Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics, 21k Posts
    Last post:
    Docker image for Squid 7.3 and above: https://hub.docker.com/r/fredbcode/squid (if pfSense does not push the update).
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics, 16k Posts
    Last post by DARA:
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with the Suricata 7.0.8_5 package installed. Suricata doesn't seem to start: it loops back to red once I press the Play button on the interface. It leaves no logs in the System logs and none in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log. I tried launching it manually:
        # /usr/local/bin/suricata -V
    or
        # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787
    and I get this output:
        ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"
    Thanks in advance, Dara
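The loader message in the post above means the suricata binary asks for __strlcpy_chk in the version node FBSD_1.8 and the libc.so.7 that ld-elf.so.1 loaded does not define that node, which is what happens when a package was built against a newer FreeBSD base than the one installed. The script below is an added example (not Suricata, pfSense or Netgate code) that reads that version metadata straight out of the ELF files with nothing but the Python standard library, so the comparison can be run on the firewall itself. The binary path is the one from the post; /lib/libc.so.7 is assumed as the usual FreeBSD libc location.

```python
"""Read the symbol-version metadata behind
'Undefined symbol "__strlcpy_chk@FBSD_1.8"': the version nodes a binary
requires from each library (SHT_GNU_verneed) and the nodes a library defines
(SHT_GNU_verdef).  Added diagnostic example, not Suricata or pfSense code.
Usage: elfvers.py /usr/local/bin/suricata /lib/libc.so.7 (paths assumed)."""
import os
import struct
import sys

SHT_GNU_VERDEF = 0x6FFFFFFD
SHT_GNU_VERNEED = 0x6FFFFFFE
VER_FLG_BASE = 0x1        # verdef entry that only names the library itself


def _load(path):
    """Return (bytes, endian prefix, section list) for an ELF32/ELF64 file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    ehdr = end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    h = struct.unpack(ehdr, data[:struct.calcsize(ehdr)])
    shoff, shentsize, shnum = h[6], h[11], h[12]
    shdr = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    secs = []
    for i in range(shnum):
        off = shoff + i * shentsize
        s = struct.unpack(shdr, data[off:off + struct.calcsize(shdr)])
        # keep sh_type, sh_offset, sh_link, sh_info
        secs.append({"type": s[1], "off": s[4], "link": s[6], "info": s[7]})
    return data, end, secs


def _cstr(data, base, off):
    """NUL-terminated string at offset off inside the string table at base."""
    start = base + off
    return data[start:data.index(b"\0", start)].decode("ascii", "replace")


def required_versions(path):
    """{library soname: set of version names the binary needs from it}."""
    data, end, secs = _load(path)
    needed = {}
    for s in (x for x in secs if x["type"] == SHT_GNU_VERNEED):
        strtab = secs[s["link"]]["off"]      # sh_link = associated string table
        pos = s["off"]
        for _ in range(s["info"]):           # sh_info = number of Verneed entries
            _, cnt, vn_file, vn_aux, vn_next = struct.unpack(end + "HHIII", data[pos:pos + 16])
            lib = _cstr(data, strtab, vn_file)
            apos = pos + vn_aux
            for _ in range(cnt):             # Vernaux chain: one entry per version node
                _, _, _, vna_name, vna_next = struct.unpack(end + "IHHII", data[apos:apos + 16])
                needed.setdefault(lib, set()).add(_cstr(data, strtab, vna_name))
                apos += vna_next
            pos += vn_next
    return needed


def defined_versions(path):
    """Version names a shared library defines, e.g. {'FBSD_1.0', ..., 'FBSD_1.7'}."""
    data, end, secs = _load(path)
    defined = set()
    for s in (x for x in secs if x["type"] == SHT_GNU_VERDEF):
        strtab = secs[s["link"]]["off"]
        pos = s["off"]
        for _ in range(s["info"]):           # sh_info = number of Verdef entries
            _, flags, _, _, _, vd_aux, vd_next = struct.unpack(end + "HHHHIII", data[pos:pos + 20])
            if not flags & VER_FLG_BASE:     # skip the entry that just names the .so
                vda_name = struct.unpack(end + "I", data[pos + vd_aux:pos + vd_aux + 4])[0]
                defined.add(_cstr(data, strtab, vda_name))
            pos += vd_next
    return defined


def missing_versions(needed, defined, soname):
    """Versions needed from soname that the library does not define."""
    return sorted(needed.get(soname, set()) - defined)


if __name__ == "__main__":
    binary, lib = sys.argv[1], sys.argv[2]
    needed, defined = required_versions(binary), defined_versions(lib)
    gap = missing_versions(needed, defined, os.path.basename(lib))
    print("binary needs:", {k: sorted(v) for k, v in needed.items()})
    print("library defines:", sorted(defined))
    print("missing from library:", gap or "none")
```

readelf -V on both files shows the same tables; the point of doing it in code is that the missing set is computed rather than eyeballed. A non-empty result for libc.so.7 means the package binary cannot run on this base no matter how it is configured, so the fix is a package build matching the installed release, not a Suricata setting. On a Linux host the library is libc.so.6 and the nodes are GLIBC_x.y, and the script works unchanged.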
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    573 Topics, 3k Posts
    Last post by dennypage:
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure they match the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:
        /usr/sbin/chown -R nobody:nobody /var/db/ntopng
    However, the better choice would be to upgrade to a more recent version.
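The check implied by the post above (ownership of /var/db/ntopng must match the daemon's user), as an added example rather than anything from the ntopng package: it walks the hierarchy, reports entries owned by someone else, and emits per-path chown commands instead of a blanket chown -R. The directory and the user name nobody come from the post; which user the daemon really runs as is an assumption to confirm against the running process (ps) before applying anything.

```python
"""Report entries under a package's state directory that are not owned by
the user the daemon runs as, and print reviewable chown commands for them.
Added example, not part of the ntopng package.  Defaults follow the post
(/var/db/ntopng, user 'nobody'); the user name is an assumption to verify
against the running process first."""
import os
import pwd
import sys


def resolve_user(name):
    """uid and primary gid for an account name; KeyError if it does not exist."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


def wrong_owner(root, uid, gid=None):
    """Paths under root (root included) whose owner is not uid, or whose group
    is not gid when gid is given.  Symlinks are inspected, not followed."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        # os.walk does not descend into symlinked dirs; still check the link itself
        entries += [os.path.join(dirpath, d) for d in dirnames
                    if os.path.islink(os.path.join(dirpath, d))]
        for path in entries:
            st = os.lstat(path)
            if st.st_uid != uid or (gid is not None and st.st_gid != gid):
                bad.append(path)
    return bad


def chown_commands(paths, uid, gid):
    """One explicit chown per reported path (-h so a symlink itself is changed,
    not its target), so nothing outside the reported set is touched."""
    return [f"chown -h {uid}:{gid} {path}" for path in paths]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/db/ntopng"
    user = sys.argv[2] if len(sys.argv) > 2 else "nobody"
    uid, gid = resolve_user(user)
    bad = wrong_owner(root, uid, gid)
    print("\n".join(chown_commands(bad, uid, gid)) or f"all of {root} is owned by {user}")
```

Run it once to see what would change, then paste the commands; an empty result on a still-failing daemon means the problem is not ownership and chown -R would only have masked that.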
  • Discussions about the pfBlockerNG package

    3k Topics, 20k Posts
    Last post by tinfoilmatt:
    @vicking said in No blocks on IP: Is it a bad idea to have the action set to deny both instead of inbound only?
    Question is squarely for admin. Per the infoblock, which explains, in part, the "Deny Inbound", "Deny Outbound" and "Deny Both" actions:
        'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
        Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list.
        Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction.
        One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction.
    In other words: when set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However, a LAN host can still establish state to an otherwise listed IP. If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However, an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state. If set to "Deny Both", both incoming connection requests and outbound connection requests are blocked and therefore no state will be created regardless of connection direction.
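The three outcomes described in the post above, as an added stateful model that is not pfBlockerNG or pf code: a Deny action is a high-priority block rule on the WAN side in one or both directions, and a packet that matches an existing state passes without the rules being consulted. NAT is ignored, and the addresses, ports and the single list entry are constructed for the demonstration; the pass rules that let the non-denied direction create state (LAN allow-out, an open WAN port) are assumed to exist.

```python
"""Stateful model of pfBlockerNG's 'Deny Inbound', 'Deny Outbound' and
'Deny Both' actions.  Added illustration, not pfBlockerNG or pf code.  It
encodes only what the infoblock states: the Deny action blocks new sessions
from/to listed IPs on WAN in the chosen direction(s); anything matching an
existing state passes.  NAT is ignored; all addresses are constructed."""

LISTED = {"198.51.100.9"}                          # constructed block list
LAN_HOST, WAN_IP = "192.168.1.50", "203.0.113.1"   # constructed
ACTIONS = ("Deny Inbound", "Deny Outbound", "Deny Both")


class WanFilter:
    def __init__(self, action):
        if action not in ACTIONS:
            raise ValueError(action)
        self.action = action
        self.states = set()        # (src, sport, dst, dport) of sessions that were allowed

    def packet(self, direction, src, sport, dst, dport):
        """Evaluate one packet crossing WAN.  direction is 'in' (from the
        internet) or 'out' (from the LAN).  Returns 'pass' or 'block'."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.states or rev in self.states:
            return "pass"          # state match: block rules are never consulted
        # No state, so this is a new session: the Deny rule applies by direction.
        blocks_in = self.action in ("Deny Inbound", "Deny Both")
        blocks_out = self.action in ("Deny Outbound", "Deny Both")
        if direction == "in" and src in LISTED and blocks_in:
            return "block"
        if direction == "out" and dst in LISTED and blocks_out:
            return "block"
        # Assumed: an ordinary 'pass ... keep state' rule covers this traffic
        # (LAN allow-out, or an open WAN port for the inbound case).
        self.states.add(fwd)
        return "pass"


def session(fw, direction, client, cport, server, sport):
    """First packet of a session plus the server's reply; the reply is only
    attempted when the first packet passed."""
    first = fw.packet(direction, client, cport, server, sport)
    if first != "pass":
        return (first, "not sent")
    back = "in" if direction == "out" else "out"
    return (first, fw.packet(back, server, sport, client, cport))


def outcomes(action):
    """What a LAN-initiated and a WAN-initiated session involving a listed IP see."""
    lan = session(WanFilter(action), "out", LAN_HOST, 51000, "198.51.100.9", 443)
    wan = session(WanFilter(action), "in", "198.51.100.9", 40000, WAN_IP, 443)
    return {"lan_to_listed": lan, "listed_to_wan": wan}


if __name__ == "__main__":
    for act in ACTIONS:
        print(f"{act:14s} {outcomes(act)}")
```

The reply packet is the interesting row: under Deny Inbound the listed IP's reply to a LAN-initiated session is still passed, because the state created by the outbound packet is checked before any rule, which is exactly why Deny Inbound does not break deliberate outbound sessions and why Deny Both is the setting that does.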
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics, 3k Posts
    Last post:
    @dennypage Nicely done, sir!
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics, 3k Posts
    Last post:
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the ACME web GUI times out, and when the web GUI times out the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics, 1k Posts
    Last post:
    This one has been tricky; still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics, 654 Posts
    Last post:
    @luckman212, thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.
  • Discussions about WireGuard

    715 Topics, 4k Posts
    Last post by patient0:
    @andresbraga If you still have the firewall rules as you posted, then I don't know why, from the laptop, you can't ping the pfSense WireGuard address 10.10.6.1 nor the pfSense gateway 10.10.1.1. What is the routing table of the laptop? And I would run a packet capture on pfSense and check what you see when you ping 10.10.1.1 or 10.10.6.1.
  • Need some help: Package used to work but doesn't work now.

  • FreeRadius3 LOG

    2 Posts, 617 Views
    Last post by Gertjan:
    I totally agree with this. What about moving the FreeRADIUS logs to the "Package log" menu? Right now it's overwhelming my general log as well.
  • openvpn-client-export & auth-nocache option

    2 Posts, 7k Views
    Last post:
    --auth-nocache: "Don't cache --askpass or --auth-user-pass username/passwords in virtual memory. If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session. This directive does not affect the --http-proxy username/password. It is always cached."
    I don't think you'd want to type in your username/password multiple times during the login session, and then on every reconnect, just to buy some peace of mind. On top of that, --auth-nocache cannot be implemented 100% reliably on any normal computer; you would need some special secure memory that can guarantee the no-cache property of the memory used. As soon as the username/password are read, there is some cached memory that holds the password for a non-zero time.
  • Network analyzer

    2 Posts, 637 Views
    Last post by emammadov:
    Hi. You can use Squid together with SquidGuard to block websites. Lightsquid is a web proxy reporting tool with which you can see which user or IP address has visited what websites. With the ntopng package, you can see the network usage of IP addresses, which IP address is using the most bandwidth, etc.
  • Creating a package around a set of python scripts

    2 Posts, 537 Views
    Last post by jimp:
    A FreeBSD port is the heart of it. You can look at other small and simple packages to get an idea of how they work. For a GUI, it depends on what you need. If it's a few settings, then using the built-in XML package GUI method may be easiest; otherwise you can code up a small PHP page to do what you need.
  • Nagios nrpe Version 3 after Upgrade to 2.3.5-RELEASE-p2?

    3 Posts, 1k Views
    Last post:
    Hi, there was an upgrade for the nrpe package from 2.3.2_2 to 3.0 available. Now everything works as expected again… :)
  • General security

    3 Posts, 826 Views
    Last post by Raffi_:
    Hi John, I am not very experienced with pfSense either, but I have spent several months setting up the box and digging into different packages. You already mentioned most of these, but speaking from my own limited experience and setup, below is what I have and some of my knowledge on them.
    OpenVPN: Great for secure remote access.
    pfBlockerNG: Great for URL filtering and added security depending on the lists used. I followed this awesome tutorial on YouTube to help get that set up the way I wanted: https://www.youtube.com/watch?v=QwFpMwXEK5w. You don't have to use all the lists and examples in that video, but it's a great start. For example, the ad blocking helps prevent users from doing things they shouldn't be doing, like clicking on Google ads that say "Official Microsoft site" but where the URL is clearly not right and can take them to a potentially malicious site. This saved me a few times at least. I use most of the lists in that video along with some of the easy lists included in the package.
    Suricata: I originally used Snort, but I had a fatal issue with it when Snort ran into some updated rules which it didn't know what to do with. To me, having an IPS with a few missing rules is better than having one that chokes on those few faulty rules and doesn't run at all. I ended up switching to Suricata instead, which uses many of the same rules and categories anyway.
    Squid with ClamAV: Squid is being used as a caching web proxy server which all my clients go through. The web proxy wasn't really needed, but the anti-virus at the firewall level was the main selling point to me. That is done thanks to ClamAV, included in the Squid package. On my setup, ClamAV is only scanning HTTP traffic and not HTTPS. Technically it could be set up to do both. I personally am staying away from that for reasons discussed throughout these forums.
    Good luck. Raffi
  • MOVED: FreeVRRP

  • Cyberpower OR500LCDRM1U and apcupsd package issue

    3 Posts, 823 Views
    Last post by Raffi_:
    I was never able to get the apcupsd package to work with my Cyberpower CP1500C. In your case, it sounds like it could be a driver issue; it doesn't make sense why it would stop working suddenly. In my case, I used the NUT package instead and it's been working smoothly for months. I don't know if it's worth a try, though, because my setup is different: I don't have it connected to my pfSense box with USB. I have the UPS connected via USB to a NAS on my LAN. That NAS also acts as my UPS server, so pfSense is able to access the UPS info via the LAN. In the NUT package on pfSense, I just enter the server IP, port and the admin credentials of the server.
  • Zabbix proxy web scenario checks

  • Munin-node package for 2.3?

    5 Posts, 3k Views
    Last post:
    Thank you Gertjan, and apologies for my rather clueless question. The Munin master is within the LAN. Indeed, I have set up the node as described above, and everything now runs as it should. Sorry again for being a bit dumb…
  • How to configure Syslog-ng

    3 Posts, 2k Views
    Last post:
    How do you configure the logs to be sent to ELK running in Docker containers?
  • Freeradius with oracle support in addition to mysql and postgresql

    2 Posts, 605 Views
    Last post by Gertjan:
    Hi, if you are ready to do some keyboard work, I guess it's possible. Enter console mode and go to God mode (option 8). Go to the settings directory:
        cd /usr/local/etc/raddb/
    and ask whether this FreeRADIUS knows anything about 'oracle':
        grep -R 'oracle' *
    You will see this:
        mods-available/sql:#  Where "DB" is mysql, mssql, oracle, or postgresql.
        mods-available/sql:    #    * rlm_sql_oracle
        mods-config/sql/ippool-dhcp/oracle/queries.conf:#  ippool-dhcp/oracle/queries.conf -- Oracle queries for dhcp-ippool
        mods-config/sql/ippool/oracle/queries.conf:#  ippool/oracle/queries.conf -- Oracle queries for rlm_sqlippool
        mods-config/sql/main/oracle/queries.conf:#  main/oracle/queries.conf -- Oracle configuration for default schema (schema.sql)
    The major part about how to set it up is there … but FreeRADIUS needs a 'driver' that can talk to Oracle. The settings will show you that the driver name for MySQL is "rlm_sql_mysql"; for Oracle this would be "rlm_sql_oracle" ... Check here:
        cd /usr/local/lib/freeradius-3.0.15
        ls -al
    Bad news: no Oracle driver in the FreeRADIUS 3.x package … (maybe you can borrow a copy from an original FreeBSD 11.1 (current FreeBSD kernel used by pfSense) "FreeRadius" package ..
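The grep-then-ls procedure in the post above, done in one step as an added example (not FreeRADIUS or pfSense package code): read the active driver and dialect from mods-available/sql, list the rlm_sql_* shared objects actually installed, and report whether the configured backend has a module to load. The two default paths are the ones the post names (the lib directory is version-specific); the driver and dialect keys are the standard FreeRADIUS 3 syntax in that file, and whether mods-enabled/sql exists is checked because FreeRADIUS 3 only loads modules linked there.

```python
"""Cross-check the SQL backend FreeRADIUS is configured for against the
rlm_sql_* driver modules actually installed.  Added example, not FreeRADIUS
or pfSense package code.  Paths default to the ones in the post; the lib dir
name is version-specific, so pass your own as the second argument."""
import os
import re
import sys

RADDB = "/usr/local/etc/raddb"
LIBDIR = "/usr/local/lib/freeradius-3.0.15"

# Active (uncommented) assignments only: a line starting with '#' cannot match '^\s*driver'.
_DRIVER_RE = re.compile(r'^\s*driver\s*=\s*"?(rlm_sql_\w+)"?', re.M)
_DIALECT_RE = re.compile(r'^\s*dialect\s*=\s*"?(\w+)"?', re.M)


def configured_sql(raddb=RADDB):
    """(driver, dialect) from mods-available/sql; None for a key that is not set."""
    with open(os.path.join(raddb, "mods-available", "sql")) as f:
        text = f.read()
    drv, dia = _DRIVER_RE.search(text), _DIALECT_RE.search(text)
    return (drv.group(1) if drv else None, dia.group(1) if dia else None)


def sql_enabled(raddb=RADDB):
    """FreeRADIUS 3 only loads mods-available/sql when mods-enabled/sql exists."""
    return os.path.exists(os.path.join(raddb, "mods-enabled", "sql"))


def installed_sql_drivers(libdir=LIBDIR):
    """Names of the rlm_sql_* shared objects in the module directory."""
    return {e.split(".so")[0] for e in os.listdir(libdir)
            if e.startswith("rlm_sql_") and ".so" in e}


def check(raddb=RADDB, libdir=LIBDIR):
    """'ok', 'missing-driver' (configured but no module on disk: the Oracle
    case in the post) or 'no-driver-set'."""
    driver, _ = configured_sql(raddb)
    if driver is None:
        return "no-driver-set"
    return "ok" if driver in installed_sql_drivers(libdir) else "missing-driver"


if __name__ == "__main__":
    raddb = sys.argv[1] if len(sys.argv) > 1 else RADDB
    libdir = sys.argv[2] if len(sys.argv) > 2 else LIBDIR
    print("configured:", configured_sql(raddb), "enabled:", sql_enabled(raddb))
    print("installed drivers:", sorted(installed_sql_drivers(libdir)))
    print("result:", check(raddb, libdir))
```

A 'missing-driver' result with driver = "rlm_sql_oracle" is exactly the situation the post ends on: the queries.conf files ship, the loadable module does not, and radiusd will refuse to start the sql module. Copying a module built against a different FreeRADIUS or FreeBSD version is the same ABI gamble as any foreign binary, so check it against the installed radiusd before relying on it.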
  • Configure syslog-ng to stream multiple individual log files not working

    3 Posts, 2k Views
    Last post:
    After more testing, and the update to v2.4.3, I'm not seeing any difference in behavior. Anyone know of anything I can try to change? Also, is there a good way to report a bug, or is that directly to the redmine project site?
  • Editing AVAHI Deny Interfaces?

    6 Posts, 1k Views
    Last post by Gertjan:
    @JimPhreak: Ahhhh, I wasn't holding Ctrl and clicking at the same time. Wow, what a brain cramp.
    "Ctrl" is a dead key that needs to be pressed with 'something' on the keyboard - or mouse - that is, for the last 2, 3 decades it has behaved like that ;)
  • TFTP can't create files

    2 Posts, 698 Views
    Last post by Gertjan:
    Hi, did you try to use the entire path as a file name?
  • Freeradius3 authorization and accounting

    2 Posts, 812 Views
    Last post by Gertjan:
    Hi, @Javid_B:
        (0) exec: Executing: /bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh jb@gmail.com daily:
        cat: /var/log/radacct/datacounter/daily/max-octets-jbXgmail.com: No such file or directory
        /usr/local/etc/raddb/scripts/datacounter_auth.sh: arithmetic expression: expecting primary: "/1024/1024"
    For every user that has a quota in a time span, a file is created here: /var/log/radacct/datacounter/daily/ - the file starts with "max-octets-"; in your case it's max-octets-jbXgmail.com. In this case your time duration for the quota is "daily". Does this file exist? The error message says: no! So login won't work. All is normal ;)
    I advise you to experiment with a non-email login like "test". Check if the file /var/log/radacct/datacounter/daily/max-used-test is created - in the file you will find the quota size in bytes. When the login works, another file will be created: /var/log/radacct/datacounter/daily/used-test and probably /var/log/radacct/datacounter/daily/used-test-xxxxxxxxxx (xxxxxx is the session ID). Check this.
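The quota lookup the post above describes, as an added example that is not the package's datacounter_auth.sh: it reads the same per-period files but handles the missing-file case explicitly instead of feeding an empty cat result into an arithmetic expansion, which is what the "expecting primary" error in the log indicates happened. Assumptions, taken from the post rather than from the script: '@' in a login is stored as 'X' in the file name (jbXgmail.com), max-octets-<user> holds the quota in bytes, and used-<user> holds the running total; the per-session used-<user>-<sessionid> files are not consulted here.

```python
"""Quota lookup modelled on the datacounter files described in the post, with
the missing-file case handled.  Added example, not the FreeRADIUS package's
datacounter_auth.sh.  Assumed layout (from the post): <root>/<period>/
max-octets-<name> = quota in bytes, used-<name> = bytes used so far, where
<name> is the login with '@' replaced by 'X'."""
import os

DATACOUNTER = "/var/log/radacct/datacounter"     # directory named in the post


def counter_name(login):
    """File-name form of a login: '@' becomes 'X' (as seen in the post's path)."""
    return login.replace("@", "X")


def read_octets(path):
    """Integer from a one-number file; None if the file is missing or empty.
    The shell script apparently did $(( $(cat file)/1024/1024 )) here, which
    with no file yields the 'expecting primary: "/1024/1024"' error."""
    try:
        with open(path) as f:
            text = f.read().strip()
    except FileNotFoundError:
        return None
    return int(text) if text else None


def check_quota(login, period="daily", root=DATACOUNTER):
    """Return (decision, used_bytes, max_bytes).
    decision is 'no-quota' when no max-octets file exists for this login and
    period, 'reject' when used >= max, otherwise 'accept'."""
    name = counter_name(login)
    period_dir = os.path.join(root, period)
    limit = read_octets(os.path.join(period_dir, f"max-octets-{name}"))
    if limit is None:
        return ("no-quota", 0, None)
    used = read_octets(os.path.join(period_dir, f"used-{name}")) or 0
    return ("reject" if used >= limit else "accept", used, limit)


def remaining_mib(login, period="daily", root=DATACOUNTER):
    """Remaining quota in MiB (the /1024/1024 the shell script was computing),
    or None when no quota is configured."""
    decision, used, limit = check_quota(login, period, root)
    if decision == "no-quota":
        return None
    return max(limit - used, 0) / 1024 / 1024


if __name__ == "__main__":
    import sys
    login = sys.argv[1] if len(sys.argv) > 1 else "test"
    period = sys.argv[2] if len(sys.argv) > 2 else "daily"
    print(check_quota(login, period), "remaining MiB:", remaining_mib(login, period))
```

Whether 'no-quota' should mean accept (no limit configured) or reject (the user was never provisioned) is a site decision; the point is that the decision is made deliberately and logged, rather than falling out of a shell arithmetic error as it did in the post.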
  • 8 Posts, 3k Views
    Last post:
    This is what happens when the Shared Secret key does not match ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.