1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.

  • Discussions about WireGuard

    715 Topics
    4k Posts
    S
    @LaUs3r Yeah, I added those IPs, but after restarting pfSense, the WireGuard status says “handshake failed.” Also, when I do nslookup us-bos.prod.surfshark.com, I get two different sets of IPs. For example: • The first time I get 43.225.189.108 and 43.225.189.118 • The next time I get 149.40.50.216 and 149.40.50.290 So I was wondering can I add both sets of IPs, and put a “0” at the end of each, and use /24 for both IPs? I reached out to Surfshark support, and they sent me their official pfSense WireGuard setup guide see the guide here in the guide they mention 10.14.0.2 for static routes
Log in to post
Load new posts
  • L

    Squid & Sarge - more than port 80?

    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    There isn't a way to store that info long-term on pfSense directly. ntop can get some but probably not the detail you want, it would be more for a summary or graphing. pfflowd (or softflowd, see the doc wiki) can export netflow data to a separate netflow server which then logs and records that information in a database, and you can then query or graph from there. The netflow server would be separate software, there have been several forum threads and mailing list threads discussing various free and commercial netflow server options. While ntop is capable of acting as a Netflow collector and server, I haven't had a ton of luck getting it to do what I wanted in the past. It's also fairly heavy in terms of dependencies and resource requirements.
  • D

    Installing antivirus and Squid

    3
    0 Votes
    3 Posts
    2k Views
    N
    AntiVirus: If you do not want to use HAVP anymore you can try the new squid 3.3.5 package which includes actual antivirus. Search the forum for the squiod 3.3.x thread. Mobile devices: How are these connected? Via VPN or via W(LAN) interface on your pfsense? In general you can use transparent proxy on squid and select the interfaces where squid should listen to. If the devices are connected via OpenVPN for example then you must OpenVPN to an interface (Interfaces –> assign) and then select this interface on squid. squid in transparent mode filters only http port 80 non-transparent squid filters http and https port 443 but you need to configure the proxy IP on all devices. squid 3.3.5 can filter http and https in transparent mode.
  • C

    Squid in transparent bridge mode, what's the last working version of pfsense?

    3
    0 Votes
    3 Posts
    2k Views
    C
    @cmb: It's never worked, just not something that can work. thanks for the confirmation. i've been trying to find a distro that can do it. so far i have not found any, let along a few options that i can choose from…
  • N

    Can Snort block when connected to a span port?

    2
    0 Votes
    2 Posts
    2k Views
    bmeeksB
    @newbieuser1234: I have never used a span port with an IPS.  Is snort able to block traffic via a span port, or do I have to use an inline connection with two nics?  I want to have my snort box on a WAN switch if I can use a port span.  If not, I will use the dual nic and plug in before the router.  I have multiple static IP addresses.  Thanks. Snort on pfSense is not truly "inline".  Instead, it adds rules to the existing firewall set to block particular IP addresses.  Technically a third-party output plugin called Spoink works within Snort on pfSense to stick offending IP addresses into the pf engine's blocking table. So when used on pfSense, a SPAN port would really not be of much use.  Unless the traffic is coming through the pfSense firewall Snort is running on, any blocks put in place would be meaningless. Now if all you want is just to get alerts, then a SPAN port connection would do that.  Just be aware that no actual blocking would happen for every offending IP.  Only those which actually needed to traverse the firewall would be impacted by any block. Bill
  • N

    NRPE Issues

    3
    0 Votes
    3 Posts
    2k Views
    J
    Check logs. It might happen due to ssl issues
  • C

    Transparent proxy don't work properly

    3
    0 Votes
    3 Posts
    2k Views
    C
    Thanks for your reply! I did as your guide, it works. But the squid proxy log is disabled.
  • S

    Need help understanding logging options, esp with proxy related packages

    3
    0 Votes
    3 Posts
    1k Views
    S
    Is there a config file for the squidguard (proxy filter) page that I can modify how many blocked entries are displayed in the GUI? It limits it to 50 by default. The file squidguard_configurator.inc has a define statement that sets max log lines at 500. Is this meaning max gui entries or max entries to the block.log file? I cannot seem to find the file that has this value in it. Anyone know the location of the file, if it exists and this is possible?
  • R

    Quagga "no redistribute" bug

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • R

    Unbound package : 6core bug/patch

    7
    0 Votes
    7 Posts
    2k Views
    W
    Added in the latest Unbound package - thanks @Reiner030
  • S

    Unbound - small DNS Rebinding Security Issue

    4
    0 Votes
    4 Posts
    2k Views
    W
    A bit late on this thread - but adding 127.0.0.0/8 would hinder mail servers making use of RBLs.
  • R

    URGENT: latest Unbound Update 1.4.20_6 crashes on 2.0.x

    4
    0 Votes
    4 Posts
    2k Views
    W
    I just pushed some changes which should fix the empty element and your multiple core problem. Thanks for your input.
  • Z

    OpenVPN Client Export - problems with certificate export

    2
    0 Votes
    2 Posts
    2k Views
    Z
    The box was upgraded from 2.0.1 to 2.0.3 last night.  The php errors listed were from when the box was on 2.0.1.  The timestamp on system_certmanager.php has remained at "Feb 26  2011", if that means anything.
  • F

    I have a problem with squid

    8
    0 Votes
    8 Posts
    2k Views
    F
    Answer After searching online and especially here in the forums I saw that you can fix the problem if you delete and create squid libraries squid makes some problems if the computer not turn off normally ssh to your pfsense and use this squid -z
  • G

    Squid reverse proxy ssl problem

    3
    0 Votes
    3 Posts
    2k Views
    G
    Unistalled stable and installed squid-dev(3.3.5 pkg 2.1.2). Still the same behaviour. Any further idea? Thanks, grassu
  • F

    Problem installing squid

    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    It installs OK here in a test VM on 2.0.3. Try it again, it may have been a temporary failure.
  • bmeeksB

    Snort Package Wish List

    14
    0 Votes
    14 Posts
    3k Views
    G
    @bmeeks: @gogol: I have three wishes: When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing I tried this once without much success.  It gets to be a real issue with the large rule sets.  I did add sorting columns in the last update to make it easier to locate a particular rule.  I can experiment with some other approaches.  It needs some type of dynamic bookmarking. I didn't even notice that the columns could be sorted. That's already something to make life easier ;) @bmeeks: @gogol: Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system; fi snort is monitoring this table and writing it to /tmp? This has come up from several users, but I really don't know a good way to do this.  Snort the binary does not and cannot monitor the table.  At least it can't without adding significant customized code to the baseline source code from Sourcefire.  I don't think that is wise because then staying current with updates becomes a big problem.  The GUI does not run fulltime either, and launching some kind of independent process in the background seems messy. I also thought that another process would be needed. No problem. @bmeeks: @gogol: The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time? I can address this, but instead of random times how about the ability to set either the offset in minutes from the top of the hour, or set a specific time of day? A specific time of the day has my preference, but the user must be remembered to set it at installation time. So not all pfSense boxes in a timezone try to connect at the same time. Maybe a small note for the user to explain.
  • A

    Postfix: Cant seem to whitelist

    4
    0 Votes
    4 Posts
    2k Views
    marcellocM
    @ant2ne: I made that change and I'm asked the person to resend the email. Ask him to include iatpnt2.iltech.org on externa dns too. That's why this message was blocked.
  • A

    Postfix errors connect to private/anvil

    3
    0 Votes
    3 Posts
    2k Views
    A
    Anvil Daemon currently set to disabled. Changed it to enabled and I will wait to see if the message appears in the log again.
  • L

    SquidGuard + Ldap (AD) (Patch - Updated)

    6
    0 Votes
    6 Posts
    11k Views
    L
    @jimp: OK this should now be integrated and available on 2.0.x and 2.1 with the current squidGuard package. I don't have a way to test, however. Thanks Jim !
  • D

    Squid + Dansguardian & transparent proxy

    9
    0 Votes
    9 Posts
    8k Views
    D
    @marcelloc: @demo: No, I've tried but It doesn't work. Client can access to internet without authentication. Check your firewall rules again. clients will access internet without proxy only when firewall permits. On pf I've created a rule that redirects traffic from lan address:80 to lan address:3128 but it doesn't work. Browser, configured with proxy's automatic detection, can access to internet without any authentication or filters. So I've created a rule that blocks traffic to lan address:80 and a NAT port forward that redirects traffic from 3128 to 8080. Browser now must be configured to use 3128 port, filtered too by dansguardian. If not set, browser can't access to internet. I think it's not a good way to do what I want for my lan, but in this moment I can't find another one…
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.