Re: [pfSense] IPSEC VPN - NAT in Phase 2 - NAT Rules?
From the 2.1 book: "If you need to perform NAT on your local IPs to make them appear as a different subnet, or one of your public IPs, you may do so using the NAT fields underneath Local Network. If you specify a single IP address in Local Network and a single IP address in the NAT field, then a 1:1 NAT rule will be added between the two."

I changed both the local LAN address and the remote incoming NAT'd address to an address instead of a /32 network. Does the 1:1 NAT rule get added behind the scenes, or should it show in the NAT Rules table as a linked rule, or is it invisible in the webGUI?

Thanks,

- Original Message -
> - Original Message -
> > Hi,
> > We are running pfSense 2.1 nano on a Soekris - experiencing an issue with an IPSEC tunnel to a remote Sonicwall. We have two Phase 2 entries defined for two remote hosts on the remote endpoint. We are exposing 1 host on our network which is NAT'd in the Phase 2 entry on our side; we used the NAT field in the Local Network section in P2. Example: the NAT IP they provided us on their side is 1.2.3.4, our host is 4.5.6.7.
> Both the remote NAT'd IP and the local IPs are identified as /32 networks in P2.
> > 1. The tunnel comes up fine.
> > 2. We can ping and connect to both hosts on their side for each P2.
> > 3. They cannot make a connection to our NAT'd host on our side.
> > Do we need to set a NAT rule to allow this traffic to pass on the IPSEC interface? NAT port forward 1.2.3.4 to 4.5.6.7?
> > Best Regards,
> > Mark Street

--
Mark Street, D.C., RHCE
Chief Technology Officer
Alliance Medical Center
(707) 433-5494
"Trust decentralization over centralization, voluntarism over coercion, bottom-up over top-down, adaptation over planning, openness over secrecy, practice over ideology, and markets over politics."
Eric Raymond
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] IPSEC VPN - NAT in Phase 2 - NAT Rules?
- Original Message -
> Hi,
> We are running pfSense 2.1 nano on a Soekris - experiencing an issue with an IPSEC tunnel to a remote Sonicwall. We have two Phase 2 entries defined for two remote hosts on the remote endpoint. We are exposing 1 host on our network which is NAT'd in the Phase 2 entry on our side; we used the NAT field in the Local Network section in P2. Example: the NAT IP they provided us on their side is 1.2.3.4, our host is 4.5.6.7.

Both the remote NAT'd IP and the local IPs are identified as /32 networks in P2.

> 1. The tunnel comes up fine.
> 2. We can ping and connect to both hosts on their side for each P2.
> 3. They cannot make a connection to our NAT'd host on our side.
> Do we need to set a NAT rule to allow this traffic to pass on the IPSEC interface? NAT port forward 1.2.3.4 to 4.5.6.7?
> Best Regards,
> Mark Street

--
Mark Street, D.C., RHCE
Chief Technology Officer
Alliance Medical Center
(707) 433-5494
"Trust decentralization over centralization, voluntarism over coercion, bottom-up over top-down, adaptation over planning, openness over secrecy, practice over ideology, and markets over politics."
Eric Raymond
[pfSense] IPSEC VPN - NAT in Phase 2 - NAT Rules?
Hi,

We are running pfSense 2.1 nano on a Soekris - experiencing an issue with an IPSEC tunnel to a remote Sonicwall. We have two Phase 2 entries defined for two remote hosts on the remote endpoint. We are exposing 1 host on our network which is NAT'd in the Phase 2 entry on our side; we used the NAT field in the Local Network section in P2. Example: the NAT IP they provided us on their side is 1.2.3.4, our host is 4.5.6.7.

1. The tunnel comes up fine.
2. We can ping and connect to both hosts on their side for each P2.
3. They cannot make a connection to our NAT'd host on our side.

Do we need to set a NAT rule to allow this traffic to pass on the IPSEC interface? NAT port forward 1.2.3.4 to 4.5.6.7?

Best Regards,
--
Mark Street, D.C., RHCE
Chief Technology Officer
Alliance Medical Center
(707) 433-5494
"Trust decentralization over centralization, voluntarism over coercion, bottom-up over top-down, adaptation over planning, openness over secrecy, practice over ideology, and markets over politics."
Eric Raymond
[pfSense] ICMP host unreachable and RFC1918
pfSense 2.1

I have internal subnets in the 10.0.0.0/14 address space and also a public subnet x.x.x.240/28 that is routed statically to pfSense's WAN address. pfSense sits at the edge of the network and I have another router whose only internet access is through pfSense. The x.x.x.240/28 public subnet is behind this second router, so pfSense has a static route to that network through the other router. So the network looks like this:

    Internet
       |
    pfsense
       | (OPT1--10.0.0.18/30)
       |
    router (WAN--10.0.0.17/30, gw--10.0.0.18)
       | (LAN--x.x.x.254/28)

pfSense's first outbound NAT rule translates source 10.0.0.0/14 to the WAN IP address. The second router does no NAT. When I do a packet dump on pfSense's WAN, I see packets like this:

    tcpdump -n -i pppoe0 net 10.0.0.0/8
    09:31:19.923384 IP 10.0.0.17 > 182.150.115.24: ICMP host x.x.x.246 unreachable, length 68
    09:32:10.850594 IP 10.0.0.17 > 93.174.93.67: ICMP host x.x.x.250 unreachable, length 48

The addresses x.x.x.250 and x.x.x.246 are not currently in use on this network, although they belong to me, so my interpretation is that the internal router is correctly responding to attempts by outside hosts to connect to those addresses. What I don't understand is why pfSense is passing those packets onto the WAN with the 10.0.0.17 source IP address unaltered. Shouldn't the outbound NAT rule act on these? Am I not breaking RFC1918 by sending these packets onto the internet? Is there a better way to handle this situation?

db
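The check the question above is really asking for, as an added example that is not part of the list thread and not pfSense code: a small parser for `tcpdump -n` output that flags any IPv4 packet leaving the WAN with an RFC 1918 source and a globally routable destination. It does not explain why pf skipped the outbound NAT rule; it only makes the leak visible and countable, which is what you want in a cron job or a post-change check. The sample capture lines are constructed to match the shape shown in the message, with documentation ranges standing in for the poster's masked x.x.x.0/28 addresses; the script name in the usage comment is hypothetical.

```python
"""Flag packets that leave the WAN with an RFC 1918 source address.

Added example, not code from the list thread or from pfSense. It parses
`tcpdump -n` lines of the shape shown in the message above and reports any
IPv4 packet whose source is private (RFC 1918) but whose destination is a
globally routable address: traffic that should never egress a border
firewall, whether the cause is a NAT miss or a routing mistake.
"""
import ipaddress
import re
import sys

# tcpdump -n prints "<timestamp> IP <src> > <dst>: <rest>"; for TCP/UDP the
# address carries a ".<port>" suffix, which strip_port() removes.
# IPv6 ("IP6") lines are intentionally not matched: RFC 1918 is IPv4 only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)

RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample modelled on the message above (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not the poster's addresses).
SAMPLE = """\
09:31:19.923384 IP 10.0.0.17 > 182.150.115.24: ICMP host 203.0.113.246 unreachable, length 68
09:32:10.850594 IP 10.0.0.17 > 93.174.93.67: ICMP host 203.0.113.250 unreachable, length 48
09:32:11.104211 IP 198.51.100.1.54321 > 93.174.93.67.443: Flags [S], seq 1, win 65535, length 0
09:32:12.220907 IP 10.0.0.17 > 10.0.0.18: ICMP echo request, id 1, seq 1, length 64
"""


def strip_port(token):
    """Drop a trailing ".<port>" from a dotted-quad token, if present."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def is_rfc1918(addr):
    """True if the IPv4Address falls in one of the three RFC 1918 blocks."""
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Return {ts, src, dst, rest} for a tcpdump IPv4 line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": strip_port(m.group("src")),
        "dst": strip_port(m.group("dst")),
        "rest": m.group("rest"),
    }


def find_leaks(lines):
    """Records whose source is RFC 1918 and whose destination is global."""
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # not an IP literal (e.g. tcpdump run without -n); skip
        if is_rfc1918(src) and dst.is_global:
            leaks.append(rec)
    return leaks


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   tcpdump -n -l -i pppoe0 | python3 rfc1918_leaks.py -
    # Without the "-" argument the embedded sample is scanned instead.
    lines = sys.stdin if "-" in sys.argv[1:] else SAMPLE.splitlines()
    for rec in find_leaks(lines):
        print(f"{rec['ts']} LEAK {rec['src']} -> {rec['dst']}: {rec['rest']}")
```

On the sample, the two ICMP "host unreachable" replies from 10.0.0.17 are reported and the NATed TCP SYN and the point-to-point ping are not. The destination test uses `ipaddress`'s `is_global`, so replies to other private or reserved ranges are not counted as leaks; tighten that to "anything not on my own networks" if your WAN carries traffic to other RFC 1918 space.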
Re: [pfSense] Possible MTU/PMTU/MSS issue with HE IPv6 tunnel over PPPoE DSL connection
Check again. I found that the new servers that Google deployed were not working properly. They would receive the PMTU "packet too big" packet and would not scale down. They had over 200 servers that had a problem.
[pfSense] Ipredator VPN service and PFsense
I can not get the Ipredator VPN service to work with OpenVPN on pfSense. When I think it is set up as it should be I get an error in the log:

    openvpn[15718]: Options error: --local and --nobind don't make sense when used together

and the connection attempt fails.

This is the contents of client.conf: http://goo.gl/MT2H5P

This is the log after removing "nobind" from the conf: http://goo.gl/tUv3s5

The attempted connection stops. This is the problem from 4 years ago: https://redmine.pfsense.org/issues/282#change-1617

Any help on this is appreciated.

Thanks,
Jeff
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
Thanks for this. As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on FreeBSD 10) drops.

-- Jim

> On Feb 11, 2014, at 7:25, Eugen Leitl wrote:
>
> http://rtfm.net/FreeBSD/ERL/
>
> FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
>
> [...]
[pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
http://rtfm.net/FreeBSD/ERL/

FreeBSD 10.0 on Ubiquiti EdgeRouter Lite

The Ubiquiti EdgeRouter Lite is a neat little device that costs less than US$100, has three Ethernet ports, and can run FreeBSD/mips. It's based on the Cavium Octeon CN5020 platform and features a dual core 500 MHz MIPS64 processor, 512MB RAM, and 4GB storage on removable USB.

The EdgeRouter Lite in the foreground, near a Netgear WNDR3700 and a bulky ISP-provided cablemodem.

This page provides ready-to-use images of FreeBSD 10.0-RELEASE. Thanks to the open nature of the EdgeRouter Lite, it's very easy to install and use these images; just follow the instructions below. Thanks to the fine folks at the FreeBSD Project, building your own is almost as easy. A script to build them, along with instructions, is also provided. Special thanks is due to Juli Mallett and Warner Losh, without whose hard work and generous assistance none of this would be possible.

Note that this is experimental software which comes with no warranty of any kind. These builds are works in progress and are not fit or suitable for any purpose whatsoever. By proceeding you assume all risks.

On my EdgeRouter Lite, the builds provided below are stable and pretty much fully functional. There are two outstanding issues:

- Performance could be a little better, though it's more than adequate for my home Internet connection. Basic packet passing between two Gigabit hosts seems to top out at about 250Mbits/sec.
- There is currently no way to pass boot options (such as single-user mode) to the kernel from U-Boot.

Hardware crypto acceleration via /dev/crypto seems to work. Use AES in CBC mode to see a huge speedup over CTR.

etc.
Re: [pfSense] Deploy openVPN client through AD gpo
On Tue, Feb 11, 2014 at 3:45 PM, Nishant Sharma wrote:
>
> May be something is amiss related to the permissions while installation is going on. Since it installs the "tun/tap" driver, full permission is required and a reboot is necessary.
>
GPO is applied as a computer policy. However, I think it may be because it asks for user input during installation. Can we completely automate the installer from client export, as in a silent mode?

> I guess it has got something to do with GPOs on your Samba4 or Windows AD.
>
I have configured the GPOs and tested other software as well; it seems to work fine.

> By the way, do you get anything on Windows event logs? They are pretty explanatory, though hard to read.
>
Nothing much, I am still trying to go through them.

> Hope some Windows power users chip in.
>
I hope for the same :)
Re: [pfSense] Deploy openVPN client through AD gpo
On Tuesday 11 February 2014 03:39 PM, rajan agarwal wrote:
> it, but the installation is not at all successful. I am not a Windows guy and work on Linux and open source; can't figure out the way around here.

Same here :-)

May be something is amiss related to the permissions while installation is going on. Since it installs the "tun/tap" driver, full permission is required and a reboot is necessary.

I guess it has got something to do with GPOs on your Samba4 or Windows AD.

By the way, do you get anything on Windows event logs? They are pretty explanatory, though hard to read.

Hope some Windows power users chip in.

Regards,
Nishant
Re: [pfSense] Deploy openVPN client through AD gpo
Hi Nishant,

On Tue, Feb 11, 2014 at 3:35 PM, Nishant Sharma wrote:
> Hi Rajan,
>
> On Tuesday 11 February 2014 03:08 PM, rajan agarwal wrote:
> > It works but I need the management UI from the pfSense Client Export as my users are not given any administrative privileges.
>
> Just export the config from the pfSense GUI and see the parameters added for the Management Interface. Add them to your MSI installer config and it should work.
>
Thanks for the quick reply. I have done that but it doesn't work. The client tries to install on a reboot and takes a lot of time doing it, but the installation is not at all successful. I am not a Windows guy and work on Linux and open source; can't figure out the way around here.

--
Rajan
Re: [pfSense] Deploy openVPN client through AD gpo
Hi Rajan,

On Tuesday 11 February 2014 03:08 PM, rajan agarwal wrote:
> It works but I need the management UI from the pfSense Client Export as my users are not given any administrative privileges.

Just export the config from the pfSense GUI and see the parameters added for the Management Interface. Add them to your MSI installer config and it should work.

Thanks & regards,
Nishant
[pfSense] Deploy openVPN client through AD gpo
Hi,

I want to deploy the OpenVPN client exported through the Client Export utility using a GPO in MS AD. Wondering if someone has done this for the client exported by pfSense. I have tried this for the OpenVPN client from openvpn.net following the link below:

http://docs.openvpn.net/how-to-tutorialsguides/administration/active-directory-deploying-the-access-server-connect-client-via-gpos/

It works but I need the management UI from the pfSense Client Export as my users are not given any administrative privileges.

Hoping for some help :)

Thanks
Rajan
Re: [pfSense] IPv6 address data validation
On Mon, Feb 10, 2014 at 10:23 AM, Brian Candler wrote:
> [For some reason the 'New Issue' button on redmine is no longer visible to me, so I'll record this minor issue here]
>

I misunderstood redmine's permissions and broke that temporarily; it should work now. If not, please contact me off-list.

I opened a ticket with this one: https://redmine.pfsense.org/issues/3444