Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    I even tried deleting and creating a new certificate. Any suggestions?
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks
    It was all CVE fixes in the PHP GUI part of the package. See the Redmine ticket here: https://redmine.pfsense.org/issues/16414.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    572 Topics
    3k Posts
    keyser
    @Antibiotic No it’s not possible with NtopNG as it is not a Netflow collector. You need nProbe for that which will “translate” received netflows into flows that NtopNG understands and can visualize (with very very little detail might I add as Netflows has no additional information apart from sender/receiver and volume). The NtopNG package and the product in general is more geared towards visualising and recording traffic details from actual packet captures. This contains MUCH more metadata about the sessions than netflows (DNS names, protocol information and myriads of other things). But pfSense Plus has a builtin Netflow exporter if you have an external netflow collector on hand.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    @Gertjan Thanks for your reply – that’s also my impression. The point is: I don’t really see any lists right now that are actually “maintained” in the sense of being actively cleaned up, checked for dead domains, categorized, etc. That’s why my main interest is more about the demand: Would curated lists really be a game changer for admins? Would they be more helpful than what’s available today, or are most people already using other alternatives? If so, which ones? And from your perspective, what would be your expectation towards “community lists”? (e.g. reliability, update frequency, categories, fewer false positives?)
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypage
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working.
    Glad you have it sorted.
    There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded?
    If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command:
        [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
        VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
        [25.07-RC][root@fw]/root:
    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver.
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8.
    LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    501 Topics
    3k Posts
    Hi, Please help to forward / report the bugs in ACME 1.0 package. Thanks.
  • Discussions about the FRR Dynamic Routing package on pfSense

    295 Topics
    1k Posts
    Anyone else happen to notice that when configuring BFD, if you create a peer and select a profile - after save, re-edit the peer and the Profile is not represented. It appears as "None". You have to check the raw config to determine if the profile was actually assigned to the peer. This is on 2.8.1 (all packages up to date as of the date/time of this post). UPDATE: if re-edit and save (without re-configuring the profile none to what you want) - the save will strip the profile from the peer.
  • Discussions about the Tailscale package

    91 Topics
    611 Posts
    Hi All, I use HAProxy to redirect to a range of https internal resources, this works really well at the moment through the WAN where I have source limits set up, and I can connect to the internal resources from limited external IP Addresses. Given I have tailscale I would like to basically be able to put custom dns entries in to point these hostnames to my pfsense tailscale IP4 address (100.89.148.118) but I am not having any luck getting this working. At the moment, I am just trying to connect to HAProxy using https://100.89.148.118 but it is getting blocked by the firewall.
        Sep 11 11:55:58 tailscale0 Default deny rule IPv4 (1000000103) 100.89.148.10:53148 100.89.148.118:443 TCP:S
    I have tried with and without NAT redirecting internally to 127.0.0.1, and I also have rules set up to allow any traffic to and from my tailnets (defined in an alias) but I still keep getting these connections from my other tailscale machines being blocked on the pfsense machine. Can someone give me some pointers on what I am missing because I can see the requests are coming through to the pfsense machine, and in theory the rules should allow it through but I can't see why they don't. I do have tailscale ACL in place, but clearly that is not an issue as the requests are making it through to the firewall.
        0/0 B IPv4+6 TCP/UDP TailNets * TailNets * * none Allow across Tailnets
        0/0 B IPv4+6 TCP/UDP * * * 443 (HTTPS) * none Allow Tailscale IP4
    I also tried adding an EasyRule but because the tailscale0 interface doesn't exist in pfsense it throws an error and won't let me add that rule. Appreciate any help or tips, Cheers.
  • Discussions about WireGuard

    700 Topics
    4k Posts
    Bob.Dig
    @HFADmin If it is no Site2Site-VPN then you don't need any gateways in the first place... If that is true but you want to monitor the connection then you could create dummy-gateways just to ping the remote ip-addresses.
  • Postfix mailscanner and white listing

    Locked
    0 Votes
    3 Posts
    1k Views
    It's on acls. you whitelist based on error you got from remote server
    From remote server? Sending server or receiving server?
    Enable log and follow instructions on first gui tab.
    I assume my log is enabled because I selected Destination: SystemLog. Or is there another place to enable it?
    First GUI tab is the General tab. Settings are as follows:
        Enabled Postfix: Checked
        Listen Interface: WAN
        Maximum message size: blank
        Process Limit: Blank
        Custom main.cf options: blank
        Logging Destination: SystemLog
        Updaters sqlite: every minute
        debug peer list: blank
        debug peer level: 2
        Widget Options List Days 1
        Max File size: blank
  • Squid3 RealTime Problem!!!

    Locked
    0 Votes
    2 Posts
    1k Views
    marcelloc
    your session has expired. logon again on pfsense and it will work.
  • Minecraft server & Snort

    Locked
    0 Votes
    6 Posts
    5k Views
    bmeeks
    @hansrotec: an unrelated Q/A does ssd/HDD matter much in terms of performance for pfsense. right now i had a spare ssd laying around but due to its size it seems a waste to have it in the current setup.
    You will probably get a better answer to your ssd/HDD question in the Hardware thread. I personally run an old SATAII 40 GB drive in my home firewall. It is a Supermicro small-form factor server with an Intel Atom 330 with 4 GB of RAM. My Internet connection (12 megabits/sec cable modem service) can't come close to breaking it into a sweat. The only advantage of ssd is no moving parts and a little less heat.
    Bill
  • Snort unable to open rules file

    Locked
    0 Votes
    6 Posts
    8k Views
    bmeeks
    @Supermule: After a reinstall of Snort, then everything is fine.
    That error looks like perhaps you got hold of a corrupted rules file for the preprocessor text rules. Can you tell if this coincided with an automatic rules update? That file (decoder.rules) is used straight out of the archive downloaded and unpacked from Snort.org. It is updated on each download of fresh rules from Snort.org. My guess is either a borked download of the TAR file from Snort.org, or perhaps during the extraction and copying to the interface directory on the firewall it got trashed. A reinstall of Snort would have wiped the existing file and downloaded a fresh copy.
    Bill
  • Mailscanner package not found

    Locked
    0 Votes
    26 Posts
    7k Views
    Strange, from my 2.1-BETA1 (i386) built on Wed May 22 08:31:46 EDT 2013 FreeBSD 8.3-RELEASE-p8 I can install the package, but still not on the 2.0.3. Other packages work. Fabian
  • Ntop RRD graphs broken

    Locked
    0 Votes
    2 Posts
    1k Views
    I tried deleting the "rrd" folder but now it won't generate graphs at all.. just a broken image icon. It DID recreate the folder though. Wish I knew how to completely wipe ntop and start over…
  • Ubiquiti Unifi package for pfSense

    Locked
    0 Votes
    19 Posts
    21k Views
    plus one
  • New squid package issue

    Locked
    0 Votes
    3 Posts
    3k Views
    marcelloc
    @tzlwin: FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
    Are you using ssl_crtd on squid 3.1? ??? This feature is implemented on squid3-dev, not 3.1.
  • Dansguardian: Error reading PICS file

    Locked
    0 Votes
    2 Posts
    2k Views
    I concur with sir awsiemieniec, that there is a problem with the script that generates dansguardianf1.conf. I tried running /usr/local/etc/rc.d/dansguardian.sh and the same problem exists. Please verify, Thanks.
    I am using pfSense 2.0.3 (x64)
    Dansguardian: 2.12.0.3 pkg v.0.1.8
    Squid 2.7.9 pkg v.4.3.3
  • Squid, cache creation is longer that squid restart?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Siproxd Pf2.0.2 - Registration Issue

    Locked
    0 Votes
    2 Posts
    3k Views
    I'm having the same problems using 2.0.3-RELEASE (i386) and the siproxd package. You are supposed to set the "outbound proxy" of your phones to the siproxd ip. For me, this works fine but only for a few hours/days. After that time, I get the same messages from my SNOM phones:
        23/5/2013 00:46:42 [DEBUG1] PHN: SIP: send REGISTER (2: 5e000000a533-vvikzxlifbbb) -> udp:10.2.0.254:5060
        23/5/2013 00:46:42 [ERROR ] PHN: SIP: transaction_timeout udp: 1000002 (32000)
        23/5/2013 00:46:42 [ERROR ] PHN: SIP: transport error: 1000002 -> udp:10.2.0.254:5060
        23/5/2013 00:46:42 [NOTICE] PHN: SIP: Add dirty host: udp:10.2.0.254:5060 (0 sec)
        23/5/2013 00:46:42 [NOTICE] PHN: SIP: final transport error: 1000002 -> udp:10.2.0.254:5060
        23/5/2013 00:46:42 [ERROR ] PHN: SIP: transport error 1000002: generating fake 599
        23/5/2013 00:46:42 [DEBUG1] PHN: SIP: recv 599 REGISTER (2: 5e000000a533-vvikzxlifbbb) <- ::0
        23/5/2013 00:46:42 [ERROR ] PHN: SIP: Registrar 7771885676@sip.finotel.com timed out
        23/5/2013 00:46:42 [NOTICE] PHN: SIP: Registration Metrics failed
        23/5/2013 00:46:43 [DEBUG1] PHN: SIP: send REGISTER (3: 5e000000a533-vvikzxlifbbb) -> udp:10.2.0.254:5060
  • Reverse proxy (HAproxy) not redirecting to correct servers

    Locked
    0 Votes
    7 Posts
    7k Views
    Thanks PiBa, I'm currently not using the http close option for the frontends, but the ACL is configured. I'll make the change tonight and see how it goes. Thanks again for your help
  • OpenVPN + OSPF + Multi WAN (EXSTA state)

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Snort alerts

    Locked
    0 Votes
    4 Posts
    13k Views
    thanks, it was useful also for me!
  • Havp stopped after upgrading to pfsense 2.0.3-RELEASE (i386)

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Snort HOME_NET Settings

    Locked
    0 Votes
    2 Posts
    2k Views
    bmeeks
    @ESWBitto: Ok here is the issue. We are using the latest packaged version of snort and have both wan and lan interfaces setup. I can see traffic on my wan no problem, but my lan's are not picking up anything. I know they are working because when I do a port scan they alert on it and it shows the information. I'm now trying to set it up to where when an alert fires it shows the internal IP and the outside IP as the culprit or vice versa. When looking at the snort.config it doesn't show that my ipvar HOME_NET is set to anything. I've been doing some research through the forums and the standard is don't modify the config directly use the gui. So do I follow the instructions of others to setup an alias and use the alias name in the whitelist? I'm not quite sure where to go about getting this setup correctly. I don't want to exclude the internal IP's from being monitored….I know it may create a lot of alerts, but those can be suppressed.
    There is a fix for this coming in Snort Package version 2.5.8. Until then, create an Alias containing the firewall's locally attached networks and then create a Whitelist using that Alias along with the WAN IPs, Gateways and DNS Servers (if applicable). These are all checkboxes on the Whitelist tab when creating a new list. On the If Settings tab for the interface in Snort, set the HOME_NET variable to the whitelist you created and save the changes. Saving the changes on the If Settings tab is very important. If you skip that step, then the snort.conf file will not get properly created.
    Bill
  • Snort and Rules options

    Locked
    0 Votes
    3 Posts
    1k Views
    Bill, I completely forgot I even made this thread….To answer this issue so that you can have full completeness and resolution in your life I will let you know the outcome. :P In short yes it was something that wasn't being selected in the preprocessors. I have since then fixed that....I also have done what you do. I set the Policy to Secure (or whatever the third one is) and then selected all the ET rules. So it's going good now....carry on with life :)
  • Ntop OK for CF flash cards?

    Locked
    0 Votes
    2 Posts
    1k Views
    On nanoBSD CF-card systems, bandwidthd now stores all its data in /var/bandwidthd on the memory-disk. So the CF card remains read-only. When you reboot the bandwidthd data goes in the bit-bucket. I was intending to add an option to save that data to the CF card at a user-specified interval (like you can do for RRD data) and reload it during startup, but I have been busy with other upgrades/installs of non-pfSense stuff, so haven't got around to it. If anyone else wants to work on that, feel free to submit on GitHub ;)
  • SARG 2.3.6 pkg v.0.6.1 - Graph issue

    Locked
    0 Votes
    8 Posts
    4k Views
    Seems my problem was related to date format. Changed from European and sarg is working again.
  • LAGG and ntop

    Locked
    0 Votes
    1 Posts
    925 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.