RE: [pfSense-discussion] PPTP VPN on OPT1/WAN2
We tested this already pretty much in detail earlier and the answer is: no, PPTP won't work at an OPT-WAN (unless you are coming directly from the OPT-WAN subnet with proper firewall rules). Looks like the PPTP server can't handle this situation correctly. Nothing that we can fix at our end.

Holger

-----Original Message-----
From: Heath Henderson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 18, 2006 6:23 AM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] PPTP VPN on OPT1/WAN2

I am not certain I explained it correctly. The pfSense built-in PPTP server answers correctly on the WAN address. But it doesn't answer at all on the WAN2 address, regardless of rules in the FW for that interface. I just wondered if it was a limitation of that PPTP server/setup. I am using a load balanced/failover setup and just wanted to make sure that was not an option if I have people asking me about it.

Thanks
--
Heath Henderson
[EMAIL PROTECTED]
1800 288 7750
--

From: DarkFoon [EMAIL PROTECTED]
Reply-To: discussion@pfsense.com
Date: Tue, 17 Oct 2006 20:19:31 -0700
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] PPTP VPN on OPT1/WAN2

Seems to me that with PPTP (and other protocols) if the source IP address of packets sent to the client differs from the IP the client sends packets to, the PPTP software discards (as it should) the packets because they could be coming from an untrusted third party.

----- Original Message -----
From: Heath Henderson [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, October 17, 2006 7:51 PM
Subject: [pfSense-discussion] PPTP VPN on OPT1/WAN2

Does anyone know if there is a limitation to the PPTP VPN connection to only connect via the WAN connection and not via OPT1 or WAN2? I have a successful server running and can connect via WAN but it times out whenever I try and hit the WAN2/OPT1 connection with the same setup. I checked all of my rules and they are identical.

Thanks
--
Heath Henderson
[EMAIL PROTECTED]
1800 288 7750
--
[pfSense-discussion] 2 vpn client connections from the same ip does not work
Hi,

Thanks for a great product. I am running the Racoon IPSEC server and it all works great, except that if 2 clients are behind the same firewall, only one of them will be able to make the connection to the VPN server. Am I doing anything wrong here?

I have problems with roadwarriors using aggressive mode. I'm using SafeNet SoftRemoteLT VPN clients. I know it works with the isakmpd IPSEC server from an earlier setup I have had. It does not work both behind another pfSense firewall and some other unknown firewall that I don't know the name of.

What are my options? Is this the right behavior? Or is there something set up completely wrong in the Racoon IPSEC setup?

kind regards
Mikael Syska
[pfSense-discussion] dnsmasq config file support
I have come across a few situations where I have wanted to be able to add wildcard DNS entries to a pfSense box. Dnsmasq does support this through its config file, dnsmasq.conf, with an entry like this:

address=/proxy.dns.net/192.168.1.1

or on the command line:

-A, --address=/domain/ipaddr    Return ipaddr for all hosts in specified domains.

-A /proxy.dns.net/192.168.1.1

This would return 192.168.1.1 for every request for *.proxy.dns.net.

The reason I would find this useful is so that users behind a pfSense firewall that are not using reflection can use a DNS based rewriting proxy that is inside the firewall from inside the firewall. See http://www.usefulutilities.com/support/rewrite.html for a description of that type of proxy.

The situation in our case is that we use our ISP's DNS servers for the entries that the world can access, so we have a wildcard DNS entry set up with them, which points to the external address of a pfSense box, which forwards it to an internal server. The URL rewriting works fine from a remote location, but from inside the firewall dnsmasq passes the long DNS names to the external DNS server: proquest.com.proxy.example.com gets translated to the external IP address, which doesn't work from inside the firewall.

I think the setup would be very similar to the /usr/local/www/services_dnsmasq_domainoverride_edit.php setup, since it could just add a command line argument.

Is this something that would be considered for inclusion?

Thanks
Josh
--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Mobile 701.371.3857
Re: [pfSense-discussion] dnsmasq config file support
On 10/18/06, Josh Stompro [EMAIL PROTECTED] wrote:
> I have come across a few situations where I have wanted to be able to add wildcard DNS entries to a pfSense box. Dnsmasq does support this through its config file, dnsmasq.conf, with an entry like this:
>
> address=/proxy.dns.net/192.168.1.1
>
> or on the command line:
>
> -A, --address=/domain/ipaddr    Return ipaddr for all hosts in specified domains.
>
> -A /proxy.dns.net/192.168.1.1
>
> This would return 192.168.1.1 for every request for *.proxy.dns.net.
>
> The reason I would find this useful is so that users behind a pfSense firewall that are not using reflection can use a DNS based rewriting proxy that is inside the firewall from inside the firewall. See http://www.usefulutilities.com/support/rewrite.html for a description of that type of proxy.
>
> The situation in our case is that we use our ISP's DNS servers for the entries that the world can access, so we have a wildcard DNS entry set up with them, which points to the external address of a pfSense box, which forwards it to an internal server. The URL rewriting works fine from a remote location, but from inside the firewall dnsmasq passes the long DNS names to the external DNS server: proquest.com.proxy.example.com gets translated to the external IP address, which doesn't work from inside the firewall.
>
> I think the setup would be very similar to the /usr/local/www/services_dnsmasq_domainoverride_edit.php setup, since it could just add a command line argument.
>
> Is this something that would be considered for inclusion?
>
> Thanks

Absolutely. If you want to provide diff -rub format patches, we will commit.

Scott
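An added example, not code from this thread or from pfSense or dnsmasq: a Python sketch of what the form Josh proposes would have to do. It builds a validated address=/domain/ip line (so a web form cannot smuggle a second option or shell metacharacters into the dnsmasq command line) and emulates dnsmasq's address= matching so that a long name such as proquest.com.proxy.example.com resolves to the internal address. Only the proxy.dns.net entry comes from the thread; the other entries are constructed, and the matching semantics (domain plus everything beneath it, longest match wins) are stated as an assumption in the code.

```python
import ipaddress
import re

# Constructed sample entries in dnsmasq "address=/domain/ipaddr" form; only the
# proxy.dns.net one comes from the thread, the other two are made up.
SAMPLE_ENTRIES = [
    "address=/proxy.dns.net/192.168.1.1",
    "address=/proxy.example.com/10.0.0.5",
    "address=/internal.proxy.example.com/10.0.0.9",
]
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """Strict check for a value that will be written into dnsmasq.conf or put
    on the dnsmasq command line: only dot-separated LDH labels are accepted."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def address_entry(domain, ip):
    """Build the address=/domain/ip line the proposed form would write. Both
    halves are validated first, so '/', whitespace or shell metacharacters in
    user input cannot smuggle a second option into the dnsmasq invocation."""
    if not valid_hostname(domain):
        raise ValueError("bad domain: %r" % domain)
    ipaddress.ip_address(ip)  # raises ValueError for anything but an IP literal
    return "address=/%s/%s" % (domain.rstrip(".").lower(), ip)

def parse_entries(lines):
    """Return {domain: ip} from address=/domain/ip config lines."""
    entries = {}
    for line in lines:
        line = line.strip()
        if line.startswith("address=/"):
            _, domain, ip = line.split("/", 2)
            entries[domain.lower().rstrip(".")] = ip
    return entries

def resolve(name, entries):
    """Emulate dnsmasq address= matching (assumed semantics: the domain itself
    and every name beneath it answer with the IP; longest matching domain wins)."""
    name = name.lower().rstrip(".")
    best = None
    for domain, ip in entries.items():
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else None
```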
Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work
pf doesn't have any method of separating out the isakmp or esp traffic. There's been some talk of ipsec state code, but I don't know when FreeBSD will see it (certainly not before it's implemented in OpenBSD's pf I'm sure). If you have multiple IP addresses, you could use 1:1 NATs to solve this (I have coworkers that use this to have multiple workstations connected to our IPSec devices).

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:
> Hi,
>
> Thanks for a great product. I am running the Racoon IPSEC server and it all works great, except that if 2 clients are behind the same firewall, only one of them will be able to make the connection to the VPN server. Am I doing anything wrong here?
>
> I have problems with roadwarriors using aggressive mode. I'm using SafeNet SoftRemoteLT VPN clients. I know it works with the isakmpd IPSEC server from an earlier setup I have had. It does not work both behind another pfSense firewall and some other unknown firewall that I don't know the name of.
>
> What are my options? Is this the right behavior? Or is there something set up completely wrong in the Racoon IPSEC setup?
>
> kind regards
> Mikael Syska
Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work
pfsense

--Bill

On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:
> hey,
>
> so it's a problem on the client side or server side? Not the hardcore firewall dude, I had it working on an OpenBSD with isakmpd, is their implementation any different?
>
> kind regards
> mikael syska
>
> From: Bill Marquette [mailto:[EMAIL PROTECTED]]
> Sent: Wed 18-10-2006 18:57
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] 2 vpn client connections from the same ip does not work
>
> pf doesn't have any method of separating out the isakmp or esp traffic. There's been some talk of ipsec state code, but I don't know when FreeBSD will see it (certainly not before it's implemented in OpenBSD's pf I'm sure). If you have multiple IP addresses, you could use 1:1 NATs to solve this (I have coworkers that use this to have multiple workstations connected to our IPSec devices).
>
> --Bill
>
> On 10/18/06, Mikael Syska [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > Thanks for a great product. I am running the Racoon IPSEC server and it all works great, except that if 2 clients are behind the same firewall, only one of them will be able to make the connection to the VPN server. Am I doing anything wrong here?
> >
> > I have problems with roadwarriors using aggressive mode. I'm using SafeNet SoftRemoteLT VPN clients. I know it works with the isakmpd IPSEC server from an earlier setup I have had. It does not work both behind another pfSense firewall and some other unknown firewall that I don't know the name of.
> >
> > What are my options? Is this the right behavior? Or is there something set up completely wrong in the Racoon IPSEC setup?
> >
> > kind regards
> > Mikael Syska