Re: [pfSense] acme package: DNS-nsupdate configurable update zone
I found another way to use DNS01 challenges which doesn't require modifying the pfSense acme package, and doesn't use CNAME records. Simply, for each you create a separate zone `_acme-challenge.`, with its own TSIG key.

This is a better solution than CNAME into a shared dynamic update zone, because a compromised server can't issue certificates for any domain other than its own.

Step-by-step instructions are below, in case they are useful to anyone else.

Regards, Brian.

-=-=-=-=-

For each certificate that the firewall wants:

1. In the DNS, add an NS record for `_acme-challenge.` pointing at .

2. Create new TSIG host key named `_acme-challenge.`

       dnssec-keygen -r /dev/urandom -a hmac-md5 -b 128 -n HOST _acme-challenge.

   The only bit you need is the base64 key from K_acme-challenge..+157+.key. Note this and you can delete the K*.key and K*.private files.

3. Create new zone `_acme-challenge.` on

       key "_acme-challenge." {
           algorithm hmac-md5;
           secret "";
       };
       zone "_acme-challenge." {
           type master;
           file "/var/cache/bind/_acme-challenge.";
           masterfile-format text;
           allow-update { key "_acme-challenge."; };
       };

   Ensure that this config snippet is in a separate file only readable by nameserver (chown bind:bind, chmod 400) and included from the main config.

4. Create skeleton zone file `/var/cache/bind/_acme-challenge.` and ensure it is writable by server (chown bind:bind)

       $TTL 60
       @   SOA . hostmaster.. (
               20 3600 1800 604800 60 )
       @   NS .

5. Validate and reload server

       named-checkconf /etc/bind/named.conf
       rndc reload
       grep _acme-challenge /var/log/syslog

Then configure the pfSense acme client under Domain SAN List with:

    Method: DNS-NSupdate / RFC 2136
    Server:
    Key Type: host key
    Key Algorithm: HMAC-MD5
    Key:
    DNS Sleep: 2

(The sleep assumes you are only pointing at a single nameserver, which is fine for this purpose. In fact you can have a separate nameserver just for ACME challenges, which is unrelated to your main DNS infrastructure)

___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] acme package: DNS-nsupdate configurable update zone
On 16/11/2017 10:30, Brian Candler wrote:
> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure this. I would like either:
> - an extra setting for "dynamic update zone", which is appended to the nsupdate name
> - an override for the whole name (i.e. can replace _acme-challenge.www.foo.com with an arbitrary nsupdate target)
> Does this sound reasonable?

FYI, I was able to make it work by manually hacking /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh

+NSUPDATE_SUFFIX=acme.example.net.

- _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+ _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt \"${txtvalue}\""
-update add ${fulldomain}. 60 in txt "${txtvalue}"
+update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"

- _info "removing ${fulldomain}. txt"
+ _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"
-update delete ${fulldomain}. txt
+update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt

Of course, this will probably be overwritten by some future update :-(

In addition, I had to change the generation of the key name in acme_inc.sh, to match the key name on the DNS server, otherwise I got TSIG error "NOTAUTH(BADKEY)". In my case, the key name on the server is "acme-update", so I changed this line:

    file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key", "*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");

Being able to override the key name via the GUI would also be helpful.

Cheers, Brian.
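Review bot: the added `+NSUPDATE_SUFFIX=acme.example.net.` line hard-codes one site's zone into a script shipped with the package, so any other install that picked up the change would start appending that zone to every `update add`/`update delete`; give it a default that preserves the old behaviour (`NSUPDATE_SUFFIX="${NSUPDATE_SUFFIX:-}"`) and read the site value from the package config, so an empty suffix leaves the original `${fulldomain}.` name untouched. The same applies to the `*acme-update*` key name hard-coded into the `file_put_contents` line. Two smaller points: the suffix only produces an absolute name because it ends in a trailing dot, so that should be enforced or documented, and the `*` characters around `${NSUPDATE_SUFFIX}` are mail emphasis that must not be copied into the script literally.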
[pfSense] acme package: wrong agreement URL
Trying to use the acme package with pfsense 2.4.1 and the LetsEncrypt staging server: certificate enrolment failed, although all the output was in green.

/tmp/acme//acme_issuecert.log shows HTTP 400 errors, with the following response:

    [Thu Nov 16 10:28:19 UTC 2017] response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'

I couldn't see how to change this in the GUI, so I had to edit /usr/local/pkg/acme/acme.sh

I presume the package needs updating?

Thanks, Brian.
[pfSense] acme package: DNS-nsupdate configurable update zone
Hi,

I have a feature request which I thought I'd discuss here before creating a ticket.

I use Letsencrypt with the DNS01 challenge, so I can get certs for internal DNS names which are not reachable over the Internet. To avoid making all my zones subject to dynamic updates, I use CNAME records to point to a single dynamic domain.

Say my dynamic update zone is "acme.example.com", but I want to issue a cert for "www.foo.com". I add a CNAME record like this:

    _acme-challenge.www.foo.com. CNAME _acme-challenge.www.foo.com.acme.example.com.

Then I configure the nsupdate request to put the TXT record under _acme-challenge.www.foo.com.acme.example.com. instead of _acme-challenge.www.foo.com. When using dehydrated or acme.sh, that's just a question of configuring the challenge script properly.

This all works nicely, and is pretty standard: e.g. https://www.crc.id.au/using-centralised-management-with-lets-encrypt/

Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure this. I would like either:

- an extra setting for "dynamic update zone", which is appended to the nsupdate name
- an override for the whole name (i.e. can replace _acme-challenge.www.foo.com with an arbitrary nsupdate target)

Does this sound reasonable?

Thanks, Brian.
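The two DNS-01 layouts on this page, the CNAME-into-a-shared-update-zone approach in this post and the one-`_acme-challenge` zone-per-name approach with its own TSIG key in the "Re:" post at the top of the page, as an added Python example; this is not code from the posts or from the pfSense acme package. It models BIND's per-zone `allow-update { key ...; }` as a small policy check and follows CNAMEs the way a validator would. Everything beyond the names in the posts is constructed for the demo: the server `ns1.example.com`, the key names `acme-update` and `_acme-challenge.www.foo.com`, and the sample records. It goes a little beyond the text by treating the policy generically, which is what makes the blast-radius difference between the two schemes visible.

```python
"""Added example, not code from the mailing-list posts or the pfSense acme
package: models the two DNS-01 layouts discussed on this page (CNAME into a
shared dynamic-update zone, and one _acme-challenge zone per name with its
own TSIG key) as a small RFC 2136 allow-update check plus a CNAME-following
TXT lookup over constructed records. Zone names, key names and the sample
records are constructed for the demo."""

ACME_LABEL = "_acme-challenge"


def fqdn(name):
    """Normalise to lower case with a trailing dot (absolute name)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_zone(name, zone):
    """True if name is at or below zone: the scope an allow-update key gets."""
    name, zone = fqdn(name), fqdn(zone)
    return name == zone or name.endswith("." + zone)


def challenge_name(domain):
    """Name the ACME validator queries for the TXT record."""
    return fqdn(f"{ACME_LABEL}.{domain}")


def nsupdate_target(domain, scheme, update_zone=None):
    """Where the TXT record is actually written under each scheme."""
    if scheme == "per-name-zone":
        return challenge_name(domain)  # apex of the per-name zone
    if scheme == "cname":
        return fqdn(f"{ACME_LABEL}.{domain}.{update_zone}")
    raise ValueError(f"unknown scheme {scheme!r}")


def nsupdate_script(server, target, txt, ttl=60):
    """The command batch an nsupdate client sends for one challenge."""
    return "\n".join([
        f"server {server}",
        f"update delete {target} txt",
        f'update add {target} {ttl} in txt "{txt}"',
        "send",
    ]) + "\n"


def authorize(policy, key_name, target):
    """Emulate BIND's per-zone allow-update { key ...; }.
    policy maps zone -> set of key names permitted to update that zone."""
    for zone, keys in policy.items():
        if in_zone(target, zone):
            return key_name in keys
    return False  # no zone on this server covers the name


def resolve_txt(records, name, max_hops=8):
    """Follow CNAMEs as a validator would and return the TXT strings found."""
    name = fqdn(name)
    for _ in range(max_hops):
        rrset = records.get(name, {})
        if "TXT" in rrset:
            return list(rrset["TXT"])
        if "CNAME" in rrset:
            name = fqdn(rrset["CNAME"])
            continue
        return []
    raise RuntimeError("CNAME chain too long")


# Constructed policies: the shared zone trusts one key for every host, the
# per-name zones each trust only their own key.
SHARED_POLICY = {"acme.example.com": {"acme-update"}}
PER_NAME_POLICY = {
    "_acme-challenge.www.foo.com": {"_acme-challenge.www.foo.com"},
    "_acme-challenge.mail.foo.com": {"_acme-challenge.mail.foo.com"},
}


def blast_radius(policy, key_name, scheme, victim, update_zone=None):
    """Can the key issued to one host write the challenge for another name?"""
    return authorize(policy, key_name, nsupdate_target(victim, scheme, update_zone))


if __name__ == "__main__":
    # Constructed records for the CNAME scheme from the post above.
    records = {
        "_acme-challenge.www.foo.com.": {
            "CNAME": "_acme-challenge.www.foo.com.acme.example.com."},
        "_acme-challenge.www.foo.com.acme.example.com.": {"TXT": ["token-abc"]},
    }
    print(nsupdate_script("ns1.example.com",
                          nsupdate_target("www.foo.com", "cname", "acme.example.com"),
                          "token-abc"))
    print("validator sees:", resolve_txt(records, "_acme-challenge.www.foo.com"))
    print("shared key can write mail.foo.com's challenge:",
          blast_radius(SHARED_POLICY, "acme-update", "cname", "mail.foo.com", "acme.example.com"))
    print("www key can write mail.foo.com's challenge:",
          blast_radius(PER_NAME_POLICY, "_acme-challenge.www.foo.com", "per-name-zone", "mail.foo.com"))
```

The `blast_radius` calls are the point: under the shared zone the single `acme-update` key is accepted for any host's challenge name, whereas a per-name zone only accepts its own key, so a key lifted from one firewall cannot satisfy a challenge for a different name.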
Re: [pfSense] 2.3.2 upgrade only offers 2.3.3_1
On 28/07/2017 09:42, Brian Candler wrote:
> Is that expected? That is, do I need to go stepwise to 2.3.3_1, reboot, and then upgrade again? Or should I have been offered the direct upgrade?

And oddly - an old 2.2.4 box I have access to is offering direct upgrade to 2.3.4 (although not 2.3.4_1)
[pfSense] 2.3.2 upgrade only offers 2.3.3_1
I have an instance of 2.3.2, and when I ask for system updates it only tells me that 2.3.3_1 is available - whereas I know 2.3.4_1 has been released.

Is that expected? That is, do I need to go stepwise to 2.3.3_1, reboot, and then upgrade again? Or should I have been offered the direct upgrade?

Thanks, Brian.
Re: [pfSense] Inbound HAProxy or Load Balancer
On 07/02/2017 18:00, list-requ...@lists.pfsense.org wrote:
> I try to get an internal load balancer running. I set up HAProxy with a public IP: 123.123.123.123 and I have 2 webservers: 10.0.3.99 and 10.0.3.98. When I connect from outside of 10.0.3.0/24 it works as expected, but when I try to make a connection from the internal LAN 10.0.3.0/24 I get no response.

(Presumably you mean when you connect from 10.0.3.x to 123.123.123.123)

Are you actually using the HAproxy package, or are you just using regular load-balanced pools (Services > Load Balancer)? If you are using load-balanced pools, read on.

> I read something about NAT reflection but I didn't understand how to configure it correctly.

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Go to System > Advanced, Firewall/NAT, scroll down to "NAT Reflection mode for port forwards", and change from "Disabled" to "Pure NAT".

What happens is:

* packet is sent from client with src 10.0.3.5 (say), destination 123.123.123.123
* packet follows default gateway and arrives at pfSense
* as well as rewriting the dest to 10.0.33.98 (or 99), NAT reflection means that it rewrites the source to 10.0.3.1 (or whatever your pfSense LAN addr is)
* the packet arrives at the destination web server with src 10.0.3.1 and dest 10.0.33.98
* the return packet has src 10.0.33.98 and dst 10.0.3.1
* hence it arrives back at pfSense
* pfSense rewrites it to src 123.123.123.123 dest 10.0.3.5

This ensures that pfSense is in the loop for both the outbound and inbound packets. However your webserver logs will show the connection coming from 10.0.3.1, not from the true client IP address.

HTH, Brian.
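The packet walk above, as an added Python example that is not pfSense code: a toy stateful port-forward NAT in which "Pure NAT" reflection rewrites the source of a LAN client to the firewall's LAN address, next to a `reply_path` check that shows why this matters (a server replying directly to another host on its own subnet never passes the firewall, so the client gets a reply from the wrong address). Addresses are the ones in the post; the state table, the translated source port range starting at 50000 and the external client 198.51.100.7 are constructed for the demo.

```python
"""Added example, not pfSense code: a toy stateful port-forward NAT that
shows why the "Pure NAT" reflection mode described above also rewrites the
source address when the client sits on the same LAN as the server. Addresses
are the ones used in the post; the state table and port allocation are a
simplification constructed for the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reply_path(server_reply_dst, lan_ip, lan_net):
    """Where a LAN server's reply physically goes: if the destination is another
    host on its own subnet it is delivered directly, bypassing the firewall."""
    dst = ipaddress.ip_address(server_reply_dst)
    if server_reply_dst == lan_ip or dst not in ipaddress.ip_network(lan_net):
        return "via-firewall"
    return "direct-to-client"  # asymmetric: client sees a reply from the wrong address


class PortForwardNAT:
    def __init__(self, wan_ip, lan_ip, lan_net, forwards, reflection):
        self.wan_ip, self.lan_ip = wan_ip, lan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.forwards = forwards      # wan_port -> (inside_ip, inside_port)
        self.reflection = reflection  # "disabled" or "pure-nat"
        # (srv_ip, srv_port, nat_src, nat_sport) -> (client_ip, client_port)
        self.states = {}
        self._next_port = 50000       # constructed translated-port range

    def inbound(self, pkt):
        """Client -> WAN IP. Returns the packet as forwarded to the server, or None if dropped."""
        if pkt.dst != self.wan_ip or pkt.dport not in self.forwards:
            return None
        from_lan = ipaddress.ip_address(pkt.src) in self.lan_net
        if from_lan and self.reflection == "disabled":
            return None  # no reflection: LAN clients cannot use the WAN address
        inside_ip, inside_port = self.forwards[pkt.dport]
        if from_lan:
            # Pure NAT: source becomes the firewall's LAN address so the reply
            # must come back through pfSense instead of straight to the client.
            new_src, new_sport = self.lan_ip, self._next_port
            self._next_port += 1
        else:
            new_src, new_sport = pkt.src, pkt.sport
        self.states[(inside_ip, inside_port, new_src, new_sport)] = (pkt.src, pkt.sport)
        return Packet(new_src, new_sport, inside_ip, inside_port)

    def reply(self, pkt):
        """Server -> client, untranslated via the state table; None if no state."""
        state = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if state is None:
            return None
        client_ip, client_port = state
        return Packet(self.wan_ip, pkt.sport, client_ip, client_port)


def walk_lan_client(reflection):
    """Run the post's scenario for a LAN client: what the server sees, where its
    reply goes, and what the client finally receives."""
    fw = PortForwardNAT("123.123.123.123", "10.0.3.1", "10.0.3.0/24",
                        {80: ("10.0.3.98", 80)}, reflection)
    fwd = fw.inbound(Packet("10.0.3.5", 40000, "123.123.123.123", 80))
    if fwd is None:
        return None, None, None
    path = reply_path(fwd.src, fw.lan_ip, "10.0.3.0/24")
    back = fw.reply(Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport))
    return fwd, path, back


if __name__ == "__main__":
    for mode in ("disabled", "pure-nat"):
        print(mode, walk_lan_client(mode))
```

Running it shows the trade-off the post ends on: in pure-nat mode the server sees src 10.0.3.1 rather than the client, which is exactly what keeps the return path symmetric.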
Re: [pfSense] Restoring XML config file from URL at console
> If you're using VMware to run your VM, why not just create a template from your working pfSense VM and export it? Then each time you need this to roll out, just import it in the destination virtualization host. The same thing if you're using KVM.

I am using packer.io. This is a tool for building images directly from the original ISO. It fires up a qemu/kvm virtual machine and does stuff to it (including blind typing if necessary).

> > However I'm happy to drop down either to the Linux shell or the PHP shell.
> pfSense is based on FreeBSD.

Oops, sorry about that. Force of habit :-)

Anyway I've cobbled together a PHP script (below) based on bits and pieces found in other scripts. It would be nice though if the existing "pre-flight install" functionality could be exposed as a simple script I could call.

Regards, Brian.

    #!/usr/local/bin/php-cgi -q
    <?php
    // pfSense include that provides config_restore() and conf_mount_rw()/conf_mount_ro()
    // (added here; the posted script relied on it being loaded implicitly)
    require_once("config.inc");

    // {{ .HTTPIP }} / {{ .HTTPPort }} are packer template variables for its built-in HTTP server
    $file = file_get_contents('http://{{ .HTTPIP }}:{{ .HTTPPort }}/config-class-gw.xml');
    if ($file === False) {
        echo 'Failed to load config';
        exit(1);
    }
    file_put_contents('/tmp/config.xml', $file);
    conf_mount_rw();
    config_restore('/tmp/config.xml');
    /* from /usr/local/www/diag_backup.php */
    touch('/conf/needs_package_sync_after_reboot');
    conf_mount_ro();
    ?>
Re: [pfSense] Restoring XML config file from URL at console
On 07/10/2016 12:09, Brian Candler wrote:
> I would like to be able to restore an XML config from a HTTP(S) URL at the console prompt. Is this possible?
>
> The use case is for a rapid rebuild of a node entirely at the console:
>
> * Run through the installer in express mode
> * Configure just vtnet0 as WAN (no additional config needed if DHCP is available)
> * Fetch XML config from URL
> * Reboot
>
> That's it. The new node is now fully prepared, with no need to configure the LAN interface or connect to the GUI.

Other use case: I am trying to set up an automated build of a pfSense VM. The VM builder tool I'm using (packer.io) can put the config file on a floppy disk image, or can serve it from a local http server.

I found this: https://doc.pfsense.org/index.php/Automatically_Restore_During_Install which is almost what I want, except (a) packer creates a floppy device (not usb); and (b) packer only puts files in the root directory.

As far as I can see, pfSense doesn't have a /dev/fd0 - nor does it have a loadable module for the floppy driver. I guess it's reasonable to minimise the image size by removing legacy hardware.

So really I need to pull the config XML via HTTP.

Regards, Brian.
[pfSense] Restoring XML config file from URL at console
I would like to be able to restore an XML config from a HTTP(S) URL at the console prompt. Is this possible?

The use case is for a rapid rebuild of a node entirely at the console:

* Run through the installer in express mode
* Configure just vtnet0 as WAN (no additional config needed if DHCP is available)
* Fetch XML config from URL
* Reboot

That's it. The new node is now fully prepared, with no need to configure the LAN interface or connect to the GUI.

The most convenient would be as a new option at the console menu: similar to "15) Restore recent configuration" but using a remote URL. However I'm happy to drop down either to the Linux shell or the PHP shell.

I can see that option 15 (/etc/rc.restore_config_backup) simply calls PHP function config_restore(file). And the main thing that function does is overwrite /config.xml

However, looking in diag_backup.php it looks like other things might be needed too, e.g.

    mark_subsystem_dirty("restore");
    touch("/conf/needs_package_sync_after_reboot");
    unlink config.cache
    stuff in /boot/loader.conf
    various stuff to do with m0n0wall config migration
    ... etc etc.

Maybe this code could be factored out into a helper function which could be invoked from the command line? Or is it safe simply to call config_restore() from the PHP shell, and then reboot?

Regards, Brian.
Re: [pfSense] Dynamic DNS and Route 53
On 11/03/2015 10:09, Tiernan OToole wrote:
> Any tips on checking this properly? How can I see what is being sent and received from the server?

I don't know about that (tcpdump perhaps), but here's how to check what's published in the DNS:

    $ dig +trace @8.8.8.8 tiernanotoolephotography.com. a

    ; <<>> DiG 9.8.3-P1 <<>> +trace @8.8.8.8 tiernanotoolephotography.com. a
    ; (1 server found)
    ;; global options: +cmd
    .                       2466    IN      NS      l.root-servers.net.
    .                       2466    IN      NS      h.root-servers.net.
    .                       2466    IN      NS      k.root-servers.net.
    .                       2466    IN      NS      i.root-servers.net.
    .                       2466    IN      NS      g.root-servers.net.
    .                       2466    IN      NS      j.root-servers.net.
    .                       2466    IN      NS      d.root-servers.net.
    .                       2466    IN      NS      a.root-servers.net.
    .                       2466    IN      NS      f.root-servers.net.
    .                       2466    IN      NS      b.root-servers.net.
    .                       2466    IN      NS      m.root-servers.net.
    .                       2466    IN      NS      e.root-servers.net.
    .                       2466    IN      NS      c.root-servers.net.
    ;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 51 ms

    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    ;; Received 506 bytes from 192.203.230.10#53(192.203.230.10) in 33 ms

    tiernanotoolephotography.com. 172800 IN NS ns-99.awsdns-12.com.
    tiernanotoolephotography.com. 172800 IN NS ns-718.awsdns-25.net.
    tiernanotoolephotography.com. 172800 IN NS ns-1318.awsdns-36.org.
    tiernanotoolephotography.com. 172800 IN NS ns-1983.awsdns-55.co.uk.
    ;; Received 214 bytes from 192.31.80.30#53(192.31.80.30) in 119 ms

    tiernanotoolephotography.com. 300    IN A  79.97.100.91
    tiernanotoolephotography.com. 172800 IN NS ns-1318.awsdns-36.org.
    tiernanotoolephotography.com. 172800 IN NS ns-1983.awsdns-55.co.uk.
    tiernanotoolephotography.com. 172800 IN NS ns-718.awsdns-25.net.
    tiernanotoolephotography.com. 172800 IN NS ns-99.awsdns-12.com.
    ;; Received 198 bytes from 205.251.197.38#53(205.251.197.38) in 6 ms

So to eliminate any local DNS caching as an issue, you should ask one of the four servers which is authoritative for your domain for the answer.

    $ dig +short +norec @ns-99.awsdns-12.com. tiernanotoolephotography.com. a
    79.97.100.91

This seems to match what you were expecting, so it appears to have worked now. If you have a client which is still resolving to the old address then flush its cache, and check there's no static hosts entry.

For OSX clients, you can flush their DNS cache like this:

    sudo killall -HUP mDNSResponder

For Linux clients running nscd, even restarting nscd won't flush the cache. You need to do:

    nscd --invalidate=hosts

For Windows clients, best to just reboot them :-)

Regards, Brian.
Re: [pfSense] VIPs : CARP vs IP Alias
I guess it's time for me to dig out the actual configurations to settle this.

* the box with a proxy ARP VIP is running pfSense-2.0.1. (OK, it's probably due an upgrade, but when things just work they tend to be left alone :-) The WAN address is x.x.x.x/6.28, and the proxy ARP virtual IP is x.x.x.7/32 (i.e. it *is* in the same subnet)

* the box with an IP alias VIP is pfSense-2.1. (Also due an upgrade :-) It is actually part of a failover pair. The WAN addresses are y.y.y.{229,230}/28 and the WAN-CARP interface is y.y.y.228/28. The IP Alias interface is y.y.y.238/28 and attached to the WAN-CARP interface. I think I did it this way so that the alias moved with the CARP master.

In both cases the alias is being used for NAT, and it's working fine, i.e. happily responding to ARP from upstream router.

The thing to note about the configuration is that the Proxy ARP VIP has a /32 netmask (so it only responds to one address) and the IP Alias VIP has a /28 netmask (to match the subnet it is aliased on)

Regards, Brian.
Re: [pfSense] VIPs : CARP vs IP Alias
On 09/03/2015 11:40, Espen Johansen wrote:
> if so a reboot of pfsense and router/modem should clear that up quickly

Unlikely. The problem is the ARP cache in the upstream router, and rebooting pfSense won't help that unless you have a direct ethernet connection to that router (in which case the link going down at layer 1 will probably clear the ARP cache on that interface upstream)
Re: [pfSense] VIPs : CARP vs IP Alias
On 09/03/2015 11:24, Espen Johansen wrote:
> As far as a true alias goes it is not implemented afaik. Try ifconfig in a shell and see if your aliases are listed as ips on the interface.

    wan_vip102: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
            inet y.y.y.228 netmask 0xfff0
            inet y.y.y.238 netmask 0xfff0
            carp: MASTER vhid 102 advbase 1 advskew 0

That's how FreeBSD works (i.e. ifconfig vm0 alias x.x.x.x/x). If you were expecting to see vm0:0, that's a Linux-ism.
Re: [pfSense] VIPs : CARP vs IP Alias
On 09/03/2015 10:34, Matthias May wrote:
> A CARP address has its own MAC. The IP alias shares the MAC of its parent interface.

Ah, good point.

> If you change this while running, your upstream routers/switches will have the wrong MAC address for your IP cached. Sending a GARP might help with this. Or simply wait for the caches to expire. (This can take a long time)

If it's a Cisco router upstream, its default ARP timeout is 4 hours :-(

An interesting workaround (untested) might be to keep the CARP interface on some unused/private IP address, and add the new VIP on the real IP address. This means your machine should still continue to accept frames on the old MAC address during the time it takes the upstream router to change over to the new one. After half a day it should be safe to remove the CARP interface.
Re: [pfSense] VIPs : CARP vs IP Alias
On 09/03/2015 10:47, Espen Johansen wrote:
> Actually you can't use proxy ARP as it has a limit affecting you. Proxy ARP IPs can't be in the same subnet. Sorry.

Are you sure? I have a pfsense box where it's working.

> What you really want is an alias IP on the interface and pfsense does not support this even if the underlying freebsd does this.

Are you sure? I have another pfsense box where that's working too.

> There was (is?) reasons for this but last time I tried to implement that was in 2006/2007

You don't think there's any possibility pfSense has changed or improved since then?
Re: [pfSense] VIPs : CARP vs IP Alias
On 09/03/2015 09:51, Bryan D. wrote:
> So it sounds like the IPsec and OpenVPN traffic would be such traffic?

IPSEC traffic is addressed *to* the firewall (at least the IKE stuff on udp 500 is, since it is received by strongswan/racoon). But the firewall already has a public IP address for IPSec.

Are you saying you want different clients' IPSEC tunnels to terminate on different public IP addresses on the firewall WAN side? That I've never tried, and I don't know if it's possible.
Re: [pfSense] VIPs : CARP vs IP Alias
On 09/03/2015 10:05, Chris L wrote:
> > Are you saying you want different clients' IPSEC tunnels to terminate on different public IP addresses on the firewall WAN side? That I've never tried, and I don't know if it's possible.
> It listens (binds) on whatever interface/VIP is specified in the Interface drop-down in the IPSec/OpenVPN config.

Sure: I was asking if the requirement is to have *multiple* IPSEC VIPs which are processed differently. If not, then why not just terminate IPSEC on the firewall's primary IP address?
Re: [pfSense] VIPs : CARP vs IP Alias
On 09/03/2015 10:10, Bryan D. wrote:
> Nope, it's a fully functioning setup (has been, in this form, for a few years) ... just wanted to switch off CARP VIPs since I'm not using failover. The only question is why won't IP Alias VIPs replace the CARP VIPs?

If these extra addresses belong on the firewall's outside (WAN) subnet, then they need to respond to ARP. As far as I can see, both Proxy ARP VIP and IP Alias VIP ought to work for this.

I have one firewall with a similar setup here (extra public IP for inbound NAT), and it uses a Proxy ARP VIP. And I have another firewall which is using an IP Alias VIP, in this case attached to a WAN-CARP interface. Both are working.

As long as all these NAT rules are attached to WAN interface, and your VIP is also attached to WAN interface, I can't see why it wouldn't work.

As others have said - changing the type while the firewall is running might break things. Possibly deleting it and then re-adding it would be better, but that's only a guess. If minimising downtime is important then simulate the configuration in a virtual environment first.

Regards, Brian.
Re: [pfSense] pfsense 2.2 Strongswan rekeying issues
On 25/02/2015 09:07, Brian Candler wrote:
> How does one prevent the plugin being loaded? I found these:
>
>     /etc/pfSense_md5.txt:MD5 (/usr/local/lib/ipsec/plugins/libstrongswan-unity.so) = 66080ad3f0fd624958e8307492f6488b
>     /etc/installed_filesystem.mtree:libstrongswan-unity.so \
>
> but I can't see code which says which plugins to load. Should I just move it out of the way and restart strongswan?

In the end I renamed libstrongswan-unity.so to libstrongswan-unity.so.orig and restarted. Confirmed that the module wasn't present using

    ipsec statusall | grep unity

It's now just over 3 days later and the tunnel has remained up all that time, so I think it's solved the problem, or at least, is a usable workaround.
Re: [pfSense] default firewall rules
On 28/02/2015 15:16, Randy Bush wrote:
> if i upgraded, can i cause it to switch to unbound?

Yes: pfSense 2.2 comes with unbound *instead of* bind. pfSense 2.1.x can have unbound installed as a package.
Re: [pfSense] pfsense 2.2 Strongswan rekeying issues
On 24/02/2015 21:44, Brian Candler wrote:
> Many thanks. I've made that change now and I'll see over the next few days if it stays up.

Unfortunately it didn't :-(

    2015 Feb 25 06:07:30 Group = X.X.X.219, IP = X.X.X.219, Error: dynamic map SYSTEM_DEFAULT_CRYPTO_MAP: * to any not permitted.
    2015 Feb 25 06:07:30 Group = X.X.X.219, IP = X.X.X.219, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.26.0.0/255.255.0.0/0/0 on interface outside
    2015 Feb 25 06:07:30 Group = X.X.X.219, IP = X.X.X.219, QM FSM error (P2 struct 0xcbf3d218, mess id 0xc9a0458c)!
    2015 Feb 25 06:07:30 Group = X.X.X.219, IP = X.X.X.219, Removing peer from correlator table failed, no match!

What I had done is:

* VPN > IPSec > Advanced settings
* Check "Disable Unity Plugin"
* Stop IPSEC service
* Start IPSEC service

And I can see this has been applied (except I've not rebooted the firewall):

    grep unity /var/etc/ipsec/strongswan.conf
    cisco_unity = no

> There was one person reporting that wasn't adequate, the plugin had to be not loaded at all, not just disabled like that.

How does one prevent the plugin being loaded? I found these:

    /etc/pfSense_md5.txt:MD5 (/usr/local/lib/ipsec/plugins/libstrongswan-unity.so) = 66080ad3f0fd624958e8307492f6488b
    /etc/installed_filesystem.mtree:libstrongswan-unity.so \

but I can't see code which says which plugins to load. Should I just move it out of the way and restart strongswan?

Regards, Brian.
Re: [pfSense] pfsense 2.2 Strongswan rekeying issues
On 24/02/2015 20:33, Chris Buechler wrote:
> That's this: https://redmine.pfsense.org/issues/4178
> disabling Unity on the Advanced tab, followed by a manual stop and start (not just restart) of strongswan may resolve that. There was one person reporting that wasn't adequate, the plugin had to be not loaded at all, not just disabled like that. I haven't yet had a chance to try to duplicate that circumstance.

Many thanks. I've made that change now and I'll see over the next few days if it stays up.

Regards, Brian.
Re: [pfSense] pfsense 2.2 Strongswan rekeying issues
Interestingly, if we kick the tunnel from the pfSense GUI, it negotiates both P1 and P2 successfully. pfSense log:

    Feb 24 14:06:42 charon: 07[ENC] generating QUICK_MODE request 1807616002 [ HASH ]
    Feb 24 14:06:42 charon: 07[IKE] CHILD_SA con1000{1} established with SPIs _i _o and TS 10.19.0.0/16|/0 === 10.26.0.0/16|/0
    Feb 24 14:06:42 charon: 07[IKE] con1000|48 CHILD_SA con1000{1} established with SPIs _i _o and TS 10.19.0.0/16|/0 === 10.26.0.0/16|/0
    Feb 24 14:06:42 charon: 07[ENC] parsed QUICK_MODE response 1807616002 [ HASH SA No ID ID ]
    Feb 24 14:06:42 charon: 07[NET] received packet: from Y.Y.Y.155[500] to X.X.X.219[500] (164 bytes)
    Feb 24 14:06:42 charon: 07[NET] sending packet: from X.X.X.219[500] to Y.Y.Y.155[500] (204 bytes)
    Feb 24 14:06:42 charon: 07[ENC] generating QUICK_MODE request 1807616002 [ HASH SA No ID ID ]
    (snip all the P1 negotiation)

However based on Nagios logs, after the tunnel has been up for pretty much exactly one hour, it drops out again. This would coincide with the P2 SA expiring and being re-negotiated.

It would be *really* helpful if the debug message "generating QUICK_MODE request" included the P2 parameters being requested, in the same way the CHILD_SA message does (TS 10.19.0.0/16|/0 === 10.26.0.0/16|/0), as according to the Cisco, it's asking for the wrong ones.

Regards, Brian.
Re: [pfSense] pfsense 2.2 Strongswan rekeying issues
We appear to have the same problem here after upgrading a box from pfSense 2.1.5 to 2.2. The other side is a Cisco ASA5505.

    X.X.X.219 = pfSense, internal subnet 10.19.0.0/16
    Y.Y.Y.155 = Cisco, internal subnet 10.26.0.0/16

Here is the log we get from the Cisco:

    2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Error: dynamic map SYSTEM_DEFAULT_CRYPTO_MAP: * to any not permitted.
    2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.26.0.0/255.255.0.0/0/0 on interface outside
    2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, QM FSM error (P2 struct 0xcc9648f8, mess id 0x4c6e71f9)!
    2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Removing peer from correlator table failed, no match!

From this, it looks pretty clear that the phase 2 request from pfSense is wrong: it is requesting 0.0.0.0/0 - 10.26.0.0/16, instead of 10.19.0.0/16 - 10.26.0.0/16

Here is the log from the pfSense side:

    Feb 24 13:20:03 charon: 08[IKE] received INVALID_ID_INFORMATION error notify
    Feb 24 13:20:03 charon: 08[IKE] con1000|42 received INVALID_ID_INFORMATION error notify
    Feb 24 13:20:03 charon: 08[ENC] parsed INFORMATIONAL_V1 request 3283507075 [ HASH N(INVAL_ID) ]
    Feb 24 13:20:03 charon: 08[NET] received packet: from Y.Y.Y.155[500] to X.X.X.219[500] (260 bytes)
    Feb 24 13:20:03 charon: 08[NET] sending packet: from X.X.X.219[500] to Y.Y.Y.155[500] (204 bytes)
    Feb 24 13:20:03 charon: 08[ENC] generating QUICK_MODE request 1282306553 [ HASH SA No ID ID ]
    Feb 24 13:20:03 charon: 14[KNL] creating acquire job for policy X.X.X.219/32|/0 === Y.Y.Y.155/32|/0 with reqid {1}

which basically just says that pfSense tried to negotiate phase 2 and the Cisco rejected it.

The output of "setkey -D -P" on pfSense currently looks reasonable: we have a number of other tunnels but it includes

    ...
    10.26.0.0/16[any] 10.19.0.0/16[any] any
            in ipsec
            esp/tunnel/Y.Y.Y.155-X.X.X.219/unique:1
            created: Feb 24 13:26:35 2015  lastused: Feb 24 13:44:50 2015
            lifetime: 9223372036854775807(s) validtime: 0(s)
            spid=912 seq=4 pid=18754
            refcnt=1
    ...
    10.19.0.0/16[any] 10.26.0.0/16[any] any
            out ipsec
            esp/tunnel/X.X.X.219-Y.Y.Y.155/unique:1
            created: Feb 24 13:26:35 2015  lastused: Feb 24 13:49:56 2015
            lifetime: 9223372036854775807(s) validtime: 0(s)
            spid=911 seq=0 pid=57004
            refcnt=1

I don't see any policies with 0.0.0.0/0 in them.

When the tunnels had failed to negotiate the SA appeared to still be there, although the time between 'created' and 'lastused' was more than 1 hour, so this may have been showing a stale SA.

This *is* reproducible, unfortunately reproducing several times per day :-( We need to manually kick the tunnel to get it to come up again.

When the tunnel is up, the Cisco shows:

    asa1# sh crypto ipsec sa peer X.X.X.219
    peer address: X.X.X.219
        Crypto map tag: outside_map0, seq num: 4, local addr: Y.Y.Y.155

          access-list outside_cryptomap_3 extended permit ip 10.26.0.0 255.255.0.0 10.19.0.0 255.255.0.0
          local ident (addr/mask/prot/port): (10.26.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.19.0.0/255.255.0.0/0/0)
          current_peer: X.X.X.219
    ...

The configuration in the pfSense GUI shows the tunnel with a single phase 2 entry (mode tunnel; local subnet 10.19.0.0/16; remote subnet 10.26.0.0/16; P2 Protocol ESP; P2 Transforms AES (128 bits), 3DES; P2 Auth Methods SHA1)

Regards, Brian.
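The diagnosis in this thread rests on reading the proxy identities out of the ASA's "Rejecting IPSec tunnel" line and comparing them with the traffic selectors charon reports when the tunnel does come up. The following added Python example (not code from the thread or from pfSense) automates that comparison over log lines: it converts the ASA's addr/mask/prot/port notation to a network, extracts the `TS a === b` pair from charon's CHILD_SA line, and flags any line whose selectors disagree with the configured phase 2. The sample lines are copied from the thread, with the charon timestamp separator restored; the expected subnets are the ones stated at the top of the post.

```python
"""Added example, not code from the thread: pulls the Phase 2 selectors out of
the Cisco ASA and strongSwan charon log lines quoted on this page and checks
them against the configured P2 entry, so a selector mismatch like the
0.0.0.0/0 proposal above is flagged automatically. The sample lines are copied
from the thread with the charon timestamp separator restored."""
import ipaddress
import re

# ASA proxy identity format: addr/mask/protocol/port
ASA_REJECT = re.compile(
    r"Rejecting IPSec tunnel: no matching crypto map entry for "
    r"remote proxy (?P<remote>\S+) local proxy (?P<local>\S+)")
# charon CHILD_SA line: "... TS <local>|/0 === <remote>|/0"
CHARON_TS = re.compile(r"TS (?P<local>[\d./]+)\|/\d+ === (?P<remote>[\d./]+)\|/\d+")


def asa_proxy_to_network(ident):
    """'10.26.0.0/255.255.0.0/0/0' -> IPv4Network('10.26.0.0/16')."""
    addr, mask, _proto, _port = ident.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_phase2(lines, pfsense_subnet, cisco_subnet):
    """Return one finding per log line whose selectors disagree with the
    configured P2 (pfsense_subnet <-> cisco_subnet). Empty list = all good."""
    want_pf = ipaddress.ip_network(pfsense_subnet)
    want_cisco = ipaddress.ip_network(cisco_subnet)
    findings = []
    for line in lines:
        m = ASA_REJECT.search(line)
        if m:
            # From the ASA's point of view "remote proxy" is what pfSense proposed.
            proposed_pf = asa_proxy_to_network(m["remote"])
            proposed_cisco = asa_proxy_to_network(m["local"])
            if (proposed_pf, proposed_cisco) != (want_pf, want_cisco):
                findings.append(
                    f"ASA rejected P2: proposed {proposed_pf} <-> {proposed_cisco}, "
                    f"configured {want_pf} <-> {want_cisco}")
            continue
        m = CHARON_TS.search(line)
        if m:
            ts = (ipaddress.ip_network(m["local"]), ipaddress.ip_network(m["remote"]))
            if ts != (want_pf, want_cisco):
                findings.append(f"charon negotiated unexpected TS {ts[0]} === {ts[1]}")
    return findings


# Sample lines copied from the thread (charon timestamp separator restored).
SAMPLE_LINES = [
    "2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy "
    "10.26.0.0/255.255.0.0/0/0 on interface outside",
    "Feb 24 14:06:42 charon: 07[IKE] CHILD_SA con1000{1} established with SPIs _i _o "
    "and TS 10.19.0.0/16|/0 === 10.26.0.0/16|/0",
]

if __name__ == "__main__":
    for finding in check_phase2(SAMPLE_LINES, "10.19.0.0/16", "10.26.0.0/16"):
        print(finding)
```

Run against the two sample lines it reports exactly one finding, for the ASA rejection with the 0.0.0.0/0 proposal, and nothing for the charon line whose selectors match the configured P2; feeding it a syslog tail from both sides is enough to spot the hourly rekey failure without reading the logs by hand.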
Re: [pfSense] Migrating from /32 + /29 to just /29
On 12/06/2014 23:06, Jon Gerdes wrote:
> My new ISP only provides a /29 from which WAN always gets the first one via PPPoE. I put the second address from the /29 onto an interface and the remaining four onto my externally facing systems.

You should be able to use the same IP address for both WAN and LAN (Cisco calls this 'unnumbered': your PPP interface is using the IP address from another interface)

    192.0.2.1    = WAN interface of firewall
    192.0.2.1/29 = LAN interface of firewall
    192.0.2.2..6 = other devices

This saves the provider burning a /32 for the WAN (or even a /30 point-to-point subnet, old skool)

Regards, Brian.

___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] Dependencies on older packages?
I went to install wget on a pfsense (*2.1-RELEASE*) box, and I got this:

    # pkg_add -r wget
    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/wget.tbz... Done.
    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/pkg-config-0.25_1.tbz... Done.
    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/libidn-1.22.tbz... Done.
    pkg_add: warning: package 'libidn-1.22' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
    pkg_add: warning: package 'libidn-1.22' requires 'gettext-0.18.1.1', but 'gettext-0.18.3' is installed
    pkg_add: warning: package 'wget-1.13.4_1' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
    pkg_add: warning: package 'wget-1.13.4_1' requires 'gettext-0.18.1.1', but 'gettext-0.18.3' is installed

It seems that the wget package is out of date, as it depends on older versions of packages than the ones already installed. Is this to be expected?

The only other package I had installed was iperf (via the GUI).

Thanks,

Brian.
Re: [pfSense] ICMPv6 filtering recommendations with pfSense?
On 08/05/2014 11:51, Olivier Mascia wrote:
> On the WAN interface, I'm currently allowing full ICMPv6 in, albeit only from Global Unicast and Multicast addresses. That is: only from 2000::/3 and ff00::/8.

I don't think you'll see any packets with multicast source addresses. It's possible you could see packets with Link-Local source addresses (fe80::/64) from the upstream router, but you may not care.
Re: [pfSense] pfSense 2.1.2 is released
On 15/04/2014 20:12, Jim Thompson wrote:
> We dropped the price, too.
>
> -- Jim

Which price are you referring to? I see that a support subscription is now $200 for 2 hours plus $200 per extra hour. The one my client purchased a couple of months ago was $600 for 5 hours and (I think) $100 per extra hour.

That doesn't sound like a price drop to me :-)
Re: [pfSense] Odd symptoms from embedded 2.1-RELEASE
On 20/03/2014 18:24, Ryan Coleman wrote:
> I put the device that was working from home last night on the network with the configuration unchanged and it's working again.
>
> Is this a situation I need to consider using CARP for?

I'd say definitely not. CARP is for handling total hardware failures (link stops responding). If the software misbehaves, then it will just misbehave.
Re: [pfSense] Proxy filter
On 20/03/2014 19:37, A Mohan Rao wrote:
> Ok. Actually I have 600 internet users and I have a 22 Mbps leased line. I'm not giving any users full permission, but some users go out of their way with lots of free proxy sites to download videos or movies; that's why I need to watch those users' https and ftp traffic.

Consider what are the problems you are trying to solve:

* Some people are using excessive amounts of limited resources (bandwidth)
* Some people are using the network for purposes not related to their work or studies
* Some people are using the network for undesirable or maybe even illegal activities

What you need is called an AUP - Acceptable Use Policy. In that you define:

* What users are allowed and are not allowed to do
* That they consent to their use being monitored and logged
* What the consequences of failing to comply are

For example if this is a university environment, you can say that their access may be suspended or withdrawn, and that they may also be subject to the university disciplinary procedure, up to and including expulsion.

All users need to read (and preferably sign) this document. They can do this as part of getting access, e.g. at enrollment time.

Then you monitor your users. There are a bunch of different tools for this: my favourite is Netflow, which together with collection tools (e.g. nfdump and nfsen) can quickly identify, say, the top 10 bandwidth hogs on your network over a chosen time range, and then lets you drill down into the detail of exactly what they were doing, in terms of the network addresses and ports they were communicating with. Another is Snort, which can identify suspicious activity like virus-infected machines and bittorrent. (There are legitimate uses for bittorrent of course - but your Netflow data will tell you how much they were uploading or downloading, and you can investigate further)

If this is an open computer lab, then maybe a bit of shoulder surfing will do the trick.

Finally, you need to be able to associate traffic on an IP address with an individual. If you can get users to login to the network before they use it, e.g. using a captive portal, or WPA Enterprise on wireless, that's ideal. Or if they are logging into an Active Directory domain that may give you the information you need. Using ARP and bridge forwarding tables, you can identify an IP address down to which physical port they are plugged into.

Ultimately this is an issue of behaviour and discipline, not technology. A firewall can't decide what's acceptable or not. And as you've found yourself, any technology blocks you put in place will be circumvented by those clever enough, whilst inconveniencing the rest of your users.

Regards,

Brian.
Re: [pfSense] http://pfsense.org/ip.php and wget
On 19/03/2014 09:15, Stefan Baur wrote:
> On 19.03.2014 10:09, Stefan Baur wrote:
>> Hi List,
>>
>> is there a particular reason why wgetting http://pfsense.org/ip.php gives a blank result? Works just fine when using a regular GUI browser like Firefox, but not on the command line with wget.
>
> Oh. I just noticed it's redirecting to https, and wget throws this error:
>
> ERROR: The certificate of `www.pfsense.org' is not trusted.
>
> What do I have to install to make it work?

Depends what platform you are running wget on. On OSX,

    wget https://pfsense.org/ip.php

works fine for me. That's with wget 1.15.

    openssl s_client -connect pfsense.org:443

will show you what certificate it has (it's GlobalSign)

If you are using an Ubuntu/Debian flavour of Linux, then check you have the ca-certificates package installed, and that /etc/ssl/certs contains a bunch of symlinks.

Then, check if wget https://dropbox.com/ is accepted but wget https://pfsense.org/ is not. That's a problem I can replicate with Debian Wheezy. I find that

    openssl s_client -CApath /etc/ssl/certs -connect pfsense.org:443

is happy, so my guess is it's a problem with wget 1.13.4 - maybe it doesn't do SNI. In that case, the solution is to change to a less broken client. Try:

    apt-get install curl
    curl https://pfsense.org/ > index.html

which works for me.

By the way: pfsense.org has a record but refuses connections on port 443 on IPv6.

    $ telnet pfsense.org 443
    Trying 2610:160:11:11::69...
    telnet: connect to address 2610:160:11:11::69: Connection refused
    Trying 208.123.73.69...
    Connected to pfsense.org.

Regards,

Brian.
Re: [pfSense] Fwd: Firewall Log
On 19/03/2014 11:59, Brian Caouette wrote:
> Original Message
> Subject: Firewall Log
> Date: Thu, 13 Mar 2014 12:48:33 -0400
> From: Brian Caouette bri...@dlois.com
> To: pfSense support and discussion list@lists.pfsense.org
>
> Also seeing this in the log:
>
>     Mar 13 11:37:36 WAN 0.0.0.0:68 255.255.255.255:67 UDP
>     Mar 13 11:37:35 WAN 0.0.0.0:68 255.255.255.255:67 UDP
>     Mar 13 11:37:34 WAN 0.0.0.0:68 255.255.255.255:67 UDP
>     Mar 13 10:38:46 WAN 0.0.0.0:68 255.255.255.255:67 UDP
>     Mar 13 10:38:44 WAN 0.0.0.0:68 255.255.255.255:67 UDP
>     Mar 13 10:38:43 WAN 0.0.0.0:68 255.255.255.255:67 UDP
>     Mar 13 09:58:24 WAN 0.0.0.0:68 255.255.255.255:67 UDP
>     Mar 13 09:58:23 WAN 0.0.0.0:68 255.255.255.255:67 UDP

That's some device on the WAN network sending DHCP broadcasts, and getting no response. Maybe something like a switch which hasn't been configured with a management IP address.

You can add some reject-without-log rules at the end of your ruleset to silence these logs. Or you can identify the offending device (e.g. find its MAC address from tcpdump -e) and correct its config.
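As an added example that is not part of the thread, here is a small Python script applying the diagnosis above to firewall log lines of the shape quoted: it picks out the client-side DHCP broadcasts (0.0.0.0:68 to 255.255.255.255:67 over UDP) per interface and groups them into retry bursts, which is the signature of a device that never receives an answer. The sample lines are the eight from the post plus two constructed non-DHCP lines; the function names and the five-second burst window are my own choices.

```python
import re
from datetime import datetime

# Sample input: the eight WAN lines quoted in the post plus two constructed
# non-DHCP lines, so that the filter has something to ignore.
SAMPLE_LOG = """\
Mar 13 11:37:36 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 11:37:35 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 11:37:34 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 10:38:46 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 10:38:44 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 10:38:43 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 10:38:44 LAN 192.168.1.20:51515 8.8.8.8:53 UDP
Mar 13 09:58:24 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 09:58:23 WAN 0.0.0.0:68 255.255.255.255:67 UDP
Mar 13 09:58:23 WAN 203.0.113.9:4444 198.51.100.5:22 TCP
"""

# "Mon DD HH:MM:SS IFACE SRC:SPORT DST:DPORT PROTO" as in the quoted log
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year is not logged
        events.append(ev)
    return events


def is_dhcp_client_broadcast(ev):
    """A host with no address yet asking for one: 0.0.0.0:68 -> 255.255.255.255:67/UDP."""
    return (ev["proto"] == "UDP" and ev["src"] == "0.0.0.0" and ev["sport"] == "68"
            and ev["dst"] == "255.255.255.255" and ev["dport"] == "67")


def dhcp_bursts(events, gap_seconds=5):
    """Group DHCP client broadcasts per interface into retry bursts.

    Consecutive broadcasts closer together than gap_seconds are one burst (a
    client retrying); a new burst starts after a longer silence.
    Returns {iface: [(first_ts, last_ts, count), ...]}.
    """
    per_iface = {}
    wanted = sorted((e for e in events if is_dhcp_client_broadcast(e)), key=lambda e: e["ts"])
    for ev in wanted:
        bursts = per_iface.setdefault(ev["iface"], [])
        if bursts and (ev["ts"] - bursts[-1][1]).total_seconds() <= gap_seconds:
            first, _, n = bursts[-1]
            bursts[-1] = (first, ev["ts"], n + 1)
        else:
            bursts.append((ev["ts"], ev["ts"], 1))
    return per_iface


def summarize(text, gap_seconds=5):
    """Per interface: how many unanswered broadcasts, in how many bursts."""
    summary = {}
    for iface, bursts in dhcp_bursts(parse_log(text), gap_seconds).items():
        summary[iface] = {
            "broadcasts": sum(n for _, _, n in bursts),
            "bursts": len(bursts),
            "retry_counts": [n for _, _, n in bursts],
        }
    return summary


if __name__ == "__main__":
    for iface, info in summarize(SAMPLE_LOG).items():
        print("%s: %d DHCP client broadcasts in %d bursts %s"
              % (iface, info["broadcasts"], info["bursts"], info["retry_counts"]))
```

Repeated bursts with no corresponding reply on the same interface point at a device that is configured for DHCP on a segment with no server; the MAC address from tcpdump -e, as the post says, is what identifies it.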
Re: [pfSense] Odd symptoms from embedded 2.1-RELEASE
On 19/03/2014 18:17, Ryan Coleman wrote:
> 95% of HTTP traffic does not pass. In fact if you load Yahoo.com it stalls when it hits a new hostname (s.yimg.com, for example, as part of their CDN).

A couple of things spring to mind.

(1) MTU problem / PMTU discovery / blocked ICMP

It could be that the remote host is trying to send you 1500-byte datagrams, but some intervening host is blocking them and either not sending back ICMP fragmentation-needed, or ICMP is being blocked.

Difficult to prove without being able to tcpdump on the far end. If you happen to have access to a remote web server (e.g. a free virtual machine in EC2 with Apache installed) and can replicate the problem to that webserver, and do a tcpdump at that side, and you see the same TCP packet being re-sent repeatedly at increasing intervals - that would prove it.

Another way to test it is to manually configure the browser machine with a lower MTU, say 1400, and see if that makes the problem go away.

However, this doesn't explain why mail and the like are unaffected.

(2) Transparent web proxy inline

Some upstream inline web proxy is present, intercepting your port 80 traffic, but it is broken. This is relatively unusual these days.

The way I would test:

    telnet news.bbc.co.uk 80
    GET / HTTP/1.0
    Host: www.google.com
    <hit enter>

If you get back the BBC response (which is a redirect to http://www.bbc.co.uk/news/) then you probably don't have a cache inline. If you get back the google response, then you have a transparent cache in the way.

> Restoring settings doesn't resolve the issue under any circumstances, it requires a new image.

That is, if you re-image the board, and then restore the XML, it starts working again?? Then I have no idea :-)

Regards,

Brian.
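The Host-header test described above, as an added example that is not part of the thread: a Python client that sends the same mismatched request (GET / with Host: www.google.com) over a raw socket and classifies the reply, run against two constructed local HTTP servers, one that behaves like an origin that ignores Host and redirects to http://www.bbc.co.uk/news/, and one that behaves like a transparent cache that routes on the Host header. The servers, the function names and the classification strings are assumptions made for the demonstration; the telnet session in the post is the real test.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Where the real origin in the post redirects to; used as the "direct" marker.
ORIGIN_REDIRECT = "http://www.bbc.co.uk/news/"


def make_handler(behaves_like_proxy):
    """Constructed server behaviour. An origin ignores the Host header and always
    answers for itself; a transparent cache picks the upstream from Host."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.0"

        def do_GET(self):
            host = self.headers.get("Host", "")
            if behaves_like_proxy and host == "www.google.com":
                body = b"<html>stand-in for google</html>"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(301)
                self.send_header("Location", ORIGIN_REDIRECT)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_server(behaves_like_proxy):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(behaves_like_proxy))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(ip, port, host_header, timeout=5):
    """Send the same bytes one would type into telnet and parse the reply.
    Returns (status_code, {header: value}, body_bytes)."""
    request = ("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host_header).encode()
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(status, headers):
    """Did the TCP destination answer, or did something route on the Host header?"""
    if status in (301, 302) and headers.get("location", "").startswith(ORIGIN_REDIRECT):
        return "direct: origin answered, no transparent proxy seen"
    return "transparent proxy suspected: reply follows the Host header, not the TCP destination"


def probe(ip, port):
    status, headers, _ = raw_get(ip, port, "www.google.com")
    return classify(status, headers)


def demo():
    """Probe both constructed servers; returns {'origin': ..., 'intercepted': ...}."""
    results = {}
    for label, proxy_like in (("origin", False), ("intercepted", True)):
        srv = start_server(proxy_like)
        try:
            results[label] = probe("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-12s %s" % (label, verdict))
```

Against a real target you would call probe() with the origin's address and port 80; only the two local stand-ins are needed to run it offline.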
[pfSense] screen package for pfsense
Is there a screen package for pfsense? Can I just take an off-the-shelf FreeBSD package?

This would be really useful, e.g. if I need to leave a tcpdump running for a few hours to capture traffic to/from a particular host.

Regards,

Brian.
Re: [pfSense] hardware recommendation -- something with POE
> Just curious -- is there a pfsense platform (not too expensive) that has one or two POE ports 802.1af?

(Presumably to power other devices, not to *be* powered by 802.1af?)

If you don't mind a two-box solution, then the Netgear GS110TP switch works well for me. 8 ports of PoE plus 2 ports SFP; metal case; recent firmware (5.4.2.10) supports management over IPv6.

Maybe pfsense will get ported to the ubiquiti EdgeRouter POE - there is talk of it being ported to the EdgeRouter Lite.

http://www.ubnt.com/edgemax#edge-router-poe
[pfSense] Are WAN rules needed for ISAKMP and ESP?
Is it necessary to add explicit rules to allow inbound ISAKMP (UDP 500) and ESP (IP protocol 50) on the WAN interface?

I had a problem with pfsense 2.0.1 failing to accept sessions initiated by a Cisco ASA5505. tcpdump showed the ASA was sending ISAKMP phase 1 and pfsense was not replying. I added a rule to allow UDP 500 in and after that it worked. Is the same required for ESP?

Does pfsense 2.1 also require this? I have a new site with pfsense 2.1 which hasn't shown this problem (yet), but that could just be through luck.

Thanks,

Brian.
[pfSense] What's full-duplex,master as media status?
I have a pair of Dell R210's running pfsense 2.1

On the dashboard, one of them sometimes shows full-duplex,master which after a few seconds changes to full-duplex (without the trailing angle-bracket). This is on the slave box so it's carp BACKUP.

    # ifconfig bce1
    bce1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether xx:xx:xx:xx:xx:xx
        inet ppp.pp.pp.230 netmask 0xfff0 broadcast ppp.pp.pp.239
        inet6 fe80:::xxff:fexx:%bce1 prefixlen 64 scopeid 0x4
        inet6 x:x:x:x::x prefixlen 64
        nd6 options=1<PERFORMNUD>
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active

    # ifconfig | grep -i carp
        carp: BACKUP vhid 101 advbase 1 advskew 100
        carp: BACKUP vhid 102 advbase 1 advskew 100
        carp: BACKUP vhid 201 advbase 1 advskew 100
        carp: BACKUP vhid 202 advbase 1 advskew 100
        carp: BACKUP vhid 100 advbase 1 advskew 100
        carp: BACKUP vhid 200 advbase 1 advskew 100

All the other interfaces show only full-duplex, as do all the interfaces on the master pfsense box.

Can someone tell me what's going on? And also why does the web interface truncate the ,master part off after a few seconds?

Thanks,

Brian.
Re: [pfSense] can ping gateway on link
On 24/02/2014 22:31, David Burgess wrote:
>> You do have an interface on the same subnet as 10.1.0.253, and its state is UP? Does netstat -rn show a route to this network?
>
> Yes:
>
>     netstat -rn | grep 10.1.0
>     10.1.0.0/24         link#9          U       0     8799  em0_vl
>     10.1.0.253          10.1.0.253      UGHS    0    26448  em0_vl
>     10.1.0.254          link#9          UHS     0        0  lo0
>     10.2.0.0/16         10.1.0.253      UGS     0       21  em0_vl
>     10.3.0.0/16         10.1.0.253      UGS     0       35  em0_vl
>     10.3.0.254          10.1.0.253      UGHS    0     1233  em0_vl
>     69.165.225.240/28   10.1.0.253      UGS     0      480  em0_vl

This looks wrong. I don't see why destination 10.1.0.253 has a static route to 10.1.0.253.

For comparison, here's a pfSense 2.1 machine I manage whose IP address is 10.0.99.2, CARP 10.0.99.1, and has recently pinged 10.0.99.21

    netstat -rn | grep 10.0.99; arp -an | grep 10.0.99
    10.0.99.0/24        link#3          U       0  1637850  bce0
    10.0.99.1           link#10         UH      0        0  lan_vi
    10.0.99.2           link#3          UHS     0        0  lo0
    ? (10.0.99.2) at xx:xx:xx:xx:xx:xx on bce0 permanent [ethernet]
    ? (10.0.99.21) at yy:yy:yy:yy:yy:yy on bce0 expires in 1187 seconds [ethernet]

That's on its LAN side. On its WAN side:

    netstat -rn | grep ppp.pp.pp; arp -an | grep ppp.pp.pp
    default             ppp.pp.pp.225   UGS     0   960003  bce1
    ppp.pp.pp.128/26    127.0.0.1       US      0        0  lo0
    ppp.pp.pp.224/28    link#4          U       0    61869  bce1
    ppp.pp.pp.228       link#11         UH      0        0  wan_vi
    ppp.pp.pp.229       link#4          UHS     0        0  lo0
    ? (ppp.pp.pp.229) at xx:xx:xx:xx:xx:xx on bce1 permanent [ethernet]
    ? (ppp.pp.pp.225) at yy:yy:yy:yy:yy:yy on bce1 expires in 30 seconds [ethernet]
    ? (ppp.pp.pp.226) at zz:zz:zz:zz:zz:zz on bce1 expires in 1113 seconds [ethernet]

You can see that the default route (ppp.pp.pp.225) does not appear as a separate entry in the forwarding table.

Regards,

Brian.
Re: [pfSense] can ping gateway on link
On 25/02/2014 13:58, David Burgess wrote:
> After some playing with it I've learned a few things. The gateway groups appear to be irrelevant to my problem. Setting a gateway as DNS server breaks the system. Reversing the setting doesn't fix the problem because the self-referring route remains.

Ah. I imagine pfsense is trying to be helpful by adding a static route to the DNS server via that link, so that it's always reachable (even when defaultroute is not pointing that way). However it is not helpful if the DNS server happens to *be* the gateway :-)

Sounds like a bug to report. I think the solution is not to add the static route if the DNS server is already on the same subnet as the link.

> I tried deleting the route in the shell but I got an error that the route doesn't exist. It's possible I got the syntax wrong: 'route del 10.1.0.253 gw 10.1.0.253'.

No gw I believe. That's a Linux-ism.

> As a bonus, when I was doing this, the default route didn't come up properly after the reboot. Fortunately for me, the 10.1.0.253 route was working at that point so I was able to come in the back door. This is what I saw:
>
>     netstat -rn | grep pppoe0
>     0.0.0.0        0x4c0abf06   69.165.224.55   US   0    0  pppoe0
>     76.10.191.6    link#18                      UH   0   10  pppoe0

What you have there is a non-contiguous netmask, a long time since I saw one of those :-)

    0x4c0abf06 = 76.10.191.6

So this is a route to address 0.0.0.0 netmask 76.10.191.6. No idea how you got it. I didn't think PPP IPCP could set a netmask, in which case you can't blame the far end.

> I was able to ping the gateway, but nothing beyond it. Restarting the pppoe session brought the default route up properly. I'm assuming this was a one-off error and not related to the current topic of discussion.

I think you're right.

Regards,

Brian.
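The netmask arithmetic above, as an added example that is not part of the thread: a few Python helpers that convert the hex mask netstat printed into dotted-quad form, test whether a mask is a contiguous run of ones (the property 0x4c0abf06 violates), derive the prefix length when it is, and audit a list of (destination, netmask) rows for bogus masks. The function names and the sample rows are constructed for the demonstration.

```python
import ipaddress


def _as_int(mask):
    """Accept '0x4c0abf06', '255.255.255.240' or an int; return the 32-bit value."""
    if isinstance(mask, int):
        return mask & 0xFFFFFFFF
    mask = mask.strip()
    if mask.lower().startswith("0x"):
        return int(mask, 16)
    return int(ipaddress.IPv4Address(mask))


def hex_mask_to_dotted(mask):
    """0x4c0abf06 -> '76.10.191.6' (the conversion done by hand in the reply)."""
    return str(ipaddress.IPv4Address(_as_int(mask)))


def is_contiguous_mask(mask):
    """A valid netmask is a run of 1 bits followed by a run of 0 bits.

    Inverting such a value gives 0...01...1; adding 1 then yields a power of
    two, so (inv & (inv + 1)) == 0. Any 1 bit after a 0 bit breaks that.
    """
    inv = (~_as_int(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def mask_prefix_length(mask):
    """Prefix length of a contiguous mask, e.g. 0xfffffff0 -> 28."""
    if not is_contiguous_mask(mask):
        raise ValueError("%s is not a contiguous netmask" % mask)
    return bin(_as_int(mask)).count("1")


def audit_routes(rows):
    """rows: (destination, netmask) pairs as netstat -rn shows them when a route
    carries an explicit netmask column. Returns one message per bogus mask."""
    problems = []
    for dest, mask in rows:
        if not is_contiguous_mask(mask):
            problems.append("%s netmask %s (%s) is not a contiguous netmask"
                            % (dest, mask, hex_mask_to_dotted(mask)))
    return problems


# Constructed rows in the shape of the quoted netstat output: the broken default
# route from the thread plus a healthy /28.
SAMPLE_ROUTES = [("0.0.0.0", "0x4c0abf06"), ("69.165.225.240", "0xfffffff0")]

if __name__ == "__main__":
    for msg in audit_routes(SAMPLE_ROUTES):
        print(msg)
    print("0xfffffff0 is /%d" % mask_prefix_length("0xfffffff0"))
```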
Re: [pfSense] [v2.1] configuring OPT1 as hosted services firewall?
On 24/02/2014 01:46, Ryan Coleman wrote:
> I think the "wiser" solution is to spin up another firewall for the shared services and give it all 4 IPs (.2-.5)

I don't see a particular reason to do this, unless you want to delegate administration of the ruleset for those IPs to someone else.
Re: [pfSense] can ping gateway on link
On 24/02/2014 21:56, David Burgess wrote:
>     [2.1-RELEASE][root@pfsense]: ping 10.1.0.253
>     PING 10.1.0.253 (10.1.0.253): 56 data bytes
>     ping: sendto: Invalid argument

Do you see anything in 'dmesg' when you do this?

You do have an interface on the same subnet as 10.1.0.253, and its state is UP? Does netstat -rn show a route to this network?

You don't have static ARP entries configured?

https://forum.pfsense.org/index.php?topic=65165.0
Re: [pfSense] [v2.1] configuring OPT1 as hosted services firewall?
On 22/02/2014 01:13, Ryan Coleman wrote:
> I'm moving away from single server design on my ESXi box to dedicated guests for each service but I cannot seem to get those dedicated services through the firewall.
>
> I have a 29bit subnet (IPs 1 through 5). Everything is internal to the ESXi (5.1) server.
>
> .1 = pfSense Firewall
> .2 = OPT1 interface on pfSense
> .3 = Customer VM (will port over to OPT2 after this works)
> .4 = All-in-one hosted VM
> .5 = Same All-in-one hosted VM
>
> I am going to eliminate .4 and .5 as I pull specific services out and into VMs (I've already moved the basic part of the FTP, the entire SQL server and LDAP to internal systems).

It's not clear to me how the all-in-one hosted VMs are connected, and how this /29 subnet is connected.

Is this /29 subnet the LAN side of your pfSense firewall? In that case, do you have a different IP address on the WAN interface? Is this /29 subnet public IPs, or private and you are using NAT?

Once that's clear, we can decide how to separate out the services onto different VMs. There are a few straightforward observations to make though:

1. If you want dedicated guests for each service, then each guest needs its own IP address.
2. If you don't have enough IP addresses in your existing network, then you need more addresses, or NAT with private addresses.
3. If you want these dedicated guests to be *behind* the firewall then they need to be on a different subnet, so that traffic is routed through the firewall.

So, let me pencil out one of the possibilities for what you're trying to do. It might look like this:

    ---+---------- 192.0.2.0/29      # external public IPs
       |.1
       |WAN
     pfSense
       |LAN
       |.1
    ---+-+-+-+---- 192.168.0.0/24
         | | |
        VMs .2 .3 .4 etc

For NAT, you could configure 1:1 NAT between (say) 192.0.2.4 on the WAN side and 192.168.0.4 on the LAN side. Or, if you need to share the 192.0.2.4 address so that various different services hit different VMs on the LAN side, then you'd use port forwarding instead.

But I cannot see why this should require any re-architecting of your network or your firewall, over and above what you already have. In particular it should not require any OPT1 or OPT2 interface to be created, unless you want to put the VMs on different subnets behind the firewall; and you'd only want to do that if you want to block VM-to-VM traffic, which might be the case if the VMs belong to different customers.

So if you *do* want to do that, then you'll need separate subnets for OPT1 and OPT2, say 192.168.1.0/24 and 192.168.2.0/24. The pfSense firewall will have an IP address on each of them.

As has been pointed out already, you definitely don't want your OPT1 IP address to be in the same range as either the LAN or WAN subnets. Each interface must be in a separate subnet. This is just how IP routing works.

Regards,

Brian.
Re: [pfSense] [v2.1] configuring OPT1 as hosted services firewall?
On 22/02/2014 20:43, Brian Candler wrote:
> As has been pointed out already, you definitely don't want your OPT1 IP address to be in the same range as either the LAN or WAN subnets. Each interface must be in a separate subnet. This is just how IP routing works.

What may have caused confusion is the proxy ARP magic which goes along with NAT, if the NAT public address is on the same subnet as the firewall's WAN interface.

Let's say the pfsense firewall's WAN address is 192.0.2.1/29, and its LAN address is 192.168.0.1/24. You have a VM connected to the firewall's LAN interface on 192.168.0.2. You could then set up 1:1 NAT between 192.0.2.2 and 192.168.0.2.

When an incoming packet arrives for 192.0.2.2, the firewall accepts the packet on the WAN interface *as if it were for itself*. It then translates the destination address to 192.168.0.2 and re-sends it out of the LAN interface.

You could then do the same thing to map 192.0.2.3 to a private address which is on the OPT1 network if you wanted. That VM really exists on the OPT1 network (say 192.168.1.5), but incoming traffic is addressed to a public IP on the WAN side of the network.

So you might be tempted to say that 192.0.2.3 is the public IP of the OPT1 network, but it isn't. It's a public IP on the WAN side, which gets translated to some particular address on the OPT1 interface.

Indeed, using port forwarding NAT, one address could be shared between different VMs, which could be on different networks. You might for example port-forward 192.0.2.3 port 80 to 192.168.1.5 on the OPT1 interface, and forward 192.0.2.3 port 21 to 192.168.2.7 on the OPT2 interface.

Hope this doesn't make it any more confusing :-)

Regards,

Brian.
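An added example, not part of the thread, covering both the rule from the previous message (every interface in its own subnet) and the translation described in this one: a Python model of the topology using the addresses from the two posts (192.0.2.1/29 on WAN, 192.168.0.0/24 on LAN, 192.168.1.0/24 and 192.168.2.0/24 on OPT1/OPT2, the 1:1 mapping 192.0.2.2 to 192.168.0.2 and the two port forwards on 192.0.2.3). It checks the interface subnets for overlap, lists the WAN-side addresses the firewall has to answer ARP for, and decides where an inbound packet ends up after NAT. The interface table, the mapping tables and the function names are assumptions for the demonstration, not pfSense's own data structures.

```python
import ipaddress

# Constructed topology from the two posts (assumed, not a real configuration)
INTERFACES = {
    "WAN":  ipaddress.ip_interface("192.0.2.1/29"),
    "LAN":  ipaddress.ip_interface("192.168.0.1/24"),
    "OPT1": ipaddress.ip_interface("192.168.1.1/24"),
    "OPT2": ipaddress.ip_interface("192.168.2.1/24"),
}

# 1:1 NAT: a whole public address maps to one inside host (all ports)
ONE_TO_ONE = {"192.0.2.2": "192.168.0.2"}

# Port forwards: one public address shared by services on different inside networks
PORT_FORWARDS = {
    ("192.0.2.3", "tcp", 80): ("192.168.1.5", 80),
    ("192.0.2.3", "tcp", 21): ("192.168.2.7", 21),
}


def with_interface(name, cidr, ifaces=INTERFACES):
    """Copy of the interface table with one entry replaced (for what-if checks)."""
    new = dict(ifaces)
    new[name] = ipaddress.ip_interface(cidr)
    return new


def overlapping_interfaces(ifaces):
    """Pairs of interfaces whose subnets overlap. Must be empty, or the kernel
    cannot tell which interface a destination belongs to."""
    names = list(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]


def interface_for(ip, ifaces):
    """Which directly connected network an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for name, itf in ifaces.items():
        if addr in itf.network:
            return name
    return None


def proxy_arp_addresses(ifaces):
    """WAN-side addresses the firewall must answer ARP for: every NAT public
    address that lies inside the WAN subnet and is not the WAN interface itself."""
    wan = ifaces["WAN"]
    public = set(ONE_TO_ONE) | {key[0] for key in PORT_FORWARDS}
    return sorted(ip for ip in public
                  if ipaddress.ip_address(ip) in wan.network
                  and ipaddress.ip_address(ip) != wan.ip)


def translate_inbound(dst_ip, proto, dport, ifaces=INTERFACES):
    """Where a packet arriving on WAN for dst_ip:dport is delivered after NAT.
    Returns (inside_ip, inside_port, egress_interface), or None if no rule matches
    (the packet is then judged against the WAN ruleset as traffic to the firewall)."""
    if interface_for(dst_ip, ifaces) != "WAN":
        return None                      # not one of the public addresses we front
    if dst_ip in ONE_TO_ONE:
        inside, port = ONE_TO_ONE[dst_ip], dport
    elif (dst_ip, proto, dport) in PORT_FORWARDS:
        inside, port = PORT_FORWARDS[(dst_ip, proto, dport)]
    else:
        return None
    return inside, port, interface_for(inside, ifaces)


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(INTERFACES))
    print("proxy ARP for:", proxy_arp_addresses(INTERFACES))
    for pkt in (("192.0.2.2", "tcp", 443), ("192.0.2.3", "tcp", 80),
                ("192.0.2.3", "tcp", 21), ("192.0.2.3", "tcp", 443)):
        print(pkt, "->", translate_inbound(*pkt))
    print("OPT1 moved into LAN's range:",
          overlapping_interfaces(with_interface("OPT1", "192.168.0.5/24")))
```

The last line is the mistake the thread warns about: putting OPT1 inside the LAN range produces an overlap, and the model refuses it before any NAT rule is consulted.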
Re: [pfSense] pfsync state full resync
On 16/02/2014 20:25, Joel Robison wrote:
> Hey guys- good questions! I remember asking myself the same question and what helped me was reading the RFC for VRRP/CARP. Essentially when the old master comes back up it will pick up the changes because there will already be a master running on the pvid, what used to be the slave.

That makes no sense. VRRP/CARP are responsible for failing over the virtual IP address - nothing more. pfsync is responsible for keeping the firewall state tables on the master and slave firewalls in sync.

My question was how pfsync deals with the case of a machine startup, when it has an empty state table. Does it request and receive a full state dump from the other firewall, and does this happen before CARP fails back? Otherwise, any existing sessions going through the firewall will be dropped.
Re: [pfSense] pfsync state full resync
On 17/02/2014 14:33, Jim Thompson wrote:
> See your link http://www.openbsd.org/faq/pf/carp.html

Yes I've read it. As far as I can see, it talks about state change messages and state table updates only. I see nothing about re-synchronising the entire state table; if that happens, under what circumstances it happens; nor whether CARP failover is delayed until the machine has completed synchronising its state table.

I *have* now found a third-party document which says this happens:

http://www.countersiege.com/doc/pfsync-carp/

    When the pfsync interface first comes up, pfsync broadcasts a request for a bulk update of the entire state table. After this, all updates to the state table are on a per-state, best effort basis. pfsync attempts to prevent carp from taking ownership of the common addresses until the bulk update has completed.

I don't know whether the version of pf in pfsense/FreeBSD 8.3 implements this. If this functionality has been in there since the introduction of pfsync then presumably it does.

Also: pfsense optionally lets you configure an IP to unicast state table updates to. If you do this, how does the second box send updates back to the first box when it's master? You'd put different unicast destination addresses on the two boxes?

Regards,

Brian.
[pfSense] pfsync state full resync
I have a question about pfsync failover.

Suppose you have a master/slave firewall pair; the master is broadcasting updates to its state table and the slave is picking them up. Then you reboot the master firewall. The slave firewall takes over.

When the master firewall comes back, its state table will initially be empty. So does it have a way to request from the slave a dump of the current state table? And will this transfer be completed before it becomes master on any CARP interfaces?

I can't see this situation described at

http://www.openbsd.org/faq/pf/carp.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.4

It talks about state change messages but not a full resync. However, I can find a hint of a bulk transfer here:

http://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4

and in this old posting:

http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html

Thanks,

Brian.
Re: [pfSense] Netgate's customized pfSense release
On 13/02/2014 19:43, Jostein Elvaker Haande wrote:
> The thing that brand names as Netgear now sells out of the box products with re-imaged pfSense distributions is for me a no brainer. Not only does it increase the user base of pfSense, meaning that bugs, performance issues etc are more easily uncovered and fixed in a timely manner, but it also means that EFS generates more revenue, which goes back into funding the continued development of the free product that all of us use. As long as the current business model remains, where external funding is used to enhance pfSense as it stands today, and it remains free for everyone, I see no problems at all.
>
> EFS also has commercial support available, that both helps EFS run as a company and also helps the community as a whole, which is great! We all have different needs, and some might *never* require such support.
>
> I welcome Netgear to the pfSense community as a most welcome addition, and I hope to see similar additions in the time to come.

That would be Netgate, not Netgear :-)

Regards,

Brian.
Re: [pfSense] Firewall Aliases: DNS resolving of domains broken
On 14/02/2014 16:48, Thinker Rix wrote:
> - Everything works fine, pfsense can resolve IPs. Examples: The dashboard says that I am on the latest version (=url is resolved), Diagnostics > Ping and Diagnostics > Traceroute work with domain names.
> ...
> Any ideas what could be the problem?

I suggest that you go to the command line, run

    # tcpdump -i bce0 -nnv -s0 udp port 53     # replace bce0 as appropriate

and then reload the aliases, and see what DNS traffic is generated. Look carefully at source and destination IPs.

I'd also try adding 8.8.8.8 and 8.8.4.4, at least temporarily, as your hard-coded DNS servers, and see if that makes a difference.
[pfSense] IPv6 address data validation
[For some reason the 'New Issue' button on redmine is no longer visible to me, so I'll record this minor issue here]

When creating a network alias which contains an IPv6 address, some additional data validation is required. Specifically, it lets you enter the following:

    Firewall > Aliases > [+]
    Name: foo
    Type: Network(s)
    Network(s): [+] [fc00:123::/48] [ /48 ]

This happened to me for real when copy-pasting a subnet into the first field.

The data is accepted, and the alias then has value fc00:123::/48/48. However, this prevents the ruleset from loading. More seriously, the entire ruleset is left empty. That is: after clicking Apply, 'pfctl -sr' shows nothing at all, and the firewall is open.

If you then navigate to another page, you do see an error notification:

    02-10-14 17:11:31 https://localhost:9902/firewall_aliases.php#
    [ There were error(s) loading the rules: /tmp/rules.debug:26: syntax error - The line in question reads [26]: table <foo> { fc00:123::/48/48 } ]
    https://localhost:9902/firewall_aliases.php#

You can fix or delete the offending alias to correct the problem.

Suggestion: either reject an alias which contains /nnn, or else use the /nnn part to override the CIDR drop-down selector (which would be convenient for copy-pasting aliases)

Regards,

Brian.
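The two validation options suggested above, as an added example that is not part of the thread or of pfSense's code: a Python validator for one row of a Network(s) alias that either rejects an entry already carrying /nnn or lets that /nnn override the drop-down, normalises the result with the ipaddress module, and builds the pf table line only when every row is valid, so that a bad row can never produce a syntax error in the ruleset (and hence an empty, open firewall) at load time. The function names, the mode parameter and the sample rows are my own; the alias name foo and the fc00:123::/48 value come from the post.

```python
import ipaddress


def normalise_alias_entry(entry, dropdown_prefix, mode="reject"):
    """Canonical 'network/prefix' text for one row of a Network(s) alias.

    mode='reject'   refuse an entry that already carries /nnn (the prefix must
                    come from the drop-down).
    mode='override' let the entry's /nnn win over the drop-down value, which is
                    convenient for pasted subnets.
    Raises ValueError on anything that could not be turned into one network.
    """
    entry = entry.strip()
    if entry.count("/") > 1:
        # This is the 'fc00:123::/48/48' shape that reached the ruleset in the post
        raise ValueError("more than one '/' in %r" % entry)
    if "/" in entry:
        addr, _, prefix_txt = entry.partition("/")
        if mode == "reject":
            raise ValueError("prefix length must be chosen from the drop-down, not typed: %r" % entry)
        prefix = int(prefix_txt)
    else:
        addr, prefix = entry, int(dropdown_prefix)
    # strict=False masks host bits, so 'fc00:123::1' with /48 becomes fc00:123::/48
    return str(ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False))


def rejects(entry, dropdown_prefix, mode="reject"):
    """True if normalise_alias_entry refuses the row (handy for checks)."""
    try:
        normalise_alias_entry(entry, dropdown_prefix, mode)
    except ValueError:
        return True
    return False


def build_table(name, rows, mode="reject"):
    """Build the pf 'table <name> { ... }' line for an alias.

    rows: (typed_entry, dropdown_prefix) pairs. Returns (line, []) on success or
    (None, errors). Failing closed here, before anything is written to
    rules.debug, is what keeps a typo from emptying the loaded ruleset.
    """
    nets, errors = [], []
    for entry, dropdown in rows:
        try:
            nets.append(normalise_alias_entry(entry, dropdown, mode))
        except ValueError as exc:
            errors.append(str(exc))
    if errors:
        return None, errors
    return "table <%s> { %s }" % (name, ", ".join(nets)), []


# Constructed rows: the pasted value from the post plus an IPv4 row
SAMPLE_ROWS = [("fc00:123::/48", 48), ("192.0.2.5", 24)]

if __name__ == "__main__":
    for mode in ("reject", "override"):
        print(mode, build_table("foo", SAMPLE_ROWS, mode))
```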
Re: [pfSense] Restoring from XML prevents VM from booting [SOLVED]
On 05/02/2014 17:47, Espen Johansen wrote:
> Might be that serial redirection makes it show nothing.

Yes, the serial port was the problem - thank you! The production physical box (which this XML was pulled from) *was* configured to use a serial port, but the boot loader hangs if it can't find one inside the VM.

Solution: go into VirtualBox VM settings > Ports > Serial Ports > Port 1

    [X] Enable Serial Port
    Port Number: (leave at COM1)
    Port Mode: Disconnected

Alternatively, you can set

    Port Mode: Raw File
    Port File/Path: /tmp/serial-pfsense1

and then it writes both to the VGA console and the serial port file.

When you restore XML via the web interface, I now see some boot loader settings are tweaked. Comparing a machine restored via the web interface versus one where I just copied config.xml, I find that the one restored via web interface has:

* an extra file /boot.config containing -D
* extra settings in /boot/loader.conf

    boot_multicons="YES"
    boot_serial="YES"
    comconsole_speed="115200"
    console="comconsole,vidconsole"

Thanks again for pointing me in the right direction.

Regards,

Brian.
Re: [pfSense] Restoring from XML prevents VM from booting [SOLVED]
On 06/02/2014 12:23, Stefan Baur wrote:
>> I find that the one restored via web interface has:
>>
>> * an extra file /boot.config containing -D
>> * extra settings in /boot/loader.conf
>>
>>     boot_multicons="YES"
>>     boot_serial="YES"
>>     comconsole_speed="115200"
>>     console="comconsole,vidconsole"
>
> So these parameters are added blindly regardless of whether they were set before, is that what you're saying? If so, that sounds like a nasty bug to me.

Not exactly blindly: the boot config is overwritten based on what's in the XML. See setup_serial_port() in /etc/inc/pfsense-utils.inc

    $fd = fopen($boot_config_file, "w");
    ...
    if(isset($config['system']['enableserial'])) {
        fwrite($fd, "-D");
    }
    ...
    if(isset($config['system']['enableserial'])) {
        $new_boot_config[] = 'boot_multicons="YES"';
        $new_boot_config[] = 'boot_serial="YES"';
        $new_boot_config[] = 'comconsole_speed="' . $serialspeed . '"';
        $new_boot_config[] = 'console="comconsole,vidconsole"';
    }

Regards,

Brian.
[pfSense] Restoring from XML prevents VM from booting
This is a really strange behaviour, I wonder if anyone has seen anything similar.

I've just been trying to replicate a production config in a VirtualBox VM (vbox 4.3.6, OSX 10.9.1). I can install pfsense fine, and manually set up a LAN IP address on vboxnet0 so that I can get into the web and use Diagnostics > Backup/Restore to upload an existing XML config.

But then the VM refuses to boot properly. It only gets as far as:

    F1 pfSense
    F6 PXE
    Boot: F1 |

and then hangs at that point (vertical bar, not spinning). This is repeatable if I reinstall and re-restore the same XML config.

I was able to work around the problem by reinstalling, using scp to copy /cf/conf/config.xml directly from another machine, and then reboot. So it's not a show stopper, but it's most bizarre - how can a *config* upload prevent the kernel from booting??

Any thoughts welcome :-)

Regards,

Brian.
[pfSense] Tutorials links broken?
The CARP tutorial is linked from
https://doc.pfsense.org/index.php/Tutorials
and
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

Both these pages point to
http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm

However this link is broken - it just gives a generic downloads page, suggesting you choose a mirror close to you (without listing any mirrors). If I follow links to just show me the mirrors
http://www.pfsense.org/download/mirror.php?section=downloads#mirrors
then all I get is the pfsense images, not any tutorials.

Can someone tell me where the tutorials have moved to?

Thanks,

Brian.
[pfSense] Setting PPPoE MTU
I am running pfsense 2.1, and auto-update tells me this is the latest version.

My uplink is using PPPoE into a DSL router in bridged mode. The connectivity is fine, but the MTU is 1492 and I would like to bump this up to 1500 (assuming the router will take ethernet frames which are 1508 bytes).

On the WAN settings page I have tried setting MTU=1500 or MTU=1508, and then Apply to apply the changes. However nothing changes: at a shell prompt I see

    # ifconfig bce0
    bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ...
    # ifconfig pppoe0
    pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492

Even after a full reboot it remains the same.

I found ticket https://redmine.pfsense.org/issues/2209 which is supposed to be resolved, although I notice the ticket remains open.

Has anyone else been able to make this work?

Thanks,

Brian.
Re: [pfSense] Setting PPPoE MTU
I should add: when I click "Click Here for Advanced and MLPPP options" (takes me to interfaces_ppps_edit.php) I don't see any settings relating to MTU/MRU.

But in the HTML there are 6 hidden tables.

    <tr style="display: none" id="link0">
      <td width="22%" valign="top" id="linklabel0" class="vncell">Link Parameters (bce0)</td>
      .. table with rows for bandwidth, MTU, MRU, MRRU
      </td>
    </tr>
    .. repeat for link1 to link5, although they don't show (bce0)

It seems to me that at least the link0 entry should be shown. I don't see any MTU/MRU/MRRU options even if I select two ethernet interfaces under Link interface(s).

Maybe some Javascript which is supposed to be un-hiding them isn't doing so? But I don't see any errors in Javascript console. I'm using Chrome 32.0.1700.102 under OSX. I have also tried Firefox 26.0 - no difference.

Regards,

Brian.
Re: [pfSense] Setting PPPoE MTU
On 29/01/2014 11:20, Brian Candler wrote: Maybe some Javascript which is supposed to be un-hiding them isn't doing so? But I don't see any errors in Javascript console. I'm using Chrome 32.0.1700.102 under OSX. Hah, found it. --- /usr/local/ppps_edit.js.orig2013-09-11 23:25:50.0 +0100 +++ /usr/local/www/javascript/interfaces_ppps_edit/ppps_edit.js 2014-01-29 11:33:30.0 + @@ -30,7 +30,7 @@ advanced = #advanced_ + j.toString(); jQuery(advanced).show(); } -jQuery('#adv_show').html = 1; +jQuery('#adv_show').html(1); show_hide_linkfields(select_list); } else { jQuery('#advanced_').show(); ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
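Review bot: The `-` line assigns the number 1 to the `html` property of the jQuery object returned by `jQuery('#adv_show')`, which only overwrites that object's `html` method and never changes the `#adv_show` element, so anything later reading the element's content sees nothing; the `+` line's `.html(1)` call is the correct fix. Two follow-ups: the `---` header names `/usr/local/ppps_edit.js.orig` while `+++` names the file under `/usr/local/www/javascript/interfaces_ppps_edit/`, so confirm the patch is applied to the live www copy, and since `1` is being used as a flag rather than markup, a short comment saying what it means would help the next reader.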
Re: [pfSense] Setting PPPoE MTU
On 29/01/2014 11:37, Brian Candler wrote:
> On 29/01/2014 11:20, Brian Candler wrote:
>> Maybe some Javascript which is supposed to be un-hiding them isn't doing so? But I don't see any errors in Javascript console. I'm using Chrome 32.0.1700.102 under OSX.
> Hah, found it.

Raised as https://redmine.pfsense.org/issues/3416

Now this just leaves MTU behaviour. I find that I can happily set the MTU to something *lower*, e.g. setting 1480 either on the main WAN page or on the per-link settings gives me pppoe0 with MTU 1480.

However if I try to set MTU 1500 I still get pppoe0 with MTU 1492. Checking /var/etc/mpd_wan.conf I find

    set link mtu 1500

so the value I entered has ended up in the right place. Something else is clamping MTU or MRU to 1492.
Re: [pfSense] Setting PPPoE MTU
On 29/01/2014 11:46, Chris Bagnall wrote:
> I looked at this about a year ago when we started getting clients with FTTC connections here in the UK (which are basically VDSL), and at the time it looked like RFC4638 support (baby jumbos) wasn't supported in pfSense.

I'm in the UK too. The line I'm discussing is ADSL on Plusnet. (*)

> I've just done a quick search for 'pfSense RFC4638' and found this thread from May last year:
> https://forum.pfsense.org/index.php?topic=61876.0

That's useful, thanks.

Doing a tcpdump on the WAN interface, after the initial PADI exchange (which doesn't include a PPP-Max-Payload tag) I see that at the LCP stage, pfsense is offering MRU=1492, whilst the BRAS side is offering MRU=32725.

Regards,

Brian.

(*) At home I have FTTC on Plusnet, and that definitely works with MTU=1500. However I'm using their provided router, which does PPPoE to the BT VDSL modem. I'd like to be able to change to pfsense at some point.
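The tcpdump observation above (no PPP-Max-Payload tag in the PADI, then MRU=1492 offered against the BRAS's 32725) can be checked mechanically. This is an added example, not code from the thread or from pfSense: it builds constructed PPPoE discovery and LCP packets, extracts the RFC 4638 tag and the LCP MRU option, and reports why a session stays at 1492.

```python
import struct

# Tag/option numbers from RFC 2516 (PPPoE), RFC 4638 (PPP-Max-Payload) and RFC 1661 (LCP).
TAG_SERVICE_NAME, TAG_PPP_MAX_PAYLOAD, TAG_END = 0x0101, 0x0120, 0x0000
LCP_CONF_REQ, LCP_OPT_MRU = 1, 1

def build_padi(max_payload=None):
    """Constructed PADI (bytes after the Ethernet header); the optional tag is the RFC 4638 request."""
    tags = struct.pack("!HH", TAG_SERVICE_NAME, 0)
    if max_payload is not None:
        tags += struct.pack("!HHH", TAG_PPP_MAX_PAYLOAD, 2, max_payload)
    return struct.pack("!BBHH", 0x11, 0x09, 0, len(tags)) + tags

def build_lcp_confreq(mru, ident=1):
    """Constructed LCP Configure-Request carrying only an MRU option."""
    opt = struct.pack("!BBH", LCP_OPT_MRU, 4, mru)
    return struct.pack("!BBH", LCP_CONF_REQ, ident, 4 + len(opt)) + opt

def ppp_max_payload(discovery):
    """PPP-Max-Payload value from a PADI/PADO, or None when the tag is absent."""
    ver_type, code, session, length = struct.unpack("!BBHH", discovery[:6])
    pos, end = 6, 6 + length
    while pos + 4 <= end:
        ttype, tlen = struct.unpack("!HH", discovery[pos:pos + 4])
        if ttype == TAG_END:
            break
        if ttype == TAG_PPP_MAX_PAYLOAD and tlen == 2:
            return struct.unpack("!H", discovery[pos + 4:pos + 6])[0]
        pos += 4 + tlen
    return None

def lcp_mru(lcp):
    """MRU offered in an LCP Configure-Request, or None if no MRU option is present."""
    code, ident, length = struct.unpack("!BBH", lcp[:4])
    if code != LCP_CONF_REQ:
        raise ValueError("not an LCP Configure-Request")
    pos = 4
    while pos + 2 <= length:
        otype, olen = lcp[pos], lcp[pos + 1]
        if otype == LCP_OPT_MRU and olen == 4:
            return struct.unpack("!H", lcp[pos + 2:pos + 4])[0]
        pos += max(olen, 2)  # guard against a malformed zero-length option
    return None

def diagnose(padi, local_lcp, peer_lcp):
    """Summarise what a capture says about reaching a 1500-byte PPP payload."""
    local, peer = lcp_mru(local_lcp), lcp_mru(peer_lcp)
    if ppp_max_payload(padi) is None:
        return "PADI lacks PPP-Max-Payload: RFC 4638 never attempted; local MRU %s, peer MRU %s" % (local, peer)
    return "PPP-Max-Payload %d requested; local MRU %s, peer MRU %s" % (ppp_max_payload(padi), local, peer)
```

On a real capture, feed `ppp_max_payload()` the PADI/PADO payload and `lcp_mru()` each side's Configure-Request; a 1500-byte payload needs both the tag in discovery and a peer MRU of at least 1500.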