pfSense Packages

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Cache/Proxy

Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

3.7k
Topics

20.6k
Posts

M

Hi there,
I have an issue with HAProxy and Kubernetes Ingress Controller in Proxy Mode.
Setup:
I have a Kubernetes cluster hosting all my applications, which is sitting behind a pfSense firewall with HAProxy. All incoming requests on TCP port 443 hitting the firewall are being forwarded in TCP mode to the Kubernetes NGINX Ingress Controller. The NGINX Ingress Controller is set in proxy mode, and HAProxy is configured to send traffic to the backend in proxy mode as well.
Problem:
While my applications work perfectly in a web browser, I encounter a strange issue when trying to push Docker images to my private Harbor registry. The error I receive is:
ERROR: failed to solve: failed to push harbor.mr-elamin.com/library/redis-proxy:3.20.3: failed to do request: Head "https://harbor.mr-elamin.com/v2/library/redis-proxy/blobs/sha256:1e9f215cdf351e6ca07ba06d8f13ad228bc80c58c34e1d455a6335581e340466": EOF Debugging:
I tested the connection using curl https://harbor.mr-elamin.com and observed the following behavior:
The connection is successful two to three times, returning status code 200. When successful, the curl command hits the access log of my NGINX Ingress Controller. Occasionally, the connection fails with an error, and no entry is recorded in the NGINX access log.
Here is an example of the curl command output when it succeeds:
curl https://harbor.mr-elamin.com/ -v * Host harbor.mr-elamin.com:443 was resolved. * IPv6: (none) * IPv4: 93.128.34.35 * Trying 93.128.34.35:443... * Connected to harbor.mr-elamin.com (93.128.34.35) port 443 * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /usr/lib/ssl/cert.pem * CApath: /usr/lib/ssl/certs * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS * ALPN: server accepted h2 * Server certificate: * subject: CN=harbor.mr-elamin.com * start date: Nov 30 23:30:54 2024 GMT * expire date: Feb 28 23:30:53 2025 GMT * subjectAltName: host "harbor.mr-elamin.com" matched cert's "harbor.mr-elamin.com" * issuer: C=US; O=Let's Encrypt; CN=R10 * SSL certificate verify ok. * Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption * Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption * Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption * using HTTP/2 * [HTTP/2] [1] OPENED stream for https://harbor.mr-elamin.com/ * [HTTP/2] [1] [:method: GET] * [HTTP/2] [1] [:scheme: https] * [HTTP/2] [1] [:authority: harbor.mr-elamin.com] * [HTTP/2] [1] [:path: /] * [HTTP/2] [1] [user-agent: curl/8.5.0] * [HTTP/2] [1] [accept: */*] > GET / HTTP/2 > Host: harbor.mr-elamin.com > User-Agent: curl/8.5.0 > Accept: */* > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * old SSL session ID is stale, removing < HTTP/2 200 < date: Thu, 19 Dec 2024 22:17:25 GMT < content-type: text/html < content-length: 785 < last-modified: Mon, 11 Nov 2024 09:31:49 GMT < etag: "6731cf05-311" < cache-control: no-store, no-cache, must-revalidate < accept-ranges: bytes < strict-transport-security: max-age=31536000; includeSubDomains < <!DOCTYPE html> <html> <head> <meta charset="utf-8"/> <title>Harbor</title> <base href="/"/> <meta name="viewport" content="width=device-width, initial-scale=1"/> <link rel="icon" type="image/x-icon" href="favicon.ico?v=2"/> <link rel="stylesheet" href="styles.ac415221c96d2bef.css"></head> <body> <harbor-app> <div class="spinner spinner-lg app-loading app-loading-fixed"> Loading... </div> </harbor-app> <script src="runtime.91e26be486c2d932.js" type="module"></script><script src="polyfills.d87db3092ff69ed9.js" type="module"></script><script src="scripts.3846d86d42cdb753.js" defer></script><script src="main.b7158e4b1766e693.js" type="module"></script></body> </html> * Connection #0 to host harbor.mr-elamin.com left intact
And here is an example of the curl command output when it fails:
curl https://harbor.mr-elamin.com/ -v * Host harbor.mr-elamin.com:443 was resolved. * IPv6: (none) * IPv4: 93.128.34.35 * Trying 93.128.34.35:443... * Connected to harbor.mr-elamin.com (93.128.34.35) port 443 * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /usr/lib/ssl/cert.pem * CApath: /usr/lib/ssl/certs * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to harbor.mr-elamin.com:443 * Closing connection curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to harbor.mr-elamin.com:443 Test:
To isolate the issue, I removed the proxy mode setting from the NGINX Ingress Controller and connected my PC directly to the NGINX Controller. In this configuration, I was able to push Docker images and perform other operations without any problems.
Configuration:
Here is the relevant HAProxy configuration on pfSense:

Frontend Configuration:
frontend k8s-nginx-ingress-ssl-pass-thru-custom mode tcp bind *:443 timeout client 30s use_backend k8s-ssl-pass-thru
Backend Configuration:
backend k8s-ssl-pass-thru mode tcp timeout connect 30s timeout server 30s server k8s-server 10.18.0.180:443 send-proxy Observations: The issue seems to be related to the proxy mode configuration in HAProxy and the NGINX Ingress Controller. Direct access without proxy mode works perfectly, while indirect access with proxy mode results in intermittent failures.
I would appreciate any insights or suggestions from the community to resolve this issue.

Thank you for your assistance!

here are some screenshots for more clarification:

f6145d19-1d63-42a5-bfd6-62535139b6f0-image.png
eee7469b-96b4-4d81-a469-c6b36e097e2e-image.png
5fe5241e-f633-422f-b657-a36c02ab4bcc-image.png
5472f361-c1d8-4193-9255-53bab761f3d6-image.png
cc881f50-d504-4de0-a8c8-094ce5c69ac9-image.png
IDS/IPS

Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

2.2k
Topics

15.6k
Posts

J

It runs alongside pfSense as a package. The logs can be configured by way of the package.
Traffic Monitoring

Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

555
Topics

2.7k
Posts

S

PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt

Just Curious what this is and how to stop it in snort, I first thought someone was trying to get in but now I am not so sure as I changed my external IP and it happened straight away
on the new External IP. From what I can gather its something to do with a vunerability in dns but at a loss where to start, if its not an issue then fine but its happening a lot.
pfBlockerNG

Discussions about the pfBlockerNG package

2.5k
Topics

19.1k
Posts

S

Wanted to get some feedback from folks before I upgrade to 24.11.
Is the latest pfBlockerNG 3.2.0_16 functioning ok on 24.11?
I moved away from Devel to Stable 6 months ago or so but see that the version hasn’t changed with the release of 24.11.
Just want to be sure I can expect all to function ok before I upgrade.
@BBcan177 can we expect a stable release of 3.2.1_20 perhaps or am I good to go?
Thanks in advance.
UPS Tools

Discussions about Network UPS Tools and APCUPSD packages for pfSense

87
Topics

2.3k
Posts

D

@firefox Glad you got it working
ACME

Discussions about the ACME / Let’s Encrypt package for pfSense

478
Topics

2.7k
Posts

K

@tinfoilmatt it looks like I have finally gotten the certificate to pop up but now I am dealing with getting 503 Service Unavailable error. Do you know if this is an HAProxy issue or on the cloudflare side?

Screenshot 2024-12-05 at 12.51.02 PM.png
FRR

Discussions about the FRR Dynamic Routing package on pfSense

280
Topics

1.1k
Posts

S

How is it configured? Does it appear correctly in vtysh 'show run'?
Tailscale

Discussions about the Tailscale package

75
Topics

429
Posts

R

@elvisimprsntr

Thanks
WireGuard

Discussions about WireGuard

635
Topics

3.3k
Posts

E

@Bob-Dig said in SOLVED: Wiregurad trouble after install and apply system_patches 2.2.11_16 in 2.7.2,:

My guess, it will come back

It was coming back today after rebooting host and start the pfsense in its VM.
At least i now fond a solution without reboot the host and the pfsense.
Solution was to go to Interfaces -> WGTun0 (tun_wg0) and disable the interface, safe that and the enable the interface gain.
So i gust the WGTun0-Interface will not every time comes up correctly after rebooting pfsense. Something went wrong.

S

Best practise for using HAProxy for internal servers?

• • shad0wca7

4

0
Votes

4
Posts

2.2k
Views

S

@costanzo

Your solution is so simple and works perfectly. I basically already had this set up for my WAN interface. And just needed to do the same for my internal networks. You have no idea the countless hours I have spent attempting to get DNS and what not to work internally with my HAProxy. And the endless opinions and options everywhere

Seriously, thank you so so so much. 👏 😊 😊 😊
S

System_patches

systempatches • • sstech

1

0
Votes

1
Posts

890
Views

No one has replied
W

PIMD Network Support

• • wlp94611

4

0
Votes

4
Posts

1.2k
Views

W

Can the number of vifs supported be increased? Maybe 24 vifs?
N

Core UI Modification

• • ng328

1

0
Votes

1
Posts

791
Views

No one has replied
J

Avahi Not Helping mDNS Cross Subnet Gaps

• • jasmilner

5

0
Votes

5
Posts

2.3k
Views

J

@johnpoz Well, that was up there with stupidly obvious and I feel stupid. I had even thought, "Maybe I ought to make explicit firewall rules... naaaaaah!"

Well, thank you for the assist!
J

OpenVPN behind CGNAT with VPS for remote access

• • JimS

17

0
Votes

17
Posts

4.2k
Views

J

@viragomann I tried selecting "dont pull routes" on client. still no joy. I did get the openvpn working so I can access my local machines when I am not on the local network but can't get from lan to wan. there is a rule to pass traffic but for some reason the logs show the traffic is blocked.
G

Add subdomain to haproxy

• • gschmidt

5

0
Votes

5
Posts

2.2k
Views

V

@gschmidt
In the frontend. You have to add an ACL for it with expression e.g. "Path starts with" and enter "ui" for the value.
And then add an action to direct it the the desired server.
G

Freeradius simultaneous-use assistance

• • getafix

3

0
Votes

3
Posts

1.9k
Views

G

@getafix said in Freeradius simultaneous-use assistance:

"seems so simple"

Everything is simple as soon as you know 'how it works'.
I just know enough to say that I know close to nothing.

I'm using the FreeRadius package to authenticate and account my captive portal users.

A user created with simultaneous-use = 1

Where did you enter this info ?

Did you look up what the syntax is ??
Yours looks wrong to me.

I have

e2b750a3-c166-43a8-944f-8459a4f75527-image.png

for a user, in the Users tab of the FreeRadius settings.

When you start to work with FreeRadius, you should work like this :

Stop de FreeRadius process in the GUI :

c3a89951-aef4-4b6a-8c58-77ab040f7f87-image.png

Enter console, or better, SSH, option 8, and use now this command :
radiusd -X
You'll see a lot of lines.
Important : use a ssh client and set it up these log lines are buffered and stored in a file. You'll be needing them.

The logging will pause when yiou reach this point :
...... Listening on acct address * port 1813 bound to server default Listening on auth address 127.0.0.1 port 18127 bound to server inner-tunnel-ttls Listening on auth address 127.0.0.1 port 18128 bound to server inner-tunnel-peap Ready to process requests
Now, FreeRadius is waiting for 'things to do' like identification' or 'accounting' events.

Periodacilt, you see a +/- 30 lines sequence of lines passing by, this is the handling of an event.

Your mission : you have to 'globally' understand what it does, and why it doing so.
Without this knowledge, it's like flying a plane, without the license.

To get back to the question :

See the image above. That's what need to be entered for a user. But I'm not really testing the "Simultaneous-Use" right now, I can't assure that it even works. I know the syntax is right.
Again "=" is not the same as ":=" as the first is an comparison and the other an assignment (probably, can't remember).

Btw : there is a plan B : forget about the GUI pfSense settings.
Go to the underlying "scratch pad files" that FreeRadius uses : the SQL database.

Most of the tables are empty, and could be used like this (example) :

2ba90308-08d0-4188-834b-a66d5ca08818-image.png

This is where I inform Freeradius that user 'b' has a password that is 'b'.

Keep in mind that the implementation of Freeradius in pfSense is only partial , at best.
Setting up a Radius server/process is complex, as it has a lot of options.
How to set up radius is less known or documented on the Internet, as only the 'real' admins know how to do so. These guys do not communicate their expertise, as it is way to difficult for the common mortals. There is a steep learning curve, which can't be short cut with 'a click'.
But : our Internet connection, our mobile phones, they all use radius to grant access to resources. Which means that half the planet is using Radius right now.
A

MailReport does not send out scheduled emails from a device but SendNow works

• • atlassol

1

0
Votes

1
Posts

876
Views

No one has replied
S

MailReport Filter Syntax Continued

• • SuperTechie

2

0
Votes

2
Posts

1.4k
Views

B

@supertechie
Have a look at regexp

It will explain why the "dot" has to be "escaped" (by the )

/Bingo
A

How Squid users can change own passwords?

• • atn78

1

0
Votes

1
Posts

760
Views

No one has replied
G

Zabbix proxy service doesnt start

• • GeorgeCZ58

1

0
Votes

1
Posts

867
Views

No one has replied
L

Anyone successfully deployed WPA3 with Freeradius?

• • leolk

3

0
Votes

3
Posts

2.6k
Views

L

@gertjan
Ah, I forgot that say that everything works well in WPA2 mode. My setting is the same with the tutorial, I wonder if there’s any special requirement on WPA3 radius. Anyway, thank you for your help.
L

Which packages should I install?

• • LPD7

7

0
Votes

7
Posts

1.8k
Views

L

@michmoor Yes going to see if PFB will be the right solution, seems like squid would be a lot of overhead and not serve all current needs. Thanks for your input.
?

Packages unavailable when using IPv6

• • A Former User

2

0
Votes

2
Posts

1.5k
Views

?

Performed a new test with Prefer IPv4 disabled and enabled and captured DNS queries

Prefer_IP_Disabled_Enabled_DNS_queries.txt
4

Can't access LAN from wireguard tunnel.

• • 4RT

2

0
Votes

2
Posts

1.4k
Views

4

@4rt
PLEASE DETELE
I figured it out. Thanks anyway.
M

Zabbix6 agent & proxy

• • mike_vc

2

0
Votes

2
Posts

1.5k
Views

M

Looks like this was added! Thanks!
P

Package updates don't restart services

• • pyrodex

5

0
Votes

5
Posts

1.7k
Views

P

Thanks all for the explanation!
T

bind package 9.16_12 reads from /cf/named, but changes in the GUI are written to /var/etc/named

• • tbahn

20

1
Votes

20
Posts

2.7k
Views

V

Redmine issue created:
https://redmine.pfsense.org/issues/13002
R

System Patches update on 2.5.2

• • revengineer

5

0
Votes

5
Posts

1.5k
Views

J

There is an update for System Patches on Plus 21.05/CE 2.5.2, even if your update branch is set to stay on Plus 21.05/CE 2.5.2.

We put an update there to add the recommended patches list populated with important security and stability fixes for people who couldn't upgrade to 2.6.0 right away.

23 / 461