pfSense Package Management - Install and Update
The pfSense package manager provides a centralized interface for installing, updating, and removing additional system components. All operations are performed through the web interface at System > Package Manager, which communicates with the official Netgate repository. Packages extend firewall functionality without requiring modifications to the base system - each package receives its own configuration page in the web interface upon installation and is managed as a standard pfSense service.
Accessing the Package Manager
The package manager is located at System > Package Manager and contains two primary tabs:
| Tab | Purpose |
|---|---|
| Installed Packages | List of installed packages with version information and available updates |
| Available Packages | Catalog of all available packages from the official repository |
The Available Packages tab displays packages in alphabetical order with name, current version, and brief description. The search field at the top of the page allows locating packages by name or keywords.
Installing Packages
To install a new package:
- Navigate to System > Package Manager > Available Packages
- Locate the desired package using search or scrolling
- Click the Install button next to the package
- Confirm the installation in the dialog box
After confirmation, pfSense downloads the package and its dependencies from the repository, performs the installation, and displays progress in real time. Upon completion, a new menu entry for the package configuration appears in the web interface.
Warning:
pfSense requires access to DNS servers and internet connectivity through the WAN interface for package downloads. Installation will fail if DNS resolution or routing to the repository is unavailable.
Package Dependencies
Some packages require additional libraries or components to function. The package manager automatically resolves dependencies and installs all necessary components alongside the primary package. Dependencies are marked with a dedicated icon in the manager interface.
When removing a package, dependencies not used by other packages are removed automatically. However, if a dependency is shared among multiple packages, it is retained until the last dependent package is removed.
Updating Packages
Update availability is checked on the Installed Packages tab. When a newer version is available for an installed package, update information appears alongside the current version number.
To update a package:
- Navigate to System > Package Manager > Installed Packages
- Locate the package with an available update
- Click the update icon (double arrows)
- Confirm the update
Reinstalling a Package
When experiencing issues with a package, reinstallation without changing the version may be necessary. The reinstall icon next to the package on the Installed Packages tab performs this operation. Reinstallation preserves the current package configuration.
Packages During System Upgrades
When upgrading pfSense to a new version, all installed packages are reinstalled automatically. However, not all packages may be compatible with the new system version at the time of upgrade. Check package compatibility before upgrading pfSense and prepare for temporary unavailability of certain packages.
Removing Packages
To remove a package:
- Navigate to System > Package Manager > Installed Packages
- Click the remove icon (trash can) next to the package
- Confirm removal
Package removal deletes its configuration from the system. Before removal, creating a backup through Diagnostics > Backup & Restore is recommended in case settings need to be restored.
Warning:
Package removal irreversibly deletes its configuration. If the package is reinstalled later, configuration must be performed from scratch. Save a backup before removing.
Available Package Categories
The official pfSense repository contains over 60 packages organized by purpose:
Security and Threat Detection
| Package | Description |
|---|---|
| Suricata | Intrusion detection and prevention system (IDS/IPS) |
| Snort | Signature-based IDS/IPS alternative |
| pfBlockerNG | IP address and DNS request blocking using threat lists |
| ClamAV | Antivirus scanner for proxied traffic |
Proxies and Load Balancing
| Package | Description |
|---|---|
| HAProxy | Reverse proxy and load balancer for TCP/HTTP |
| Squid | Caching proxy server for HTTP/HTTPS |
| Lightsquid | Squid proxy log analyzer |
VPN and Remote Access
| Package | Description |
|---|---|
| WireGuard | Modern VPN protocol with minimal overhead |
| Tinc | Mesh VPN for building distributed networks |
| FreeRADIUS | RADIUS authentication server for VPN and Wi-Fi |
Network Services
| Package | Description |
|---|---|
| BIND | Full-featured DNS server (Unbound alternative) |
| FRR | Dynamic routing suite (BGP, OSPF, IS-IS) |
| NUT | Uninterruptible power supply monitoring |
Monitoring and Diagnostics
| Package | Description |
|---|---|
| ntopng | Network traffic analyzer with web interface |
| Darkstat | Lightweight network traffic monitor |
| iperf | Network bandwidth testing tool |
| nmap | Network scanner and security auditing tool |
Command-Line Package Management
When the web interface is unavailable, package operations can be performed from the command line (SSH or console).
Listing Installed Packages
pkg info | grep pfSense-pkgReinstalling a Package
pkg install -f pfSense-pkg-<package_name>Upgrading All Packages
pkg upgradeWarning:
Command-line package management should only be used when the web interface is inaccessible. The
pkgcommand does not perform pfSense-specific integration steps for the web interface, which may result in an inconsistent system state.
Backing Up Package Configuration
Configuration for all installed packages is stored in the main pfSense configuration file (/cf/conf/config.xml). When creating a backup through Diagnostics > Backup & Restore, package settings are included automatically.
When restoring configuration to a clean pfSense installation:
- Restore the configuration through Diagnostics > Backup & Restore
- Navigate to System > Package Manager > Installed Packages
- Reinstall all previously installed packages - pfSense will restore their configuration from the backup
AutoConfigBackup
For automatic configuration backup (including package settings), the built-in AutoConfigBackup feature (Services > Auto Config Backup) provides continuous protection. The service automatically saves the configuration on every change and maintains a version history.
Troubleshooting
Package Fails to Install
- Verify DNS availability - Diagnostics > DNS Lookup, enter
pkg.pfsense.org - Verify internet routing - Diagnostics > Ping, target
8.8.8.8 - Confirm that WAN firewall rules do not block outbound traffic
- Check available disk space - Diagnostics > Command Prompt, run
df -h - Review system logs: Status > System Logs > System > General
Dependency Errors
When dependency errors occur, refresh the package database:
- Navigate to Diagnostics > Command Prompt
- Execute
pkg update -f - Retry the package installation
Package Installed but Not Visible in Menu
- Clear the browser cache and reload the page
- Reinstall the package through System > Package Manager > Installed Packages
- If the issue persists, reboot pfSense through Diagnostics > Reboot
Corrupted Package Database
For severe package manager issues, database recovery may be required:
pkg-static clean -ay
pkg-static install -fy pkg
pkg-static update -fAfter executing these commands, reboot pfSense and retry package installation.
Repository Access Issues
When encountering repository errors, verify:
- DNS configuration at System > General Setup > DNS Servers
- Default gateway presence at System > Routing > Gateways
- No blocking rules for outbound HTTPS traffic (port 443)
- VPN tunnel status if pfSense connects to the internet through a VPN
Package Management Best Practices
Minimize Package Count
Each installed package increases resource consumption and expands the attack surface. Install only the packages genuinely required for the current deployment. Periodically review the installed package list and remove unused ones.
Plan Updates
Package updates may temporarily interrupt service operation. Schedule updates during periods of minimal load and create a configuration backup beforehand. After updating, verify the functionality of each updated package.
Version Compatibility
When upgrading pfSense to a new major version, not all packages may be immediately available in the updated repository. Review the release notes and verify compatibility of critical packages before upgrading the system.
Status Monitoring
Regularly check the Installed Packages tab for available updates. Package updates frequently contain security fixes and performance improvements.
Related Sections
- Suricata IDS/IPS - installing and configuring the intrusion detection system
- pfBlockerNG - IP address and DNS request blocking
- HAProxy - reverse proxy and load balancing
- pfSense Backup and Restore - complete backup and restoration guide