Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread Doug Lytle
  On Jan 26, 2015, at 6:43 AM, Tim Hogan t...@hoganzoo.com wrote:
 After running those commands all of my previous data was available.

Cool!

I'll give that a go,

Doug
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Virus Detected

2015-01-26 Thread Ryan Coleman
Because it’s a target for spammers and spoofers.


 On Jan 26, 2015, at 3:53 AM, Mikey van der Worp mvdw...@utelisys.com wrote:
 
 Eh? Why am I receiving virus tools from an official mailing list?
 
 -Original message-
 From: MailScanner [mailto:postmas...@mail.utelisys.nl]
 Sent: Monday, 26 January 2015 03:41
 To: postmas...@mail.utelisys.nl
 Subject: Virus Detected
 
 The following e-mails were found to have: Virus Detected
 
 Sender: list-boun...@lists.pfsense.org
 IP Address: 208.123.73.78
 Recipient: mvdw...@utelisys.com
 Subject: [pfSense] Message could not be delivered
 MessageID: 2FAE948963.AD206
 Quarantine:
 Report: Clamd: message was infected: Worm.Mydoom-27
 Report: Clamd: letter.zip was infected: Worm.Mydoom-27
 
 Full headers are:
 
 Received: from lists.pfsense.org (lists.pfsense.org [208.123.73.78])
   by mail.utelisys.nl (Postfix) with ESMTP id 2FAE948963
   for mvdw...@utelisys.com; Mon, 26 Jan 2015 03:40:56 +0100 (CET)
 Received: from localhost.my.domain (localhost [127.0.0.1])
   by lists.pfsense.org (Postfix) with ESMTP id 3F2C6EB3E5;
   Sun, 25 Jan 2015 20:44:47 -0600 (CST)
 Received: from lists.pfsense.org (unknown [122.227.187.178])
  by lists.pfsense.org (Postfix) with ESMTP id B9321EB3E1
  for list@lists.pfsense.org; Sun, 25 Jan 2015 20:44:42 -0600 (CST)
 From: Bounced mail mailer-dae...@lists.pfsense.org
 To: list@lists.pfsense.org
 Date: Mon, 26 Jan 2015 10:41:13 +0800
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
  boundary==_NextPart_000_0003_2FA5C790.F167EF43
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.
 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.
 Subject: [pfSense] Message could not be delivered
 X-BeenThere: list@lists.pfsense.org
 X-Mailman-Version: 2.1.17
 Precedence: list
 Reply-To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
 List-Id: pfSense Support and Discussion Mailing List list.lists.pfsense.org
 List-Unsubscribe: https://lists.pfsense.org/mailman/options/list,
  mailto:list-requ...@lists.pfsense.org?subject=unsubscribe
 List-Archive: http://lists.pfsense.org/pipermail/list/
 List-Post: mailto:list@lists.pfsense.org
 List-Help: mailto:list-requ...@lists.pfsense.org?subject=help
 List-Subscribe: https://lists.pfsense.org/mailman/listinfo/list,
  mailto:list-requ...@lists.pfsense.org?subject=subscribe
 Errors-To: list-boun...@lists.pfsense.org
 Sender: List list-boun...@lists.pfsense.org
 Message-Id: 20150126024447.3f2c6eb...@lists.pfsense.org
 
 
 --
 MailScanner
 Email Virus Scanner
 www.mailscanner.info

Re: [pfSense] [2.2] IPSec and default route

2015-01-26 Thread Lorenzo Milesi
apparently the VPN is not routing any traffic, not even if I manually add the
route on the client.

- Original message -
 From: Lorenzo Milesi max...@ufficyo.com
 To: list list@lists.pfsense.org
 Sent: Monday, 26 January 2015 9:11:12
 Subject: [pfSense] [2.2] IPSec and default route

 Hi.
 Over the weekend I upgraded to 2.2 and the process went fine.
 Now I'm connecting from remote using mobile clients setup and I see I cannot 
 use
 the VPN anymore as default route. I see in my client's syslog:
 
 Jan 26 08:48:54 dharma NetworkManager[979]: info VPN connection 'YO' (IP4
 Config Get) reply received from old-style plugin.
 Jan 26 08:48:54 dharma NetworkManager[979]: info VPN Gateway: 5.2.3.1
 Jan 26 08:48:54 dharma NetworkManager[979]: info Tunnel Device: tun0
 Jan 26 08:48:54 dharma NetworkManager[979]: info IPv4 configuration:
 Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal Address:
 10.22.124.1
 Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal Prefix: 24
 Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal Point-to-Point
 Address: 10.22.124.1
 Jan 26 08:48:54 dharma NetworkManager[979]: info   Maximum Segment Size 
 (MSS):
 0
 Jan 26 08:48:54 dharma NetworkManager[979]: info   Static Route:
 10.10.122.0/24   Next Hop: 10.10.122.0
 Jan 26 08:48:54 dharma NetworkManager[979]: info   Forbid Default Route: yes
 Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal DNS: 
 10.10.122.10
 Jan 26 08:48:54 dharma NetworkManager[979]: info   DNS Domain: '(none)'
 
 Why did strongSwan introduce that 'Forbid Default Route: yes'? I didn't find any
 option to re-enable it in the pfSense UI.
 
 I used this [1] guide to set up Mobile VPN on 2.1.
 
 thanks
 
 [1] https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
 --
 Lorenzo Milesi - lorenzo.mil...@yetopen.it
 
 YetOpen S.r.l. - http://www.yetopen.it/

-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

YetOpen S.r.l. - http://www.yetopen.it/

Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread Doug Lytle
I've also noted this morning that the 3 systems I've upgraded, all of them have 
lost their limiter rules.

I've read the release notes, nothing that I saw stated they'd be removed.

Doug


Re: [pfSense] Message could not be delivered

2015-01-26 Thread Espen Johansen
It's not from list. Sender is spoofed.

-lsf
On 26 Jan 2015 10:28, Geoff Jankowski geoff.jankow...@me.com wrote:

 Am I the only person to receive this?

 It contains a .scr file which would not do anything to me but will to any
 gamers out there.

 I hope the lists address has not been compromised for other scammers to
 use.


 --
 *Geoff *
 +44 20 7100 1092
 +44 7770 58 48 38
 +33 5 46 97 13 89
 +33 6 22 93 00 53
 --

 On 26 Jan 2015, at 03:41, Bounced mail mailer-dae...@lists.pfsense.org
 wrote:

 Dear user of lists.pfsense.org,

 We have detected that your e-mail account has been used to send a large
 amount of spam during this week.
 Obviously, your computer was compromised and now contains a trojan proxy
 server.

 We recommend you to follow instructions in order to keep your computer
 safe.

 Sincerely yours,
 lists.pfsense.org technical support team.

 letter.zip




Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread Seth Mos
Sorry to reply to myself here, but 2.2 in combination with the Intel
X540-2 card isn't very stable. The card keeps dropping the Phy which is
fine on 2.1.5.

I've just reverted and reinstalled 2.1.5 with a backup config.

Although the nmbclusters change did make the 2nd port of the ix card
power on, it eventually hung the network after half an hour or so.

Due diligence.

Regards,

Seth

Seth Mos wrote on 26-1-2015 at 11:12:
 Chris Buechler wrote on 24-1-2015 at 3:24:
 Details on the blog:
 https://blog.pfsense.org/?p=1546
 
 2 Upgrades done so far, one had a different Architecture autoupdate URL,
 that one updated from AMD64 to i386, please don't do that.
 
 Also, I have issues with the Intel X540-2 10G card now, it's throwing a
 few errors. Port 0 goes into a flapping state while port 1 never comes up.
 
 [zone: mbuf_jumbo_9k] kern.ipc.nmbjumbo9 limit reached
 ix1: Could not setup receive structures
 
 That didn't happen on 2.1.5 at all, apparently the limits have changed.
 
 In FreeBSD 10 these changes need to go into loader.conf during boot,
 different from before.
 https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning
 
 kern.ipc.nmbclusters=262144
 kern.ipc.nmbjumbop=262144
 kern.ipc.nmbjumbo9=65536
 kern.ipc.nmbjumbo16=32768
 
 Regards,
 
 Seth


Re: [pfSense] Message could not be delivered

2015-01-26 Thread Bob Gustafson

I get one of these messages from 'pfsense' about once a month.

It is more often than from other lists I am a member of.

Bob G

On 01/26/2015 03:28 AM, Geoff Jankowski wrote:

Am I the only person to receive this?

It contains a .scr file which would not do anything to me but will to 
any gamers out there.


I hope the lists address has not been compromised for other scammers 
to use.




*Geoff *
+44 20 7100 1092
+44 7770 58 48 38
+33 5 46 97 13 89
+33 6 22 93 00 53

On 26 Jan 2015, at 03:41, Bounced mail 
mailer-dae...@lists.pfsense.org 
mailto:mailer-dae...@lists.pfsense.org wrote:


Dear user of lists.pfsense.org http://lists.pfsense.org,

We have detected that your e-mail account has been used to send a 
large amount of spam during this week.
Obviously, your computer was compromised and now contains a trojan 
proxy server.


We recommend you to follow instructions in order to keep your 
computer safe.


Sincerely yours,
lists.pfsense.org http://lists.pfsense.org technical support team.

letter.zip





[pfSense] upgrade 2.1-2.2 experience (serial console on C2758)

2015-01-26 Thread Vick Khera
I had been running 2.2-RC on my home router for a while now with no issues,
so I figured I'd try upgrading my office firewalls to 2.2 from 2.1.5 this
morning.

Everything seems to have gone just fine with one minor exception: the IPMI
serial port console stopped working.

I upgraded my backup firewall first, then the primary. The only thing that
went down was the site-to-site vpn, since OpenVPN does not properly detect
and fail over to the backup box because I have a gateway group with two
WANs.  Nobody even noticed anything else drop any connections.

Anyhow, for anyone else interested in the serial console change necessary,
here it is.

On the pfSense/Netgate C2758 the motherboard has an on-board IPMI module
that provides among other things a serial port over LAN (SoL) that shows up
as COM2 to the motherboard.

In FreeBSD 8, to set the console to the alternate port, in
/boot/loader.conf.local you need to set these:

hint.uart.1.flags=0x10
hint.uart.0.flags=0x00

However, these look to be ignored by FreeBSD 10 for actually choosing the
console. Now, it seems if you set this:

comconsole_port=0x2f8

it does the right thing.

The only other tweak I needed to make was to update /etc/ttys as follows:

ttyu0 /usr/libexec/getty al.115200 cons25 onifconsole secure
ttyu1 /usr/libexec/getty al.115200 cons25  onifconsole secure

That is, the ttyu0 line was changed from on to onifconsole and ttyu1
was cloned from that.

So now I have my serial console back via IPMI, and I can remote manage
these things easily.

On my data center systems which run on different Supermicro motherboards,
the IPMI serial port is COM3, so I need to set comconsole_port=0x3e8 and
add the ttys line for ttyu2.
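The two-file change described in the post above (a comconsole_port tunable in /boot/loader.conf.local plus an onifconsole line in /etc/ttys), as an added example that is not Vick's code and not part of pfSense: a small POSIX sh helper that maps a COM number to the legacy I/O base the loader wants and to the matching ttyuN device, then applies both settings idempotently so re-running it after the next upgrade leaves exactly one line of each. The COM-to-port table (COM1 0x3f8, COM2 0x2f8, COM3 0x3e8, COM4 0x2e8), the uart unit numbering, and the default file paths are my assumptions; the gettytab entry al.115200 is the one from the post.

```sh
#!/bin/sh
# Added example (not from the list post or from pfSense).
# Assumptions: legacy PC COM bases COM1=0x3f8 COM2=0x2f8 COM3=0x3e8 COM4=0x2e8,
# uart unit N-1 shows up as ttyu<N-1>, and the gettytab entry "al.115200"
# from the post exists on the box.

# COM number -> I/O port base, in the form the loader's comconsole_port takes
com_to_ioport() {
    case "$1" in
        1) echo 0x3f8 ;;
        2) echo 0x2f8 ;;
        3) echo 0x3e8 ;;
        4) echo 0x2e8 ;;
        *) echo "com_to_ioport: COM$1 is not a legacy port" >&2; return 1 ;;
    esac
}

# COM number -> tty device name (uart units count from 0, so COM2 is ttyu1)
com_to_tty() {
    echo "ttyu$(( $1 - 1 ))"
}

# Put comconsole_port=<base> into a loader.conf(.local) file, dropping any
# earlier comconsole_port line first so repeated runs leave exactly one.
set_comconsole_port() {
    file=$1 base=$2
    [ -f "$file" ] || : > "$file"
    grep -v '^comconsole_port=' "$file" > "$file.tmp" || true
    printf 'comconsole_port=%s\n' "$base" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Ensure a ttys(5) line for $tty that starts getty only when that port is
# the console ("onifconsole"), replacing any earlier line for the same tty.
# The command field must be quoted because it contains a space.
# "secure" permits root login on this terminal; see the note below.
ensure_ttys_line() {
    file=$1 tty=$2
    [ -f "$file" ] || : > "$file"
    grep -v "^$tty[[:space:]]" "$file" > "$file.tmp" || true
    printf '%s\t"/usr/libexec/getty al.115200"\tcons25\tonifconsole\tsecure\n' \
        "$tty" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Make COM<n> the console: loader tunable plus ttys entry in one step.
# Paths default to the live files; pass others to dry-run against copies.
use_com_console() {
    com=$1 loader=${2:-/boot/loader.conf.local} ttys=${3:-/etc/ttys}
    base=$(com_to_ioport "$com") || return 1
    set_comconsole_port "$loader" "$base"
    ensure_ttys_line "$ttys" "$(com_to_tty "$com")"
}

# The C2758's IPMI SoL port is COM2, the Supermicro boards' in the post is COM3:
#   use_com_console 2     # comconsole_port=0x2f8 and a ttyu1 line
#   use_com_console 3     # comconsole_port=0x3e8 and a ttyu2 line
```

Two things worth keeping in mind when the console is reachable over IPMI serial-over-LAN: the `secure` flag in ttys(5) allows root to log in on that terminal, and pfSense's `al.*` gettytab entries are autologin entries, so whoever can reach the BMC's SoL lands in the console menu without a password unless the console menu is password-protected (System > Advanced). Treat the IPMI interface like any BMC and keep it on an isolated management network.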

Re: [pfSense] [2.2] IPSec and default route

2015-01-26 Thread Lorenzo Milesi
 aparently the VPN is not routing any traffic, not even if I manually add the
 route on the client.

racoon accepted misconfiguration:
https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes

| Behavior changes where an incorrect configuration that worked before no
| longer will – There may be things that worked with racoon which were
| technically not configured correctly, but still worked. The only instance of
| this we've seen is for mobile IPsec clients, where Internet traffic could
| pass in some circumstances without having specified 0.0.0.0/0 as the local
| network in the mobile phase 2 configuration.
| If your mobile IPsec clients need to access the Internet via IPsec, your
| mobile phase 2 must specify 0.0.0.0/0 as the local network.

-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

YetOpen S.r.l. - http://www.yetopen.it/
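A post-upgrade check for the condition the upgrade guide describes, as an added example that is not part of the thread or of pfSense. In the strongSwan config that pfSense 2.2 generates, the phase 2 "local network" becomes leftsubnet and the mobile client pool becomes rightsourceip, so a mobile conn whose leftsubnet does not include 0.0.0.0/0 only ever offers split-tunnel traffic selectors, which is exactly what the NetworkManager client above reported as "Forbid Default Route: yes". The script audits every conn in an ipsec.conf and flags mobile conns that are split-only. The path /var/etc/ipsec/ipsec.conf and the conn names in the sample are my assumptions; the addresses in the sample are the ones shown in the thread plus documentation ranges.

```sh
#!/bin/sh
# Added example (not from the thread or from pfSense).  Audits a strongSwan
# ipsec.conf for mobile conns whose leftsubnet (pfSense's "local network" in
# the mobile phase 2) does not include 0.0.0.0/0, i.e. conns that only offer
# split-tunnel traffic selectors and so hit the 2.2 behaviour change.
# Assumptions: pfSense 2.2 writes its generated config to
# /var/etc/ipsec/ipsec.conf (verify on your box), a conn with rightsourceip
# is a mobile conn, and the conn names below are made up.

# Constructed sample: con1 is a 2.1-style mobile setup (LAN only as local
# network), con2 the same conn fixed per the upgrade guide, con3 site-to-site.
SAMPLE_IPSEC_CONF='config setup
    uniqueids = yes

conn con1
    keyexchange = ikev1
    left = 5.2.3.1
    leftsubnet = 10.10.122.0/24
    right = %any
    rightsourceip = 10.22.124.0/24
    auto = add

conn con2
    keyexchange = ikev1
    left = 5.2.3.1
    leftsubnet = 0.0.0.0/0
    right = %any
    rightsourceip = 10.22.124.0/24
    auto = add

conn con3
    keyexchange = ikev1
    left = 5.2.3.1
    leftsubnet = 10.10.122.0/24
    right = 203.0.113.9
    rightsubnet = 192.0.2.0/24
    auto = add
'

# One line per conn: "<name> <mobile|site> <leftsubnet> <verdict>".
# Mobile conns get FULL-TUNNEL when 0.0.0.0/0 is among the leftsubnet
# entries (strongSwan allows a comma-separated list), SPLIT-ONLY otherwise.
audit_mobile_leftsubnet() {
    awk '
        function flush() {
            if (name == "") return
            kind = (rsip != "") ? "mobile" : "site"
            if (kind == "mobile")
                verdict = (index("," lsub ",", ",0.0.0.0/0,") > 0) ? "FULL-TUNNEL" : "SPLIT-ONLY"
            else
                verdict = "n/a"
            print name, kind, (lsub == "" ? "-" : lsub), verdict
            name = ""; lsub = ""; rsip = ""
        }
        /^conn[ \t]+/   { flush(); name = $2; next }
        /^config[ \t]+/ { flush(); next }
        /^[ \t]*leftsubnet[ \t]*=/ {
            sub(/^[ \t]*leftsubnet[ \t]*=[ \t]*/, ""); gsub(/[ \t]/, ""); lsub = $0; next
        }
        /^[ \t]*rightsourceip[ \t]*=/ {
            sub(/^[ \t]*rightsourceip[ \t]*=[ \t]*/, ""); gsub(/[ \t]/, ""); rsip = $0; next
        }
        END { flush() }
    '
}

# Succeeds only if every mobile conn offers 0.0.0.0/0.  Post-upgrade check:
#   mobile_conns_full_tunnel < /var/etc/ipsec/ipsec.conf || echo "fix mobile phase 2"
mobile_conns_full_tunnel() {
    ! audit_mobile_leftsubnet | grep -q ' mobile .* SPLIT-ONLY$'
}

# Run against the constructed sample when executed directly
printf '%s\n' "$SAMPLE_IPSEC_CONF" | audit_mobile_leftsubnet
```

On the firewall, `ipsec statusall` shows the traffic selectors actually negotiated per client, which is the quickest way to confirm the fix took. Two caveats that follow from making 0.0.0.0/0 the local network: the rules on the IPsec firewall tab still decide what the clients may reach, so they need to be written as if the clients were on an untrusted segment, and Internet access for the client pool needs an outbound NAT entry for that pool on WAN, which the phase 2 change alone does not create.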

Re: [pfSense] 2.2-RELEASE Via Padlock

2015-01-26 Thread Nenhum_de_Nos

On Mon, January 26, 2015 09:16, Nenhum_de_Nos wrote:

 On Sun, January 25, 2015 22:59, Peder Rovelstad wrote:
 Hello.  Has Via Padlock Hardware Crypto support been disabled in
 pfSense/FreeBSD 10?  Not a big deal for me as I can stay on 2.1.5, but may
 be for others.  Also, when will x86 support disappear entirely?  Burdened by
 old hardware here...  Thanks.

 Hi,

 Can amd64 images run on the net6501 already?

 The Soekris board has an ACPI issue that would make the amd64 kernel need one
 extra kernel conf line.

 I will try and tell here.

 matheus

Unfortunately, it's no good.

1  pfSense
2  pfSense
5  Drive 0

F6 PXE
Boot:  1
/boot/config: -h
Consoles: serial port
BIOS drive C: is disk0
BIOS drive D: is disk1
BIOS 620kB/2096000kB available memory

FreeBSD/x86 bootstrap loader, Revision 1.1
(root@pfsense-22-amd64-builder, Thu Jan 22 15:01:25 CST 2015)
Loading /boot/defaults/loader.conf
/boot/kernel/kernel text=0x1213f88 data=0x8819b0+0x357620 
syms=[0x8+0x16db38+0x8+0x16accb]

Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel]...
KDB: debugger backends: ddb
KDB: current backend: ddb
ACPI BIOS Error (bug): A valid RSDP was not found (20130823/tbxfroot-223)
panic: running without device atpic requires a local APIC
cpuid = 0
KDB: enter: panic
[ thread pid 0 tid 0 ]
Stopped at  kdb_enter+0x3e: movq$0,kdb_why
db


The solution is here 
http://lists.soekris.com/pipermail/soekris-tech/2011-December/018026.html

Are there any plans for it?

thanks,

matheus

ps: I tried to build pfSense myself to have this. A work not finished though :(

 --
 We will call you cygnus,
 The God of balance you shall be

 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?

 http://en.wikipedia.org/wiki/Posting_style



-- 
We will call you Cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style


[pfSense] FW: Virus Detected

2015-01-26 Thread Mikey van der Worp
Eh? Why am I receiving virus tools from an official mailing list?

-Original message-
From: MailScanner [mailto:postmas...@mail.utelisys.nl]
Sent: Monday, 26 January 2015 03:41
To: postmas...@mail.utelisys.nl
Subject: Virus Detected

The following e-mails were found to have: Virus Detected

Sender: list-boun...@lists.pfsense.org
IP Address: 208.123.73.78
Recipient: mvdw...@utelisys.com
Subject: [pfSense] Message could not be delivered
MessageID: 2FAE948963.AD206
Quarantine:
Report: Clamd: message was infected: Worm.Mydoom-27
Report: Clamd: letter.zip was infected: Worm.Mydoom-27

Full headers are:

 Received: from lists.pfsense.org (lists.pfsense.org [208.123.73.78])
by mail.utelisys.nl (Postfix) with ESMTP id 2FAE948963
for mvdw...@utelisys.com; Mon, 26 Jan 2015 03:40:56 +0100 (CET)
 Received: from localhost.my.domain (localhost [127.0.0.1])
by lists.pfsense.org (Postfix) with ESMTP id 3F2C6EB3E5;
Sun, 25 Jan 2015 20:44:47 -0600 (CST)
 Received: from lists.pfsense.org (unknown [122.227.187.178])
  by lists.pfsense.org (Postfix) with ESMTP id B9321EB3E1
  for list@lists.pfsense.org; Sun, 25 Jan 2015 20:44:42 -0600 (CST)
 From: Bounced mail mailer-dae...@lists.pfsense.org
 To: list@lists.pfsense.org
 Date: Mon, 26 Jan 2015 10:41:13 +0800
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
  boundary==_NextPart_000_0003_2FA5C790.F167EF43
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.
 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.
 Subject: [pfSense] Message could not be delivered
 X-BeenThere: list@lists.pfsense.org
 X-Mailman-Version: 2.1.17
 Precedence: list
 Reply-To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
 List-Id: pfSense Support and Discussion Mailing List list.lists.pfsense.org
 List-Unsubscribe: https://lists.pfsense.org/mailman/options/list,
  mailto:list-requ...@lists.pfsense.org?subject=unsubscribe
 List-Archive: http://lists.pfsense.org/pipermail/list/
 List-Post: mailto:list@lists.pfsense.org
 List-Help: mailto:list-requ...@lists.pfsense.org?subject=help
 List-Subscribe: https://lists.pfsense.org/mailman/listinfo/list,
  mailto:list-requ...@lists.pfsense.org?subject=subscribe
 Errors-To: list-boun...@lists.pfsense.org
 Sender: List list-boun...@lists.pfsense.org
 Message-Id: 20150126024447.3f2c6eb...@lists.pfsense.org


--
MailScanner
Email Virus Scanner
www.mailscanner.info
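The headers quoted above carry the answer to "why am I getting this from an official list": the lowest Received: line shows the message was handed to lists.pfsense.org by an outside host with no reverse DNS (unknown [122.227.187.178]) that announced itself as lists.pfsense.org, and Mailman then relayed it to subscribers with the forged From: intact. As an added example that is not part of the thread or of pfSense, the following POSIX sh/awk script does that check mechanically: it unfolds the header block, walks the Received: chain from the bottom (the earliest hop) and compares the injecting host with the domain the From: line claims. The sample headers are the ones from the quoted report, re-folded the way Postfix writes them; the optional "trusted host" argument is my addition so that Received: lines forged by the sender beneath your own MTA's stamp are ignored.

```sh
#!/bin/sh
# Added example (not from the thread or from pfSense).  Walks a message's
# Received: chain to find where it entered the list server, so a "bounce"
# that claims to be from mailer-daemon at lists.pfsense.org can be checked
# against the hop that actually handed it to lists.pfsense.org.
# Assumption: the only evidence used is the header block quoted in the post;
# no SPF/DKIM lookups are made here.

# Constructed sample: the Received: and From: lines from the quoted
# MailScanner report, folded as Postfix writes them.
SAMPLE_HEADERS='Received: from lists.pfsense.org (lists.pfsense.org [208.123.73.78])
    by mail.utelisys.nl (Postfix) with ESMTP id 2FAE948963
    for mvdw...@utelisys.com; Mon, 26 Jan 2015 03:40:56 +0100 (CET)
Received: from localhost.my.domain (localhost [127.0.0.1])
    by lists.pfsense.org (Postfix) with ESMTP id 3F2C6EB3E5;
    Sun, 25 Jan 2015 20:44:47 -0600 (CST)
Received: from lists.pfsense.org (unknown [122.227.187.178])
    by lists.pfsense.org (Postfix) with ESMTP id B9321EB3E1
    for list@lists.pfsense.org; Sun, 25 Jan 2015 20:44:42 -0600 (CST)
From: Bounced mail mailer-dae...@lists.pfsense.org
To: list@lists.pfsense.org
Subject: [pfSense] Message could not be delivered'

# Join RFC 5322 folded header lines (continuations start with whitespace)
unfold_headers() {
    awk '
        /^[ \t]/ { buf = buf " " substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Received: headers are prepended by each MTA, so the last one is the earliest
# hop.  With a trusted host given, only hops stamped "by <trusted>" count, since
# anything below your own MTA's stamp is sender-controlled and may be forged.
# Prints "<helo> <rdns> <ip>" for that hop ("-" when a field is absent).
origin_hop() {
    unfold_headers | awk -v trusted="$1" '
        /^Received: from / && (trusted == "" || index($0, " by " trusted) > 0) { last = $0 }
        END {
            if (last == "") exit 1
            helo = last; sub(/^Received: from /, "", helo); sub(/ .*/, "", helo)
            rdns = "-"; ip = "-"
            if (match(last, /\([^ ]+ \[[0-9.]+\]\)/)) {
                f = substr(last, RSTART + 1, RLENGTH - 2)   # "name [ip]"
                split(f, p, " ")
                rdns = p[1]; ip = p[2]; gsub(/\[|\]/, "", ip)
            }
            print helo, rdns, ip
        }
    '
}

origin_helo() { origin_hop "$1" | awk '{ print $1 }'; }
origin_rdns() { origin_hop "$1" | awk '{ print $2 }'; }
origin_ip()   { origin_hop "$1" | awk '{ print $3 }'; }

# Verdict: compare the domain the From: line claims with the reverse DNS of
# the injecting host.  "unknown" is what Postfix records when the client IP
# has no PTR; for a list server's own mailer-daemon that alone is damning.
spoof_verdict() {
    trusted=$1
    hdrs=$(cat)
    from_dom=$(printf '%s\n' "$hdrs" | unfold_headers |
               awk '/^From:/ { n = split($0, a, "@"); print a[n]; exit }')
    set -- $(printf '%s\n' "$hdrs" | origin_hop "$trusted")
    helo=$1 rdns=$2 ip=$3
    case "$rdns" in
        unknown|-)                 echo "SPOOFED: From claims $from_dom, injected from $ip with no rDNS (HELO $helo)" ;;
        "$from_dom"|*."$from_dom") echo "CONSISTENT: injected from $rdns [$ip]" ;;
        *)                         echo "SUSPECT: From claims $from_dom, injected from $rdns [$ip]" ;;
    esac
}

# Run against the constructed sample when executed directly
printf '%s\n' "$SAMPLE_HEADERS" | spoof_verdict lists.pfsense.org
```

On real mail, pipe the raw headers from the quarantine file into `spoof_verdict` with your own MTA's hostname as the argument. The point of the argument is the one forensic caveat that matters here: only Received: lines stamped by servers you trust are evidence, and a sender can put any number of plausible-looking hops beneath them.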


Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread Seth Mos
Chris Buechler wrote on 24-1-2015 at 3:24:
 Details on the blog:
 https://blog.pfsense.org/?p=1546

2 Upgrades done so far, one had a different Architecture autoupdate URL,
that one updated from AMD64 to i386, please don't do that.

Also, I have issues with the Intel X540-2 10G card now, it's throwing a
few errors. Port 0 goes into a flapping state while port 1 never comes up.

[zone: mbuf_jumbo_9k] kern.ipc.nmbjumbo9 limit reached
ix1: Could not setup receive structures

That didn't happen on 2.1.5 at all, apparently the limits have changed.

In FreeBSD 10 these changes need to go into loader.conf during boot,
different from before.
https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning

kern.ipc.nmbclusters=262144
kern.ipc.nmbjumbop=262144
kern.ipc.nmbjumbo9=65536
kern.ipc.nmbjumbo16=32768

Regards,

Seth


Re: [pfSense] Message could not be delivered

2015-01-26 Thread Doug Lytle

Geoff Jankowski wrote:

Am I the only person to receive this?

No,

But my spam filter has been catching them.

Doug


--
Ben Franklin quote:

Those who would give up Essential Liberty to purchase a little Temporary Safety, 
deserve neither Liberty nor Safety.



Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread b...@todoo.biz
On 24 Jan 2015 at 03:24, Chris Buechler c...@pfsense.com wrote:
 
 Details on the blog:
 https://blog.pfsense.org/?p=1546


Congratulations to the pfSense team for the quality of the update:

Besides snort and a couple of other packages to re-install, the update is very smooth,
filled with new features and one click away.
I have rarely seen such good updates anywhere else.


Bravo!



Your provider of OpenSource Appliances

www.osnet.eu

PGP ID -- 0x1BA3C2FD


Re: [pfSense] Message could not be delivered

2015-01-26 Thread Geoff Jankowski
Am I the only person to receive this?

It contains a .scr file which would not do anything to me but will to any 
gamers out there.

I hope the lists address has not been compromised for other scammers to use.


Geoff 
+44 20 7100 1092
+44 7770 58 48 38
+33 5 46 97 13 89
+33 6 22 93 00 53

 On 26 Jan 2015, at 03:41, Bounced mail mailer-dae...@lists.pfsense.org 
 wrote:
 
 Dear user of lists.pfsense.org,
 
 We have detected that your e-mail account has been used to send a large 
 amount of spam during this week.
 Obviously, your computer was compromised and now contains a trojan proxy 
 server.
 
 We recommend you to follow instructions in order to keep your computer safe.
 
 Sincerely yours,
 lists.pfsense.org technical support team.
 
 letter.zip


[pfSense] [2.2] IPSec and default route

2015-01-26 Thread Lorenzo Milesi
Hi.
Over the weekend I upgraded to 2.2 and the process went fine.
Now I'm connecting from remote using mobile clients setup and I see I cannot 
use the VPN anymore as default route. I see in my client's syslog:

Jan 26 08:48:54 dharma NetworkManager[979]: info VPN connection 'YO' (IP4 
Config Get) reply received from old-style plugin.
Jan 26 08:48:54 dharma NetworkManager[979]: info VPN Gateway: 5.2.3.1
Jan 26 08:48:54 dharma NetworkManager[979]: info Tunnel Device: tun0
Jan 26 08:48:54 dharma NetworkManager[979]: info IPv4 configuration:
Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal Address: 
10.22.124.1
Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal Prefix: 24
Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal Point-to-Point 
Address: 10.22.124.1
Jan 26 08:48:54 dharma NetworkManager[979]: info   Maximum Segment Size 
(MSS): 0
Jan 26 08:48:54 dharma NetworkManager[979]: info   Static Route: 
10.10.122.0/24   Next Hop: 10.10.122.0
Jan 26 08:48:54 dharma NetworkManager[979]: info   Forbid Default Route: yes
Jan 26 08:48:54 dharma NetworkManager[979]: info   Internal DNS: 10.10.122.10
Jan 26 08:48:54 dharma NetworkManager[979]: info   DNS Domain: '(none)'

Why did strongSwan introduce that 'Forbid Default Route: yes'? I didn't find any
option to re-enable it in the pfSense UI.

I used this [1] guide to set up Mobile VPN on 2.1.

thanks

[1] https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

YetOpen S.r.l. - http://www.yetopen.it/


Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread Tim Hogan


I was able to get vnstat to work by running the following commands

cd /var
mkdir lib
cd lib
ln -s /cf/conf/vnstat


After running those commands all of my previous data was available.

Regards,
Tim

On 1/25/2015 3:54 AM, Doug Lytle wrote:

Brian Caouette wrote:

Lightsquid and vnstat2 do not work with 2.2

Can anyone else confirm?


I cannot comment on Lightsquid, but I can confirm my vnstat2 is 
non-functional.  I've just re-installed the package, I'll see if that 
fixes it.


Doug


[pfSense] NAT-before-IPsec scenario (2.1 and 2.2), or: why won't you work!

2015-01-26 Thread Phil Regnauld
Hi everyone,

I'm currently trying to solve a simple problem for a customer, which
is turning out to be more difficult than I thought (at least, on pfSense).

For the record, I've read https://forum.pfsense.org/index.php?topic=58140.0,
but that doesn't solve the issue.

Summary:

   {internet}. [remote] 11.22.33.0/27
   :
   :
   [pfSense 2.2] (statics pointing to .11 for 192.168.103.0  10.1.0.0/21)
   | .10
   |
---+--- 192.168.1.0/24 (data center backbone)
   | .11
[PE router]
   :
   :
 [CPE]
   |
---+---+--- 192.168.103.0/24 (customer's main office)
   |
[router]
   :
 10.1.0.0/21 (customer remote offices)

Summary:

- customer @ 192.168.103.0/24 wants to talk to 11.22.33.0

- VPN between pfsense 2.1 (now 2.2) and remote (probably Cisco)
  is up and running in no time

- customer realizes they also want their remote offices (10.1.0.0/21
  spread over several sites) to talk to 11.22.33.0

* Plan A:

At this point, the sane thing would be to just add 10.1.0.0/21 as
an additional Phase 2 scope to the tunnel between pfSense and remote.

But it's a painful (read: slow) process to get the paperwork done
and get the other side to change things.

* Plan B:

My suggestion to customer: NAT on their CPE so they hide
10.1.0.0/21 behind an IP from 192.168.103.0/24, but they don't
want to do that.

* Plan C:

Last resort - nat on pfSense before IPsec using a second Phase 2 def.

Now, I know that according to the above link, I should be able to
add a second Phase 2 scope for 10.1.0.0/21, mapped to 192.168.103.123/32
(an IP in the customer's net). This is aliased to localhost via a VIP.

Let's remember for a second that 192.168.103.0 is *not* directly connected
to the pfSense, but 2 hops away via 192.168.1.11.

Anyway, I tried the above, set up the second phase 2 scope with the above
mapping. It doesn't work - or rather, it only works IF traffic from 10.1.0.0/21
hits the VPN while there are no SAs yet (i.e.: if it comes first). In that
case, then traffic from 192.168.103.0/24 and 10.1.0.0/21 makes it through (at
least in the direction customer - 11.22.33.0/27).

If the traffic from 192.168.103.0/24 hits the VPN first, then that works,
but it just drops traffic from 10.1.0.0/21. I haven't debugged this *yet*,
as I need a working solution now. I looked at the console, and can see that
there's a NAT rule set up on enc0, and, as stated before, it works if traffic
from 10.1.0.0/21 is seen first.


* Plan D: ok, let's do manual outbound NAT on the inside IF - NAT
  is disabled on this box (it's a VPN concentrator exclusively), so
  I create the following rule:

  NAT, inside interface, source 10.1.0.0/21, destination 11.22.33.0/27,
  NAT to: interface address (VIP alias) - 192.168.103.123/32

Well, that doesn't work either.

Now, I've been using FreeBSD for 20ish years, and in the past, I have
solved (and still solve) this kind of problem as follows:

# ipfw add 10 divert natd ip from 192.168.103.0/24 to 11.22.33.0/27 via $int_if
# natd -reverse -n 192.168.103.123

... and traffic gets natted to IP 192.168.103.123 as it enters the
system via $int_if (thus, -reverse), before it gets processed by IPsec.

Then, I'd create a tunnel with an SP for 192.168.103.123/24 - 11.22.33.0/27.

Except it doesn't seem to be possible to do this with pfSense. Either that,
or I'm dense (or plan C should work).

So here I am - any good suggestions ? I'd rather avoid having to hack something
from the command line - I like to be able to upgrade smoothly without local
kludges.

PS: IP addresses have been changed to protect the innocent. No animals have
been harmed, pigeons or otherwise.

Yes, this has been tested with both 2.1 and 2.2 - same issue.


Re: [pfSense] 2.2-RELEASE Via Padlock

2015-01-26 Thread Nenhum_de_Nos

On Sun, January 25, 2015 22:59, Peder Rovelstad wrote:
 Hello.  Has Via Padlock Hardware Crypto support been disabled in
 pfSense/FreeBSD 10?  Not a big deal for me as I can stay on 2.1.5, but may
 be for others.  Also, when will x86 support disappear entirely?  Burdened by
 old hardware here...  Thanks.

Hi,

Can amd64 images run on the net6501 already?

The Soekris board has an ACPI issue that would make the amd64 kernel need one
extra kernel conf line.

I will try and tell here.

matheus

-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style