.com
    Addresses: 2001:4860:4802:32::78
    216.239.38.120
    This tells me my LAN (Windows) device was using the pfSense LAN IPv6 = 2a01:cb19:907:dead:beef:92ec:77ff:fe29:392c (for IPv4 this would be 192.168.1.1), so I know that my device is using pfSense, the resolver, as its DNS source. I got an answer, so I know the resolver did its work. If no answer, go to the console or SSH of pfSense and check there:
    [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @127.0.0.1 google.com +short
    216.239.38.120
    This shows me that @127.0.0.1 (pfSense localhost) answered, as the resolver listens on every LAN interface and also on localhost. This:
    [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @192.168.1.1 google.com +short
    216.239.38.120
    as my pfSense uses the default 192.168.1.1/24 LAN IP. If no answer: then the resolver isn't running, and that's 'not normal'. Starting it: [image: 1762169873517-560068d3-a229-4bde-8701-0d05a0b31cd9-image.png] would resolve the issue right away. Left to discover: why does your resolver (unbound) process die? Edit: also logical: we all use the same 'code': [image: 1762169997506-667f8b72-cc12-4959-bbf3-660d23e9b5cf-image.png] (I'm using 25.07.1 on a 4100). 'All' is probably a couple of hundred thousand pfBlockerNG users using 2.8.1 or 25.07.1 and the latest pfBlockerNG version. The only thing that is different for all of us: our settings ... This requalifies the problem from "is something wrong with pfBlockerNG?" to a more manageable "is something wrong with my pfBlockerNG?". And as it is already known that we all use the same "pfBlockerNG", the issue reduces further to "What's wrong with my (pfBlockerNG) settings?". So: tell us all about your pfBlockerNG and DNS (!) settings, and we might be able to tell you what's wrong.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    I didn't say you should remove the override.ups.delay.shutdown directive, I said you should remove the ignorelb directive. OK, I will test without the ignorelb directive. Also, you do not have anything in the Advanced settings section, correct? Yes. As to running a calibration test, consult your UPS manual or support from the manufacturer of your UPS. I find anything I will search tomorrow.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the ACME web GUI times out, and when the ACME web GUI times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6 Freshports pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg Changelog
  • Discussions about WireGuard

    712 Topics
    4k Posts
    @chpalmer Okay, so here is the update. I was able to get all my WireGuard servers handshaking, my two personal tunnels and my one Nord. I have full access to my LAN with my personal tunnels, but I now don't have Nord routing any traffic through its tunnel. I try to make a LAN rule to route one IP through Nord and make one NAT rule, and nothing. I lose internet on my one IP when I try to make a rule to use the NordVPN gateway.
  • PPP Autodisconnect/Reconnect

    0 Votes
    1 Posts
    643 Views
    No one has replied
  • Bug - Squid package log dir

    0 Votes
    1 Posts
    475 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    It has to do with how the Netgate release of pfSense seems to be limiting the Zabbix2 packages to the 2.0.x branch. Perhaps the init scripts are not versioned or something. Installing the zabbix2-proxy-2.0.8 pkg v0.7_1 package but pulling the init script that has been updated for zabbix2-proxy-2.2.1 pkg v0.8_0. I know the Netgate release package repository lags behind a little, perhaps I can help get the zabbix2.2 updates fully tested so they can be released to the Netgate release.
  • Sending "upsmon -c fsd" to NUT (Network UPS Tools).

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Install squid does nothing :(

    0 Votes
    8 Posts
    2k Views
    Thanks… And now it's worked. Really weird because I've installed and uninstalled many times, suddenly it appears. So I'm a happy camper, but odd that the GUI should report a successful installation when that doesn't seem to be the reality.
  • Squid3

    0 Votes
    1 Posts
    731 Views
    No one has replied
  • Need help with a redirect loop in squidguard!

    0 Votes
    1 Posts
    725 Views
    No one has replied
  • Snort blocks many websites badly

    0 Votes
    2 Posts
    5k Views
    bmeeks
    @A999: Hi, I'm setting up a fresh pfSense box for proxying HTTP traffic at my office. I installed Squid3-dev and Snort (updated VRT community rules and ETOpen rules). I disabled "block offenders" in Snort, but as time goes by it's still blocking many normal websites like AWS, Reddit, and many more photo sharing hosts. Descriptions for those blocked hosts are "UNKNOWN METHOD" or "DOUBLE DECODING ATTACK" or "NO CONTENT-LENGTH" or "TRANSFER-ENCODING IN HTTP RESPONSE". It would be great if somebody could tell me what's wrong here and what I'd do to improvise. Thanks. Edit: Snort is enabled on the WAN interface, and it's also blocking download packages from pfsense.org for the same reason. Did you remember to stop/start the Snort process after you changed the blocking option from "on" to "off"? If you uncheck "block offenders" and restart Snort, it won't block anything. It will print alerts, but it won't block. The alerts you listed are considered to be common, known false positives from the HTTP_INSPECT preprocessor. There is a long thread containing suggestions from experienced Snort users for suppressing false positives. Here is a link: https://forum.pfsense.org/index.php/topic,56267.msg300473.html#msg300473 Bill
  • Squid Package status X how come ?

    0 Votes
    2 Posts
    878 Views
    Have you just installed it (downloaded and added it to the menu system) from the package menu? Then you have to go to the "Services" –> "Proxy Server" menu option and at least press the "Save" button there at the bottom. This will basically create the config file and start Squid.
  • Snort time from alert to block

    0 Votes
    18 Posts
    7k Views
    BBcan177
    @jandohrmann: alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP AUTH LOGON brute force attempt"; content:"AUTH LOGIN"; nocase; classtype:suspicious-login; sid:1000001; rev:2;) I didn't see the "content:"AUTH LOGIN" in the rule above. My bad. Thought you were blocking port 25 completely at first glance.
  • Snort clearing block hosts ahead of schedule

    0 Votes
    21 Posts
    10k Views
    Then… you've made my point. But thanks for sharing what you have. Rick
  • Squid Reverse Proxy

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Snort doesn't stay running

    0 Votes
    2 Posts
    733 Views
    bmeeks
    @ethos101: Every time Snort updates its rules we need to manually start the service again. The log says it's restarted, but it is not. Where else can I look for trouble signs? Thanks. Look in the system log for clues. My first suspicion is a disabled preprocessor, and the new rule update has suddenly introduced a dependent rule. Look for any messages about "unrecognized or unknown rule option" in the system log. Did you disable any preprocessors on the PREPROCESSORS tab, or have you left everything at the defaults from the initial installation? Bill
  • Postfix - suddenly stopped working?

    0 Votes
    4 Posts
    4k Views
    I got the same issue and selecting interface(s) in the "Listen on" list instead of "listen on all interfaces/ip addresses" solves it.
  • So many issues

    0 Votes
    12 Posts
    5k Views
    bmeeks
    @MilesDeep: I will do what you recommend with regards to rule sets. One last thing on this topic, you write: As for your question on IPS Policy (Balanced, Security, Connectivity), that only shows up when you have enabled the download of the Snort VRT rules. We have enabled the download of the Snort VRT rules. Where do I (globally, I hope) set the IPS Policy? You can select an IPS Policy on the RULE CATEGORIES tab for the Interface in the Snort menu. So click Services…Snort and then select the Snort interface you want to edit by clicking the small e icon next to the interface. Next, in the bottom row of tabs that appears, click RULE CATEGORIES. You should see a dropdown selection like the one pictured in the attachment to this post. Bill [image: IPS-Policy-Selection.jpg]
  • HAVP + Snort: connect() failed: Operation not permitted

    0 Votes
    2 Posts
    2k Views
    bmeeks
    @Zosimo: Current setup: pfSense 2.1-RELEASE (i386), FreeBSD 8.3-RELEASE-p11, snort 2.9.5.5 pkg v3.0.3, HAVP antivirus 0.91_1 pkg v1.01, squid Network 2.7.9 pkg v.4.3.3. Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyways. The system log files show:
    Feb 12 13:22:12 havp[55759]: connect() failed: Operation not permitted
    Feb 12 13:22:01 havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:22:00 havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:59 havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:08 havp[77462]: connect() failed: Operation not permitted
    Feb 12 13:21:06 havp[78132]: connect() failed: Operation not permitted
    Feb 12 13:21:05 havp[44591]: connect() failed: Operation not permitted
    Feb 12 13:19:37 havp[57273]: connect() failed: Operation not permitted
    Feb 12 13:17:21 havp[55759]: connect() failed: Operation not permitted
    It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html. Was this ever fixed? Snort should not block anything if you have the "block offenders" checkbox unchecked on the Interface tab. If you think Snort is the cause, simply stop the Snort process by clicking the green arrow icon on the Snort Interfaces tab and waiting for it to turn to a red X. At that point Snort is dead and not blocking anymore. Try your connection then. If it still fails, then Snort is not your problem. Another way to check if Snort is the cause is to click on Diagnostics…Tables and select the snort2c table in the dropdown list. If no IP addresses show up, then Snort is not blocking. All IPs blocked by Snort get put in the snort2c table that you can view under Diagnostics…Tables. If an IP address is not in that table, then Snort is not blocking that IP. Bill
  • pfSense proxy in parallel with Mikrotik

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • HAVP not found, fail clamd

    0 Votes
    3 Posts
    1k Views
    Actually, this happens because the HAVP config expects to find the following files at /var/run/clamav:
    clamd.sock
    clamd.pid
    The thing is, in pfSense those files are found in /var/run, which is why the package can't find them. Moreover, there seems to be no way to change the path in the config file (and I read somewhere this was hardcoded into the scanner). The current workaround for this is creating this directory and linking the files together:
    mkdir /var/run/clamav
    ln -s /var/run/clamd.sock /var/run/clamav/clamd.sock && ln -s /var/run/clamd.pid /var/run/clamav/clamd.pid
    The problem is that these files get lost on every reboot. I've tried modifying the service startup script to check for this automatically, but have had no luck so far. Hope this helps.
  • Help with NTP

    0 Votes
    4 Posts
    2k Views
    There is a recently launched NTP attack on a large number of servers; dunno how many are left working properly. Last I heard was a 400 Gbps DDoS. The reason removing pfBlocker allowed it to work was that the attack was a cover-up for an infiltration of some servers, which were subsequently identified as compromised and added to pfBlocker's lists. MNSHO
  • Pure ftp package

    0 Votes
    1 Posts
    716 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.