[pfSense Support] Protocol binding to different WAN connection

2005-10-16 Thread Manuj Aggarwal

Hi

I have 2 WAN connections. The first WAN is ADSL (PPPoE). The second 
connection is a high speed cable modem. I wanted to set cable modem as 
the first WAN connection - but since OPT1 does not support PPPoE I was 
forced to set it up this way.


My SMTP server and NEWS servers are available from my DSL ISP and all 
other traffic needs to be routed through my OPT1. I have taken the following 
steps to set this up:


1. I checked and saved "Enable advanced outbound NAT".
2. Set up an Any -> Any rule for the internal network to OPT1 (very similar to 
the automatic rule created for WAN1)
3. Set up a Gateway by specifying a single Gateway in the pool (my DSL 
gateway).
4. Then I set up a pass rule for ports 119 and 25 on WAN1 and 
set its gateway to the gateway set up in no. 3


After setting this up - I still cannot connect to my SMTP and NNTP 
servers via my WAN1. All traffic through OPT1 is working fine.


Any help will be much appreciated.

Thanks
Manuj


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] VPN NAT Traversal

2005-10-16 Thread stephan schneider


I forgot
Firewall -> NAT -> Outbound: "Enable IPSec passthru" is enabled - don't know
if that option has an influence on the problem




[pfSense Support] Dynamic interfaces pf

2005-10-16 Thread Eric Masson
Hello,

I've managed to install and setup ssltunnel-client on my 0.84.6 embedded
image (should I upgrade to 0.86.4, I didn't find any changelog on the
website)

Tunnel goes up, additional routes are triggered by ppp, everything's
fine 'til this point.

I can't use ppp0 tunnel as pf drops traffic, the last 2 rules of the
ruleset deny everything not explicitly allowed.

So is there a standard way to add an interface and associated rules in
the web interface or do I have to hack some file to achieve this result
?

TIA

Regards

Éric Masson

-- 
 HC> Why are the dates in the form 04 Feb and not 04 Fév, as one is
 HC> entitled to expect on a French-speaking hierarchy?
 Why are there so many lazy nitpickers on fr.*?
 -+- AT in: http://www.le-gnu.net - The dino doesn't speak neuneu -+-




Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Tommaso Di Donato
On 10/15/05, Bill Marquette [EMAIL PROTECTED] wrote: 
 Not sure I follow with the redirection part.  But if I understand
 correctly, yes we can use both ipfw and pf in conjunction for
 different tasks.  This is how our shaper code used to work - define
 the queues in PF and assign the traffic in IPFW.  Our ultimate goal is
 to get IPFW out of the core system altogether and we had done that
 until we found some nasty bugs in CP due to it (just stuff that'll
 take a little longer to work around).

Thank you for your reply.
I am trying to run p3scan on pfsense, but it needs a redirection done
with ipfw... When I am trying to add the rule, I have the following
error:

# ipfw add fwd 127.0.0.1:8110 tcp from 10.0.0.0/24 to any 110
ipfw: getsockopt(IP_FW_ADD): Invalid argument

When I am loading ipfw module, I see the following in dmesg:
ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled

Does this mean that I cannot do forwarding with this ipfw?
TIA

Tom



Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Bill Marquette
On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
 On 10/15/05, Bill Marquette [EMAIL PROTECTED] wrote:
 
  Not sure I follow with the redirection part.  But if I understand
  correctly, yes we can use both ipfw and pf in conjunction for
  different tasks.  This is how our shaper code used to work - define
  the queues in PF and assign the traffic in IPFW.  Our ultimate goal is
  to get IPFW out of the core system altogether and we had done that
  until we found some nasty bugs in CP due to it (just stuff that'll
  take a little longer to work around).

   Thank you for your reply.
  I am trying to run p3scan on pfsense, but it needs a redirection done with
 ipfw... When I am trying to add the rule, I have the following error:

  # ipfw add fwd 127.0.0.1:8110 tcp from 10.0.0.0/24 to any 110
  ipfw: getsockopt(IP_FW_ADD): Invalid argument

  When I am loading ipfw module, I see the following in dmesg:
  ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled,
 default to accept, logging disabled

  Does this mean that I cannot do forwarding with this ipfw?

Module probably isn't loaded (it's only loaded if CP is in use I
believe).  Any reason you wouldn't just create a port forward for
this?  Seems like what you want to do is forward any traffic from
10.0.0.0/24 destined to port 110 anywhere to localhost on port 8110
(transparent pop3 server? interesting).  This can be done easily in
our GUI, just use a port forward (it was renamed from Inbound NAT to
try and remind people it can be used in either direction).

--Bill




Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Tommaso Di Donato
You are very kind, in responding so fast!!

 Module probably isn't loaded (it's only loaded if CP is in use I
 believe).

Mmmh, I think it is (I loaded it by hand with kldload ipfw.ko):

# kldstat
Id Refs Address Size Name
1 4 0xc040 68cca0 kernel
2 16 0xc0a8d000 55fdc acpi.ko
3 1 0xc25e2000 c000 ipfw.ko

But I am not a FBSD guru, so I may be wrong.. Do I have to load some other module?

 Any reason you wouldn't just create a port forward for
 this?  Seems like what you want to do is forward any traffic from
 10.0.0.0/24 destined to port 110 anywhere to localhost on port 8110
 (transparent pop3 server? interesting).  This can be done easily in
 our GUI, just use a port forward (it was renamed from Inbound NAT to
 try and remind people it can be used in either direction).

Good question.. You are right, I already tried it but it does not work
with p3scan. P3scan acts as a transparent pop3 proxy, but seems to
recognize the real server IP only if I use ipfw redirection (this is
what I understood from the p3scan mailing list). I already tried with pf,
but it seems not to work..

Any idea?


Re: [pfSense Support] Dynamic interfaces pf

2005-10-16 Thread Bill Marquette
On 10/16/05, Eric Masson [EMAIL PROTECTED] wrote:
 Hello,

 I've managed to install and setup ssltunnel-client on my 0.84.6 embedded
 image (should I upgrade to 0.86.4, I didn't find any changelog on the
 website)

 Tunnel goes up, additional routes are triggered by ppp, everything's
 fine 'til this point.

 I can't use ppp0 tunnel as pf drops traffic, the last 2 rules of the
 ruleset deny everything not explicitly allowed.

 So is there a standard way to add an interface and associated rules in
 the web interface or do I have to hack some file to achieve this result
 ?

Look at how OpenVPN works.  Hint, you'll probably end up doing
something along the lines of copying those files and doing a
s/OpenVPN/ssltunnel VPN/ and changing the commands to run it to
whatever brings up your ssltunnel ppp connection.

Depending on how well this works out, we might consider it for
inclusion post 1.0.

--Bill




Re: [pfSense Support] VPN NAT Traversal

2005-10-16 Thread Bill Marquette
On 10/16/05, stephan schneider [EMAIL PROTECTED] wrote:
 Hello Folks,

 i am trying to get a (NATed) connection to an external VPN using
 the cisco vpn client. Unfortunately it just doesn't work -
 no connection. I added the port 500 (isakmp) and allowed ESP to pass
 the firewall. But I think there's more to do to get NAT-Traversal
 to work :-(

 According to
 http://kerneltrap.org/node/2948
 it is necessary to set up the rule:
 nat on $ext_if inet proto { tcp, udp } from $internal port = 500 to any
 -> ($ext_if:0) port 500

 How can this rule be set using the GUI?

This is enabled by default unless you use advanced outbound NAT.
Make sure:
Firewall -> NAT -> Outbound: "Enable IPSec passthru"
is checked.

 I am using pfsense-0.86.4.

Should be working in 0.86.4, I did introduce a bug a version or two
back that broke IPSec passthru, but I believe the fix for that made it
into 86.4 (hard to say, my boxes are usually running some Frankenstein
version).  If you send in your /tmp/rules.debug, I'd be willing to
take a quick peek and make sure the NAT rule is correct.

--Bill




Re: [pfSense Support] Protocol binding to different WAN connection

2005-10-16 Thread Bill Marquette
On 10/16/05, Manuj Aggarwal [EMAIL PROTECTED] wrote:
 Hi

 I have 2 WAN connections. The first WAN is ADSL (PPPoE). The second
 connection is a high speed cable modem. I wanted to set cable modem as
 the first WAN connection - but since OPT1 does not support PPPoE I was
 forced to set it up this way.

 My SMTP server and NEWS servers are available from my DSL ISP and all
 other traffic needs to be routed through my OPT1. I have taken the following
 steps to set this up:

 1. I checked and saved "Enable advanced outbound NAT".
 2. Set up an Any -> Any rule for the internal network to OPT1 (very similar to
 the automatic rule created for WAN1)
 3. Set up a Gateway by specifying a single Gateway in the pool (my DSL
 gateway).
 4. Then I set up a pass rule for ports 119 and 25 on WAN1 and
 set its gateway to the gateway set up in no. 3

 After setting this up - I still cannot connect to my SMTP and NNTP
 servers via my WAN1. All traffic through OPT1 is working fine.

 Any help will be much appreciated.

Heh...good timing, I just fixed this last night and needed someone to
test :)  Those fixes will be MFC'd later today and should show up in
the next release.

--Bill




Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Tommaso Di Donato

On 10/16/05, Bill Marquette [EMAIL PROTECTED] wrote:
 Got it, now I understand the problem (makes sense, I was wondering how
 it did transparent proxy w/out access to the destination IP :) ).  So
 basically, it does a state lookup on the socket connected to it and
 figures out what the original IP was based on that.

Exactly.. It is marvellous to work with you.. All you guys are so fast in understanding..

  Any idea?

 Maybe Scott will have an idea why IPFW isn't loading your ruleset.
 Other than that, waiting for the p3scan developers to fix this.  BTW,
 if there's a finite number of pop3 servers you need to access and you
 know what they are, you can run multiple instances of p3scan, one
 for each server and redirect the individual servers to specific p3scan
 instances.  Not elegant, but it might work in a crunch.

Exactly what I did.. at least for a few providers.. but it is a
very very ugly solution: I am in touch with the p3scan guys, but in the
meanwhile I would like to fix the problem using ipfw..
I hope Scott could help me with this problem..
Thank you again, very very much.

Tom



Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Tommaso Di Donato
Just a question.. I would like to ask one more thing: does "rule-based
forwarding disabled" in dmesg (ipfw2 (+ipv6) initialized, divert
loadable, rule-based forwarding disabled, default to accept, logging
disabled)
mean that the pfSense kernel is compiled without this option (IPFIREWALL_FORWARD)?


 Maybe Scott will have an idea why IPFW isn't loading your ruleset.
 Other than that, waiting for the p3scan developers to fix this.  BTW,
 if there's a finite number of pop3 servers you need to access and you
 know what they are, you can run multiple instances of p3scan, one
 for each server and redirect the individual servers to specific p3scan
 instances.  Not elegant, but it might work in a crunch.

 Exactly what I did.. at least for a few providers.. but it is a
 very very ugly solution: I am in touch with the p3scan guys, but in the
 meanwhile I would like to fix the problem using ipfw..
 I hope Scott could help me with this problem..
 Thank you again, very very much.



[pfSense Support] Newest Version ... ?

2005-10-16 Thread David Strout
Is there a newer release than 0.86.4 ... been
waiting for a mirror update to get the newest
0.86.8 or 0.87 release but haven't seen anything
newer than 0.86.4

Just looking forward to getting the
webConfigurator username update implemented.

--
David L. Strout
Engineering Systems Plus, LLC







Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Scott Ullrich
Reinstall from scratch on the latest version.   Your IPFW module is
wrong.   It should say rule based forwarding enabled.

On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
 Just a question.. I would like to ask one more thing: does "rule-based forwarding
 disabled" in dmesg (ipfw2 (+ipv6) initialized, divert loadable, rule-based
 forwarding disabled, default to accept, logging disabled)
 mean that the pfSense kernel is compiled without this option
 (IPFIREWALL_FORWARD)?



 
 
   Maybe Scott will have an idea why IPFW isn't loading your ruleset.
   Other than that, waiting for the p3scan developers to fix this.
   BTW, if there's a finite number of pop3 servers you need to access and
   you know what they are, you can run multiple instances of p3scan, one
   for each server and redirect the individual servers to specific p3scan
   instances.  Not elegant, but it might work in a crunch.
 
 
  Exactly what I did.. at least for a few providers.. but it is a very very
 ugly solution: I am in touch with the p3scan guys, but in the meanwhile I would
 like to fix the problem using ipfw..
  I hope Scott could help me with this problem..
  Thank you again, very very much.
 






Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Tommaso Di Donato
Thank you very very much!! (I forgot to mention I am developing on version 0.84...)
Thanks again!

On 10/16/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 Reinstall from scratch on the latest version.   Your IPFW module is
 wrong.   It should say rule based forwarding enabled.

 On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
  Just a question.. I would like to ask one more thing: does "rule-based
  forwarding disabled" in dmesg (ipfw2 (+ipv6) initialized, divert loadable,
  rule-based forwarding disabled, default to accept, logging disabled)
  mean that the pfSense kernel is compiled without this option (IPFIREWALL_FORWARD)?

   Maybe Scott will have an idea why IPFW isn't loading your ruleset.
   Other than that, waiting for the p3scan developers to fix this.
   BTW, if there's a finite number of pop3 servers you need to access and
   you know what they are, you can run multiple instances of p3scan, one
   for each server and redirect the individual servers to specific p3scan
   instances.  Not elegant, but it might work in a crunch.

  Exactly what I did.. at least for a few providers.. but it is a very very
  ugly solution: I am in touch with the p3scan guys, but in the meanwhile I would
  like to fix the problem using ipfw..
  I hope Scott could help me with this problem..
  Thank you again, very very much.


Re: [pfSense Support] Hang after few hours

2005-10-16 Thread Scott Ullrich
Generally when this happens its FreeBSD and hardware issues.   Make
sure you have plug and play turned off in the bios and try to allocate
the IRQ's manually to make sure that there is no sharing going on.  
This is really good hardware so I would think that if you play around
in the BIOS some you may be able to prevent the lockups.

Scott

On 10/16/05, Michał Depa [EMAIL PROTECTED] wrote:
 Hi,

 I've set up few pfsenses and I have problem with one of them.

 Installation of version 0.86.4 went without any problems, system boots
 properly, works fine (right now it's serving 3 clients connected to OPT1
 interface) but after few hours (2-5h) it just hangs. I can't access
 pfsense via network and when I go to the console I can't enter any
 character. All I can do is to press reset on the box. After reset system
 works fine for another few hours and then hangs again.

 Here is my hardware:
 CPU: AMD Athlon 2500+
 MB: Asus A7N8X Deluxe
 RAM: 2x256DDR TwinMOS
 Graphic card: something on PCI
 HDD: PATA Seagate 6,4 GB (also tried SATA WD 120GB)
 LAN: 3Com 3c2000 1Gbit (in PCI slot)
 WAN: 3Com 3c920 100Mbit (integrated on mainboard)
 OPT1: nVidia ethernet 100Mbit (integrated on mainboard)

 pfsense config is pretty standard:
 system installed on HDD
 NAT for LAN & OPT1
 Magic Traffic Wizard enabled
 No DHCP
 WAN - static IP address
 no additional packages installed
 defaults for the rest

 Please help

 Michal





[pfSense Support] DNS Settings for dual WAN setup

2005-10-16 Thread Manuj Aggarwal

Hi

Since my last email about trying to set up a dual WAN setup - I have 
found that there is a problem with how pfSense configures DNS settings. It 
uses WAN1's DNS settings as the global DNS settings for the whole system. My 
ISPs do not support DNS queries from another network. So when a request 
which is supposed to go out via WAN2 is sent out - it tries to use the 
DNS server of WAN1, which obviously is blocked and which causes the whole 
request to fail.


Any idea whether there is a work around for that other than hosting your 
own DNS?


Thanks
Manuj




Re: [pfSense Support] Hang after few hours

2005-10-16 Thread johan . forsstrom
I was just going to ask if you run on an nVidia chipset mobo (then I saw the 
integrated LAN).

I had some weird problems with almost the same setup; right now I am running
on an old P3 setup instead...

// Johan





On 2005-10-16 18:49, Scott Ullrich [EMAIL PROTECTED] wrote:


Generally when this happens its FreeBSD and hardware issues.   Make
sure you have plug and play turned off in the bios and try to allocate
the IRQ's manually to make sure that there is no sharing going on. 
This is really good hardware so I would think that if you play around
in the BIOS some you may be able to prevent the lockups.

Scott

On 10/16/05, Michał Depa [EMAIL PROTECTED] wrote:
 Hi,

 I've set up few pfsenses and I have problem with one of them.

 Installation of version 0.86.4 went without any problems, system boots
 properly, works fine (right now it's serving 3 clients connected to OPT1
 interface) but after few hours (2-5h) it just hangs. I can't access
 pfsense via network and when I go to the console I can't enter any
 character. All I can do is to press reset on the box. After reset system
 works fine for another few hours and then hangs again.

 Here is my hardware:
 CPU: AMD Athlon 2500+
 MB: Asus A7N8X Deluxe
 RAM: 2x256DDR TwinMOS
 Graphic card: something on PCI
 HDD: PATA Seagate 6,4 GB (also tried SATA WD 120GB)
 LAN: 3Com 3c2000 1Gbit (in PCI slot)
 WAN: 3Com 3c920 100Mbit (integrated on mainboard)
 OPT1: nVidia ethernet 100Mbit (integrated on mainboard)

 pfsense config is pretty standard:
 system installed on HDD
 NAT for LAN & OPT1
 Magic Traffic Wizard enabled
 No DHCP
 WAN - static IP address
 no additional packages installed
 defaults for the rest

 Please help

 Michal









Re: [pfSense Support] Incoming connections?

2005-10-16 Thread Bill Marquette
I just answered this in the FAQ, but it needs to be approved still :) 
Short answer is, you want to do a Port Forward for this.

--Bill

On 10/16/05, Manuj Aggarwal [EMAIL PROTECTED] wrote:
 Hi

 I want to run a webserver behind PFSense.
 Is there a way to allow incoming connections for a certain PC on my
 network? e.g all incoming requests on port 80 should be served by PC
 with IP 10.0.0.155

 Thanks
 Manuj









Re: [pfSense Support] Incoming connections?

2005-10-16 Thread Bill Marquette
OK, the entry is approved now.

http://faq.pfsense.org/index.php?action=artikel&cat=10&id=53&artlang=en

--Bill

On 10/16/05, Bill Marquette [EMAIL PROTECTED] wrote:
 I just answered this in the FAQ, but it needs to be approved still :)
 Short answer is, you want to do a Port Forward for this.

 --Bill

 On 10/16/05, Manuj Aggarwal [EMAIL PROTECTED] wrote:
  Hi
 
  I want to run a webserver behind PFSense.
  Is there a way to allow incoming connections for a certain PC on my
  network? e.g all incoming requests on port 80 should be served by PC
  with IP 10.0.0.155
 
  Thanks
  Manuj
 
 
 
 
 






Re: [pfSense Support] DNS Settings for dual WAN setup

2005-10-16 Thread Scott Ullrich
Use the built in DNS forwarder.  This will force it to use the upstream DNS.

Scott


On 10/16/05, Manuj Aggarwal [EMAIL PROTECTED] wrote:
 Hi

 Since my last email about trying to setup a dual WAN setup - I have
 found that there is a problem how PFSense configures DNS settings. It
 uses WAN1s DNS settings as global DNS settings for the whole system. My
 ISPs do not support DNS queries from another network. So when a request
 which is supposed to go out via WAN2 is sent out - it tries to use the
 DNS server of WAN1 which obviously is blocked and which causes the whole
 request to fail.

 Any idea whether there is a work around for that other than hosting your
 own DNS?

 Thanks
 Manuj







Re: [pfSense Support] squid

2005-10-16 Thread johan . forsstrom
I am kinda bad at the squid conf... what line did you remove?

regards // Johan





On 2005-10-15 11:26, Szasz Revai Endre [EMAIL PROTECTED] wrote:


It seems to be working now, though I did have to edit the
configuration manually, cause there is an ACL line which overlaps with
the already configured local subnet, maybe just for me..

On 10/15/05, Vinc Duran [EMAIL PROTECTED] wrote:
 I'm curious about this too. The entry in Packages still indicates it's 
broken.
 Thanks








Re: [pfSense Support] Hang after few hours

2005-10-16 Thread Michael Lednev
Hello, Michał.

On 16 October 2005, 18:26:38 you wrote:

MD Here is my hardware:
MD CPU: AMD Athlon 2500+
MD MB: Asus A7N8X Deluxe
MD RAM: 2x256DDR TwinMOS
MD Graphic card: something on PCI
MD HDD: PATA Seagate 6,4 GB (also tried SATA WD 120GB)
MD LAN: 3Com 3c2000 1Gbit (in PCI slot)
MD WAN: 3Com 3c920 100Mbit (integrated on mainboard)
MD OPT1: nVidia ethernet 100Mbit (integrated on mainboard)

FreeBSD on nVidia-based boards behaves very unstably, so I think you
had better replace your mobo with something VIA-based (or even Intel ;)

-- 
Best regards,
 Michael  mailto:[EMAIL PROTECTED]





Re: [pfSense Support] DNS Settings for dual WAN setup

2005-10-16 Thread Manuj Aggarwal

I did enable it - but it did not make a difference.

When I set the DNS to 4.2.2.2 and uncheck "Allow DNS server list to 
be overridden by DHCP/PPP on WAN" it works fine.


Any ideas?

Scott Ullrich wrote:

Use the built in DNS forwarder.  This will force it to use the upstream DNS.

Scott


On 10/16/05, Manuj Aggarwal [EMAIL PROTECTED] wrote:
  

Hi

Since my last email about trying to setup a dual WAN setup - I have
found that there is a problem how PFSense configures DNS settings. It
uses WAN1s DNS settings as global DNS settings for the whole system. My
ISPs do not support DNS queries from another network. So when a request
which is supposed to go out via WAN2 is sent out - it tries to use the
DNS server of WAN1 which obviously is blocked and which causes the whole
request to fail.

Any idea whether there is a work around for that other than hosting your
own DNS?

Thanks
Manuj







  






Re: [pfSense Support] DNS Settings for dual WAN setup

2005-10-16 Thread Scott Ullrich
Make sure all the clients are pointed to the DNS Forwarder.  If the
correct DNS servers are entered in each firewall then it should query
upstream properly.

On 10/16/05, Manuj Aggarwal [EMAIL PROTECTED] wrote:
 I did enable it - but it did not make a difference.

 When I set the DNS to 4.2.2.2 and uncheck the Allow DNS server list to
 be overridden by DHCP/PPP on WAN it works fine.

 Any ideas?

 Scott Ullrich wrote:
  Use the built in DNS forwarder.  This will force it to use the upstream DNS.
 
  Scott
 
 
  On 10/16/05, Manuj Aggarwal [EMAIL PROTECTED] wrote:
 
  Hi
 
  Since my last email about trying to setup a dual WAN setup - I have
  found that there is a problem how PFSense configures DNS settings. It
  uses WAN1s DNS settings as global DNS settings for the whole system. My
  ISPs do not support DNS queries from another network. So when a request
  which is supposed to go out via WAN2 is sent out - it tries to use the
  DNS server of WAN1 which obviously is blocked and which causes the whole
  request to fail.
 
  Any idea whether there is a work around for that other than hosting your
  own DNS?
 
  Thanks
  Manuj
 
 
 
 
 
 
 








[pfSense Support] Enable GRE 47 protocol?

2005-10-16 Thread Manuj Aggarwal
I enabled a new rule to route all port 1723 traffic from my OPT1 
interface (for PPTP clients). But when I try to connect to my VPN server 
at work - it comes back with an error stating I should enable GRE 47 
protocol on the firewall. How do I do this?


Pardon me for so many emails - but I am so close to setting this thing up.

Thanks
Manuj




[pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-10-16 Thread stephan schneider

 i am trying to get a (NATed) connection to an external VPN using
  the cisco vpn client. Unfortunately it just doesn't work -
  no connection. I added the port 500 (isakmp) and allowed ESP to pass
  the firewall. But I think there's more to do to get NAT-Traversal
  to work  :-(

Got the solution.

In the vpn client connection configuration you have to choose
IPSec over TCP and of course Enable Transparent Tunnel.


No custom rules, no IPSec passthru (that's a different approach),
no custom nat rules (only the default: nat all lan) are needed.


Thanks Bill!
Have a nice day.
Stefan.




Re: [pfSense Support] Dynamic interfaces pf

2005-10-16 Thread Eric Masson
Bill Marquette [EMAIL PROTECTED] writes:

Hi Bill,

 Look at how OpenVPN works.  Hint, you'll probably end up doing
 something along the lines of copying those files and doing a
 s/OpenVPN/ssltunnel VPN/ and changing the commands to run it to
 whatever brings up your ssltunnel ppp connection.

Well, it seems to be disabled in the embedded image.

There are files regarding OpenVPN in the embedded image, but it would be
easier to understand how they work if OpenVPN was enabled (I'm really
not a php guru :/).

Regards

Éric Masson

-- 
 Breathalyser: YES, but also for the creation of the 2 other dumbasses,
 Explain to me, why do you want to create two other dumbasses?
 Do you feel lonely?
 -+- FF in Guide du Neuneu sur Usenet - Two make an odd pair -+-




[pfSense Support] Packages on WRAP

2005-10-16 Thread John Cianfarani

After installing a bunch of packages on the wrap (got my
nagios-plugins/nrpe to work)

I noticed that it doesn't keep a record of installed packages
in /var/db/pkg like it does on the pc.

I'm guessing this is because /var/db/pkg gets mounted
on /dev/md0

# df /var/db/pkg
Filesystem 1K-blocks  Used Avail Capacity Mounted on
/dev/md0       15598   156 14196       1% /tmp

Not sure if this is something you care about since you
really don't want packages installed on the wrap or not.

Side question

Now if I wanted to make the nagios nrpe (remote plugin
executor) config editable via pfsense gui and saved and such how do I go about
that?

Thanks

John


Re: [pfSense Support] IPSec tunnel and Remote Desktop

2005-10-16 Thread Chris Buechler

Scott Ullrich wrote:

 I access SQL, RDP and many other items through my ipsec tunnel and I
 never change the MTU on the client.   That's a bad idea.   The
 solution is to find out why the packets are getting frag'd.   Active
 directory traffic does not work across my IPSEC tunnel but RDP and
 friends surely do.   I would say there is something else causing the
 fragmentation.



I'm coming a bit late into this one, but it still seems to be outstanding. 

Fragmentation isn't the issue at all.  Modern OSes use PMTUD to discover
the largest MTU of the path, if it's less than their MTU.  Racoon (or
FreeBSD, more likely) breaks PMTUD with IPsec because it doesn't take
the IPsec overhead into account.  So packets end up larger than the 1500
or 1492 MTU on the WAN and just disappear.  What should happen at that
point is pfsense should send back a "frag needed, DF bit set" message,
which causes the host to retry with a smaller MSS.  Some commercial
VPNs (Cisco client in particular) will avoid this altogether because it
can be easier that way, by automatically fragmenting packets that are
too big.  That's with the Cisco client VPN; their site to site VPN takes
IPsec overhead on PMTU into account appropriately.

OSes with PMTUD enabled by default (virtually everything in use today)
won't fragment packets; they'll set the DF bit on everything, expecting
the "frag needed, DF bit set" reply part of PMTUD to work.  ICMP is an
exception to this, generally, in situations like with MS AD where it
needs a 2000 byte ICMP echo request and reply to determine link speed
(which is ridiculous, but regardless...).  DF is generally not set by
default on ICMP (at least on Windows).

While this doesn't always happen, and doesn't happen to everyone, it's
most definitely an issue.  Lowering the client MTU is the only way to
resolve it at this point.  I don't know what the cause is, but it's an
issue as described above with both m0n0wall and pfsense.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
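
The PMTUD failure described in the post above, modelled as an added example (not code from the thread, racoon or pfSense). The ESP parameters (AES-CBC with 16-byte IV and block, 12-byte ICV, optional NAT-T UDP header) and the two gateway behaviours are assumptions made for the illustration:

```python
# Added example (not from the thread or pfSense): ESP tunnel-mode sizing and a
# PMTUD host talking through a gateway that does or does not account for it.
IP_HDR, ESP_HDR, UDP_HDR, TCP_HDR = 20, 8, 8, 20

def esp_tunnel_size(inner_len, iv=16, block=16, icv=12, nat_t=False):
    """Bytes on the wire for an inner IP packet after ESP tunnel-mode
    encapsulation. Assumed SA: AES-CBC (16-byte IV/block), 96-bit ICV."""
    pad = (-(inner_len + 2)) % block      # pad so payload + 2-byte trailer fills whole blocks
    enc = inner_len + pad + 2             # trailer = pad length + next header
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + enc + icv

def largest_inner(wan_mtu, **esp):
    """Largest inner packet whose encapsulated form still fits the WAN MTU.
    This is the value a correct 'frag needed' reply should carry."""
    size = wan_mtu
    while esp_tunnel_size(size, **esp) > wan_mtu:
        size -= 1
    return size

def gateway_forward(inner_len, wan_mtu, df, accounts_for_overhead, **esp):
    """Tunnel endpoint behaviour: 'sent', 'fragmented', 'frag-needed:<mtu>'
    or 'dropped' (the silent black hole described in the thread)."""
    if esp_tunnel_size(inner_len, **esp) <= wan_mtu:
        return "sent"
    if not df:
        return "fragmented"
    if accounts_for_overhead:
        return "frag-needed:%d" % largest_inner(wan_mtu, **esp)
    return "dropped"

def pmtud_session(client_mtu, wan_mtu, accounts_for_overhead, max_tries=5, **esp):
    """A PMTUD host sends full-MTU packets with DF set and shrinks on
    'frag needed'. Returns (outcome, final inner packet size)."""
    size = client_mtu
    for _ in range(max_tries):
        result = gateway_forward(size, wan_mtu, True, accounts_for_overhead, **esp)
        if result == "sent":
            return ("ok", size)
        if result.startswith("frag-needed:"):
            size = int(result.split(":")[1])
            continue
        return ("blackhole", size)      # DF packet vanished, no ICMP came back
    return ("gave-up", size)

def tcp_mss(inner_mtu):
    """TCP MSS a host derives from a discovered path MTU (no IP/TCP options)."""
    return inner_mtu - IP_HDR - TCP_HDR
```

With a 1500-byte WAN, pmtud_session(1500, 1500, True) converges on an inner size of 1438 (MSS 1398), while the same call with accounts_for_overhead=False ends in a black hole. pmtud_session(1400, 1500, False) shows why lowering the client MTU sidesteps the problem.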



Re: [pfSense Support] Dynamic interfaces pf

2005-10-16 Thread Bill Marquette
On 10/16/05, Eric Masson [EMAIL PROTECTED] wrote:
 Bill Marquette [EMAIL PROTECTED] writes:

 Hi Bill,

  Look at how OpenVPN works.  Hint, you'll probably end up doing
  something along the lines of copying those files and doing a
  s/OpenVPN/ssltunnel VPN/ and changing the commands to run it to
  whatever brings up your ssltunnel ppp connection.

 Well, It seems to be disabled in the embedded image.

 There are files regarding OpenVPN in the embedded image, but it would be
 easier to understand how they work if OpenVPN was enabled (I'm really
 not a php guru :/).

http://cvstrac.pfsense.com/chngview?cn=5922
Enable the developer tag in system.

--Bill




Re: [pfSense Support] Packages on WRAP

2005-10-16 Thread Bill Plein

On 10/16/05, John Cianfarani [EMAIL PROTECTED] wrote:


Not sure if this is something you care about since you really don't want packages installed on the wrap or not.


I haven't voiced this opinion yet, but this is an opportune moment.

Due to the relatively inexpensive prices, I was considering using a 4GB Minidisk on my Wrap platform. Due to the real disk vs. CompactFlash, the issue of limited writes goes away (CompactFlash can only accept so many writes over its lifetime). It may not be fast, but it would be acceptable.


If I go this route, I will attempt to install a full (LiveCD) version versus the Embedded version, in order to enable packages and more easily take advantage of the larger disk.

--Bill Plein


[pfSense Support] When will RC1 be released

2005-10-16 Thread Chris May
I was wondering when RC1 will be released; nothing above 66.4 has been
posted on the servers, yet they are already at 67 and RC1.

When will those be available on mirrors?
Thx,
Dwabraxus




Re: [pfSense Support] When will RC1 be released

2005-10-16 Thread Bill Marquette
We're at .86.4 (which is on mirrors).  There should be a .87 in the
next day or two after it's had a final chance at testing by the devs. 
RC1, not sure where you heard we were there yet :)  The fact that the
tree has been tagged for version 1 means that we're just about ready
for beta.

--Bill

On 10/16/05, Chris May [EMAIL PROTECTED] wrote:
 I was wondering when RC1 will be released; nothing above 66.4 has been
 posted on the servers, yet they are already at 67 and RC1.
 When will those be available on mirrors?
 Thx,
 Dwabraxus








Re: [pfSense Support] When will RC1 be released

2005-10-16 Thread Chris May

Bill Marquette wrote:

 We're at .86.4 (which is on mirrors).  There should be a .87 in the
 next day or two after it's had a final chance at testing by the devs.
 RC1, not sure where you heard we were there yet :)  The fact that the
 tree has been tagged for version 1 means that we're just about ready
 for beta.

 --Bill

 On 10/16/05, Chris May [EMAIL PROTECTED] wrote:

  I was wondering when RC1 will be released; nothing above 66.4 has been
  posted on the servers, yet they are already at 67 and RC1.
  When will those be available on mirrors?
  Thx,
  Dwabraxus

ok. THX
-dwabraxus
