1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    H
    Hello all, please dont shoot me on sight, im one of those who kinda set up things by following tutorials and actually see things how they look like on screen. And English is not my native language either. I setted up HAProxy with pfSense package for Nextcloud which works as VM at ip 192.168.1.214. It has self signed cert. I created ACME with Porkbun as wildcard and all that works totally fine. BUT i have big issue which i dont know how to solve. When im acessing by nextcloud.mydomain.xx in LOCAL LAN it serves page fine, but it uses self signed cert. Will someone, please, by example show me how to create working rule which will force pfSense to serve 192.168.1.214 and all its translation or whatever exclusively outside? Bare in mind that 214 has to be able to lurk in 192.168.1.0/24 also, since data storage is served by NFS on TrueNas. 192.168.1.1 (pfSense IP), 192.168.1.214 (Nextcloud IP) All works fine from outside, but from local LAN it bypase HAProxy, and serve nextcloud internal cert with correct domain name nextcloud.mydomain.xx . Well it seems that only bypas cert part since domain works. Somehow it resolve. This is what dig command does from local lan: ;; ANSWER SECTION: nextcloud.domain.xx. 3600 IN A 192.168.1.1 nextcloud.domain.xx. 3600 IN A 192.168.1.214 ;; Query time: 0 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP) ;; WHEN: Thu Oct 30 08:48:37 CET 2025 ;; MSG SIZE rcvd: 83 Main problem here is that Nextcloud app go stuck when we are on local network. It does not work since it gets different cert. It does not even ask do we want to accept it or not. Even if does it will be bit weird to do that every time we come home. Many thnx in advance!

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    B
    @Greyhat I think it's useful to work with what we've got and figure something out for the (i hope) edge cases later. So for the JSON I figured you can actually use an existing suricata integration by co-opting their pipelines.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @dma_pf Debt collector, or debt relief service?

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @netboy said in Docker container for nut server?: I am NOT installing docker in pfsense - offcourse this is a big security risk - I agree !!! My apologies. I interpreted your earlier question I think i need to explain what i am asking for. I am fully aware if your netgate router is attached to an UPS you can configure netgate. Let us say you 5 UPS's in your home and you want nut server to read all the UPS's and show me a dasboard about the status of all the UPS's ? - Is there a ready made docker container for client server nut with dashboard functionality? as a request to have something running on pfSense, which is why I responded I believe most people would say that the type of thing you are asking for isn't something you want to run on your firewall. I recommend using a general purpose operating system behind the firewall instead. Mutual misunderstanding I guess. If you want to explore general NUT monitoring, and not something particular to pfSense, I would recommend the NUT Users list as a better place to seek information.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    92 Topics
    638 Posts
    L
    @Vad-B Interesting indeed! I just tried to fill the Pre-authentication Key with file:/dev/null. I get an crash in pfsense after some time, but when I login again is saved. For me this for after service restarts at least this solves it, including the issue with the routes not being advertised even set in the WebUI. Havent done an full restart of pfsense (yet)

  • Discussions about WireGuard

    711 Topics
    4k Posts
    D
    Hello, I’m wondering if it’s possible to have a private vpn wireguard server on pfsense and to also have a personal wireguard server such that friends can link to your pfsense network but also be under the private vpn, nordvpn for example. Is that possible to with routing?
Log in to post
Load new posts
  • H

    crowdsec

    36
    0 Votes
    36 Posts
    10k Views
    Z
    @keyser My "security engine" which is the server that receives all the logs and makes decisions, can be run on a separate server. That is my exact setup so I can run my own web/php front end. As per the the url block list, or EDL since I'm entrenched in Palo terminology, doesn't do the log analysis and crowdsec reporting. Different strokes for different folks I guess.
  • M

    Arpwatch - flip flop notifications not suppressed

    1
    3
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • N

    LCDproc Looses Connection - Restarting service Fixes but goes down again shortly after

    11
    2
    0 Votes
    11 Posts
    8k Views
    fireodoF
    @jimp said in LCDproc Looses Connection - Restarting service Fixes but goes down again shortly after: and I can never reproduce it in the lab. Hi, if you go to Diagnostics -> States and kill all states you get the "running wild" and flooding syslog lcdproc-client. (Maybe also of interest: LcdProc) Regards, fireodo
  • E

    Zabbix 6.4.x required for pfsense 2.8.0-RELEASE

    4
    0 Votes
    4 Posts
    6k Views
    A
    @EngineerSB I went through the same challenge when upgrading our Zabbix server to 7.0. 5.0, 6.0, and 7.0 are LTS releases that get 5 years of support, whereas standard releases are only supported for 18 months. I've learned my lesson to only stick to major versions to avoid this issue. The easiest option that achieves a similar result is to only use the Zabbix 6.0 Agent, and change all items of type "Zabbix Agent" to type "Zabbix Agent (Active)". Also change the host to be monitored by Server instead of by Proxy. On the Agent, change the Active Server to be the Zabbix Server FQDN/IP (that the Proxy was pointing to) rather than the 127.0.0.1 localhost Proxy IP. This will achieve nearly the same behavior as using passive Zabbix Agent items via Proxy. The Zabbix Agent will communicate outbound directly to the Server and get the configuration, and the agent will garther data for all items of type Zabbix Agent (Active) and send the data to the server. Another option would be to copy the files from another firewall that still has the 6.4 packages installed.
  • M

    statgrab package

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • A

    Telegraf stopped working after update to 2.8.0

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • C

    Avahi trying to broadcast on public interface?

    8
    0 Votes
    8 Posts
    6k Views
    dennypageD
    @clearscreen said in Avahi trying to broadcast on public interface?: I was just looking at mdns-bridge source code, but only realized now you're the author Yes. I'm also the maintainer of the pfSense Avahi package, which is why I felt compelled to write mdns-bridge. I’m not very familiar with mDNS, but I’m thinking of trying to implement one-way reflection (blocking either queries or broadcasts in a single direction). My motivation is to limit fingerprinting of my home network while allowing trusted subnets to see devices on less trusted subnets. Before I dive in, is there any technical reason this wouldn’t be feasible? Just want to understand if there’s a fundamental limitation and I figured I might as well ask you first. With mdns-bridge, you do not block queries or responses, but choose what mDNS names are shared by each network segment. Avahi uses a similar approach, but is limited to what in mdns-bridge terms would be a Global Allow filter list only. mDNS-Bridge is designed to give you detailed control of what mDNS names each segment is allowed to export or import, but I recommend keeping things simple if possible. I recommend starting with a Global Allow filter list to limit the overall scope, and exploring from there as needed. One thing to keep in mind, as noted in the mDNS-Bridge README filters that include hostnames are best used only in deny filters.
  • RyanMR

    HA Proxy and 503 error on pfSense

    2
    0 Votes
    2 Posts
    6k Views
    V
    @RyanM said in HA Proxy and 503 error on pfSense: So let's say my domain is internaldomain.com Does domain resolve to your public IP in a public DNS? If it doesn't, you won't get a Let's Encrypt cert at all. Is HA Proxy good for what I am trying to do? So I have self-signed certs for several internal hosts/services. Yes. You can install self-signed certs on your backend servers and direct all traffic over HAproxy, even from internal. However, you must not enable "SSL checks" in the backend. The better way, however, would be to generate the internal certs with a CA on pfSense. Then you can confiugre HAproxy to trust the CA and accept the server certs. When getting error 503 "service not available", the backend either does not respond to heath checks or the service is not reachable, or something else in HAproxy is configured wrong. So first of all go to the stats page and check if the backend is shown up as "online". If not check the health check configuration.
  • A

    Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.

    5
    2
    0 Votes
    5 Posts
    6k Views
    bmeeksB
    @aaronouthier said in Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.: Ok, so I've been researching the topic. It seems SO has an integration for PFSense. However, the FreeBSD implementation of Syslog is not optimal for this purpose, as mentioned above. Although I am comfortable with CLI Linux, I am effectively a Newbie with regard to BSDs. My next question is: What would be the least invasive method as far as the PFSense Box to export just the Suricata logs? I believe I saw an option to log to a Unix Socket. Would that be helpful coupled with something like Netcat? I'm not necessarily looking for help with such a feat, just wondering if such would likely be fruitful, or am I just chasing the infamous wild goose? I recommend exporting the EVE JSON log as that will be the most comprehensive. To export to a UNIX socket, change the EVE OUTPUT TYPE setting to UNIX socket. You will need to manually create the socket and give it a name. It will be up to you then to "receive" the socket data stream and redirect it elsewhere (seems you want it remote for your case to Security Onion).
  • C

    Introduce openvpn-auth-oauth2 as pfSense package

    2
    0 Votes
    2 Posts
    464 Views
    A
    @cdal This could be a great security improvement ... It's the only way to do MFA with "LDAP/AD" backend for exemple (using oauth 2 proxy for exemple)
  • R

    How to update to the latest Telegraf version

    9
    0 Votes
    9 Posts
    7k Views
    R
    @rocket Updated July 20-2025 pfsense 24.11 - Telegraf freebsd-15
 pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.35.1.pkg pfsense 2.7.2 - Telegraf freebsd-14
 pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.35.1_1.pkg https://www.freshports.org/net-mgmt/telegraf/#history
  • L

    Updated PIMD package (beta)

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • M

    pfSense-pkg-WireGuard removal failed!

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • M

    HowTO - FreeRADIUS + Omada Controller + LAN ethernet + 802.1x computer authentication with cert

    1
    0 Votes
    1 Posts
    139 Views
    No one has replied
  • L

    New widget for the official speedtest.net cli version.

    6
    4 Votes
    6 Posts
    7k Views
    A
    @ameinild Yes, I just confirmed at home that it is still working. I had some icon error right after install, but this seems to be fixed now.
  • M

    Installing sudo or nano issues?

    pfsensece sudo
    13
    0 Votes
    13 Posts
    7k Views
    w0wW
    @MrWhatZitTooya666 said in Installing sudo or nano issues?: "pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core", "pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-pfSense_v2_8_0", looks good. Try Forced pkg Reinstall https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html To forcefully reinstall all packages, take the following steps: Make a backup Clean the repository and forcefully reinstall pkg, repo data, and the upgrade script: pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade Force a reinstall of everything: pkg-static upgrade -f Review the list of changes and enter y to proceed Manually reboot the firewall
  • S

    Main pfsense package is removed

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • D

    Telegraf and Grafana Dashboards

    5
    4
    4 Votes
    5 Posts
    3k Views
    Sergei_ShablovskyS
    Recently (May-Jun 2025) Grafana received a HUGE update (even possible to saying “reworked from scratch” because some fundamental changes made): from more closely integration with GitLab CVS and making the database abstraction layer to tabs, custom and dynamic dashboards and interactive elements. After some time of stagnation, “new Grafana” start to receive a real most asked and usable updates. Just look at this! With this new updates Your Grafana’s dashboard for pfSense receive a REALLY USEFUL FORM ! P.S. And personally I need to note that pfSense Dashboard lost their actuality because in Grafana You may receive more usable, dive-in-detailed, much more detailed and granulated, interactive view and (in some cases, more important than view) strongly secured user authentication scheme.
  • L

    Constant arpwatch bogon reports .... related to my own network !!??? (*strange andannoying!!*)

    31
    0 Votes
    31 Posts
    4k Views
    johnpozJ
    @dennypage nice! I think the running 3 instances and filtering vlans on 0 (untagged traffic) would eliminate any sort of bogon because the source IP range is different than the actual network being seen on.
  • G

    Telegraf on PFsense Error

    13
    0 Votes
    13 Posts
    7k Views
    P
    @gm2005fl that's great news, and very useful information for those of us (i.e me!) not realising there are different versions InfluxDB :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.