1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.

  • Discussions about WireGuard

    715 Topics
    4k Posts
    S
    @LaUs3r Yeah, I added those IPs, but after restarting pfSense, the WireGuard status says “handshake failed.” Also, when I do nslookup us-bos.prod.surfshark.com, I get two different sets of IPs. For example: • The first time I get 43.225.189.108 and 43.225.189.118 • The next time I get 149.40.50.216 and 149.40.50.290 So I was wondering can I add both sets of IPs, and put a “0” at the end of each, and use /24 for both IPs? I reached out to Surfshark support, and they sent me their official pfSense WireGuard setup guide see the guide here in the guide they mention 10.14.0.2 for static routes
Log in to post
Load new posts
  • A

    Squid / squidguard advice needed

    7
    0 Votes
    7 Posts
    5k Views
    S
    I will look into this. I had not seen that sort of info before. Thank you!
  • bmeeksB

    Snort Pkg 2.5.8 Change Log and Screenshots

    25
    0 Votes
    25 Posts
    7k Views
    bmeeksB
    @marcelloc: @bmeeks: You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful. I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic changing pf rule created by snort. On pfblocker I've added an option to only create alias but do not apply rules. This way sysadmin can create any rule based ou package created alias. Oh…OK.  I wasn't initially understanding his intent.  I'm not sure this idea really fits into what Snort is about, though.  Sounds more like something for one of the other packages like pfBlocker perhaps. Bill
  • B

    Snort not working on 2.1 RC0

    16
    0 Votes
    16 Posts
    5k Views
    bmeeksB
    @Mitterwald: Just did an update to the current RC0 snapshot and deinstalled snort and installed it again. The config still remained on my pfsense. But now it seems to work again. WAN is up for over 30 Minutes now, already blocked several attackers. So seems ok for me again. P.S.: I didn't changed any VMWare settings up to now. Some things changed in the latest snapshot of the RC0 release.  I have not investigated what changed, but I did notice my test 2.1RC0 box was prompting me about an update. Bill
  • S

    Squid3 and PLEX

    3
    0 Votes
    3 Posts
    2k Views
    S
    @marcelloc: Try to fill https field options. No luck with that.  Am I getting the FQDN and URI stuff correct?  The actual address that I am looking to start is something like: https://starch.hopto.org/web/ If it makes any difference that is a dynamic dns I use to keep up with my home IP as it changes often.  Would there be any issue with that?
  • I

    Squid3-dev mitm configuration

    2
    0 Votes
    2 Posts
    2k Views
    marcellocM
    @iodaddio: So if you have http/https going through squid3 proxy, I have transparent for both and mitm.  Then how does dansguardian check traffic?  It seems that once squid3 breaks into http/https it would need to send the hacked traffic to then be scanned by dansguardian…  not sure how that works.  sorry, proxy setups still mystify me. It will not, only icap/redirector calls will work as it's a ssl connection. Try squidguard or enable mitm on dansguardian(alpha code for mitm) @iodaddio: I ask because my assumption is that if I make 2 nat rules to send traffic to dansguardian. it would then be responsible for mitm, is that correct?  I think that would be setup like this: No need to do nat rules while using squid3-dev(The package will do that for you).
  • E

    Snort Memory Consumption

    2
    0 Votes
    2 Posts
    2k Views
    bmeeksB
    @ESWBitto: I'm having an issue where my snort sensors are using over 700 mb of memory each. If I only had one sensor that would not really matter, but I have 7! We've had to tweak the amount of rules and Emerging threats that are used and frankly I don't want to have to sacrifice not using all or most of the rule sets. Is this the norm? Does anyone have any suggestions on tweaking the memory usage? In the gui the selected option for the lowest memory consumption for best performance is already selected (I think it was the default) I believe I read somewhere that each sensor by default should only use 200 MB each. Bitto Snort with a lot of enabled rules and a lot of connections will eat memory.  There are settings that can be tweaked to improve this a bit, but nothing beats having at least 4 GB of RAM per sensor.  RAM is pretty cheap these days anyway. Also, there is no point in trying to run all the rules (both ET and Snort VRT).  I'm sure there are partisans on both sides of the issue who will swear one set is better than the other (ET vs. VRT), but you might consider choosing Snort VRT with the IPS-Connectivity policy to start with.  That will catch most stuff and not give a lot of false positives.  As you gain experience with Snort and its behavior with your specific network traffic, you can bump up to the IPS-Balanced or even IPS-Security policies.  Just be aware that these are likely to start giving false positives and need tuning. Here is a link about hardware sizing for Snort:  http://mikelococo.com/2011/08/snort-capacity-planning/ Bill
  • N

    OpenVPN Client Export Utility - Option Requests

    3
    0 Votes
    3 Posts
    2k Views
    N
    Figure that since the http-proxy option is already there it shouldn't be to much to just make proxy type selectable.  (http proxy or socks proxy)
  • D

    Squid3 Dynamic Content Cachine Profiles

    3
    0 Votes
    3 Posts
    1k Views
    D
    that would be terrific.
  • G

    Squidguard error page external redirect - no images

    1
    0 Votes
    1 Posts
    982 Views
    No one has replied
  • B

    Bug in squid in trasparent mode? No redirect if…

    1
    0 Votes
    1 Posts
    758 Views
    No one has replied
  • F

    DansGuardian Authentication in Windows.

    5
    0 Votes
    5 Posts
    2k Views
    F
    @marcelloc: @friskee: Any ideas? you do not need wbinfo -u. It will work only on small user lists. wbinfo -t is all you need to know if it is running or not. how do I know that it can successfully pull users from active directory?
  • L

    Squid.conf Bungled acl safeports

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • marcellocM

    Patch to show Available Packages by category on pfsense 2.1

    12
    0 Votes
    12 Posts
    4k Views
    jimpJ
    Defaulting to a restricted one-category list tab does a few bad things (and probably more I'm not thinking of): 1. As mentioned previously, people will not see the tabs and wonder where packages disappeared to. 2. People will have to hunt through multiple tabs to find a package if they don't know and can't correctly guess the package category. What took two clicks before suddenly takes half a dozen and a lot more time. 3. It makes it less obvious just how many awesome packages there are. The giant list makes us look good there. :-) I would not use tabs at all, but do search and include categories in the search. Your "tabs" could now just be shortcut links to search the category, or a search filter that does the same job. Best thing, I think, would be that the default should be 'all packages' but have a search box right at the top. Maybe a drop down to restrict by category but it would have "All packages" as its first choice. Perhaps something like: [ Text Box For Search ] [Category Drop-Down] [ "Go"/"Search" button ] Enter search terms to filter the list, or select the category from the box, press search (no text entry) would display all packages in the category. Since the entire list of packages is known before the page is rendered, that could all be done in javascript and could do autocomplete or immediate filtering (meaning it could look like AJAX but doesn't actually make additional calls)
  • N

    Openvpn speed differences between full install & nanobsd

    3
    0 Votes
    3 Posts
    1k Views
    N
    thank you. it's weird though because i don't see a cpu spike when i download a large file over vpn on the 1 ghz system.
  • A

    Open-VM-Tools [Stable 8.7.0.3046 (build-425873)platform: 2.0]

    9
    0 Votes
    9 Posts
    2k Views
    A
    If I am not mistaken, VMware had provided the drivers for FreeBSD. Don't get me wrong here.. VMTools works, not sure what one gains by installing it other then adding drivers for network cards. I can understand VMware tools for Windows etc. but for pfSense my main goal was for VXN. If the drivers don't work, I don't want to install VMTools and break my baby ;)
  • T

    PfBlocker disabled pf when router was booted with no internet

    8
    0 Votes
    8 Posts
    2k Views
    T
    I was able to reproduce this on a test router, and I have posted this at: http://forum.pfsense.org/index.php/topic,42543.msg340581.html#msg340581
  • B

    OpenVPN Client Export Settings

    5
    0 Votes
    5 Posts
    2k Views
    B
    Thank you, found it.
  • T

    Snort update page & footer div

    6
    0 Votes
    6 Posts
    2k Views
    T
    Thanks.
  • S

    Tuning Dan's Guadian

    3
    0 Votes
    3 Posts
    1k Views
    R
    @SoFlo1: I'm having a few of problems with DG and wondered if there wasn't a tweaking/tuning guide somewhere that works through all these issues. First, the Japanese porn weighted phrase list was triggering on all kinds of random crap - like shopping for shelves at homedepot.com. So I turn that off only to find other weighted lists that keep triggering on completely random stuff. Are there better weighted lists than what the DG package for pfSense ships with are are they just generally known to be pretty useless? Anyway, the other problem is with weighted phrases turned on, certain sites like reddit get all munged - reduced to a simple links-only kind of rendering, some graphics but no layout. The other, other problem I'm having is inline JPEGs stripped out, but not other MIME types. I'm sure this is a setting somewhere but it doesn't seem to be as obvious to find as I would have thought. I'm sure everyone's run across these and more so maybe you could just point me to a "living with dansguardian" link before I give up? Thanks. I'm fairly confident this is something to do with your configuration… been using it for years with none of these issues.
  • M

    Squid 3.1 transparent proxy omits HTTP exceptions (PEBKAC?)

    3
    0 Votes
    3 Posts
    2k Views
    N
    MatSim, you coul have a look at the "bypass proxy" options on squid. In my environment I bypass proxy for all internal communication. If you bypass the proxy for some source/destination IPs then the pfsense firewall rules need to do the job for port 80 (http). If you do not bypass the proxy for that traffic then you must configure ACLs on squid which allow/deny that traffic on port 80 (http).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.