Re: [pfSense] How can this be done?

2014-07-31 Thread Paul Galati
Tomato and possibly DD-WRT firmware make great travel routers as well as 
inexpensive OpenVPN clients for pfSense.

> On Jul 31, 2014, at 10:15 PM, Moshe Katz  wrote:
> 
>> On Thu, Jul 31, 2014 at 8:44 PM, Kenward Vaughan  
>> wrote:
>> In my quest to set up a computational lab at my school, the IT department 
>> has offered us the freedom to create this specialized lab as long as we 
>> aren't hooked up to the school's network--we are to be completely isolated.  
>> They have no one to maintain it software-wise (we will be doing that), and 
>> (I believe) fear security breaches, etc, emanating from there.
>> 
>> They would allow us to go outside through the Wifi spots, though, as long as 
>> it is through the open (insecure) side.  There is an accessible secure 
>> (internal) network as well.
>> 
>> Is there a way to set up pfSense either on the internal server or a separate 
>> Internet side box to control outbound traffic by having it sign into that 
>> network then having the other machines have access?
>> 
>> I'm not any sort of network person (self-taught in Linux/computers in 
>> general), so please accept my apology up front if this is an idiotic 
>> question.
>> 
>> Thanks!
>> 
>> 
>> Kenward
> 
> As Adam said, yes this can be done.  Also as Adam said, it's probably a good 
> idea to ask someone with a little bit of network experience.
> 
> The only thing I have to add over Adam's reply is that, yes, pfSense should 
> natively be capable of using a WiFi connection as its "WAN" and a wired 
> network connection as its "LAN".  If you set the WiFi interface to 
> "Infrastructure (BSS)" mode, it will connect to an existing wireless network. 
>  The only caveat is that you need to make sure your wireless card is one of 
> the properly supported ones - otherwise you might end up with intermittent 
> dropouts and all kinds of unexplained problems.  Again, as Adam said, doing 
> it this way really should be your last resort, just because there are too 
> many things that could go wrong with it.  Finally, I should note that all of 
> this is true on paper, and I have not actually tested it myself in the field 
> - I don't have a spare wireless card.
> 
> If all of Adam's other suggestions don't work, and you really need to go with 
> WiFi, Adam's other idea about using a travel router is actually something I 
> have done in practice at a construction site - the travel router and a 
> pfSense box are in the construction trailer connected to each other by 
> Ethernet, the travel router connects to a wireless network coming from 
> offsite, and the pfSense box sees the travel router as just another regular 
> network connection.  Performance was as good as could be expected from 
> long-range WiFi - poor, to say the least, but that was because of WiFi signal 
> strength, not because of the setup itself.  I used an Apple Airport Express 
> as my travel router, but there are others that may work better - and the 
> Airport Express is very hard to troubleshoot because it has no web interface.
> 
> Moshe
> 
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] How can this be done?

2014-07-31 Thread Kenward Vaughan

On 07/31/2014 06:10 PM, Adam Thompson wrote:

On 14-07-31 07:44 PM, Kenward Vaughan wrote:

In my quest to set up a computational lab at my school, the IT
department has offered us the freedom to create this specialized
lab

...


I'm not any sort of network person (self-taught in Linux/computers
in general), so please accept my apology up front if this is an
idiotic question.

Thanks!

Kenward


Short answer: Yes, this can be done.  Please have someone with
networking experience set this up, unless you want to spend the next
few months learning networking!  This isn't really a pfSense-related
issue at this point.

...

On 07/31/2014 07:15 PM, Moshe Katz wrote:
> On Thu, Jul 31, 2014 at 8:44 PM, Kenward Vaughan wrote:

In my quest to set up a computational lab at my school, the IT


...


As Adam said, yes this can be done.  Also as Adam said, it's probably
a good idea to ask someone with a little bit of network experience.

The only thing I have to add over Adam's reply is that, yes, pfSense
should natively be capable of using a WiFi connection as its "WAN"
and a

...


"Thank you!" to both of you.  Those options are ones I will certainly 
explore with them.


I really appreciate your quick and thoughtful responses.


Kenward
--
In a completely rational society, the best of us would aspire to be
*teachers* and the rest of us would have to settle for something less,
because passing civilization along from one generation to the next
ought to be the highest honor and the highest responsibility anyone
could have. - Lee Iacocca



Re: [pfSense] How can this be done?

2014-07-31 Thread Moshe Katz
On Thu, Jul 31, 2014 at 8:44 PM, Kenward Vaughan 
wrote:

> In my quest to set up a computational lab at my school, the IT department
> has offered us the freedom to create this specialized lab as long as we
> aren't hooked up to the school's network--we are to be completely isolated.
>  They have no one to maintain it software-wise (we will be doing that), and
> (I believe) fear security breaches, etc, emanating from there.
>
> They would allow us to go outside through the Wifi spots, though, as long
> as it is through the open (insecure) side.  There is an accessible secure
> (internal) network as well.
>
> Is there a way to set up pfSense either on the internal server or a
> separate Internet side box to control outbound traffic by having it sign
> into that network then having the other machines have access?
>

> I'm not any sort of network person (self-taught in Linux/computers in
> general), so please accept my apology up front if this is an idiotic
> question.
>
> Thanks!
>
>
> Kenward


As Adam said, yes this can be done.  Also as Adam said, it's probably a
good idea to ask someone with a little bit of network experience.

The only thing I have to add over Adam's reply is that, yes, pfSense should
natively be capable of using a WiFi connection as its "WAN" and a wired
network connection as its "LAN".  If you set the WiFi interface to
"Infrastructure (BSS)" mode, it will connect to an existing wireless
network.  The only caveat is that you need to make sure your wireless card
is one of the properly supported ones - otherwise you might end up with
intermittent dropouts and all kinds of unexplained problems.  Again, as
Adam said, doing it this way really should be your last resort, just
because there are too many things that could go wrong with it.  Finally, I
should note that all of this is true on paper, and I have not actually
tested it myself in the field - I don't have a spare wireless card.

If all of Adam's other suggestions don't work, and you really need to go
with WiFi, Adam's other idea about using a travel router is actually
something I have done in practice at a construction site - the travel
router and a pfSense box are in the construction trailer connected to each
other by Ethernet, the travel router connects to a wireless network coming
from offsite, and the pfSense box sees the travel router as just another
regular network connection.  Performance was as good as could be expected
from long-range WiFi - poor, to say the least, but that was because of WiFi
signal strength, not because of the setup itself.  I used an Apple Airport
Express as my travel router, but there are others that may work better -
and the Airport Express is very hard to troubleshoot because it has no web
interface.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

Re: [pfSense] How can this be done?

2014-07-31 Thread Adam Thompson

On 14-07-31 07:44 PM, Kenward Vaughan wrote:
In my quest to set up a computational lab at my school, the IT 
department has offered us the freedom to create this specialized lab 
as long as we aren't hooked up to the school's network--we are to be 
completely isolated.  They have no one to maintain it software-wise 
(we will be doing that), and (I believe) fear security breaches, etc, 
emanating from there.


They would allow us to go outside through the Wifi spots, though, as 
long as it is through the open (insecure) side.  There is an 
accessible secure (internal) network as well.


Is there a way to set up pfSense either on the internal server or a 
separate Internet side box to control outbound traffic by having it 
sign into that network then having the other machines have access?


I'm not any sort of network person (self-taught in Linux/computers in 
general), so please accept my apology up front if this is an idiotic 
question.


Thanks!


Kenward


Short answer: Yes, this can be done.  Please have someone with 
networking experience set this up, unless you want to spend the next few 
months learning networking!  This isn't really a pfSense-related issue 
at this point.


Easiest, surest (but not cheapest) way: get a separate DSL or Cable 
connection for your lab, and connect to the internet through that link 
(possibly using pfSense).  Don't connect to the existing school [wired] 
network or WiFi [network] at all, not even the public wifi.


Cheaper (and still secure): if the school has a firewall (it most likely 
does), ask if you can be connected to a dedicated interface on that 
firewall.  That way, IT still has control over what you can and can't 
access, and they can protect themselves from you.


Also cheaper (and still secure): the school's WAN provider may allow you 
to connect more than one device to the WAN connection.  This might 
require adding a switch between the service provider's equipment and the 
school's firewall, if the service provider doesn't give you a multi-port 
device of some sort.  Either way, you plug your dedicated (possibly 
pfSense) firewall into another port on the WAN device.  Many DSL & Cable 
providers install a "modem" that includes a 4- or 5-port switch built 
right in.


Most difficult to get working: install your firewall (possibly running 
pfSense) as a client on the school's public wireless network.  I'm not 
sure if pfSense even supports this natively; you may have to use an 
external ethernet-to-wireless bridge (but these are fairly common 
devices now, anything sold as a "travel router" can probably do it, most 
SoHo routers & APs can do it, too). There are many variables here, and 
many things to get wrong.  On the other hand, this requires relatively 
little (i.e. possibly even zero) effort from the existing IT group, and 
doesn't cost much.


If you have to "sign in" to the public WiFi network, especially through 
some sort of login web page (like you do at public hotspots) then 
connecting a firewall to it is probably not going to work well, if at all...


--
-Adam Thompson
 athom...@athompso.net



[pfSense] How can this be done?

2014-07-31 Thread Kenward Vaughan
In my quest to set up a computational lab at my school, the IT 
department has offered us the freedom to create this specialized lab as 
long as we aren't hooked up to the school's network--we are to be 
completely isolated.  They have no one to maintain it software-wise (we 
will be doing that), and (I believe) fear security breaches, etc, 
emanating from there.


They would allow us to go outside through the Wifi spots, though, as 
long as it is through the open (insecure) side.  There is an accessible 
secure (internal) network as well.


Is there a way to set up pfSense either on the internal server or a 
separate Internet side box to control outbound traffic by having it sign 
into that network then having the other machines have access?


I'm not any sort of network person (self-taught in Linux/computers in 
general), so please accept my apology up front if this is an idiotic 
question.


Thanks!


Kenward
--
In a completely rational society, the best of us would aspire to be
*teachers* and the rest of us would have to settle for something less,
because passing civilization along from one generation to the next
ought to be the highest honor and the highest responsibility anyone
could have. - Lee Iacocca



[pfSense] Traffic shaper related error

2014-07-31 Thread Erik Anderson
v 2.1.4...

I configured a traffic shaper earlier this week (Monday I believe),
and I just started getting errors on the web UI stating:

[There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid
argument - The line in question reads [0]: ]

Grepping through my syslog server, the first occurrence of this error
was at 06:43 this morning (the 31st):

Jul 31 06:43:38 pfsense-01.invenshure.com php:
rc.filter_configure_sync: New alert found: There were error(s) loading
the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in
question reads [0]:

No config changes would have happened at this point that would trigger
configuration reload.

Googling around, I found this bug:

https://redmine.pfsense.org/issues/2901

Following the lead of the user that posted this bug (and then
abandoned it), I removed my shaper and that fixed the problem. That's
not a viable long-term solution for me, though.

Does anyone have guidance as to what the cause of this bug is?

I'd be glad to provide config snippets if that would be helpful - just
specify which section(s) of the config would be helpful.

Thank you!
-Erik


Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode

2014-07-31 Thread compdoc
> Did you ever had troubles with virtio drivers?

I have a pfSense guest that runs fine with all virtio drivers (lan,storage)
but you might want to switch back to IDE just to see if your virtio storage
driver is causing the issue. 

Your xml file looks very much like a pfSense guest I have running on Ubuntu
12.04, except mine has these differences:

hvm
(I've had problems with some OSes with the wrong 'machine' type)



(I use files because I don't have a need to dedicate a disk, and pfSense
uses very little drive space. Also makes it easy to back up the guest by
copying the file)


Speaking of drives, do you have a way to read the SMART values from the hard
drives on your raid controller? Drives can fail slowly, but to know you have
to read the following SMART values:

Reallocated sector count
Current Pending sector count
Uncorrectable sector count
G-Sense error rate (if the drive has experienced a shock while running; more
likely on laptops)


Also, when you're seeing weird problems, booting and running memtest86 on
the host for several passes will test the system's RAM. Best to let it run 4
or 5 passes, or even let it run overnight if possible.


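Reading those four counters by hand is error-prone, so here is an added example (not code from the post) that parses the table printed by `smartctl -A` and flags the attributes compdoc lists. The sample table is constructed, and the attribute ID-to-name mapping assumes smartmontools' usual labels; for drives behind a RAID controller, smartctl's `-d` option selects the controller type so each member drive can be queried.

```python
"""Flag the SMART counters that indicate a slowly failing drive.

Added example, not code from the mailing-list post. Parses the attribute
table printed by `smartctl -A <device>` and reports the four counters the
post says to watch. The sample table below is constructed, and the
ID-to-name mapping assumes smartmontools' usual attribute labels.
"""
import re

# SMART attribute IDs are stable across vendors; the names vary slightly.
WATCHED = {
    5: "Reallocated_Sector_Ct",     # sectors already remapped
    197: "Current_Pending_Sector",  # sectors waiting to be remapped
    198: "Offline_Uncorrectable",   # sectors that could not be read at all
    191: "G-Sense_Error_Rate",      # shock events while spinning (laptops)
}

# Constructed sample of the table section of `smartctl -A /dev/ada0`.
SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   117   099   006    Pre-fail  Always       -       123456789
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       8
  9 Power_On_Hours          0x0032   080   080   000    Old_age   Always       -       17921
 10 Spin_Retry_Count        0x0013   096   095   097    Pre-fail  Always   FAILING_NOW 2
191 G-Sense_Error_Rate      0x0032   100   100   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       3
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

# One attribute row: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_attributes(text):
    """Map attribute ID -> (name, value, worst, thresh, raw) from smartctl -A output."""
    attrs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            attr_id, name = int(m.group(1)), m.group(2)
            value, worst, thresh, raw = (int(g) for g in m.groups()[2:])
            attrs[attr_id] = (name, value, worst, thresh, raw)
    return attrs


def failing_counters(text):
    """Return {name: raw} for watched attributes whose raw count is non-zero.

    A non-zero raw count in any of these is the early warning the post
    describes: the drive still "works" but is losing sectors or has been shocked.
    """
    attrs = parse_attributes(text)
    return {attrs[i][0]: attrs[i][4] for i in WATCHED if i in attrs and attrs[i][4] > 0}


def below_threshold(text):
    """Return names of attributes whose normalised VALUE has reached the vendor THRESH.

    This is the condition smartctl itself marks as FAILING_NOW; a THRESH of 0
    means the vendor defines no failure point for that attribute.
    """
    return [name for name, value, _, thresh, _ in parse_attributes(text).values()
            if thresh > 0 and value <= thresh]


if __name__ == "__main__":
    for name, raw in failing_counters(SAMPLE).items():
        print(f"WARNING: {name} = {raw}")
    for name in below_threshold(SAMPLE):
        print(f"FAILING: {name} normalised value at/below vendor threshold")
```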


[pfSense] Captive portal with local users

2014-07-31 Thread Rodolfo Edgar
Hi list,

I have a problem. I have pfSense in the latest version, and I have a DHCP
server and DNS forwarder. When I enabled the captive portal with local user
authentication (I created system users) and saved, I see the captive
portal but users cannot log in; the answer says login failed. But when I
choose the captive portal without authentication, the users can log in
(they see the captive portal, insert the user and password, then they log
in). This is strange for me. Is the procedure correct? A tutorial that I
saw on the internet was https://doc.pfsense.org/smiller/Captive_Portal.htm.
Help me.


[pfSense] sshlockout

2014-07-31 Thread Luis G. Coralle
Hi all,

1. Is there a way to view/edit from a terminal the file that corresponds to
the menu "Diagnostics -> Tables -> sshlockout"?

2. The number of attempts at SSH access before being added to the table
"sshlockout" is set in the file "/etc/inc/system.inc" (with the
/usr/local/sbin/sshlockout_pf 15 command).
Why could this blockage be occurring at attempt number 4 and not 15?

pfSense version is 2.1.4

Thanks

-- 
Luis G. Coralle

Re: [pfSense] ZFS warning message on local console during boot

2014-07-31 Thread Paul Mather

On Jul 30, 2014, at 9:07 PM, Jim Thompson  wrote:

> 
>> On Jul 30, 2014, at 7:20 PM, Paul Mather  wrote:
>> 
>> Despite all that FreeBSD ZFS love, I still would not recommend it on
>> FreeBSD/i386-based installations (as the OP said he was using).  It is
>> much more of a headache to use in that milieu, and, IMHO, doesn't get
>> the testing and general care and feeding that the FreeBSD/amd64 version
>> gets.
> 
> Note that I said any use we make would be amd64 only.

That's a sane decision.

> 
>> Also, ZFS would not be a good fit on low-memory embedded hardware.
>> There are enough problems getting ARC to play nicely on high-memory
>> systems under memory pressure... :-)
> 
> What do you consider ‘low-memory’?

I'm thinking of these 256 MB and 512 MB ALIX-style systems people have 
been talking about on here as of late.  As you say, though, these are 
getting harder to obtain (as the designs are being phased out) as 4 GB 
RAM seems to be a de facto minimum nowadays.

I'm also thinking of "old junker" hardware that people at home might 
want to cobble together to protect their cable modem traffic.  Maybe I 
just hold onto hardware too long, but most of what I have available for 
that at home is i386-vintage with < 2 GB RAM. :-)

> It’s getting difficult to put less than 4GB in some systems.  ZFS works 
> really well on a 4GB system with around 100GB of ssd/m-sata.

I agree.  ZFS does work really well on a 4 GB FreeBSD/amd64 system.  
I've not put a pool on an SSD/m-SATA, so I can't speak to the lifespan 
of such a setup.  (The closest I've come is setting up a FreeNAS system 
at $WORK that has FreeNAS on a 32 GB SATA DOM; L2ARC on a 128 GB SSD; 
and the main data pool on 12 x 3 TB SATA hard drives.  FreeNAS mounts 
most everything, OS-wise, read-only, and tries to store configuration 
data on the data pool.  It's a good setup because it makes the FreeNAS 
software itself a FRU that's easily replaced should the disk it's on 
die.)

> auto-tuned ARC maximum is physical RAM less 1GB, or 1/2 of available RAM.  on 
> a 2GB system, this is 1GB, on a 4GB system, its 2GB.
> Have you looked at memory usage in pfSense lately?

Not really; mine is not heavily used in the grand scheme of things and 
so has lots of free RAM.  I don't use any add-on packages, though, that 
could compete in that arena.

It's nice to see RAM being appreciated, though.  When I bought a 
Netgate FW-7541 for $WORK it shipped with the i386 version of pfSense.  
I asked them nicely if I could please have an amd64 version so I could 
actually use all of the 4 GB of RAM and they kindly obliged.  
Hopefully, they are shipping amd64 versions as standard now on 64-bit 
capable 4+ GB RAM systems. ;-)

> Most of the ‘tuning guides’ consider fileserver/webserver/db applications.   
> pfSense is none of these.  There are several applications that would
> like to reliably write logfiles / rrd files, etc., however.

I agree about standard tuning guides, but also, with pfSense, I'd be 
concerned with the responsiveness of ARC to severe memory pressure.  
There have been many improvements in this area, but problems still 
remain (as I understand it) and ARC can still be sluggish and reluctant 
to allow the system to reclaim memory from ARC.  ARC memory is wired 
memory, and so it is competing with MBUFs and pf, both of which use 
kernel memory.  ARC responsiveness is one of the reasons why people 
still don't recommend to put swap on ZFS, or at least didn't the last 
time I looked.  The last thing you'd want is a spike in traffic to be 
stymied by ARC not getting out of the way quickly enough.  Unlike UFS, 
ZFS is not as intimately integrated into the VM subsystem and so is not 
as well orchestrated in the memory dance.

In the ~7 years I've used ZFS on FreeBSD I've lost ZFS pools twice.  
Admittedly, that was before the deep rollback functionality became 
available for pool imports, or even before zdb got how it is today.  It 
is HIGHLY reliable, IMHO, but, on the other hand, it isn't bulletproof. 
:-)

I do applaud the news that the developers are looking at ways to 
leverage ZFS to improve update and rollback.  That's one of the areas 
of ZFS I've greatly appreciated at $WORK, using beadm to create 
rollback checkpoints.  ZFS also takes Jail admin to another level!

Cheers,

Paul.


Re: [pfSense] ZFS warning message on local console during boot

2014-07-31 Thread b...@todoo.biz
On 31 Jul 2014 at 03:04, Jim Thompson wrote:

> tl;dr:  I wouldn’t run ZFS… yet.
> 
> I didn’t see the error message, you’re barking up a tree attempting to use it 
> right now.
> 
> That said, there are certain advantages to ZFS, and there are internal 
> experiments underway looking to use it for a future (64-bit only) release of 
> pfSense.
> 
> The data integrity and resiliency (due to COW semantics & checksumming) (etc) 
> is one thing.  I’ve had pretty good results turning on LZJB
> compression and 'copies=2', which is nearly as good as a nanobsd image with 2 
> separate slices, and, since you have a live filesystem,
> has NONE of the drawbacks of the nanobsd approach.  One could even 
> ‘checkpoint’ (snapshot) the zvol prior to any change (pkg install, config 
> change, etc),
> and, of course "zfs send | ssh foo; zfs receive" makes it entirely trivial to 
> keep your entire firewall backed up, rather than (just) the config file.
> 
> People who say, "I can't fathom a sensible use case for using ZFS on pfSense" 
> or “why use it to replace nanobsd?” are (likely) stuck in a 
> system admin mindset/mentality(*).  I get the same pushback about bhyve (“why 
> would you use that on a firewall?”) from people stuck in the same
> headspace.   I’m not going to reveal everything here, because it’s going to 
> be post-2.2 before any of this comes about, and I’m keeping the focus on 2.2.
> 
> In short: ZFS is not just about building a NAS.
> 
> Jim

ZFS rocks and I don't see any reason it won't rock harder with the upcoming 2.2 
based on FBSD 10. 

Multithreading + higher end hardware + more memory = potential fluid usage for 
ZFS. 


So get on the starting block and let's see what's going on! 


PGP ID --> 0x1BA3C2FD



Re: [pfSense] ZFS warning message on local console during boot

2014-07-31 Thread Tom Müller-Kortkamp

On 31.07.2014 at 03:31, Dave Warren wrote:

> On 2014-07-30 13:23, Paul Mather wrote:
>> I swear by ZFS on my regular FreeBSD systems (though I was having
>> trouble with it on FreeBSD/i386 latterly).  I don't think there's any
>> "bashing" of ZFS per se, just a wondering why you'd use it on a
>> firewall appliance that's basically a nanobsd setup at heart...
> 
> Maybe it's just me, but I want my firewall to "just work" after power 
> failures, on failing drives, etc is a big plus. Having a self-repairing, 
> snapshotting file system sounds like a huge benefit, but I don't know what 
> the drawbacks are in this context, so I can't make an actual recommendation.
> 
> Imagine having snapshots before updates or major changes so that things can 
> be reverted to a working state, rather than relying on the piecemeal XML 
> backups which, at best, brings you a "moderately similar to the previous 
> state" configuration.
> 
> Being immune to corruption due to power-failures would be nice too; when I 
> was running squid on pfSense, an unexpected power failure virtually always 
> resulted in file system corruption being repaired, still resulting in a 
> broken squid cache -- I have the impression that zfs would give me a lot more 
> resiliency here (but possibly not, perhaps squid simply can't ever recover 
> gracefully)

From my point of view ZFS needs too much RAM for a firewall and it should not be 
installed on i386. So pfSense would only run on amd64 with > 2GB RAM.
UFS is a fast, reliable and economical filesystem which has worked perfectly for 
years.
BTW: ZFS is not immune to corruption due to power failures! Your hardware 
needs a BBU to be safe! Maybe you should put your cache dir on a special volume 
using UFS+J?


Just my 2ct

Tom

