[pfSense] PfSense Captive Portal Blocking Outbound After Auth
Hi List,

PfSense 2.0.1 captive portal does not allow outbound access even after successful authentication.

1.) Captive portal page displays alright!
2.) Radius User/Pass!
3.) Login successfully!
4.) Keeps on showing redirecting
5.) If I ping google.com then I cannot (even after authentication)

LAN / WAN Rules any 2 any * * * * *

If I disable captive portal I am immediately able to ping the world. If I click enable, access is blocked again.

Can anyone help?

Thanks
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] is it possible
Hi Everyone,

I am curious to know if it is possible to have a pair of pfSense servers swap IPs on an interface or VLAN interface when they fail over, just like the Cisco ASA can. So on a pair of failover ASAs I only need to use either 1 or 2 IPs (if I want to) to handle moving the gateway IP between the pair, including setting the MAC address.

I have been playing with pfSense to see if I can set CARP to try to do the same thing, but so far I haven't seen a way to do it, or I am just missing it. It seems like CARP acts more like HSRP in the fact that it needs 1 IP set on the interface of each member of the pair and then will only move any IP I set as a CARP IP, which is the way I understand HSRP works. Now with VRRP I only need 2 IPs total to handle failover, and with the ASA failover I can reduce it down to a single IP.

Any thoughts or suggestions on whether pfSense can do this or how I would make it do it? I am curious to see if it can be done.

Thanks everyone
Joe

[pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
hello,

in pfsense 2.0.2 it is now new and great, that the CARP master will handle the tunnels of openvpn, and the CARP backup will stop the openvpn _SERVER_

however:
- setup site2site
- outpost has also 2 pfsense boxes for HA
- both in OpenVPN CLIENT mode
- OpenVPN sync in Virtual IP / carp settings on master activated

here is the same problem:
- the CARP backup must STOP the openvpn client
- the CARP master must START the openvpn client

how can I achieve this ?

actual both clients try in parallel to connect to the server, and this effectively interrupts the tunnel. only the master must start the openvpn client

Maybe here is the solution to build in: what do I have to change in rc.carpmaster and rc.carpbackup ?

thanks in advance
stephan
http://www.wolfsec.ch

Re: [pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
On Fri, Jan 4, 2013 at 6:19 PM, WolfSec-Support supp...@wolfsec.ch wrote:
> hello,
>
> in pfsense 2.0.2 it is now new and great, that the CARP master will handle the tunnels of openvpn, and the CARP backup will stop the openvpn _SERVER_
>
> however:
> - setup site2site
> - outpost has also 2 pfsense boxes for HA
> - both in OpenVPN CLIENT mode
> - OpenVPN sync in Virtual IP / carp settings on master activated
>
> here is the same problem:
> - the CARP backup must STOP the openvpn client
> - the CARP master must START the openvpn client
>
> how can I achieve this ?

It's done automatically in 2.0.2 and newer.

Re: [pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
Hi Chris,

2013/1/5 Chris Buechler c...@pfsense.org
> It's done automatically in 2.0.2 and newer.

nope, only on CARP members with usage of openvpn server it will work. here in my v2.0.2 setup with 2 openvpn clients it won't work. also the carp backup tries permanently to open the tunnel via his openvpn client

any additional hint ?

thanks in advance
stephan

Re: [pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
@chris:

in rc.carpmaster and rc.carpbackup is the same relevant code:

    /* Stop OpenVPN clients running on this VIP, since multiple active
       OpenVPN clients on a CARP cluster can be problematic. */
    global $config;
    if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-client'])) {
        foreach ($config['openvpn']['openvpn-client'] as $settings) {
            if ($settings['interface'] == $argv[1]) {
                log_error("Stopping OpenVPN instance on {$settings['interface']} because of transition to CARP backup.");
                openvpn_restart('client', $settings);
            }
        }
    }

but both will:
--- openvpn_restart('client', $settings);

should the rc.carpbackup not stop the client ?

I'm not yet that familiar with the pfsense code in rc. scripts ;-/

thanks in advance
stephan

2013/1/5 WolfSec-Support supp...@wolfsec.ch
> Hi Chris,
>
> 2013/1/5 Chris Buechler c...@pfsense.org
>> It's done automatically in 2.0.2 and newer.
>
> nope, only on CARP members with usage of openvpn server it will work. here in my v2.0.2 setup with 2 openvpn clients it won't work. also the carp backup tries permanently to open the tunnel via his openvpn client
>
> any additional hint ?
>
> thanks in advance
> stephan

--
Stephan Wolf
WolfSec
Rairing 65
CH-8108 Dällikon
+41 43 536 1191
+41 76 566 8222
http://www.wolfsec.ch

Re: [pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
On 1/4/2013 7:39 PM, WolfSec-Support wrote:
> --- openvpn_restart('client', $settings);

That code is smart enough to not start if it's in backup mode. The key is that the VPN must be bound to a CARP VIP. If you did not bind the VPN to a CARP VIP in its interface setting, then it will not automatically start/stop.

It works for both clients and servers, it worked for clients before servers actually.

Jim

Re: [pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
hi jim,

2013/1/5 Jim Pingle li...@pingle.org
> On 1/4/2013 7:39 PM, WolfSec-Support wrote:
>> --- openvpn_restart('client', $settings);
>
> That code is smart enough to not start if it's in backup mode. The key is that the VPN must be bound to a CARP VIP.

ah, ok.
- only the LAN of the outpost has a carp vip
- the WAN of both boxes is on DHCP
- simple outpost firewall failover solution

so:
- is there a possibility to modify that code, that it works like expected for me
- or any other alternative to have stable tunnels from such a setup to my openvpn server

thanks in advance
stephan

Re: [pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
On Fri, Jan 4, 2013 at 7:21 PM, WolfSec-Support supp...@wolfsec.ch wrote:
> hi jim,
>
> 2013/1/5 Jim Pingle li...@pingle.org
>> On 1/4/2013 7:39 PM, WolfSec-Support wrote:
>>> --- openvpn_restart('client', $settings);
>>
>> That code is smart enough to not start if it's in backup mode. The key is that the VPN must be bound to a CARP VIP.
>
> ah, ok.
> - only the LAN of the outpost has a carp vip
> - the WAN of both boxes is on DHCP
> - simple outpost firewall failover solution
>
> so:
> - is there a possibility to modify that code, that it works like expected for me
> - or any other alternative to have stable tunnels from such a setup to my openvpn server

That's not a proper supported HA config, but it should work if you bind the client to the LAN CARP IP.

Re: [pfSense] OpenVPN CARP, but OpenVPN-Client instead of OpenVPN-Server in v2.0.2
hi chris

2013/1/5 Chris Buechler c...@pfsense.org
> That's not a proper supported HA config, but it should work if you

for sure, I know. simply here is necessary http and VPN for users. so we need no CARP / VIP on WAN. also the ISP can not provide in this contract model fixed PA's

> bind the client to the LAN CARP IP.

great !! that works !!
- I modified the open vpn client config to use as Interface the LAN VIP
- enabled CARP synchronizing of OpenVPN settings again

now failover works fine, and also OpenVPN status shows on CARP backup that there is no master daemon running

many, many thanks for help

cheers
stephan
http://www.wolfsec.ch