Package List

The following packages are available from the pfSense® software package repository.


Package availability can change over time. Check System > Package Manager > Available Packages for an always up-to-date list of packages.


The package name in the list below links to documentation for the package, if it exists.


The Automated Certificate Management Environment (ACME) package manages certificates from ACME providers such as Let’s Encrypt.

See also

ACME package


Broadcasts a who-has ARP packet on the network and prints answers.

See also

Arping Package


Monitors devices on directly attached networks and notifies when it detects new MAC addresses.


Controls all APC UPS models. It can monitor and log the current power and battery status, perform automatic shutdown, and can run in network mode to power down other hosts over the network.

aws-wizard (pfSense Plus Only)

AWS VPC VPN Connection Wizard. Automatically creates a VPN tunnel and BGP configuration to communicate with an Amazon AWS VPC.


Facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables clients to plug a laptop or computer into a network and instantly be able to view other people who they can chat with, find printers to print to or find files being shared. In addition it supports mDNS reflection across LAN segments. Compatible technology is found in Apple macOS (branded Bonjour and sometimes Zeroconf).

See also

Avahi package


Backs up and restores arbitrary files and directories.


Tracks TCP/IP network usage and creates graphs of data consumption for individual IP addresses.


Provides a GUI for BIND DNS server.


Provides a GUI for cellular cards (e.g. 3G/4G/LTE). It currently supports certain Huawei models.


Manages scheduled commands run periodically by the firewall.


A network statistics gatherer that offers bandwidth graphs for an interface, as well as traffic to/from specific IP addresses. Once installed, it appears under Diagnostics > darkstat.


Stores custom files persistently in the configuration.


A free implementation of the RADIUS protocol, used for Authentication, Authorization, and Accounting (AAA).


A GUI for the FRR routing daemon which supports BGP, OSPF, and OSPF6.

FTP Client Proxy

A basic FTP client proxy using ftp-proxy from FreeBSD.


A reliable, high performance TCP/HTTP(S) load balancer. This package implements the TCP, HTTP and HTTPS balancing features from haproxy and supports ACLs for smart backend switching. A good replacement when relayd is incapable of handling load balancing needs. Requires SSD/HDD.



The development package for HAproxy.


A tool for testing network throughput, loss, and jitter. Can act as a client or a server.

See also

iperf package

ipsec-profile-wizard (pfSense Plus Only)

Creates IPsec configuration profiles for Apple devices (iOS and macOS) and IPsec import script bundles for Windows devices.


Sends and decodes link layer advertisements.

Supports LLDP (Link Layer Discovery Protocol), CDP (Cisco Discovery Protocol), EDP (Extreme Discovery Protocol) and NDP (Nortel Discovery Protocol).


LCD display drivers and service.



The add-on packages Squid, SquidGuard and Lightsquid are deprecated in pfSense Plus and pfSense CE software due to a large number of unfixed upstream security vulnerabilities. Netgate STRONGLY recommends that users uninstall these packages. The packages will no longer function in the next major release of pfSense Plus and pfSense CE software.

A high performance web proxy reporting tool. Includes realtime proxy statistics (SQStat). Requires the Squid package. Requires SSD/HDD.


Provides support for the 802.1ab Link Layer Discovery Protocol (LLDP), as well as support for several proprietary discovery protocols including Cisco Discovery Protocol (CDP), Extreme Discovery Protocol (EDP), Foundry Discovery Protocol (FDP), and Nortel Discovery Protocol (NDP / SONMP).

Similar to LADVD but a more modern implementation.


Manages periodic e-mail reports containing command output and log file contents.


An enhanced traceroute replacement. mtr combines the functionality of the traceroute and ping programs in a single network diagnostic tool.

Netgate Firmware Upgrade (pfSense Plus Only)

Provides a mechanism to update firmware on certain Netgate hardware models. Varies by hardware and may be Coreboot, Blinkboot, or other types of firmware.


The NET-SNMP implementation of SNMP. More extensible than the built-in SNMP daemon (bsnmpd), and supports SNMPv3 authentication and TLS encryption.


A utility for network exploration and security auditing. It supports scanning to determine active hosts, many port scanning techniques to determine services offered by hosts, version detection to determine what application/service is running on a port, and TCP/IP fingerprinting to identify the OS on remote hosts. It also offers flexible target and port specification, decoy/stealth scanning, SunRPC scanning, and more.

See also

Nmap package


Prometheus exporter for machine metrics.


Maintains a list of noteworthy items for the system.


Provides a GUI for Nagios NRPE. It executes Nagios plugins on remote hosts and reports the results to the main Nagios server.

It also allows Nagios to execute plugins like check_disk, check_procs, etc. on remote hosts.


A network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user’s terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics. Requires SSD/HDD.

Network UPS Tools (NUT)

Provides support for monitoring of Uninterruptible Power Supplies. It supports UPS units attached locally via USB or serial, and remote units via the SNMP protocol, the APCUPSD protocol or the NUT protocol.

See also

Nut package


A suite of open source utilities which enhance the performance of VMware virtual machine guest operating systems and improve management of virtual machines.

OpenVPN Client Export

Generates pre-configured OpenVPN configuration files for clients, Windows Client installers with configurations bundled, and macOS Viscosity configuration bundles, among others.

OpenVPN Client Import (pfSense Plus Only)

Imports a unified OpenVPN client configuration file as exported by an OpenVPN server, allowing clients to be easily configured without creating a client instance and adding settings manually.


Utility for controlling connections through the firewall based on more general criteria than firewall rules (e.g. by country, by domain name, etc). Manages IPv4/v6 List Sources into ‘Deny, Permit or Match’ formats. GeoIP database by MaxMind Inc. (GeoLite2 Free version). De-Duplication, Suppression, and Reputation enhancements. Provision to download from diverse List formats. Advanced Integration for Proofpoint ET IQRisk IP Reputation Threat Sources. Domain Name (DNSBL) blocking via Unbound DNS Resolver.


The development version of pfBlockerNG.


A GUI for pimd, a multicast routing daemon. Primarily replaces the role of the built-in IGMP Proxy function to allow routing multicast traffic across multiple interfaces. Not a replacement for Avahi.

RRD Summary

Gives a total amount of traffic passed In/Out during this and the previous month. Set to be replaced by the Traffic totals package.

Service Watchdog

Monitors for stopped services and restarts them.


Manages boot-time commands.


A proxy for handling multiple SIP devices using a single public IP address.

See also

Siproxd package


SNMP Trap Translator for use with Net-SNMP. Easy to set up and use.


An open source network intrusion detection and prevention system (IDS/IPS) combining the benefits of signature, protocol, and anomaly-based inspection. SSD/HDD is strongly recommended.



A flow-based network traffic analyzer capable of Cisco NetFlow data export. Tracks traffic flows and reports via NetFlow to a collecting host.



The add-on packages Squid, SquidGuard and Lightsquid are deprecated in pfSense Plus and pfSense CE software due to a large number of unfixed upstream security vulnerabilities. Netgate STRONGLY recommends that users uninstall these packages. The packages will no longer function in the next major release of pfSense Plus and pfSense CE software.

A high performance web proxy cache. It combines Squid as a proxy server with its capabilities of acting as a HTTP/HTTPS reverse proxy. It includes an Exchange-Web-Access (OWA) Assistant, SSL filtering and antivirus integration via C-ICAP. SSD/HDD recommended.




The add-on packages Squid, SquidGuard and Lightsquid are deprecated in pfSense Plus and pfSense CE software due to a large number of unfixed upstream security vulnerabilities. Netgate STRONGLY recommends that users uninstall these packages. The packages will no longer function in the next major release of pfSense Plus and pfSense CE software.

A high performance web proxy URL filter. SSD/HDD recommended.

Status Traffic Totals

Calculates a total amount of traffic passed In/Out over the period of hours, days, and months. Uses vnStat for data collection. It shows up in the menu under Status > Traffic Totals.


A TLS encryption wrapper between a remote client and local or remote servers.

See also

Stunnel package


Delegates privileges to users in the shell so commands can be run as other users, such as root.

See also

Sudo Package


A high performance network IDS/IPS and security monitoring engine by OISF. SSD/HDD strongly recommended.


A modern syslog server which supports TCP and TLS encryption, among other features.


This service is not intended to replace the default syslog server on the firewall but rather acts as an independent syslog server.

System Patches

Manages custom code patches to be applied to and maintained on the system. These can be commits from GitHub, manual diffs, or loaded from URLs.


An agent written in Go for collecting, processing, aggregating, and writing metrics.


GUI for a TFTP server, using the versatile tftp-hpa daemon.


A Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet. A single tinc daemon can accept more than one connection at a time, thus making it possible to create larger virtual networks, because some limitations are circumvented. Unlike most other VPN implementations, tinc encapsulates each network packet in its own UDP packet, instead of encapsulating all into one TCP or even PPP over TCP stream. This results in lower latency, less overhead, and in general better responsiveness and throughput.

UDP Broadcast Relay

A GUI for UDP Broadcast Relay. This program listens for UDP broadcast packets and retransmits them on additional interfaces.


WireGuard is a new VPN Layer 3 protocol designed for speed and simplicity. It performs nearly as fast as hardware-accelerated IPsec and has only a small number of options in its configuration.


Zabbix Monitoring agent. The agent gathers operational information locally and reports data to Zabbix server for further processing. The agent can also generate alerts in case of failures. Available in multiple versions.


Zabbix Agent proxy. Collects performance and availability data on behalf of the Zabbix server, lowering the burden on the server. Available in multiple versions.