1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    Squid can be configured externally, I would love a how to guide on how to do this correctly.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    D
    @BBcan177 Thank you for the kind reminder; I am so accustomed to ensuring Save Settings is checked that I didn't follow your instructions properly (thanks @tinfoilmatt for uploading and highlighting the screen shot). I've properly followed the instructions and the update did not report and db problems. Thank you again! drac

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    C
    @dennypage Nicely done sir!

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    GPz1100G
    @agitelzon I have no issue connecting to LE servers from pf shell. The issue is cloudflare security setting is configured as a whitelist for api zone record changes. The whitelist includes my ipv4 address only, as a /32. As I mentioned, I could add the ipv6 prefix as a /64. Given that pf is configured to prefer ipv4, I thought that would carry over to acme as well.

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    663 Posts
    C
    For what it’s worth, we may have had the same issue but for different reasons. I checked, and my system has the duplicate two files. Therefore, I asked Grok.ai about “/usr/local/etc/rc.d/pfsense_tailscaled enable /usr/local/etc/rc.d/tailscaled disable” versus the solution it had provided me yesterday. See the answer below. (Grok.ai used sources that included this Netgate forum, Lawrence Systems Forums – Networking & Firewalls, and https://forum.tailscale.com/.) The Two Service Files: Quick Breakdown Before diving into the relation, let’s clarify what those files are (based on standard pfSense Tailscale package behavior on 25.07.x/FreeBSD 15-CURRENT): • /usr/local/etc/rc.d/tailscaled: This is the generic FreeBSD/Tailscale rc.d script. It originates from the underlying tailscale package (the one you manually installed via' pkg add' for version 1.90.6). It’s a basic daemon starter/stopper that just runs /usr/local/bin/tailscaled without any pfSense-specific smarts (e.g., no auto-auth, no route advertising, no GUI integration). • /usr/local/etc/rc.d/pfsense_tailscaled: This is the pfSense-specific wrapper script. It’s installed by the official pfSense-pkg-Tailscale package. It wraps the generic tailscaled binary but adds pfSense magic: it reads your GUI config (auth key, advertised routes, exit node flags), writes them to /usr/local/etc/rc.conf.d/pfsense_tailscaled (e.g., pfsense_tailscaled_authkey="yourkey"), and handles the full tailscale up with flags on boot. It’s what makes the service “pfSense-aware.” In a stock official package install (without your manual binary upgrade), only pfsense_tailscaled exists and runs everything. When you force-installed the newer tailscale pkg on top, it added the generic tailscaled script as a side effect—but your fixed script (the one we pasted into /usr/local/etc/rc.d/tailscaled) overrode it to behave correctly.

  • Discussions about WireGuard

    716 Topics
    4k Posts
    chpalmerC
    @tinfoilmatt Thanks! I have done that and it worked when forcing just her TV out the Centurylink.. My problem is my local box here. Im missing something because I can not get it to pass traffic from the WAN to the Wireguard tunnel. Ive got some time today so will chip away on my lab setup to see if I can finally accomplish it here first.
Log in to post
Load new posts
  • L

    Squid Block log deleted or name changed

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    D
    Updated.
  • A

    Ntop filter out opt1 interface and settings

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • J

    Snort IP Block will not work with the latest 2.0 snapshots built on the 15th

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    If it's the amd64 snapshot from very late on the 15th ("Tue Feb 15 23:25:41 EST 2011") or and i386 snapshot from the 16th ("Wed Feb 16 02:41:43 EST 2011") it should be OK again.
  • K

    Squid Custom Rule refresh_pattern help needed

    Locked
    7
    0 Votes
    7 Posts
    17k Views
    K
    Sorry For late reply. These are my refresh pattern rules…. refresh_pattern -i .(gif|png|jpg|jpeg|ico) 43200 90% 129600 ignore-reload ignore-no-cache ignore-private; refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf) 43200 90% 432000 override-expire ignore-reload ignore-no-cache ignore-private; refresh_pattern -i .(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|jar) 43200 90% 129600 override-expire ignore-reload ignore-no-cache ignore-private; To avoid no-cache response from servers & increase hit rate. Note: "ignore-private" command may give a warning message as "WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP". I just Ignored it. refresh_pattern .dnl..geo.kaspersky.com/..(zip|avc|kdc) 2160 100% 10080 ignore-no-cache reload-into-ims; refresh_pattern ..avg.com/..(bin) 2160 100% 10080 ignore-no-cache reload-into-ims; refresh_pattern ..avast.com/..(vpu|vpaa) 2160 100% 10080 ignore-no-cache reload-into-ims; refresh_pattern ..kaspersky-labs.com/..(cab|zip|exe|msi|msp) 4320 100% 43200 ignore-no-cache reload-into-ims; refresh_pattern ..kaspersky.com/..(cab|zip|exe|msi|msp|avc) 2160 100% 10080 ignore-no-cache reload-into-ims; refresh_pattern ..nai.com/.*.(gem|zip|mcs) 2160 100% 10080 ignore-no-cache reload-into-ims; Anti virus update Cache Not so much luck Only 5% hit increased. Its only 3 days i am running my pfsense box. HOPE BETTER PERFORMANCE AFTER SOME DAYS. any suggestion is much appreciable. Thanks in advance.
  • M

    Squidguard deny report

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    D
    It is not envisaged.
  • M

    Log (not block) porn, time-wasting sites

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    R
    @hugo: @mellow-yellow: I need to log, not block porn, gambling, facebook, and related (i.e. "time-wasting sites" as our management calls them) websites. We want to know WHO (reverse IP is fine) is viewing them and WHEN (squid). We already have pfsense, squid, and lighttpd running. These forums seem to recommend openDns or squidguard. However those products, while excellent, appear to block, not simply log such sites. lighttpd is also excellent, but it returns too many websites, since we're not interested in employees' visiting our already approved sites, including gmail, yahoo, google, etc, which represent 95% or more of the traffic. In short, how can we simply log, not block, such sites? There are specific software applications that can do that… One of them is: MyPornBlocker. Which has many options and can log access to time wasting sites and even take screenshots. That site and software sounds like a scam site or something that are trying to sell useless software to a high price to protective parents and that tip is also useless because the topic is about a BSD firewall, not a Windows client. // rancor
  • A

    PhpSysInfo from WAN?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    A
    Any ideas? I still want to do this…
  • F

    What commands to use to properly stop/start freeswitch via Cron?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Q

    SquidGuard Blacklists

    Locked
    13
    0 Votes
    13 Posts
    7k Views
    Q
    Oh thanks. :) # Do not edit manually ! http_port 10.10.200.254:8080 icp_port 0 pid_filename /var/run/squid.pid cache_effective_user proxy cache_effective_group proxy error_directory /usr/local/etc/squid/errors/English icon_directory /usr/local/etc/squid/icons visible_hostname ffdfw002 cache_mgr ithelp@dontcare.com access_log /var/log/httpproxy/access.log cache_log /var/log/httpproxy/cache.log cache_store_log none logfile_rotate 8 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src  10.10.200.0/255.255.255.0 uri_whitespace strip cache_mem 512 MB maximum_object_size_in_memory 32 KB memory_replacement_policy lru cache_replacement_policy lru cache_dir aufs /var/squid/cache 2500 16 256 minimum_object_size 0 KB maximum_object_size 1024 KB offline_mode off cache_swap_low 90 cache_swap_high 95 # No redirector configured # Setup some default acls acl all src 0.0.0.0/0.0.0.0 acl localhost src 127.0.0.1/255.255.255.255 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 acl sslports port 443 563  acl manager proto cache_object acl purge method PURGE acl connect method CONNECT acl dynamic urlpath_regex cgi-bin \? acl allowed_subnets src 10.10.200.0/24 cache deny dynamic http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost request_body_max_size 0 KB reply_body_max_size 0 allow all delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow all # Setup allowed acls # Allow local network(s) on interface(s) http_access allow allowed_subnets http_access allow localnet # Custom options redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf redirector_bypass on redirect_children 3 # Default block all to be sure http_access deny all Thoughts?
  • J

    OSPF kills traffic

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    J
    Bump
  • O

    SQUID - Cache renew

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    _
    Your info is here: http://doc.pfsense.org/index.php/Squid_Package_Tuning You can find that infos for (not all pages/packages at the moment) by clicking at the blue help-point ahich is present on every page in the upper right white space near the page-name.
  • N

    Pfsense + squid + Windows

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    K
    I have been having the same problem. And was thinking of using a linux box in between to authenticate Squid users on pfsense. Did you find a better solution? Or did this work for you? Thanks
  • S

    Fatal error: Call to undefined function: str_split() in /usr/local/pkg/squidguar

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    What would you like me to do (?), without the following information: pfSense version; squidGuard version; full text of the error / screenshot.
  • N

    DenyHost

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    W
    Did you try checking /etc/hosts.allow? Here is a quote from: http://www.mail-archive.com/ossec-list@googlegroups.com/msg00939.html "Freebsd does not use /etc/hosts.deny but rather inserts all wrapper rules into /etc/hosts.allow." Also the formatting is ALL: XXX.XXX.XXX.XXX: deny @tracer: thanks for the file, this made my day. It seems to work now. Any idea where it creates the rules to block these IPs ?
  • W

    Squid different .confs on different NICs

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • C

    Error message on snort startup

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    C
    Hey Chris! Problem is that you need to enable the HTTP inspect preprocessor. To do that… Thanks - made the changes and still got some fatal errors on startup, but these were related to the snort rule files. Deleted one rule line in /usr/local/etc/snort/snort_31447_fxp0/rules/exploit.rules and around 6 in ..specific-threat.rules and everything now starts up without any errors. Can't say I completely know what i'm doing here, but all seems to work. It's my first introduction to FreeBSD and their seem to be a whole load of options in pfsense that I don't recognise at all, so will have to get FreeBSD installed on an old machine later in the year to see how all the bits fit together. Had an uptime almost since install, with constant memory usage, so no memory leaks and a very robust, fit and forget system thus far... Regards, Chris
  • T

    Snort blocks users connection to OpenVPN

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • I

    Snort

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    CrossEyeC
    @jamesdean: Im working on Snort 2.9.0.3 package for Pfsense 2.0. Please be patient. james Thanks a lot James, it is truly appreciated!! Gabriel
  • G

    Snort in Pfsense

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G
    http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764568353.html
  • N

    Proxy filter Log issue

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    http://forum.pfsense.org/index.php/topic,32994.0.html
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.