[pfSense Support] site-to-site vpn nat traversal
Hi list,

This is probably a dumb question, but I'm a little confused about this whole NAT traversal problem, so here goes. My setup is like this: one pfSense on a public IP address and one behind a NAT device which only has one public IP address.

pfsense - Internet -- NAT device - pfsense

Is it possible to create an IPsec VPN tunnel between the two pfSense firewalls? If so, what do I specifically need to configure?

Thank you very much.

Kind Regards,
Anders

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] site-to-site vpn nat traversal
The NAT device has to support IPsec pass-through and should be able to forward IPsec traffic to the pfSense behind it. The pfSense behind the NAT has to use the public IP address of the NAT device as its identifier, as the connection appears to originate from that IP at the other end. All other settings should be the same as for a non-NATted site-to-site IPsec. If the connection fails, check your system logs to see whether traffic is passing the device correctly or whether something is dropped somewhere.

Good luck,
Holger

-----Original Message-----
From: Anders D. Hansen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 24 January 2006 12:32
To: support@pfsense.com
Subject: [pfSense Support] site-to-site vpn nat traversal

> My setup is like this: one pfSense on a public IP address and one behind a NAT device which only has one public IP address.
>
> Is it possible to create an IPsec VPN tunnel between the two pfSense firewalls? If so, what do I specifically need to configure?
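To make the identifier point concrete, here is an added illustration (not from Holger's post and not pfSense's own generated configuration) of the `remote` blocks for racoon, the IKE daemon pfSense used at the time; it assumes the public-side pfSense is 203.0.113.1, the NAT device's public address is 198.51.100.1, and the NATed pfSense has WAN address 192.168.1.2 behind it (documentation ranges, constructed for the example).

```conf
# --- Public-side pfSense (203.0.113.1) -------------------------------------
# The peer's identity is the NAT device's public IP, not the NATed box's
# private address: packets from the far side arrive from 198.51.100.1.
remote 198.51.100.1 {
        exchange_mode main;
        my_identifier address 203.0.113.1;
        peers_identifier address 198.51.100.1;   # what the NATed side must send
        nat_traversal on;                        # UDP-encapsulate ESP if NAT is detected
        proposal_check obey;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# --- NATed pfSense (WAN 192.168.1.2 behind NAT 198.51.100.1) ---------------
# Identify as the NAT device's public IP, because that is the source address
# the other end sees. Using 192.168.1.2 here makes phase 1 fail with an
# identifier mismatch at the public side.
remote 203.0.113.1 {
        exchange_mode main;
        my_identifier address 198.51.100.1;      # NOT 192.168.1.2
        peers_identifier address 203.0.113.1;
        nat_traversal on;
        proposal_check obey;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# On the NAT device itself (assumed, not pfSense config): forward UDP 500 (IKE),
# UDP 4500 (NAT-T) and IP protocol 50 (ESP) to 192.168.1.2, so that the
# "IPsec pass-through" Holger mentions actually reaches the NATed pfSense.
```

If phase 1 never completes, the public side's IPsec log will show which identity the NATed peer presented, which is the first thing to compare against `peers_identifier`.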
Re: [pfSense Support] Bridging question
At 12:11 AM 1/24/2006, you wrote:
> Our new code in head allows a bridge group to receive an IP and will remedy this. 1.0 is not even out and 1.1 is much more fancy. Go figure ;)

Not complaining. I'm just puzzled it works on pfSense and not my sitch. Oh well...

> Scott
>
> On 1/23/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> > At 07:32 PM 1/23/2006, you wrote:
> > > I've never really tried doing bridging with FreeBSD, but with Linux that's how bridging is done. For every interface you want to add to the bridge, you set its IP address to 0.0.0.0. Then, you set the IP address of the bridge interface and that becomes the bridged IP address for all the interfaces in the bridge.
> >
> > What is odd is that I was looking at how pfSense uses if_bridge, and they don't set the IP on the bridge interface. Color me puzzled...
Re: [pfSense Support] Bridging question
On 1/24/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> Not complaining. I'm just puzzled it works on pfSense and not my sitch. Oh well...

We use if_bridge in pfSense. Is that what you are using?
Re: [pfSense Support] Bridging question
Yes, Andrew is investigating this problem. We are seeing some similar issues as well.

On 1/24/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> At 09:54 AM 1/24/2006, you wrote:
> > We use if_bridge in pfSense. Is that what you are using?
>
> Yes. That's why I'm so puzzled. It did NOT work on FreeBSD 6.0 until I moved the IP address from fxp0 to bridge0. Dunno why not :(
[pfSense Support] Re: PCIe NIC support for pfSense - recommended NICs
We are using Dell PE 850s as well. The add-on PCIe Intel NICs that Dell offers (or at least did when we bought ours) work fine.

Lynn

[EMAIL PROTECTED] wrote:
> Hello all,
>
> We have just bought a couple of Dell 850 servers to use as pfSense firewalls. Unfortunately I didn't check too well and have found that the servers only have PCIe slots. I can't find specific info to say that pfSense supports PCIe, although I have found another mail on a FreeBSD site that said:
>
> > We use Intel's dual port gigabit PCIe adapters in Dell servers with FreeBSD 6 without any problem. They are supported by the em driver.
>
> What I actually need is 4 extra network ports in each server, so either 2x dual-port NICs or 1x quad-port NIC in each server. Can anyone recommend cheap dual or quad port PCIe NICs that are compatible with pfSense?
>
> Cheers for your help,
> Simon.
Re: [pfSense Support] Bridging question
At 09:58 AM 1/24/2006, you wrote:
> Yes, Andrew is investigating this problem. We are seeing some similar issues as well.

Boy, that's a relief. I was noticing that when the wifi card was on my pfSense box and bridging was on, the ftp proxy broke. Possibly other weird stuff...
Re: [pfSense Support] Bridging question
I also have problems with AppleTalk (EtherTalk) packets on an ath - sis bridge.

On 24.01.2006 at 16:47, Dan Swartzendruber wrote:
> At 09:58 AM 1/24/2006, you wrote:
> > Yes, Andrew is investigating this problem. We are seeing some similar issues as well.
>
> Boy, that's a relief. I was noticing that when the wifi card was on my pfSense box and bridging was on, the ftp proxy broke. Possibly other weird stuff...

--
kommunity GmbH Co.KG
Tom Müller-Kortkamp
Netzwerke Internet
Goseriede 4
D-30159 Hannover
Phone +49 (0)5 11 - 80 72 58 0
Fax +49 (0)5 11 - 80 72 58 10
http://www.kommunity.net
Re: [pfSense Support] Bridging question
There is a sysctl to work around this:

sysctl net.link.bridge.pfil_onlyip=0

On 1/24/06, Tom Müller-Kortkamp [EMAIL PROTECTED] wrote:
> I also have problems with AppleTalk (EtherTalk) packets on an ath - sis bridge.
Re: [pfSense Support] Bridging question
At 11:42 AM 1/24/2006, you wrote:
> There is a sysctl to work around this:
>
> sysctl net.link.bridge.pfil_onlyip=0

This sysctl did not show up on my FreeBSD box. The other pfil ones did. Another odd difference?
Re: [pfSense Support] Bridging question
Make sure your FreeBSD box is on RELENG_6 and up to date.

On 1/24/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> At 11:42 AM 1/24/2006, you wrote:
> > There is a sysctl to work around this:
> >
> > sysctl net.link.bridge.pfil_onlyip=0
>
> This sysctl did not show up on my FreeBSD box. The other pfil ones did. Another odd difference?
Re: [pfSense Support] Bridging question
At 11:45 AM 1/24/2006, you wrote:
> Make sure your FreeBSD box is on RELENG_6 and up to date.

It's supposed to be. I've been running cvsup every couple of weeks. I'll make sure I didn't pooch something. Thx!
Re: [pfSense Support] Bridging question
If you were up to date, you would have that sysctl :)

Scott

On 1/24/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> At 11:45 AM 1/24/2006, you wrote:
> > Make sure your FreeBSD box is on RELENG_6 and up to date.
>
> It's supposed to be. I've been running cvsup every couple of weeks. I'll make sure I didn't pooch something. Thx!
Re: [pfSense Support] Bridging question
At 11:50 AM 1/24/2006, you wrote:
> If you were up to date, you would have that sysctl :)

Maybe I misread something. Here is my cvsup tag:

*default release=cvs tag=RELENG_6_0

Please tell me this is wrong :)
Re: [pfSense Support] Bridging question
At 12:00 PM 1/24/2006, you wrote:
> That is wrong. I said RELENG_6
>
> On 1/24/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> > At 11:50 AM 1/24/2006, you wrote:
> > > If you were up to date, you would have that sysctl :)
> >
> > Maybe I misread something. Here is my cvsup tag:
> >
> > *default release=cvs tag=RELENG_6_0
> >
> > Please tell me this is wrong :)

Thank you! :) I think I got the RELENG_6_0 tip from someone at work...
Re: [pfSense Support] Bridging question
That is FreeBSD 6 release. That does not include all the new goodies in -STABLE.

On 1/24/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> At 12:00 PM 1/24/2006, you wrote:
> > That is wrong. I said RELENG_6
>
> Thank you! :) I think I got the RELENG_6_0 tip from someone at work...
Re: [pfSense Support] Bridging question
At 12:02 PM 1/24/2006, you wrote:
> That is FreeBSD 6 release. That does not include all the new goodies in -STABLE.

I'm wondering if that explains some of the anomalies I saw. I'll test tonight after doing a make world and make kernel etc...
Re: [pfSense Support] Bridging question
That is wrong. I said RELENG_6

On 1/24/06, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> At 11:50 AM 1/24/2006, you wrote:
> > If you were up to date, you would have that sysctl :)
>
> Maybe I misread something. Here is my cvsup tag:
>
> *default release=cvs tag=RELENG_6_0
>
> Please tell me this is wrong :)
Re: [pfSense Support] Bridging question
At 12:02 PM 1/24/2006, you wrote:
> That is FreeBSD 6 release. That does not include all the new goodies in -STABLE.

That did it! No more loss of connectivity. Bless you, my son! :)
Re: [pfSense Support] Bridging question
On Jan 24, 2006, at 11:48 AM, Dan Swartzendruber wrote:
> At 11:45 AM 1/24/2006, you wrote:
> > Make sure your FreeBSD box is on RELENG_6 and up to date.
>
> It's supposed to be. I've been running cvsup every couple of weeks. I'll make sure I didn't pooch something. Thx!

Make sure to remove the stale uncompressed kernel from /boot/kernel. See my several emails in the past week regarding how to do that. You may be booting an old kernel since the current one is gzipped.
Re: [pfSense Support] Bridging question
Scott Ullrich wrote:
> That is FreeBSD 6 release. That does not include all the new goodies in -STABLE.

Just wanted to add that this is only advisable if you're doing it for good reason. In this case, you want -STABLE because of the relevant changes you need for this particular purpose. In all other circumstances, RELENG_6_0 would be your best bet for stability, as that's just 6.0 release with bug and security fixes. RELENG_6 is more likely to be broken in some fashion.
Re: [pfSense Support] Bridging question
On 1/24/06, Chris Buechler [EMAIL PROTECTED] wrote:
> Just wanted to add that this is only advisable if you're doing it for good reason. In this case, you want -STABLE because of the relevant changes you need for this particular purpose. In all other circumstances, RELENG_6_0 would be your best bet for stability, as that's just 6.0 release with bug and security fixes. RELENG_6 is more likely to be broken in some fashion.

Indeed. When using -STABLE it's a good idea to set a date= field in your supfile and always remember the last known good date so that you can roll back to the prior known working tree date if a problem occurs.

Scott
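As an added illustration of the tag and date= advice in this exchange (a constructed supfile, not one from Scott's or Chris's messages), this pins a RELENG_6 checkout to a known-good timestamp; the host, paths and date are assumed values:

```conf
# Constructed example supfile: track RELENG_6 (6-STABLE), which carries the
# bridge fixes discussed in this thread, but pin the tree to a known-good time
# so a later breakage in -STABLE can be rolled back by editing one line.
*default host=cvsup.FreeBSD.org        # assumed mirror; pick a nearby one
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_6       # -STABLE; RELENG_6_0 is 6.0-RELEASE plus bug/security fixes only
*default date=2006.01.24.00.00.00       # assumed last known good date (yyyy.mm.dd.hh.mm.ss)
*default delete use-rel-suffix
*default compress

src-all

# To follow the tip of -STABLE again, remove the date= line. After a bad
# update, set date= back to the previous known-good value and rerun cvsup,
# then rebuild world and kernel against that tree.
```

Keeping the date= value in a notes file alongside the last successful build makes the rollback that Scott describes a one-line change rather than guesswork.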
[pfSense Support] A few questions, newbie :)
Hi All,

I just found out about pfSense this morning and have a few questions, I hope people don't mind :)

Background: I am currently setting up a FreeBSD based firewall for a client to be used at a data centre protecting about 10 web servers, using 2 firewalls with CARP.

Now for the questions: does the CARP setup in pfSense allow me to set up a CARP interface on both sides of the firewall? I need to fail over incoming and outgoing traffic.

A major requirement for them is traffic counting. Can pfSense provide me with accounting for bytes in/out for each IP address behind the firewall?

Cheers,
Stephen
Re: [pfSense Support] A few questions, newbie :)
Answers are between the lines:

-----Original Message-----
From: Stephen Cimarelli [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 January 2006 01:07
To: support@pfsense.com
Subject: [pfSense Support] A few questions, newbie :)

> Now for the questions: does the CARP setup in pfSense allow me to set up a CARP interface on both sides of the firewall? I need to fail over incoming and outgoing traffic.

Yes, check out the tutorial at http://pfsense.com/index.php?id=36 on how to set it up. Failover is completely stateful.

> A major requirement for them is traffic counting. Can pfSense provide me with accounting for bytes in/out for each IP address behind the firewall?

You can use SNMP to gather that kind of information and/or use the ntop package. However, package support is overworked atm and some packages don't work. This however is temporary and will be fixed before release.

Holger
Re: [pfSense Support] A few questions, newbie :)
On 1/24/06, Stephen Cimarelli [EMAIL PROTECTED] wrote:
> Now for the questions: does the CARP setup in pfSense allow me to set up a CARP interface on both sides of the firewall? I need to fail over incoming and outgoing traffic.

Yep, I do it quite a bit.

> A major requirement for them is traffic counting. Can pfSense provide me with accounting for bytes in/out for each IP address behind the firewall?

Yep, we have packages, SNMP, and you can also use /exec_raw.php. Simply pass it a cmd= command.
Re: [pfSense Support] Bridging question
At 06:53 PM 1/24/2006, you wrote:
> Scott Ullrich wrote:
> > That is FreeBSD 6 release. That does not include all the new goodies in -STABLE.
>
> Just wanted to add that this is only advisable if you're doing it for good reason. In this case, you want -STABLE because of the relevant changes you need for this particular purpose. In all other circumstances, RELENG_6_0 would be your best bet for stability, as that's just 6.0 release with bug and security fixes. RELENG_6 is more likely to be broken in some fashion.

Good point..