Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    Squid can be configured externally; I would love a how-to guide on how to do this correctly.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    BBcan177B
    @Draco try to go to the General tab; first ensure that the Keep Settings option is checked. Then uncheck Enable pfBlockerNG so that it's disabled. Hit Save. Force Update. Then re-enable pfBlockerNG and Force Update.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    C
    @dennypage Nicely done sir!
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    GPz1100G
    @agitelzon I have no issue connecting to LE servers from pf shell. The issue is cloudflare security setting is configured as a whitelist for api zone record changes. The whitelist includes my ipv4 address only, as a /32. As I mentioned, I could add the ipv6 prefix as a /64. Given that pf is configured to prefer ipv4, I thought that would carry over to acme as well.
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky, still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    657 Posts
    C
    @lbm_ I have the same problem: pfSense v25.07.1 on FreeBSD 15-Current, Netgate 6100. Could you let me know if you found a solution? I haven't. I have been updating Tailscale from Freshports while keeping the Tailscale package installed. I have recently read that this can cause problems with routes, interfaces, firewall rules, and others. I am leaning towards deleting the Tailscale package.
  • Discussions about WireGuard

    716 Topics
    4k Posts
    chpalmerC
    @tinfoilmatt Thanks! I have done that and it worked when forcing just her TV out the Centurylink. My problem is my local box here. I'm missing something because I cannot get it to pass traffic from the WAN to the Wireguard tunnel. I've got some time today so will chip away on my lab setup to see if I can finally accomplish it here first.
  • Perl libraries to manipulate config.xml file?

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    M
    Thank You very much everyone. I guess I'll write the perl modules myself.
  • Squidguard with autoupdate

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    D
    Autoupdate is not a simple archive copy/paste. Steps are needed to prepare the archive's catalog structure, and to check the config for correct blacklist names.
  • Thresholds tab in snort - suppress not stopping alerts

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    G
    Wow I feel like an idiot that I did not see that before. I guess I believed the drop down menus only had Default like my Home Net and external net has and ignored the rest while completely ignoring the fine text which is quite small on my laptop…. duuurr
  • Sort test program

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    G
    You can enable the scan category and use "NMAP -sS window 4096" from a remote computer.
  • Openbgpd status page

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    Yeah that status page needs a lot of help, takes way too long in such circumstances (mostly people use the command line bgpctl instead). It's on our radar to get fixed up sometime in the future. Patches welcome if you have ideas on how to make it more usable.
  • Little problem on Menu [snort]

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G
    There is also a URL error when traversing to the traffic shaper from snort, with the following resulting URL: http://192.168.153.1:8080/snort/firewall_shaper.php
  • OpenBGPD restart script error

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    _
    ok ;) I agree with you, this script may not be used to start bgpd :) As you wrote, "Though I never investigated this issue and can't say anything" more ;) I found that error while deep testing a BGP configuration for OpenVPN/Link failover with carp, where openvpn may be started before bgpd, so that the tap device did not exist before, and for some obscure reasons (yet) bgpd was not started at boot time. So, I tested a script that checks the existence of the bgpd socket to restart it. It is not a standard configuration (unsupported).
  • Internet -havp-squid-client

    Locked
    12
    0 Votes
    12 Posts
    10k Views
    Q
    @ColdFusion: I have squid/havp/squidguard and my config works this way. Try putting Havp in Transparent and Squid transparent unchecked. Havp… Transparent checked upstream proxy...lan IP:squid port.....example 192.168.1.1:3128 Havp proxy port 3121 enable x-forward...checked In squid: x forward unchecked disable Via unchecked transparent unchecked I have my configuration set up exactly like this, but it doesn't work…the IP address in the logs (and in the denied page), is the router's LAN address, and NOT the client PC.  What am I doing wrong?  Is there a bug?  Can someone shed some light on this?  Thanks!
  • Squid+lusca+CDN+delay pools (pfs 1.2.3) ?

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • [patched] Apache + mod_security + proxy

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    M
    Had to manually configure ProxyPass and ProxyPassReverse inside httpd.conf to get it working. Site Proxy | Site Name *Enter a short descriptive name for the site. (e.g. intranet) It's misleading, since what you enter there will go into httpd.conf; be aware it's not just a description. It will end up in the ProxyPassReverse! Will see for any other issues, maybe fix them if time permits … cheers.
  • Very urgent: Problem of updating of the SNORT rules

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    T
    Update to the latest snort, as you mentioned you are using snort-old. There was a lot of discussion on the old snort. Basically you updated to the latest rules based on the latest snort using an old snort version. See this as well as other threads. http://forum.pfsense.org/index.php/topic,23185.0.html
  • LightSquid only updates manually

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    J
    Here is the result of running pkg_info.

    $ pkg_info
    arc-5.21o_1             Create & extract files from DOS .ARC files
    arj-3.10.22_1           Open-source ARJ
    bandwidthd-2.0.1_1      Tracks bandwidth usage by IP address
    clamav-0.95.1           Command line virus scanner written entirely in C
    db41-4.1.25_4           The Berkeley DB package, revision 4.1
    gd-2.0.35,1             A graphics library for fast creation of images
    gdbm-1.8.3_3            The GNU database manager
    gettext-0.17_1          GNU gettext package
    grub-0.97_3             GRand Unified Bootloader
    havp-0.90               HTTP Antivirus Proxy
    jpeg-6b_4               IJG's jpeg compression utilities
    lha-1.14i_6             Archive files using LZSS and Huffman compression (.lzh file
    libdnet-1.11_2          A simple interface to low level networking routines
    libiconv-1.11_1         A character set conversion library
    lightsquid-1.7.1_1      A light and fast web based squid proxy traffic analyser
    lua-5.1.3_3             Small, compilable scripting language providing easy access
    mbmon-205_4             A tty motherboard monitor for LM78/79, W8378x, AS99127F, VT
    mysql-client-5.0.77     Multithreaded SQL database (client)
    mysql-client-5.1.44_1   Multithreaded SQL database (client)
    nano-2.0.9              Nano's ANOther editor, an enhanced free Pico clone
    openldap-client-2.4.10  Open source LDAP client implementation
    p5-GD-2.39              A perl5 interface to Gd Graphics Library version2
    packages                BSD Installer mega-package
    pcre-7.8                Perl Compatible Regular Expressions library
    pcre-8.00               Perl Compatible Regular Expressions library
    perl-5.10.1             Practical Extraction and Report Language
    perl-5.8.8_1            Practical Extraction and Report Language
    pkg-config-0.23_1       A utility to retrieve information about installed libraries
    sqlite3-3.6.10          An SQL database engine in a C library w/ Tcl wrapper
    squid-2.7.7             HTTP Caching Proxy
    squidGuard-1.3_1        A fast redirector for squid
    squid_radius_auth-1.10  RADIUS authenticator for squid proxy 2.5 and later
    unzoo-4.4_2             A zoo archive extractor
    vnstat-1.6_3            A console-based network traffic monitor

    That's interesting, I thought I had removed havp through the web interface.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Anyone interested in putting TCAR in Pfsense?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    It looks like that was written specifically for IPcop and uses its terminology and probably has specific requirements for that, and likely Linux-related conventions. pfSense uses FreeBSD, so it's unlikely that such a program would work properly without major work, if it can be done at all.
  • Squid Setup

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    L
    I am using 2.7.3 stable on Debian and 2.7.8 on pfSense. My ISP already allowed my IP address to bypass their proxy server. But I still want to redirect to my own proxy server. Thanks
  • Cannot open one Url only

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    If the site is hosted locally behind that same pfSense box, try checking the box in squid to bypass the proxy for RFC1918 networks.
  • Freeradius startup problem

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimpJ
    It's possible that this is falling victim to the same problem that several other packages have. On boot, they try to start up multiple times. First, they sync their settings and write out an rc script, and then start themselves. Then later in the boot process, the rc scripts get executed, starting them again. If you have a dynamic WAN (DHCP, PPPoE) sometimes it can happen one more time as the new IP will trigger another package sync. The package maintainer may need to add some more logic to handle this kind of situation.
  • Snort Help

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    G
    I used my own suggestion and googled this page for you since you were lacking the necessary skills to do so yourself http://forum.pfsense.org/index.php?topic=18926.0;prev_next=prev
  • Snort will not unblock a whitelisted IP

    Locked
    17
    0 Votes
    17 Posts
    16k Views
    G
    Reading another thread (spp_frag3) is a snort preprocessor error. Not sure how to fix it other than to suggest you turn on all the preprocessors to see if that fixes it. As far as whitelisting goes you need to find the offending rule that is blocking the address and create a suppress rule for it in the tab. I "believe" I got it to work by using this syntax. suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.225.24 I tried to get one rule to handle the same sig i.e. suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.222.14 suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.212.10 Edit: This doesn't work. I will try restarting the router and see if anything changes. It is still blocking a category I have recently unchecked. But I was not able to get it to work as above. Haven't had the time to test using a , or ; to separate due to time constraints.
  • Snort Memory Setting

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    G
    I second that AC-BNFA is the only usable setting for most systems. (My inner geek would love to see a system that handles AC with moderate traffic.) My system has 2GB RAM with 3 interfaces running at this setting @ 23% memory usage with low traffic. It is also wise to choose only the categories that are necessary for that particular interface; not all categories need to be checked. Use only what you need, otherwise you will be wasting CPU time and memory for nothing.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.