Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmatt
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or at least something different than the public domain you're using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is to change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud.

    This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with fewer words. You otherwise were directing OP in the right direction in my opinion.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARA
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with the Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, and it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log. I tried launching it manually:

        # /usr/local/bin/suricata -V

    or

        # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787

    and I get this output:

        ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"

    Thanks in advance, Dara
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far I have no issues. Terrible idea. Moving backwards in development history there.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypage
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the letsencrypt TXT DNS record update propagate. During these 5 minutes the acme-webgui times out, and when the acme-webgui times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.
  • Discussions about WireGuard

    715 Topics
    4k Posts
    @LaUs3r Yeah, I added those IPs, but after restarting pfSense, the WireGuard status says “handshake failed.” Also, when I do nslookup us-bos.prod.surfshark.com, I get two different sets of IPs. For example:
      • The first time I get 43.225.189.108 and 43.225.189.118
      • The next time I get 149.40.50.216 and 149.40.50.290
    So I was wondering, can I add both sets of IPs, put a “0” at the end of each, and use /24 for both IPs? I reached out to Surfshark support, and they sent me their official pfSense WireGuard setup guide (see the guide here). In the guide they mention 10.14.0.2 for static routes.
  • Oauth with Azure

    0 Votes
    1 Posts
    355 Views
    No one has replied
  • LLDP Page not accessible

    0 Votes
    3 Posts
    586 Views
    manjotsc
    @bingo600 I didn't notice another package for similar functionality. I switched to that. Thanks,
  • Free Radius with Wifi and CBA

    0 Votes
    1 Posts
    369 Views
    No one has replied
  • Trouble with unbound and telegraf

    0 Votes
    1 Posts
    491 Views
    No one has replied
  • snort - LEGACY MODE ?

    0 Votes
    6 Posts
    1k Views
    chudak
    @bmeeks Thx! Happy Holidays!
  • STunnel multiwan support?

    0 Votes
    1 Posts
    433 Views
    No one has replied
  • How do I install packages manually ?

    0 Votes
    4 Posts
    3k Views
    bmeeks
    @canernecocaner said in How do I install packages manually ?: @bmeeks Thank you very much for your answer. I understood the warnings and vulnerabilities. But I use pfsense for the hotspot (I'm recording local users' internet access). There is another firewall in front of the pfsense, for security purposes. The subject I still don't know is this: where, why can I download these packages (with additional shared libraries they are dependent on) from any windows computer and then transfer, install them to pfsense? Thanks

    You will need to locate a repository that keeps pre-compiled pkg format *.txz archives of the programs you want to install. That repository will also have to be the same FreeBSD version as your pfSense firewall. Currently the pfSense-2.4.5_p1 release is based on FreeBSD-11.3/STABLE. It may prove difficult to find an 11.3/STABLE public repository of compiled packages. You can use the built-in pfSense package repository as the pkg utility on the firewall is pre-configured to point there. However, that repository may not have all of the packages you want or need. That's because it is geared to supporting only what pfSense and its officially supported packages require.

    Another option is to create a FreeBSD-11.3/STABLE virtual machine, download and install the portsnap FreeBSD ports tree, and then compile the packages you need yourself into the required *.txz format for later transfer over to pfSense and then manual installation there. However, by the time you go to this much trouble you may as well just install the mysql DB server on that FreeBSD virtual machine (back to my original suggestion).

    This is "hard" because it is not a good thing to do, and few if any folks try it. Otherwise there would be a ton of "how-to" links on the web and everyone would have all kinds of other software applications running on their firewalls. I seriously doubt you will find an easy "click here, click there and presto it's done" way to do what you desire.

    Instead of trying to install all this on a pfSense machine, why not use the bare metal hardware running pfSense to run a hypervisor like Proxmox, ESXi, Hyper-V, etc.? Then on the hypervisor you can create a pfSense virtual machine for the Captive Portal function, then create a separate FreeBSD-11.3/RELEASE virtual machine and install the mysql stuff there. Easy-peasy to do that without needing to transfer files around, compile packages yourself, or try to find a compatible public repository of pre-compiled packages.
  • FreeRadius and DNS Attribute

    0 Votes
    1 Posts
    403 Views
    No one has replied
  • Is HaProxy vulnerable to CVE 2007-6750 ?

    0 Votes
    3 Posts
    813 Views
    manjotsc
    @kiokoman Thanks for clarifying
  • Squid keeps switching to require sign in for wifi network

    0 Votes
    1 Posts
    402 Views
    No one has replied
  • System Patches Fail to Install

    0 Votes
    10 Posts
    757 Views
    Rico
    For a Firewall 8G is a LOT in 98% use cases. ;-) -Rico
  • FreeRADIUS OVPN GAUTH

    1 Votes
    6 Posts
    2k Views
    While looking for a solution to this, I saw that it is now possible to set the OTP Label by adding a Description in the Users Edit page: [image] I'm using pfSense 2.4.5-RELEASE-p1 and freeradius3 0.15.7_20. Requested in Issue: https://redmine.pfsense.org/issues/8878 Corresponding Pull Request: https://github.com/pfsense/FreeBSD-ports/pull/779
  • SQUID is installed but not started. Not installing "filter" rules

    0 Votes
    3 Posts
    7k Views
    Solution: Services > Squid Proxy Server > SSL/MITM Mode: Splice All. Splice All: This configuration is suitable if you want to use the SquidGuard package for web filtering. All destinations will be spliced. SquidGuard can do its job of denying or allowing destinations according to its rules, as it does with HTTP. You do not need to install the CA certificate configured below on clients. Content filtering (such as Antivirus) will not be available for SSL sites.
  • 2.4.5_1 PHP Error installing HAProxy

    php error haproxy package install
    0 Votes
    8 Posts
    2k Views
    @piba said in 2.4.5_1 PHP Error installing HAProxy:

        unset($config['installedpackages']['haproxy']);
        write_config("fix haproxy install, remove empty config");
        print("config fixed?");

    By Jove Sir, I think you got it. I was able to install HaProxy.
  • AWS ssm agent for pfsense

    0 Votes
    3 Posts
    2k Views
    @bauerfyr to automate starting the service, create a wrapper file and place it in /usr/local/etc/rc.d, and you MUST have an extension of .sh, and it'll run. My file is "amazon-ssm-agent-wrapper.sh" and the contents are:

        #!/bin/sh
        # resolve the directory this wrapper lives in, so the agent binary is found next to it
        DIR="$( cd "$( dirname "$0" )" && pwd )"
        sh "$DIR/amazon-ssm-agent" onestart

    For the LOGGING of ssm agent to cloudwatch (if you are interested) you have to take the wayback machine b/c the ssm agent 2.3.x is so ancient. Go to /usr/local/etc/amazon/ssm, create a new file (start fresh) called seelog.xml (you'll see templates there), sample below. I wanted to split into two separate log files, but it doesn't look possible.

        <!--amazon-ssm-agent uses seelog logging -->
        <!--Seelog has github wiki pages, which contain detailed how-tos references: https://github.com/cihub/seelog/wiki -->
        <!--Seelog examples can be found here: https://github.com/cihub/seelog-examples -->
        <!--References to mods: -->
        <!--How to add cloudwatch: https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-ssm-agent.html -->
        <!--For "deep" examples: https://github.com/cihub/seelog/wiki/Example-config -->
        <seelog type="adaptive" mininterval="2000000" maxinterval="100000000" critmsgcount="500" minlevel="info">
          <outputs formatid="fmtinfo">
            <console/>
            <!-- <file path="/var/log/amazon/ssm/amazon-ssm-agent.log"/> -->
            <rollingfile type="size" filename="/var/log/amazon/ssm/amazon-ssm-agent.log" maxsize="10000000" maxrolls="5"/>
            <filter levels="error,critical" formatid="fmterror">
              <rollingfile type="size" filename="/var/log/amazon/ssm/errors.log" maxsize="10000000" maxrolls="5"/>
              <!-- LINE BELOW DOESN'T WORK YET - it gets overwritten by next "cloudwatch_receiver stmt."-->
              <!-- <custom name="cloudwatch_receiver" data-log-group="ssm-agent-errors"/> -->
            </filter>
            <!-- ENTER THE CLOUDWATCH LOG GROUP NAME AFTER 'data-log-group' -->
            <custom name="cloudwatch_receiver" formatid="fmtinfo" data-log-group="ssm-agent-log"/>
          </outputs>
          <formats>
            <format id="fmterror" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
            <format id="fmtdebug" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
            <format id="fmtinfo" format="%Date %Time %LEVEL %Msg%n"/>
          </formats>
        </seelog>
  • HAproxy config for Rancher

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Bind - Setup pfSense as slave DNS server

    bind dns
    0 Votes
    21 Posts
    7k Views
    johnpoz
    @gertjan said in Bind - Setup pfSense as slave DNS server: your DNS zone has to be fully IPv6 and IPv4 Don't agree with this.. While sure if you have IPv6 then yeah be nice to do that.. But it sure doesn't have to do anything IPv6.. And while I agree you should do dnssec - again not a requirement.. You do not have to setup dnssec - and people using dnssec will still resolve you. Unless you try to setup dnssec and you mess it up.. Then yeah if your dnssec fails you won't resolve. He is trying to show you that yes it gets complicated very quickly.. But when it comes down to setting up a slave: you tell your master what IPs your slaves are, and you setup the zones on your slave and tell them the IP of the master. But he makes a good point about your PTR.. Can you even set that for either of your NSers' IPs? That really should be set.. Is where you're running pfsense even a static IP? What are you going to do if someone attacks your dns? What are you going to do if someone tries to use your NSers for an amplification attack and you didn't secure for that? What you're using for NS should not be recursive.. An authoritative NS should not do queries for other clients. They only should answer for the domains they are authoritative for..
  • Freeradius LDAP auth problem

    0 Votes
    3 Posts
    636 Views
    viktor_g
    @legtpa what kind of modifications? maybe new WebGUI checkboxes needed? You can create a feature request: https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html
  • HAProxy Caused Total Network Outage - Dissecting What Went Wrong

    0 Votes
    1 Posts
    290 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.