The pfSense package system provides the ability to extend pfSense without adding bloat and potential security vulnerabilities to the base distribution. Packages are supported on full installs, and a reduced set of packages is available on NanoBSD-based embedded installs.


NanoBSD installs have the capability of running some packages, but due to the nature of the platform and its disk writing restrictions, some packages will not work and thus are not available for installation on that platform.

To see the packages available for the firewall platform currently in use, browse to System > Packages and select the Available Packages tab.

Introduction to Packages

Many of the packages have been written by the pfSense community and not by the pfSense development team. The available packages vary quite widely, and some are more mature and well-maintained than others. There are packages which install and provide a GUI for third-party software, such as Squid, and others which extend the functionality of pfSense itself, like the OpenVPN Client Export Utility package, which automatically creates VPN configuration files.

By far the most popular package available for pfSense is the Squid Proxy Server. It is installed more than twice as often as the next most popular package: Squidguard, which is a content filter that works with Squid to control access to web resources by users. Not surprisingly, the third most popular package is Lightsquid, which is a Squid log analysis package that makes reports of the web sites which have been visited by users behind the proxy.

Some other examples of available packages (which are not Squid related) are:

  • Bandwidth monitors that show traffic by IP address, such as ntopng and Darkstat.
  • Extra services such as FreeRADIUS.
  • Proxies for other services such as SIP and FTP, and reverse proxies for HTTP or HTTPS such as HAProxy.
  • System utilities such as NUT for monitoring a UPS.
  • Popular third-party utilities such as nmap, iperf, and arping.
  • BGP Routing, OSPF routing, Cron editing, Zabbix agent, and many, many others.
  • Some items that were formerly in the base system but were moved to packages, such as RIP (routed).

As of this writing there are more than 40 different packages available; too many to cover them all in this book! The full list of packages that can be installed on a particular system is available from within any pfSense system by browsing to System > Packages.

The packages screen may take a little longer to load than other pages in the web interface. This is because the firewall fetches the package information from the pfSense package servers before the page is rendered, in order to provide the most up-to-date package information. If the firewall does not have a functional Internet connection including DNS resolution, this will fail and trigger a notification. This is usually caused by a missing or incorrect DNS server configuration. If the package information has been retrieved previously, it will be displayed from cache, but the information will be outdated. For static IP connections, verify working DNS servers are entered on the System > General Setup page. For those with dynamically assigned connections, ensure the DNS servers assigned by the ISP are functioning. The firewall sends this traffic only via its default gateway, so ensure that gateway is up or make another active WAN gateway the default.