Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    A
    Docker image for squid 7.3 and above https://hub.docker.com/r/fredbcode/squid If pfsense does not push the update.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARA
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with the Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops back to red once I press the Play button on the interface. It leaves no logs in the System logs, and no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log. I tried launching it manually:
    # /usr/local/bin/suricata -V
    or
    # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787
    and I get this output:
    ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"
    Thanks in advance, Dara
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @vicking said in No blocks on IP:
    Is it a bad idea to have the action set to deny both instead of inbound only?
    Question is squarely for admin. Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions:
    'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
    Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list.
    Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. One-way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction.
    In other words: When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However, a LAN host can still establish state to an otherwise listed IP. If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However, an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state. If set to "Deny Both", both incoming connection requests and outbound connection requests are blocked and therefore no state will be created regardless of connection direction.
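The three actions described above, written out as pf rules. This is an added illustration, not the rules pfBlockerNG actually generates; `em0` as WAN, `em1` as LAN and the alias name `pfB_Example_v4` are assumptions. pf consults the state table before the ruleset, which is why a session opened from the permitted side keeps working under the one-way variants:

```pf
# Illustrative pf rules for one pfBlockerNG list alias <pfB_Example_v4>.
# pfSense evaluates rules on the interface where a packet enters, so the
# "outbound" block is an 'in' rule on the LAN-side interface (em1, assumed).

# Deny Inbound: new sessions arriving on WAN from a listed source are dropped.
# A LAN host can still open a session to a listed IP; the replies match the
# existing state entry, which pf checks before it reaches this rule.
block in quick on em0 from <pfB_Example_v4> to any label "pfB Deny Inbound"

# Deny Outbound: new sessions from LAN hosts towards a listed IP are dropped.
# A listed IP can still reach a port that a WAN 'pass' rule opens.
block in quick on em1 from any to <pfB_Example_v4> label "pfB Deny Outbound"

# Deny Both: both rules, so no state is created in either direction.
block in quick on em0 from <pfB_Example_v4> to any label "pfB Deny Both"
block in quick on em1 from any to <pfB_Example_v4> label "pfB Deny Both"
```

To check what a running box actually has, `pfctl -sr | grep pfB` lists the generated rules with their interface and direction, and `pfctl -ss | grep <ip>` confirms whether any state exists for an address that should be fully denied.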
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    C
    @dennypage Nicely done sir!
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the ACME web GUI times out, and when the ACME web GUI times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.
  • Discussions about WireGuard

    715 Topics
    4k Posts
    patient0
    @andresbraga if you still have the firewall rules as you posted, then I don't know why from the laptop you can't ping the pfSense WireGuard address 10.10.6.1 nor the pfSense gateway 10.10.1.1. What is the routing table of the laptop? And I would run a packet capture on pfSense and check what you see when you run the ping to 10.10.1.1 or 10.10.6.1.
  • SG-1100 with AVAHI - Issues with Samsung SmartThings?

    0 Votes
    4 Posts
    743 Views
    P
    Well, I realized after typing it was probably a better idea if I had placed the question on the Avahi Forum. @tman222 , thanks for the input. As it turns out just as I was diving in to try to tackle the issue, a day after I posted it, it all started working with no additional changes...
  • Changing FreeRadius Framed-MTU Attribute

    0 Votes
    2 Posts
    1k Views
    T
    Hi all - just thought I would follow up and bump this to the top to see if anyone had any idea where in the FreeRadius package configuration I would need to make an adjustment for the Framed-MTU attribute. Thanks again for your help, I really appreciate it.
  • Beginner SG-1100 - Available packages null or fail to install Avahi

    0 Votes
    10 Posts
    2k Views
    chrismacmahon
    We were a bit late on twitter, we don't do RSS feeds, nor really have much on our blog for service issues. We are hoping the delay on twitter has been corrected.
  • Abandoned packages

    0 Votes
    2 Posts
    739 Views
    Grimson
    https://www.netgate.com/docs/pfsense/development/submitting-a-pull-request-via-github.html start from there.
  • Block downloads based on file extension

    0 Votes
    4 Posts
    4k Views
    C
    @cheonne not working for me
  • workaround for bug in tinc package

    1 Votes
    4 Posts
    1k Views
    B
    with the result that the OS seemed to totally mess up the interface names.
    $ ifconfig -l
    [...] tnc0
    $ ifconfig tnc0
    ifconfig: interface tnc0 does not exist
    $ ifconfig
    (considered as spam by akismet)
    For some strange reason ifconfig does not show an interface name in front of the colon. It then occurred to me that maybe a bloody carriage return character is involved. And indeed:
    $ ifconfig `printf "tnc0\r"`
    (considered as spam by akismet)
    [...]
    The reason for the \r was this one...
    $ file /usr/local/etc/tinc/tinc-up
    /usr/local/etc/tinc/tinc-up: ASCII text, with CRLF, LF line terminators
    while the default tinc-up script (when the text field is left empty) is
    /usr/local/etc/tinc/tinc-up: ASCII text
    This is the actual problem that caused all the trouble and that definitely needs to be fixed in the tinc package for pfSense. As a workaround I added comment signs # at the end of each line, so the \r character is not appended to the interface name, e.g.
    ifconfig $INTERFACE name tnc0 #
    After a reboot the interface was finally named correctly; however, after adding the "tnc0" interface in the web interface the next boot hung with
    Warning: Configuration references interfaces that do not exist: tnc0
    and the interfaces have to be manually reassigned first. I then finally noticed that renaming the interface isn't actually necessary and the problem was that the \r was also appended to the group name, i.e. "pkg_tinc\r". My final working tinc-up script thus reads
    ifconfig $INTERFACE 192.168.21.7 netmask 255.255.255.255 #
    ifconfig $INTERFACE group pkg_tinc #
    route add -host 192.168.21.7 -interface $INTERFACE #
    route add -net 192.168.18.0/24 192.168.21.7 #
    (sorry for the partial postings, but as a single post it was considered as spam by stupid "akismet")
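The CRLF failure above, reproduced and fixed in a small POSIX sh script. This is an added example, not code from the tinc package or from the post: the tinc-up content is a constructed copy written to a temporary directory, and `strip_crlf` (removing the CR bytes) is shown as the alternative to the trailing-`#` workaround, which only hides the `\r` inside a comment.

```sh
#!/bin/sh
# Added example: show how a CRLF-terminated tinc-up line smuggles a CR byte
# into the last shell word (the interface or group name), then detect and
# strip it. Nothing here touches a real tinc installation.
set -u

# Return 0 (true) if the file contains at least one CR (\r) byte.
has_crlf() {
    cr=$(printf '\r')           # a literal CR character, POSIX-portable
    grep -q "$cr" "$1"
}

# Write a copy of $1 to $2 with every CR byte removed (the actual fix).
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Byte length of the last whitespace-separated word on the first line of $1,
# read exactly as the shell reads a script line. With CRLF endings the word
# is "tnc0" followed by CR (5 bytes), and that is what ifconfig receives.
last_word_len() {
    IFS= read -r line < "$1"
    set -- $line                # default IFS splits on space/tab/newline, not CR
    eval "w=\${$#}"
    printf '%s' "$w" | wc -c | tr -d ' \t'
}

# Constructed tinc-up as the package wrote it (CRLF), plus a cleaned copy.
tmp=$(mktemp -d)
crlf="$tmp/tinc-up.crlf"
clean="$tmp/tinc-up"
printf 'ifconfig $INTERFACE name tnc0\r\nifconfig $INTERFACE group pkg_tinc\r\n' > "$crlf"
strip_crlf "$crlf" "$clean"

if has_crlf "$crlf"; then
    printf '%s: CRLF endings, last word is %s bytes (tnc0 plus a CR byte)\n' \
        "$crlf" "$(last_word_len "$crlf")"
fi
printf '%s: last word is %s bytes\n' "$clean" "$(last_word_len "$clean")"
```

On a pfSense box the same check is `file /usr/local/etc/tinc/tinc-up` (as in the post) or `has_crlf`, and `tr -d '\r'` applied to the script gives a version that needs no trailing comment markers; the interface and group names then arrive at ifconfig without the stray byte.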
  • stunnel question

    0 Votes
    3 Posts
    847 Views
    D
    Who wrote the stunnel package? Why is only ip 127.0.0.1 accepted and not other IPs in "Listen on IP" field?
  • Having difficulties with Squid and SquidGuard

    0 Votes
    2 Posts
    415 Views
    Gertjan
    Hi, just a wild guess: try setting it up from LAN (it still has the default rules?).
  • bind 9.12 on pfsense

    0 Votes
    10 Posts
    1k Views
    L
    PS: if I make a query like:
    dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ;;##
    [root@temis ~]# dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45248
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;30.24/29.178.55.200.in-addr.arpa. IN PTR
    ;; ANSWER SECTION:
    30.24/29.178.55.200.in-addr.arpa. 1200 IN PTR ksmg.bicsa.cu.
    ;; AUTHORITY SECTION:
    24/29.178.55.200.in-addr.arpa. 1200 IN NS ns1.bicsa.co.cu.
    ;; ADDITIONAL SECTION:
    ns1.bicsa.co.cu. 1200 IN A 200.55.178.28
    ;; Query time: 287 msec
    ;; SERVER: 200.55.136.19#53(200.55.136.19)
    ;; WHEN: Fri Jan 18 14:20:58 2019
    ;; MSG SIZE rcvd: 120
    ;;##
    As I said, if I make the query:
    dig @ns2.bicsa.cu -x 200.55.178.30
    it is refused. So am I missing something? Or is this the correct behaviour, or do I have the zone name wrong, or have I not been making the query correctly? Sorry, and thanks in advance.
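The layout that the dig output above implies, as an added illustration of RFC 2317 classless reverse delegation (not from the thread; the parent-zone side is an assumption about how the owner of 200.55.178.0/24 delegates the block, and the SOA values are placeholders). The server answers the long name `30.24/29.178.55.200.in-addr.arpa` with `aa` set because it holds the child zone `24/29.178.55.200.in-addr.arpa`. The plain name `30.178.55.200.in-addr.arpa` lives in the parent zone, which that server does not hold, and `recursion requested but not available` says it will not chase it for a client either, so REFUSED for the short form, asked directly of ns2, is the expected answer. The parent zone's CNAME is what lets a normal resolver reach the PTR:

```dns
; Parent zone 178.55.200.in-addr.arpa, held by the address-block owner (ISP).
; Assumed content: delegate the /29 as a child zone and point every plain
; PTR name at the matching name inside that child zone (RFC 2317).
$ORIGIN 178.55.200.in-addr.arpa.
24/29        IN NS    ns1.bicsa.co.cu.
24/29        IN NS    ns2.bicsa.co.cu.
; .25 to .30 are the usable hosts of 200.55.178.24/29
$GENERATE 25-30 $ CNAME $.24/29.178.55.200.in-addr.arpa.

; Child zone 24/29.178.55.200.in-addr.arpa on ns1/ns2.bicsa.co.cu, the zone
; the dig output above is answered from. SOA timers are placeholders.
$ORIGIN 24/29.178.55.200.in-addr.arpa.
$TTL 1200
@            IN SOA   ns1.bicsa.co.cu. hostmaster.bicsa.co.cu. (
                         2019011801 ; serial
                         3600       ; refresh
                         900        ; retry
                         1209600    ; expire
                         1200 )     ; negative-cache TTL
@            IN NS    ns1.bicsa.co.cu.
@            IN NS    ns2.bicsa.co.cu.
30           IN PTR   ksmg.bicsa.cu.
```

With the parent side in place, `dig -x 200.55.178.30` against a recursive resolver returns the CNAME followed by the PTR; `dig @ns2.bicsa.co.cu 30.178.55.200.in-addr.arpa PTR` keeps returning REFUSED, because that server is authoritative only for the child zone and has recursion disabled. If the recursive lookup fails, the missing piece is the CNAME in the parent zone, which only the block owner can add.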
  • 0 Votes
    3 Posts
    596 Views
    bmeeks
    @john-the-ripper said in Which rules should be active is there enabling WAN and LAN interfaces on SNORT?:
    I am new to computer networking. I would like to set up SNORT for my small office. I was wondering what the difference is between enabling SNORT on WAN and LAN, and which rules should be active when enabling WAN and LAN interfaces on SNORT? Thanks for your help in advance.
    Put Snort on the LAN interface only. Putting it on the WAN will just log a bunch of junk the firewall is going to drop anyway. Plus, as @NogBadTheBad said, on the WAN all of your LAN host IP addresses will show in alerts "after NAT", meaning they will have the WAN's public IP. This is not very helpful when you are trying to determine which local host triggered the alert.
    As for which rules, I suggest you do this to use a Snort Team provided IPS policy. Get a Snort Subscriber Rules account. There are free and paid versions. You have to register for both. The difference in the two is explained at the link you will find on the GLOBAL SETTINGS tab in Snort. You can also use this link. After you get your Snort Oinkcode, enable the Snort Subscriber Rules by clicking the checkbox and paste your Oinkcode into the box provided on the GLOBAL SETTINGS tab. Go to the UPDATES tab and click Update to get a fresh copy of the Snort rules. Be sure to wait until the pop-up modal dialog auto-closes before leaving the page. It will take several seconds to a minute or more to download the rules.
    Now click on the INTERFACES tab and add your LAN interface to Snort if you have not done that already. Leave things at their defaults initially. I recommend you do not enable blocking initially to give you some time to see what alerts your network generates. If you turn on blocking right away, expect some false positives and some headaches caused by blocking what are really OK things (those false positives). Save the new interface. You should get returned to the INTERFACES tab.
    Click the edit icon for your LAN and then click on to the CATEGORIES tab. Click the checkbox to "Enable IPS Policy" and then choose the "IPS - Connectivity" policy in the drop-down. Let that be it at first. That is a good starter set of rules put together by the Snort team. Click Save on the page. Return to the INTERFACES tab and click the "start" icon to start Snort on the LAN. Hover over the icons to see a pop-up tooltip of what each icon does. Wait for Snort to start. The icon will turn into a green gear when Snort is running.
    You're done for now. Let it run like that for a week or so to give you a chance to see what kinds of alerts you get. Decide if you are getting any false positives (those are very likely with some of the HTTP_INSPECT rules), and suppress or disable the false positive rules. There are numerous threads here about setting up Suppress Lists and which rules to disable in Snort. Search for them to get some Snort tuning advice from other experienced Snort users. After you get the rules tuned up, then you can go to the INTERFACE SETTINGS tab again for the LAN and enable blocking. Remember when you make changes on the INTERFACE SETTINGS tab, you need to restart Snort on the interface for the changes to take effect.
  • pfsense / freeRADIUS

    Moved
    0 Votes
    2 Posts
    578 Views
    NogBadTheBad
    Do a radtest to verify it's working:
    root@unifi:~# radtest -4 andy password 172.16.0.1 1812 ClientSharedSecret
    Sending Access-Request of id 181 to 172.16.0.1 port 1812
        User-Name = "andy"
        User-Password = "password"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 172.16.0.1 port 1812, id=181, length=34
        Class = 0x61646d696e73
        Service-Type = Administrative-User
    root@unifi:~#
    https://support.microfocus.com/kb/doc.php?id=7014552
    You could also do a radsniff -x on pfSense.
  • BIND DNS Package on pfsense

    0 Votes
    1 Posts
    303 Views
    No one has replied
  • BIND GUI is missing "advanced options"

    0 Votes
    7 Posts
    1k Views
    S
    I reinstalled the package and it's there. I don't know why it wasn't in the first place, but thanks for the help!
  • Help with bind package and dynamic dns server by my own and acme package

    0 Votes
    2 Posts
    725 Views
    Gertjan
    @luisenrique said in Help with bind package and dynamic dns server by my own and acme package:
    https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html
    To get you started: check out the link again. Read everything several times. Using a script or program (like nsupdate) locally, or remotely, works great, but every bit counts here: one slightest error and you're KO. The big hint is here https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html - the last line:
    And that should be it. Assuming the firewall has connectivity to the name server, and there are no other access policies that would prevent the update, RFC2136 DynDNS service is now working. Should anything not work as expected, check the system log and/or the log on the name server.
    The last six words will give you the solution: check out bind's log files (they have to be set up, of course). They tell you how the update went, and what failed.
  • How do I know what's new in a pfSense package update?

    0 Votes
    3 Posts
    572 Views
    M
    @jimp Ok, thank you!
  • HAProxy Maint Mode Page

    0 Votes
    4 Posts
    1k Views
    P
    @brailyn Well.. ssl/https uses 'mode tcp', and haproxy will not send the errorfile in that case. To make haproxy respond with an http error response, you would need it to 'offload' the ssl traffic with a certificate. Or, if you can supply haproxy with the certificate, you could still pass the main traffic as-is with the sni frontend and send it to a second 'local frontend' that does the decryption of the https request if a backend is down, to serve the error reply, together with a nbsrv acl to switch to that second 'error frontend' if the webserver is down.
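The two-frontend layout described above, as an added haproxy configuration sketch (not from the thread or the pfSense package; the backend address, ports, certificate path and error-file path are assumptions). The SNI frontend stays in tcp mode so normal traffic is passed through untouched; only when `nbsrv` reports no live server in the web backend is the connection handed to a local TLS-terminating frontend whose only job is to emit the maintenance errorfile:

```haproxy
# Public entry point: TLS passthrough, no certificate needed here.
frontend ft_sni
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # nbsrv() is the number of usable servers in the named backend
    acl web_up nbsrv(bk_web) ge 1
    use_backend bk_web if web_up
    default_backend bk_error_local

backend bk_web
    mode tcp
    server web1 192.0.2.10:443 check

# When bk_web has no usable server, hand the still-encrypted stream to the
# local error frontend below, which holds the site's certificate.
backend bk_error_local
    mode tcp
    server err 127.0.0.1:8443

frontend ft_error
    mode http
    bind 127.0.0.1:8443 ssl crt /usr/local/etc/haproxy/site.pem
    default_backend bk_maint

# No servers here: every request becomes a 503, replaced by the errorfile.
# The errorfile must be a complete raw HTTP response (status line, headers,
# blank line, body), not a bare HTML document.
backend bk_maint
    mode http
    errorfile 503 /usr/local/etc/haproxy/errors/maint.http
```

`haproxy -c -f <file>` validates the configuration before it is loaded. Because the client's TLS handshake now terminates on `ft_error`, the certificate in `site.pem` has to match the hostname the browser sent in SNI, otherwise the visitor gets a certificate warning instead of the maintenance page.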
  • Package database getting deleted

    0 Votes
    8 Posts
    2k Views
    R
    My bad. I had a proxy URL configured. Removing it has solved my problem. Thanks for your help, everyone. Ricky
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.