Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    doh_rfc8484 How are you populating this ACL? Is it comprised of both IPs and domain names?
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    J
    @SteveITS I'm not a bug hunter but I wanted to report some findings which might help with troubleshooting this issue. I have two 6100s [26.03-RELEASE] - one with a single WAN Legacy interface in Suricata, the other with two WAN Legacy interfaces in Suricata. On the assumption that perhaps it might have been a misconfiguration issue during my recent package upgrade, and not finding any direction on how to downgrade, I decided to try directly altering the two instances of "7.0.8_13" back to "7.0.8_8" in the /cf/conf/config.xml file and then immediately reinstalling the package under the normal package manager. This of course still results in the "7.0.8_13" version, but I thought it might find and address additional configuration issues. The result was that the configuration for the single WAN interface was completely lost and had to be rebuilt from scratch, whilst the firewall with two Suricata WAN interface configurations survived but both interfaces needed to be manually restarted (they did not come back online automatically). After rebuilding the single interface and restarting the two interfaces, both had no issues with opening and displaying the BLOCKS page (without using the patch). Whilst I have no idea why it worked, I thought it might help some people out there.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    579 Topics
    3k Posts
    dennypageD
    @hulleyrob said in Ntopng changing live traffic list from 10 to 20 crashed 6100 Max: Is Ntopng just that dangerous to leave running or is there something else going on? While I do not generally recommend running ntopng on a continuous basis, doing so should not cause pfSense itself to become unresponsive. Although ntopng is a rather large and busy program, it runs in user space rather than kernel space and as such should not be able to crash the kernel. You may have an underlying system problem. If it happens again, my recommendation would be to connect to the console and see what you can discover.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    LaxarusL
    It appears that just adding "application/octet-stream" does not fix the issue unless I manually unzip the file. top-1m.csv should be present in /var/db/pfblockerng. Just updated to the devel v3.2.16 and this issue is still present. @BBcan177 any ideas for a permanent fix?
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    106 Topics
    3k Posts
    N
    @dennypage said in UPS ups on battery - appers often now: I have no idea. The information that has been provided is insufficient for me to offer any conclusion. Fair enough - I am going to get rid of the UPS and buy a power station with UPS functionality.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    518 Topics
    3k Posts
    GertjanG
    @zimnysbrain The bad news: setting up acme.sh with the correct settings is close to rocket science. And the good news: the pfSense acme.sh package is used daily by thousands. If it didn't work, people wouldn't have their certificates, and then things would go bad very fast. Have a look for yourself here: did you see someone mentioning something? I have many domain names with OVH (EU), so I decided to ask for a certificate for a domain name "test.test-domaine.fr" - I do own => rent "test-domaine.fr" from OVH. First, after reading the official OVH acme.sh notice: https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api#3-authentication-the-api-key I quickly created/found the 3 things needed, and I hit 'Issue'. As I'm a bit more stupid than average today, I totally forgot that, although I rent the domain name 'test-domaine.fr' from them, I removed all the extras, like: they don't do my DNS, I do my own DNS. Which means I have to talk/negotiate with my own domain name server, not OVH... So the issuing failed with an "invalid domain", which I should read as: "domain ok - but can't do DNS zone modification for you". So it couldn't add the TXT challenge, etc. But: no authorization issues. Btw: the DNS-OVH API script, the official source file here, was last modified 6 months ago. The pfSense version was synced like yesterday - pfSense acme.sh package version 1.2. I presume you use the same version. Do you mind telling what your issue is, giving details?
    With all the juicy details, and you can find them here: /tmp/acme/test-domaine.fr/acme_issuecert.log (where test-domaine.fr has to be changed to your domain name). @zimnysbrain said in NOT working with OVH end point since 2025: is also the answer NOT updated OVH api which changed from the beginning of 2026 I copied this file, the original dns_ovh.sh, on my pfSense, in the /root/ folder. Then:
    [26.03-RELEASE][root@pfSense.bhf.tld]/root: ll dns_ovh.sh
    -rw-r--r-- 1 root wheel 8324 Apr 15 13:15 dns_ovh.sh
    [26.03-RELEASE][root@pfSense.bhf.tld]/root: ll /usr/local/pkg/acme/dnsapi/dns_ovh.sh
    -r-xr-xr-x 1 root wheel 8324 Apr 13 15:48 /usr/local/pkg/acme/dnsapi/dns_ovh.sh*
    [26.03-RELEASE][root@pfSense.bhf.tld]/root: diff dns_ovh.sh /usr/local/pkg/acme/dnsapi/dns_ovh.sh
    [26.03-RELEASE][root@pfSense.bhf.tld]/root:
    Conclusion: the pfSense acme.sh package contains the latest, identical 'official' "dns_ovh.sh" file. Also: in the past, when things were 'manual', I could use the instructions and get a certificate 'by hand' == using the command line. acme.sh is a command line tool after all. Go to /usr/local/pkg/acme/ and start from there. That should work, and I have an indirect proof: if it didn't, you would have found others here talking about it.
  • Discussions about the FRR Dynamic Routing package on pfSense

    299 Topics
    1k Posts
    N
    @Schannes said in PfSense UI Not Updating frr.conf: I had the same problem. I was able to solve the problem, with clearing the "SAVED frr.conf" field under Services --> FRR --> Global Settings --> Raw Config. After clearing the field, it was possible again, to use the GUI to configure frr. I really want to stress that this is the ONLY feasible way to get the frr config and web GUI to work again. And while we are at it I would like to request an addition to the frr ospf menus. What is needed is to produce the line in bold:
    interface tun_wg0
     ip ospf network point-to-multipoint non-broadcast
     ip ospf area 0
    This is supported by frr (tested in 25.11.1 and 26.03rc) and is required for OSPF over WireGuard tunnels on a single spoke, for hub and spoke setups. You also need to specify the neighbor by IP. The reason is that OSPF wants multicast (and works if you add 224.0.0.0/4) on the hub, BUT it will only work for the last spoke, since this is how WireGuard operates. The setting above solves it, but since it is not on the menu, you need to change it by hand, which then gets the configuration out of sync, and one has to do the chores described above to get it to sync, and THEN change the line to "ip ospf network point-to-multipoint non-broadcast". Hell breaks loose!! ps. I would opt for BGP instead of OSPF for WireGuard tunnels, but this will be another thread!
  • Discussions about the Tailscale package

    98 Topics
    758 Posts
    keyserK
    I have yet to start testing but as far as I can tell pfSense and Tailscale are not properly integrated to a level where you can assign the Tailscale interface in pfSense and start doing port forwards and what not from the tail IP. Apparently pfSense won't boot and starts displaying the interface assignment CLI option because Tailscale is not present at boot. I assume this is because Tailscale is running as a user level service, and is not started/present at kernel interface assignment time. Since Tailscale is using WireGuard "underneath" one could hope this could be brought to work, but that is probably altogether different code. Is there no option to allow pfSense to start the Tailscale service/interface before it continues assigning interfaces? Tailscale would be an enormously useful package if the interface could be assigned and serviced/routed like any other site-to-site VPN.
  • Discussions about WireGuard

    738 Topics
    4k Posts
    Bob.DigB
    @pfSense_fireball said in Found an amazing tool for exporting WireGuard peers! (No more struggling): I actually made an account just to post it here. There is no doubt about that.
  • Snort block notifications script (third party script)

    11
    0 Votes
    11 Posts
    9k Views
    NogBadTheBadN
    @sikita This is what I use for suricata, you may be able to tweak it a bit:-
    grep ^`date -v-1d "+%m/%d/%Y"` /var/log/suricata/suricata_igb0*/alerts.log | awk -v OFS='\t' -F "\[\\*\\*\]" '{a[$3]++;} END {for(i in a) print a[i],i}' | sed 's/]//g' | sed 's/\[//g' | sort -r ; echo
    grep ^`date -v-1d "+%m/%d/%Y"` /var/log/suricata/suricata_igb0*/alerts.log ; echo
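    The one-liner in the reply above counts yesterday's alerts per signature by splitting on the "*" characters of the "[**]" markers. As an added example (not part of that post, and not pfSense or Suricata project code), the Python below parses Suricata fast-format alert lines explicitly, counts them per signature and per source address for a chosen day, and derives the "yesterday" string the same way `date -v-1d "+%m/%d/%Y"` does. The lines in SAMPLE_LOG are constructed for this example; the field layout assumes the standard fast.log format with IPv4 endpoints, and the alerts.log path in the trailing comment is the one the post uses.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One Suricata "fast" alert line. Layout assumed from the standard fast.log format:
#   MM/DD/YYYY-HH:MM:SS.us  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<day>\d{2}/\d{2}/\d{4})-(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample data (not from a real firewall); the last line is deliberately not an alert.
SAMPLE_LOG = """\
03/25/2025-09:12:01.000123  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:49152
03/25/2025-09:13:44.220000  [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.10:50001
03/25/2025-10:01:09.010000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.11:49200
03/26/2025-08:00:00.000000  [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.10:50002
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return the fields of one fast-format alert line as a dict, or None for anything else."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec["priority"])
    return rec


def signature_label(rec):
    """'[gid:sid:rev] msg', the same text the awk/sed pipeline ends up printing."""
    return f"[{rec['gid']}:{rec['sid']}:{rec['rev']}] {rec['msg']}"


def host_of(endpoint):
    """Strip the port from an 'addr:port' endpoint (IPv4 assumed, as in the sample)."""
    return endpoint.rsplit(":", 1)[0]


def previous_day(day):
    """'03/26/2025' -> '03/25/2025': the arithmetic behind `date -v-1d "+%m/%d/%Y"`."""
    return (datetime.strptime(day, "%m/%d/%Y") - timedelta(days=1)).strftime("%m/%d/%Y")


def alerts_on(lines, day):
    """Yield parsed alerts whose date field equals `day`; non-alert lines are ignored."""
    for line in lines:
        rec = parse_alert(line)
        if rec is not None and rec["day"] == day:
            yield rec


def count_by_signature(lines, day):
    """Sorted (signature, count) pairs for one day, busiest first, ties by signature text."""
    counts = Counter(signature_label(r) for r in alerts_on(lines, day))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def count_by_source(lines, day):
    """Counter of alerting source addresses for one day."""
    return Counter(host_of(r["src"]) for r in alerts_on(lines, day))


def daily_report(lines, day):
    """Plain-text report suitable for the body of a notification mail."""
    out = [f"Suricata alerts for {day}"]
    for sig, n in count_by_signature(lines, day):
        out.append(f"{n:>6}\t{sig}")
    out.append("top sources:")
    for ip, n in count_by_source(lines, day).most_common(5):
        out.append(f"{n:>6}\t{ip}")
    return "\n".join(out)


if __name__ == "__main__":
    # On the firewall, read /var/log/suricata/suricata_igb0*/alerts.log (path from the post) and
    # pass previous_day(datetime.now().strftime("%m/%d/%Y")); here the constructed sample is used.
    print(daily_report(SAMPLE_LOG.splitlines(), "03/25/2025"))
```

    The regex rejects lines that do not carry the full "[**] ... [**]" framing, so a truncated or concatenated line cannot be miscounted as a signature, which is the failure mode the single-character split in the one-liner cannot detect.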
  • Bind Update from 9.17 to 9.20

    2
    0 Votes
    2 Posts
    2k Views
    patient0P
    @jeffry-maynard bind 9.20 is in pfSense+ 25.03-BETA.
  • HAProxy - Include subdirectories in the HTTP Redirect

    10
    1
    0 Votes
    10 Posts
    2k Views
    F
    @ColdBrew @viragomann @johnpoz This is an interesting discussion, and I've run into similar issues with HAProxy and subdirectory redirection. From what I understand, HAProxy should pass the entire path (including subdirectories) to the backend by default, as long as the backend is properly configured to handle those requests. A few things to check:
    Backend Configuration: Ensure the backend server (IIS in your case) is correctly set up to handle requests for the subdirectories. Sometimes, the issue might be with the backend's routing or permissions.
    HAProxy Logs: Check the HAProxy logs to see if the requests are being forwarded correctly. If the logs show the requests reaching HAProxy but not the backend, it might be a routing or firewall issue.
    Firewall Rules: Double-check your pfSense firewall rules to ensure traffic on port 80 (or any custom port) is allowed to pass through to the backend server.
    If everything seems correct but it's still timing out, you might want to test with a simpler backend (like a basic HTTP server) to rule out any IIS-specific issues. Let us know how it goes!
  • Email Reports PHP warning -> report not created

    10
    0 Votes
    10 Posts
    2k Views
    AMG A35A
    @patient0 Upgraded to 24.11 yesterday and had the same problem; your change to /usr/local/www/status_mail_report_edit.php fixed it. Thank you!!!!!!!!!
  • Crowdsec finally comming to pfSense

    68
    2 Votes
    68 Posts
    27k Views
    Sergei_ShablovskyS
    @provels said in Crowdsec finally comming to pfSense: Have there been any more thoughts about including Crowdsec as an official pfSsense package? Upvoting this!
  • BIND Package and RFC 2317 Classless IN-ADDR.ARPA delegation

    1
    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
  • Prometheus node_exporter - does not show up in Grafana

    1
    0 Votes
    1 Posts
    455 Views
    No one has replied
  • zabbix connection failures

    2
    1
    0 Votes
    2 Posts
    779 Views
    A
    @isaaclondo09 SSH into your pfSense box and run this command:
    /usr/local/sbin/zabbix_agentd -f
    That will show any early output and the cause of the failure to start. Usually it will be a parameter error. What is the IP of your Zabbix server? It looks like the agent's ServerActive parameter is set to 192.168.13.148 for active checks but the server is rejecting the connection. Passive checks (from the server) are coming from 192.168.13.109 but the agent is rejecting them because the Server parameter is set to 192.168.13.190.
  • How to run zenarmor locally in Pfsense?

    2
    0 Votes
    2 Posts
    935 Views
    M
    @enesas Follow up with the Zenarmor team on an official pfSense package. https://www.zenarmor.com/contact
  • [solved] FreeRADIUS 3.x package LDAP/OTP problem

    6
    0 Votes
    6 Posts
    3k Views
    W
    @lawern Good to hear :) I think I also updated it once or twice to be compatible, but we used it until we replaced the gateway. Until then I think there was no easy alternative to this.
  • Telegraf Package needs an update

    1
    2
    0 Votes
    1 Posts
    263 Views
    No one has replied
  • Email Reports WebGUI crashes February 2025

    5
    0 Votes
    5 Posts
    851 Views
    GertjanG
    @mtarbox said in Email Reports WebGUI crashes February 2025: https://github.com/pfsense/FreeBSD-ports/commit/c49098e2900a9211de44dc0b9937235ce9d638a2.diff Ah, ok, the pfSense-pkg-mailreport package. Packages make less use, or AFAIK no use, of the patches system. If a patch exists for them, the package is rebuilt and you are offered the update.
  • Using stunnel with Google LDAP

    solved
    3
    0 Votes
    3 Posts
    1k Views
    R
    After clearing the Protocol field in stunnel config, which I had originally set to ldap, saving the change, and restarting stunnel service, executing a connection test from the Toshiba MFD was successful. And after adding the Google Workspace server entry in the Toshiba MFD LDAP Client settings as a directory/service option (click Server Assignment button, also in MFD LDAP Client settings), Google Workspace directory searches from the Toshiba MFD are working as expected.
  • How to block specific webpage and not a all website

    7
    0 Votes
    7 Posts
    2k Views
    GertjanG
    @KelvinU said in How to block specific webpage and not a all website: sounds NL, right? Born over there, exactly. Living in France for the last 3 decades. @KelvinU said in How to block specific webpage and not a all website: though it came somewhat pretentious, right?! What makes you assume I'm a newbie? Lol, you first: what makes you presume that I assume you are a newbie? But I get your point ^^ It's true, I am, and I was pushing a bit. My point of view: About the proxy solution: me talking about planes was just a very accessible way to make you understand what the (imho) real question is. A lot of people fly planes. It's feasible. It just needs a lot of work. It's just that you were asking about why "/this/" isn't accessible to pfSense and/or anything else other than your browser and the web server on the other side. So I kicked off my way of saying: go have a look. I could have finished the question with one question back: do you know what https is? (I sometimes do - as this is not a ). And I'm hoping I woke up your curiosity, that you dive into it, and then come back here and tell us how you did it. Because I'm still waiting, as I never had the patience and/or time to use a proxy setup myself. Also, I don't have the age nor the young kids at home that would motivate me to be able to see my own traffic, let alone the traffic of other people. That makes me feel very uncomfortable. @KelvinU said in How to block specific webpage and not a all website: and I've learned that we should never say, "No one. Not pfSense. Nobody. Not on planet Earth." and I fully agree with you. And we also enter into "computer politics" now. So no more black and white, all suddenly becomes 'gray'. And it always was. If TLS (real time) decoding was possible while the private key is unknown, this would mean "someone" could listen in to your TLS connections at any time. I get it, it's the role of every big (governmental?!) organization to let us know, the big public, that it's a scandal according to them, that they can't do their job right (protecting all of us, the big public), that they can't access your phone's traffic, can't see what you are saying (writing) to someone else, as national security is at stake here. So they say your traffic is hidden and that's a problem for them - and so for us. edit: still looking for the country where the usage of TLS or comparable is forbidden by law ^^ And at the same time, somewhere hidden, down deep in Area 51, they have this quantum computer that can already tap into everything using, probably, a back door key? Maybe. And of course they won't tell anyone that they actually can. I get that (except for TikTok of course). Let's give the public the impression they are safe, so they will "speak" freely, not knowing that someone listens in after all. If that capability was known, then the Internet as a communication method would fall... the world economy would fall. But real-time brute-forcing their way in? Well... do the math yourself ^^ Keep in mind: most of what I said above is "afaik" and "imho". @KelvinU said in How to block specific webpage and not a all website: I know a ton of GertJan Oula... why even bother posting here - come and see me!? As I have questions also, and not only about pfSense.
  • Zabbix Proxy on 2.7.3

    7
    1 Votes
    7 Posts
    4k Views
    steve.scotterS
    I've been forced to upgrade to Zabbix 7.0 due to the previous LTS version 6.0 going EOL on February 28, 2025. (https://www.zabbix.com/life_cycle_and_release_policy) The Zabbix Proxies I have are also 6.0 LTS and I've just discovered there is no 7.0 package. I'm also seeing a lot of the following messages in my zabbix logs...
    9868:20250208:120811.048 Proxy "FW-1" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9861:20250208:120811.086 Proxy "FW-2" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9868:20250208:120811.269 Proxy "FW-3" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9868:20250208:120811.366 Proxy "FW-4" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9861:20250208:120811.393 Proxy "FW-5" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9861:20250208:120811.403 Proxy "FW-6" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9861:20250208:120811.436 Proxy "FW-7" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9868:20250208:120811.489 Proxy "FW-8" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9866:20250208:120811.644 Proxy "FW-9" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9866:20250208:120811.700 Proxy "FW-10" version 6.0.27 is outdated, only data collection and remote execution is available with server version 7.0.9.
    9868:20250208:120811.911 Proxy "FW-11" version 6.0.22 is outdated, only data collection and remote execution is available with server version 7.0.9.
    So I'm basically stuck. Rolling my Zabbix server back isn't an option due to EOL/compliance issues. And I seem unable to install the Zabbix 7 agent or proxy on pfSense. It seems as though the pfSense Community Edition is dead?
  • Do I Need to Revert Patches Before Upgrading pfSense?

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG
    @leeroy said in Do I Need to Revert Patches Before Upgrading pfSense?: We don't have any custom packages Make: [image: 1738773582966-61aef0a2-815f-46fa-b99f-95174dc0a65f-image.png] an exception. It's made by Netgate, for pfSense. Even if you don't think you need it, you need it. Probably because Netgate knows more about pfSense than we do.
  • Packages showing as up to date - they are not. 2.7.2

    6
    0 Votes
    6 Posts
    1k Views
    SteveITSS
    @iStuart said in Packages showing as up to date - they are not. 2.7.2: link that states what the latest version is? I don't think so. Usually it's discussed in the forum category here. There is https://www.patreon.com/pfBlockerNG but it isn't always posted there I think. Also https://www.reddit.com/r/pfBlockerNG/.
  • cron package lead to boot issue

    3
    0 Votes
    3 Posts
    529 Views
    M
    I'm not seeing how the errors would trigger via the GUI - was the config.xml file manually modified?
  • Suricata fails install

    9
    0 Votes
    9 Posts
    2k Views
    bmeeksB
    @TravisH said in Suricata fails install: @bmeeks That gave me the same errors, I might try a fresh install just to see if it has something else going on. Cheers I don't have any other suggestions, then. Those error messages appear to definitely originate from the pkg utility itself as it is creating the directories and copying the Suricata install files to the correct locations. The Suricata package is not even "alive" at that point (since it is in the process of being installed by the pkg utility). Have you monkeyed with any user permissions on the firewall? Can you remove and then successfully reinstall another package? What about trying to reinstall Snort again? What kind of hardware do you have? Is it something with an eMMC disk? Perhaps it has gone into "read only" mode ???
  • haproxy does not start when pfsense start

    1
    0 Votes
    1 Posts
    587 Views
    No one has replied
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.