Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    J
    @ha11oga11o Your LAN DNS returns both pfSense and Nextcloud IPs, so clients bypass HAProxy. Add a host override in DNS Resolver for nextcloud.mydomain.xx pointing only to 192.168.1.1. Flush DNS, restart Unbound, and all local traffic will use HAProxy with the correct certificate.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    RedDelPaPaR
    @bmeeks Understood. Thank you kindly for your help. I will likely be ordering a new unit soon.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:

        /usr/sbin/chown -R nobody:nobody /var/db/ntopng

    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    D
    @Gertjan Thanks a lot for your help. This really helped me:

    I'm not using "pfSense pfBlocker Web server logging" (DNSBL Webserver/VIP) as the "you are blocked web page" only shows up when the end browser user visits http sites, something that doesn't exist anymore on the Internet. All sites are https these days, and https sites can be redirected to "another https web server" like the "pfSense pfBlocker Web server".

    With that hint I was able to resolve my issue by:

        Unchecking the Python Group Policy Enable checkbox for the DNSBL Webserver Configuration on the DNSBL tab in pfblockerng.
        Checking the Permit Firewall Rules Enable checkbox and selecting the appropriate interfaces for the DNSBL Configuration on the DNSBL tab in pfblockerng.
        Forced Update | All.

    It now appears that all the blocked domains are appearing on the Alerts tab in pfblockerng.

    I couldn't find that host name in the "/var/db/pfblockerng/dnsbl/Max_MS.txt" file - where does your "/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:" come from?

    I get that DNSBL, and 2 others, from the original maintainer (https://github.com/crazy-max/WindowsSpyBlocker):

        https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt
        https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
        https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt

    I really appreciate your help!
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low:
        If I remove ignorelb directive, my UPS shuts down after 16 seconds
    This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky, still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    92 Topics
    639 Posts
    E
    Updated CE 2.8.1 to 1.90.4. Looks like they are already working on .6
    Freshports

        pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.90.4.pkg

    Changelog
  • Discussions about WireGuard

    713 Topics
    4k Posts
    M
    I have my wireguard up and running and can ping from firewall to devices on the vlan but cannot get clients to ping each other.
  • Barnyard2 Fatal error

    3
    0 Votes
    3 Posts
    1k Views
    F
    Are you sure that your database server is accepting connections from outside itself? By default MySQL usually only listens to localhost.
  • Squid bandwidth throttling amount

    3
    0 Votes
    3 Posts
    1k Views
    R
    Do you have your Wi-Fi on a separate subnet or on a separate pfSense interface from your LAN? If so then run the Traffic shaping Wizard and dedicate 2MB of total bandwidth (Set upload and download max). Then test it to ensure it works. I did something similar, and can confirm it works here. That Wi-Network won't allow the Wi-Network to go over 2MB total download and upload… if too many people are on it, it just slows down, but it won't let the wifi exceed 2 MB download and Upload as a total. Since you're already running Squid, you can use caching to make it appear faster than it actually is without it chewing up your bandwidth.
  • DNS forward: including ports

    3
    0 Votes
    3 Posts
    1k Views
    GruensFroeschliG
    Method 2: https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks?
  • Squid/Squidguard - Allow only specific URL and not the entire domain?

    2
    0 Votes
    2 Posts
    3k Views
    T
    Maybe you can try a "whitelist" in squidguard. You create an extra folder called "whitelist" into your favorite blocklist.tgz. (so download it first on your desktop) That folder, called whitelist, should contain a url file or a domain file, with the urls or domains you want to whitelist. Upload that manipulated blocklist.tgz into pfSense, and update squidguard with that locally stored blocklist. Now in the squidguard menu (Proxy filter) in the tab "Common ACL" you add the "whitelist" category to whitelist. Save and Apply and test the previously blocked url.
  • Quagga OSPF, OpenVPN Site-2-Site and Cisco hardware.

    1
    0 Votes
    1 Posts
    897 Views
    No one has replied
  • Cron not working

    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    @evilsmo:
        I create simples script
            /bin/echo 1 >> /root/eu.txt
        And call this on gui cron on web interface
            1 * * * * * /bin/sh /root/eu.sh
        NOT WORK
    That will run the script at minute 1 of every hour. If you want to run every minute, you need to use */1 as the first parameter. Also make sure the user is root, not *
  • Mailreport: RRD graphs for queues not updated

    1
    0 Votes
    1 Posts
    636 Views
    No one has replied
  • Squid Proxy - Google working in chrome but not an IE?

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Chrome may be using HTTPS and not HTTP, and may be bypassing the proxy. The default setting in squidGuard is to block. Go to the Common ACL tab, look in the Target Rules List, and make sure the last entry for default is set to Allow. Then go back to the first squidGuard tab, apply, and then test again.
  • LightSquid and IP addresses

    2
    0 Votes
    2 Posts
    1k Views
    KOMK
    Bump
  • Squidguard on pf2.1 release STILL fails after a Year !!

    3
    0 Votes
    3 Posts
    2k Views
    D
    This problem goes back YEARS !! Seriously, does no one ever use time restrictions on Squidguard ? https://forum.pfsense.org/index.php/topic,43352.0.html
  • Squid cache

    2
    0 Votes
    2 Posts
    992 Views
    R
    What is your maximum object size set to? If it's less than your example, no it will not be saved in cache.
    Rick
  • Snort still blocking a Network that is listed in Whitelist

    13
    0 Votes
    13 Posts
    4k Views
    D
    @bmeeks:
        @digdug3:
            :o stupid me… I changed the name in "Whitelists" and of course you need to reset them in all the interfaces. Maybe you could add a warning that the whitelist is used in an interface and should be re-enabled?
        I can do that. I already flag an error message when trying to delete a "currently assigned to an interface" whitelist. I can do the same with rename, or else just silently go ahead and change the name for all interfaces it is assigned to (and maybe just pop up an info box to let the user know). I think I like the "just rename it on assigned interfaces" option best. I'll put this on my TODO list. Too late, though, for the 3.0.4 version that is in review right now.
        Bill
    No problem, it's just to prevent stupid questions like this in the future, although I know that even if you warn people, they still don't -read- it…
  • Restrict Websites for kids devices

    3
    0 Votes
    3 Posts
    1k Views
    R
    Personally, I think Dansguardian is the ultimate in managing internet access for a family. See this post for a description of how I use it and some stuff I've created to try to make it easier for those who want to use it in the same way… https://forum.pfsense.org/index.php/topic,68927.msg379573.html#msg379573
  • Pfflowd 0.8.3 giving wrong info

    Locked
    3
    0 Votes
    3 Posts
    987 Views
    G
    Thanks for the reply! Why can't you? Maybe you could solve this issue in a future version. I'll give it a try with the softflowd package and then I update this issue.
  • SNORT problem

    2
    0 Votes
    2 Posts
    868 Views
    bmeeksB
    @sebna:
        Hi, I have changed by mistake SNORT settings in Alerts tab to show 3000 or 30000 and it is now refreshing to blank page so I cannot change it back to 300. How can I change it back to show only 300 or so if the GUI interface of Alerts tab does not load. pf 2.1, snort Installed: 2.9.4.6 pkg v. 2.6.0
        Thanks,
    Well, first off that is an old version of Snort. The current package is 2.9.5.5 v3.0.3. I would suggest upgrading if possible. If not here is how to change the value back manually.
    First, make sure you give it enough time to actually read 30,000 rows. That could take several minutes on a slow box. If you are satisfied that it actually won't come back to a displayed page, then you will need to manually edit the config.xml file to fix this.
    Click Diagnostics…Edit File from the pfSense menu.
    Browse to /conf and open the config.xml file in the editor window.
    Scroll down near the bottom of the file and locate the section for <snortglobal></snortglobal>. In there are all the settings for Snort.
    Find the element tag <alertnumber>30000</alertnumber>
    Change the 30000 value to 250 and then save the change. That should put things back to the default.
    Bill
  • Proxy Server problem!!!

    2
    0 Votes
    2 Posts
    903 Views
    S
    How can help me, please? ???
  • Status of unbound on 2.1.x

    5
    0 Votes
    5 Posts
    1k Views
    D
    @grandrivers:
        there are also ipv6 issues with it on 2.1.1 if i enter ipv6 on general tab complains about format of conf hopefully can start trying 2.2 before too long
    I have no issues with IPV6 and Unbound on 2.1 or 2.1.1.
  • Snort not updating VRT ruleset

    6
    0 Votes
    6 Posts
    1k Views
    bmeeksB
    @fragged:
        I does download the paid rules. But what you were the OP was talking about in your first post was the Snort binary version.
    The Snort VRT tie the snort binary version to the rules version. This means you can't use 2.9.6.0 rules with the 2.9.5.5 binary and vice-versa. The installed binary must match up with the rules.
    An update to 2.9.5.6 Snort is on the way. We are having some issues at the moment getting the binary package to build for 2.0.3 users of pfSense (the old *.tbz packages). The new 2.1 PBI packages are working fine. We don't want to release the new update until the binaries will work on both pfSense versions since both are supposed to be supported. We should get this *.tbz package building problem worked out shortly, and then the new 2.9.5.6 binary and the updated 3.0.4 GUI package will be posted.
    I have not updated to 2.9.6.0 yet because doing so will lock out the free users of Snort VRT rules so they would not get updates until the end of February. And because the binary version and rules version are tied together, that prevents me updating just for the paid-subscriber guys as well. All things considered, it's probably not a bad idea to be one version behind "bleeding edge"… ;). That way the bugs can get worked out.
    Bill
  • AutoConfigBackup causes "error while uploading"

    4
    0 Votes
    4 Posts
    1k Views
    jimpJ
    Great. We have a potential fix in testing for that problem, it shouldn't be an issue in the near future.
  • Help sending flows to an IPsec destination

    4
    0 Votes
    4 Posts
    1k Views
    S
    also tried setting the static route to 0.0.0.0/1 … flows still not making it.  I also did a pcap to confirm they are not making it.  I feel like I'm missing something simple......  :-\ EDIT: BAH. Nevermind. pfflowd works with the static route in place. I absolutely could not get softflowd to work over IPsec. I'm happy.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.