Re: [pfSense] Squid transparent ssl proxy

2012-07-25 Thread Stefan Baur

On 25.07.2012 05:17, Jerome Alet wrote:


Any idea what I'm doing wrong?


This is what you're doing wrong:
 Now I'd like to set it up as an HTTPS transparent proxy as well.

HTTPS traffic is encrypted, and squid is lacking the proper 
keys/certificates to decrypt it.


In theory, you could set up squid with its own certificates, but that 
will turn squid into a man-in-the-middle, i.e. all your clients will 
complain that the certificate doesn't match the sites they're trying to 
access.


IOW: Just don't do it.

I'd suggest looking into browser autoconfiguration using auto.pac / 
wpad.dat files.


-Stefan
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Squid transparent ssl proxy

2012-07-25 Thread jerome alet
Good evening,

 
 From: Stefan Baur newsgroups.ma...@stefanbaur.de
 Sent: Wed Jul 25 17:51:19 NCT 2012
 To: list@lists.pfsense.org
 Subject: Re: [pfSense] Squid transparent ssl proxy
 
 
 On 25.07.2012 05:17, Jerome Alet wrote:
 
  Any idea what I'm doing wrong?
 
 This is what you're doing wrong:
   Now I'd like to set it up as an HTTPS transparent proxy as well.
 
 HTTPS traffic is encrypted, and squid is lacking the proper 
 keys/certificates to decrypt it.
 
 In theory, you could set up squid with its own certificates, but that 
 will turn squid into a man-in-the-middle, i.e. all your clients will 
 complain that the certificate doesn't match the sites they're trying to 
 access.

I know this is man in the middle, and I even wrote that we were OK with the 
browser message which clearly says there's something like a man in the middle 
attack going on.

Since I've added its own certificate to Squid, it isn't lacking them, and so it 
*should* work from what I've read on the net about this subject. But clearly 
I'm missing something because instead of having the traffic decrypted by Squid 
and then encrypted again by Squid for local clients, I've got a Protocol Error. 

So my original question was not about it being OK to do it or not, but more 
about why it didn't work as expected.

Thanks for your feedback anyway, if I can't do otherwise I'll play with 
autoconfiguration scripts.

bye

-- 
Jerome Alet


Re: [pfSense] Routing stops momentarily and then recovers - How do I diagnose

2012-07-25 Thread Gavin Will
Just an update to this

Physically back in the office today and I have received a maintenance letter 
today, yes today, from our ISP informing us of planned maintenance last week!

Cheers for the help folks, MTR looks like a handy tool.

Gavin






-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Gavin Will
Sent: 23 July 2012 00:12
To: pfSense support and discussion
Subject: Re: [pfSense] Routing stops momentarily and then recovers - How do I 
diagnose

Thanks for everyone's input.

I'm confident pfSense is working fine and that another networking issue is 
the real cause. However, I feel that pfSense will be able to assist in finding 
the issue.

States are 'normal' and well within the limits.

I will check with ISP on Monday if there has been any change their side.

Thanks again all.




On 22 Jul 2012, at 23:07, Chris Buechler c...@pfsense.org wrote:

 On Sun, Jul 22, 2012 at 5:48 PM, Michael Schuh 
 michael.sc...@gmail.com
  wrote:
 setup an mtr and let it run, watch for packet loss...

 This.

 I had such behaviour too and it was sourced by an improper routing 
 setup from the ISP


 That's my guess as well.

 The only firewall-sourced issue I can think of that would match that 
 description is state table exhaustion, check your States RRD graph to 
 see if you were at/near your configured limit at the time of the 
 failures.


Re: [pfSense] Firewire?

2012-07-25 Thread Eugen Leitl
On Tue, Jul 24, 2012 at 06:11:47PM -0500, Adam Thompson wrote:
  You can run IP over firewire.   It's fairly straight-forward after
  that.

...

 
 For connecting to pfSense boxes back-to-back, sure, use fwe interfaces... 
 but they'll generally only run at 1394a speeds (aka 400Mbit/sec), so 
 you're better off with another Gigabit Ethernet port, or even using VLANs 
 to share a single GigE port.

IIRC latency is pretty lousy, too.


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread Michael Schuh
Hi Stefan,

You are in Germany, right?
I suggest:
most DSL providers will give you a fixed IP address if you ask.
Most times it will cost you just the phone call; some will bill you 5 €.
So no more dynamic DNS needed. No hassle, no trouble.

HTH

greetings

m.

2012/7/25 Stefan Baur newsgroups.ma...@stefanbaur.de

 Hi list,

 as previously mentioned on this list, I'm running my pfSense boxes within
 private address space, so they can't detect the WAN ip change on their own
 interface, as what they believe is their WAN ip is just another private
 address.

 Therefore, I need to rely on the mechanism that connects to
 checkip.dyndns.org.

 My previous understanding was that /etc/crontab by default contains

 1   1   *   *   *   root    /usr/bin/nice -n20 /etc/rc.dyndns.update

 (which means that the script only gets called at 01:01 AM each day), and
 changing that to

 */5 *   *   *   *   root    /usr/bin/nice -n20 /etc/rc.dyndns.update

 would solve my issues. However, it does not work (any more?).

 When I log in to the GUI, I see the IP displayed in red, meaning it is not
 current.

 Logging into pfSense on the command line and executing

 fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address: \(.*\)<\/body>.*$/\1/'

 gives me the current IP, so I know that connecting to checkip.dyndns.org works.

 Hitting the Save button in the GUI will update the IP, so my credentials
 are correct, too.

 What do I have to change so that pfSense will contact checkip.dyndns.org every 
 5 minutes, and will update the record when required?
 (Note that it should not blindly update every 5 minutes, as that would be
 considered abuse by most Dynamic DNS providers.)

 Kind Regards,
 Stefan




-- 
= = =  http://michael-schuh.net/  = = =
Project management - IT consulting - Professional Services IT
Michael Schuh
P.O. Box 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobile: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  VAT ID:  DE251072318  = = =


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread Stefan Baur

On 25.07.2012 18:02, Michael Schuh wrote:

Hi Stefan,

You are in Germany, right?
I suggest:
most DSL providers will give you a fixed IP address if you ask.
Most times it will cost you just the phone call; some will bill you 5 €.
So no more dynamic DNS needed. No hassle, no trouble.

HTH


Sadly, no. That doesn't scale well (we're talking a 2-digit number of 
installations, with a lot more planned, and various providers).


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread RB
On Wed, Jul 25, 2012 at 9:55 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
 */5 *   *   *   *   root    /usr/bin/nice -n20 /etc/rc.dyndns.update

 would solve my issues. However, it does not work (any more?).

 When I log in to the GUI, I see the IP displayed in red, meaning it is not
 current.

I thought there was a maximum allowable frequency (e.g. 10 minutes)
for hitting checkip.dyndns.org, but can't currently find documentation
of that.  Have you tried with 10-20 minutes?


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread RB
On Wed, Jul 25, 2012 at 10:19 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
 I thought there was a maximum allowable frequency (e.g. 10 minutes)
 for hitting checkip.dyndns.org, but can't currently find documentation
 of that.


 The limit is for hitting the update server, not for hitting
 checkip.dyndns.org (but feel free to prove me wrong).

Here you go: http://dyn.com/support/developers/checkip-tool/


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread Stefan Baur

On 25.07.2012 18:24, RB wrote:

On Wed, Jul 25, 2012 at 10:19 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:

I thought there was a maximum allowable frequency (e.g. 10 minutes)
for hitting checkip.dyndns.org, but can't currently find documentation
of that.



The limit is for hitting the update server, not for hitting
checkip.dyndns.org (but feel free to prove me wrong).


Here you go: http://dyn.com/support/developers/checkip-tool/


Okay, indeed it says so there (and I've updated my crontab accordingly). 
Thanks for pointing that out.


However, repeatedly firing off
fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address: \(.*\)<\/body>.*$/\1/'
within the same minute doesn't error out, so it doesn't look like a 
limit that's enforced by dyndns.


Anyways, I guess all I can do now is wait for the next IP update 
(probably around 4:00am CEST) and see if it works with the 10 minute 
setting.


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread RB
On Wed, Jul 25, 2012 at 10:32 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
 Okay, indeed it says so there (and I've updated my crontab accordingly).
 Thanks for pointing that out.

Not a problem, the problem you outline is of interest to me because I
even see DDNS update issues having a public IP on my WAN; the trigger
doesn't seem to work very well whereas a cron job does tend to.

 However, repeatedly firing off

 fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address: \(.*\)<\/body>.*$/\1/'
 within the same minute doesn't error out, so it doesn't look like a limit
 that's enforced by dyndns.

My only guess is that they're enforcing by trend rather than burst.
Regardless, I'll be interested to know your outcome.
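The check Stefan wants the cron job to perform, as an added example written for this thread (it is not pfSense's rc.dyndns.update): parse the checkip page the same way the sed one-liner does, query it at most once every 10 minutes as the checkip tool asks, and push an update only when the address differs from the one last sent to the provider. The page body and the cached address are constructed sample values.

```python
import re

# Constructed stand-in for the checkip.dyndns.org page body (not a captured response).
SAMPLE_CHECKIP_BODY = (
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 203.0.113.7</body></html>"
)

# Same anchor text the sed one-liner in the thread keys on, but only an IPv4 literal
# is accepted instead of "anything up to </body>".
CHECKIP_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})</body>")

MIN_POLL_SECONDS = 600  # the checkip tool asks for at most one query per 10 minutes


def parse_checkip(body: str) -> str:
    """Extract the WAN address from the checkip HTML; raise on anything unexpected."""
    m = CHECKIP_RE.search(body)
    if m is None:
        raise ValueError("unexpected checkip response")
    return m.group(1)


class DynDnsPoller:
    """Remembers the last poll time and last known IP; an update fires only on change."""

    def __init__(self, cached_ip=None):
        self.cached_ip = cached_ip   # what the provider currently has on record
        self.last_poll = None        # epoch seconds of the last checkip query

    def step(self, now: float, body: str) -> str:
        """One cron tick: returns 'skipped', 'unchanged' or 'update:<ip>'."""
        if self.last_poll is not None and now - self.last_poll < MIN_POLL_SECONDS:
            return "skipped"          # respect the checkip limit even if cron runs */5
        self.last_poll = now
        current = parse_checkip(body)
        if current == self.cached_ip:
            return "unchanged"        # no update request: blind updates count as abuse
        self.cached_ip = current
        return f"update:{current}"    # this is where rc.dyndns.update would be invoked
```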


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread Stefan Baur

On 25.07.2012 23:30, Fuchs, Martin wrote:

I also had many problems and since I use noip now, the problems have gone...
It's still the case that dyndns updates sometimes work and sometimes not :-(


I *am* using no-ip, however, pfSense uses the checkip.dyndns.org server 
to check for the current IP (at least that's how I remember it from one 
of our Gurus on this list, probably Chris or Seth).


-Stefan



Re: [pfSense] Using pfSense to route inbound traffic via Domain Name instead of IP

2012-07-25 Thread Moshe Katz
On Wed, Jul 25, 2012 at 10:24 PM, Joseph Hardeman
jharde...@cirracore.com wrote:

  Hi Everyone,

 I have done some searching and I think this is possible, but I thought I
 would ask to make sure.  It’s an interesting question that was asked of me.
 

 I wanted to know if pfSense can route inbound traffic based off of Domain
 Name instead of IP.  For instance, let’s say I have 4 web sites, all of
 which have SSL enabled.  Normally I would have to use 1 public IP to 1
 internal IP to use SSL (I know Apache you can use SNI for Virtual Domains
 and it does work) but let’s throw an IIS server into the mix.  So let’s say
 I have 2 web sites on an Apache server and 2 on an IIS server and I would
 normally have something like this setup:

 Public IP  -  Domain Name      -  Internal IP
 1.1.1.2    -  www.domain1.com  -  192.168.1.2
 1.1.1.3    -  www.domain2.com  -  192.168.1.3
 1.1.1.4    -  www.domain3.com  -  192.168.1.4
 1.1.1.5    -  www.domain4.com  -  192.168.1.5

 This definitely allows me to pass all ports right, but what if I wanted to
 do something like this:

 Public IP  -  Domain Name      -  Internal IP
 1.1.1.2    -  www.domain1.com  -  192.168.1.2
 1.1.1.2    -  www.domain2.com  -  192.168.1.3
 1.1.1.2    -  www.domain3.com  -  192.168.1.4
 1.1.1.2    -  www.domain4.com  -  192.168.1.5

 Can pfSense route via the Hostname on inbound traffic?  I know you can
 setup Aliases and such, just never played with it.

 Any thoughts or suggestions on how to do this and conserve Public IP’s to
 direct the traffic to the proper internal IP/Ports would be greatly
 appreciated.

 Joe


There isn't really any built-in way to do this.  What you really want is a
reverse-proxy server (which could or could not be running on the pfSense
box).  However, your Reverse Proxy would either have to support SNI or have
a single certificate with all of the domains on it.  Your reverse-proxy
would then route by domain name.

I know that there are people who have gotten Pound (
http://www.apsis.ch/pound/) to run on a pfSense box, but there is currently
no package for it and therefore no GUI.

Two parenthetical notes about SNI:

   - IIS 8 (release next month or so, RC currently available) does support
   SNI.
   - Windows XP does not support SNI.  (Firefox on XP does, as does
   Chrome > 6.)

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
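How a reverse proxy can pick the backend by name before anything is decrypted, as an added example written for this thread (it is not Pound's or pfSense's code): the SNI host_name is read out of the TLS ClientHello in the clear and mapped to the internal addresses Joe listed. The backend map and the ClientHello builder are constructed for the demonstration; a client that sends no SNI (Windows XP's stock browsers, per Moshe) yields None and cannot be routed this way.

```python
import struct

# Backend map for the four sites Joe listed; the addresses are his, the map is constructed.
BACKENDS = {
    "www.domain1.com": "192.168.1.2",
    "www.domain2.com": "192.168.1.3",
    "www.domain3.com": "192.168.1.4",
    "www.domain4.com": "192.168.1.5",
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI extension (test input)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name + name
    sni = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                                # version + zeroed random
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                                          # null compression
            + struct.pack("!H", len(sni)) + sni)                   # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                 # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                                       # headers, version, random
        pos += 1 + record[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + record[pos]                                     # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                                 # server_name extension
                data = record[pos:pos + ext_len]
                if data[2] != 0:                                   # only host_name entries count
                    return None
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

The routing decision is then just BACKENDS.get(extract_sni(record)); the proxy still needs a certificate valid for the chosen name to complete the handshake, which is the SNI-or-single-certificate requirement Moshe describes.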