1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    E
    I even tried deleting and creating a new certificate. Any suggestions?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB
    It was all CVE fixes in the PHP GUI part of the package. See the Redmine ticket here: https://redmine.pfsense.org/issues/16414.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    572 Topics
    3k Posts
    keyserK
    @Antibiotic No it’s not possible with NtopNG as it is not a Netflow collector. You need nProbe for that which will “translate” recieved netflows into flows that NtopNG understands and can visualize (with very very little detail might I add as Netflows has no additonal information apart from sender/reciever and volume). The NtopNG package and the product in general is more geared towards visualising and recording traffic details from actual packet captures. This contains MUCH more metadata about the sessions than netflows (DNS names, protocol information and myriads of other things). But pffSense Plus has a builtin Netflow exporter if you have an external netflow collector on hand.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    V
    @Gertjan Thanks for your reply – that’s also my impression. The point is: I don’t really see any lists right now that are actually “maintained” in the sense of being actively cleaned up, checked for dead domains, categorized, etc. That’s why my main interest is more about the demand: Would curated lists really be a game changer for admins? Would they be more helpful than what’s available today, or are most people already using other alternatives? If so, which ones? And from your perspective, what would be your expectation towards “community lists”? (e.g. reliability, update frequency, categories, fewer false positives?)

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    501 Topics
    3k Posts
    A
    Hi, Please help to forward / report the bugs in ACME 1.0 package. Thanks.

  • Discussions about the FRR Dynamic Routing package on pfSense

    295 Topics
    1k Posts
    J
    Anyone else happen to notice that when configuring BFD, if you create a peer and select a profile - after save, re-edit the peer and the Profile is not represented. It appears as "None". You have to check the raw config to determine if the profile was actually assigned to the peer. This is on 2.8.1 (all packages up to date as of the date/time of this post). UPDATE: if re-edit and save (without re-configuring the profile none to what you want) - the save will strip the profile from the peer.

  • Discussions about the Tailscale package

    91 Topics
    611 Posts
    T
    Hi All, I use HAProxy to redirect to a range of https internal resources, this works really well at the moment through the WAN where I have source limits set up, and I can connect to the internal resources from limited external IP Addresses. Given I have tailscale I would like to basically be able to put custom dns entries in to point these hostnames to my pfsense tailscale IP4 address (100.89.148.118) but I am not having any luck getting this working. At the moment, I am just trying to connect to HAProxy using https://100.89.148.118 but it is getting blocked by the firewall. Sep 11 11:55:58 tailscale0 Default deny rule IPv4 (1000000103) 100.89.148.10:53148 100.89.148.118:443 TCP:S I have tried with and without NAT redirecting internally to 127.0.0.1, and I also have rules set up to allow any traffic to and from my tailnets (defined in an alias) but I still keep getting these connections from my other tailscale machines being blocked on the pfsense machine. Can someone give me some pointers on what I am missing because I can see the requests are coming through to the pfsense machine, and in theory the rules should allow it through but I cant see why they don't. I do have tailscale ACL in place, but clearly that is not an issue as the requests are making it through to the firewall. 0/0 B IPv4+6 TCP/UDP TailNets * TailNets * * none Allow across Tailnets 0/0 B IPv4+6 TCP/UDP * * * 443 (HTTPS) * none Allow Tailscale IP4 I also tried adding a EasyRule but because the tailscale0 interface doesn't exist in pfsense it throws an error and won't let me add that rule. Appreciate any help or tips, Cheers.

  • Discussions about WireGuard

    700 Topics
    4k Posts
    Bob.DigB
    @HFADmin If it is no Site2Site-VPN then you don't need any gateways in the first place... If that is true but you want to monitor the connection then you could create dummy-gateways just to ping the remote ip-addresses.
Log in to post
Load new posts
  • J

    FreeRADIUS and LDAP

    1
    0 Votes
    1 Posts
    812 Views
    No one has replied
  • xanaroX

    Telegraf Module Source Code?

    6
    0 Votes
    6 Posts
    1k Views
    xanaroX
    @bmeeks awesome! thanks for the info! gives me a jump start when i tinker on this during the week, will definitely lab test it on some spare hardware.
  • J

    TOR proxy

    2
    1 Votes
    2 Posts
    1k Views
    bmeeksB
    As evidenced by the dearth of replies to your question, TOR, however noble its original design and intention, has had its reputation severely tarnished by association with the dark web and its bad actors. Thus I suspect no self-respecting firewall admin would consider putting anything TOR anywhere near their firewall.
  • H

    Package avahi-daemon does not exist in current Netgate pfSense Plus version and it has been removed.

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ
    @hulleyrob If I had to guess there are some things in redmine about packages not installing on reinstall, and this one talks about forcing reinstall sort of thing.. https://redmine.pfsense.org/issues/12235 To report the issue you have experienced we would really need some more details, and copies of your config you restored, etc.. But as you said its easy enough to work around.. But yeah it could get frustrating for someone, sure..
  • C

    FreeRADIUS 1st setup - authentication failed. How to troubleshoot?

    8
    0 Votes
    8 Posts
    3k Views
    C
    @NogBadTheBad @Gertjan : I received my spare SG-1100, set it up using the absolute basics and installed the FreeRADIUS package on that unit. Exact same issue. So the problem was the FreeRADIUS Server Certificate which was not created automatically, like in Tom's video. Right after installing the package I got the following notice: [image: 1637365313262-ce6fb673-565f-4701-99eb-2e839613f9dc-image.jpeg] This was exactly the same on my production SG-1100 unit. I don't understand why the SC could not be created where the CA was created just fine. I found this other post right here on the forums of another SG-1100 user running into the same issue. Could this be related to the SG-1100 specifically? Anyway I created a Server Certificate under de FreeRADIUS CA and boom the server is running and it is authenticating. Just one question as this is the first time I create my own certificate: The common name field cannot be left blank or I'll get an error creating the certificate: [image: 1637365674945-4a3ac69e-ad16-4081-838b-ffc96bf1bfa5-image.jpeg] However I didn't know what to enter there for this special FreeRADIUS use case. So I just entered a non-existing url. Will that be adequate? Thanks for your help! Pete
  • Z

    NUT disable anonymous access?

    4
    0 Votes
    4 Posts
    1k Views
    dotdashD
    @zoltrix It seems you are correct, if I load nut on a workstation, I can poll statistics if I know the configured name and address without any configuration on the client side. You could make this harder by choosing a unique name instead of the default 'ups'. I don't see this as a security risk, but the nut manual has a section 'Notes on securing NUT' which may be of use. An easy fix on pfsense would be to block LAN access to the NUT port for all but trusted workstations.
  • JonathanLeeJ

    Squid Proxy Server Clam AV showing outdated

    2
    1 Votes
    2 Posts
    937 Views
    GertjanG
    @jonathanlee said in Squid Proxy Server Clam AV showing outdated: Where would I update if the packages show up to date? You don't. Half the planet sees this message nearly daily (using ANY OS, using the 'clamav' package). Read the proposed : DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav Which explains the message.
  • M

    Interface Zabbix monitoring

    3
    0 Votes
    3 Posts
    2k Views
    M
    We tried to search for solution but unable to get it. Does anyone knows about the correct path for WAN interfaces.
  • P

    Unable to install git

    4
    0 Votes
    4 Posts
    1k Views
    P
    @jimp amazing. Thank you.
  • W

    [Solved] Login incorrect with FreeRADIUS to Google Authenticator

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • T

    Block Internet but allow Visual Studio Code

    1
    0 Votes
    1 Posts
    802 Views
    No one has replied
  • J

    NUT Config: Omron UPS BWxT

    1
    0 Votes
    1 Posts
    844 Views
    No one has replied
  • W

    FreeRadius Interfaces

    6
    0 Votes
    6 Posts
    1k Views
    NogBadTheBadN
    @whitetiger-it said in FreeRadius Interfaces: @nogbadthebad Let's see if I understand correctly. The switch, instead of querying the RADIUS on the firewall IP, queries a virtual (and therefore non-existent) IP that you have associated with the localhost of the firewall itself. Nope its a virual address tied to the localhost interface, if I had bound my FreeRadius to the LAN interface IP and I had shut it down then devices couldn't authenticate. [image: 1636629989624-screenshot-2021-11-11-at-11.24.29.png] Good idea, but I didn't understand why. The IP of the firewall is however known, for example because it is the Gateway of the network, there is DHCP, DNS, etc. However, my question remains open. Is the RADIUS interface the network on which the users are located or the one on which the servers/devices interrogated by the user are located? From what you have posted, it seems to me that it is the second answer. The radius interface is the IP address that Radius requests are sent to, as per "Enter the IP address (e.g. 192.168.100.1) of the listening interface. If you choose * then it means all interfaces. (Default: *)" You can point your devices to any IP address any pfSense interface you want if you leave the IP address as the default of *
  • A

    Avahi: "Failed to create client object: Daemon not running"

    12
    0 Votes
    12 Posts
    14k Views
    R
    @rajid Followup: I've also found that I need to add a filter to allow mdns packets to "pass", otherwise they end up blocked. I'm still not seeing any mdns responses using the avahi programs (such as "avahi-browse -a"), but "tcpdump" shows the packets are there on the wire.
  • B

    WireGuard multiple client bug

    wireguard
    20
    0 Votes
    20 Posts
    4k Views
    B
    @jimp thx for the hint it's working now, it totally make sense now. hope it will you @bbusa as well
  • F

    Suricata won't auto start on reboot

    2
    0 Votes
    2 Posts
    932 Views
    bmeeksB
    Did you look in the suricata.log for the interface to see why Suricata was failing to start? You can view that log on the LOGS VIEW tab. The log is overwritten with each startup attempt of Suricata. It will contain the status of the last startup attempt of Suricata for the interface. Was it complaining specifically about failure to allocate Stream Memcap memory? With lots of cores, that value must be increased substantially from the default. You can search on Google for info on configuring the value. I seem to recall running across a formula quite a long time ago that let you calculate how large that value needed to be for a given number of cores.
  • 4

    Bug in wireguard Package Addon config found, when generating wireguard config

    2
    0 Votes
    2 Posts
    1k Views
    4
    @4920441-0 If anyone is asking why this is a problem: I try to configure three tunnels which should connect 4 OSPF routers with each other.... For the first tunnel I could allow 224.0.0.0/6 but what should I do with the other tunnels? Thanks a lot.. Cheers 4920441
  • P

    Snort Inline Mode caused WAN to drop every few minutes

    8
    0 Votes
    8 Posts
    2k Views
    bmeeksB
    @tsmalmbe said in Snort Inline Mode caused WAN to drop every few minutes: @bmeeks A minute to review this question of mine and comment? Highly appreciated as always. The answer is very simple: switch to Legacy Mode if you want to use blocking with Snort (or Suricata) on your hardware. I've said on this board innumerable times that Inline IPS Mode relies on the kernel netmap device, and the kernel netmap device relies on well-written support within the hardware NIC driver. If that support is not well-written (meaning bug free), then netmap does not work reliably. That in turn means Inline IPS Mode does not work reliably. "Not working reliably" can manifest in ways from simple disruption of traffic on the configured interface to potentially a complete lockup of the firewall. There is a warning dialog that is displayed at the top of the INTERFACE SETTINGS page when you switch an interface to Inline IPS Mode and save the change. The message clearly says you may experience difficulties. You also have two installed packages that are likely not going to cooperate with the netmap kernel device: bandwidthd and softflowd. That's because when an interface is placed into netmap operation, it is disconnected from the kernel's control and placed under the the control of the app initiating the netmap connection. For the IPS/IDS packages, that would be Snort or Suricata.
  • A

    Problem with packages

    10
    0 Votes
    10 Posts
    1k Views
    A
    @gertjan with OpenVPN I think I can handle it, but the problem with multiWAN as far as I know has not been fixed yet.
  • A

    Sonos, Heos, Chromecast on subnet

    1
    0 Votes
    1 Posts
    785 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.