
The Best pfSense Packages


Sam has over 10 years of experience working with pfSense firewalls and has written over 30 articles on the subject.

One of the best features of pfSense is its ability to be adapted to many different situations using packages. Using a package-based system allows the base pfSense installation to remain small and gives users the option to install only the packages they need for their environment.

In this article, you'll find a list of the best pfSense packages. Along with each package is a brief summary of what the package does and how it can help your network.

In order to install packages, you must be using the full version of pfSense. Packages are currently not supported on embedded or liveCD versions.

To learn more about pfSense and what it's capable of, check out the introduction to pfSense.

Here are the top five best packages for pfSense:

  1. Squid
  2. pfBlockerNG
  3. SquidGuard
  4. Darkstat
  5. Snort

1. Squid

Squid is by far the most popular package for pfSense. Squid is a caching proxy server that can improve the performance of your internet connection.

Squid builds a cache of commonly accessed web pages, images, or other files clients request from the internet. If a requested item is found in the cache, Squid can deliver it directly to the requesting computer instead of using your internet connection.

The Squid package can be configured to run transparently. This means that traffic on your network will be automatically routed through the proxy without having to change any configuration on the workstation.

Another benefit of installing this package is that when you combine it with LightSquid, you can view reports of the web sites visited by computers on your network.

To learn more, check out the pfSense transparent proxy guide.


2. pfBlockerNG

pfBlockerNG is the ultimate package for blocking incoming and outgoing traffic based on IP address or domain name. This package provides a wide variety of features for protecting your network from unwanted traffic, including country blocking, IP/DNS blacklisting, and IP reputation blocking.

The DNS blacklist feature allows you to add multiple external blacklists to block traffic such as advertisements, threats, and malware.

This is a great package to use if you are running a mail server on your network. By adding a spam blacklist such as Spamhaus, you can block spam before it even reaches your server.

pfBlockerNG package


3. SquidGuard

Another very useful package for pfSense is SquidGuard. SquidGuard is a high speed URL filter and redirector.

By uploading your own custom blacklist or using one of the freely available lists, you can customize which sites users on your network are allowed to access. The package can also be configured with schedules to grant access based on the time of day as well.

SquidGuard can also enforce the use of domain names, which prevents users from bypassing the blacklist by simply entering the IP address. Blocked URLs can be redirected to an external web site or an internal information page. Here is an article on how to configure SquidGuard in pfSense.
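The domain-name enforcement described above, sketched as an added Python example (not SquidGuard's code or configuration) that shows why a name-only blacklist misses requests made by IP address and what enforcement changes. The blacklist entries, redirect URL and function names are constructed for illustration.

```python
# Added illustration, not SquidGuard's code. The blacklist entries and the
# redirect URL are constructed sample values.
import ipaddress
from urllib.parse import urlsplit

BLACKLIST = {"ads.example", "games.example"}         # constructed sample list
REDIRECT = "http://filter.example.internal/blocked"  # hypothetical info page


def host_of(url):
    """Lowercase host of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_ip_literal(host):
    """True for IPv4/IPv6 literals and for integer forms such as 3405803786."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:  # many clients also accept a bare decimal or 0x-hex integer as IPv4
        int(host, 16 if host.startswith("0x") else 10)
        return True
    except ValueError:
        return False


def is_blacklisted(host, blacklist=BLACKLIST):
    """Match the host or any parent domain, on label boundaries only."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def decide(url, enforce_domain_names=True):
    """Return ("allow", None) or ("block", REDIRECT) for one request URL."""
    host = host_of(url)
    if not host or is_blacklisted(host):
        return ("block", REDIRECT)
    if is_ip_literal(host):
        # A name-only blacklist can never match an address, so without
        # enforcement the request passes even if the site is listed by name.
        return ("block", REDIRECT) if enforce_domain_names else ("allow", None)
    return ("allow", None)
```

Matching on label boundaries keeps `notgames.example` from being caught by the `games.example` entry while still covering its subdomains.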

SquidGuard URL Filter


4. Darkstat

It's important to analyze the traffic usage on your network in order to optimize performance and look for potential problems. Darkstat is a network traffic monitor that runs in the background and captures network traffic which is used to generate usage statistics for your network.

The data collected by this package can be viewed using the web interface. The easy-to-use HTML interface allows you to view the top talkers and listeners on your network. You can drill down further into the charts to see which protocols and ports are taking up most of the bandwidth on your network.

This package provides a quick way to identify traffic to either block or prioritize on your network.

Darkstat Traffic Graphs


5. Snort

Snort is a very popular open source intrusion detection and prevention system (IDS/IPS). Installing this package on pfSense allows network traffic to be analyzed to detect probes, attacks, buffer overflow attacks, port scans, and much more.

The Snort engine is based on rules which are regularly updated by the community. Snort can be configured to send an alert, block, or log the intrusion attempt automatically.

If you are concerned with the security of your network, I would highly recommend installing Snort.

Snort intrusion detection package


How to Install Packages

Installing packages in pfSense is quick and easy to do. To add or remove packages, open the package manager which can be found by clicking on the system menu in the web interface.

Click on the available packages tab to see a complete list of all packages available. When you locate the package you want to install, simply click the plus symbol on the right side of the package description.

pfSense will automatically install the package for you and create a new menu entry. Most packages create an entry in the services menu, but some will place their settings in a different category.

pfSense package manager


How to Update Packages

pfSense will automatically check to see if any updates are available for packages that you have installed. To check for updates, click on the installed packages tab from within the package manager. If an update is available for a package, the package version section will be displayed in red for the out of date package.

To automatically install the updated version of the package, click the PKG button that is displayed to the right side of the package. pfSense will then remove the outdated version and install the update for you.

The package version field will turn red when a newer version of the package is available.


Additional Packages

pfSense has many other packages besides the ones I've listed in this article. Since pfSense is open source you can also develop your own packages and submit them to be listed in the repository. Almost any normal FreeBSD package can be packaged to run in pfSense. If you are interested in learning more about package development, visit


© 2011 Sam Kear


Al B. Anonymous on February 27, 2018:

Country Blocker no longer exists. pfBlockerNG is the latest package for this.

User on November 04, 2017:

Any news about L7 Application filter in pfSense with 2.4, or use Ntopng as helper for pfSense to detect Application to catch it

Chris on May 02, 2017:

Hi SAM, I would like to know more about the right configuration/setup for Loadbalancing/redundancy in pfSense. Would appreciate How-to guide.

adamo on April 24, 2017:

ironically using pfblockerng i see several blocked ads on this page :)

Savlong Kufeler on November 04, 2016:

Good Work ol chap best eye seeen yet!

Kalvin on September 21, 2016:

Thanks buddy

alejandrocf on September 06, 2013:

very good post, clear, short and precise!!

R K SANTHOSH from Bangalore on January 05, 2012:

good..thank you