[pfSense] SquidGuard Allow facebook/company url only?

2017-11-30 Thread Alberto Moreno
Hi.

I'm trying to figure out how to allow our users to access just the Facebook
company site:

www.facebook.com/My-Company/

I add the URL above in Target Categories and select the Target as whitelist
for our users, but SG is not accepting my URL. I have tried different inputs
like:

www,
.facebook

different settings, but checking the squid log I got this:

ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1

In my SG log I had this:

facebook.com:443 Request(RH/blk_BL_socialnet/-) equezada CONNECT REDIRECT

For some reason my Target Whitelist is not working, because SG jumps and goes
to the socialnet block and is done, blocking our users.

RH {
    pass FB whitelist !in-addr !blk_BL_anonvpn !blk_BL_porn !blk_BL_socialnet blk_BL_searchengines all
    redirect http://192.168.100.2:80/sgerror.php?url=403%20Sitio%20Prohibido%20para%20el%20departamento%20de%20RH=%a=%n=%i=%s=%t=%u
    log block.log
}

We don't want them to access social sites, just our company site inside
Facebook.

Is it possible?

pfSense 2.3.5, thanks.

-- 
Living the dream...
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfSense can get to Internet but LAN cannot

2017-11-30 Thread Steve Yates
1) we're not using NAT
2) ...which means this is the answer because the router on the WAN side doesn't 
know to route that subnet back to the pfSense.  D'oh!

Adding a manual NAT rule lets it work.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Thursday, November 30, 2017 4:19 PM
To: pfSense support and discussion 
Subject: Re: [pfSense] pfSense can get to Internet but LAN cannot

Hi Steve,

Any chance outbound nat got messed up, when setting up carp? Check the
settings there and check diag>states if nat works.

Holger

On 30.11.2017 at 10:43 PM, "Steve Yates" wrote:

Short version: a PC on the LAN cannot ping the router's gateway,
though the router can ping it and get to the Internet.  Routing table looks
OK, default firewall rule isn't blocking packets (rule to allow LAN to any
is in place), and it's not a private IP address.  Looking for suggestions?

We are replacing two routers using CARP with two 4860s.  I edited
the saved configuration files to add two LAGGs, and changed the interfaces
to match the new hardware.  As I said ping/traceroute/nslookup from the
pfSense to the Internet works fine.  Route table shows the proper gateway
IP as the default.  We have tried changing off the LAGGs, no difference.  A
traceroute from the PC shows the pfSense router LAN IP as expected but not
the gateway which is the next hop.  It's as if the routing isn't sending
packets out the WAN?  I have rebooted the routers, and disabled CARP and
disconnected the second router (and changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the
gateway router works fine to get past the gateway.

--

Steve Yates
ITS, Inc.



Re: [pfSense] pfSense can get to Internet but LAN cannot

2017-11-30 Thread Steve Yates
A couple clarifications...the ping from LAN to the WAN gateway is timing out, 
not saying "unreachable" or something like that.  I can ping the router's WAN 
IP (and CARP WAN IP) from the LAN, as allowed by firewall rule.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Thursday, November 30, 2017 3:44 PM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] pfSense can get to Internet but LAN cannot

Short version: a PC on the LAN cannot ping the router's gateway, though 
the router can ping it and get to the Internet.  Routing table looks OK, 
default firewall rule isn't blocking packets (rule to allow LAN to any is in 
place), and it's not a private IP address.  Looking for suggestions?

We are replacing two routers using CARP with two 4860s.  I edited the 
saved configuration files to add two LAGGs, and changed the interfaces to match 
the new hardware.  As I said ping/traceroute/nslookup from the pfSense to the 
Internet works fine.  Route table shows the proper gateway IP as the default.  
We have tried changing off the LAGGs, no difference.  A traceroute from the PC 
shows the pfSense router LAN IP as expected but not the gateway which is the 
next hop.  It's as if the routing isn't sending packets out the WAN?  I have 
rebooted the routers, and disabled CARP and disconnected the second router (and 
changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the 
gateway router works fine to get past the gateway.

--

Steve Yates
ITS, Inc.



Re: [pfSense] pfSense can get to Internet but LAN cannot

2017-11-30 Thread Holger Bauer
Hi Steve,

Any chance outbound nat got messed up, when setting up carp? Check the
settings there and check diag>states if nat works.

Holger

On 30.11.2017 at 10:43 PM, "Steve Yates" wrote:

Short version: a PC on the LAN cannot ping the router's gateway,
though the router can ping it and get to the Internet.  Routing table looks
OK, default firewall rule isn't blocking packets (rule to allow LAN to any
is in place), and it's not a private IP address.  Looking for suggestions?

We are replacing two routers using CARP with two 4860s.  I edited
the saved configuration files to add two LAGGs, and changed the interfaces
to match the new hardware.  As I said ping/traceroute/nslookup from the
pfSense to the Internet works fine.  Route table shows the proper gateway
IP as the default.  We have tried changing off the LAGGs, no difference.  A
traceroute from the PC shows the pfSense router LAN IP as expected but not
the gateway which is the next hop.  It's as if the routing isn't sending
packets out the WAN?  I have rebooted the routers, and disabled CARP and
disconnected the second router (and changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the
gateway router works fine to get past the gateway.

--

Steve Yates
ITS, Inc.



[pfSense] pfSense can get to Internet but LAN cannot

2017-11-30 Thread Steve Yates
Short version: a PC on the LAN cannot ping the router's gateway, though 
the router can ping it and get to the Internet.  Routing table looks OK, 
default firewall rule isn't blocking packets (rule to allow LAN to any is in 
place), and it's not a private IP address.  Looking for suggestions?

We are replacing two routers using CARP with two 4860s.  I edited the 
saved configuration files to add two LAGGs, and changed the interfaces to match 
the new hardware.  As I said ping/traceroute/nslookup from the pfSense to the 
Internet works fine.  Route table shows the proper gateway IP as the default.  
We have tried changing off the LAGGs, no difference.  A traceroute from the PC 
shows the pfSense router LAN IP as expected but not the gateway which is the 
next hop.  It's as if the routing isn't sending packets out the WAN?  I have 
rebooted the routers, and disabled CARP and disconnected the second router (and 
changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the 
gateway router works fine to get past the gateway.

--

Steve Yates
ITS, Inc.



Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-30 Thread Steve Yates
It would help if someone updated the pfSense doc page to clarify that, then, 
since I asked that question on this list in July and got a different answer 
than yours.
https://doc.pfsense.org/index.php/Upgrade_Guide#Packages

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Wednesday, November 29, 2017 1:54 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

Anything that isn’t a maintenance release (2.x.y … the “y” here) should be 
considered a major release.

macOS 10.11 is a major release. 10.11.1 is not.

—
Ryan

> On Nov 29, 2017, at 1:37 PM, Steve Yates  wrote:
> 
> Does it work if you uninstall haproxy first?  I know pfSense recommends 
> uninstalling packages for "major" version upgrades but (per my past thread 
> here) I would think point versions are minor upgrades.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
> Sent: Wednesday, November 29, 2017 12:02 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
> 
> yes. looks like very similar problem :)
> 
> Eero
> 
> 2017-11-29 18:59 GMT+02:00 Tom Müller-Kortkamp :
> 
>> Did you have any packages installed?
>> I filed this bug 2 days ago:
>> https://redmine.pfsense.org/issues/8135
>> 
>>> On 29.11.2017 at 00:11, Steve Yates wrote:
>>> 
>>> https://redmine.pfsense.org/ is the bug tracker.
>>> https://www.netgate.com/support/contact-support.html for tech support.
>>> 
>>> --
>>> 
>>> Steve Yates
>>> ITS, Inc.
>>> 
>>> -Original Message-
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
>>> Sent: Monday, November 27, 2017 12:37 AM
>>> To: pfSense Support and Discussion Mailing List ; j...@netgate.com
>>> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
>>> 
>>> Hi,
>>> 
>>> Looks like "online" upgrade (2.3.5 -> 2.4.2) trashes sg-8860 unit to
>>> "non-working state". (ie. ssl libraries missing and so on)
>>> 
>>> Where can I file a critical bug ticket? :D
>>> 
>>> --
>>> Eero
>>> 
>>> 2017-11-26 19:53 GMT+02:00 Daniel :
>>> 
>>>> I updated 3 firewalls, all without any problems.
>>>>
>>>> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
>>>>
>>>>> just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any known issues?
>>>>>
>>>>> it's not so complex setup, but running as our hq main firewall. so, some ipsec and openvpn connections are running against it.

[pfSense] FRR restart prevention

2017-11-30 Thread Daniel
Hi there,

Does anyone know how to prevent FRR from restarting every time the config has changed?

Problem can be dampening, for example, or network unreachability.

Just as an idea, use only something like that:

vtysh -e "sh ip bgp sum"

vtysh -e "clear ip bgp *"

And so on.

In this case you can also configure the BGP/OSPF daemon without any hard
restarts being needed. It's just a hint to make it better.

Cheers

Daniel


[pfSense] FRR restart prevention

2017-11-30 Thread Daniel
Hi there,

Is there any way to prevent the whole restart of FRR when the config has changed?

Problem is during a restart the connectivity gets lost, and when you do this a
couple of times it could be that your network is flapping and maybe some
providers use damping.

Cheers

Daniel
