Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    I wanted to share this with anyone else that noticed the speed when you hover over connections on status shows 0/0 always. Just in case also if anyone has any recommendations let me know.

    sqstat.class.php - Changes Log
    pfSense Squid Realtime Stats (SQStat) Speed Fix
    Date: March 12, 2026

    PROBLEM SUMMARY
    Current Speed and Avg Speed columns always showed 0 in SQStat. Three root causes were identified and fixed.

    CHANGE 1: Connection ID Key (both makeHtmlReport and parseRequest)
    LOCATION: makeHtmlReport (~line 341) and parseRequest (~line 499)
    BEFORE:
        $con_id = $con['connection'];
    AFTER:
        $con_id = md5($con['uri'] . $con['peer']);
    WHY: Squid reports connection IDs as memory addresses (e.g. 0xbe97ec98) which change on every request. This meant the session key for a connection never matched between page loads, so previous byte counts could never be found and current speed was always 0. Using md5(uri + peer) creates a stable, consistent key that matches the same connection across multiple refreshes.

    CHANGE 2: Session replaced with temp file (both functions)
    LOCATION: makeHtmlReport (~line 280) and parseRequest (~line 460)
    BEFORE (session read):
        unset($session_data);
        if (isset($_SESSION['time']) && ((time() - $_SESSION['time']) < 3*60) && isset($_SESSION['sqdata']) && is_array($_SESSION['sqdata'])) {
            $session_data = $_SESSION['sqdata'];
        }
    AFTER (file read):
        $sqstat_file = '/tmp/sqstat_data.json';
        $session_data = array();
        if (file_exists($sqstat_file) && (time() - filemtime($sqstat_file)) < 180) {
            $session_data = json_decode(file_get_contents($sqstat_file), true) ?: array();
        }
    BEFORE (session write):
        $_SESSION['time'] = time();
        if (isset($new_data)) {
            $_SESSION['sqdata'] = $new_data;
        }
    AFTER (file write):
        if (isset($new_data)) {
            file_put_contents($sqstat_file, json_encode($new_data));
        }
    WHY: pfSense uses jQuery AJAX to refresh SQStat. Each AJAX call was receiving a new PHP session ID, meaning $_SESSION was always empty on every refresh. Data written to $_SESSION on one call was never available on the next call. This was confirmed by debug logging showing a different session_id() on every request. /tmp on pfSense is a tmpfs (RAM) filesystem so writing to /tmp/sqstat_data.json has zero SSD impact and persists correctly between AJAX calls.

    CHANGE 3: Session start blocks removed (both functions)
    LOCATION: makeHtmlReport (~line 213) and parseRequest (~line 395)
    BEFORE:
        if ($this->use_sessions) {
            if (session_status() == PHP_SESSION_NONE) {
                session_name('SQDATA');
                session_start();
            }
        }
    AFTER: (removed entirely)
    WHY: pfSense already starts its own PHP session before SQStat loads. Attempting to start a second session named 'SQDATA' was conflicting with pfSense's session management. Since we moved to file-based storage this code is no longer needed at all.

    CHANGE 4: Avg speed moved outside session check (parseRequest)
    LOCATION: parseRequest (~line 520)
    BEFORE:
        if (isset($session_data[$con_id]) && !empty($session_data[$con_id])) {
            // ... curr_speed calculation ...
            // avg speed
            $avg_speed = $con['bytes'] / 1024;
            if ($con['seconds'] > 0) {
                $avg_speed /= $con['seconds'];
            }
        }
    AFTER:
        if (isset($session_data[$con_id])) {
            // ... curr_speed calculation only ...
        }
        // avg speed - always calculate
        if ($con['bytes'] > 0 && $con['seconds'] > 0) {
            $avg_speed = ($con['bytes'] / 1024) / $con['seconds'];
        }
    WHY: Avg speed does not need previous request data - it can always be calculated as total bytes transferred divided by connection duration. By moving it outside the session/file data check it shows immediately on first load for any connection alive more than 1 second, without needing a previous snapshot.

    CHANGE 5: Current speed calculation simplified (both functions)
    LOCATION: makeHtmlReport (~line 345) and parseRequest (~line 503)
    BEFORE:
        if ($was_time && $was_size) {
            $delta = $is_time - $was_time;
            if ($delta == 0) {
                $delta = 1;
            }
            if ($con['bytes'] >= $was_size) {
                $curr_speed = ($con['bytes'] - $was_size) / 1024 / $delta;
            }
        } else {
            $curr_speed = $con['bytes'] / 1024;
        }
    AFTER:
        $delta_time = max(1, $is_time - $was_time);
        $delta_bytes = $con['bytes'] - $was_size;
        if ($delta_bytes > 0) {
            $curr_speed = ($delta_bytes / 1024) / $delta_time;
        }
    WHY: Simplified the delta calculation using max(1, ...) to avoid division by zero more cleanly. Removed the fallback that set curr_speed to total bytes when no previous size was recorded - that was showing inflated incorrect values. Now only shows current speed when there is a genuine positive byte delta between refreshes.

    NOTES
    - /tmp/sqstat_data.json is written on every refresh (tmpfs = RAM, no SSD writes)
    - Old closed connections remain in the JSON file but are ignored since they won't match any active Squid connection on the next poll
    - makeHtmlReport is not used by pfSense's version of SQStat (pfSense uses parseRequest + sqstat_resultHTML via AJAX) but was updated for consistency
    - Current speed requires at least 2 refreshes with the same connection active to show a value - this is expected behavior
    - Avg speed shows immediately on first load for connections > 1 second old

    =============================== End of change log
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB
    The physical files themselves (the sample SID Management Configuration files) are installed with the Snort package into /var/db/snort. Then, if it's a first-time green field installation, the contents of those sample files are migrated into the config.xml file of the firewall as Base64 encoded text by the post-installation script and stored there from then on. If they are not showing for the OP, then somehow they were accidentally deleted is my best guess. The GUI will allow them to be deleted.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    577 Topics
    3k Posts
    G
    @johnpoz The decoded base 64 isn't something I recognise. It's simply "teamspeak5:" and then a random string of numbers/letters/symbols.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    keyserK
    @netboy I understand. A good guess, since your websites (internet access) no longer work, is that DNS stops working. That in turn suggests that Unbound (pfSense's built-in DNS server) stopped working when attempting to start with the pfBlockerNG integration engaged. Try and check that Unbound has the python integration listed in its config. Next thing would be to look into the STATUS -> SYSTEM LOGS -> GENERAL/RESOLVER log and see if Unbound is spitting some useful info into there
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    105 Topics
    3k Posts
    N
    @dennypage said in UPS ups on battery - appears often now: fast follow UPS like what you have Can you please explain what is "fast follow UPS"? Do you mean "actions or tasks that are done very quickly after an initial event, message, or decision." - I have to say no this is not the issue IMHO because the pattern is consistent. The pattern: <1> Flooded with email alerts from netgate ups (usb attached) <2> No lights or warning from UPS <3> My "custom" app says the UPS is OK <4> I reboot router <5> next 12 hours no alerts <6> alert then flooding my inbox The above pattern repeats. @dennypage I am fully aware you are an expert in nut and I believe you are the developer for netgate NUT package - Do you really think there is no communication issue between netgate router and the UPS package (service) installed inside the router based on my post?
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    516 Topics
    3k Posts
    L
    @jimp Up to now I install the certificates on the (web/mail/sftp)server(s) themselves. However since that is becoming more and more complex and certificate lifetimes are becoming shorter and shorter. I do seriously consider to use LetsEncrypt certificates generated on pfSense. And preferable without the help of additional systems. Note however that I am using HA-proxy. So I am trying two routes: 1) completely on pfSense 2) on pfSense with the help of a dedicated webserver on a VM, handling all LetsEncrypt requests. Routed via HA-proxy based on ^path starts /.well-known/acme-challenge/^ For method 1) I implemented the ^acme-http01-webroot.lua^ option I did not yet implement method 2) Of course I do not want to expose the pfSense GUI to the internet. I changed the GUI port number and do not allow access to pfSense from the internet at all (at least I hope so) Also have a look at my other thread 'Do not manage to generate Certificate (using ^Webroot local folder^)' My intention is of course that the token is stored and read on pfSense itself without using the GUI webserver / the possibility to access the GUI.
  • Discussions about the FRR Dynamic Routing package on pfSense

    299 Topics
    1k Posts
    LinkPL
    @jimp I'm definitely eager to test that package update, but after the latest system update to 25.11.1 from 25.11, (which I did in the hope it would fix the OSPFv3 issue) my long-working IPsec VTI setup quit passing usable traffic. This is obviously not the right topic for that subject. I will post it where it belongs once I get time to collect more useful diagnostic information than I have now. ETA: VTI IPsec VPN seems to be working normally again! IPv4 OSPF is working, and I can now rebuild my IPv6 routes on OSPFv3. I am pretty stoked! Thanks to everyone involved in getting that package update published.
  • Discussions about the Tailscale package

    96 Topics
    731 Posts
    chudakC
    @johnpoz said in "Tailscale is not online" problem: @chudak the next version of pfsense + 26.03, its in RC currently https://docs.netgate.com/pfsense/en/latest/releases/26-03.html https://forum.netgate.com/topic/200319/call-for-testing-pfsense-plus-26.03-rc-now-available Do you expect some changes related to TS in it?
  • Discussions about WireGuard

    734 Topics
    4k Posts
    N
    Of course, thanks for reporting.
  • System Patches Package v2.2.23

    Pinned
    1
    7 Votes
    1 Posts
    3k Views
    No one has replied
  • DNS Broken for pkg.pfsense.org

    Pinned Locked
    3
    0 Votes
    3 Posts
    19k Views
    jimpJ
    https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2
  • Packages wishlist?

    Pinned
    661
    0 Votes
    661 Posts
    2m Views
    O
    PRTG
  • 0 Votes
    15 Posts
    177 Views
    dennypageD
    @DomV said in NUT server - After power is turned back on, pfsense shut's down sockets without warning for no reason: Because I think that this is the default value for this UPS. And I still really don't understand why with the pi it works correctly even with this setting. The default for low battery on APC UPSs is 10%. 97% would not make sense to use as a default setting on any UPS. As to the Pi, there are any number of configuration reasons that would result in a change of behavior. If you want to explore that further, I recommend the NUT Users mailing list.
  • DNSCrypt Proxy Package Available - Full GUI Support

    5
    1 Votes
    5 Posts
    297 Views
    N
    Update -- v1.2.0 Released
    A few releases have gone out since the initial post, here's a summary of everything new since v1.0.4.

    v1.1.0 -- Custom TOML, Config Viewer
    Custom TOML Options -- A freeform textarea on the Advanced tab for entering any dnscrypt-proxy option not exposed in the GUI. Custom options override generated keys automatically (no duplicate key errors). The full merged config is validated with dnscrypt-proxy -check before saving.
    Config Tab -- New 8th tab showing the generated TOML file with copy-to-clipboard and file download.

    v1.1.2 -- Security & Bug Fixes
    Input validation hardening -- Added TOML injection protection for all user-controlled string fields (file paths, server names, enum selects). Defense-in-depth escaping in TOML generation. XSS hardening in the query log viewer.
    Custom TOML override fix -- Custom options that override generated keys (e.g. http3 = false) no longer produce duplicate key errors. Overridden keys are stripped from the generated config before prepending the custom block.

    v1.2.0 -- Config Import/Export, UI Improvements
    Config Import -- Import a full TOML configuration from the Config tab. Paste the content directly or upload a .toml file. The import parses all settings, validates them with dnscrypt-proxy -check, maps them back to the GUI fields, and restarts the service. Useful for restoring backups or migrating between machines.
    Reset to Defaults moved from the Advanced tab to the Config tab. The Config tab is now the central place for config management: view, copy, download, import, and reset.
    What stays unchanged during import: enable/disable state, listen interfaces, list file contents (blocked names, allowed names, forwarding/cloaking rules), and custom server stamps. Unrecognized TOML keys are preserved in the Custom TOML field on the Advanced tab.

    Upgrade to latest:
        pkg-static add -f https://github.com/nopoz/pfsense-dnscrypt-proxy/releases/latest/download/pfSense-pkg-dnscrypt-proxy.pkg
    For pfSense Plus:
        pkg-static -C /dev/null add -f https://github.com/nopoz/pfsense-dnscrypt-proxy/releases/latest/download/pfSense-pkg-dnscrypt-proxy.pkg
    Your existing configuration is preserved during upgrades.
    All releases: github.com/nopoz/pfsense-dnscrypt-proxy/releases
  • ANDwatch 2.1 in pfSense 25.11-RELEASE and RAM disk

    17
    0 Votes
    17 Posts
    631 Views
    MBehr2M
    @dennypage Thanks - worked like a charm, applied and tested with a reboot. All good now. Was overthinking this and would have pasted the entire 40+ lines of code - even tho only one line changed. Yet another reason not to do what you're not sure of LOL Only difference is my Patch ID has a different hex value. I'm gathering it's because I have other patches installed and the system creates this upon install. Again, thanks
  • udpbroadcastrelay vs mcast-bridge vs mdns-bridge

    11
    0 Votes
    11 Posts
    989 Views
    luckman212L
    thanks Denny- as usual I learn something from each and every one of your posts. On this system, I didn't have NUT, andwatch, vnstat etc installed so for me mdns-bridge.sh was the only file with the .sh suffix.
  • telegraf failure due to deprecated ssl_ca parameter

    4
    1 Votes
    4 Posts
    243 Views
    kiokomanK
    @cadince I have the same problem, plus I noticed that a lot of parameters are not accepted anymore, like
        #dns_lookup = true for [[inputs.ntpq]]
        #path = ["/usr/local/share/snmp/mibs"] for [[inputs.snmp]]
        #path = "/usr/local/sbin/smartctl" for [[inputs.smart]]
    configuration specified the fields ["path"], but they were not used; this is either a typo or this config option does not exist in this version
  • Freerad eap-tls auth and wpa3 enterprise wifi 7

    3
    1
    4 Votes
    3 Posts
    132 Views
    johnpozJ
    @nimrod I didn't throw the old ones away ;) Also the reviews I have read the lites, run much cooler even with no fan.. And mine are not under "heavy" load. ;) But will keep all that in mind. In a worst case scenario I could pop up old ones. I almost never throw away working tech even older ;) I still have flexhd AP as well my son moved away from when he got fiber in and the isp ap was working fine for him. I got my old unifi gateway he was using that I had sitting around that I had gotten while waiting for my sg4860 when I had bumped up my internet speed. But great input - thanks.
  • UDP Broadcast Relay - what happened to Instance ID ??

    7
    0 Votes
    7 Posts
    198 Views
    dennypageD
    @DBMandrake said in UDP Broadcast Relay - what happened to Instance ID ??: And either of these options are better than the built in udpbroadcastrelay how exactly ? Using a local service with ptp activation generally represents a much simpler and more reliable solution. To me, relaying an unreliable packet through multiple hops/agents is rather fragile. And with UDP broadcast forwarding, the prospect of unexpected loops is always a concern. YMMV. That said, if you are comfortable with the solution you have, then by all means use it.
  • FreeRadius Log Problem

    12
    0 Votes
    12 Posts
    321 Views
    K
    @Gertjan said in FreeRadius Log Problem: Just the "Fix missing system logs from daemon facility (Redmine #16682)" Yes, only "Fix missing system logs from daemon facility (Redmine #16682)" BR, Krasimir
  • How to update to the latest Telegraf version

    11
    0 Votes
    11 Posts
    8k Views
    R
    Updated Feb 18-2026 25.11.1-RELEASE (amd64) Telegraf freebsd-16 pkg add -f https://pkg.freebsd.org/FreeBSD:16:amd64/latest/All/telegraf-1.37.2.pkg https://www.freshports.org/net-mgmt/telegraf/#history
  • Where to find Rate Limiting Setting on haProxy package GUI

    3
    2
    0 Votes
    3 Posts
    854 Views
    L
    @mikeinnyc hello how u fix this?
  • zabbix 7.4 package

    5
    0 Votes
    5 Posts
    611 Views
    keyserK
    @elamigosam2 If you are going to use active zabbix components on your pfSense, then this is a VERY good reason to stay/use the LTS version of Zabbix rather than the minor builds. This way you don't get into as much trouble with especially the proxy version problem. The agent can be one or more versions old without issues in Zabbix, but not the proxy.
  • Challenges with pfSense and Zabbix release schedule alignment

    1
    1
    0 Votes
    1 Posts
    169 Views
    No one has replied
  • Client FTP Proxy Daemon Crashing

    1
    0 Votes
    1 Posts
    88 Views
    No one has replied
  • Package manager has no package available

    10
    0 Votes
    10 Posts
    462 Views
    johnpozJ
    @pylessard great to hear, now don't wait 8 years to update again ;) 26.03 will be the next update. Here in the next few months.. Knock on wood actually in March ;) heheh That is if 3100 is still supported.. At some point it will drop off support - since it is arm based and all. Curious how your wan gateway was wrong in your current backup?
  • FREERADIUS - Filter User to login to a certain SSID

    5
    0 Votes
    5 Posts
    811 Views
    J
    I know this is old...but I am experiencing the same issue. It appears to be related to EAP (in my case PEAP). The CHECK-ITEM fails with certain characters after the Cleartext-Password. This does not happen when PEAP is not used.
  • NRPE - check_pf_ipsec_tunnel problem when using name

    1
    0 Votes
    1 Posts
    95 Views
    No one has replied
  • Problem enabling mDNS Bridge after removing Avahi

    2
    0 Votes
    2 Posts
    285 Views
    dennypageD
    @terryzb said in Problem enabling mDNS Bridge after removing Avahi: @dennypage Ran into a slight problem that I was able to solve but thought I'd report here in case others run into it. While upgrading a 2100 from 25.0.7 to 25.11, I followed best practices and first removed packages (pfBlockerNG, Avahi and a couple more). After the upgrade I installed mDNS Bridge to test the replacement for Avahi. After trying to enable it I got: "Avahi reflection must be disabled before enabling mDNS Bridge" I rebooted the 2100 but same problem. I then reinstalled the Avahi package and disabled it. Then mDNS Bridge could be enabled. I finished by removing the Avahi package again. A couple simple tests and mDNS Bridge seems to be working well mirroring an iPhone to an AppleTV. Thank you very much @dennypage for this package. Thank you for the report. Much appreciated.
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.