Re: [pfSense] 2.4.3 - cannot define table bogonsv6

2018-04-19 Thread Jim Pingle
On 04/19/2018 04:54 AM, Eero Volotinen wrote:
> fix is in reddit thread ..
> 
> Someone should fix this on pfsense default config..

It has been fixed for over two weeks in the repo:

https://redmine.pfsense.org/issues/8417

There have been numerous threads about it on the forum, reddit, and
elsewhere.

Jim P.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Maximum CARP Addresses?

2018-02-16 Thread Jim Pingle
On 02/16/2018 10:09 AM, ad^2 wrote:
> Ok I understand. What are the limitations here? How many aliases can be
> stacked on one CARP VIP?
> 
> Is anyone out there running +255 VIPs?  My implementation will require at
> least 500 floating IPs right away.

While there is no known practical limit, if you feel you need that many
VIPs, most likely your design is deeply flawed in some way.

If you explain the purpose of the setup and how the IP addresses are
delivered to your firewall, there is likely a better way to reach your goal.

Jim P.


Re: [pfSense] FRR and IPv6 Bug

2017-12-21 Thread Jim Pingle
On 12/19/2017 11:21 AM, Jim Pingle wrote:
> On 12/17/2017 12:54 PM, Daniel wrote:
>> it seems I found a bug when using FRR with IPv6.
>>
>> I enabled and configured an IPv6 BGP peer but it seems that the GUI makes a
>> wrong IPv6 BGP peering config.
>>
>> In sh ip bgp sum I can see that IPv6 peers are configured but in sh ipv6 bgp
>> sum (which is where it has to be) is shown: No IPv6 Unicast neighbor is configured
>>
>> This happened because the FRR config puts all IPv6 related stuff in the IPv4
>> stack configuration.
>>
>> Is there any way to do it correctly with the GUI or should I use raw config
>> instead?
> 
> I don't have any IPv6 peers setup in FRR but can you elaborate more on
> your configuration and the changes you made that allowed it to work?
> 
> Looking at the FRR code, the only place it manually specifies ipv4 or
> ipv6 is when defining the networks to distribute.


I was able to setup a lab test and found the problem(s), I believe. I
pushed a new version of FRR a few moments ago which should behave
correctly. In my lab setup I am now able to get a working IPv6 BGP
neighbor peering.

Jim P.



Re: [pfSense] FRR and IPv6 Bug

2017-12-19 Thread Jim Pingle
On 12/17/2017 12:54 PM, Daniel wrote:
> it seems I found a bug when using FRR with IPv6.
> 
> I enabled and configured an IPv6 BGP peer but it seems that the GUI makes a
> wrong IPv6 BGP peering config.
> 
> In sh ip bgp sum I can see that IPv6 peers are configured but in sh ipv6 bgp
> sum (which is where it has to be) is shown: No IPv6 Unicast neighbor is configured
> 
> This happened because the FRR config puts all IPv6 related stuff in the IPv4
> stack configuration.
> 
> Is there any way to do it correctly with the GUI or should I use raw config
> instead?

I don't have any IPv6 peers setup in FRR but can you elaborate more on
your configuration and the changes you made that allowed it to work?

Looking at the FRR code, the only place it manually specifies ipv4 or
ipv6 is when defining the networks to distribute.

If you can show me the settings in the GUI, the "broken" config, and
then what you think it should look like I can try to get that fixed up
in the package.

You can send that to me privately if you don't want to send it to the list.

Jim P.


Re: [pfSense] Floating rule with multiple interfaces not generated with reply-to

2017-12-05 Thread Jim Pingle
On 12/5/2017 5:34 AM, Shamim Shahriar wrote:
> Now, if I select multiple interfaces, since there is no reply-to on the
> rule, I am unable to communicate with the pfsense box from outside. Which
> makes me wonder, am I misunderstanding the purpose/functionality of
> floating rules entirely? I know one good thing about them is to be able to
> add "quick" so the rules are checked before other interface bound ones, but
> is this also not a feature (i.e., put same rule for multiple interfaces in
> one go)?

What you are seeing is expected behavior. If you have multiple
interfaces selected, it cannot possibly use reply-to because it can't
specify reply-to on rules for multiple interfaces. Interface groups have
the same limitation.

If you need reply-to, the rules must only apply to a single interface.

For that reason, multiple interface rules (groups or floating) are
primarily useful only for internal interfaces.

Jim P.


Re: [pfSense] quagga/bgp

2017-11-17 Thread Jim Pingle
On 11/17/2017 08:29 AM, Daniel wrote:
> I don’t want to use openBGPd and I also don’t want to use FRR because I am 
> completely new to FRR.

If you know quagga, you know FRR. FRR is a fork of quagga and they work
nearly the same. Most people probably won't know the difference, except
that FRR will probably work better.

Jim P.

Re: [pfSense] may a bug / v2.4.x problems with more than 6 NIC's Intel pro1000 / emX

2017-11-06 Thread Jim Pingle
On 11/05/2017 03:35 PM, WolfSec-Support wrote:
> remark:
> as written, v2.3.4 works well WITHOUT tuning anything
> 
> so it seems to have a dependency on the FreeBSD 11.1 kernel?

That doesn't mean much, the newer base/drivers could be enabling
features on the NICs that require more resources. It's not the first
time that's happened.

Do you see any errors in the boot log (/var/log/dmesg.boot) or on the
console when it starts up with all of the NICs present?

What does "netstat -m" show? "netstat -mb"?

Is this bare metal hardware or a virtualized system? Describe the
hardware/hypervisor in more detail.

Jim


Re: [pfSense] may a bug / v2.4.x problems with more than 6 NIC's Intel pro1000 / emX

2017-11-05 Thread Jim Pingle
On 11/5/2017 12:09 PM, WolfSec-Support wrote:

> if a host has more than 6x emX then the NICs are initialized, but only em0
> can see traffic from the switch.
> em1 and higher do not see any traffic from the network / see only their
> self-generated traffic.

Sounds like it's running out of mbufs and doesn't have enough to
initialize all of the NICs and their queues.

https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#mbuf_.2F_nmbclusters

Try setting that higher, like 100

Jim P.


Re: [pfSense] HAProxy edits not saving

2017-09-18 Thread Jim Pingle
On 9/18/2017 2:44 AM, maina maish wrote:
> I am editing /var/etc/haproxy/haproxy.cfg but it looks like changes are getting
> cleared if someone uses Services/HAProxy/Frontends and applies changes
> using the WebGUI.
> 
> Is there way to make sure changes made through command line do not get
> cleared?

The GUI configuration for pfSense or a package will always overwrite
config files edited manually. That is part of the core design of the
entire system. There is no way for the GUI to know that a change to a
file was intentional, the config.xml settings are always assumed to be
correct.

If you don't want to use the GUI to maintain the haproxy configuration,
then don't install the GUI package; install haproxy itself using pkg
from a shell prompt.

Jim P.


Re: [pfSense] Factory Default / Cleanup(script) of binaries + config backups + etc

2017-08-07 Thread Jim Pingle
On 08/07/2017 08:09 AM, WolfSec-Support wrote:
> Well, Jim, you are completely right - and as paranoid as I am normally :)
> 
> Here it is for INTERNAL use only - simply colleagues etc should not see
> all old data

Which is my point. Without a wipe+reload, inevitably _something_ is
going to get left behind, especially with package data.

Since it is staying internal, a reinstall is sufficient and not a full
disk wipe.

> And - to be honest:
> in general it would be really helpful to HELP/ANSWER a question, instead
> of declining it by default.
> The people have also thought about their idea before - if it fits not
> YOUR requirements, maybe it fits THEIRS ;)

I focus on the goal rather than the methods. If someone asks "How can I
do X so I get Y", I answer how to reach "Y" in the best way, because
often "X" is not the most efficient or correct method.

I am answering the question of how to reach your goal in the safest and
most secure way possible. The specific method you're inquiring about is
not going to achieve your goal and could easily result in unintended
behavior or information exposure. Technically, yes, what you want to do
could be achieved by a script, via ssh commands, or by any number of
methods, but all of those techniques suffer from the same problems.

I'd rather you have the most stable, secure, and reliable experience
possible, and following your suggested methods would most likely not
have that result.

Reinstalling does not take long, and in most cases all you have to do is
press Enter a few times in a row. If all of your hardware is identical
with identical drives you could even take a disk image of a stock
install and write that out any number of ways, but that would still be
slower than a reinstall in most cases.

Jim


Re: [pfSense] Factory Default / Cleanup(script) of binaries + config backups + etc

2017-08-07 Thread Jim Pingle
On 8/7/2017 2:20 AM, WolfSec-Support wrote:
> Goal is to put devices on stock for replacements in a nearly clean state
> for internal usage and shipping to other sites

A wipe+reload is the only proper way to accomplish this acceptably.

No matter how careful you are, something will most likely be left behind
and may surprise you later.

Jim


Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Jim Pingle

On 8/6/2017 9:47 PM, Walter Parker wrote:
> How do I get the Acme package to let me update the sample.com zone, to add
> the host for _acme-challenge.fw.sample.com? I think I missed a step. This
> is for a firewall that I don't want to set up external web access on.

At the moment it only supports host keys, not zone keys. It will need to
have a key made for that host specifically.

Also, make sure the update-policy for the dynamic zone grants the
ability to update TXT records specifically, or ANY.

Jim P.


Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Jim Pingle
On 8/6/2017 8:03 PM, Walter Parker wrote:
> I think I'm missing something simple with my Acme Client setup in pfsense.
> I followed the following steps and I'm get a TSIG error (note NSUPDATE
> worked when run by hand).
> 
> 
> - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
> - Copy secret from Kfw.sample.com.*.key (note this secret has a space in
>   the middle)

Use the copy of the key from the .private file. It shouldn't have a
space in it.

Jim P.
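An added example, written for this archive and not code from the list or from the pfSense ACME package, covering both of the replies above: it shows why the secret must come from the .private file rather than the .key file, and what the named.conf key clause and a TXT-only update-policy for the host key look like. The key material, the file contents and the fw.sample.com names are constructed for the example; only the file layout (the .key record printing the base64 in space-separated chunks, the .private file carrying it whole on a "Key:" line) is what the replies describe.

```python
import base64
import hashlib
import re

# Constructed 512-bit secret for the example (derived from a fixed string so the
# run is reproducible; it is not a real key).
_RAW_SECRET = hashlib.sha512(b"constructed example secret, not a real TSIG key").digest()
SECRET_B64 = base64.b64encode(_RAW_SECRET).decode()   # 88 base64 chars, no spaces

# Constructed stand-ins for the two files dnssec-keygen writes for a host key.
# The .key file prints the secret as space-separated chunks; the .private file
# carries it whole on its "Key:" line.
KEY_FILE = f"fw.sample.com. IN KEY 512 3 157 {SECRET_B64[:56]} {SECRET_B64[56:]}\n"
PRIVATE_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 157 (HMAC_MD5)\n"
    f"Key: {SECRET_B64}\n"
)


def secret_from_private(text):
    """Return the secret from a .private file: the value after 'Key:'."""
    for line in text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Key: line in .private file")


def secret_from_keyfile(text):
    """Return the secret from a .key (KEY RR) file, re-joining the chunks that
    the record format prints with spaces between them."""
    m = re.match(r"^(\S+)\s+IN\s+KEY\s+\d+\s+\d+\s+\d+\s+(.+)$", text.strip())
    if not m:
        raise ValueError("not a KEY resource record")
    return "".join(m.group(2).split())


def tsig_secret_is_clean(secret, bits=512):
    """True if the secret is whitespace-free, valid base64 of the expected size.
    A secret pasted from the .key file with its embedded space fails here,
    which is the TSIG error the original poster ran into."""
    if any(ch.isspace() for ch in secret):
        return False
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(raw) * 8 == bits


def bind_key_and_policy(keyname, secret, host):
    """Render the BIND named.conf fragments for the dynamic zone: the key clause
    and an update-policy that grants this host key the right to change only
    the TXT record the ACME DNS-01 challenge needs (least privilege: the key
    cannot touch the host's A/AAAA records or anything else in the zone)."""
    return (
        f'key "{keyname}" {{\n'
        "    algorithm hmac-md5;\n"
        f'    secret "{secret}";\n'
        "};\n"
        "update-policy {\n"
        f"    grant {keyname} name _acme-challenge.{host}. TXT;\n"
        "};\n"
    )


if __name__ == "__main__":
    print("from .key file:    ", secret_from_keyfile(KEY_FILE) == SECRET_B64)
    print("from .private file:", secret_from_private(PRIVATE_FILE) == SECRET_B64)
    print(bind_key_and_policy("fw.sample.com", SECRET_B64, "fw.sample.com"))
```

The grant line is the narrow form of what the first reply asks for: the zone can also grant ANY, but restricting the key to the single _acme-challenge TXT name limits what a leaked key can change.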



Re: [pfSense] pfSense 2.4 with ZFS, will it solve corrupt systems

2017-08-05 Thread Jim Pingle
On 8/5/2017 8:59 AM, Arthur Wiebe wrote:
> This is more out of curiosity to verify that I'm correct, with pfSense 2.4
> using ZFS will that solve the issue where an SG appliance will stop booting
> because of a corrupt filesystem and require a reinstall?
> 
> I've had too many cases where for whatever reason a box was shutdown
> improperly (could be the client unplugging it for example) and the system
> became corrupt and worked fine after re-installing the OS.
> 
> I'm hoping that ZFS with it's data integrity and rollback features will
> solve this issue.
> 
> Am I right? And if so we should consider re-installing existing
> installations with pfSense 2.4 so that it installs using ZFS?

ZFS is self-healing and though we have not been able to reproduce the
corruption issues seen by some with UFS, all evidence points to ZFS not
being susceptible to those problems.

ZFS does have increased RAM requirements so you have to be mindful of
RAM usage and enabled features so that you don't run yourself out of
memory. On systems with 4GB of RAM or more, it should be safe to use. It
also requires a 64-bit OS, but any of the SG devices would be 64-bit so
that shouldn't be a concern.

Jim


Re: [pfSense] Factory Default / Cleanup(script) of binaries + config backups + etc

2017-08-04 Thread Jim Pingle
On 7/27/2017 4:46 AM, WolfSec-Support wrote:
> Is there a way / document / script to cleanup a pfSense WITHOUT
> reinstallation ?

If you need to clean it up in a way where anything other than resetting
the configuration matters, you will want to wipe/reload. The feature is
intended to put a system back into a default state from which it can be
reconfigured, it is not intended to be a secure reset that removes all
changes to the entire OS.

If you are preparing the system to hand off to someone else and want to
be sure your content is erased, there is no substitute for a full disk
erase with a secure wipe/erase utility such as DBAN.

Jim P.


Re: [pfSense] uncomplete update to 2.3.4, no route to host

2017-05-12 Thread Jim Pingle
On 05/12/2017 12:47 PM, Steve Yates wrote:
> They're missing the DNS record for pkg.pfsense.org.  Per the SOA
> ad...@netgate.com is the contact; I've bcc'd this there.

pkg does not use A/ records, it uses SRV records, which are present
and work fine:


$ host -t srv _https._tcp.pkg.pfsense.org
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.

OPs problem is not related to DNS. "No route to host" indicates they
have a problem with their connectivity, for example they may have broken
or half-configured IPv6 that is present but not usable for routing.

Jim P.
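An added example, not from the list or from pkg itself: a parser for the `host -t srv` output quoted above and the RFC 2782 target-selection order a client applies to the result (lowest priority first, weighted-random within a priority). The two input lines are the ones shown in the reply; the second, constructed input with unequal priorities is there to show the ordering rule. Checking the SRV answer this way, before assuming a missing A record, is the DNS-side half of the diagnosis in the reply; the "No route to host" half is a connectivity problem and no resolver check will surface it.

```python
import random
import re

# Input as quoted in the reply above, in the form `host -t srv` prints it.
HOST_OUTPUT = """\
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<priority>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+?)\.?$"
)


def parse_srv_output(text):
    """Parse `host -t srv` output lines into SRV record dicts; lines that are
    not SRV answers (comments, NXDOMAIN notices) are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append({
                "name": m["name"],
                "priority": int(m["priority"]),
                "weight": int(m["weight"]),
                "port": int(m["port"]),
                "target": m["target"],
            })
    return records


def order_targets(records, seed=None):
    """Return (target, port) pairs in the order a client should try them per
    RFC 2782: lowest priority value first; within one priority, repeatedly
    draw a random number in [0, sum of weights] and take the first record
    whose running weight total reaches it."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec["priority"], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng.randint(0, total)
            running = 0
            chosen = pool[-1]
            for r in pool:
                running += r["weight"]
                if running >= pick:
                    chosen = r
                    break
            ordered.append((chosen["target"], chosen["port"]))
            pool.remove(chosen)
    return ordered


if __name__ == "__main__":
    for target, port in order_targets(parse_srv_output(HOST_OUTPUT)):
        print(f"try https://{target}:{port}/")
```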


Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-23 Thread Jim Pingle
On 03/22/2017 02:16 PM, hamid ashraf wrote:
> I have 2 pfSense FW 2.3.3 p1 version, one is Master and Second is Backup. 
> CARP configured between both firewalls for IPv4 and all the configurations 
> are successfully syncing. When I configured the DHCPv6 on master firewall, 
> that configuration didn't replicate to the backup one and everything works 
> perfectly from outside to inside and vice versa on master. When the firewall 
> fails over, IPv6 connectivity is gone. My questions: 
> 
> 1. Does pfSense not support IPv6 failover?

No, because the ISC DHCP daemon for IPv6 does not have any concept of
failover baked in at this time. And last I heard, they are holding out
waiting for an IPv6 DHCP failover standard to be written. There are a
couple drafts floating around but last I saw, none have yet moved beyond
that stage.

> 2. Does pfSense not support DHCPv6 failover? I observed that nothing related 
> to DHCPv6 has been synced to the backup firewall.

It could, but it doesn't, because of the above limitation. You have to
manually configure a different range on both boxes, or use only SLAAC
for automatic assignment. You could configure the same pool on both
units but since the two units cannot share lease information, you end up
relying on IPv6 DAD to prevent conflicts.

Since the potential IPv6 address pool for a subnet is huge (/64), using
a separate range on each unit shouldn't be a problem. But it does mean
you have to configure them manually.

> 3. Please suggest a design to get IPv6 and IPv4 working together in failover with 
> DHCPv6 synced between them, and if the firewall fails over it should be seamless.

You have to set up each node manually for DHCPv6 but it works fine this way:

Primary:
* DHCPv6 enabled
** DHCPv6 set for a given range (say...
:::xxx0::1:-:::xxx0::1:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP. Binding to the CARP VIP
interface ensures that radvd only runs on the node which is master.
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Secondary:
* DHCPv6 enabled
** DHCPv6 set for DIFFERENT range (say...
:::xxx0::2:-:::xxx0::2:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Then repeat that for each local interface (e.g. DMZ, guest network, etc)

It may seem clunkier than its IPv4 sibling but they both transition at
nearly the same rate.

As an alternative, you could bind the RA daemon to the LAN directly and
set the primary to high, secondary to normal or low. That way nodes
would always know about both gateways and they would decide which one to
use automatically.

Jim P
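An added example, my own and not pfSense code or anything from the list: a small validator for the two-node DHCPv6 layout described above, where each node hands out a DIFFERENT range inside the same /64 because the daemons cannot share lease state. It checks that every range sits inside the LAN prefix, that the ranges of the two nodes do not overlap (an overlap would leave you relying on DAD, as the reply warns), and that no range contains the CARP VIP or a node's own interface address. The per-node layout (node N gets prefix::N:0 through prefix::N:ffff) and the 2001:db8:0:10::/64 addresses are constructed for the example; the ranges in the reply above follow that general shape but the real ones are yours to choose.

```python
import ipaddress


def node_pool(prefix, node_id):
    """Carve a per-node DHCPv6 range out of a /64. Constructed layout for this
    example (not a pfSense rule): node N gets prefix::N:0 through
    prefix::N:ffff, so the ranges of different nodes never touch.
    Returns (first, last) as IPv6Address objects."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 LAN prefix")
    if not 1 <= node_id <= 0xFFFF:
        raise ValueError("node_id must be in 1..65535")
    base = int(net.network_address) + (node_id << 16)
    return ipaddress.IPv6Address(base), ipaddress.IPv6Address(base + 0xFFFF)


def pools_overlap(a, b):
    """True if the two (first, last) ranges share at least one address."""
    return not (a[1] < b[0] or b[1] < a[0])


def check_design(prefix, pools, reserved=()):
    """Validate a multi-node DHCPv6 layout. pools maps node name -> (first, last)
    (addresses or strings); reserved lists addresses that must never be handed
    out (the LAN CARP VIP and each node's own LAN address). Returns a list of
    problem strings; an empty list means the design is consistent."""
    net = ipaddress.IPv6Network(prefix)
    norm = {name: (ipaddress.IPv6Address(lo), ipaddress.IPv6Address(hi))
            for name, (lo, hi) in pools.items()}
    reserved = [ipaddress.IPv6Address(r) for r in reserved]
    problems = []
    for name, (lo, hi) in norm.items():
        if lo > hi:
            problems.append(f"{name}: range is reversed")
        if lo not in net or hi not in net:
            problems.append(f"{name}: range is outside {net}")
        for addr in reserved:
            if lo <= addr <= hi:
                problems.append(f"{name}: range contains reserved address {addr}")
    names = sorted(norm)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools_overlap(norm[a], norm[b]):
                problems.append(f"{a} and {b} overlap: without shared lease state "
                                "you would be relying on DAD to avoid conflicts")
    return problems


def example_designs():
    """Constructed LAN on the documentation prefix: a correct layout and a
    mistaken one where both nodes were given the same range."""
    prefix = "2001:db8:0:10::/64"
    reserved = ["2001:db8:0:10::1",   # LAN IPv6 CARP VIP (DHCPv6 DNS server / RA DNS)
                "2001:db8:0:10::2",   # primary's own LAN address
                "2001:db8:0:10::3"]   # secondary's own LAN address
    good = {"primary": node_pool(prefix, 1), "secondary": node_pool(prefix, 2)}
    bad = {"primary": node_pool(prefix, 1), "secondary": node_pool(prefix, 1)}
    return check_design(prefix, good, reserved), check_design(prefix, bad, reserved)


if __name__ == "__main__":
    good, bad = example_designs()
    print("good design problems:", good)
    print("bad design problems: ", bad)
```

Run it against the ranges you are about to type into each node's DHCPv6 page; it is cheap insurance against the two mistakes that are easy to make by hand, overlapping ranges and a range that swallows the VIP.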


Re: [pfSense] pfsense upgrade problems?

2017-02-22 Thread Jim Pingle
On 2/22/2017 1:23 PM, Eero Volotinen wrote:
> The process will require 14 MiB more space.
> 
> 73 MiB to be downloaded.
> 
> Fetching php56-5.6.30.txz: .. done
> 
> pkg: php56-5.6.30 failed checksum from repository
> 
> 
> something wrong with the packages?

Nothing on our side as far as we've seen. Large numbers of completed
upgrades without issue.

Probably the transfer was cut off or something happened upstream, or
potentially a local storage issue.

Jim



Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-25 Thread Jim Pingle
On 01/25/2017 01:10 PM, Karl Fife wrote:
> The piece that's still missing for me is that there must have been some
> change in default system setting for FreeBSD, or some other change
> between versions, because the system booted fine with pfSense v 2.2.6

Aside from what has already been suggested by others, it's possible that
the newer drivers from FreeBSD 10.3 in pfSense 2.3.x enabled features on
the NIC chipset that consumed more mbufs. For example, it might be using
more queues per NIC by default than it did previously.

Jim



Re: [pfSense] Port forward => load balancer

2016-12-02 Thread Jim Pingle
On 12/02/2016 06:04 AM, Ugo Bellavance wrote:
> I'd like to know if there is a way to switch from a port forward to a
> server load balancer configuration without downtime.  Can I create
> everything in the load balancer config and then remove the port forward
> at the end?
> 
> v 2.3.2-RELEASE-p1


Using relayd (Services > Load Balancer) or the HAProxy package?

If using relayd, then maybe but probably not. relayd hooks in using NAT
similar to a port forward but it would take precedence. The moment the
frontend is setup it would likely take over the port forward even if you
were not ready. If it all happened to work on the first try, then it
would be fine.

If you're using the haproxy package then that would work fine. It would
bind to the outside address directly but the port forward would bypass
that. After you've tested it from the inside you could disable the port
forward and it would take over from there.

Given the choice between the two, I would always take HAProxy.

Jim


Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

2016-10-13 Thread Jim Pingle
On 10/13/2016 5:53 PM, Volker Kuhlmann wrote:
> I can't believe there is a major fault, but where is the download for
> 2.3.2-p1?

There are no installers for 2.3.2-p1. You have to install 2.3.2 and
update to patch 1 once it's installed.

Jim



[pfSense] Mailing List Posts from Non-Members

2016-09-22 Thread Jim Pingle
Hello,

Lately the mailing list moderation queues have been overrun with a large
volume of spam on a daily basis. To make it easier on the list admins,
we have changed the default list policy to discard messages from
non-members on all of our lists rather than holding them for manual
moderation.

The change should not impact many people because only on rare occasions,
usually once a month or less, would someone post a message without being
a list member. We had to manually look for and approve such requests
among the thousands of spam messages in the queues.

If you want to post from multiple addresses, you can subscribe from the
additional addresses and set the alternate addresses to "nomail" that
way you won't receive multiple copies of the list mail but it can still
post. The same procedure can be used for an address where the sender
does not want to receive the list by e-mail, but follows the list using
the list's web archive and occasionally wants to post.

You can change your mailing list subscription options or sign up your
other addresses from the list management pages, such as
https://lists.pfsense.org/mailman/listinfo/list

Thanks!

Jim P.


Re: [pfSense] DHCP Implicit rule processing order

2016-08-31 Thread Jim Pingle
On 8/31/2016 9:30 PM, Karl Fife wrote:
> This suggests the implicit rules are evaluated BEFORE the explicit
> rules.  Is there a good reason they're evaluated first? I'd expect them
> to be after to allow for debugging, logging, blocking, etc.
> 

Yes, that is done on purpose. Otherwise it would be far too easy for a
user to block DHCP with a manual rule on the tab and then lose connectivity.

Jim


Re: [pfSense] pf rule error

2016-08-10 Thread Jim Pingle
On 08/09/2016 09:46 PM, Joseph L. Casale wrote:
> I recently received an error that the pf table was wedged and had been reset
> while making changes. A few days later, a vlan stopped passing dhcp traffic
> and filter reload did not resolve it, I actually had to reboot the unit.
> 
> Has anyone seen this, are there configurations known to produce this behavior
> or would hardware be the first suspect?

The two are unlikely to be related.

The "pf wedged" message can happen in some race conditions if multiple
actions are happening, attempting to hit pf in the same way at the same
moment. In most cases it's noteworthy but otherwise harmless.

There isn't enough detail in your description to speculate about why a
VLAN might have stopped passing traffic, but it's unlikely to be related
to a filter reload or pf in general unless you were changing rules on
the interface at the time.

Jim


Re: [pfSense] multiple:multiple

2016-08-05 Thread Jim Pingle
On 8/5/2016 3:13 PM, Karl Fife wrote:
> All of the states in the pfsense states display make sense to me:
> e.g. http://www.cs.hofstra.edu/~cscccl/c333/tcp.gif
> 
> Maybe I'm having a brain fart, but I'm not finding a good treatise on
> the "multiple:multiple" state?
> Anyone?

That "state" should only be seen with UDP and other stateless protocols.
You'll see SINGLE:NO_TRAFFIC when one side sends a single packet to the
other but has not yet received a response, and MULTIPLE:MULTIPLE when
both sides have sent multiple packets that match the state.

You can also see various combinations of these depending on the
protocol. For example you might see SINGLE:MULTIPLE from a perfectly
normal DNS request or you might see it on a partially working (or even
broken) ESP state for IPsec.

Essentially it's a counter that lets you know if 0, 1 or 2+ packets have
been observed matching the state.

Jim
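An added example to illustrate the reply above; it is not pf code and not from the list. It is a toy state table for UDP and other stateless protocols that does what the reply describes: count the packets each side has sent against a state and label each side NO_TRAFFIC, SINGLE or MULTIPLE. The packets are constructed (documentation addresses) and chosen so that every combination mentioned in the reply shows up: a query with no reply yet, a normal request/response, a chatty exchange, and a lopsided one where the peer has sent more than the initiator.

```python
def side_label(count):
    """pf's per-side label for stateless protocols: how many packets that side
    has sent that matched the state (0, 1, or 2+)."""
    if count == 0:
        return "NO_TRAFFIC"
    if count == 1:
        return "SINGLE"
    return "MULTIPLE"


def track_udp_states(packets):
    """Toy state table for UDP/stateless flows. Each packet is a constructed
    (src_ip, src_port, dst_ip, dst_port) tuple. The first packet of a flow
    creates a state keyed on its 4-tuple; later packets in either direction
    bump that direction's counter. Returns {key: "LABEL:LABEL"} with the
    initiator's side first, in the style of the pfSense states view."""
    states = {}
    for src, sport, dst, dport in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in states:
            states[fwd][0] += 1
        elif rev in states:
            states[rev][1] += 1
        else:
            states[fwd] = [1, 0]
    return {key: f"{side_label(out)}:{side_label(back)}"
            for key, (out, back) in states.items()}


# Constructed traffic, labelled by what it models.
SAMPLE_PACKETS = [
    ("192.0.2.10", 40001, "198.51.100.53", 53),    # DNS query, no reply seen yet
    ("192.0.2.10", 40002, "198.51.100.53", 53),    # DNS query ...
    ("198.51.100.53", 53, "192.0.2.10", 40002),    # ... and its single reply
    ("192.0.2.11", 123, "198.51.100.123", 123),    # NTP: client polls repeatedly
    ("198.51.100.123", 123, "192.0.2.11", 123),
    ("192.0.2.11", 123, "198.51.100.123", 123),
    ("198.51.100.123", 123, "192.0.2.11", 123),
    ("192.0.2.12", 4500, "203.0.113.1", 4500),     # IPsec NAT-T: one packet out ...
    ("203.0.113.1", 4500, "192.0.2.12", 4500),     # ... and the peer answering
    ("203.0.113.1", 4500, "192.0.2.12", 4500),     #     twice (retransmit)
]


def summarize(packets=SAMPLE_PACKETS):
    """Return the state label of each constructed flow keyed by the
    initiator's (ip, port)."""
    return {key[:2]: label for key, label in track_udp_states(packets).items()}


if __name__ == "__main__":
    for (ip, port), label in summarize().items():
        print(f"{ip}:{port:<6} {label}")
```

When reading the states page, the useful question is which side is stuck at NO_TRAFFIC: SINGLE:NO_TRAFFIC that never advances means the reply is not coming back through the firewall at all, which points at routing or the far end rather than at the rule that created the state.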


Re: [pfSense] previous / older pfSense release image files

2016-07-28 Thread Jim Pingle
On 07/13/2016 05:06 AM, Herwig Unterrichter wrote:
> I am having trouble finding a certain older pfSense release, in particular 
> 2.2.4, the memstick amd64 image.
> 
> Is there some kind of archive server where i can get access to all previous 
> releases?

https://atxfiles.pfsense.org/mirror/downloads/old/

Jim



Re: [pfSense] Removing obsolete packages

2016-07-27 Thread Jim Pingle
On 07/26/2016 05:38 PM, Chris Bagnall wrote:
> It would, however, be rather nice to remove the obsolete references.

At the moment there is no automated way to do that, but you can edit
them out of your config.xml. Either by editing in-place using "viconfig"
if you're daring, familiar with vi, and don't mind the potential for
danger. Or the safer route is to download a backup, edit them out, and
then restore the backup.

Jim
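An added example of the safer route in the reply above (download a backup, edit the obsolete entries out, restore the result); it is not from the list or the pfSense project. The XML excerpt is constructed: the `<installedpackages>` element with `<package>` and `<menu>` children each carrying a `<name>` is an assumption about the backup's shape for the purposes of the example, so compare it against your own downloaded config.xml before trusting the element names. The script removes only entries whose name is on an explicit list, re-parses its own output, and refuses to hand back a document that lost anything it was not asked to remove.

```python
import xml.etree.ElementTree as ET

# Constructed backup excerpt (element names assumed, see the note above).
SAMPLE_CONFIG = """\
<pfsense>
  <system>
    <hostname>fw-example</hostname>
  </system>
  <installedpackages>
    <package>
      <name>examplepkg-current</name>
      <version>1.0</version>
    </package>
    <package>
      <name>examplepkg-obsolete</name>
      <version>0.1</version>
    </package>
    <menu>
      <name>examplepkg-current</name>
      <url>/pkg.php?xml=examplepkg-current.xml</url>
    </menu>
    <menu>
      <name>examplepkg-obsolete</name>
      <url>/pkg.php?xml=examplepkg-obsolete.xml</url>
    </menu>
  </installedpackages>
</pfsense>
"""


def package_entries(xml_text):
    """Return sorted (tag, name) pairs for every child of <installedpackages>."""
    root = ET.fromstring(xml_text)
    pkgs = root.find("installedpackages")
    if pkgs is None:
        return []
    return sorted((el.tag, el.findtext("name") or "") for el in pkgs)


def strip_obsolete(xml_text, obsolete):
    """Remove <installedpackages> children whose <name> is in `obsolete`.
    Returns (new_xml_text, removed_count). Everything else in the document is
    left untouched; the result is verified by re-parsing before it is returned."""
    obsolete = set(obsolete)
    root = ET.fromstring(xml_text)
    pkgs = root.find("installedpackages")
    if pkgs is None:
        return xml_text, 0
    before = package_entries(xml_text)
    removed = 0
    for el in list(pkgs):               # copy: we mutate while iterating
        if el.findtext("name") in obsolete:
            pkgs.remove(el)
            removed += 1
    out = '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")
    # Safety check: the survivors must be exactly the entries we meant to keep.
    expected = [e for e in before if e[1] not in obsolete]
    if package_entries(out) != expected:
        raise RuntimeError("cleanup would drop entries it was not asked to remove")
    return out, removed


if __name__ == "__main__":
    cleaned, n = strip_obsolete(SAMPLE_CONFIG, ["examplepkg-obsolete"])
    print(f"removed {n} entries; remaining: {package_entries(cleaned)}")
```

Keep the original backup file alongside the edited one so the restore can be reverted if a removed entry turns out to have been referenced elsewhere in the configuration.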



Re: [pfSense] yesterday update to 2.3.2 has not worked - these machines now can not update any more

2016-07-27 Thread Jim Pingle
On 07/27/2016 12:48 AM, WolfSec-Support wrote:
> Any hint to solve the broken updated boxes?

Use ssh or the console and either use option 13, or use option 8 and
from the shell, execute "pfSense-upgrade -d"

Early in the upgrade process, pkg is updated and from that point, the
GUI for updates and packages can't interpret the new pkg data format, so
the console update is required.

Jim



Re: [pfSense] Alerts

2016-07-27 Thread Jim Pingle
On 07/27/2016 07:47 AM, Luis G. Coralle wrote:
> Hello everyone.
> Does anyone know what pfSense considers an alert? Can they be customized?
> Is there a list?

There isn't an official list, but it's not very long. Usually
emergency-level events or events at the very least that require the
attention of an administrator, such as:

* config.xml missing or unreadable
* SSH keys on the firewall changed
* GEOM Mirror drive status changed (e.g. degraded or rebuilt)
* Firewall ruleset failing to load
* XMLRPC communication errors for HA configurations
* RAM too low to properly run pfSense
* Problems with the configuration that were not rejected in previous
versions but are invalid (Alias names consisting of only numbers,
removed features that were deactivated like L7)
* Virtual IP addresses that cannot be applied to interfaces
* DHCP configuration problems that prevent the service from starting

There are a couple others but that's the bulk of them. At the moment
there is not a way to customize the list.

Jim


Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2

2016-07-27 Thread Jim Pingle
On 07/27/2016 08:45 AM, Philipp Tölke wrote:
> since the update to 2.3.2 yesterday our external devices do not get
> DNS-Replies anymore.

What version was this firewall running previously?

> We have configured the DNS-Forwarder to listen on the interface and
> sockstat show it's listening on *:53. We have a rule allowing everything
> to pass to "self" on port 53.
> 
> With tcpdump I can see that the queries reach the firewall but no
> responses get send out.
> 
> The log of the DNS-Forwarder shows many entries like "Jul 27 14:36:22
> dnsmasq   83840   failed to send packet: Host is down".
> 
> Is this a known problem? Is there anything I can do?

Check the system routing table. From the sound of the errors, it would
appear that the firewall routing table does not include a route back to
the VPN client subnet.

Jim

Re: [pfSense] 502 Bad Gateway

2016-07-08 Thread Jim Pingle
On 07/08/2016 10:09 AM, Bill Arlofski wrote:
> I just realized something thanks to your post.  It seems that I have also
> witnessed that OpenVPN stops working when this occurs.

It would depend on the type of OpenVPN. RA or SSL/TLS using certificates
would likely fail as the scripts that verify parts of the cert and
perform the authentication are PHP. So if PHP is not functioning
properly, those can fail. The root problem is still PHP.

Jim



Re: [pfSense] Update to android ipsec instructions?

2016-06-24 Thread Jim Pingle
On 6/24/2016 7:18 PM, Cheyenne Deal wrote:
> Has anyone made any updated instructions for Android 5-6 for mobile ipsec
> tunnels? I have not been able to find any instructions for newer android
> versions for pfsense

There is a bug in racoon on Android that prevents it from working
properly against strongSwan[1][2]. I'm not sure if it's been fixed in
6/MM, I don't have a device with 6 on it yet to try. Use IKEv2 with the
strongSwan app on Android if you want a better solution there for the
time being.

Jim
1: https://redmine.pfsense.org/issues/4522
2: https://wiki.strongswan.org/issues/255


Re: [pfSense] Fwd: [Openvpn-announce] New OpenVPN 2.3.10 Windows installers (I604/I003) released

2016-05-11 Thread Jim Pingle
On 05/09/2016 11:45 AM, WebDawg wrote:
> How do we get an update for the export util?

They just released OpenVPN 2.3.11 yesterday, I've pushed out an update
for the export package on pfSense 2.3, might take a bit to sync around
but it'll show up soon.

Jim


Re: [pfSense] IPsec: tunneling both IPv4 and IPv6 between two sites

2016-04-30 Thread Jim Pingle
On 4/30/2016 6:57 AM, Olivier Mascia wrote:
> Sorry for having asked this question.
> While I had tried to find the answer before posting, I finally found the 
> answer seconds later.
> 
> https://doc.pfsense.org/index.php/IPv6_and_VPNs
> 
> "Currently IPv6 with IPsec is functional, but traffic cannot be mixed 
> families in a tunnel. Meaning, IPv6 traffic can only be carried inside a 
> tunnel which has IPv6 endpoints, and IPv4 traffic can only be carried over a 
> tunnel using IPv4 endpoints. A single tunnel cannot carry both types of 
> traffic."

That page is a little out of date in one respect: You can't mix traffic
with IPsec using IKEv1, but you can with IKEv2. So long as both sides
support IKEv2 you can carry IPv6 and IPv4 in P2 entries.

FWIW, You can also tunnel both at once using OpenVPN.

Jim


Re: [pfSense] IKEv2 with LDAP or RADIUS?

2015-10-28 Thread Jim Pingle
On 10/27/2015 6:07 PM, Adam Thompson wrote:
> I just watched the last hangout that jimp did on Remote Access VPNs, and
> I'm wondering: is there no way to do user authentication against a
> back-end LDAP or RADIUS server when using IKEv2-EAP-MSCHAP2?

There is EAP-RADIUS for RADIUS, but no means for LDAP.

I'll be following up on that in the hangout this Friday.

Jim


Re: [pfSense] Kernel problem after upgrade 2.2.3 to 2.2.4

2015-08-03 Thread Jim Pingle
On 08/03/2015 04:58 AM, Carlos Vicente (Gmail) wrote:
> [...] I upgraded it to the last version (via firmware upgrade), everything
> went well till the reboot, it shows an error message:
> 
> Can't find 'kernel'
> 
> Error while including /boot/menu.rc. in the line:
> 
> Menu-display
> 
> \
> 
> Can't load 'kernel'

Only time I've seen that is when the disk space ran out during upgrade.
Did you provision that VM with an unusually small disk?

Jim



Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Jim Pingle
On 07/21/2015 04:19 PM, Adam Thompson wrote:
> Next question:  extended warranty, to wit: can I purchase an extended
> warranty on these units?

It's not there yet but it is in the works and it is a priority for us.
We hope to offer that in the coming weeks.

Jim


Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Jim Pingle
On 07/20/2015 07:09 PM, Adam Thompson wrote:
> Also, the price for a 2-incident support pack is $399, but I can buy a 
> SG-2220 for only $299 and get the same # of support incidents.
> 
> Have I missed something?  Is this intentional?

Not sure about the other questions but this one I can answer:

The incidents you buy separately can be used for any device running
pfSense, including devices you didn't buy from us, VMs, etc.

Incidents included with a hardware purchase can only be used with that
one specific piece of hardware.

So you can't, for example, buy a 2220 and then use one of those
incidents for a problem with a custom-built device.

Jim


Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Jim Pingle
On 07/20/2015 07:09 PM, Adam Thompson wrote:
> But I do have one issue/question/comment about the pricing of that bundle: 
> there are still only 2 support incidents bundled.
> 
> It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I’d 
> wind up paying almost the same amount (maybe $75 more if I had to buy a new 
> shelf) but would get 4 support incidents included with my purchase.

Good news! The wording on the page is wrong, it does come with four.
Both units can be registered individually.

We'll get that wording cleared up.
Jim

Re: [pfSense] FTP issues on 1:1

2015-07-06 Thread Jim Pingle
On 7/6/2015 7:59 PM, Ryan Coleman wrote:
> Using 1:1 has turned most of my knowledge in pfSense completely useless. I 
> feel like a beginner again.
> 
> FTP worked on port 21. But for security reasons I do not want it there so I 
> moved it to port 9000.
> 
> ProFTPd is set up for Masquerading on its 1:1 IP, passive ports are dictated 
> in the conf (49500-52500) and configured as such in the Firewall Rules. 
> Firewall Rules also have port 8999-9001 open for the FTP server.
> 
> FTP works internal to the network so the issue isn’t in the configuration of 
> ftp server but in the configuration of the firewall.

Seems the actual question/problem statement is missing. What exactly
isn't working?

Did you actually change the binding port in ProFTPd or did you redirect
21 to 9000 with a port forward?

If you mix 1:1 NAT and port forwards you will find a couple things you
may not expect due to the way pf works and how NAT happens before
firewall rules:

1. Port forwards override 1:1 NAT, which is good for doing what you want

-but-

2. If you forward a different port (e.g. 9000 to 21) your rule still
passes to the local IP on port 21 so BOTH ports are actually accessible.
In other words, you can't relocate a port and block access to the
original port.

Changing the binding in ProFTPd to 9000 should work around that.

If that's what you did, then your rule would pass to the local IP on
port 9000.

If that doesn't help, give us a bit more detail about the exact NAT and
firewall rules you have and what isn't working as expected. Include
firewall logs, states for the test connections, and perhaps a packet
capture.

Jim
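As an added example (not pfSense or pf code), a small Python model of the NAT-before-filter ordering Jim describes, with constructed addresses (public 203.0.113.10 mapped 1:1 to internal 10.0.0.21) and the two ways of moving FTP to port 9000:

```python
"""Toy model of the pf evaluation order behind the 1:1 NAT plus port-forward
behaviour described above. Added example, not pfSense or pf code.
Constructed addresses: public 203.0.113.10 is 1:1 mapped to 10.0.0.21.

Order modelled: port forwards (rdr) first, then the 1:1 (binat) mapping,
then the filter rule, which therefore sees the translated destination."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC, INTERNAL = "203.0.113.10", "10.0.0.21"


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """rdr: public ip/port -> internal ip/port."""
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int


@dataclass(frozen=True)
class OneToOne:
    """binat: public ip <-> internal ip, every port."""
    ext_ip: str
    int_ip: str


@dataclass(frozen=True)
class PassRule:
    """Filter rule matched after NAT, on the internal destination."""
    dst_ip: str
    dst_port: int


def translate(pkt: Packet, forwards: List[PortForward],
              one_to_ones: List[OneToOne]) -> Packet:
    # Port forwards take precedence over the 1:1 mapping
    for fw in forwards:
        if (pkt.dst_ip, pkt.dst_port) == (fw.ext_ip, fw.ext_port):
            return Packet(fw.int_ip, fw.int_port)
    for b in one_to_ones:
        if pkt.dst_ip == b.ext_ip:
            return Packet(b.int_ip, pkt.dst_port)
    return pkt


def passes(pkt: Packet, rules: List[PassRule]) -> bool:
    return any((pkt.dst_ip, pkt.dst_port) == (r.dst_ip, r.dst_port)
               for r in rules)


def lands_on(public_port: int, forwards: List[PortForward],
             one_to_ones: List[OneToOne], rules: List[PassRule],
             listen_port: int) -> Optional[int]:
    """Internal port a connection to PUBLIC:public_port reaches, or None if
    NAT + filter + the daemon's bound port do not let it through."""
    pkt = translate(Packet(PUBLIC, public_port), forwards, one_to_ones)
    if not passes(pkt, rules):
        return None
    return pkt.dst_port if pkt.dst_port == listen_port else None


ONE_TO_ONE = [OneToOne(PUBLIC, INTERNAL)]


def relocate_with_port_forward() -> Dict[int, Optional[int]]:
    """Daemon still bound to 21, rdr 9000 -> 21, pass rule to internal:21.
    Both public ports end up reaching the daemon."""
    forwards = [PortForward(PUBLIC, 9000, INTERNAL, 21)]
    rules = [PassRule(INTERNAL, 21)]
    return {p: lands_on(p, forwards, ONE_TO_ONE, rules, 21)
            for p in (21, 9000)}


def relocate_by_rebinding() -> Dict[int, Optional[int]]:
    """Daemon bound to 9000, no rdr, pass rule to internal:9000 only.
    Public port 21 is 1:1-translated to internal:21 but nothing passes it."""
    rules = [PassRule(INTERNAL, 9000)]
    return {p: lands_on(p, [], ONE_TO_ONE, rules, 9000)
            for p in (21, 9000)}


if __name__ == "__main__":
    print("port forward:", relocate_with_port_forward())  # {21: 21, 9000: 21}
    print("rebind:      ", relocate_by_rebinding())       # {21: None, 9000: 9000}
```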

Re: [pfSense] Loading pfSense on Netgate 1U rack mount server c2758

2015-07-02 Thread Jim Pingle
On 7/2/2015 4:12 PM, Rainer Duffner wrote:
> 
>> On 02.07.2015 at 20:31, Paul Upson wrote:
>>
>> I recently purchased this device and am now trying to load pfSense onto it
>> using a usb stick. Each time the load fails with the following error.
>> Mounting from cd9660:/dev/iso9660/PFSENSE fails with error 19. I found a
>> post that said to add the command "set kern.cam.boot_delay="1" but it
>> doesn't change the result. I need a resolution soon.
> 
> Tried a different USB stick?

+1 to that.

Also if you're using one of the USB 3 ports (blue) try moving to a USB 2
port (black).

Jim


Re: [pfSense] Dashboard Width

2015-06-30 Thread Jim Pingle
On Jun 30, 2015, at 8:25 AM, Paul Galati wrote:
>
> All,
>
> Am I doing something wrong or are the current dashboard themes limited to
> 2 columns across?  With computer screens being wider than taller, it would
> be nice to be able to have a 3rd or 4th row of data rather than scrolling
> up and down.
>
> Just curious. Thanks.

Change your theme to pfsense_ng_fs from System > General and then you
can add columns and then add widgets to those columns.

On 06/30/2015 11:26 AM, Oliver Hansen wrote:
> You may want to look into this recent post: https://blog.pfsense.org/?p=1773

That's the long term goal, of course. In the meantime using
pfsense_ng_fs will help.

Jim


Re: [pfSense] Too many VIPs

2015-06-18 Thread Jim Pingle
On 06/17/2015 09:07 PM, Brian Caouette wrote:
> I assume it's not ready yet? Mine says 2.2.2 and current.

Correct, it has not yet been released. There are snapshots for it,
however. It should be out by the end of next week if all goes well.

Jim



Re: [pfSense] Too many VIPs

2015-06-17 Thread Jim Pingle
On 6/17/2015 2:53 PM, Jordan K wrote:
> Did someone solve this? I've got the same issue.

I saw a commit in the repo for this at some point, and it's mentioned on
the 2.2.3 release notes draft:

https://doc.pfsense.org/index.php/2.2.3_New_Features_and_Changes#Rules.2FAliases.2FNAT

Jim



Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Jim Pingle
On 06/17/2015 09:53 AM, Adam Thompson wrote:
> So far, PPTP and IKEv2 (using EAP-MSCHAPv2) appear to be the only
> options, and while PPTP works fine, it's insecure.  (This isn't actually
> a problem for my use case, but since it's going away and certainly isn't
> getting any love in pfSense, I'm leaving it behind.)
> 
> IKEv2 just... never works.  I'm pretty darn sure (99.999%) my
> certificate meets the requirements.
> 
> Are there any tricks that aren't obvious?

I've set it up several times, all of the knowledge I've been able to
gather has been dumped into the wiki:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS

I marked the most commonly missed and most important parts of the
configs with a warning graphic to help them stand out. Usually problems
are with the certificate, either with generating the cert (missing the
SAN, for example) or importing it into the client properly (perhaps it
wasn't imported into "Trusted Root Certification Authorities" under
"Local Machine").

Jim


Re: [pfSense] WRAP and pfsense

2015-06-09 Thread Jim Pingle
On 06/09/2015 12:37 AM, Cheyenne Deal wrote:
> I know that WRAP boards are not supported on pfSense but I was wondering if
> anyone knows of a way of installing an OS on it and getting it to be a VPN
> endpoint.

OS load aside, a few things to keep in mind to manage expectations:

Realistically, with its very slow CPU and other components, as a VPN
endpoint it would perform very poorly.

Without encryption the wrap can barely manage in the neighborhood of
20Mbit/s, with a VPN it would be much slower. Its newer (but still
outdated) descendant the ALIX could only manage 8-15Mbit/s of VPN
throughput without an accelerator enabled (depends on the encryption
algorithm). Last I saw, the wrap couldn't even manage 2Mbit/s of
encrypted traffic with 3DES, and though AES-128 would be faster, even
2-3x of 2Mbit/s is not much.

Between that and the age of the hardware, I'd not trust them in the wild
at this point for that role. The WRAP went EOL in 2007, and the ALIX
isn't far off. The newest WRAP would still be 8 years old.

I've got one tucked away on a shelf here but it hasn't been powered on
in many years.

Jim


Re: [pfSense] Documentation about Firewall Lookup Process, State Table, Firewall Rules Table

2015-06-03 Thread Jim Pingle
On 06/03/2015 09:47 AM, Espen Johansen wrote:
> Don't double post please.

Looks like his other post was stuck in the moderation queue and
approved, I'd have killed it but I didn't notice he'd already managed to
get it through to the list.

> Hello everybody,
> 
> Is there any documentation about:
> 
>  * the process how pfSense firewall handles packets (lookup in firewall
>    rules, lookup in state table, add new state, ...) e.g. a flow chart
>  * how the firewall rules are being (data structure)
>  * how the connection states are being (data structure)
> 
> Any hints are greatly appreciated!

While not that low level (which as others have stated could be found in
PF docs from FreeBSD and/or OpenBSD, plus the source), this should also
be of interest:

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

Jim


Re: [pfSense] Assign IP Address with /32 Mask on WAN Interface

2015-03-31 Thread Jim Pingle
On 03/30/2015 09:14 AM, Vick Khera wrote:
> On Sat, Mar 28, 2015 at 11:42 AM, day knight wrote:
> 
> I see the configuration script doesn't allow you to pick /32 address
> when configuring an interface as my default gateway is not in the
> same subnet. I have limited IPs and run pfsense from vmware. How can
> i override and assign /32 ip address to wan interface. 
> 
> 
> How exactly does your computer talk to anything *not* on the same network?

Some providers are getting, let's say "creative", due to shrinking IPv4
space availability.

https://redmine.pfsense.org/issues/972

Jim


Re: [pfSense] pfsense and anchors

2015-03-23 Thread Jim Pingle
On 03/23/2015 07:33 AM, Alessandro Baggi wrote:
> Hi list,
> I need to create an anchor for a proxy. It seems not to be possible to
> accomplish this with the web interface. How can I insert an anchor
> (rdr-anchor) in the main ruleset without killing pfSense?
> 
> Can someone point me in the right direction?

Look at the code for the recent FTP proxy package [1]. It does exactly
that, and the code is fairly small/simple.

Jim

1:
https://github.com/pfsense/pfsense-packages/blob/master/config/ftpproxy/ftpproxy.inc#L96


Re: [pfSense] Fwd: freak vulnerable for pfsense

2015-03-19 Thread Jim Pingle
On 03/19/2015 06:27 AM, Amit Saxena wrote:
> I am working on a pfSense firewall that is also configured as an OpenVPN server.
> I got the information that it is "FREAK vulnerable", so I want to know whether it
> affects the pfSense box.
> My pfSense details:
> 
> pfSense version 2.1 and OpenSSL version 0.9.8y

The firewall GUI itself is not vulnerable as a server, even on that version.

The OpenSSL library on that version may be vulnerable as a client,
however. If you do not have anything on the firewall that makes outbound
connections to arbitrary servers that would use SSL, it may not be a
factor for you, but upgrading to 2.2.1 is still advised.

Jim


Re: [pfSense] 2.2.1-RELEASE sudo issues?

2015-03-18 Thread Jim Pingle
On 3/17/2015 4:48 PM, Manojav Sridhar wrote:
> Just upgraded my pfsense to 2.2.1-RELEASE, 
> 
> [2.2.1-RELEASE][user@host]/usr/lib: sudo
> Shared object "libintl.so.9" not found, required by "sudo
> 
> Can't seem to find the libintl.so.9, this breaks the sudo package. Anyone
> else run into this? 

Try the latest version of the sudo package, there is a fix for this.

Jim



Re: [pfSense] Issue with OpenVPN certificate depth validation and long certificate subjects

2015-03-10 Thread Jim Pingle
On 03/07/2015 04:32 PM, David Durrleman wrote:
> There seems to be an issue in pfsense's custom certificate depth
> verification for OpenVPN connections. When long certificate subjects are
> used, the validation fails. Here is how to repro:

Probably this (already fixed in 2.2.1):
https://redmine.pfsense.org/issues/4329

Jim



Re: [pfSense] Multi WAN IPv6

2015-03-09 Thread Jim Pingle
On 03/09/2015 10:28 AM, Tiernan OToole wrote:
> But there is a problem... The Multi-WAN one assumes that both WAN
> connections give IPv6 addresses, which in my case is false, and the
> Tunnel Broker assumes you have one WAN connection... Last time I tried
> this, mind you with a different router, all traffic went through one
> connection (the one the tunnel broker knew about) and nothing went
> through the rest...
> 
> 
> Anyone done this before?

Actually the instructions were written with a separate tunnel broker
connection on each WAN.

Though it may work with one tunnel broker and using a gateway group on
the tunnel endpoint update dyndns entry, I'm not sure anyone has tried that.

Jim


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Jim Pingle
On 03/08/2015 06:50 PM, Bryan D. wrote:
> My interpretation of the nice chart and notes on
> https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
> leads me to believe that I can switch the CARP VIPs to be IP Alias VIPs.  
> However, when I do that, the 2 servers for the 2 domains tied to the VIPs are 
> no longer accessible from the Internet (but IIRC, the mobile VPNs still work).
> 
> Can anyone suggest what it is that I don't understand (well, limited to this 
> behavior, at least)?

As has been hinted at elsewhere in the thread, your problem is likely
layer 2-related.

CARP VIPs get their own unique MAC address. Proxy ARP and IP Alias VIP
MAC addresses are shared with the NIC itself.

Changing from CARP to Proxy ARP or IP Alias would cause the MAC address
of the VIP to change, which may require clearing the ARP cache on the
modem/upstream router/etc.

Another possibility is that your upstream requires each additional IP
address to have a unique MAC address. We have seen this with some ISPs /
certain modems and it's a bit of a pain. CARP works around it because
each VIP on a different VHID has a unique MAC address, where IP alias
and Proxy ARP VIPs all have the same MAC address.

So there isn't a clear answer here. Likely, it would be OK to use Proxy
ARP, but you'll need to reboot the modem or upstream router. If that
still fails and CARP works, then your ISP or upstream equipment must be
expecting each IP to have a unique MAC address.

Jim


Re: [pfSense] serial port sadness

2015-02-25 Thread Jim Pingle
On 02/25/2015 12:03 PM, Bob Gustafson wrote:
> Years ago I had problems with serial cables - I invested in a little
> in-line gadget that had red and green LEDs for each line. The one I have
> uses 25 pin connectors, so the cable is a mix of 9-25 pin adapters and
> the LED viewer.
> 
> You can shut down/disconnect one end to see what lights remain lit. A
> flicker on a pair of lights indicates data flow. It has been very helpful.

I picked this up a few days ago and I'm quite happy with it:

http://www.amazon.com/gp/product/B00AHYJWWG

USB to serial converter with an LED readout including transmit and
receive indicators.

FTDI chip, too.

Jim



Re: [pfSense] Documentation page : wildcard DNS record

2015-02-19 Thread Jim Pingle
On 02/19/2015 07:03 AM, Guillaume wrote:
> The example wildcard DNS record given here :
> https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder is
> inaccurate w/pfsense 2.2.

The page is correct, but if you note the name it was specific to the DNS
Forwarder only (dnsmasq), not the DNS Resolver (Unbound).

> Thanks to this post (
> https://unbound.net/pipermail/unbound-users/2009-April/000560.html ) I
> have been able to set a wildcard, with the advanced option box.
> 
> In short :
> 
> local-zone: "FQDN" redirect
> local-data: "FQDN A HOST_IP"
> 
> 
> Could someone update the doc?

I added that info to the doc and renamed it so it's clear that now it
covers both the Forwarder and Resolver.

Thanks for the updated info!

Jim



Re: [pfSense] Lightsquid

2015-02-12 Thread Jim Pingle
On 02/12/2015 10:37 AM, Jim Pingle wrote:
> * Uninstall lightsquid
> * rm -rf /usr/local/lib/perl5
> * rm -rf /usr/local/www/lightsquid
> * rm /usr/local/bin/perl
> * rm /usr/bin/perl
> * Reinstall lightsquid

I missed a step, it should be:

* Uninstall lightsquid
* rm -rf /usr/local/lib/perl5
* rm -rf /usr/local/etc/lightsquid
* rm -rf /usr/local/www/lightsquid
* rm /usr/local/bin/perl
* rm /usr/bin/perl
* Reinstall lightsquid

Jim


Re: [pfSense] Lightsquid

2015-02-12 Thread Jim Pingle
[Please don't top post]
On 02/11/2015 08:13 PM, Brian Caouette wrote:
>> On Feb 11, 2015, at 5:24 PM, Jim Pingle wrote:
>> It works fine on 2.2 under the right circumstances.
>>
>> Those being that before installing lightsquid, /usr/local/lib/perl5
>> doesn't exist, and /usr/local/bin/perl is something valid or a link to
>> something valid.
>>
>> If you clean up the leftovers from older broken installations it works fine.
>>
>> The package tries to do some cleanup but it can't do too much without
>> potentially harming other packages.
> How do you clean left overs? I have an all but new 2.1.5 Netgate apu4
> that I let upgrade to 2.2.
>
> Will that fix the blank page when I try to view reports? What steps
> are needed for the fix? I have the support that came with the unit.
> Would somebody connect and fix it?

The "nuke it from orbit" method:

* Uninstall lightsquid
* rm -rf /usr/local/lib/perl5
* rm -rf /usr/local/www/lightsquid
* rm /usr/local/bin/perl
* rm /usr/bin/perl
* Reinstall lightsquid

Jim


Re: [pfSense] Lightsquid

2015-02-11 Thread Jim Pingle
On 2/11/2015 9:24 AM, WolfSec-Support wrote:
> lightsquid seems broken since release v2.2
> on our v2.1.5 pfsenses it worked fine

It works fine on 2.2 under the right circumstances.

Those being that before installing lightsquid, /usr/local/lib/perl5
doesn't exist, and /usr/local/bin/perl is something valid or a link to
something valid.

If you clean up the leftovers from older broken installations it works fine.

The package tries to do some cleanup but it can't do too much without
potentially harming other packages.

Jim


Re: [pfSense] Visual seperators?

2015-02-11 Thread Jim Pingle
On 2/11/2015 6:55 AM, kpolb...@olberg.name wrote:
> I guess it would break the current UI to have collapsible groups. And it
> might not have been the most thought through proposal :) I do however
> still feel there is a use for a separator. With regards to your comment
> on "over engineering". "If something is worth doing, it's worth
> overdoing" ;)

We get requests for this sort of thing from time to time but a consensus
is never reached about what might be possible, useful, and wouldn't make
the view worse for others.

Typically, though, if a set of rules is so long that they need grouping,
they likely are not making good use of aliases.

For visually identifying rules without grouping, there is also this
bounty thread on the forum that is progressing:
https://forum.pfsense.org/index.php?topic=87494.0;topicseen

Jim


Re: [pfSense] problem with bacula-client 7.0.5 binaries on pfsense 2.2

2015-02-09 Thread Jim Pingle
On 02/09/2015 11:30 AM, Dan Langille wrote:
> There's been a bug open for 14 days regarding the configuration issues:
> 
> https://redmine.pfsense.org/issues/4307
> 
> I will try the packaged binaries again.

FYI for others (Dan already knows from Twitter):

Bacula should be OK now on 2.2, as of package version 1.0.6.

The main problem was the paths being used for the various configuration
file and startup script references. Once those were fixed up things seem
to be OK.

There is still some awkwardness in how to set the package GUI up but
that's the same as it always was. Have to add two directors, one local
for the firewall itself and another for the remote bacula server.

There is still a lingering issue with the rc script not restarting
properly but we're looking into that as well. Not as critical as the
other issues at least.

If anyone wants to work on making the GUI more intuitive, feel free to
collaborate and submit some patches.

Jim



Re: [pfSense] New pfSense 2.2 install

2015-01-29 Thread Jim Pingle
On 01/29/2015 10:08 AM, Doug Lytle wrote:
> I'm building a new 64bit pfSense 2.2, running under ESXi 5.5.
> 
> I've noted 2 things.
> 
> 1.)  Bulk Alias imports button no longer exist on the main alias page.

It's still there on all mine, on each tab at the bottom there is an up
arrow ("^") and it opens the bulk import page.

> 2.)  When trying to create an alias that links to an online listing of
> blacklisted IP addresses, the alias that was just created disappears
> when hitting apply.

Look on the URLs tab or "all" tab not the IP tab.

Jim



Re: [pfSense] RRD persistence

2015-01-07 Thread Jim Pingle
On 01/07/2015 09:07 AM, Jeppe Øland wrote:
> Doesn't it automatically save the latest files when you reboot?
> I don't reboot often, but I don't remember ever having lost data
> (except if the firewall crashes - which did happen a few times in the
> past).

It does save them on a clean reboot. It can't save them if the power is
cut or the OS crashes/reboots uncleanly, though.

Some people "reboot" by yanking the power out from under a device or
using a hardware (or VM) reset button. That works, of course, but should
be a last resort. Rebooting via Diagnostics > Reboot or the equivalent
console/ssh menu option is best.

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] 32 or 64?

2015-01-06 Thread Jim Pingle
On 01/06/2015 04:08 PM, Jeppe Øland wrote:
>> https://doc.pfsense.org/index.php/Upgrade_Guide#Changing_architecture_.2832-bit_to_64-bit_or_vice_versa.29_during_upgrade
> 
> From that link:
>> Upgrading from 32-bit to 64-bit mostly works fine with a couple caveats - the
>> 32-bit RRD data is invalid on the 64-bit version and will have to be deleted 
>> by
>> running rm -rf /var/db/rrd*. All RRD history will be lost, this cannot be 
>> converted.
> 
> That is only partially true, but you will have to do it manually...
> Before backup/upgrade/restore, convert your RRD files to XML and store
> them on another machine.

Read the next paragraph below the one you quoted. :-)

It does precisely that provided you start with pfSense 2.1.x.

What doesn't work is a 2.0.x backup w/RRD 32-bit to 2.1 64-bit.

Jim


Re: [pfSense] 32 or 64?

2015-01-06 Thread Jim Pingle
On 01/06/2015 12:57 PM, Márcio Merlone wrote:
> I am planning to replace some Linksys boxes on remote offices with a
> virtual pfSense in the next months and was wondering  what's recommended
> for a new install today: 32 or 64 bits? I ask considering what's best
> for the mid-long term, are there any 64bit-only features now or planned?
> Will I lose something running a 32 bit version now or a few years from now?
> 
> What are the advantages/disadvantages of each now and what is expected
> for a near future? I am not asking for an in-depth analysis, but rather
> a general overview and opinion of the main diffs.

If the hardware can run 64-bit, use 64-bit. If the hardware can't run
64-bit, don't buy it. :-)

https://doc.pfsense.org/index.php/Is_32-bit_or_64-bit_pfSense_Preferred
https://doc.pfsense.org/index.php/Does_pfSense_support_64_bit_systems

Jim

Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-11 Thread Jim Pingle
On 12/10/2014 07:34 AM, Chris Bagnall wrote:
> On 10/12/14 6:36 am, Chris L wrote:
>> That’s actually your fault for using 10/8, not Comcast's.
>> Even if they were to use something like 10.58.223.0/24 they’d still
>> conflict with your 10/8.
> 
> There are so many different brands and models of consumer router on the
> market these days in the 10/8 and 192.168/16 range that we've pretty
> much given up on them for all new installs, instead dropping things into
> the other RFC1918 range: 172.16/12 (we usually use variants on
> 172.20.x/24 where x is reasonably random).
> 
> I don't think we've seen more than 1 or 2 consumer routers that default
> to anything in the 172.16/12 range - yet.

There are plenty out there using everything under the sun inside
RFC1918. It's only a matter of time before you hit a conflict.

Not that I would ever encourage such things (*cough*) but there are
other networks that could be used for VPN clients by admins who don't
feel like sticking strictly to RFC1918, and which are less likely to
conflict. Networks like those reserved for documentation (192.0.2.0/24,
198.51.100.0/24, 203.0.113.0/24) or benchmarking (198.18.0.0/15).

Which all sound good until you run across someone else who used them for
their LAN because they thought they wouldn't conflict. :-)

The Carrier-Grade NAT space should be avoided for VPN use also
(100.64.0.0/10) since clients could end up with an IP address in those
nets when connected to providers directly (3G/4G for example).

All that said, OpenVPN actually works OK in some conflicting scenarios.
At least it did last I tried it. Say the local client network at the
Hotel/airport/etc is 192.168.1.0/24, tunnel network is 10.0.8.0/24, and
the office net is 192.168.1.0/24. Except for the local gateway and the
client's actual IP address in the local network, the rest of the traffic
for 192.168.1.0/24 would still go over the VPN. They can't communicate
with other local hosts while they're connected but on a network like
that they wouldn't want to. The important thing to avoid conflict with
is the tunnel network itself.

Jim
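An added example, not from the thread: a Python check of a proposed tunnel network against the ranges listed above (RFC 1918 private, documentation, benchmarking, carrier-grade NAT) and against the office and client-side networks, using the message's own 192.168.1.0/24 and 10.0.8.0/24 scenario as constructed input:

```python
"""Address-conflict planning for VPN client networks, per the message above.
Added example, not pfSense or OpenVPN code. Reserved ranges are those the
message names (RFC 1918, RFC 5737 documentation, RFC 2544 benchmarking,
RFC 6598 CGNAT); candidate, office and client-side networks are constructed."""
import ipaddress
from typing import List, Optional, Tuple

RANGES = {
    "RFC1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "documentation (RFC 5737)": ["192.0.2.0/24", "198.51.100.0/24",
                                 "203.0.113.0/24"],
    "benchmarking (RFC 2544)": ["198.18.0.0/15"],
    "carrier-grade NAT (RFC 6598)": ["100.64.0.0/10"],
}


def classify(net: str) -> Optional[str]:
    """Name the reserved block a network overlaps, or None if it is none."""
    n = ipaddress.ip_network(net, strict=False)
    for name, blocks in RANGES.items():
        if any(n.overlaps(ipaddress.ip_network(b)) for b in blocks):
            return name
    return None


def conflicts(tunnel: str, office_nets: List[str],
              client_side_nets: List[str]) -> List[Tuple[str, str]]:
    """Findings for a proposed tunnel network as (kind, detail) pairs.

    tunnel: network clients get their VPN addresses from
    office_nets: networks routed over the VPN
    client_side_nets: networks the client may sit on (hotel LAN, 3G/4G CGNAT)
    """
    t = ipaddress.ip_network(tunnel, strict=False)
    findings: List[Tuple[str, str]] = []
    if classify(tunnel) == "carrier-grade NAT (RFC 6598)":
        findings.append(("avoid", "tunnel is in CGNAT space; mobile clients "
                                  "may be addressed inside it"))
    for o in office_nets:
        if t.overlaps(ipaddress.ip_network(o)):
            findings.append(("conflict", f"tunnel overlaps office net {o}"))
    for c in client_side_nets:
        c_net = ipaddress.ip_network(c)
        if t.overlaps(c_net):
            # The tunnel network itself must never collide with the client side
            findings.append(("conflict", f"tunnel overlaps client-side net {c}"))
        for o in office_nets:
            if c_net.overlaps(ipaddress.ip_network(o)):
                # Survivable per the message: most office traffic still goes
                # over the VPN; only the client's own address and local gateway
                # stay local, and local hosts become unreachable meanwhile.
                findings.append(("degraded",
                                 f"office net {o} overlaps client-side net {c}"))
    return findings


if __name__ == "__main__":
    # Scenario from the message: hotel LAN and office both 192.168.1.0/24
    for kind, detail in conflicts("10.0.8.0/24", ["192.168.1.0/24"],
                                  ["192.168.1.0/24"]):
        print(kind, "-", detail)
    print(classify("198.18.5.0/24"))  # benchmarking (RFC 2544)
```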

Re: [pfSense] 32bit to 64bit load config?

2014-10-16 Thread Jim Pingle
On 10/16/2014 08:10 AM, Mike Montgomery wrote:
> Good morning, I have a Pfsense 32bit running currently on a vmware host
> and am going to create a new one, but 64bit and using the 64bit
> install.  If I replicate the hardware on the vm, except I'm going to add
> more ram and cpu's to the host, is there any config issues to restore
> the 32bit backup to a 64bit install?  Also, this machine is also
> currently running 2.0.2, can I restore the config to the latest, or
> should I install the new as 2.0.2, then upgrade after restored?  Thanks

It will work fine, though from 2.0.x to 2.1.x moving between 32 and
64-bit you should make sure to not include RRD data in the backup.

Jim


Re: [pfSense] Help with OpenVPN interface rules

2014-10-14 Thread Jim Pingle
On 10/13/2014 10:46 AM, Paul Beriswill wrote:
> Now, when I create rules for the OpenVPN_Ops interface, using
> 'OPEN_VPN_OPS net' as 'Source' the rule never hits.
> It doesn't appear
> that the 'net' and 'address' aliases are being populated when the
> connection is established.  Is this correct?

I don't believe that macro works for OpenVPN interfaces. Remember, when
you assign the interface you must set it to an IP type of "None", and
that IP configuration is what the macro would have been filled from.

Manually specify the source of the traffic in the rules and you'll be OK.

You could use aliases to define specific subnet(s) or groups of people
based on the addresses you intend to assign via client-specific overrides.

Jim


Re: [pfSense] new user with console menu

2014-09-26 Thread Jim Pingle
On 9/26/2014 3:51 AM, Martin Fuchs wrote:
> When i add a new user to pfSense, this user does not have a menu when
> logging into the shell…
> 
> What rights does the user need to have the console menu displayed ?

The user won't have all the necessary permissions to use the menu so
they don't get one displayed.

You can install the sudo package and give someone access to run commands
and then perhaps they can run the menu via /etc/rc.initial

Through the use of sudo without a password (not recommended) and adding
the command to run the menu (/etc/rc.initial) in their login script, it
might work out to have them dropped in automatically.

Jim

Re: [pfSense] HPET timer issues?

2014-09-23 Thread Jim Pingle
On 9/23/2014 12:34 PM, Moshe Katz wrote:
> 1. Has anyone else seen this behavior?

The only HPET issue I'm aware of is on older versions of ESX where the
clock would completely stop ticking. That's been patched for a long time
now though.

> 2. I haven't noticed any performance issues after the switch, but is
> there anything that I need to be concerned about?

If you're not noticing any other side effects it's probably OK.

Check for a BIOS update or relevant BIOS setting, though it's probably
just something specific to that bit of hardware.

Jim



Re: [pfSense] CVE-2004-0230

2014-09-18 Thread Jim Pingle
On 9/18/2014 8:55 AM, Martin Fuchs wrote:
> Does CVE-2004-0230 affect pfSense 2.1.5 ?

As Vick mentions, practically the answer is 'no'.

There are some rare cases when it might, however. It would require:

1. Disabled pf (System > Advanced, Firewall/NAT tab, check "Disable all
packet filtering")
1a. Or the default rules were replaced by interface and floating rules
in every direction set to 'no state'

2. The firewall is still reachable by the attacker

3. Connections are being made _to_ pfSense (not _through_ pfSense), e.g.
local services such as the GUI, packages such as haproxy or squid, etc,
*NOT* WAN-to-LAN or LAN-to-DMZ type connections.

If all of the above are true then it may be susceptible to the attack
described in the FreeBSD SA.

I don't think I have ever witnessed a setup that met all of those
criteria, and even those that could meet the criteria wouldn't
necessarily have long-lived connections for which such a TCP session
reset would have any meaningful impact.

We will have the fix in 2.2 but I'm not sure if there will be another
2.1.x release at this time, but we'll see what happens.

Jim
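
The reset check behind CVE-2004-0230, as an added example that is not part of the original thread and is not FreeBSD or pfSense code. It models the pre-fix rule (any in-window RST is honoured) beside the RFC 5961 style rule (exact match only, challenge ACK otherwise), and counts how many blind guesses each rule needs; it also makes point 3 above concrete, since only the stack that terminates the connection ever runs this check. Sequence numbers and window sizes are constructed:

```python
"""Why CVE-2004-0230 needs an in-window reset check, and what the fix does.

Added example for this thread; it is not FreeBSD or pfSense code. The
strict check below models the approach RFC 5961 describes (exact match
resets, in-window-but-inexact gets a challenge ACK); the sequence numbers
and window sizes are constructed.
"""
import math

SEQ_SPACE = 1 << 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_legacy(seq, rcv_nxt, rcv_wnd):
    """Pre-fix stack: any RST whose sequence number lands in the receive
    window tears the connection down. An attacker who knows the 4-tuple only
    has to hit the window, not the exact number."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_strict(seq, rcv_nxt, rcv_wnd):
    """Post-fix stack: only an RST carrying exactly the next expected
    sequence number is honoured. In-window but inexact is answered with a
    challenge ACK, which a legitimate peer uses to resend a correct RST and
    a blind attacker never sees."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_guesses(rcv_wnd):
    """Spoofed RSTs needed to sweep the sequence space under each rule."""
    return {
        "legacy": math.ceil(SEQ_SPACE / rcv_wnd),  # one hit per window
        "strict": SEQ_SPACE,                        # one hit per value
    }


if __name__ == "__main__":
    nxt, wnd = 1000, 65536
    print(rst_legacy(nxt + 4000, nxt, wnd), rst_strict(nxt + 4000, nxt, wnd))
    print(blind_guesses(wnd))
```

The numbers are the whole point: with a 64 KiB window the legacy rule falls to about 65k spoofed packets, the strict rule needs the full 2^32, and neither matters for traffic that merely passes through the firewall because pf forwards the segment rather than terminating the connection.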


Re: [pfSense] understand the CARP "advskew" option

2014-09-11 Thread Jim Pingle
On 9/11/2014 7:23 PM, Martin T wrote:
> I see, thanks! However, while not the best practice, one could
> determine the master/backup role solely with "advbase", couldn't he?
> That's because host with the lowest "advbase"+"advskew" value (not just
> the "advskew" value) should be the preferred one?

Someone could but why would they?

pfSense automatically sets the skew for a backup during the sync, you'd
have to go out of your way to control it using only the base, and using
only the base would fail over much more slowly than using skew.

Technically, yes, it would be possible to do, but there is no advantage to
doing so unless using skew alone does not work for your configuration.

Jim


Re: [pfSense] understand the CARP "advskew" option

2014-09-10 Thread Jim Pingle
On 9/10/2014 5:15 AM, Martin T wrote:
> 1) Why does the message interval matter to CARP? Is CARP designed in
> a way that CARP prefers system which announces CARP messages with
> shortest interval?

Yes, the fastest advertisement wins the election and becomes master.

> 2) Why is "advskew" needed if one could determine the master/backup
> role solely with "advbase"?

See above. advbase is a base time added to the skew. (+1 sec per base value)

On slower networks you need to use a higher advbase on both to account
for lag in local network equipment such as when the two nodes are in
different buildings or similar situations.

Typically, base matches on both and you set the skew to give your
preferred primary node preference.

Jim
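
The election arithmetic behind both advskew messages above (the fastest advertiser wins; same base on both nodes with preference expressed through skew; raising the base on both slows failover), as an added example that is not part of the original thread and is not pfSense code. The interval follows carp(4), advbase + advskew/256 seconds; the dead-master timeout used here (3 * advbase + advskew/256 of the backup's own settings) and the +100 skew assumed for the secondary during config sync are this example's assumptions, so check them against the kernel and release you run:

```python
"""CARP election arithmetic for advbase and advskew.

Added example for the two advskew messages above; it is not pfSense code.
The advertisement interval follows carp(4): advbase + advskew/256 seconds,
shortest interval wins. The dead-master timeout (3 * advbase + advskew/256
of the backup's own settings) and the +100 skew pfSense applies to the
secondary during config sync are this example's assumptions; check them
against the kernel and release in use.
"""
from fractions import Fraction

SYNC_SKEW_OFFSET = 100  # assumed pfSense behaviour on the secondary node


def advert_interval(advbase, advskew):
    """Seconds between advertisements for one node."""
    if not 1 <= advbase <= 255:
        raise ValueError("advbase must be 1..255")
    if not 0 <= advskew <= 254:
        raise ValueError("advskew must be 0..254")
    return Fraction(advbase) + Fraction(advskew, 256)


def elect_master(nodes):
    """nodes: {name: (advbase, advskew)}. The node advertising most often
    wins. Returns (name, interval); ties are left to CARP's own tie-break."""
    ranked = sorted(nodes.items(), key=lambda kv: advert_interval(*kv[1]))
    name, (base, skew) = ranked[0]
    return name, advert_interval(base, skew)


def dead_master_timeout(advbase, advskew):
    """How long a backup with these settings waits before taking over."""
    return 3 * Fraction(advbase) + Fraction(advskew, 256)


def secondary_skew(primary_skew):
    """Skew pfSense is assumed to push to the secondary during sync."""
    return min(primary_skew + SYNC_SKEW_OFFSET, 254)


if __name__ == "__main__":
    # Preferred layout: same base, preference expressed through skew.
    print(elect_master({"primary": (1, 0), "secondary": (1, secondary_skew(0))}))
    print("takeover after", float(dead_master_timeout(1, secondary_skew(0))), "s")
    # Preference expressed through base alone: works, but fails over slower.
    print(elect_master({"primary": (1, 0), "secondary": (2, 0)}))
    print("takeover after", float(dead_master_timeout(2, 0)), "s")
```

With base 1 on both and skew 100 on the secondary, the secondary takes over a little under 3.4 seconds after the last advertisement; expressing the same preference as base 1 versus base 2 stretches that to 6 seconds, which is the slower failover the reply warns about.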


Re: [pfSense] Traffic shaper related error

2014-08-05 Thread Jim Pingle
On 8/5/2014 11:47 AM, Erik Anderson wrote:
> On Tue, Aug 5, 2014 at 9:37 AM, Jim Pingle  wrote:
>> Ensure that the correct interfaces are being chosen, especially if you
>> have reassigned the traditional WAN/LAN interface roles, since the
>> "single WAN" wizard would assume that the first interface is WAN,
>> regardless of what it may have been renamed.
> 
> Oh, interesting. In my case, my interfaces look like this:
> 
> - em0 (802.1q trunk to LAN subnets)
> - em1 (WAN)
> 
> Does that mean that I'll need to "reverse" things when going through the 
> wizard?

Not the first physical interface, but the first one assigned. For
example the one labeled "WAN" on the default install, if that was
renamed to something else and it's not actually "WAN" then the single
WAN wizard would make a false assumption.

We've done away with the extra wizards on 2.2 so now there is only the
multi/multi one that makes you select each one on its own so it can't
make bad assumptions.

The other bits wouldn't matter for shaping.

Jim



Re: [pfSense] Traffic shaper related error

2014-08-05 Thread Jim Pingle

Perhaps https://redmine.pfsense.org/issues/3535 or similar is happening.
Ensure that the correct interfaces are being chosen, especially if you
have reassigned the traditional WAN/LAN interface roles, since the
"single WAN" wizard would assume that the first interface is WAN,
regardless of what it may have been renamed.

Jim

On 8/5/2014 9:39 AM, Erik Anderson wrote:
> Just giving this a bump.
> 
> As it turns out, this error appears any time I build a shaper using
> the single-wan, multi-lan wizard. I haven't given any of the other
> options a try as they don't apply to my situation, and likewise, I
> haven't yet tried manually creating all of the traffic shaper queues,
> rules, etc.
> 
> Has anyone else seen this and if so, any recommendations for resolution?
> 
> -Erik
> 
> 
> On Thu, Jul 31, 2014 at 2:08 PM, Erik Anderson  wrote:
>> v 2.1.4...
>>
>> I configured a traffic shaper earlier this week (Monday I believe),
>> and I just started getting errors on the web UI stating:
>>
>> [There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid
>> argument - The line in question reads [0]: ]
>>
>> Grepping through my syslog server, the first occurrence of this error
>> was at 06:43 this morning (the 31st):
>>
>> Jul 31 06:43:38 pfsense-01.invenshure.com php:
>> rc.filter_configure_sync: New alert found: There were error(s) loading
>> the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in
>> question reads [0]:
>>
>> No config changes would have happened at this point that would trigger
>> configuration reload.
>>
>> Googling around, I found this bug:
>>
>> https://redmine.pfsense.org/issues/2901
>>
>> Following the lead of the user that posted this bug (and then
>> abandoned it), I removed my shaper and that fixed the problem. That's
>> not a viable long-term solution for me, though.
>>
>> Does anyone have guidance as to what the cause of this bug is?
>>
>> I'd be glad to provide config snippets if that would be helpful - just
>> specify which section(s) of the config would be helpful.
>>
>> Thank you!
>> -Erik
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
> 



Re: [pfSense] packages.pfsense.org down!

2014-08-05 Thread Jim Pingle
On 8/5/2014 6:04 AM, Nishant Sharma wrote:
> Package installer is not working for me.
> 
> https://packages.pfsense.org/xmlrpc.php shows following error:
> 
> "faultCode 105 faultString XML error: Invalid document end at line 1"

That page isn't meant to be accessed directly by a browser. Packages
work fine from here on all of the versions and platforms I had handy
to test.

You'll need to provide a lot more info about exactly how they fail for
you, starting with the exact version/architecture/platform of pfSense
you're using and what error message/condition you encounter when
attempting to install a package.

Jim


Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifications?

2014-07-10 Thread Jim Pingle
On 7/10/2014 10:38 AM, Stefan Baur wrote:
> Thank you.  I just checked, it actually appears twice, once for IPv4 and
> once for IPv6 (7 lines below the first occurrence), so I'm going to
> comment out both.

Yes, it is in there twice but IPv6 DynDNS is still fairly rare so the
second one probably isn't going to be hit often.

> (I'm kinda curious whether no one uses e-mail notifications in
> combination with DynDNS, or why I'm the first to notice/complain. I
> can't really imagine an "everything OK" e-mail being a desired feature
> for DynDNS updates, given their frequency.)

It was put in due to demand. People wanted to be alerted when their IP
address changed. For most it's a fairly infrequent event.

> Is there any chance of getting this disabled or made configurable via
> WebGUI checkbox in one of the next few releases?  Should I file a
> bug/feature request?

It may be possible in the future, but unless someone submits a pull
request to add the option, probably not any time soon. You can look for
an existing entry on https://redmine.pfsense.org/ for it, if one does
not already exist, feel free to create a new feature request.

Jim



Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifications?

2014-07-10 Thread Jim Pingle
On 7/10/2014 4:27 AM, Stefan Baur wrote:
> since upgrading to 2.1.3-RELEASE and enabling e-mail notifications under
> "System: Advanced: Notifications", I'm receiving an e-mail whenever the
> DynDNS update script ("Services: Dynamic DNS client") triggers an update.
> 
> I *do* want e-mail notifications, just not for such mundane things, only
> when stuff breaks.
> 
> So how do I configure that?

There is no way to selectively disable that notification at this time.

If you don't mind a simple source edit, you can disable the notification
by removing or commenting out etc/inc/dyndns.class line 1027 (on 2.1.3)
it should start with "notify_all_remote"

Jim



Re: [pfSense] NTPv6 Assignments Not Possible?

2014-07-09 Thread Jim Pingle
On 7/9/2014 11:57 AM, Mark Tinka wrote:
> I tried to add IPv6 NTP servers to my pfSense installation, 
> and it doesn't like them.
> 
> Anyone know when IPv6 support for NTP servers will come to 
> pfSense?

They work on 2.1.x but have to be found by hostname and not a bare IP
address. For an example, try ntp6a.rollernet.us or ntp6b.rollernet.us

Jim


Re: [pfSense] Please update the pfSense Wiki with the attached note

2014-06-11 Thread Jim Pingle
On 6/11/2014 4:40 AM, Stefan Baur wrote:
> Hi Jim (or anyone with editing rights on the Wiki):

I added that text (with some minor edits) to the page.

Jim



Re: [pfSense] ldap authentication against active directory fails with passwords containing the paragraph sign

2014-06-05 Thread Jim Pingle
On 6/5/2014 8:02 AM, Freund, Ingo wrote:
> today a user complained about not being able to login to IPsec VPN on the 
> pfSense via Shrew-Client 2.2.2 after he had changed his password.
> 
> After some research and testing we have to report that passwords which 
> contain the paragraph sign '§' are not validated the right way.
> The message on the DC is: Wrong username or password.
> After changing the paragraph sign into e.g. the dollar sign, everything works 
> fine.
> 
> Is this a bug?

Did you check "UTF8 Encode" on the LDAP server settings?

If not, then such non-standard characters may not have been sent in the
proper format for the server to understand.

Jim

Re: [pfSense] Problems with gateways on IPv6 Tunnels?

2014-06-03 Thread Jim Pingle
On 6/3/2014 12:37 PM, Seth Mos wrote:
> I just upgraded to 2.1.3 at home and tried to switch my IPv6 default gateway 
> around.
> 
> Unfortunately, when I try to set my HE.net tunnel gateway as the default it 
> throws an error that the gateway address is not in the interface subnet. 
> 
> I’ve set the prefix length in both the GIF interface settings and the OPT4 
> Interface settings to /120. Unfortunately it still throws that error. 
> Strangely enough the gateway status widget and status page tell me the 
> gateway is reachable fine and with proper response time.
> 
> This makes no sense. Anybody else seeing this?

IIRC, between 2.1 and 2.1.3 Ermal changed things so that GIF interfaces
get automatic gateways, so they should be "dynamic" these days. I'm not
sure if all the docs got caught up to that change.
(https://redmine.pfsense.org/issues/3484,
ddb30ebfc686165e00f0155e00df16edc17c31c5)

Mine is still set the old way but so long as I don't touch it, it works.
I haven't re-worked everything for the "new" method yet.

Jim

Re: [pfSense] installing vmtools

2014-05-21 Thread Jim Pingle
On 5/21/2014 2:31 PM, Florio, Christopher N wrote:
> Oh I feel dumb, the first thing is to install perl, which I can't do
> given my location on the network.
> 
> Ok so nevermind, sorry.

You can fetch the .tbz file for perl and the compat package mentioned on
the page to another system and then copy it to the vm locally, and
pkg_add perl.tbz from the shell (or whatever its name may be...)

For pkg_add there isn't a remote requirement, it's easier, but it's not
necessary.

Jim


Re: [pfSense] Poweredge 2850

2014-05-20 Thread Jim Pingle
On 5/20/2014 4:37 PM, Harlan Stenn wrote:
> On 5/20/14 11:01 AM, Jim Pingle wrote:
>> On 5/20/2014 1:45 PM, Brian Caouette wrote:
>>> For the price paid it can't be beat.
>> There is more than the sticker price to be considered.
>>
>> Note that these are just vague numbers that would vary by the specific
>> equipment power usage and local power costs.
>>
>> Atom, ~35W, 24h/day @ $0.05/kWh = About $15 per year.
>>
>> PE2850, ~250W, 24h/day @ $0.05/kWh = About $110 per year.
>>
>> Also have to factor in the extra cooling needed to handle the higher
>> heat output of the server, but that is more difficult to figure.
> 
> Where are you that you get electricity for .05/kWh?  Here in Oregon we
> have pretty great rates, and I think we're paying .10-.12/kWh.

It was just a random base figure for easy calculation that was in an
energy calculator site I used. Too much variance around the world to
pick any arbitrary "accurate" number since it wouldn't carry over.

Tiered pricing makes it even more difficult.

Either way, the power draw cost difference is substantial.


Re: [pfSense] Poweredge 2850

2014-05-20 Thread Jim Pingle
On 5/20/2014 1:45 PM, Brian Caouette wrote:
> For the price paid it can't be beat.

There is more than the sticker price to be considered.

Note that these are just vague numbers that would vary by the specific
equipment power usage and local power costs.

Atom, ~35W, 24h/day @ $0.05/kWh = About $15 per year.

PE2850, ~250W, 24h/day @ $0.05/kWh = About $110 per year.

Also have to factor in the extra cooling needed to handle the higher
heat output of the server, but that is more difficult to figure.

If you are in a place where power is included in your rent, it's no big
deal, but over time that adds up considerably for most people.

Jim


Re: [pfSense] Status of pfSense 2.2 regarding 802.11n

2014-05-15 Thread Jim Pingle
On 5/15/2014 1:03 PM, b...@todoo.biz wrote:
> I wanted to know what was the status of 2.2 regarding WLAN (802.11 n) support 
> / implementation ? 
> 
> I am mainly interested in Atheros driver support since most of our HW is 
> based on this chipset. 

The drivers are there, and the GUI options should pick up on the
supported protocols automatically.

I don't have an 802.11n capable card in anything running pfSense at the
moment to try it, but it should be there.

Jim



Re: [pfSense] Recommendations for Analyzing Firewall logs

2014-05-14 Thread Jim Pingle
On 5/14/2014 2:16 PM, Travis Hansen wrote:
> Do you have some good grok patterns for indexing pfsense data?
> 
> I started some a while back for this exact setup but gave up.

Keep an eye on the logs for pfSense 2.2. We ditched the native pflog
tcpdump style output and changed to a single line comma-separated log
output that should be fairly simple to parse by external utilities.

The logs on 2.2 have some issues on amd64 yet, but work on i386 if
you're looking to tinker right now.

Jim

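
A parser for the comma-separated filterlog lines the reply above refers to, plus one detection pass over them, as an added example that is not part of the original thread and is not pfSense code. The field order is taken from the pfSense 2.2 filterlog documentation as this example's author reads it (common header, then an IPv4 or IPv6 block, then length/source/destination, then a TCP or UDP block), so verify it against your own logs before trusting it; the sample lines are constructed:

```python
"""Parse the pfSense 2.2 single-line filterlog format and run one check
over it.

Added example for this thread, not pfSense code. The field order is taken
from the pfSense 2.2 filterlog documentation as this example's author reads
it, so verify it against your own logs; the sample lines are constructed.
"""
from collections import Counter

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6 = ["tclass", "flowlabel", "hoplimit", "proto", "proto_id"]
ADDR = ["length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["sport", "dport", "datalen"]

# Constructed sample lines (syslog header + filterlog payload).
SAMPLE_LINES = [
    "Jun 25 13:23:06 fw filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,192.0.2.20,54321,22,0,S,1234567890,,"
    "65535,,mss;nop;wscale",
    "Jun 25 13:23:07 fw filterlog: 9,16777216,,1000000105,igb1,match,pass,out,4,"
    "0x0,,64,0,0,DF,17,udp,60,192.0.2.20,192.0.2.53,51234,53,40",
    "Jun 25 13:23:08 fw filterlog: 7,16777216,,1000000107,igb1,match,block,in,6,"
    "0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::2,40000,443,0,S,1,,8192,,",
]


def _take(rec, names, fields, pos):
    """Bind the next len(names) fields to names; return the new position."""
    rec.update(zip(names, fields[pos:pos + len(names)]))
    return pos + len(names)


def parse_filterlog(line):
    """Return a dict of named fields, or raise ValueError for other lines."""
    _, sep, body = line.partition("filterlog: ")
    if not sep:
        raise ValueError("not a filterlog line")
    # Plain split is safe: the only multi-valued field (tcp options) uses ';'.
    fields = body.strip().split(",")
    rec = {}
    pos = _take(rec, COMMON, fields, 0)
    if rec["ipver"] == "4":
        pos = _take(rec, IPV4, fields, pos)
    elif rec["ipver"] == "6":
        pos = _take(rec, IPV6, fields, pos)
    else:
        raise ValueError("unknown IP version %r" % rec["ipver"])
    pos = _take(rec, ADDR, fields, pos)
    if rec["proto"] == "tcp":
        _take(rec, TCP, fields, pos)
    elif rec["proto"] == "udp":
        _take(rec, UDP, fields, pos)
    else:
        rec["rest"] = fields[pos:]  # icmp and friends: keep the raw tail
    return rec


def blocked_syn_sources(lines, threshold=1):
    """Sources whose inbound TCP SYNs were blocked at least `threshold`
    times: the first thing most people grep these logs for."""
    hits = Counter()
    for line in lines:
        try:
            rec = parse_filterlog(line)
        except ValueError:
            continue
        if (rec["action"] == "block" and rec["direction"] == "in"
                and rec.get("proto") == "tcp" and rec.get("tcpflags") == "S"):
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_filterlog(line)
        print(r["action"], r["direction"], r["proto"], r["src"], "->",
              r["dst"], r.get("dport"))
    print(blocked_syn_sources(SAMPLE_LINES))
```

The same field lists translate directly into a grok or CSV pattern for whichever log collector you use; the parser keeps ICMP and other protocols as a raw tail rather than guessing at their type-specific fields.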


Re: [pfSense] log grep inconsistency

2014-05-13 Thread Jim Pingle
On 5/13/2014 12:55 PM, David Burgess wrote:
> I have two firewalls running pfsense 2.1.3 amd64. One is nanobsd, the
> other is full install. Why is it that when I do 'grep band
> /var/log/ppp.log' on the embedded system I get the expected output of
> lines containing "band", while on the full system I only get "Binary
> file /var/log/ppp.log matches" for output. I can cat the file and see
> its contents. Both systems have /var on ram disk.

Luck?

ppp.log is a binary circular log[1], you have to use:

clog /var/log/ppp.log | grep band

Jim
1: http://doc.pfsense.org/index.php/View_Log_Files_in_the_Shell


Re: [pfSense] High iostat

2014-05-12 Thread Jim Pingle
On 05/12/14 23:09, Wajih Ahmed wrote:
> BTW it would be very nice to have a tool like lsof to see what files a
> pid has open and writing to.  But pfsense does not have lsof package.
> pid has open and writing too.  But pfsense does not have lsof package.

In addition to the other things mentioned, run:

top -aSH

press 'm' to switch to i/o view to see what process is hogging the disk.

Jim



Re: [pfSense] Port forwarding from multiple interfaces - reply packets are forwarded through the wrong interface.

2014-05-09 Thread Jim Pingle
On 5/9/2014 8:02 AM, Thierry De Leeuw wrote:
>> I have some trouble to setup port forwarding with multiple interfaces.
>> When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK
>> is sent from the VPN IP but throught the pppoe interface (which is the
>> default gw, but I would expect the NAT to take care of that - maybe I
>> am wrong?).
>> I would like that my server is accessible from both pppoe and VPN tunnel.

The "multiple interfaces" bit works fine when they're both actually
WANs, but when one is a VPN it doesn't work that way by default.

To get the behavior you want with OpenVPN, where reply-to sends the
packets back the way they came in, you'll need to do the following:

1. Assign/enable the OpenVPN interface from Interfaces > (assign). Set
it to an IP type of 'none'
2. Restart the VPN (edit/save)
3. Move firewall rules from the OpenVPN tab to the new interface tab. No
rules on the OpenVPN tab can match the traffic.

Jim


Re: [pfSense] ICMPv6 filtering recommendations with pfSense?

2014-05-08 Thread Jim Pingle
On 5/8/2014 1:16 PM, Adam Thompson wrote:
> Sorry for the late addition... Perhaps this was already covered, but if not:
> 
> Please don't filter ICMPv6. This is one of the key points every
> intro-to-v6 class teaches: IPv6 actually *needs* ICMPv6 to function in
> pretty much every situation.
> 
> The official guidance on this subject is RFC 4890, "Recommendations for
> Filtering ICMPv6 Messages in Firewalls".
> The TL;DR version is " just don't ".
> If a firewall operator can't read the RFC, and accurately distinguish
> between transit and local traffic, then they shouldn't filter any of it.
> 
> (Yes, I'm being a hard-ass here, because I already see people breaking
> IPv6 because they think it's OK to filter ICMP.)
> 
> It is probably possible to extrapolate a base set of recommendations
> that pfSense might be able to build in, similar to how there's a lot of
> automatic IPv4 filtering under the hood, but I don't believe this has
> been done yet.

Code of interest here:
https://github.com/pfsense/pfsense/blob/master/etc/inc/filter.inc#L2644

IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP has had
a bad reputation for a long time, and it's mostly undeserved in recent
times.

Jim


Re: [pfSense] upgrade dual ALIX netgate box?

2014-05-07 Thread Jim Pingle
On 5/7/2014 9:03 AM, Vick Khera wrote:
> I wonder then why pcengines points to the ALIX case from the APU board
> page as a recommended case.

They refreshed their cases about 6 months ago so they would be compatible.
The newer ALIX+APU style cases fit the ALIX and the APU both, but the
older ALIX cases are the ones that don't fit properly. I haven't tried
it myself, but someone might try to use ~1mm thick washers to gain a
little height on the stand-offs, but I wouldn't trust it to put adequate
pressure on the heat spreader to ensure proper cooling.

> Thanks for the info. Seems like it almost fits, but not quite... this 1U
> dual board form factor is very convenient for me, and having a more
> powerful system in it is attractive to me. Maybe I'll try to see if I
> can fit it using some additional mounting hardware.

Even if it did fit as expected, you may not get adequate cooling with
both units' heat spreaders pumping heat into the same single, large
metal case. Netgate is working on something to accommodate two APUs
comfortably.

Jim


Re: [pfSense] Manual Outbound NAT Creates Multiple Local Host Entries

2014-04-28 Thread Jim Pingle
On 4/28/2014 11:16 AM, Adam Piasecki wrote:
> I am currently running 2.1.2, I386. It’s possible that the config was
> originally from 1.2.3 as it has been upgraded multiple times to 2.1.2.
> 
> When enabling manual outbound NAT, it appears 3 entries are exactly the
> same 127.0.0.0/8 with NAT ports 1024:65535.
> 
> Just wondering what the reason for this is, or if it was a bug left in
> the config from 1.2.3. It’s not causing any problems just seemed strange.
> 

It depends on when you changed from Automatic to Manual. The rules would
have been made then. I thought we had fixed that before 2.1 went out but
it's possible it was still an issue there. There would be at least one
such rule per WAN you have, normally.

On 2.2 all of that was completely rewritten and it's definitely not an
issue there.

Jim

Re: [pfSense] export/import ipsec xml from pf 1.2.3 to 2.1.1

2014-04-22 Thread Jim Pingle
On 4/22/2014 2:15 PM, Alexsander Rodrigues wrote:
> I see. By upgrading the configuration file you mean to upgrade the
> pfsense 1.2.3 to 2.1.1 and then to export the configuration file?

That, or you can take the whole 1.2.3 config.xml and restore that to a
firewall already running 2.1.2, and then from there export the ipsec
section and import into another 2.1.2 system.

Jim



Re: [pfSense] export/import ipsec xml from pf 1.2.3 to 2.1.1

2014-04-22 Thread Jim Pingle
On 4/22/2014 1:03 PM, Alexsander Rodrigues wrote:
> Is anyone else having trouble trying to export vpn config from pfsense
> 1.2.3 to 2.1.1?

Anyone who tried that would have an issue, as it's only possible to
import and upgrade entire configuration files, not individual sections.

You have to upgrade the entire configuration as a whole.

Jim



Re: [pfSense] Interface yoyo

2014-04-21 Thread Jim Pingle
On 4/20/2014 7:02 PM, Volker Kuhlmann wrote:
> On Mon 21 Apr 2014 09:54:49 NZST +1200, Jim Pingle wrote:
> 
>> http://files.pfsense.org/jimp/patches/openvpn-tapbridgefix-2.1.x.diff
> 
> This has no effect on the hme problem unfortunately.
> 
> I rebooted and re-tested, but unplugging the cable to the wifi AP from
> the pfsense box and re-plugging it still gives a run-away system. Some
> logs below.

Some other setting appears to be causing the link on the NIC to bounce
up and down when configured. In the past we have seen that happen
because of a few things, such as spoofing a MAC address resetting the
NIC or bugs in the code causing the interface to be reset due to an
error. Those should have all been fixed/worked around, especially with
that last patch applied.

The Spoofed MAC address issue was a problem in the past with certain
drivers that sounds very similar because it got into a chicken-and-egg
scenario that went a little something like this:

* pfSense sets the MAC address
* The NIC driver resets its own link on the MAC change
* The link down/up triggered pfSense to reconfigure the NIC
* pfSense sets the MAC address again while reconfiguring the NIC
* The NIC driver resets its own link on the MAC change
* The link down/up triggered pfSense to reconfigure the NIC
* [lather, rinse, repeat]

We added some extra checks before resetting the MAC to prevent that sort
of thing from being a problem though, but it's possible that the HME NIC
is resetting its link when some _other_ setting is being applied. If you
have any special configuration on the NIC (spoofed MAC, custom MTU,
specific link speed, etc) it would help to know.

Jim


Re: [pfSense] Interface yoyo

2014-04-20 Thread Jim Pingle
On 4/20/2014 5:13 PM, Volker Kuhlmann wrote:
> On Sun 20 Apr 2014 19:46:41 NZST +1200, Bryan D. wrote:
>> I reported this issue with the HME's a while ago (it's nasty!):
>> bug #3481 -- https://redmine.pfsense.org/issues/3481
>>
>> Executive summary: replace the NIC with a different model. Too bad,
>> they used to work very well and virtually never die.
> 
> Confirm on (almost) all counts.
> I moved the printer to an rl driver port and the problem disappeared.
> top reports 350MB free memory.
> The same problem exists with the wifi AP connected to an hme driver
> port. Turning the AP off then on kills pfsense.
> I'll update the report.
> 
> The number of spawned php processes that kill the system however look
> like a pfsense problem to me and the php code should prevent itself from
> meltdown. Or does freebsd really require php for handling interface
> hotplug events? As in, a basic minimal freebsd system does not work
> without php installed?

Apply this patch with the system patches package, see if it's maybe
hitting a bug similar to what was happening with OpenVPN (rc.newwanip
was being fired from rc.linkup repeatedly... something made it fall into
a loop)

http://files.pfsense.org/jimp/patches/openvpn-tapbridgefix-2.1.x.diff

That code is already in the tree but it happened after 2.1.2.

Jim


Re: [pfSense] Heartbleed and OpenVPN

2014-04-11 Thread Jim Pingle
On 4/11/2014 9:57 AM, Tim Nelson wrote:
> Hot on the heels of the OpenSSL debacle, and a fresh new release of
> pfSense (THANK YOU), I'm curious about the Heartbleed vulnerability's
> actual attack surface. All of the relevant information, reports,
> and PoC's are pointing at exploit only via an affected HTTPS webserver.
> However, I have not yet seen any PoC for exploiting other SSL based
> services, specifically OpenVPN.
> 
> At this time, are there PoC's for Heartbleed and OpenVPN? I understand
> regardless the upgrade/patch is needed, but curious to know if an
> exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even
> static keys).

Static keys were never vulnerable, nor is SSL/TLS when using a TLS
Authentication Key unless the attacker has the key, in which case you
probably have larger problems... or you're on a public VPN service that
is running lots of people through common instances.

https://community.openvpn.net/openvpn/wiki/heartbleed has more info.

I also have yet to see a testing program/script/PoC that would get
anything from OpenVPN. If anyone does know of one, we'd love to see it.

Jim
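
Why a TLS Authentication Key takes OpenVPN off the Heartbleed attack surface, as an added example that is not part of the original thread and is not OpenVPN code. It models tls-auth as an HMAC gate in front of the TLS layer: packets without a valid HMAC are dropped before any TLS record parsing, so an attacker who lacks the key never reaches the heartbeat code, while a peer who holds the key (the shared public-VPN case mentioned above) passes straight through. The framing here is a simplified model, not OpenVPN's real control-channel layout, and keys and payloads are constructed:

```python
"""Why a tls-auth key keeps Heartbleed probes away from OpenSSL.

Added example for this thread; it is not OpenVPN code. The framing is a
simplified model (HMAC-SHA1 over packet-id + payload, prepended to the
packet), not OpenVPN's real control-channel layout, and the keys and
payloads are constructed.
"""
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def wrap(key, packet_id, payload):
    """What a peer holding the shared tls-auth key sends."""
    body = struct.pack("!I", packet_id) + payload
    return hmac.new(key, body, hashlib.sha1).digest() + body


class TlsAuthGate:
    """Sits in front of the TLS layer: bytes reach it only after the HMAC
    and the replay check pass. Without the key, an attacker's crafted
    heartbeat never gets parsed by OpenSSL at all."""

    def __init__(self, key):
        self.key = key
        self.seen_ids = set()
        self.delivered = []  # what the TLS layer actually received

    def receive(self, packet):
        if len(packet) < TAG_LEN + 4:
            return "drop:short"
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "drop:bad-hmac"
        packet_id = struct.unpack("!I", body[:4])[0]
        if packet_id in self.seen_ids:
            return "drop:replay"
        self.seen_ids.add(packet_id)
        self.delivered.append(body[4:])
        return "tls"


def demo():
    """Legitimate peer, blind attacker, and an attacker who has the key
    (the shared public VPN service case from the thread)."""
    server_key = b"\x11" * 64          # constructed shared tls-auth key
    gate = TlsAuthGate(server_key)
    heartbeat = b"\x18\x03\x02\x00\x03\x01\x40\x00"  # constructed probe bytes
    return {
        "client": gate.receive(wrap(server_key, 1, b"client-hello")),
        "replay": gate.receive(wrap(server_key, 1, b"client-hello")),
        "blind": gate.receive(wrap(b"\x22" * 64, 2, heartbeat)),
        "insider": gate.receive(wrap(server_key, 3, heartbeat)),
        "reached_tls": list(gate.delivered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "insider" case is the one to keep in mind: the gate only helps while the key is secret, which is why a VPN service handing one tls-auth key to every customer gets no protection from it.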


Re: [pfSense] Problem with lots of dhcpleases processes

2014-04-09 Thread Jim Pingle
On 4/9/2014 11:21 AM, Brian Caouette wrote:
> On 4/9/2014 11:05 AM, Jim Pingle wrote:
>> On 4/9/2014 9:34 AM, Raimund Sacherer wrote:
>>> the last weekend I took a new firewall in production, the server is a
>>> Dell R210 with 2 port intel card (igb) .
>>>
>>> today I checked the system and I encountered the following, any idea
>>> why I have so much dhcpleases processes?
>>> Can I kill them without problems?
>> Usually it's due to a bad/stale PID file in /var/run
>>
>> There's a fix for this coming also along with the heartbleed ssl fix
>> should be later today.
>>
>> Jim
>> ___
>> List mailing list
>> List@lists.pfsense.org
>> https://lists.pfsense.org/mailman/listinfo/list
> Captive Portal bug being fixed too? I had to disable the CP after the
> 2.1.1 update to be able to surf again.

Yes, that one too; it was a typo that has been corrected.

Jim



Re: [pfSense] Problem with lots of dhcpleases processes

2014-04-09 Thread Jim Pingle
On 4/9/2014 9:34 AM, Raimund Sacherer wrote:
> the last weekend I took a new firewall in production, the server is a Dell
> R210 with 2 port intel card (igb).
> 
> today I checked the system and I encountered the following, any idea why I 
> have so much dhcpleases processes?
> Can I kill them without problems?

Usually it's due to a bad/stale PID file in /var/run

There's a fix for this coming also along with the heartbleed ssl fix
should be later today.

Jim

