1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    V
    Ah, I changed the action to deny both and now I also have a wan firewall rule, which I also had on OPNsense. With this wan rule I can see the blocks already coming now! Is it a bad idea to have the action set to deny both instead of inbound only?

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    F
    @dennypage I tested it with a new UPS and I no longer have the problem. It was the UPS that wasn't working properly. Thanks for your help.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.

  • Discussions about WireGuard

    715 Topics
    4k Posts
    patient0P
    @andresbraga that looks good, the same is needed for LAN.
Log in to post
Load new posts
  • G

    Last update killed snort

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    G
    Solution: Do NOT use last update "built on Wed Apr 3 21:48:42 EDT 2013" is broken aka pfSense-Full-Update-2.1-BETA1-i386-20130403-2147.tgz.
  • G

    Siproxd, setup and configuration for voip… works great!!!

    Locked
    35
    0 Votes
    35 Posts
    85k Views
    G
    And what will happen if I have CARP, so my WAN have a private ip address? I will have to use host_outbound = mypublicip in the configuration file, but how to edit the file and avoid pfsense gui to overwrite it?
  • bmeeksB

    Snort 2.9.4.1 Pkg 2.5.4 – Fix for SO rules version mismatch and failed startup

    Locked
    73
    0 Votes
    73 Posts
    30k Views
    D
    @Supermule: Didnt that get updated via the GUI?? @DigitalDeviant: I jusat signed up for VRT rules and cannot get them to install after a reinstall and reconfiguration of snort. I'm currently running 2.0.2-RELEASE (amd64). Edit: The issue may lie with my Snort account. I was unable to manually pull 2.9.4.1 rules with my Oinkmaster URL; I got an error saying I was not a subscriber, though I can manually download the 2.9.4.1 rules. I was able to pull 2.9.4.0 via Oinkmaster URL. Edit 2: All problems with my account are cleared and I still cannot automatically download Snort 2.9.4.1 rules. Edit 3: I had to change {$oinkid} in snort_check_for_rule_updates.php with my actual Oinkid. Then it worked. I haven't had time to troubleshoot any further. I have confirmed I have the right Oikcode in the GUI. Unless I change it in both spots it wound download the MD5 or rules. I don't have the exact errors from the system logs but it seemed like the download link was wrong so I'm guessing that it's not getting the Oinkcode variable. Troubleshooting time is minimal so any ideas on how to proceed would be appreciated.
  • B

    Squidguard block two particualr websites

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S
    Hey Barry! I got it blocked it using squid and squidguard! My settings squid on transparent proxy and on squidguard with blacklist "http://www.shallalist.de/Downloads/shallalist.tar.gz", denied these two "[blk_BL_hobby_games-misc] - [blk_BL_hobby_games-online]" on both tabs Common ACL and Groups ACL! and it blocked those two websites.! One more thing about squidguard after making all the changes inside move to the "General settings" tab and scroll to the end and SAVE the settings first and then HIT apply on top of the same page. Good-Day!
  • C

    Freeradius: [pfsense-2.0.2] "no response from server" [RESOLVED]

    Locked
    5
    0 Votes
    5 Posts
    8k Views
    C
    The 127.0.0.1 user entry did the trick!  Before this, I had even created an entry for the specific IP address of the pfsense box, which didn't work. Thank YOU!
  • A

    How can I block remote access services

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • K

    WPA-Radius and freeradius2d

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    N
    Hi, can you make sure that the server certificate for the RADIUS server is a "server" certificate and not a client certificate ? Where did you create the certificate? Did you select the CA and the server cert in freeradius –> EAP --> CERTIFICATES FOR TLS ? If you created the certificate/CA on pfsense then you need to empty the "Private Key Password". Sometimes it works after clicking a second time on the "Save" button on the freeradius --> EAP page. If your Linux/Android clients does not support PEAP + MSCHAPv2 then you should use some other mechanism than MSCHAPv5. Try with MD5. It's not a security problem because PEAP establishes a TLS tunnel and this is secure and it doesn't matter what is happening within the tunnel unless it is compatbile with your devices.
  • N

    Squid2 + HAVP on pfsense 2.x - is HAVP outdated ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    Thank you for your feedback. If I remember correct on an some weeks old test environment I installed HAVP and I could see that ClamAV version wasn't the actual version as it is on the clamav homepage. I am not sure if all signatuires and programcodes are still up to date on the HAVP package or if these will update automatically. Using an "old" version of HAVP proxy isn't the main problem i think because it is just redirecting traffic throu7gh ClamAV but it makes no sense (in my opinion) to redirect traffic through an old/utdates antivirus scanner and lose performance even if the scanner is not on the newest version an cannot find "all" viruses. I would be interested if ClamAV is independent from HAVP and updates itself? How does this work on other packages like Danguardian?
  • D

    Snort segfaulting on startup w/ http pre-processors enabled

    Locked
    25
    0 Votes
    25 Posts
    7k Views
    S
    What a great find!!!
  • A

    Snot not starting: Invalid argument to 'server_flow_depth'.

    Locked
    27
    0 Votes
    27 Posts
    9k Views
    bmeeksB
    @AhnHEL: @bmeeks: FYI.  I now have this functionality working in my latest test build of the Snort GUI. Wow, that was fast Bill.  Excellent work, cant wait to try out all the new improvements. Here is a link to my Github repository showing my latest changes: https://github.com/bmeeks8/pfsense-packages/commits/master You can look at the Commit History.  Changes after March 22 have NOT yet been submitted to the pfSense team.  I hope to do that in a day or two. Bill
  • I

    SARG daily reports

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • B

    Reverse Proxy - Squid3 or Varnish

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    K
    Search the forum on squid3 of reverse squid3. There are a lot of topics over this. Including instructions. Beter is just try. I prefer squid3.  It's easy to use and to learn.
  • C

    Snort Rules Update weirdness

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    bmeeksB
    @ccb056: Maybe there is something wrong with running both Snort and ET rules at the same time…. No there shouldn't be a problem, I run both sets in my production system.  I run different sets on different interfaces.  My updates happen without any problems.  If you have not yet, a reboot of that box might help. I'm still doing quite a bit of testing various scenarios with the newest Snort package in a virtual machine environment.  I have found a few quirks in the PHP code that I am cleaning up and improving.  Hope to have a GUI code update to submit this weekend.  One area where I made some changes is in the rules update code (but nothing that I expect would definitely cause or correct the issue you see – still, it might help). Bill
  • T

    How to select the transparent interface for Squid

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    T
    thx for your answer ! The thing is, I wanna do Radius or Local authentification on LAN (because the computer are multi-user) and just Mac logging on Wifi (wich is single user device). So I need the LAN interface not to be transparent and the WiFi to be (espcially because Android's Phone older than 4.0 can't add proxy settings for browsing ). Not sur i'm really clear … On IPCOP or smoothwall I can do it juste like that : [image: proxy.png] So it's possible but I don't know how to do it with Pfsense …
  • E

    Dansguardian block report to cgi crash

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM
    what version of dansguardian are you using? If you are using latest version, it's better to post it on dansguardian sourceforge bug report.
  • S

    Does Snort work on Virtual IP's?

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    S
    No worries. Will set one up during easter holidays when wife and kids are out shopping :D
  • A

    Maia Mailguard or another SpamAssassin Frontend?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    marcellocM
    @adiadasman: You mean just drop down to the FreeBSD prompt and install the package? Not in a jail? I am sorry, I have just started using pfSense, so I am still trying to familiarize myself with it. I would also need to install MySQL as well, correct? Yes, just use pkg_add -r for amd64 on freebsd 2.0.x pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/security/maia-1.0.2a_3.tbz Test it on a virtual machine first to see if it breaks or not pfsense gui.
  • J

    Snort blocks WAN IP after update

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    bmeeksB
    @joako: My understanding it was already patched but with the same version number, uninstall + reinstall resolved it for me. Correct.  The Version Number was not incremented for the latest fix for WAN IP blocking.  Just uninstall and reinstall as suggested and the "fix will be in"… :) Bill
  • E

    How do you tell Squid to redirect all connections?

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    D
    Redirects only function when a page is blocked - it's the replacement for a block message.  Try it with a block message and no redirect and see if the clients you wish to redirect get the block message.  You will also need to add a the redirect site to the Target Categories tab then set that page to Allow on the Allowed Clients rule or Whitelist it on the Common ACL page.  Otherwise it ends up in a loop of trying to visit the redirect page, oops, redirect page is blocked, so redirect, oops, redirect page blocks, so redirect . . .
  • H

    Will vnstat2 retain old data on NanoBSD system?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    If it stores the data in /var or /tmp then no it will not survive a reboot. The RRD backup only works for RRD graphs built into pfSense, not packages.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.