Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-03-01 Thread DarkFoon
Actually, this is the first time I've heard subnetting explained in a way
that actually made sense.
Kudos!
And thank you!


- Original Message - 
From: Adrian Wenzel adr...@lostland.net
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 9:22 AM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)



 My apologies, I meant Network layer, not Transport.  Sheesh.  Serves me
right for spamming the list with general info (as I spam it again with my
correction ;)


 snip

 So there are 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in
the 4th octet that are valid for use as IPs on the local subnet (the +'s
represent bits that, if changed, would tell the Transport layer that the IP
is not local... the -'s are bits you can change to give yourself IPs local
to your subnet.  Note that they correspond to the 1's and 0's of the
netmask).

 /snip

 -
 To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
 For additional commands, e-mail: discussion-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org




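The +/- netmask picture quoted above, worked through in code. This is an added example, not code from the list or from pfSense; it only uses Python's standard ipaddress module. The helpers generalise beyond the /8 vs /9 case in the thread: bit_layout() draws the fixed (+) and free (-) bits for any prefix, same_subnet() and overlapping() are the checks to run on two interface addresses before enabling a second LAN, carve() splits a block into disjoint halves, and smallest_prefix_for() sizes a subnet for a given host count (the 20-device guest LAN mentioned later in the thread needs only a /27). The addresses used are made up.

```python
import ipaddress


def bit_layout(network: str) -> str:
    """Render the 32 bits of an IPv4 network as '+' for bits fixed by the
    netmask (change one and the address leaves the subnet) and '-' for
    host bits that are free to vary, grouped per octet."""
    net = ipaddress.IPv4Network(network, strict=False)
    bits = "+" * net.prefixlen + "-" * (32 - net.prefixlen)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def same_subnet(iface_a: str, iface_b: str) -> bool:
    """True when two interface addresses (address/prefix) fall in the same
    network; two router interfaces must never share one."""
    a = ipaddress.IPv4Interface(iface_a)
    b = ipaddress.IPv4Interface(iface_b)
    return a.network == b.network


def overlapping(net_a: str, net_b: str) -> bool:
    """True when the two networks share any address, even with different
    prefix lengths (a /8 contains both of its /9 halves)."""
    return ipaddress.IPv4Network(net_a, strict=False).overlaps(
        ipaddress.IPv4Network(net_b, strict=False))


def carve(base: str, new_prefix: int, count: int) -> list:
    """Split `base` into disjoint /new_prefix subnets and return the first
    `count` of them as strings."""
    base_net = ipaddress.IPv4Network(base, strict=False)
    return [str(s) for s in list(base_net.subnets(new_prefix=new_prefix))[:count]]


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `hosts` usable
    addresses after reserving the network and broadcast addresses."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("too many hosts for a single IPv4 subnet")


if __name__ == "__main__":
    # The thread's broken setup: both LANs as 10.x.y.z/8 land in one subnet.
    print(same_subnet("10.1.2.3/8", "10.200.2.3/8"))    # True
    # The suggested fix: /9 splits 10/8 into 10.0.0.0/9 and 10.128.0.0/9.
    print(carve("10.0.0.0/8", 9, 2))
    print(bit_layout("10.0.0.0/9"))
    # A /9 for a 20-device guest LAN is oversized; a /27 is enough.
    print(smallest_prefix_for(20))                       # 27
```

Note that mixing a /8 on one interface with a /9 on the other (the second attempt later in this thread) still overlaps, because the /8 contains the whole /9; overlapping() reports that even when same_subnet() would not.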



Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-28 Thread DarkFoon
The rules are the easy part. I had to do a similar thing for a pfSense box
that had 4 interfaces.
I'm just going to share my advice now, but you'll need to get the subnetting
figured out before you can add these rules.

On the LAN2 interface, create a block rule that goes at the very top of the
rules list that prevents any connection originating in LAN2 from connecting
to LAN1. Then after that you can have the standard LAN2 -> any rule and
everything should work as expected.

On the LAN1 interface, you shouldn't have to add any rules except the
default LAN -> any rule.

I understand I may have misunderstood your needs, but as I understand them,
that is the rule set-up you will want. It should still allow LAN1 to print
to a printer on LAN2, but not allow LAN2 to access LAN1.



- Original Message - 
From: Tortise tort...@paradise.net.nz
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 12:53 AM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)


 Hi Adrian

 Thank you so much for your response.

 I think those numbers do have something to do with it, as when I enable
OPT1 I lose the webserver's access and have to reset to a
 default and start over  (I hate that!)

 I have since tried configuring as:
 LAN1: 10.aaa.bbb.ccc/8
 LAN2: 10.(aaa+1).bbb.ccc/9

 I presume I have still got it wrong.

 I want to keep LAN1's IP numbers as they are, as there are a number of Static
DHCP assignments all set, for LAN2 I don't really care what
 this is, and I can't imagine needing more than 20 addresses on LAN2, which
may be relevant.  Can you suggest further?  (Of course
 they can be changed if necessary)

 Also I assume I will need to do some LAN2 rules to 1) give access to the
Internet
 and LAN1 rules to gain access to LAN2 however the devil may be lying in
the detail to do that...

 Still as you say we need to get LAN2 working for a start.

 Kind regards
 David


 - Original Message - 
 From: Adrian Wenzel adr...@lostland.net
 To: discussion@pfsense.com
 Sent: Saturday, February 28, 2009 7:05 PM
 Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)



 Hello,

So, it seems you are configuring as such:

 LAN1: 10.aaa.bbb.ccc/8

 LAN2: 10.xxx.yyy.zzz/8

 This is not right, since /8 means a netmask of 255.0.0.0, making the
network portion of each subnet only the first octet... thus the
 same subnet.  Two devices configured with the same subnet, and on two
different physical networks will not work.

 You should try a netmask of 255.128.0.0, or /9 (assuming you really need
all those IPs on each network).  That will correctly
 differentiate the subnets and allow routing to occur ;)

 We can get into separating your LANs to disallow your desired access after
this is working.

 Thanks,
 Adrian


 - Original Message -
 From: Tortise tort...@paradise.net.nz
 To: discussion@pfsense.com
 Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern
 Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

 Hi

 I have been trying to setup a WAN and two LAN.  (3 NIC's)

 I want LAN1 to be able to access LAN2 but not the other way around.  The
idea is that LAN1 is less public than LAN2.

 i.e. visitors can connect to the Public LAN2 and browse the Internet etc
while not having any access to LAN1

 LAN 2 will have a LAN printer on it, as an example, which can receive
print jobs from both LAN1 and LAN2.

 WAN is a static IP to Cable.

 LAN1 is using 10.xxx.yyy.zzz /8 and OPT was intended to use 10.aaa.bbb.ccc
/8 however enabling this seems to make it all fall over, ie
 I lose Internet connection from LAN things become unresponsive.

 As an aside I tried editing /conf/config.xml however it would not save
from the terminal window, does one have rights to edit the
 config there?  I was using the ee editor.

 Has anyone done this sort of thing and what am I missing to get it
working?

 In anticipation many thanks indeed.

 Kind regards
 David






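A small model of the rule set suggested in the reply at the top of this message, added here as an example; it is not code from the thread or from pfSense. pfSense evaluates each interface's rules top to bottom and the first match wins (every GUI rule carries pf's "quick"), and a pass rule creates a state that is matched in both directions before any rule is consulted (the default floating state policy). That is why a LAN1 host's print job gets its replies back through LAN2 without any pass rule there, and why the block rule has to sit above the LAN2 -> any rule. The networks 10.0.0.0/9 and 10.128.0.0/9, the printer listening on tcp/9100 and all addresses are assumptions:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed addressing (not from the thread): LAN1 = 10.0.0.0/9 (private),
# LAN2 = 10.128.0.0/9 (guests plus the printer). Raw printing assumed on tcp/9100.
LAN1_NET = "10.0.0.0/9"
LAN2_NET = "10.128.0.0/9"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS the firewall on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        def within(addr: str, cidr: str) -> bool:
            return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return (within(pkt.src, self.src) and within(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match evaluation per interface with floating state: a packet that
    matches an existing state in either direction passes before rules run."""

    def __init__(self, rules: Dict[str, List[Rule]]):
        self.rules = rules
        self.states: Set[Tuple] = set()

    @staticmethod
    def _fwd(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, pkt: Packet) -> str:
        if self._fwd(pkt) in self.states or self._rev(pkt) in self.states:
            return "pass:state"
        for rule in self.rules.get(pkt.iface, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(self._fwd(pkt))
                return f"{rule.action}:rule"
        return "block:default"


def build(block_first: bool) -> Firewall:
    """The rule set from the reply. With block_first=False the block rule sits
    below the 'LAN2 -> any' pass rule and is never reached."""
    lan2 = [Rule("block", LAN2_NET, LAN1_NET), Rule("pass", LAN2_NET, "any")]
    if not block_first:
        lan2.reverse()
    return Firewall({"lan1": [Rule("pass", LAN1_NET, "any")], "lan2": lan2})


def scenario(block_first: bool) -> Dict[str, str]:
    fw = build(block_first)
    host, printer, guest, web = "10.0.0.5", "10.128.0.20", "10.128.0.30", "203.0.113.10"
    out: Dict[str, str] = {}
    # LAN1 host sends a print job; the printer's reply enters on LAN2.
    out["print_job"] = fw.filter(Packet("lan1", host, printer, "tcp", 51000, 9100))
    out["print_reply"] = fw.filter(Packet("lan2", printer, host, "tcp", 9100, 51000))
    # A guest on LAN2 tries the LAN1 host, then the Internet.
    out["guest_to_lan1"] = fw.filter(Packet("lan2", guest, host, "tcp", 52000, 445))
    out["guest_to_web"] = fw.filter(Packet("lan2", guest, web, "tcp", 52001, 443))
    return out


if __name__ == "__main__":
    print(scenario(block_first=True))
    print(scenario(block_first=False))
```

Compare the two runs: with the block rule below the LAN2 -> any rule, the guest's connection to LAN1 is passed, which is the ordering mistake the reply warns about. The model is a simplification (it ignores the outbound evaluation on the far interface and assumes floating states); the point it shows is that state matching, not a LAN2 pass rule, is what lets the print job's replies through.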



Re: [pfSense-discussion] SLC or MLC flash for full install

2008-10-23 Thread DarkFoon
SLC, since storage isn't the most important factor. It gives better
performance (a nice bonus, since it's also not primary) and more importantly
it gives a longer lifetime, since fewer cells are over written with each
write.

FYI,
Although not specifically about CF, I found this article enlightening
regarding other manufacturers.
http://www.anandtech.com/cpuchipsets/intel/showdoc.aspx?i=3403

The lesson learned is to stay away from bargain-basement makers. (And
JMicron controllers, apparently...)



- Original Message - 
From: Eugen Leitl [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, October 23, 2008 4:10 AM
Subject: [pfSense-discussion] SLC or MLC flash for full install



 I'm thinking about trying the full instead of embedded
 install on WRAP/ALIX devices, on compact flash. With increased
 sizes and better flash it seems a year or a couple is a reasonable
 lifetime to expect in a domestic usage pattern these days.

 Have any of you made especially good/bad experiences with either
 SLC or MLC CF? Any vendors to recommend, or to stay away from?

 Thanks.




Re: [pfSense-discussion] W.O.L. Security Question

2008-10-02 Thread DarkFoon
Thank you for your answer.


- Original Message - 
From: Chris Buechler [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, September 30, 2008 5:43 PM
Subject: Re: [pfSense-discussion] W.O.L. Security Question


 On Tue, Sep 30, 2008 at 2:39 AM, DarkFoon [EMAIL PROTECTED] wrote:
  Greetings all,
 
  I recently upgraded my pfsense platform to a new(er) motherboard with an
  integrated NIC with Wake On LAN.
  If I use this as my WAN interface, does it pose any security
vulnerability?
  I do not see a way in the BIOS or as a jumper to turn off WOL.
 
  I would normally assume that it would get ignored by pfSense, as all
  unsolicited traffic is, but I want to be sure.
 

 The most anyone could do (barring some sort of future exploit in WoL,
 which is unlikely) is turn on the machine if it's off. The default
 firewall rules will block the WoL traffic when the machine is on,
 though even if it didn't you can't wake a machine that's on already.
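For anyone who wants to see what the traffic in question looks like in a WAN capture, here is an added example (not from the thread or from pfSense) that builds and recognises Wake-on-LAN magic packets: six bytes of 0xFF followed by the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password, usually carried in UDP to port 9 or 7 or in a raw Ethernet frame of type 0x0842. The capture records and the MAC addresses are constructed for the example.

```python
from typing import List, Optional, Tuple

SYNC = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Constructed WoL payload: 6 x 0xFF, target MAC x 16, optional SecureOn
    password (4 or 6 bytes)."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + mac_bytes(mac) * 16 + password


def parse_magic_packet(payload: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (target MAC, password) if the payload carries a magic packet,
    else None. The sync stream may sit anywhere in the payload."""
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6:]
        mac = body[:6]
        if len(body) >= 96 and mac != SYNC and body[:96] == mac * 16:
            trailer = body[96:]
            return mac_str(mac), trailer if len(trailer) in (4, 6) else b""
        idx = payload.find(SYNC, idx + 1)
    return None


def wol_alerts(records: List[Tuple[str, int, bytes]], watched_mac: str) -> List[str]:
    """Scan (src_ip, dst_port, payload) records from a WAN-side capture and
    report senders that addressed a magic packet to the watched NIC."""
    hits = []
    for src, dport, payload in records:
        parsed = parse_magic_packet(payload)
        if parsed and parsed[0] == watched_mac.lower():
            hits.append(f"{src} -> udp/{dport} wakes {parsed[0]}")
    return hits


if __name__ == "__main__":
    # Constructed capture: one magic packet for our WAN MAC, one unrelated
    # datagram, one magic packet for some other MAC.
    wan_mac = "00:11:22:33:44:55"
    capture = [
        ("198.51.100.7", 9, build_magic_packet(wan_mac)),
        ("198.51.100.8", 53, b"\x12\x34\x01\x00"),
        ("198.51.100.9", 7, build_magic_packet("aa:bb:cc:dd:ee:ff")),
    ]
    print(wol_alerts(capture, wan_mac))
```

The detector is the useful half: the pattern is rigid enough (a 102-byte payload with that exact repetition) that a capture filter or an IDS rule can match it without false positives, which is how you would confirm whether anyone on the WAN side is actually trying to wake the box.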




[pfSense-discussion] W.O.L. Security Question

2008-09-30 Thread DarkFoon
Greetings all,

I recently upgraded my pfsense platform to a new(er) motherboard with an
integrated NIC with Wake On LAN.
If I use this as my WAN interface, does it pose any security vulnerability?
I do not see a way in the BIOS or as a jumper to turn off WOL.

I would normally assume that it would get ignored by pfSense, as all
unsolicited traffic is, but I want to be sure.

Thank you for your time.



Re: [pfSense-discussion] CD-ROM + floppy

2008-03-04 Thread DarkFoon
To be honest, I was wondering a similar thing.


- Original Message - 
From: Paul M [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, March 04, 2008 2:01 AM
Subject: Re: [pfSense-discussion] CD-ROM + floppy


 Chris Buechler wrote:
  DarkFoon wrote:
  Yes.  just the config is kept on the floppy.
  
 
  This means that the RRD graphs don't save across reboots, right?
  And packages can't be installed. (well that's sort of obvious...)

  
  Correct on both accounts.
 
 is there any reason why the shutdown scripts couldn't copy the RRD files
  and any .pkg's across to the secondary storage and reload on boot?
 


[pfSense-discussion] CD-ROM + floppy

2008-03-01 Thread DarkFoon
Does pfSense 1.2 still support booting from CD-rom and storing the config (and 
possibly other data) on a floppy disk?

Re: [pfSense-discussion] CD-ROM + floppy

2008-03-01 Thread DarkFoon
 Yes.  just the config is kept on the floppy.

This means that the RRD graphs don't save across reboots, right?
And packages can't be installed. (well that's sort of obvious...)

- Original Message - 
From: Chris Buechler [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Saturday, March 01, 2008 5:44 PM
Subject: Re: [pfSense-discussion] CD-ROM + floppy


 DarkFoon wrote:
  Does pfSense 1.2 still support booting from CD-rom and storing the 
  config (and possibly other data) on a floppy disk?
 Yes.  just the config is kept on the floppy. USB flash drives are also 
 supported, and recommended over floppies.
 
 


[pfSense-discussion] ntpd irregular behavior

2007-11-07 Thread DarkFoon
I've had my pfsense box up and running for 124 days straight (woo hoo) but
back in July, the NTPD log page reported this:

Jul 26 06:29:02 ntpd[588]: Terminating
Jul 26 06:29:02 ntpd[588]: dispatch_imsg in main: pipe closed

There was nothing new since those reports. I assumed that the whole time
since then that it had been keeping my clock up to date. Much to my surprise
I discovered on November 4th that the clock on my pfsense box had fallen
behind by over 20 minutes. So I checked the running processes by running ps
auxc, and I noticed that NTPD was no longer running.
So I went to System -> General removed all the time servers (CTRL+X) and
then added them again (CTRL+V), hit save and then checked the NTPD log
page again.
I was happy to find this:

Nov 4 15:24:09 ntpd[51443]: set local clock to Sun Nov 4 15:24:09 PST 2007
(offset 1229.461968s)

So is this a bug? Or does NTPD exit when it has tried long enough to set the
time?(IIRC, the chipset in this machine has a well-documented bug where the
clock always loses time)



Re: [pfSense-discussion] noob question

2007-09-19 Thread DarkFoon
There is no logout (AFAIK)
You can't install plain old 3rd party apps, you have to install a pfSense
package. Only some software is available as pfSense packages, and many of
them are beta or alpha. But you can make your own packages, something I
haven't personally tried yet.
To browse the packages available, log in and go to System -> Packages.
To install the package you want, click the + button to the right of the
package listing.

I hope that helps.


- Original Message - 
From: Zied Fakhfakh [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, September 18, 2007 3:33 PM
Subject: [pfSense-discussion] noob question


 Hello everybody,

 I'm just starting with pfSense, and I have a couple of questions

 - is there any logout button from the web interface ?
 - how can I install third party software, like squid, on pfSense

 thank you very much.

 -- 
 Zied Fakhfakh
 dot TN - CTO
 Centre Molka, Esc E, Bur 17 | Tel : +216 71 886112
 El Manar II | Fax : +216 71 885499
 2092 - Tunis | mob : +216 22 535604
 Tunisia | web : http://www.dottn.com
 GPG Key : gpg --keyserver pgp.mit.edu  --recv-keys D2F4EE8C





[pfSense-discussion] location of dnsmasq.conf

2007-09-02 Thread DarkFoon
I was able to find the dhcpd.conf file under /var/dhcpd/etc
and I feel like I've scoured every nook and cranny, but I cannot find 
dnsmasq.conf.

I require these two files because I'm attempting (for my own improvement) to 
set up a linux box to do pretty much the same thing as my pfSense box.

Where is dnsmasq.conf hidden? Or is it even used?

[pfSense-discussion] MiniUPnPd security risks

2007-04-25 Thread DarkFoon
I'm considering installing the UPnP daemon on some home/home office boxes, and 
I'm curious what the security issues are.
From my own (simple) analysis, the worst that could happen is a malicious 
application could ask for many, many (almost all?) of the ports above 1024 to 
be routed to a machine, and that an external attacker might be able to use all 
the port forwards to control said malicious program from the internet and 
perhaps wreak havoc on the LAN net and maybe even the pfSense box (with a 
keylogger and sniff the pw for the pfSense admin).

This is assuming I don't use the custom rules that I can specify. (which I 
could use to mitigate some of the damage)

Did I miss anything?
Thank you for your comments.
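The "custom rules" mentioned above are miniupnpd permission rules, and they are the mitigation for exactly the scenario described: a LAN program asking for many ports, or for ports that point at a host other than itself. Below is an added example, not code from pfSense or miniupnpd, that models how those rules are evaluated: lines of the form "(allow|deny) ext_ports ip/mask int_ports" checked in order with the first match deciding, no match meaning allow (which is why rule sets end with an explicit deny-all), plus miniupnpd's secure_mode, which refuses mappings that point anywhere but the requesting host. The exact syntax the pfSense package accepts in its version from this period is an assumption; the requests and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class MappingRequest:
    client: str      # LAN address of the device sending AddPortMapping
    ext_port: int    # WAN-side port being claimed
    int_host: str    # where the mapping points
    int_port: int


@dataclass(frozen=True)
class Permission:
    allow: bool
    ext: Tuple[int, int]
    net: ipaddress.IPv4Network
    internal: Tuple[int, int]

    def matches(self, req: MappingRequest) -> bool:
        return (self.ext[0] <= req.ext_port <= self.ext[1]
                and ipaddress.ip_address(req.int_host) in self.net
                and self.internal[0] <= req.int_port <= self.internal[1])


def _port_range(text: str) -> Tuple[int, int]:
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_permissions(text: str) -> List[Permission]:
    """Parse miniupnpd-style lines: '(allow|deny) ext_ports ip/mask int_ports'.
    Blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {line}")
        rules.append(Permission(action == "allow", _port_range(ext),
                                ipaddress.ip_network(net, strict=False),
                                _port_range(internal)))
    return rules


def evaluate(rules: List[Permission], req: MappingRequest, secure_mode: bool) -> str:
    """Decide a mapping request. secure_mode refuses mappings that point at any
    host other than the requester. Rules are checked in order, first match
    wins, and with no match the request is allowed."""
    if secure_mode and req.int_host != req.client:
        return "deny:secure_mode"
    for i, rule in enumerate(rules):
        if rule.matches(req):
            return f"{'allow' if rule.allow else 'deny'}:rule{i}"
    return "allow:default"


# Constructed rule set: unprivileged ports, LAN hosts only, deny everything else.
RULES = parse_permissions("""
allow 1024-65535 10.0.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
""")

if __name__ == "__main__":
    # A game console mapping a high port to itself: allowed.
    print(evaluate(RULES, MappingRequest("10.0.0.5", 50000, "10.0.0.5", 50000), True))
    # Malware on 10.0.0.5 trying to expose the firewall's own admin port: denied.
    print(evaluate(RULES, MappingRequest("10.0.0.5", 50000, "10.0.0.1", 443), False))
    # With no rules and no secure_mode, the same request is simply allowed.
    print(evaluate([], MappingRequest("10.0.0.5", 50000, "10.0.0.1", 443), False))
```

The last call is the worst case from the question: with no permission rules, a LAN program can point WAN ports at any inside host, the firewall's own web interface included. Permission rules restrict that; they do not cap how many mappings one client may claim, so port exhaustion by a misbehaving program is still possible within the allowed range.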

Re: [pfSense-discussion] Windows shares across the firewall

2007-01-04 Thread DarkFoon
I was hired to do the same thing for a small business a year ago.

I learned about a month and a half into the project that windows shares,
while they work across subnets, the hostname can't be used because of WINS,
only the IP address. Workgroups especially do not work across subnets. I
would like to know if DNS will work for your workgroup. I can't remember if
I tried that, or even had the proper settings to get it to work.

My employer's entire network was set up with a workgroup that had been
tweaked to act sorta like a domain. I set up a FreeBSD domain server, but he
wanted a god box that was his domain server, web server, firewall-which I
wouldn't build due to security reasons-and he had some custom server
software that would only work under windows, so I was let go; his son can do
windows stuff for free.
Sorry, I got off topic there.

WebDAV over https sounds like an interesting idea.
I hope I have been of some help.

- Original Message - 
From: David Brown [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, January 04, 2007 12:09 AM
Subject: [pfSense-discussion] Windows shares across the firewall


 I'm planning to set up a new firewall/router at our company, and am
 leaning towards using pfSense because I want several green networks
 (either using multiple ports on the firewall machine, or using a managed
 switch and VLANs - as far as I understand it, they can work the same way).

 There are going to be a couple of server machines on different branches
 of the LANs, but I need access to them from the other branches.  The
 setup I've planned looks like this:


 /---\
 |   |-red1internet
 |  pfSense  |-red2(second internet connection, optional)
 |   |
 |   |-orange--DMZ---web server, mail server, squid, etc.
 |   |
 |   |-blue---(wireless for laptops, including visitors)
 |   |   |   ||
 |   |   LinkSys WRT54GLLinkSys  LinkSys
 |   |/   \  /   \/   \
 |   | laptops, etc.
 |   |
 |   |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc.
 |   |
 |   |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc.
 |   |
 |   |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc.
 |   |
 \---/


 Making appropriate firewall and routing rules for access to the DMZ
 servers from the green LANs is easy enough, as are things like allowing
 ssh access on different LANs for administrative purposes.  But it is
 also important that I can get windows share access in some way across
 the LANs.  For example, pc1.2 (say, 192.168.1.102) should be able to
 mount a share on server2.1 (192.168.2.1), while the reverse is not true
 (i.e., no machine on LAN2 should see the pc's on LAN1).  Is it
 sufficient, and safe, to simply open a pinhole for traffic on port 139
 towards 192.168.2.1 from 192.168.1.x ?  I suppose I could set up VPNs
 somewhere to tunnel traffic around, but I can't see that this would
 actually improve matters (I have no need to encrypt traffic passing
 between greens) - I would need similar rules to limit the VPN traffic.
 In fact, I'm assuming that once I've got things figured for cross-green
 routing, I can use the same sorts of rules for VPN's from laptops on the
 blue zone or attaching via the internet.

 As far as I can tell, it is only the share access that I need from the
 SMB/CIFS protocols.  pfSense's DNS server should be able to handle
 naming, and I am not running a windows domain (it's all set up as a
 workgroup).

 If I can't get a stable and secure arrangement for SMB sharing, what are
 my other options?  At the moment, we have a couple of linux file servers
 and one old windows one, which can be replaced if it is not flexible
 enough.  I've heard of using WebDAV as a protocol - W2K and XP (and
 linux, and presumably FreeBSD :-) can mount WebDAV paths, and use them
 directly.  If the WebDAV access is over https, then it could be used
 directly from outside the LANs without needing a VPN.  Another idea I
 have read about is using a SFTP server along with WebDrive software.

 Any hints, tips, website pointers, or comments about how only an idiot
 would arrange things like that, would be much appreciated.

 mvh.,

 David







[pfSense-discussion] Policy Enforcement: Can pfSense beat it?

2006-10-16 Thread DarkFoon



Hi everybody.
A friend of mine recently informed me that
his college is going to be adding some "policy enforcement" devices (Cisco
brand) to their network that will push Symantec Security software onto all
computers on the campus network. If your computer doesn't meet the policy, it is
denied internet access.
Linux computers are exempt from this for some reason
(yeah *BSD != linux, I know).
He doesn't want this Norton garbage pushed onto his 
PC, so he asked me if a firewall like pfSense would stop this nonsense. However 
he says that the machine must "look" like a Linux box to the campus "policy 
enforcement" device.

My questions are: is pfSense immune to
fingerprinting? Or can I alter the values it reports back?
Also, do you think this would even work? (Would it 
trick the policy enforcement and allow him access through it?)

I ask because you are the experts. I no longer have 
the free time I once had to research this myself (being a student also), so I am 
asking for the knowledge that comes with experience in the field.

I understand that this question is a little "out 
there" and highly off-topic; my apologies if it belongs elsewhere.

Thank you very much in advance.
-a Rossi


Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-08-29 Thread DarkFoon
I see,
thank you for the clarification.


- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, August 29, 2006 7:59 AM
Subject: Re: [pfSense-discussion] Dynamic DNS - no password encryption


 On 8/29/06, DarkFoon [EMAIL PROTECTED] wrote:
  I was looking through my XML configuration recently, and I noticed that
my
  Dynamic DNS password is not encrypted like the PFsense password is.
  It seems to me that this is a rather important password and should be
  encrypted (if possible).


http://faq.pfsense.com/index.php?action=artikel&cat=1&id=37&artlang=en&highlight=encrypted

 Refer to mailing list history for juicy flame wars.  We are not going
 there again.


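Since the answer above is that the Dynamic DNS password stays in the clear in config.xml, the practical consequence is that config backups and configs pasted into list mail are secrets. An added example follows (not code from pfSense) that walks a config.xml, reports credential elements whose value is not a crypt-style hash, and produces a redacted copy for sharing. The config fragment is constructed in the shape of a pfSense 1.x file; the admin hash is a placeholder of md5crypt shape, and the pppoe_password tag name is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed config.xml fragment; every value is made up.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw</hostname>
    <username>admin</username>
    <password>$1$saltsalt$abcdefghijklmnopqrstuv</password>
  </system>
  <dyndns>
    <type>dyndns</type>
    <username>dynuser</username>
    <password>hunter2</password>
  </dyndns>
  <interfaces>
    <wan>
      <ipaddr>pppoe</ipaddr>
      <pppoe_username>isp-user</pppoe_username>
      <pppoe_password>hunter3</pppoe_password>
    </wan>
  </interfaces>
</pfsense>
"""

# Element names that carry credentials (assumed set; extend as needed).
SECRET_TAG_RE = re.compile(r"(password|secret|presharedkey|psk)$", re.IGNORECASE)
# crypt(3)-style hashes: $1$ md5crypt, $2*$ bcrypt, $5$/$6$ sha-crypt.
HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6)\$")


def _is_plaintext_secret(elem: ET.Element) -> bool:
    text = (elem.text or "").strip()
    return bool(SECRET_TAG_RE.search(elem.tag) and text and not HASH_RE.match(text))


def find_plaintext_secrets(xml_text: str) -> List[str]:
    """Paths (from the root) of credential elements stored in the clear."""
    root = ET.fromstring(xml_text)
    found: List[str] = []

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}/{child.tag}" if path else child.tag
            if _is_plaintext_secret(child):
                found.append(child_path)
            walk(child, child_path)

    walk(root, "")
    return found


def redact(xml_text: str) -> str:
    """Copy of the config with every plaintext credential replaced, for
    posting a config to the list or keeping a backup off the box."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _is_plaintext_secret(elem):
            elem.text = "[REDACTED]"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_CONFIG))
    print(redact(SAMPLE_CONFIG))
```

The hashed admin password is skipped because it already has the $1$ prefix; everything the firewall has to present to a remote service (dynamic DNS, PPPoE) has to be recoverable and so is flagged. Run find_plaintext_secrets() over a real backup before deciding where it may be stored.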





Re: [pfSense-discussion] Benchmarking

2006-07-28 Thread DarkFoon
Thank you very much, Holger.

No, aliases are not broken.
I must be using them wrong, because I had some NAT and firewall rules that
used aliases, and the NAT didn't work until I used the actual IP address,
not the alias.


- Original Message - 
From: Holger Bauer [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, July 27, 2006 7:34 PM
Subject: AW: [pfSense-discussion] Benchmarking


 I'm using netio usually to do benchmarking the factory defaults with a
netio server sitting at wan and a netio client at lan connecting to it. A
wrap 266MHz 128MB benches at up to 32 mbit/s with latest release fyi.

 Holger

 -Ursprüngliche Nachricht- 
 Von: DarkFoon [mailto:[EMAIL PROTECTED]
 Gesendet: Fr 28.07.2006 00:42
 An: discussion@pfsense.com
 Cc:
 Betreff: [pfSense-discussion] Benchmarking





 











[pfSense-discussion] Benchmarking

2006-07-27 Thread DarkFoon



I've recently upgraded my pfSense box from a 
pentium-MMX 233Mhz to a Celeron-MMX 333MHZ and I am curious how the developers 
(or anybody on the list) would go about benchmarking the system (max throughput 
is what I'm mostly curious about)

One quick question: aliases are broken in 1.0 RC-1, 
right? Just checking.

Thanks in advance


[pfSense-discussion] Thank you

2006-06-30 Thread DarkFoon



I just upgraded to RC-1 from Beta2, and I must say 
that I am impressed.
I like the new features, such as the RRD graphs 
(well, they're new to me)
and the filter status page.
The product is very polished.
So I am thanking the pfSense team for the excellent 
job they have done!



Re: [pfSense-discussion] artwork

2006-06-21 Thread DarkFoon
Mr. Leitl,
I don't quite understand your problem here.
You claim that the m0n0 interface has better usability, and is superior in
look, however, you do not support these claims with any useful examples that
would allow the pfSense team to improve their interface.

pfSense is not m0n0; it has more features, packages, and the like, and
therefore needs a different interface to accommodate these differences.
I've done web design before, and as far as I can see, I cannot think of a
way to improve the pfSense interface. Perhaps your browser sucks and cannot
display the menus properly? (I've had that problem before)

Your statement that your claims are a bug report is a lie. Any useful bug
report contains information that would be helpful to the developers; yours
contains only incendiary comments.

Learn how to code and port the m0n0 interface over to pfSense, or better
yet, learn how to be respectful over the internet. The people who develop
pfSense have other things to do than develop pfSense. We'd all be S.O.L. if
it weren't for them. (Care to learn OpenBSD and write your own pf filter
rules at console? Neither do I.)

Good day sir
A.C. R.



Re: Re[2]: [pfSense-discussion] P2P Blocker

2006-06-06 Thread DarkFoon
I may have over looked it, but where in pfSense can you set the maximum
number of states a workstation can have? I like that idea for P2P blocking.

- Original Message - 
From: Bill Marquette [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, June 06, 2006 1:07 PM
Subject: Re: Re[2]: [pfSense-discussion] P2P Blocker


 On 6/6/06, Chris Noble [EMAIL PROTECTED] wrote:
  Ah good idea, pfsense has Traffic Shaper in it.. I could play with
  that and give P2P a silly speed like 500 byte/sec heh.

 There were some threads on this in the forum also.  I believe someone
 even went so far as to restrict the number of states individual
 workstations could have.  Between castrating the bandwidth and
 castrating the amount of connections you're allowed, it should pretty
 effectively communicate the message.

 --Bill







Re: Re[2]: [pfSense-discussion] P2P Blocker

2006-06-06 Thread DarkFoon
Thank you very much

- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, June 06, 2006 1:48 PM
Subject: Re: Re[2]: [pfSense-discussion] P2P Blocker


 On 6/6/06, DarkFoon [EMAIL PROTECTED] wrote:
  I may have over looked it, but where in pfSense can you set the maximum
  number of states a workstation can have? I like that idea for P2P
blocking.

 Firewall -> Rules -> Edit -> Advanced







Re: [pfSense-discussion] Setup advice wanted, devices for public library

2006-03-29 Thread DarkFoon
 In most of the other locations I would rather
 go with CF so there are no moving parts.  I am looking at Kingston
Elite
 Pro CF cards, 512mb for $30 dollars, I saw them mentioned on the list.
 Does anyone have any recommendations of other brands.

http://anandtech.com/storage/showdoc.aspx?i=2654

I know this article is a little dated, and the sizes are much more than
you need, but it came to mind and I thought it might be of use.




[pfSense-discussion] VPN questions

2006-03-26 Thread DarkFoon



Hello all,
my client wants himself and his franchisees to be 
able to securely access a fileserver (actually it's his workgroup-soon to be 
domain-server) behind the pfSense box and upload important data files to it. 
These clients are using laptops with wireless connections(3G access, not wi-fi, 
but possibly wi-fi too), or desktops at home behind little home firewall/routers 
with broadband internet. All are running windows XP Pro.
pfSense offers me three kinds of VPN, as you all 
know: PPTP (about which I've read numerous articles citing security flaws in its 
authentications using MS-CHAP), IPSec is for site-to-site (and impossibly to set 
up under windows, because all methods I've reasearched require a static IP on 
the windows computer, and 3G doesn't offer static IPs), and finally OpenVPN 
which is experimental and messes up the OPTx interfaces (of which this pfSense 
box has 4).
I would like to give Stunnel a try, but the package 
doesn't install on pfSense (despite saying that it's stable).
So as you can see, I've got a bit of a problem. If 
there is an easier way to set up IPSec on a mobile windows client, I'd love to 
hear it. If there's a way to secure PPTP (other than upgrading the PPTP server 
in pfSense which, I have been told, will not be done) I'm all ears. If OpenVPN 
is more stable than the warning on its config pages makes it sound, let me know. 
I'm out of ideas.
Thank you all
A Rossi



[pfSense-discussion] First bug of beta 2?

2006-03-11 Thread DarkFoon
I'm experiencing some strange behavior with my beta2 box.
I have to keep manually renewing the WAN dhcp. I'll connect to a website
from a client on the LAN, and then maybe five minutes later, when I go
to another page, it can't find the page (none of my internet based
things work, actually), so I open up the webGUI and go to the interfaces
page, and there the WAN DHCP is down, and I have to click renew.
This problem happens intermittently (like it started last night, and
now it's not doing it)
I don't quite understand even why this should be happening. I thought,
though, in the past that it automatically renewed DHCP leases on the
WAN. More than likely, however, it's a hardware or ISP problem, and has
nothing to do with the pfSense box. I thought I should post this here in
case this is a pfsense issue.

My hardware:
pentium-MMX 200mhz
64MB sd100 ram
2x 3com 905* nics (one's a 905b-tx, the other a 905-tx)
CD-ROM platform (I don't like the noise added by harddrives)
floppy-drive (with my config)


The webGUI is a little sluggish in comparison to m0n0. But of course it
should be: m0n0 was designed for this kind of hardware, and pfsense,
well, wasn't. But, I like the features of pfsense more than m0n0, so I
use it now.

$ dmesg
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 The Regents of the University of California. All rights reserved.
FreeBSD 6.1-PRERELEASE #0: Thu Mar  2 04:13:56 UTC 2006
[EMAIL PROTECTED]:/usr/obj.pfSense/usr/src/sys/pfSense.6
Timecounter i8254 frequency 1193182 Hz quality 0
CPU: Pentium/P55C (200.46-MHz 586-class CPU)
  Origin = GenuineIntel  Id = 0x544  Stepping = 4
  Features=0x8001bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,MMX>
real memory  = 62914560 (60 MB)
avail memory = 51826688 (49 MB)
Intel Pentium detected, installing workaround for F00F bug
wlan: mac acl policy registered
kbd1 at kbdmux0
ath_hal: 0.9.16.16 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413,
RF5413)
npx0: [FAST]
npx0: math processor on motherboard
npx0: INT 16 interface
cpu0 on motherboard
pcib0: Host to PCI bridge pcibus 0 on motherboard
pci0: PCI bus on pcib0
isab0: PCI-ISA bridge at device 1.0 on pci0
isa0: ISA bus on isab0
atapci0: SiS 5513 UDMA33 controller port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x4000-0x400f at device 1.1 on pci0
ata0: ATA channel 0 on atapci0
ata1: ATA channel 1 on atapci0
xl0: 3Com 3c905B-TX Fast Etherlink XL port 0xf000-0xf07f mem
0xffadff80-0xffad irq 3 at device 13.0 on pci0
miibus0: MII bus on xl0
xlphy0: 3Com internal media interface on miibus0
xlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: Ethernet address: 00:10:4b:62:a1:f4
xl1: 3Com 3c905-TX Fast Etherlink XL port 0xec80-0xecbf irq 4 at
device 15.0 on pci0
miibus1: MII bus on xl1
nsphy0: DP83840 10/100 media interface on miibus1
nsphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl1: Ethernet address: 00:60:08:1f:39:69
pci0: display, VGA at device 20.0 (no driver attached)
pmtimer0 on isa0
orm0: ISA Option ROM at iomem 0xc-0xc7fff on isa0
atkbdc0: Keyboard controller (i8042) at port 0x60,0x64 on isa0
atkbd0: AT Keyboard irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
fdc0: Enhanced floppy controller at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2
on isa0
fdc0: [FAST]
fd0: 1440-KB 3.5 drive on fdc0 drive 0
ppc0: parallel port not found.
sc0: System console at flags 0x100 on isa0
sc0: VGA 16 virtual consoles, flags=0x300
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: Generic ISA VGA at port 0x3c0-0x3df iomem 0xa-0xb on
isa0
unknown: PNP0303 can't assign resources (port)
speaker0: PC speaker at port 0x61 on isa0
unknown: PNP0700 can't assign resources (port)
unknown: PNP0c02 can't assign resources (port)
Timecounter TSC frequency 200456760 Hz quality 800
Timecounters tick every 1.000 msec
Fast IPsec: Initialized Security Association Processing.
acd0: CDRW YAMAHA CRW2100E/1.0K at ata0-master PIO4
GEOM_LABEL: Label for provider fd0 is msdosfs/ .
GEOM_LABEL: Label for provider acd0 is iso9660/pfSense.
Trying to mount root from cd9660:/dev/iso9660/pfSense
md0.uzip: 1511 x 65536 blocks
acd0: FAILURE - READ_BIG MEDIUM ERROR asc=0x02 ascq=0x00 error=0
acd0: FAILURE - READ_BIG MEDIUM ERROR asc=0x02 ascq=0x00 error=0
xl0: link state changed to UP
xl1: link state changed to UP
xl1: link state changed to DOWN
xl1: link state changed to UP
pflog0: promiscuous mode enabled
xl1: transmission error: 90
xl1: tx underrun, increasing tx start threshold to 120 bytes
xl1: transmission error: 90
xl1: tx underrun, increasing tx start threshold to 180 bytes
xl1: transmission error: 90
xl1: tx underrun, increasing tx start threshold to 240 bytes



Re: [pfSense-discussion] pfSense merge with freebsd?

2006-03-10 Thread DarkFoon
FreeNAS sounds like a neat idea, unfortunately it's not quite what I had
in mind for this backup computer. I was going to write a cron job for
this computer so that every night (or maybe once a week) it would turn
on (the BIOS has an auto-boot function), and use smbtar to grab all of
the files from a fileserver and back them up on that computer, then it
would shut down. If the disk got too full, it would delete older backups
to make room for new ones. Right now the file server is running Windows
XP, so I can't really tell it to send its files to that backup computer
at a specific time.

What about that jumpering thing, though? I remember from Linux that if
you have a drive jumpered to be smaller than its actual size, you need
to have hdx=stroke as a boot parameter so Linux can use all of the
space.  Well, I've gotten off topic perhaps. I'll do some reading in the
FreeBSD pages.
Thanks!
Anthony

- Original Message - 
From: Holger Bauer [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, March 09, 2006 9:34 PM
Subject: RE: [pfSense-discussion] pfSense merge with freebsd?


I doubt that a BIOS flash will make that drive usable on that old
machine. And for these utilities... I don't like them too much. I have
used such a utility a very long time ago to bypass BIOS limitations. It
actually went in the boot sector to get loaded before anything else (like
the old evil master boot record viruses ;-). It worked fine for some time
until I needed to reinstall my OS as it was broken. The OS replaced the
tool in the boot record and all my data stored on all partitions was gone
with that. There was no way to reinstall the tool without doing a full
preparation of the disk again, wiping everything that existed there. In
business environments things like these are really the worst ideas one
can come up with.

However I might have a solution for you to try. First find out what the
max size limit is that that box natively supports for HDDs. Then get a
bunch of these and run them with http://www.freenas.org/ . You can even
build RAIDs with this (stripes and mirrors should be supported AFAIK),
however I haven't tried it out personally. Just a suggestion.

Holger

 -Original Message-
 From: DarkFoon [mailto:[EMAIL PROTECTED]
 Sent: Friday, March 10, 2006 6:24 AM
 To: discussion@pfsense.com
 Subject: Re: [pfSense-discussion] pfSense merge with freebsd?


  The god box is always a bad idea.

 Yeah, I told him the God Box idea was a bad one. Figured I
 should look
 into it anyways. Right now his pfSense box is a Dell pentium
 III 866Mhz
 (same as the box I'm using right now to make this email) with 256Mb
 SD-100 ram and 5 added in Nics (plus the integrated, for a
 total of 6).
 I had a similar box running a SAMBA domain server and it was
 alright, so
 I thought I'd try to combine the two. But I digress. The God
 Box is out.
 Got that.

 As a matter of fact (this is probably a generic BSD question) he wants
 me to do the impossible again: He has an old K6-2 box laying
 around and
 he wants me to put in a 300GB seagate drive to do a network
 back up to.
 I told him the tech is too old to support 300GB (its ATA/UDMA66 or
 whatever; too many titles for the same thing)
 But he read some tidbit on Seagate's site that a mobo BIOS flash or
 using the seagate software will make it so the drive can be used, and
 apparently that means I can do it (completely ignoring the
 fact that the
 hardware came years before even 100 GB drives) and I'm a
 slacker for not
 making it happen.
 So the question is, if I jumper the drive to limit it to 32GB so the
 darn computer will actually boot (the BIOS freezes detecting
 the drive),
 can I get FreeBSD to recognize all 300GB? I probably should check the
 FreeBSD man pages, but being as ill as I am right now, I feel like
 asking you guys first (ya'll seem nice enough ;) )

 thanks for the help!
 Anthony
 (stupid flu!)

 - Original Message - 
 From: Andrew Burnette [EMAIL PROTECTED]
 To: discussion@pfsense.com
 Sent: Thursday, March 09, 2006 6:49 PM
 Subject: Re: [pfSense-discussion] pfSense merge with freebsd?


  DarkFoon wrote:
   I am curious if it is possible to merge-for want of a better
   word-pfSense with a FreeBSD install. Why? Well, I have a
 client who
   wants to integrate everything into 1 box if possible. I
 told him its
 not
   possible, but I wouldn't be doing my job if I didn't
 check to see if
 I
   am wrong.
 
  You could of course snag the pf rules out of a pfsense box
 and put in
 a
  *bsd box if absolutely required.
 
  The god box is always a bad idea. Generally does everything poorly
  (think of what a fantastic pair of scissors are included in a swiss
 army
  knife).  I have very very large clients that think the same
 of optical
  long haul gear, routers, and switches and how they all belong in one
  box. Invariably, they get burned by lousy functionality and cost
  overruns. (yes, think US DoD...)
 
  boxen sufficient for a pfsense firewall are $100

[pfSense-discussion] pfSense merge with freebsd?

2006-03-09 Thread DarkFoon



I am curious if it is possible to "merge", for want of a better word,
pfSense with a FreeBSD install. Why? Well, I have a client who wants to
integrate everything into 1 box if possible. I told him it's not possible,
but I wouldn't be doing my job if I didn't check to see if I am wrong.

Basically, the box needs to be a firewall and SMB server. I like pfSense's
webGUI (I would hate to have to write all the pf.conf rules by hand) and all
the easy controls it provides for me. (The more I type this email, the less
likely it seems that this is possible.) So I would like to try to combine
the two, if possible. Yes, I am aware of the security and stability
implications of this. ("Why is the SMB transfer so slow?" Well, little Timmy
is using bittorrent right now... or "The internet is down? I can't transfer
files?!" The box crashed...)

Hey! This gave me an idea for a feature (probably after 1.0): how about the
ability to export the filter rules as a pf.conf file that could be put on
another system? Certainly problems would arise if the two systems aren't
identically configured, but that's what a big warning on the webGUI page is
for ;)

Anyways, sorry for the long post. I think I am coming down with some
illness, and my mind is in another state.
Apologies.
Anthony


Re: [pfSense-discussion] pfSense merge with freebsd?

2006-03-09 Thread DarkFoon
I don't know how to program, nor do I know PHP (I could probably learn
it). That's a bit of a roadblock.

And implementing all the SaMBa features that I would need with a nice
webGUI would take me months of PHP. (Unless I just made one big
writable space and the user would have to know what they're doing and
do it all by hand, but that is less elegant.)

And the final nail in that idea's coffin (it is a good idea though) is
that I lack a sufficient platform to develop and test with. My client's
network is not a good place to do it. And my home network uses the
LiveCD because I lack a crappy hard drive to install to.

- Original Message - 
From: Jim Thompson [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, March 09, 2006 12:18 PM
Subject: Re: [pfSense-discussion] pfSense merge with freebsd?


 DarkFoon wrote:

  I am curious if it is possible to merge-for want of a better
  word-pfSense with a FreeBSD install. Why? Well, I have a client who
  wants to integrate everything into 1 box if possible. I told him its
  not possible, but I wouldn't be doing my job if I didn't check to
see
  if I am wrong.
 
  Basically, the box needs to be a firewall and SMB server. I like
  pfSense's webGUI (I would hate to have to write all the pf.conf
rules
  by hand) and all the easy controls it provides for me. (The more I
  type this email, the less likely it seems that this is possible) So
I
  would like to try to combine the two, if possible. Yes, I am aware
of
  the security and stability implications of this. (Why is the SMB
  transfer so slow? Well, little Timmy is using bittorrent right
  now...  or  The internet is down? I can't transfer files?! The box
  crashed...)
 
 Why not just write a package (if one doesn't exist already) for SMB?
 http://www.pfsense.com/screens/package_manager.JPG








Re: [pfSense-discussion] pfSense merge with freebsd?

2006-03-09 Thread DarkFoon
 The god box is always a bad idea.

Yeah, I told him the God Box idea was a bad one. Figured I should look
into it anyways. Right now his pfSense box is a Dell Pentium III 866MHz
(same as the box I'm using right now to make this email) with 256MB
SD-100 RAM and 5 added-in NICs (plus the integrated, for a total of 6).
I had a similar box running a SAMBA domain server and it was alright, so
I thought I'd try to combine the two. But I digress. The God Box is out.
Got that.

As a matter of fact (this is probably a generic BSD question) he wants
me to do the impossible again: He has an old K6-2 box lying around and
he wants me to put in a 300GB Seagate drive to do a network backup to.
I told him the tech is too old to support 300GB (it's ATA/UDMA66 or
whatever; too many titles for the same thing).
But he read some tidbit on Seagate's site that a mobo BIOS flash or
using the Seagate software will make it so the drive can be used, and
apparently that means I can do it (completely ignoring the fact that the
hardware came years before even 100 GB drives) and I'm a slacker for not
making it happen.
So the question is, if I jumper the drive to limit it to 32GB so the
darn computer will actually boot (the BIOS freezes detecting the drive),
can I get FreeBSD to recognize all 300GB? I probably should check the
FreeBSD man pages, but being as ill as I am right now, I feel like
asking you guys first (y'all seem nice enough ;) )

thanks for the help!
Anthony
(stupid flu!)

- Original Message - 
From: Andrew Burnette [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, March 09, 2006 6:49 PM
Subject: Re: [pfSense-discussion] pfSense merge with freebsd?


 DarkFoon wrote:
  I am curious if it is possible to merge-for want of a better
  word-pfSense with a FreeBSD install. Why? Well, I have a client who
  wants to integrate everything into 1 box if possible. I told him its
not
  possible, but I wouldn't be doing my job if I didn't check to see if
I
  am wrong.

 You could of course snag the pf rules out of a pfsense box and put in
a
 *bsd box if absolutely required.

 The god box is always a bad idea. Generally does everything poorly
 (think of what a fantastic pair of scissors are included in a swiss
army
 knife).  I have very very large clients that think the same of optical
 long haul gear, routers, and switches and how they all belong in one
 box. Invariably, they get burned by lousy functionality and cost
 overruns. (yes, think US DoD...)

 boxen sufficient for a pfsense firewall are $100 or so from many
sources
 (I paid $109 on ebay for the first one, then $100 for a rack mount job
 that fit in my cabinet better).  Same size/capacity box should do for
an
 SMB server (sans Big Fantastic Disks of course).

 if that's too much $$, then the client likely can't afford you ;-)
But,
 isn't that what they pay you for in the first place?

 Good luck,
 andy








[pfSense-discussion] Wierd display problem in IE

2006-03-05 Thread DarkFoon



I probably should have posted this bug before the beta2 release, but oops
on my part. (Sorry!)

In IE all the pfSense text is way too small (like 6 font or smaller) using
the pfsense-pulldown "skin".

I have a screenshot, but I don't know how to show it to ya guys. Do I send
it as an attachment?


Re: [pfSense-discussion] Wierd display problem in IE

2006-03-05 Thread DarkFoon
stupid CTRL+MwheelUP.
You're right. I accidentally (probably when I was selecting files to
delete with CTRL and wheeling around the window) made my font smaller.
But google and my other sites looked normal.



- Original Message - 
From: Holger Bauer [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Sunday, March 05, 2006 7:04 AM
Subject: RE: [pfSense-discussion] Wierd display problem in IE


No Problem here. Check your Fontsize settings of the browser. You
probably have modified them.

Holger

-Original Message-
From: DarkFoon [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 05, 2006 10:19 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Wierd display problem in IE


I probably should have posted this bug before the beta2 release. but
oops on my part. (sorry!)

In IE all the pfsense text is way too small (like 6 font or smaller)
using the pfsense-pulldown skin.

I have a screenshot, but I don't know how to show it to ya guys.
do I send it as an attachment?






Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread darkfoon
Nope, doesn't fix it. Just upgraded. Still as broken as it was an hour ago.
The system is a Dell Optiplex (I can't find the model number at this time). It
has a Pentium 3 and a 10 GB hard drive, if that helps at all.


 -- Original message --
From: Scott Ullrich [EMAIL PROTECTED]
 On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 [snip]
  I'm using Beta 1 right now, because I don't think that upgrading to Beta2 
 would
  fix this.
 
 Upgrade.  There was only 91+ fixes between beta1 and beta2 and
 countless FreeBSD fixes.
 
 Scott



Re: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-03 Thread darkfoon
Well, I seem to have fixed it, but the solution makes no sense to me.
Perhaps it will make more sense to those of you with more networking knowledge
than I.

All of the cables leaving the PfSense box went to switches. The one hooked up
to the LAN had the cable plugged into a regular port on the LAN switch; all the
others were plugged into the uplink port on those switches.

So, when I moved all of the cables from the uplink port on the switches to a
regular port on those switches, all of a sudden things worked just fine.

Why? I thought the purpose of the uplink was to connect to a higher switch
(in this case, the PfSense box, a.k.a. router). The former router (a commercial
SpeedStream that the pfSense box replaces) worked just fine with all the
switches hooked up with the uplink port. Heck, even my pfSense box at home
worked just fine with my Linksys switch using the uplink port.
What is with this ambiguity?!

Anyways, thanks to you all for the help. I'm sorry if I may have caused any
problems.
If anybody knows why what I did works (why the uplink port seems to be a
curse/miracle) please explain; I would love to know. And besides, if somebody
ever has the same problem, and they search the mailing lists, they'll find the
answer.
Thanks again!
Anthony


 -- Original message --
From: Bill Marquette [EMAIL PROTECTED]
 So let me get this straight.
 
 The cable that's plugged into the LAN nic if unplugged from LAN and
 plugged into each of the OPT nics works?  Sounds like a switch or
 cable issue.  Have you tried the reverse?  Plug the cables that are in
 the non-working OPT interfaces into the known working interface (LAN)?
  And for that matter, plugging the known working cable and the known
 working interface into the switch ports that you are trying to plug
 the OPT interfaces in?
 
 --Bill
 
 On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  nope, doesn't fix it. Just upgraded. Still as broke as it was an hour ago.
  The system is a Dell Optiplex (I can't find the model number at this time) 
  It 
 has a Pentium 3 and a 10 GB harddrive, if that helps at all.
 
 
   -- Original message --
  From: Scott Ullrich [EMAIL PROTECTED]
   On 3/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   [snip]
I'm using Beta 1 right now, because I don't think that upgrading to 
Beta2
   would
fix this.
  
   Upgrade.  There was only 91+ fixes between beta1 and beta2 and
   countless FreeBSD fixes.
  
   Scott
 
 



[pfSense-discussion] Timed Rules?

2006-02-22 Thread DarkFoon
I did not notice an option in PfSense that allows a user to set a rule
for certain time periods. Are there any plans for this later on, or
experimental versions with it now?

An example for clarification: block all access until 12:00a (midnight),
then allow access for an hour, and block access until the next midnight.
The above could be implemented with a block rule active all the time,
and in front of it (or above, or on top, depending on how you look at it)
a timed allow rule that only activates for the hour between 12:00a and
1:00a; I believe that would be the correct order of operation.

I've thought of a hack to do this, but given my limited knowledge of
PfSense, it probably wouldn't work. Basically, the rule is written to a
file when the user creates it; when the time comes around a cron task
puts the text into the rules and reloads the config. Then at the time
the rule is supposed to expire, a cron task runs, removes the rule (using
grep), and reloads the config.

Thanks
Anthony
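The cron-driven hack sketched in this post, written out as an added example for a plain FreeBSD pf host. This is not code from the mailing list or from the pfSense project; the file paths, the `# TIMED-RULE` marker comment, the `lan0` interface and the midnight-to-1:00a window are assumptions made for the example. The permanent block rule stays in the ruleset, the pass rule is spliced in above it at 00:00 and stripped out again with grep at 01:00, and the ruleset is syntax-checked and reloaded with pfctl each time:

```shell
#!/bin/sh
# Added example (not from the mailing list or the pfSense project): a
# cron-driven timed rule on a plain FreeBSD/pf host. RULES_FILE holds the
# permanent ruleset, TIMED_FILE the rule that is only active for one hour.
# Paths, the interface name "lan0" and the marker comment are assumptions.
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/pf.conf.example}"
TIMED_FILE="${TIMED_FILE:-${TMPDIR:-/tmp}/timed-rule.example}"
MARKER="# TIMED-RULE"

# Constructed sample files: the permanent ruleset blocks everything from
# lan0; the timed rule passes it. Both rules are "quick", so the first match
# wins and the pass rule must sit ABOVE the block to have any effect.
write_sample_files() {
    cat > "$RULES_FILE" <<'EOF'
# permanent ruleset (constructed sample)
block drop in quick on lan0 from lan0:network to any
EOF
    cat > "$TIMED_FILE" <<'EOF'
pass in quick on lan0 from lan0:network to any keep state  # TIMED-RULE
EOF
}

# Validate the ruleset (-n) before loading it (-f), so a typo in the timed
# rule can never leave the box running without a ruleset. Skipped where pf
# is absent so the example also runs on a machine without pf.
reload_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$RULES_FILE" && pfctl -f "$RULES_FILE"
    fi
}

timed_rule_active() {
    grep -qF "$MARKER" "$RULES_FILE"
}

# Insert the timed rule above the permanent rules. Idempotent: if cron fires
# twice the rule is not duplicated.
enable_timed_rule() {
    if timed_rule_active; then return 0; fi
    cat "$TIMED_FILE" "$RULES_FILE" > "$RULES_FILE.new"
    mv "$RULES_FILE.new" "$RULES_FILE"
    reload_rules
}

# Remove every marked line (the "using grep" step of the post). grep -v
# exits 1 when no line survives, which is not an error here.
disable_timed_rule() {
    grep -vF "$MARKER" "$RULES_FILE" > "$RULES_FILE.new" || true
    mv "$RULES_FILE.new" "$RULES_FILE"
    reload_rules
}

first_rule() { head -n 1 "$RULES_FILE"; }

# crontab entries (root) for the window described in the post:
#   0 0 * * * /usr/local/sbin/timed-rule.sh enable
#   0 1 * * * /usr/local/sbin/timed-rule.sh disable
case "${1:-}" in
    enable)  enable_timed_rule ;;
    disable) disable_timed_rule ;;
esac
```

Two caveats for anyone trying this. The author's doubt about pfSense is well founded: pfSense generates the loaded ruleset from its own configuration, so a rule spliced into the live ruleset by hand is overwritten the next time the filter is reloaded; this approach only makes sense on a host whose pf.conf you own outright. And the order described in the post (pass above block) is correct only because the rules carry `quick`; in a pf.conf written without `quick`, the last matching rule wins and the order reverses.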



[pfSense-discussion] Why is it called pfsense?

2006-02-18 Thread DarkFoon



So I was telling one of my friends the other day about PfSense. At one
point, he stopped me and said, "You know what that stands for, don't you?"
I said, "Duh! 'Packet Filter'"
Then came his reply, "Nononono. It stands for 'Plain F**king sense'"
And then I had to write this email about it.

Sounds like it could be a catchy project motto, or something: "Packet Filter
makes plain f-ing sense, Pfsense"

If this is totally offensive to someone, my apologies. Blame my friend who
wouldn't stop bugging me until I wrote this.


[pfSense-discussion] VPN woes

2006-02-18 Thread DarkFoon



My client wants VPN for his company, so his franchisees can VPN connect to
the domain in his office and share files or something (he's rather vague
about this).
Right now, I've got his PfSense box at my house so I can test it. I'd like
to test the VPN from his office, but they're behind a router/firewall (a
SpeedStream consumer POS).

From what I can tell (and Google) PPTP is the easiest to use and I could
probably use it from behind their firewall/router, but it has some serious
flaws: Microsoft patched it and it randomly drops connections and is more
insecure.

I'd use IPSec, but IPSec requires router/firewall to router/firewall
connection (to connect subnets to subnets), or so it seems, and I doubt that
little crappy SpeedStream even knows what VPN means. Besides, we're both on
DHCP ISPs, and it sounds like that makes things different. Once I switch his
office over to the PfSense box, I could test it using my m0n0wall box at my
house, but I'd rather test that it works before I do that.

OpenVPN, being experimental, is at the bottom of my list. I don't really
want to deal with that at this moment in time, but it sounds like it might
make it easier for my client's sometimes computer-illiterate franchisees to
log in (I tried it with the Windows GUI on an XP box) ... eventually.

After all this complaining, I should explain completely what my client wants
in the hopes that it will help you to help me. Basically, he wants to:
a) be able to log into the in-office domain from his home and work there
without actually having to copy the files and such.
and
b) have his franchisees log into the in-office domain and put their earnings
and other business-related information in a central place.

His access from home would be from a laptop with wireless internet (not WiFi,
but Cingular 3G).
The franchisees would be accessing from personal computers, and possibly from
their own offices that I could put behind PfSense boxes (but I don't know
about the offices part; my client has been a little vague in this area).

Ask any questions to help further clarify.
Thanks


Re: [pfSense-discussion] VPN woes

2006-02-18 Thread DarkFoon



The Stunnel package won't install on my PFsense box.

Installing stunnel and its dependencies.
Downloading package configuration file... done.
Saving updated package information... done.
Downloading stunnel and its dependencies... done.
Checking for successful package installation... failed!

Installation aborted.


If there's any more information I could post, please tell me where to look
for it, and I will.


  - Original Message - 
  From: 
  Chad Frerer 
  To: discussion@pfsense.com 
  Sent: Saturday, February 18, 2006 4:54 
  PM
  Subject: RE: [pfSense-discussion] VPN 
  woes
  
  
  Use ssl tunnels 
  - google for “ssl explorer”
  
  -chad
  
  
  
  
  
  From: DarkFoon [mailto:[EMAIL PROTECTED]
  Sent: Saturday, February 18, 2006 5:38 PM
  To: discussion@pfsense.com
  Subject: [pfSense-discussion] VPN woes
  
  
  My client wants VPN for his 
  company, so his franchisees can VPN connect to the domain in his office and 
  share files or something (he's rather vague about this). 
  
  
  Right now, I've got his PfSense 
  box at my house so I can test it. I'd like to test the VPN from his office, 
  but they're behind a router/firewall (a SpeedStream consumer POS). 
  
  
  
  
  From what I can tell (and Google) 
  PPTP is the easiest to use and I could probably use it from behind their 
  firewall/router, but it has some serious flaws: Microsoft patched it and it 
  randomly drops connections and is more 
  insecure.
  
  
  
  I'd use IPSec, but IPSec requires 
  router/firewall to router/firewall connection (to connect subnets to subnets), 
  or so it seems, and I doubt that little crappy SpeedStream even knows what VPN 
  means. Besides, we're both on DHCP ISPs, and it sounds like that makes things 
  different. Once I switch his office over to the PfSense box, I could test it 
  using my m0n0wall box at my house, but I'd rather test that it works 
  before I do that.
  
  
  
  OpenVPN, being experimental, is at 
  the bottom of my list. I don't really want to deal with that at this moment in 
  time, but it sounds like it might make it easier for my client's 
  sometimes-computer illiterate franchisees to log in (I tried it with the 
  windows GUI on an XP box) ... eventually.
  
  
  
  After all this complaining, I 
  should explain completely what my client wants in the hopes that it will help 
  you to help me. Basically, he wants to:
  
  a) be able to log into the 
  in-office domain from his home and work there without actually having to copy 
  the files and such.
  
  and
  
  b) have his franchisees log into 
  the in-office domain and put their earnings and other business related 
  information in a central place.
  
  
  
  His access from home would be from 
  a laptop with a wireless internet (not wifi, but cingular 3G) 
  
  
  The franchisees would be accessing 
  from personal computers, and possibly from their own offices that I could put 
  behind PfSense boxes (but I don't know about the offices part; my client has 
  been a little vague in this area)
  
  
  
  ask any questions to help further 
  clarify.
  
  Thanks
  
  



Re: [pfSense-discussion] VPN woes

2006-02-18 Thread DarkFoon



Besides, I'm fairly certain that my client does not want his franchisees
using a browser for the VPN. It defeats the purpose of his VPN. He wants
them to join the domain, so he can log whether they log in and such. And to
control their access (but that could be done through the SSL-VPN tunnel).
They have to be able to join the domain (as in domain logon).
It's crazy. I hope there are other options that I have, or maybe a little
help that doesn't involve SSL-VPN solutions. I'm not ruling them out
completely yet, but I want to try other options.

  - Original Message - 
  From: 
  DarkFoon 
  
  To: discussion@pfsense.com 
  Sent: Saturday, February 18, 2006 5:09 
  PM
  Subject: Re: [pfSense-discussion] VPN 
  woes
  
  The Stunnel package won't install on my PFsense 
  box.
  
  Installing stunnel and its 
  dependencies.Downloading package configuration file... done.Saving 
  updated package information... done.Downloading stunnel and its 
  dependencies... done.Checking for successful package installation... 
  failed!
  
  Installation aborted.
  
  
  if there's anymore informationI could 
  post, please tell me where to look for it, and I will.
  
  


[pfSense-discussion] Newbie rule order question

2006-02-17 Thread DarkFoon


So I (finally) have a pfSense box that I can experiment with (I've been but
a spectator here for the last few months). It has several OPTx interfaces in
it, and I don't want them to communicate with one another. I have made block
rules on each interface blocking outgoing traffic to the other OPT i/fs and
put them before the default "allow all outgoing connections" rule. Is that
the correct order to give me the result I want? Unfortunately, I cannot test
these rules right now because I do not have enough switches/hubs or
computers to hook up each i/f and try to ping a computer on another i/f.
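Since the poster cannot test the ordering on real hardware, here is an added example, not from the mailing list or from pfSense, that answers the question on paper. It generates the per-interface "block to the other OPT nets, then pass everything" ruleset for any list of interfaces (the same shape as the LAN2-to-LAN1 block rule discussed earlier in this thread) and evaluates it first-match, which is how pfSense applies its GUI rules (it writes them with pf's `quick` keyword). The interface names `opt1`..`opt3` and the sample destination address are constructed values.

```shell
#!/bin/sh
# Added example (not from the mailing list or the pfSense project). Generates
# an isolation ruleset for the given interfaces and evaluates it first-match.
# Interface names and addresses used below are constructed sample values.

# For every interface: block traffic to each other interface's subnet, THEN
# pass everything else. With "quick", the first matching rule decides, so the
# blocks must come first or the pass-all rule hides them.
gen_isolation_rules() {
    for ifc in "$@"; do
        for other in "$@"; do
            [ "$ifc" = "$other" ] && continue
            printf 'block in quick on %s from %s:network to %s:network\n' \
                "$ifc" "$ifc" "$other"
        done
        printf 'pass in quick on %s from %s:network to any keep state\n' \
            "$ifc" "$ifc"
    done
}

# First-match evaluator for rulesets in the shape produced above (read from
# stdin): prints the action (block/pass) of the first rule on interface $1
# whose destination is "any" or equals $2. Prints nothing if nothing matches.
# Field layout: $1 action, $4 "on", $5 interface, $8 "to", $9 destination.
first_match() {
    awk -v ifc="$1" -v dst="$2" '
        $4 == "on" && $5 == ifc && ($9 == "any" || $9 == dst) { print $1; exit }
    '
}

# Demonstration: the correct order isolates opt1 from opt2 but still lets
# opt1 reach the outside world.
RULES=$(gen_isolation_rules opt1 opt2 opt3)
printf '%s\n' "$RULES"
printf 'opt1 -> opt2 net : %s\n' \
    "$(printf '%s\n' "$RULES" | first_match opt1 opt2:network)"
printf 'opt1 -> internet : %s\n' \
    "$(printf '%s\n' "$RULES" | first_match opt1 203.0.113.5)"

# The same rules with every pass-all rule moved to the top: the blocks are
# never reached, which is exactly the mistake the ordering question is about.
WRONG=$(printf '%s\n' "$RULES" | awk '
    /^pass/ { print; next }
    { blk = blk $0 "\n" }
    END { printf "%s", blk }')
printf 'wrong order, opt1 -> opt2 net : %s\n' \
    "$(printf '%s\n' "$WRONG" | first_match opt1 opt2:network)"
```

So the order in the post is right for pfSense: block rules above the allow-all rule. The one caveat is that this depends on first-match (`quick`) semantics; in a hand-written pf.conf without `quick`, pf takes the last matching rule, and the same block rules would have to go after the pass rule instead.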



Re: [pfSense-discussion] Polling?

2006-02-15 Thread DarkFoon
ah,
man polling
I forgot about that one *blushes*
thanks!

- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Wednesday, February 15, 2006 7:32 AM
Subject: Re: [pfSense-discussion] Polling?


SUPPORTED DEVICES
 Device polling requires explicit modifications to the device drivers.
As
 of this writing, the bge(4), dc(4), em(4), fwe(4), fwip(4), fxp(4),
 ixgb(4), nge(4), re(4), rl(4), sf(4), sis(4), ste(4), vge(4), vr(4),
and
 xl(4) devices are supported, with others in the works.  The
modifications
 are rather straightforward, consisting in the extraction of the inner
 part of the interrupt service routine and writing a callback function,
 *_poll(), which is invoked to probe the device for events and process
 them.  (See the conditionally compiled sections of the devices
mentioned
 above for more details.)

 As in the worst case the devices are only polled on clock interrupts,
in
 order to reduce the latency in processing packets, it is not advisable
to
 decrease the frequency of the clock below 1000 Hz.


On 2/14/06, DarkFoon [EMAIL PROTECTED] wrote:

 I can't seem to find a list of devices that support polling on the site.
 Is it the exact same list as the one for m0n0wall?
 If so, may I reccomend that someday somebody make a more detailed list?
 For example, the m0n0wall website says that some support hardware VLAN
 tagging while others support long frames. It implies that these two are
 related, but they sound like different things (to me at least).



Re: [pfSense-discussion] Polling?

2006-02-15 Thread DarkFoon
One more question about polling:
in PfSense, if I turn on polling, but I have 1 interface that doesn't
support it, does that mean they all don't have polling turned on? Or is it
activated just for the ones that do support it, while the ones that don't
use the regular interrupt system?

- Original Message - 
From: Scott Ullrich [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Wednesday, February 15, 2006 7:32 AM
Subject: Re: [pfSense-discussion] Polling?


SUPPORTED DEVICES
 Device polling requires explicit modifications to the device drivers.
As
 of this writing, the bge(4), dc(4), em(4), fwe(4), fwip(4), fxp(4),
 ixgb(4), nge(4), re(4), rl(4), sf(4), sis(4), ste(4), vge(4), vr(4),
and
 xl(4) devices are supported, with others in the works.  The
modifications
 are rather straightforward, consisting in the extraction of the inner
 part of the interrupt service routine and writing a callback function,
 *_poll(), which is invoked to probe the device for events and process
 them.  (See the conditionally compiled sections of the devices
mentioned
 above for more details.)

 As in the worst case the devices are only polled on clock interrupts,
in
 order to reduce the latency in processing packets, it is not advisable
to
 decrease the frequency of the clock below 1000 Hz.


On 2/14/06, DarkFoon [EMAIL PROTECTED] wrote:

 I can't seem to find a list of devices that support polling on the site.
 Is it the exact same list as the one for m0n0wall?
 If so, may I reccomend that someday somebody make a more detailed list?
 For example, the m0n0wall website says that some support hardware VLAN
 tagging while others support long frames. It implies that these two are
 related, but they sound like different things (to me at least).



[pfSense-discussion] Polling?

2006-02-14 Thread DarkFoon



I can't seem to find a list of devices that support polling on the site. Is
it the exact same list as the one for m0n0wall?
If so, may I recommend that someday somebody make a more detailed list? For
example, the m0n0wall website says that some support hardware VLAN tagging
while others support long frames. It implies that these two are related, but
they sound like different things (to me at least).



Re: [pfSense-discussion] Clients... ugh

2006-02-01 Thread DarkFoon
 debunked.   Unless each port / network is configured to have very
 restrictive rules and can't talk to the others at all then all you're
 really gaining is an individual broadcast domain per segment.   Maybe
 that is what he wants and/or I'm overlooking something.

 nb




 On Feb 1, 2006, at 3:57 AM, Rainer Duffner wrote:

  DarkFoon wrote:
 
  APPLIANCE! That's the word I was looking for! Thank you!
 
  Yes, my client means what you said:
 
  an appliance, which is plug, go to web interface, click, click,
  click and it works.
 
  He has one of those (appliance) already, but like I said, its some
  piece of
  crap. It can't do hardly anything. I mean, I use m0n0wall (because
  I like
  using a CD-ROM instead of a harddisk) and it's got so many
  functions that I
  don't use. And pfSense has more, but my client could use some of
  them.
 
  I didn't know that I could do pfSense on a WRAP. I thought pfSense
  needs a
  harddisk (for swap and such), and I thought WRAP uses CF (which
  swap will
  wear out quickly).
  But the idea of a 1u rackmount unit is nice. I'll still look
  around for some
  commercial appliances that have the same features, but I'll try to
  push for
  pfSense with this renewed information.
 
 
 
  IMO, the only thing that can match and exceed pfSense is a Juniper-
  Netscreen Appliance.
  (I think they can do Active-Active clustering for bridging, too).
  But the bigger ones can be 10x as expensive as a similar machine
  built with pfSense.
  Multiply by 2 for a HA-solution...
  If you can afford it, go Netscreen.
  If not, pfSense or raw OpenBSD ;-)
 
  My question still stands, though: does anybody know of a commercial
  (linksys, d-link, and such) firewall/router appliance (that's so
  much faster
  to type) with the features my client wants?
  thanks
 
 
  http://www.juniper.net/products/integrated/
 
  I see that Tyan now also makes appliance-barebones:
  http://www.tyan.com/products/html/network.html
 
  I'm not sure if the onBoard crypto-accelerator really supports
  FreeBSD - Cavium do mention FreeBSD on their website and it seems
  that some boards of the series are actually supported.
 
  Those would really make killer-appliances, but I haven't seen them
  sold anywhere and the price tag is probably high.
 
 
 
 
  cheers,
  Rainer
 
 
 








[pfSense-discussion] Clients... ugh

2006-01-31 Thread DarkFoon



I've got a client who has asked me (among other
things) to make him a router/firewall. Currently he has a "hardware"
firewall/router but I told him that it doesn't support the features he wants. I
attempted to persuade him to use pfSense, but he would rather have a "hardware"
(meaning linksys, netgear, etc.) firewall/router because he thinks they're
more secure.

The main features he wants are:

- "isolated ports". He wants each port on the
LAN to be separate from the others, but all with the same features for each (so
each has its own firewall settings, each has its own DHCP, and so on).
Basically, he thinks that with this, if a "hacker" breaks into the network
of one port, he doesn't have access to computers on the other ports on the
firewall/router. (I am not so certain that this is possible; please, prove me
wrong)

- VPN. He wants franchisees to be able to login
over a secure (encrypted) link and access a special place
where they can put sensitive information.

- DMZ (but that's pretty much 
standard)

I figure pfSense would be able to do all these, 
but, like I said, he wants me to look for "hardware" 
firewall/routers.

First, can anybody explain the
difference (if any) between a computer running pfSense, and a "hardware"
router/firewall? (I didn't think there was one, except for the ROM chip
containing the firewall/router OS)

And secondly, does anybody know of any "hardware"
firewall/routers (man, I'm tired of typing that) that have the above features?


I'm not trying to snub pfSense; I'd love to use it,
but I can't convince him (well, possibly, but he wants me to first look for a
"hardware" solution). I am asking here first because I have been watching the
mailing list for several months now, and I trust the opinions and information of
(most) of the people here. ;)

Thanks for your help/time.
Anthony Rossi