Re: [pfSense] 2.4.3 - cannot define table bogonsv6

2018-04-19 Thread Jim Pingle
On 04/19/2018 04:54 AM, Eero Volotinen wrote:
> The fix is in the Reddit thread.
> 
> Someone should fix this in the pfSense default config.

It has been fixed for over two weeks in the repo:

https://redmine.pfsense.org/issues/8417

There have been numerous threads about it on the forum, reddit, and
elsewhere.

Jim P.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Maximum CARP Addresses?

2018-02-16 Thread Jim Pingle
On 02/16/2018 10:09 AM, ad^2 wrote:
> OK, I understand. What are the limitations here? How many aliases can be
> stacked on one CARP VIP?
> 
> Is anyone out there running +255 VIPs? My implementation will require at
> least 500 floating IPs right away.

While there is no known practical limit, if you feel you need that many
VIPs, most likely your design is deeply flawed in some way.

If you explain the purpose of the setup and how the IP addresses are
delivered to your firewall, there is likely a better way to reach your goal.

Jim P.


Re: [pfSense] FRR and IPv6 Bug

2017-12-19 Thread Jim Pingle
On 12/17/2017 12:54 PM, Daniel wrote:
> It seems I found a bug when using FRR with IPv6.
> 
> I enabled and configured an IPv6 BGP peer, but it seems that the GUI makes a
> wrong IPv6 BGP peering config.
> 
> In "sh ip bgp sum" I can see that IPv6 peers are configured, but "sh ipv6 bgp
> sum" (which is where they have to be) shows: No IPv6 Unicast neighbor is configured
> 
> This happens because the FRR config puts all IPv6 related stuff in the IPv4
> stack configuration.
> 
> Is there any way to do it correctly with the GUI, or should I use raw config
> instead?

I don't have any IPv6 peers set up in FRR, but can you elaborate more on
your configuration and the changes you made that allowed it to work?

Looking at the FRR code, the only place it manually specifies ipv4 or
ipv6 is when defining the networks to distribute.

If you can show me the settings in the GUI, the "broken" config, and
then what you think it should look like I can try to get that fixed up
in the package.

You can send that to me privately if you don't want to send it to the list.

Jim P.


Re: [pfSense] Floating rule with multiple interfaces not generated with reply-to

2017-12-05 Thread Jim Pingle
On 12/5/2017 5:34 AM, Shamim Shahriar wrote:
> Now, if I select multiple interfaces, since there is no reply-to on the
> rule, I am unable to communicate with the pfsense box from outside. Which
> makes me wonder, am I misunderstanding the purpose/functionality of
> floating rules entirely? I know one good thing about them is to be able to
> add "quick" so the rules are checked before other interface bound ones, but
> is this also not a feature (i.e., put same rule for multiple interfaces in
> one go)?

What you are seeing is expected behavior. If you have multiple
interfaces selected, it cannot possibly use reply-to because it can't
specify reply-to on rules for multiple interfaces. Interface groups have
the same limitation.

If you need reply-to, the rules must only apply to a single interface.

For that reason, multiple interface rules (groups or floating) are
primarily useful only for internal interfaces.

Jim P.


Re: [pfSense] quagga/bgp

2017-11-17 Thread Jim Pingle
On 11/17/2017 08:29 AM, Daniel wrote:
> I don’t want to use openBGPd and I also don’t want to use FRR because I am
> completely new to FRR.

If you know quagga, you know FRR. FRR is a fork of quagga and they work
nearly the same. Most people probably won't know the difference, except
that FRR will probably work better.

Jim P.

Re: [pfSense] may a bug / v2.4.x problems with more than 6 NIC's Intel pro1000 / emX

2017-11-06 Thread Jim Pingle
On 11/05/2017 03:35 PM, WolfSec-Support wrote:
> Remark:
> As written, v2.3.4 works well WITHOUT tuning anything.
> 
> So it seems to have a dependency on the FreeBSD 11.1 kernel?

That doesn't mean much; the newer base/drivers could be enabling
features on the NICs that require more resources. It's not the first
time that's happened.

Do you see any errors in the boot log (/var/log/dmesg.boot) or on the
console when it starts up with all of the NICs present?

What does "netstat -m" show? "netstat -mb"?

Is this bare metal hardware or a virtualized system? Describe the
hardware/hypervisor in more detail.

Jim


Re: [pfSense] may a bug / v2.4.x problems with more than 6 NIC's Intel pro1000 / emX

2017-11-05 Thread Jim Pingle
On 11/5/2017 12:09 PM, WolfSec-Support wrote:

> If a host has more than 6x emX, then the NICs are initialized, but only em0
> can see traffic from the switch.
> em1 and higher do not see any traffic from the network; they see only their
> own generated traffic.

Sounds like it's running out of mbufs and doesn't have enough to
initialize all of the NICs and their queues.

https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#mbuf_.2F_nmbclusters

Try setting that higher, like 100

Jim P.
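To spot the mbuf exhaustion Jim points at, here is an added Python example (not code from the list or from pfSense) that parses the counters `netstat -m` prints and flags denied requests or a cluster pool close to its limit. The sample output is constructed, and the line layout is assumed to follow FreeBSD's netstat.

```python
import re

# Constructed sample of FreeBSD "netstat -m" output for a box that has been
# running short of mbuf clusters. The line layout follows FreeBSD's netstat,
# but the numbers are made up and the format itself is an assumption.
SAMPLE_NETSTAT_M = """\
26312/4238/30550 mbufs in use (current/cache/total)
24990/1410/26400/26400 mbuf clusters in use (current/cache/total/max)
24990/1410 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
56558K/3879K/60437K bytes allocated to network (current/cache/total)
0/412/207 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0 sendfile syscalls
"""

CLUSTERS_RE = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use", re.M)
DENIED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for mbufs denied", re.M)
JUMBO_DENIED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for jumbo clusters denied", re.M)


def parse_netstat_m(text):
    """Pull the counters that matter for mbuf exhaustion out of netstat -m text."""
    stats = {}
    m = CLUSTERS_RE.search(text)
    if m:
        current, _cache, _total, maximum = map(int, m.groups())
        stats["clusters_current"] = current
        stats["clusters_max"] = maximum
    m = DENIED_RE.search(text)
    if m:
        stats["denied_mbufs"], stats["denied_clusters"], stats["denied_both"] = map(int, m.groups())
    m = JUMBO_DENIED_RE.search(text)
    if m:
        stats["denied_jumbo"] = sum(map(int, m.groups()))
    return stats


def mbuf_findings(text, warn_ratio=0.9):
    """Return human-readable findings; an empty list means nothing looks wrong."""
    stats = parse_netstat_m(text)
    findings = []
    denied = sum(stats.get(k, 0) for k in ("denied_mbufs", "denied_clusters", "denied_both"))
    if denied:
        # Any denied request means a driver or socket could not get a buffer;
        # kern.ipc.nmbclusters is the FreeBSD sysctl the pfSense doc page tunes.
        findings.append(f"{denied} mbuf/cluster requests denied: raise kern.ipc.nmbclusters")
    if stats.get("denied_jumbo"):
        findings.append(f"{stats['denied_jumbo']} jumbo cluster requests denied")
    current, maximum = stats.get("clusters_current"), stats.get("clusters_max")
    if current is not None and maximum and current >= warn_ratio * maximum:
        findings.append(f"mbuf clusters at {current}/{maximum}: close to the limit")
    return findings


if __name__ == "__main__":
    # Pipe real output in with: netstat -m | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT_M
    for finding in mbuf_findings(text) or ["no mbuf problems detected"]:
        print(finding)
```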


Re: [pfSense] HAProxy edits not saving

2017-09-18 Thread Jim Pingle
On 9/18/2017 2:44 AM, maina maish wrote:
> I am editing /var/etc/haproxy/haproxy.cfg, but it looks like changes are getting
> cleared if someone uses Services/HAProxy/Frontends and applies changes
> using the WebGUI.
> 
> Is there a way to make sure changes made through the command line do not get
> cleared?

The GUI configuration for pfSense or a package will always overwrite
config files edited manually. That is part of the core design of the
entire system. There is no way for the GUI to know that a change to a
file was intentional; the config.xml settings are always assumed to be
correct.

If you don't want to use the GUI to maintain the haproxy configuration,
then don't install the GUI package; install haproxy itself using pkg
from a shell prompt.

Jim P.


Re: [pfSense] Factory Default / Cleanup(script) of binaries + config backups + etc

2017-08-07 Thread Jim Pingle
On 08/07/2017 08:09 AM, WolfSec-Support wrote:
> Well, Jim, you are completely right - and as paranoid as I am normally :)
> 
> Here it is for INTERNAL use only - simply colleagues etc should not see
> all old data

Which is my point. Without a wipe+reload, inevitably _something_ is
going to get left behind, especially with package data.

Since it is staying internal, a reinstall is sufficient and not a full
disk wipe.

> And - to be honest:
> in general it would be really helpful to HELP/ANSWER a question, instead
> of declining it by default.
> People have also thought about their idea before - if it doesn't fit
> YOUR requirements, maybe it fits THEIRS ;)

I focus on the goal rather than the methods. If someone asks "How can I
do X so I get Y", I answer how to reach "Y" in the best way, because
often "X" is not the most efficient or correct method.

I am answering the question of how to reach your goal in the safest and
most secure way possible. The specific method you're inquiring about is
not going to achieve your goal and could easily result in unintended
behavior or information exposure. Technically, yes, what you want to do
could be achieved by a script, via ssh commands, or by any number of
methods, but all of those techniques suffer from the same problems.

I'd rather you have the most stable, secure, and reliable experience
possible, and following your suggested methods would most likely not
have that result.

Reinstalling does not take long, and in most cases all you have to do is
press Enter a few times in a row. If all of your hardware is identical
with identical drives you could even take a disk image of a stock
install and write that out any number of ways, but that would still be
slower than a reinstall in most cases.

Jim


Re: [pfSense] Factory Default / Cleanup(script) of binaries + config backups + etc

2017-08-07 Thread Jim Pingle
On 8/7/2017 2:20 AM, WolfSec-Support wrote:
> The goal is to put devices in stock for replacements in a nearly clean state
> for internal usage and shipping to other sites.

A wipe+reload is the only proper way to accomplish this acceptably.

No matter how careful you are, something will most likely be left behind
and may surprise you later.

Jim


Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Jim Pingle

On 8/6/2017 9:47 PM, Walter Parker wrote:
> How do I get the Acme package to let me update the sample.com zone, to add
> the host for _acme-challenge.fw.sample.com? I think I missed a step. This is
> for a firewall that I don't want to set up external web access on.

At the moment it only supports host keys, not zone keys. It will need to
have a key made for that host specifically.

Also, make sure the update-policy for the dynamic zone grants the
ability to update TXT records specifically, or ANY.

Jim P.


Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Jim Pingle
On 8/6/2017 8:03 PM, Walter Parker wrote:
> I think I'm missing something simple with my Acme Client setup in pfSense.
> I followed the following steps and I'm getting a TSIG error (note NSUPDATE
> worked when run by hand).
> 
> - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
> - Copy secret from Kfw.sample.com.*.key (note this secret has a space in
>   the middle)

Use the copy of the key from the .private file. It shouldn't have a
space in it.

Jim P.
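An added Python example (not from the thread or the ACME package) showing the difference Jim describes: it reads the secret from a constructed `.private` file and from a constructed `.key` file whose base64 is split by a space, then checks which form a strict decoder accepts. The file layouts and the key bytes are assumptions.

```python
import base64
import binascii

# Constructed secret: 64 bytes (512 bits) base64-encoded, the size that
# "dnssec-keygen -b 512" produces. The byte values are made up for the example.
SECRET = base64.b64encode(bytes(range(64))).decode()

# The .private file carries the secret on a single "Key:" line (assumed layout).
SAMPLE_PRIVATE = f"""\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: {SECRET}
Bits: AAA=
"""

# The .key file carries the same secret as a KEY resource record whose base64
# is printed in whitespace-separated chunks; that is the space the poster saw.
SAMPLE_KEY = f"fw.sample.com. IN KEY 512 3 157 {SECRET[:56]} {SECRET[56:]}\n"


def secret_from_private(text):
    """Read the secret from the Key: line of a dnssec-keygen .private file."""
    for line in text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Key: line found")


def secret_from_key(text):
    """Read the secret from a .key file, joining the chunked base64 back together."""
    for line in text.splitlines():
        fields = line.split()
        if "KEY" not in fields:
            continue
        # name [ttl] [class] KEY flags protocol algorithm base64...
        idx = fields.index("KEY")
        return "".join(fields[idx + 4:])
    raise ValueError("no KEY record found")


def valid_tsig_secret(secret, bits=512):
    """True if the secret is strict base64 of exactly `bits` bits.

    A secret pasted straight from the .key file still contains the space, and a
    strict decoder rejects it, which matches the TSIG failure on the list.
    """
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) * 8 == bits


if __name__ == "__main__":
    pasted_from_key_file = SECRET[:56] + " " + SECRET[56:]
    print("raw .key paste valid:", valid_tsig_secret(pasted_from_key_file))
    print(".private Key: valid:", valid_tsig_secret(secret_from_private(SAMPLE_PRIVATE)))
    print("both files agree:", secret_from_key(SAMPLE_KEY) == secret_from_private(SAMPLE_PRIVATE))
```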



Re: [pfSense] uncomplete update to 2.3.4, no route to host

2017-05-12 Thread Jim Pingle
On 05/12/2017 12:47 PM, Steve Yates wrote:
>They're missing the DNS record for pkg.pfsense.org.  Per the SOA 
>ad...@netgate.com is the contact; I've bcc'd this there.

pkg does not use A/ records, it uses SRV records, which are present
and work fine:


$ host -t srv _https._tcp.pkg.pfsense.org
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.

The OP's problem is not related to DNS. "No route to host" indicates they
have a problem with their connectivity; for example, they may have broken
or half-configured IPv6 that is present but not usable for routing.

Jim P.


Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-23 Thread Jim Pingle
On 03/22/2017 02:16 PM, hamid ashraf wrote:
> I have 2 pfsense FW 2.3.3 p1 version, one is Master and Second is Backup. 
> CARP configured between both firewalls  for IPv4 and all the configurations 
> are successfully syncing. When I configured the DHCPv6 on master firewall, 
> that configuration didn't replicated to the backup one and everything works 
> perfectly from outside to inside and vice versa on master. When firewall 
> failover IPv6 connectivity is gone. My questions: 
> 
> 1. Does pfSense not support IPv6 failover?

No, because the ISC DHCP daemon for IPv6 does not have any concept of
failover baked in at this time. And last I heard, they are holding out
waiting for an IPv6 DHCP failover standard to be written. There are a
couple of drafts floating around but last I saw, none have yet moved beyond
that stage.

> 2. Does pfSense not support DHCPv6 failover, as I observed nothing has
> been synced to the backup firewall related to DHCPv6?

It could, but it doesn't, because of the above limitation. You have to
manually configure a different range on both boxes, or use only SLAAC
for automatic assignment. You could configure the same pool on both
units but since the two units cannot share lease information, you end up
relying on IPv6 DAD to prevent conflicts.

Since the potential IPv6 address pool for a subnet is huge (/64), using
a separate range on each unit shouldn't be a problem. But it does mean
you have to configure them manually.

> 3. Please suggest a design to get IPv6 and IPv4 working together in failover with
> DHCPv6 synced between them, and if the firewall fails over it should be seamless.

You have to set up each node manually for DHCPv6, but it works fine this way:

Primary:
* DHCPv6 enabled
** DHCPv6 set for a given range (say...
:::xxx0::1:-:::xxx0::1:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP. Binding to the CARP VIP
interface ensures that radvd only runs on the node which is master.
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Secondary:
* DHCPv6 enabled
** DHCPv6 set for DIFFERENT range (say...
:::xxx0::2:-:::xxx0::2:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Then repeat that for each local interface (e.g. DMZ, guest network, etc.).

It may seem clunkier than its IPv4 sibling but they both transition at
nearly the same rate.

As an alternative, you could bind the RA daemon to the LAN directly and
set the primary to high, secondary to normal or low. That way nodes
would always know about both gateways and they would decide which one to
use automatically.

Jim P
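A consistency check for the two-node DHCPv6 layout above, as an added Python example that is not from the list: it verifies that each node's range sits inside the interface prefix, that the two ranges do not overlap (the nodes cannot share lease state), and that the CARP VIP handed out as the DNS server is not inside either range. The prefix, ranges and VIP are constructed placeholders in the documentation range.

```python
import ipaddress


def parse_range(spec):
    """'start-end' -> (IPv6Address, IPv6Address), rejecting a reversed range."""
    start_text, end_text = spec.split("-", 1)
    start = ipaddress.IPv6Address(start_text.strip())
    end = ipaddress.IPv6Address(end_text.strip())
    if start > end:
        raise ValueError(f"range {spec} ends before it starts")
    return start, end


def check_dhcpv6_layout(prefix, carp_vip, ranges):
    """Validate one interface of the two-node layout.

    prefix:   the interface's IPv6 network, e.g. '2001:db8:0:1::/64'
    carp_vip: the IPv6 CARP VIP used as DNS server and RA binding
    ranges:   {node name: 'start-end'} with one entry per node
    Returns a list of problems; an empty list means the layout is consistent.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    vip = ipaddress.IPv6Address(carp_vip)
    problems = []
    if vip not in net:
        problems.append(f"CARP VIP {vip} is not inside {net}")
    parsed = {}
    for node, spec in ranges.items():
        start, end = parse_range(spec)
        if start not in net or end not in net:
            problems.append(f"{node}: range {spec} is not inside {net}")
        if start <= vip <= end:
            # The VIP would otherwise be handed to a client and collide with the firewall.
            problems.append(f"{node}: range {spec} contains the CARP VIP {vip}")
        parsed[node] = (start, end)
    nodes = list(parsed)
    for i, a in enumerate(nodes):
        for b in nodes[i + 1:]:
            a_start, a_end = parsed[a]
            b_start, b_end = parsed[b]
            # Two closed intervals overlap unless one ends before the other begins.
            if a_start <= b_end and b_start <= a_end:
                problems.append(f"{a} and {b} hand out overlapping ranges; the nodes "
                                "cannot share leases, so this would rely on DAD alone")
    return problems


# Constructed placeholders in the documentation prefix, mirroring the
# "::1:..." range on the primary and "::2:..." range on the secondary.
LAN_PREFIX = "2001:db8:0:1::/64"
LAN_VIP = "2001:db8:0:1::1"
PRIMARY_RANGE = "2001:db8:0:1::1:0-2001:db8:0:1::1:ffff"
SECONDARY_RANGE = "2001:db8:0:1::2:0-2001:db8:0:1::2:ffff"

if __name__ == "__main__":
    layout = {"primary": PRIMARY_RANGE, "secondary": SECONDARY_RANGE}
    print(check_dhcpv6_layout(LAN_PREFIX, LAN_VIP, layout) or ["layout is consistent"])
```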


Re: [pfSense] pfsense upgrade problems?

2017-02-22 Thread Jim Pingle
On 2/22/2017 1:23 PM, Eero Volotinen wrote:
> The process will require 14 MiB more space.
> 
> 73 MiB to be downloaded.
> 
> Fetching php56-5.6.30.txz: .. done
> 
> pkg: php56-5.6.30 failed checksum from repository
> 
> 
> something wrong with the packages?

Nothing on our side as far as we've seen. Large numbers of completed
upgrades without issue.

Probably the transfer was cut off or something happened upstream, or
potentially a local storage issue.

Jim



Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-25 Thread Jim Pingle
On 01/25/2017 01:10 PM, Karl Fife wrote:
> The piece that's still missing for me is that there must have been some
> change in default system setting for FreeBSD, or some other change
> between versions, because the system booted fine with pfSense v 2.2.6

Aside from what has already been suggested by others, it's possible that
the newer drivers from FreeBSD 10.3 in pfSense 2.3.x enabled features on
the NIC chipset that consumed more mbufs. For example, it might be using
more queues per NIC by default than it did previously.

Jim



Re: [pfSense] Port forward => load balancer

2016-12-02 Thread Jim Pingle
On 12/02/2016 06:04 AM, Ugo Bellavance wrote:
> I'd like to know if there is a way to switch from a port forward to a
> server load balancer configuration without downtime.  Can I create
> everything in the load balancer config and then remove the port forward
> at the end?
> 
> v 2.3.2-RELEASE-p1


Using relayd (Services > Load Balancer) or the HAProxy package?

If using relayd, then maybe but probably not. relayd hooks in using NAT
similar to a port forward but it would take precedence. The moment the
frontend is set up it would likely take over the port forward even if you
were not ready. If it all happened to work on the first try, then it
would be fine.

If you're using the haproxy package then that would work fine. It would
bind to the outside address directly but the port forward would bypass
that. After you've tested it from the inside you could disable the port
forward and it would take over from there.

Given the choice between the two, I would always take HAProxy.

Jim


Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

2016-10-13 Thread Jim Pingle
On 10/13/2016 5:53 PM, Volker Kuhlmann wrote:
> I can't believe there is a major fault, but where is the download for
> 2.3.2-p1?

There are no installers for 2.3.2-p1. You have to install 2.3.2 and
update to patch 1 once it's installed.

Jim



[pfSense] Mailing List Posts from Non-Members

2016-09-22 Thread Jim Pingle
Hello,

Lately the mailing list moderation queues have been overrun with a large
volume of spam on a daily basis. To make it easier on the list admins,
we have changed the default list policy to discard messages from
non-members on all of our lists rather than holding them for manual
moderation.

The change should not impact many people because only on rare occasions,
usually once a month or less, would someone post a message without being
a list member. We had to manually look for and approve such requests
among the thousands of spam messages in the queues.

If you want to post from multiple addresses, you can subscribe from the
additional addresses and set the alternate addresses to "nomail"; that
way you won't receive multiple copies of the list mail but it can still
post. The same procedure can be used for an address where the sender
does not want to receive the list by e-mail, but follows the list using
the list's web archive and occasionally wants to post.

You can change your mailing list subscription options or sign up your
other addresses from the list management pages, such as
https://lists.pfsense.org/mailman/listinfo/list

Thanks!

Jim P.


Re: [pfSense] DHCP Implicit rule processing order

2016-08-31 Thread Jim Pingle
On 8/31/2016 9:30 PM, Karl Fife wrote:
> This suggests the implicit rules are evaluated BEFORE the explicit
> rules.  Is there a good reason they're evaluated first? I'd expect them
> to be after to allow for debugging, logging, blocking, etc.
> 

Yes, that is done on purpose. Otherwise it would be far too easy for a
user to block DHCP with a manual rule on the tab and then lose connectivity.

Jim


Re: [pfSense] pf rule error

2016-08-10 Thread Jim Pingle
On 08/09/2016 09:46 PM, Joseph L. Casale wrote:
> I recently received an error that the pf table was wedged and had been reset
> while making changes. A few days later, a vlan stopped passing dhcp traffic
> and filter reload did not resolve it, I actually had to reboot the unit.
> 
> Has anyone seen this, are there configurations known to produce this behavior
> or would hardware be the first suspect?

The two are unlikely to be related.

The "pf wedged" message can happen in some race conditions if multiple
actions are happening, attempting to hit pf in the same way at the same
moment. In most cases it's noteworthy but otherwise harmless.

There isn't enough detail in your description to speculate about why a
VLAN might have stopped passing traffic, but it's unlikely to be related
to a filter reload or pf in general unless you were changing rules on
the interface at the time.

Jim


Re: [pfSense] multiple:multiple

2016-08-05 Thread Jim Pingle
On 8/5/2016 3:13 PM, Karl Fife wrote:
> All of the states in the pfsense states display make sense to me:
> e.g. http://www.cs.hofstra.edu/~cscccl/c333/tcp.gif
> 
> Maybe I'm having a brain fart, but I'm not finding a good treatise on
> the "multiple:multiple" state?
> Anyone?

That "state" should only be seen with UDP and other stateless protocols.
You'll see SINGLE:NO_TRAFFIC when one side sends a single packet to the
other but has not yet received a response, and MULTIPLE:MULTIPLE when
both sides have sent multiple packets that match the state.

You can also see various combinations of these depending on the
protocol. For example you might see SINGLE:MULTIPLE from a perfectly
normal DNS request or you might see it on a partially working (or even
broken) ESP state for IPsec.

Essentially it's a counter that lets you know if 0, 1 or 2+ packets have
been observed matching the state.

Jim
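To make the counters concrete, here is an added Python example (not from the thread) that parses constructed `pfctl -ss` lines and classifies each non-TCP state by the packet counts its two sides have seen. The column layout is assumed to follow pf's state listing; the addresses come from documentation ranges.

```python
import re

# Constructed "pfctl -ss" lines. The column layout (interface, protocol,
# addresses, direction arrow, state pair) follows pf's state listing but is
# an assumption for this example.
SAMPLE_STATES = """\
em0 udp 192.0.2.1:53 <- 192.0.2.50:49152       MULTIPLE:MULTIPLE
em0 udp 192.0.2.1:53 <- 192.0.2.51:49153       SINGLE:NO_TRAFFIC
em0 udp 192.0.2.1:53 <- 192.0.2.52:49154       SINGLE:MULTIPLE
em0 tcp 192.0.2.1:22 <- 192.0.2.53:50000       ESTABLISHED:ESTABLISHED
em1 esp 198.51.100.2 -> 203.0.113.7       SINGLE:NO_TRAFFIC
"""

# How many packets each counter name stands for (2 means "two or more").
COUNTER_PACKETS = {"NO_TRAFFIC": 0, "SINGLE": 1, "MULTIPLE": 2}

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>.+?)\s+(?P<dir><->|<-|->)\s+"
    r"(?P<right>.+?)\s+(?P<a>[A-Z_]+):(?P<b>[A-Z_]+)$"
)


def parse_states(text):
    """Parse pfctl -ss style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def describe_stateless(entry):
    """Explain a UDP/ESP/... state pair; returns None for TCP-style state names."""
    a, b = entry["a"], entry["b"]
    if a not in COUNTER_PACKETS or b not in COUNTER_PACKETS:
        return None
    pa, pb = COUNTER_PACKETS[a], COUNTER_PACKETS[b]
    if pa == 0 or pb == 0:
        return ("one-way: packets seen from one side only "
                "(normal right after the first packet, suspicious if it persists)")
    if pa >= 2 and pb >= 2:
        return "two-way: multiple packets in both directions"
    return "two-way: a reply was seen, but one side sent a single packet (typical of one DNS query)"


def one_way_states(text):
    """States where one side has sent nothing: candidates for a missing return path."""
    return [e for e in parse_states(text) if (describe_stateless(e) or "").startswith("one-way")]


if __name__ == "__main__":
    for entry in parse_states(SAMPLE_STATES):
        print(entry["proto"], entry["a"] + ":" + entry["b"], "->", describe_stateless(entry) or "TCP state")
```

Run it against live output with `pfctl -ss | python3 this_script.py` after replacing the sample with `sys.stdin.read()`.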


Re: [pfSense] Removing obsolete packages

2016-07-27 Thread Jim Pingle
On 07/26/2016 05:38 PM, Chris Bagnall wrote:
> It would, however, be rather nice to remove the obsolete references.

At the moment there is no automated way to do that, but you can edit
them out of your config.xml, either by editing in place using "viconfig"
if you're daring, familiar with vi, and don't mind the potential for
danger, or, the safer route, by downloading a backup, editing them out, and
then restoring the backup.

Jim



Re: [pfSense] yesterday update to 2.3.2 has not worked - these machines now can not update any more

2016-07-27 Thread Jim Pingle
On 07/27/2016 12:48 AM, WolfSec-Support wrote:
> Any hint to solve the broken updated boxes?

Use ssh or the console and either use option 13, or use option 8 and
from the shell, execute "pfSense-upgrade -d"

Early in the upgrade process, pkg is updated and from that point, the
GUI for updates and packages can't interpret the new pkg data format, so
the console update is required.

Jim



Re: [pfSense] Alerts

2016-07-27 Thread Jim Pingle
On 07/27/2016 07:47 AM, Luis G. Coralle wrote:
> Hello everyone.
> Does someone know what pfSense considers an alert? Can they be customized?
> Is there a list?

There isn't an official list, but it's not very long. Usually
emergency-level events or events at the very least that require the
attention of an administrator, such as:

* config.xml missing or unreadable
* SSH keys on the firewall changed
* GEOM Mirror drive status changed (e.g. degraded or rebuilt)
* Firewall ruleset failing to load
* XMLRPC communication errors for HA configurations
* RAM too low to properly run pfSense
* Problems with the configuration that were not rejected in previous
versions but are invalid (Alias names consisting of only numbers,
removed features that were deactivated like L7)
* Virtual IP addresses that cannot be applied to interfaces
* DHCP configuration problems that prevent the service from starting

There are a couple others but that's the bulk of them. At the moment
there is not a way to customize the list.

Jim


Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2

2016-07-27 Thread Jim Pingle
On 07/27/2016 08:45 AM, Philipp Tölke wrote:
> since the update to 2.3.2 yesterday our external devices do not get
> DNS-Replies anymore.

What version was this firewall running previously?

> We have configured the DNS-Forwarder to listen on the interface and
> sockstat show it's listening on *:53. We have a rule allowing everything
> to pass to "self" on port 53.
> 
> With tcpdump I can see that the queries reach the firewall but no
> responses get send out.
> 
> The log of the DNS-Forwarder shows many entries like "Jul 27 14:36:22
> dnsmasq   83840   failed to send packet: Host is down".
> 
> Is this a known problem? Is there anything I can do?

Check the system routing table. From the sound of the errors, it would
appear that the firewall routing table does not include a route back to
the VPN client subnet.

Jim

Re: [pfSense] 502 Bad Gateway

2016-07-08 Thread Jim Pingle
On 07/08/2016 10:09 AM, Bill Arlofski wrote:
> I just realized something thanks to your post.  It seems that I have also
> witnessed that OpenVPN stops working when this occurs.

It would depend on the type of OpenVPN. RA or SSL/TLS using certificates
would likely fail, as the scripts that verify parts of the cert and
perform the authentication are PHP. So if PHP is not functioning
properly, those can fail. The root problem is still PHP.

Jim



Re: [pfSense] Update to android ipsec instructions?

2016-06-24 Thread Jim Pingle
On 6/24/2016 7:18 PM, Cheyenne Deal wrote:
> Has anyone made any updated instructions for Android 5-6 for mobile ipsec
> tunnels? I have not been able to find any instructions for newer android
> versions for pfsense

There is a bug in racoon on Android that prevents it from working
properly against strongSwan[1][2]. I'm not sure if it's been fixed in
6/MM, I don't have a device with 6 on it yet to try. Use IKEv2 with the
strongSwan app on Android if you want a better solution there for the
time being.

Jim
1: https://redmine.pfsense.org/issues/4522
2: https://wiki.strongswan.org/issues/255


Re: [pfSense] Fwd: [Openvpn-announce] New OpenVPN 2.3.10 Windows installers (I604/I003) released

2016-05-11 Thread Jim Pingle
On 05/09/2016 11:45 AM, WebDawg wrote:
> How do we get an update for the export util?

They just released OpenVPN 2.3.11 yesterday, I've pushed out an update
for the export package on pfSense 2.3, might take a bit to sync around
but it'll show up soon.

Jim


Re: [pfSense] IPsec: tunneling both IPv4 and IPv6 between two sites

2016-04-30 Thread Jim Pingle
On 4/30/2016 6:57 AM, Olivier Mascia wrote:
> Sorry for having asked this question.
> While I had tried to find the answer before posting, I finally found the 
> answer seconds later.
> 
> https://doc.pfsense.org/index.php/IPv6_and_VPNs
> 
> "Currently IPv6 with IPsec is functional, but traffic cannot be mixed 
> families in a tunnel. Meaning, IPv6 traffic can only be carried inside a 
> tunnel which has IPv6 endpoints, and IPv4 traffic can only be carried over a 
> tunnel using IPv4 endpoints. A single tunnel cannot carry both types of 
> traffic."

That page is a little out of date in one respect: You can't mix traffic
with IPsec using IKEv1, but you can with IKEv2. So long as both sides
support IKEv2 you can carry IPv6 and IPv4 in P2 entries.

FWIW, You can also tunnel both at once using OpenVPN.

Jim


Re: [pfSense] IKEv2 with LDAP or RADIUS?

2015-10-28 Thread Jim Pingle
On 10/27/2015 6:07 PM, Adam Thompson wrote:
> I just watched the last hangout that jimp did on Remote Access VPNs, and
> I'm wondering: is there no way to do user authentication against a
> back-end LDAP or RADIUS server when using IKEv2-EAP-MSCHAP2?

There is EAP-RADIUS for RADIUS, but no means for LDAP.

I'll be following up on that in the hangout this Friday.

Jim


Re: [pfSense] Kernel problem after upgrade 2.2.3 to 2.2.4

2015-08-03 Thread Jim Pingle
On 08/03/2015 04:58 AM, Carlos Vicente (Gmail) wrote:
> [...] I upgraded it to the last version (via firmware upgrade), everything
> went well till the reboot, it shows an error message:
> 
> Can't find 'kernel'
> 
> Error while including /boot/menu.rc. in the line:
> 
> Menu-display
> 
> \
> 
> Can't load 'kernel'

Only time I've seen that is when the disk space ran out during upgrade.
Did you provision that VM with an unusually small disk?

Jim



Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Jim Pingle
On 07/21/2015 04:19 PM, Adam Thompson wrote:
> Next question: extended warranty, to wit: can I purchase an extended
> warranty on these units?

It's not there yet but it is in the works and it is a priority for us.
We hope to offer that in the coming weeks.

Jim


Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Jim Pingle
On 07/20/2015 07:09 PM, Adam Thompson wrote:
> But I do have one issue/question/comment about the pricing of that bundle:
> there are still only 2 support incidents bundled.
> 
> It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I’d
> wind up paying almost the same amount (maybe $75 more if I had to buy a new
> shelf) but would get 4 support incidents included with my purchase.

Good news! The wording on the page is wrong, it does come with four.
Both units can be registered individually.

We'll get that wording cleared up.
Jim

Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Jim Pingle
On 07/20/2015 07:09 PM, Adam Thompson wrote:
> Also, the price for a 2-incident support pack is $399, but I can buy an
> SG-2220 for only $299 and get the same # of support incidents.
> 
> Have I missed something? Is this intentional?

Not sure about the other questions but this one I can answer:

The incidents you buy separately can be used for any device running
pfSense, including devices you didn't buy from us, VMs, etc.

Incidents included with a hardware purchase can only be used with that
one specific piece of hardware.

So you can't, for example, buy a 2220 and then use one of those
incidents for a problem with a custom-built device.

Jim


Re: [pfSense] FTP issues on 1:1

2015-07-06 Thread Jim Pingle
On 7/6/2015 7:59 PM, Ryan Coleman wrote:
> Using 1:1 has turned most of my knowledge in pfSense completely useless. I
> feel like a beginner again.
>
> FTP worked on port 21. But for security reasons I do not want it there so I
> moved it to port 9000.
>
> ProFTPd is set up for Masquerading on its 1:1 IP, passive ports are dictated
> in the conf (49500-52500) and configured as such in the Firewall Rules.
> Firewall Rules also have port 8999-9001 open for the FTP server.
>
> FTP works internal to the network so the issue isn't in the configuration of
> ftp server but in the configuration of the firewall.

Seems the actual question/problem statement is missing. What exactly
isn't working?

Did you actually change the binding port in ProFTPd or did you redirect
21 to 9000 with a port forward?

If you mix 1:1 NAT and port forwards you will find a couple things you
may not expect due to the way pf works and how NAT happens before
firewall rules:

1. Port forwards override 1:1 NAT, which is good for doing what you want

-but-

2. If you forward a different port (e.g. 9000 to 21) your rule still
passes to the local IP on port 21 so BOTH ports are actually accessible.
In other words, you can't relocate a port and block access to the
original port.

Changing the binding in ProFTPd to 9000 should work around that.

If that's what you did, then your rule would pass to the local IP on
port 9000.

If that doesn't help, give us a bit more detail about the exact NAT and
firewall rules you have and what isn't working as expected. Include
firewall logs, states for the test connections, and perhaps a packet
capture.

Jim
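The NAT-before-filter ordering Jim describes above is easy to get wrong, so here is a small model of it, added as an example (not pfSense or pf code). It walks an inbound packet through the NAT stage (a port forward wins over the 1:1 mapping) and then the filter stage (rules match the translated destination), for the two setups in the reply: forwarding 9000 to 21 with ProFTPd still bound to 21, versus rebinding ProFTPd to 9000 with no forward. The addresses are constructed from the RFC 5737 documentation ranges; `reachable`, `redirect_setup` and `rebind_setup` are this example's own names.

```python
from dataclasses import dataclass

# Constructed addresses for the walk-through (RFC 5737 documentation ranges,
# not real hosts): the public 1:1 address and the FTP server behind it.
PUBLIC_VIP = "203.0.113.10"
FTP_SERVER = "192.0.2.10"


@dataclass(frozen=True)
class PortForward:
    """A port forward (pf 'rdr'): public ip:port -> internal ip:port."""
    public_ip: str
    public_port: int
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class PassRule:
    """An interface firewall rule: pass traffic to this post-NAT ip:port."""
    dst_ip: str
    dst_port: int


@dataclass
class Firewall:
    one_to_one: dict     # public IP -> internal IP (1:1 NAT)
    forwards: list       # PortForward entries
    rules: list          # PassRule entries

    def translate(self, dst_ip, dst_port):
        """NAT stage: a matching port forward overrides the 1:1 mapping."""
        for fwd in self.forwards:
            if (fwd.public_ip, fwd.public_port) == (dst_ip, dst_port):
                return fwd.target_ip, fwd.target_port
        if dst_ip in self.one_to_one:
            return self.one_to_one[dst_ip], dst_port
        return dst_ip, dst_port

    def passes(self, dst_ip, dst_port):
        """Filter stage: rules are matched against the translated destination."""
        t_ip, t_port = self.translate(dst_ip, dst_port)
        return any((r.dst_ip, r.dst_port) == (t_ip, t_port) for r in self.rules)


def reachable(fw, listening_ports, dst_ip, dst_port):
    """True when a packet to dst_ip:dst_port passes the filter and lands on a
    port the internal server actually listens on."""
    t_ip, t_port = fw.translate(dst_ip, dst_port)
    return fw.passes(dst_ip, dst_port) and t_ip == FTP_SERVER and t_port in listening_ports


def redirect_setup():
    """ProFTPd still bound to 21, port forward 9000 -> 21, rule passes to :21."""
    return Firewall(
        one_to_one={PUBLIC_VIP: FTP_SERVER},
        forwards=[PortForward(PUBLIC_VIP, 9000, FTP_SERVER, 21)],
        rules=[PassRule(FTP_SERVER, 21)],
    )


def rebind_setup():
    """ProFTPd bound to 9000, no port forward, rule passes to :9000."""
    return Firewall(
        one_to_one={PUBLIC_VIP: FTP_SERVER},
        forwards=[],
        rules=[PassRule(FTP_SERVER, 9000)],
    )


def exposed_ports(fw, listening_ports, candidates=(21, 9000)):
    """Which of the candidate public ports reach the FTP daemon."""
    return [p for p in candidates if reachable(fw, listening_ports, PUBLIC_VIP, p)]


if __name__ == "__main__":
    print("forward 9000->21:", exposed_ports(redirect_setup(), {21}))   # [21, 9000]
    print("rebind to 9000:  ", exposed_ports(rebind_setup(), {9000}))    # [9000]
```

With the port forward, port 21 is still reachable through the 1:1 mapping because the pass rule has to allow the translated destination (:21) for the forward to work at all; only rebinding the daemon closes the original port.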

Re: [pfSense] Dashboard Width

2015-06-30 Thread Jim Pingle
On Jun 30, 2015, at 8:25 AM, Paul Galati paulgal...@gmail.com wrote:

> All,
>
> Am I doing something wrong or is the current dashboard themes limited to
> 2 columns across?  With computer screens being wider than taller, it would
> be nice to be able to have a 3rd or 4th row of data rather than scrolling
> up and down.
>
> Just curious. Thanks.

Change your theme to pfsense_ng_fs from System > General and then you
can add columns and then add widgets to those columns.

On 06/30/2015 11:26 AM, Oliver Hansen wrote:
> You may want to look into this recent post: https://blog.pfsense.org/?p=1773

That's the long term goal, of course. In the meantime using
pfsense_ng_fs will help.

Jim


Re: [pfSense] Too many VIPs

2015-06-18 Thread Jim Pingle
On 06/17/2015 09:07 PM, Brian Caouette wrote:
> I assume it's not ready yet? Mine says 2.2.2 and current.

Correct, it has not yet been released. There are snapshots for it,
however. It should be out by the end of next week if all goes well.

Jim



Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Jim Pingle
On 06/17/2015 09:53 AM, Adam Thompson wrote:
> So far, PPTP and IKEv2 (using EAP-MSCHAPv2) appear to be the only
> options, and while PPTP works fine, it's insecure.  (This isn't actually
> a problem for my use case, but since it's going away and certainly isn't
> getting any love in pfSense, I'm leaving it behind.)
>
> IKEv2 just... never works.  I'm pretty darn sure (99.999%) my
> certificate meets the requirements.
>
> Are there any tricks that aren't obvious?

I've set it up several times, all of the knowledge I've been able to
gather has been dumped into the wiki:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS

I marked the most commonly missed and most important parts of the
configs with a warning graphic to help them stand out. Usually problems
are with the certificate, either with generating the cert (missing the
SAN, for example) or importing it into the client properly (perhaps it
wasn't imported into Trusted Root Certification Authorities under
Local Machine).

Jim


Re: [pfSense] Documentation about Firewall Lookup Process, State Table, Firewall Rules Table

2015-06-03 Thread Jim Pingle
On 06/03/2015 09:47 AM, Espen Johansen wrote:
> Don't double post please.

Looks like his other post was stuck in the moderation queue and
approved, I'd have killed it but I didn't notice he'd already managed to
get it through to the list.

> Hello everybody,
>
> Is there any documentation about:
>
> * the process of how the pfSense firewall handles packets (lookup in firewall
> rules, lookup in state table, add new state, ...) e.g. a flow chart
> * how the firewall rules are being (data structure)
> * how the connection states are being (data structure)
>
> Any hints are greatly appreciated!

While not that low level (which as others have stated could be found in
PF docs from FreeBSD and/or OpenBSD, plus the source), this should also
be of interest:

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

Jim


Re: [pfSense] Fwd: freak vulnerable for pfsense

2015-03-19 Thread Jim Pingle
On 03/19/2015 06:27 AM, Amit Saxena wrote:
> I am working on a pfSense firewall, also configured as an OpenVPN server.
> I got the information that FREAK is vulnerable, so I want to know if it
> affects the pfSense box.
> My pfSense details:
>
> pfSense version 2.1 and OpenSSL version 0.9.8y

The firewall GUI itself is not vulnerable as a server, even on that version.

The OpenSSL library on that version may be vulnerable as a client,
however. If you do not have anything on the firewall that makes outbound
connections to arbitrary servers that would use SSL, it may not be a
factor for you, but upgrading to 2.2.1 is still advised.

Jim


Re: [pfSense] 2.2.1-RELEASE sudo issues?

2015-03-18 Thread Jim Pingle
On 3/17/2015 4:48 PM, Manojav Sridhar wrote:
> Just upgraded my pfSense to 2.2.1-RELEASE,
>
> [2.2.1-RELEASE][user@host]/usr/lib: sudo
> Shared object libintl.so.9 not found, required by sudo
>
> Can't seem to find the libintl.so.9, this breaks the sudo package. Anyone
> else run into this?

Try the latest version of the sudo package, there is a fix for this.

Jim



Re: [pfSense] Issue with OpenVPN certificate depth validation and long certificate subjects

2015-03-10 Thread Jim Pingle
On 03/07/2015 04:32 PM, David Durrleman wrote:
> There seems to be an issue in pfsense's custom certificate depth
> verification for OpenVPN connections. When long certificate subjects are
> used, the validation fails. Here is how to repro:

Probably this (already fixed in 2.2.1):
https://redmine.pfsense.org/issues/4329

Jim



Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Jim Pingle
On 03/08/2015 06:50 PM, Bryan D. wrote:
> My interpretation of the nice chart and notes on
> https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
> leads me to believe that I can switch the CARP VIPs to be IP Alias VIPs.
> However, when I do that, the 2 servers for the 2 domains tied to the VIPs are
> no longer accessible from the Internet (but IIRC, the mobile VPNs still work).
>
> Can anyone suggest what it is that I don't understand (well, limited to this
> behavior, at least)?

As has been hinted at elsewhere in the thread, your problem is likely
layer 2-related.

CARP VIPs get their own unique MAC address. Proxy ARP and IP Alias VIP
MAC addresses are shared with the NIC itself.

Changing from CARP to Proxy ARP or IP Alias would cause the MAC address
of the VIP to change, which may require clearing the ARP cache on the
modem/upstream router/etc.

Another possibility is that your upstream requires each additional IP
address to have a unique MAC address. We have seen this with some ISPs /
certain modems and it's a bit of a pain. CARP works around it because
each VIP on a different VHID has a unique MAC address, where IP alias
and Proxy ARP VIPs all have the same MAC address.

So there isn't a clear answer here. Likely, it would be OK to use Proxy
ARP, but you'll need to reboot the modem or upstream router. If that
still fails and CARP works, then your ISP or upstream equipment must be
expecting each IP to have a unique MAC address.

Jim


Re: [pfSense] Multi WAN IPv6

2015-03-09 Thread Jim Pingle
On 03/09/2015 10:28 AM, Tiernan OToole wrote:
> But there is a problem... The Multi-WAN one assumes that both WAN
> connections give IPv6 addresses, which in my case is false, and the
> Tunnel Broker assumes you have one WAN connection... Last time I tried
> this, mind you with a different router, all traffic went through one
> connection (the one the tunnel broker knew about) and nothing went
> through the rest...
>
>
> Anyone done this before?

Actually the instructions were written with a separate tunnel broker
connection on each WAN.

Though it may work with one tunnel broker and using a gateway group on
the tunnel endpoint update dyndns entry, I'm not sure anyone has tried that.

Jim


Re: [pfSense] serial port sadness

2015-02-25 Thread Jim Pingle
On 02/25/2015 12:03 PM, Bob Gustafson wrote:
> Years ago I had problems with serial cables - I invested in a little
> in-line gadget that had red and green LEDs for each line. The one I have
> uses 25 pin connectors, so the cable is a mix of 9-25 pin adapters and
> the LED viewer.
>
> You can shut down/disconnect one end to see what lights remain lit. A
> flicker on a pair of lights indicates data flow. It has been very helpful.

I picked this up a few days ago and I'm quite happy with it:

http://www.amazon.com/gp/product/B00AHYJWWG

USB to serial converter with an LED readout including transmit and
receive indicators.

FTDI chip, too.

Jim



Re: [pfSense] Documentation page : wildcard DNS record

2015-02-19 Thread Jim Pingle
On 02/19/2015 07:03 AM, Guillaume wrote:
> The example wildcard DNS record given here :
> https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder is
> inaccurate w/pfsense 2.2.

The page is correct, but if you note the name it was specific to the DNS
Forwarder only (dnsmasq), not the DNS Resolver (Unbound).

> Thanks to this post (
> https://unbound.net/pipermail/unbound-users/2009-April/000560.html ) I
> have been able to set a wildcard, with the advanced option box.
>
> In short :
>
> local-zone: FQDN redirect
> local-data: FQDN A HOST_IP
>
>
> May someone update the doc ?

I added that info to the doc and renamed it so it's clear that now it
covers both the Forwarder and Resolver.

Thanks for the updated info!

Jim



Re: [pfSense] Lightsquid

2015-02-12 Thread Jim Pingle
On 02/12/2015 10:37 AM, Jim Pingle wrote:
> * Uninstall lightsquid
> * rm -rf /usr/local/lib/perl5
> * rm -rf /usr/local/www/lightsquid
> * rm /usr/local/bin/perl
> * rm /usr/bin/perl
> * Reinstall lightsquid

I missed a step, it should be:

* Uninstall lightsquid
* rm -rf /usr/local/lib/perl5
* rm -rf /usr/local/etc/lightsquid
* rm -rf /usr/local/www/lightsquid
* rm /usr/local/bin/perl
* rm /usr/bin/perl
* Reinstall lightsquid

Jim


Re: [pfSense] Lightsquid

2015-02-12 Thread Jim Pingle
[Please don't top post]
On 02/11/2015 08:13 PM, Brian Caouette wrote:
> On Feb 11, 2015, at 5:24 PM, Jim Pingle li...@pingle.org wrote:
>> It works fine on 2.2 under the right circumstances.
>>
>> Those being that before installing lightsquid, /usr/local/lib/perl5
>> doesn't exist, and /usr/local/bin/perl is something valid or a link to
>> something valid.
>>
>> If you clean up the leftovers from older broken installations it works fine.
>>
>> The package tries to do some cleanup but it can't do too much without
>> potentially harming other packages.
>
> How do you clean leftovers? I have an all but new 2.1.5 Netgate apu4
> that I let upgrade to 2.2.
>
> Will that fix the blank page when I try to view reports? What steps
> are needed for the fix? I have the support that came with the unit.
> Would somebody connect and fix it?

The nuke it from orbit method:

* Uninstall lightsquid
* rm -rf /usr/local/lib/perl5
* rm -rf /usr/local/www/lightsquid
* rm /usr/local/bin/perl
* rm /usr/bin/perl
* Reinstall lightsquid

Jim


Re: [pfSense] Visual seperators?

2015-02-11 Thread Jim Pingle
On 2/11/2015 6:55 AM, kpolb...@olberg.name wrote:
> I guess it would break the current UI to have collapsible groups. And it
> might not have been the most thought through proposal :) I do however
> still feel there is a use for a separator. With regards to your comment
> on over engineering. If something is worth doing, it's worth
> overdoing ;)

We get requests for this sort of thing from time to time but a consensus
is never reached about what might be possible, useful, and wouldn't make
the view worse for others.

Typically, though, if a set of rules is so long that they need grouping,
they likely are not making good use of aliases.

For visually identifying rules without grouping, there is also this
bounty thread on the forum that is progressing:
https://forum.pfsense.org/index.php?topic=87494.0;topicseen

Jim


Re: [pfSense] problem with bacula-client 7.0.5 binaries on pfsense 2.2

2015-02-09 Thread Jim Pingle
On 02/09/2015 11:30 AM, Dan Langille wrote:
> There's been a bug open for 14 days regarding the configuration issues:
>
> https://redmine.pfsense.org/issues/4307
>
> I will try the packaged binaries again.

FYI for others (Dan already knows from Twitter):

Bacula should be OK now on 2.2, as of package version 1.0.6.

The main problem was the paths being used for the various configuration
file and startup script references. Once those were fixed up things seem
to be OK.

There is still some awkwardness in how to set the package GUI up but
that's the same as it always was. Have to add two directors, one local
for the firewall itself and another for the remote bacula server.

There is still a lingering issue with the rc script not restarting
properly but we're looking into that as well. Not as critical as the
other issues at least.

If anyone wants to work on making the GUI more intuitive, feel free to
collaborate and submit some patches.

Jim



Re: [pfSense] New pfSense 2.2 install

2015-01-29 Thread Jim Pingle
On 01/29/2015 10:08 AM, Doug Lytle wrote:
> I'm building a new 64bit pfSense 2.2, running under ESXi 5.5.
>
> I've noted 2 things.
>
> 1.)  Bulk Alias imports button no longer exist on the main alias page.

It's still there on all mine, on each tab at the bottom there is an up
arrow (^) and it opens the bulk import page.

> 2.)  When trying to create an alias that links to an online listing of
> blacklisted IP addresses, the alias that was just created disappears
> when hitting apply.

Look on the URLs tab or all tab not the IP tab.

Jim



Re: [pfSense] RRD persistence

2015-01-07 Thread Jim Pingle
On 01/07/2015 09:07 AM, Jeppe Øland wrote:
> Doesn't it automatically save the latest files when you reboot?
> I don't reboot often, but I don't remember ever having lost data
> (except if the firewall crashes - which did happen a few times in the
> past).

It does save them on a clean reboot. It can't save them if the power is
cut or the OS crashes/reboots uncleanly, though.

Some people reboot by yanking the power out from under a device or
using a hardware (or VM) reset button. That works, of course, but should
be a last resort. Rebooting via Diagnostics > Reboot or the equivalent
console/ssh menu option is best.

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] 32 or 64?

2015-01-06 Thread Jim Pingle
On 01/06/2015 04:08 PM, Jeppe Øland wrote:
> https://doc.pfsense.org/index.php/Upgrade_Guide#Changing_architecture_.2832-bit_to_64-bit_or_vice_versa.29_during_upgrade
>
> From that link:
> Upgrading from 32-bit to 64-bit mostly works fine with a couple caveats - the
> 32-bit RRD data is invalid on the 64-bit version and will have to be deleted by
> running rm -rf /var/db/rrd*. All RRD history will be lost, this cannot be
> converted.
>
> That is only partially true, but you will have to do it manually...
> Before backup/upgrade/restore, convert your RRD files to XML and store
> them on another machine.

Read the next paragraph below the one you quoted. :-)

It does precisely that provided you start with pfSense 2.1.x.

What doesn't work is a 2.0.x backup w/RRD 32-bit to 2.1 64-bit.

Jim


Re: [pfSense] 32 or 64?

2015-01-06 Thread Jim Pingle
On 01/06/2015 12:57 PM, Márcio Merlone wrote:
> I am planning to replace some Linksys boxes on remote offices with a
> virtual pfSense in the next months and was wondering what's recommended
> for a new install today: 32 or 64 bits? I ask considering what's best
> for the mid-long term, are there any 64bit-only features now or planned?
> Will I lose something running a 32 bit version now or a few years from now?
>
> What are the advantages/disadvantages of each now and what is expected
> for a near future? I am not asking for an in-depth analysis, but rather
> a general overview and opinion of the main diffs.

If the hardware can run 64-bit, use 64-bit. If the hardware can't run
64-bit, don't buy it. :-)

https://doc.pfsense.org/index.php/Is_32-bit_or_64-bit_pfSense_Preferred
https://doc.pfsense.org/index.php/Does_pfSense_support_64_bit_systems

Jim

Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-11 Thread Jim Pingle
On 12/10/2014 07:34 AM, Chris Bagnall wrote:
> On 10/12/14 6:36 am, Chris L wrote:
>> That's actually your fault for using 10/8, not Comcast's.
>> Even if they were to use something like 10.58.223.0/24 they'd still
>> conflict with your 10/8.
>
> There are so many different brands and models of consumer router on the
> market these days in the 10/8 and 192.168/16 range that we've pretty
> much given up on them for all new installs, instead dropping things into
> the other RFC1918 range: 172.16/12 (we usually use variants on
> 172.20.x/24 where x is reasonably random).
>
> I don't think we've seen more than 1 or 2 consumer routers that default
> to anything in the 172.16/12 range - yet.

There are plenty out there using everything under the sun inside
RFC1918. It's only a matter of time before you hit a conflict.

Not that I would ever encourage such things (*cough*) but there are
other networks that could be used for VPN clients by admins who don't
feel like sticking strictly to RFC1918, and which are less likely to
conflict. Networks like those reserved for documentation (192.0.2.0/24,
198.51.100.0/24, 203.0.113.0/24) or benchmarking (198.18.0.0/15).

Which all sound good until you run across someone else who used them for
their LAN because they thought they wouldn't conflict. :-)

The Carrier-Grade NAT space should be avoided for VPN use also
(100.64.0.0/10) since clients could end up with an IP address in those
nets when connected to providers directly (3G/4G for example).

All that said, OpenVPN actually works OK in some conflicting scenarios.
At least it did last I tried it. Say the local client network at the
Hotel/airport/etc is 192.168.1.0/24, tunnel network is 10.0.8.0/24, and
the office net is 192.168.1.0/24. Except for the local gateway and the
clients actual IP address in the local network, the rest of the traffic
for 192.168.1.0/24 would still go over the VPN. They can't communicate
with other local hosts while they're connected but on a network like
that they wouldn't want to. The important thing to avoid conflict with
is the tunnel network itself.

Jim
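Jim's advice above boils down to a few overlap checks on the candidate tunnel network, so here they are as a runnable example (added here, not code from pfSense or the list). Given the client-side LANs you expect roaming users to connect from, it flags a tunnel network that collides with one of them as a conflict, warns when the tunnel sits in RFC 6598 CGN space or in the RFC 1918 ranges consumer routers hand out, and notes the documentation/benchmark ranges as "less likely to collide, not guaranteed". The severity labels, the grouping of the ranges and the sample client LANs are this example's own constructed values.

```python
import ipaddress

# Address blocks named in the thread, grouped by the concern each raises for
# a VPN tunnel network.  The grouping is this example's own.
COMMON_LAN_SPACE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")   # RFC 1918
CGN_SPACE = ("100.64.0.0/10",)                                         # RFC 6598
DOC_OR_BENCH_SPACE = (                                                 # RFC 5737 / RFC 2544
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/15",
)

SEVERITY_RANK = {"ok": 0, "info": 1, "warn": 2, "conflict": 3}


def _overlaps_any(net, blocks):
    return any(net.overlaps(ipaddress.ip_network(b)) for b in blocks)


def assess_tunnel_network(tunnel, client_lans):
    """Findings (severity, message) for a candidate tunnel network, given the
    client-side LANs (hotel, home, mobile carrier) roaming users connect from.
    'conflict' means the tunnel itself collides with a client LAN, the one
    case the thread says must be avoided."""
    t = ipaddress.ip_network(tunnel, strict=False)
    findings = []
    for lan in client_lans:
        if t.overlaps(ipaddress.ip_network(lan, strict=False)):
            findings.append(("conflict", f"{t} overlaps client LAN {lan}"))
    if _overlaps_any(t, CGN_SPACE):
        findings.append(("warn", f"{t} is RFC 6598 CGN space; 3G/4G clients may hold such addresses"))
    if _overlaps_any(t, COMMON_LAN_SPACE):
        findings.append(("warn", f"{t} is RFC 1918 space commonly handed out by consumer routers"))
    if _overlaps_any(t, DOC_OR_BENCH_SPACE):
        findings.append(("info", f"{t} is documentation/benchmark space: less likely to collide, not guaranteed"))
    return findings


def worst_severity(findings):
    """Single verdict for a list of findings ('ok' when there are none)."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="ok")


def rank_candidates(candidates, client_lans):
    """Map each candidate tunnel network to its verdict, best first."""
    verdicts = {c: worst_severity(assess_tunnel_network(c, client_lans)) for c in candidates}
    return dict(sorted(verdicts.items(), key=lambda kv: SEVERITY_RANK[kv[1]]))


# Constructed client-side networks: a hotel LAN, a home router and a carrier
# CGN block (sample values, not real sites).
CLIENT_LANS = ["192.168.1.0/24", "10.0.0.0/24", "100.64.12.0/22"]

if __name__ == "__main__":
    candidates = ["192.168.1.0/24", "10.0.8.0/24", "100.64.0.0/24", "198.18.5.0/24"]
    for net, verdict in rank_candidates(candidates, CLIENT_LANS).items():
        print(f"{net:18} {verdict}")
```

Feed it the LANs your users actually report (the client's local subnet is visible in the OpenVPN client log) and it tells you which candidate tunnel network is safest for that population.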

Re: [pfSense] Help with OpenVPN interface rules

2014-10-14 Thread Jim Pingle
On 10/13/2014 10:46 AM, Paul Beriswill wrote:
> Now, when I create rules for the OpenVPN_Ops interface, using
> 'OPEN_VPN_OPS net' as 'Source' the rule never hits.
> It doesn't appear
> that the 'net' and 'address' aliases are being populated when the
> connection is established.  Is this correct?

I don't believe that macro works for OpenVPN interfaces. Remember, when
you assign the interface you must set it to an IP type of None which
is what that macro would have used to fill that macro.

Manually specify the source of the traffic in the rules and you'll be OK.

You could use aliases to define specific subnet(s) or groups of people
based on the addresses you intend to assign via client-specific overrides.

Jim


Re: [pfSense] new user with console menu

2014-09-26 Thread Jim Pingle
On 9/26/2014 3:51 AM, Martin Fuchs wrote:
> When I add a new user to pfSense, this user does not have a menu when
> logging into the shell…
>
> What rights does the user need to have the console menu displayed ?

The user won't have all the necessary permissions to use the menu so
they don't get one displayed.

You can install the sudo package and give someone access to run commands
and then perhaps they can run the menu via /etc/rc.initial

Through the use of sudo without a password (not recommended) and adding
the command to run the menu (/etc/rc.initial) in their login script, it
might work out to have them dropped in automatically.

Jim

Re: [pfSense] HPET timer issues?

2014-09-23 Thread Jim Pingle
On 9/23/2014 12:34 PM, Moshe Katz wrote:
> 1. Has anyone else seen this behavior?

The only HPET issue I'm aware of is on older versions of ESX where the
clock would completely stop ticking. That's been patched for a long time
now though.

> 2. I haven't noticed any performance issues after the switch, but is
> there anything that I need to be concerned about?

If you're not noticing any other side effects it's probably OK.

Check for a BIOS update or relevant BIOS setting, though it's probably
just something specific to that bit of hardware.

Jim



Re: [pfSense] CVE-2004-0230

2014-09-18 Thread Jim Pingle
On 9/18/2014 8:55 AM, Martin Fuchs wrote:
> Does CVE-2004-0230 affect pfSense 2.1.5 ?

As Vick mentions, practically the answer is 'no'.

There are some rare cases when it might, however. It would require:

1. Disabled pf (System > Advanced, Firewall/NAT tab, check "Disable all
packet filtering")
1a. Or the default rules were replaced by interface and floating rules
in every direction set to 'no state'

2. The firewall is still reachable by the attacker

3. Connections are being made _to_ pfSense (not _through_ pfSense), e.g.
local services such as the GUI, packages such as haproxy or squid, etc,
*NOT* WAN-to-LAN or LAN-to-DMZ type connections.

If all of the above are true then it may be susceptible to the attack
described in the FreeBSD SA.

I don't think I have ever witnessed a setup that met all of those
criteria, and even those that could meet the criteria wouldn't
necessarily have long-lived connections for which such a TCP session
reset would have any meaningful impact.

We will have the fix in 2.2 but I'm not sure if there will be another
2.1.x release at this time, but we'll see what happens.

Jim


Re: [pfSense] understand the CARP advskew option

2014-09-11 Thread Jim Pingle
On 9/11/2014 7:23 PM, Martin T wrote:
> I see, thanks! However, while not the best practice, one could
> determine the master/backup role solely with advbase, couldn't he?
> That's because the host with the lowest advbase+advskew value (not just
> the advskew value) should be the preferred one?

Someone could but why would they?

pfSense automatically sets the skew for a backup during the sync, you'd
have to go out of your way to control it using only the base, and using
only the base would fail over much more slowly than using skew.

Technically, yes, it would be possible to do, but there is no advantage to
doing so unless using skew alone does not work for your configuration.

Jim


Re: [pfSense] understand the CARP advskew option

2014-09-10 Thread Jim Pingle
On 9/10/2014 5:15 AM, Martin T wrote:
> 1) Why does the messages interval matter to CARP? Is CARP designed in
> a way that CARP prefers the system which announces CARP messages with the
> shortest interval?

Yes, the fastest advertisement wins the election and becomes master.

> 2) Why is advskew needed if one could determine the master/backup
> role solely with advbase?

See above. advbase is a base time added to the skew. (+1 sec per base value)

On slower networks you need to use a higher advbase on both to account
for lag in local network equipment such as when the two nodes are in
different buildings or similar situations.

Typically, base matches on both and you set the skew to give your
preferred primary node preference.

Jim
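The two CARP replies above (the advbase/advskew explanation and the follow-up on why base alone is a poor way to pick the master) can be put into numbers. This is an added example, not pfSense or FreeBSD code, and it assumes the timing used by the BSD carp(4) implementation: a master advertises every advbase + advskew/256 seconds, and a backup declares the master dead after 3 * advbase + advskew/256 seconds of silence. The node pairs (skew 0 vs 100 on the same base, base 1 vs 2 with no skew, and a higher base on both for a slow link) are constructed values; `elect_master`, `failover_delay` and `summarize` are this example's own names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CarpNode:
    name: str
    advbase: int   # whole seconds
    advskew: int   # 0..254, added as 256ths of a second

    @property
    def interval(self):
        """Seconds between this node's advertisements when it is master
        (advbase + advskew/256, as in the BSD carp(4) implementation)."""
        return self.advbase + self.advskew / 256

    @property
    def backup_timeout(self):
        """Seconds this node, as backup, waits without hearing a master
        before it takes over (3 * advbase + advskew/256)."""
        return 3 * self.advbase + self.advskew / 256


def elect_master(nodes):
    """The node that advertises fastest (smallest interval) wins the election."""
    return min(nodes, key=lambda n: n.interval)


def failover_delay(nodes):
    """Worst-case seconds between the master dying and the best remaining
    backup promoting itself."""
    master = elect_master(nodes)
    backups = [n for n in nodes if n is not master]
    return elect_master(backups).backup_timeout


def summarize(nodes):
    """Who wins, how often it advertises, and how long failover takes."""
    m = elect_master(nodes)
    return {"master": m.name,
            "master_interval_s": m.interval,
            "failover_s": failover_delay(nodes)}


# Constructed pairs mirroring the choices discussed in the thread.
SKEW_PAIR = [CarpNode("primary", advbase=1, advskew=0),
             CarpNode("secondary", advbase=1, advskew=100)]   # same base, skew differs
BASE_PAIR = [CarpNode("primary", advbase=1, advskew=0),
             CarpNode("secondary", advbase=2, advskew=0)]     # base only, no skew
SLOW_LINK = [CarpNode("primary", advbase=2, advskew=0),
             CarpNode("secondary", advbase=2, advskew=100)]   # higher base on both

if __name__ == "__main__":
    for label, pair in (("skew", SKEW_PAIR), ("base", BASE_PAIR), ("slow", SLOW_LINK)):
        print(label, summarize(pair))
```

Skewing the secondary by 100 keeps the primary in charge and still lets the secondary take over about 3.4 seconds after the primary goes quiet; pushing the secondary's base to 2 instead doubles that to 6 seconds, which is the slower failover Jim refers to. Raising advbase on both nodes (the slow-link case) lengthens failover on purpose, to tolerate lag between buildings.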


Re: [pfSense] packages.pfsense.org down!

2014-08-05 Thread Jim Pingle
On 8/5/2014 6:04 AM, Nishant Sharma wrote:
> Package installer is not working for me.
>
> https://packages.pfsense.org/xmlrpc.php shows following error:
>
> faultCode 105 faultString XML error: Invalid document end at line 1

That page isn't meant to be accessed directly by a browser. Packages
work fine from here on all of the versions and platforms I had handy
to test.

You'll need to provide a lot more info about exactly how they fail for
you, starting with the exact version/architecture/platform of pfSense
you're using and what error message/condition you encounter when
attempting to install a package.

Jim


Re: [pfSense] Traffic shaper related error

2014-08-05 Thread Jim Pingle

Perhaps https://redmine.pfsense.org/issues/3535 or similar is happening.
Ensure that the correct interfaces are being chosen, especially if you
have reassigned the traditional WAN/LAN interface roles, since the
single WAN wizard would assume that the first interface is WAN,
regardless of what it may have been renamed.

Jim

On 8/5/2014 9:39 AM, Erik Anderson wrote:
> Just giving this a bump.
>
> As it turns out, this error appears any time I build a shaper using
> the single-wan, multi-lan wizard. I haven't given any of the other
> options a try as they don't apply to my situation, and likewise, I
> haven't yet tried manually creating all of the traffic shaper queues,
> rules, etc.
>
> Has anyone else seen this and if so, any recommendations for resolution?
>
> -Erik
>
>
> On Thu, Jul 31, 2014 at 2:08 PM, Erik Anderson erike...@gmail.com wrote:
>> v 2.1.4...
>>
>> I configured a traffic shaper earlier this week (Monday I believe),
>> and I just started getting errors on the web UI stating:
>>
>> [There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid
>> argument - The line in question reads [0]: ]
>>
>> Grepping through my syslog server, the first occurrence of this error
>> was at 06:43 this morning (the 31st):
>>
>> Jul 31 06:43:38 pfsense-01.invenshure.com php:
>> rc.filter_configure_sync: New alert found: There were error(s) loading
>> the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in
>> question reads [0]:
>>
>> No config changes would have happened at this point that would trigger
>> configuration reload.
>>
>> Googling around, I found this bug:
>>
>> https://redmine.pfsense.org/issues/2901
>>
>> Following the lead of the user that posted this bug (and then
>> abandoned it), I removed my shaper and that fixed the problem. That's
>> not a viable long-term solution for me, though.
>>
>> Does anyone have guidance as to what the cause of this bug is?
>>
>> I'd be glad to provide config snippets if that would be helpful - just
>> specify which section(s) of the config would be helpful.
>>
>> Thank you!
>> -Erik



Re: [pfSense] Traffic shaper related error

2014-08-05 Thread Jim Pingle
On 8/5/2014 11:47 AM, Erik Anderson wrote:
> On Tue, Aug 5, 2014 at 9:37 AM, Jim Pingle li...@pingle.org wrote:
>> Ensure that the correct interfaces are being chosen, especially if you
>> have reassigned the traditional WAN/LAN interface roles, since the
>> single WAN wizard would assume that the first interface is WAN,
>> regardless of what it may have been renamed.
>
> Oh, interesting. In my case, my interfaces look like this:
>
> - em0 (802.1q trunk to LAN subnets)
> - em1 (WAN)
>
> Does that mean that I'll need to reverse things when going through the
> wizard?

Not the first physical interface, but the first one assigned. For
example the one labeled WAN on the default install, if that was
renamed to something else and it's not actually WAN then the single
WAN wizard would make a false assumption.

We've done away with the extra wizards on 2.2 so now there is only the
multi/multi one that makes you select each one on its own so it can't
make bad assumptions.

The other bits wouldn't matter for shaping.

Jim



Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-10 Thread Jim Pingle
On 7/10/2014 4:27 AM, Stefan Baur wrote:
> since upgrading to 2.1.3-RELEASE and enabling e-mail notifications under
> System: Advanced: Notifications, I'm receiving an e-mail whenever the
> DynDNS update script (Services: Dynamic DNS client) triggers an update.
>
> I *do* want e-mail notifications, just not for such mundane things, only
> when stuff breaks.
>
> So how do I configure that?

There is no way to selectively disable that notification at this time.

If you don't mind a simple source edit, you can disable the notification
by removing or commenting out etc/inc/dyndns.class line 1027 (on 2.1.3)
it should start with notify_all_remote

Jim



Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifications?

2014-07-10 Thread Jim Pingle
On 7/10/2014 10:38 AM, Stefan Baur wrote:
> Thank you.  I just checked, it actually appears twice, once for IPv4 and
> once for IPv6 (7 lines below the first occurrence), so I'm going to
> comment out both.

Yes, it is in there twice but IPv6 DynDNS is still fairly rare so the
second one probably isn't going to be hit often.

> (I'm kinda curious whether no one uses e-mail notifications in
> combination with DynDNS, or why I'm the first to notice/complain. I
> can't really imagine an "everything OK" e-mail being a desired feature
> for DynDNS updates, given their frequency.)

It was put in due to demand. People wanted to be alerted when their IP
address changed. For most it's a fairly infrequent event.

> Is there any chance of getting this disabled or made configurable via
> WebGUI checkbox in one of the next few releases?  Should I file a
> bug/feature request?

It may be possible in the future, but unless someone submits a pull
request to add the option, probably not any time soon. You can look for
an existing entry on https://redmine.pfsense.org/ for it; if one does
not already exist, feel free to create a new feature request.

Jim



Re: [pfSense] NTPv6 Assignments Not Possible?

2014-07-09 Thread Jim Pingle
On 7/9/2014 11:57 AM, Mark Tinka wrote:
> I tried to add IPv6 NTP servers to my pfSense installation,
> and it doesn't like them.
>
> Anyone know when IPv6 support for NTP servers will come to
> pfSense?

They work on 2.1.x but have to be found by hostname and not a bare IP
address. For an example, try ntp6a.rollernet.us or ntp6b.rollernet.us

Jim


Re: [pfSense] Please update the pfSense Wiki with the attached note

2014-06-11 Thread Jim Pingle
On 6/11/2014 4:40 AM, Stefan Baur wrote:
> Hi Jim (or anyone with editing rights on the Wiki):

I added that text (with some minor edits) to the page.

Jim



Re: [pfSense] ldap authentication against active directory fails with passwords containing the paragraph sign

2014-06-05 Thread Jim Pingle
On 6/5/2014 8:02 AM, Freund, Ingo wrote:
> today a user complained about not being able to login to IPsec VPN on the
> pfSense via Shrew-Client 2.2.2 after he had changed his password.
>
> After some research and testing we have to report that passwords which
> contain the paragraph sign '§' are not validated the right way.
> The message on the DC is: Wrong username or password.
> After changing the paragraph sign into e.g. the dollar sign, everything works
> fine.
>
> Is this a bug?

Did you check UTF8 Encode on the LDAP server settings?

If not, then such non-standard characters may not have been sent in the
proper format for the server to understand.

Jim

Re: [pfSense] Problems with gateways on IPv6 Tunnels?

2014-06-03 Thread Jim Pingle
On 6/3/2014 12:37 PM, Seth Mos wrote:
> I just upgraded to 2.1.3 at home and tried to switch my IPv6 default gateway
> around.
>
> Unfortunately, when I try to set my HE.net tunnel gateway as the default it
> throws an error that the gateway address is not in the interface subnet.
>
> I’ve set the prefix length in both the GIF interface settings and the OPT4
> Interface settings to /120. Unfortunately it still throws that error.
> Strangely enough the gateway status widget and status page tell me the
> gateway is reachable fine and with proper response time.
>
> This makes no sense. Anybody else seeing this?

IIRC, between 2.1 and 2.1.3 Ermal changed things so that GIF interfaces
get automatic gateways, so they should be dynamic these days. I'm not
sure if all the docs got caught up to that change.
(https://redmine.pfsense.org/issues/3484,
ddb30ebfc686165e00f0155e00df16edc17c31c5)

Mine is still set the old way but so long as I don't touch it, it works.
I haven't re-worked everything for the new method yet.

Jim

Re: [pfSense] installing vmtools

2014-05-21 Thread Jim Pingle
On 5/21/2014 2:31 PM, Florio, Christopher N wrote:
> Oh I feel dumb, the first thing is to install perl, which I can't do
> given my location on the network.
>
> Ok so nevermind, sorry.

You can fetch the .tbz file for perl and the compat package mentioned on
the page to another system and then copy it to the vm locally, and
pkg_add perl.tbz from the shell (or whatever its name may be...)

For pkg_add there isn't a remote requirement, it's easier, but it's not
necessary.

Jim


Re: [pfSense] Poweredge 2850

2014-05-20 Thread Jim Pingle
On 5/20/2014 1:45 PM, Brian Caouette wrote:
> For the price paid it can't be beat.

There is more than the sticker price to be considered.

Note that these are just vague numbers that would vary by the specific
equipment power usage and local power costs.

Atom, ~35W, 24h/day @ $0.05/kWh = About $15 per year.

PE2850, ~250W, 24h/day @ $0.05/kWh = About $110 per year.

Also have to factor in the extra cooling needed to handle the higher
heat output of the server, but that is more difficult to figure.

If you are in a place where power is included in your rent, it's no big
deal, but over time that adds up considerably for most people.

Jim


Re: [pfSense] Poweredge 2850

2014-05-20 Thread Jim Pingle
On 5/20/2014 4:37 PM, Harlan Stenn wrote:
> On 5/20/14 11:01 AM, Jim Pingle wrote:
>> On 5/20/2014 1:45 PM, Brian Caouette wrote:
>>> For the price paid it can't be beat.
>> There is more than the sticker price to be considered.
>>
>> Note that these are just vague numbers that would vary by the specific
>> equipment power usage and local power costs.
>>
>> Atom, ~35W, 24h/day @ $0.05/kWh = About $15 per year.
>>
>> PE2850, ~250W, 24h/day @ $0.05/kWh = About $110 per year.
>>
>> Also have to factor in the extra cooling needed to handle the higher
>> heat output of the server, but that is more difficult to figure.
>
> Where are you that you get electricity for .05/kWh?  Here in Oregon we
> have pretty great rates, and I think we're paying .10-.12/kWh.

It was just a random base figure for easy calculation that was in an
energy calculator site I used. Too much variance around the world to
pick any arbitrary accurate number since it wouldn't carry over.

Tiered pricing makes it even more difficult.

Either way, the power draw cost difference is substantial.


Re: [pfSense] Recommendations for Analyzing Firewall logs

2014-05-14 Thread Jim Pingle
On 5/14/2014 2:16 PM, Travis Hansen wrote:
> Do you have some good grok patterns for indexing pfsense data?
>
> I started some a while back for this exact setup but gave up.

Keep an eye on the logs for pfSense 2.2. We ditched the native pflog
tcpdump style output and changed to a single line comma-separated log
output that should be fairly simple to parse by external utilities.

The logs on 2.2 have some issues on amd64 yet, but work on i386 if
you're looking to tinker right now.

Jim

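For anyone who wants to start on the parsing side before grok patterns exist, here is an added Python parser for the single-line, comma-separated filterlog format described above, plus a small triage helper. This is my own example, not code from the pfSense project: the field order follows the filterlog CSV layout as I know it from the pfSense 2.2+ documentation (common fields, then IPv4/IPv6 fields, then protocol fields) and should be checked against a real log before being relied on, and the sample syslog lines are constructed, not captured from a firewall.

```python
"""Parser for pfSense 2.2-style single-line, comma-separated filterlog
entries, plus a small triage helper.

Added example, not code from the pfSense project. The field order is the
filterlog CSV layout as I know it from the pfSense 2.2+ documentation
(common fields, then IPv4/IPv6 fields, then protocol fields); treat that
layout as an assumption and check it against a real log before relying on
it. The log lines below are constructed, not captured from a firewall.
"""
import csv
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample syslog lines: a blocked inbound TCP SYN on WAN (em1),
# a passed outbound DNS query on LAN (em0), a blocked inbound ICMP echo
# request, and a malformed line to exercise the rejection path.
SAMPLE_LOG = """\
Jan 10 12:34:56 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,198.51.100.23,203.0.113.5,51234,22,0,S,1234567890,,65535,,mss;nop;wscale
Jan 10 12:34:57 fw filterlog: 12,,,1000000201,em0,match,pass,out,4,0x0,,128,54321,0,none,17,udp,76,192.0.2.10,192.0.2.1,51000,53,56
Jan 10 12:34:58 fw filterlog: 7,,,1000000102,em1,match,block,in,4,0x0,,57,1,0,none,1,icmp,84,198.51.100.99,203.0.113.5,request,9,1
Jan 10 12:34:59 fw filterlog: garbage,not,a,real,entry
"""

COMMON_FIELDS = 9   # rule, sub-rule, anchor, tracker, interface, reason, action, direction, ip-version
IPV4_FIELDS = 11    # tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
IPV6_FIELDS = 8     # class, flow-label, hop-limit, proto-text, proto-id, length, src, dst


@dataclass
class FilterLogEntry:
    rule: str
    tracker: str
    interface: str
    reason: str
    action: str
    direction: str
    ip_version: int
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: str = ""
    extra: List[str] = field(default_factory=list)  # unparsed trailing fields


def parse_filterlog_line(line: str) -> Optional[FilterLogEntry]:
    """Return a FilterLogEntry for one syslog line, or None if it is not a
    well-formed filterlog record (no marker, too few fields, bad values)."""
    marker = "filterlog: "
    idx = line.find(marker)
    if idx < 0:
        return None
    # csv copes with the empty fields (",,") filterlog emits for unset values
    fields = next(csv.reader([line[idx + len(marker):].strip()]))
    if len(fields) < COMMON_FIELDS:
        return None
    rule, _sub, _anchor, tracker, iface, reason, action, direction, ipver = fields[:COMMON_FIELDS]
    rest = fields[COMMON_FIELDS:]
    if ipver == "4" and len(rest) >= IPV4_FIELDS:
        proto, src, dst = rest[7].lower(), rest[9], rest[10]
        rest = rest[IPV4_FIELDS:]
    elif ipver == "6" and len(rest) >= IPV6_FIELDS:
        proto, src, dst = rest[3].lower(), rest[6], rest[7]
        rest = rest[IPV6_FIELDS:]
    else:
        return None
    entry = FilterLogEntry(rule, tracker, iface, reason, action, direction,
                           int(ipver), proto, src, dst)
    try:
        if proto in ("tcp", "udp") and len(rest) >= 2:
            entry.src_port, entry.dst_port = int(rest[0]), int(rest[1])
            if proto == "tcp" and len(rest) >= 4:
                entry.tcp_flags = rest[3]   # e.g. "S" for a bare SYN
                entry.extra = rest[4:]
            else:
                entry.extra = rest[2:]
        else:
            entry.extra = rest              # ICMP type and its fields, untouched
    except ValueError:
        return None
    return entry


def parse_filterlog(text: str) -> List[FilterLogEntry]:
    """Parse a multi-line log, dropping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        entry = parse_filterlog_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def blocked_inbound_by_source(entries: List[FilterLogEntry]) -> Dict[str, int]:
    """Count blocked inbound packets per source address, the usual first
    question when looking for scanning or brute-force attempts in the log."""
    counts = Counter(e.src for e in entries
                     if e.action == "block" and e.direction == "in")
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_filterlog(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.interface} {e.action:5} {e.direction:3} {e.protocol:4} "
              f"{e.src}:{e.src_port} -> {e.dst}:{e.dst_port} {e.tcp_flags}")
    print(blocked_inbound_by_source(parsed))
```

The parser keeps the syslog prefix out of the way, treats the record as CSV so empty fields survive, and refuses anything that does not carry at least the common fields, so a truncated or foreign line is dropped rather than mis-indexed.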


Re: [pfSense] log grep inconsistency

2014-05-13 Thread Jim Pingle
On 5/13/2014 12:55 PM, David Burgess wrote:
> I have two firewalls running pfsense 2.1.3 amd64. One is nanobsd, the
> other is full install. Why is it that when I do 'grep band
> /var/log/ppp.log' on the embedded system I get the expected output of
> lines containing band, while on the full system I only get "Binary
> file /var/log/ppp.log matches" for output. I can cat the file and see
> its contents. Both systems have /var on ram disk.

Luck?

ppp.log is a binary circular log[1], you have to use:

clog /var/log/ppp.log | grep band

Jim
1: http://doc.pfsense.org/index.php/View_Log_Files_in_the_Shell


Re: [pfSense] High iostat

2014-05-12 Thread Jim Pingle
On 05/12/14 23:09, Wajih Ahmed wrote:
> BTW it would be very nice to have a tool like lsof to see what files a
> pid has open and writing to.  But pfsense does not have lsof package.

In addition to the other things mentioned, run:

top -aSH

press 'm' to switch to i/o view to see what process is hogging the disk.

Jim



Re: [pfSense] Port forwarding from multiple interfaces - reply packets are forwarded through the wrong interface.

2014-05-09 Thread Jim Pingle
On 5/9/2014 8:02 AM, Thierry De Leeuw wrote:
 I have some trouble to setup port forwarding with multiple interfaces.
 When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK
 is sent from the VPN IP but throught the pppoe interface (which is the
 default gw, but I would expect the NAT to take care of that - maybe I
 am wrong?).
 I would like that my server is accessible from both pppoe and VPN tunnel.

The multiple interfaces bit works fine when they're both actually
WANs, but when one is a VPN it doesn't work that way by default.

To get the behavior you want with OpenVPN, where reply-to sends the
packets back the way they came in, you'll need to do the following:

1. Assign/enable the OpenVPN interface from Interfaces > (assign). Set
it to an IP type of 'none'
2. Restart the VPN (edit/save)
3. Move firewall rules from the OpenVPN tab to the new interface tab. No
rules on the OpenVPN tab can match the traffic.

Jim


Re: [pfSense] ICMPv6 filtering recommendations with pfSense?

2014-05-08 Thread Jim Pingle
On 5/8/2014 1:16 PM, Adam Thompson wrote:
> Sorry for the late addition... Perhaps this was already covered, but if not:
>
> Please don't filter ICMPv6. This is one of the key points every
> intro-to-v6 class teaches: IPv6 actually *needs* ICMPv6 to function in
> pretty much every situation.
>
> The official guidance on this subject is RFC 4890, "Recommendations for
> Filtering ICMPv6 Messages in Firewalls".
> The TL;DR version is "just don't".
> If a firewall operator can't read the RFC, and accurately distinguish
> between transit and local traffic, then they shouldn't filter any of it.
>
> (Yes, I'm being a hard-ass here, because I already see people breaking
> IPv6 because they think it's OK to filter ICMP.)
>
> It is probably possible to extrapolate a base set of recommendations
> that pfSense might be able to build in, similar to how there's a lot of
> automatic IPv4 filtering under the hood, but I don't believe this has
> been done yet.

Code of interest here:
https://github.com/pfsense/pfsense/blob/master/etc/inc/filter.inc#L2644

IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP has had
a bad reputation for a long time, and it's mostly undeserved in recent
times.

Jim


Re: [pfSense] upgrade dual ALIX netgate box?

2014-05-07 Thread Jim Pingle
On 5/7/2014 9:03 AM, Vick Khera wrote:
> I wonder then why pcengines points to the ALIX case from the APU board
> page as a recommended case.

They refreshed their cases about 6 months ago so they would be compatible.
The newer ALIX+APU style cases fit the ALIX and the APU both, but the
older ALIX cases are the ones that don't fit properly. I haven't tried
it myself, but someone might try to use ~1mm thick washers to gain a
little height on the stand-offs, but I wouldn't trust it to put adequate
pressure on the heat spreader to ensure proper cooling.

> Thanks for the info. Seems like it almost fits, but not quite... this 1U
> dual board form factor is very convenient for me, and having a more
> powerful system in it is attractive to me. Maybe I'll try to see if I
> can fit it using some additional mounting hardware.

Even if it did fit as expected, you may not get adequate cooling with
both units' heat spreaders pumping heat into the same single, large
metal case. Netgate is working on something to accommodate two APUs
comfortably.

Jim


Re: [pfSense] Manual Outbound NAT Creates Multiple Local Host Entries

2014-04-28 Thread Jim Pingle
On 4/28/2014 11:16 AM, Adam Piasecki wrote:
> I am currently running 2.1.2, I386. It’s possible that the config was
> originally from 1.2.3 as it has been upgraded multiple times to 2.1.2.
>
> When enabling manual outbound NAT, it appears 3 entries are exactly the
> same 127.0.0.0/8 with NAT ports 1024:65535.
>
> Just wondering what the reason for this is, or if it was a bug left in
> the config from 1.2.3. It’s not causing any problems just seemed strange.
>
It depends on when you changed from Automatic to Manual. The rules would
have been made then. I thought we had fixed that before 2.1 went out but
it's possible it was still an issue there. There would be at least one
such rule per WAN you have, normally.

On 2.2 all of that was completely rewritten and it's definitely not an
issue there.

Jim

Re: [pfSense] export/import ipsec xml from pf 1.2.3 to 2.1.1

2014-04-22 Thread Jim Pingle
On 4/22/2014 2:15 PM, Alexsander Rodrigues wrote:
> I see. By upgrading the configuration file you mean to upgrade the
> pfsense 1.2.3 to 2.1.1 and then to export the configuration file?

That, or you can take the whole 1.2.3 config.xml and restore that to a
firewall already running 2.1.2, and then from there export the ipsec
section and import into another 2.1.2 system.

Jim



Re: [pfSense] Interface yoyo

2014-04-21 Thread Jim Pingle
On 4/20/2014 7:02 PM, Volker Kuhlmann wrote:
> On Mon 21 Apr 2014 09:54:49 NZST +1200, Jim Pingle wrote:
>
>> http://files.pfsense.org/jimp/patches/openvpn-tapbridgefix-2.1.x.diff
>
> This has no effect on the hme problem unfortunately.
>
> I rebooted and re-tested, but unplugging the cable to the wifi AP from
> the pfsense box and re-plugging it still gives a run-away system. Some
> logs below.

Some other setting appears to be causing the link on the NIC to bounce
up and down when configured. In the past we have seen that happen
because of a few things, such as spoofing a MAC address resetting the
NIC or bugs in the code causing the interface to be reset due to an
error. Those should have all been fixed/worked around, especially with
that last patch applied.

The Spoofed MAC address issue was a problem in the past with certain
drivers that sounds very similar because it got into a chicken-and-egg
scenario that went a little something like this:

* pfSense sets the MAC address
* The NIC driver resets its own link on the MAC change
* The link down/up triggered pfSense to reconfigure the NIC
* pfSense sets the MAC address again while reconfiguring the NIC
* The NIC driver resets its own link on the MAC change
* The link down/up triggered pfSense to reconfigure the NIC
* [lather, rinse, repeat]

We added some extra checks before resetting the MAC to prevent that sort
of thing from being a problem though, but it's possible that the HME NIC
is resetting its link when some _other_ setting is being applied. If you
have any special configuration on the NIC (spoofed MAC, custom MTU,
specific link speed, etc) it would help to know.

Jim


Re: [pfSense] Heartbleed and OpenVPN

2014-04-11 Thread Jim Pingle
On 4/11/2014 9:57 AM, Tim Nelson wrote:
> Hot on the heels of the OpenSSL debacle, and a fresh new release of
> pfSense (THANK YOU), I'm curious about the Heartbleed vulnerability's
> actual surface attack area. All of the relevant information, reports,
> and PoC's are pointing at exploit only via an affected HTTPS webserver.
> However, I have not yet seen any PoC for exploiting other SSL based
> services, specifically OpenVPN.
>
> At this time, are there PoC's for Heartbleed and OpenVPN? I understand
> regardless the upgrade/patch is needed, but curious to know if an
> exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even
> static keys).

Static keys were never vulnerable, nor is SSL/TLS when using a TLS
Authentication Key unless the attacker has the key, in which case you
probably have larger problems... or you're on a public VPN service that
is running lots of people through common instances.

https://community.openvpn.net/openvpn/wiki/heartbleed has more info.

I also have yet to see a testing program/script/PoC that would get
anything from OpenVPN. If anyone does know of one, we'd love to see it.

Jim


Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Jim Pingle
On 4/8/2014 8:20 AM, b...@todoo.biz wrote:
> Mmmh, this is true : on 2.1.1 in — /usr/local/bin/openssl :
>
> # OpenSSL 1.0.1f 6 Jan 2014
>
> I don’t know exactly how this is used… we would need to wait for Chris
> confirmation on this.

Many of the ports and packages (e.g. OpenVPN) link against the newer
version, and are impacted by this bug.

If only they'd announced this a week ago... :P

Not sure what the ETA is, but it shouldn't take much on our side to get
things bumped, but we'll need to do more testing and such.

Jim

Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Jim Pingle
On 4/8/2014 8:48 AM, Pete Boyd wrote:
> Thanks for the update Jim and for your and others' efforts in bringing
> us updated software.
> These things keep many of us in employment, but I expect you guys would
> have appreciated a little breather after releasing 2.1.1.

Actually with the release engineering process fresh in our heads/muscle
memory and everything practically set to go, it's not exactly a horrible
time for it to have happened, but not ideal.

It would have been better before the release, surely, but it could be
much worse. If our hand was forced later in the development cycle before
other parts were ready, that would have been a much larger problem.

Jim


Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Jim Pingle
On 4/8/2014 9:15 AM, Vick Khera wrote:
> On Tue, Apr 8, 2014 at 9:11 AM, Jim Pingle li...@pingle.org wrote:
>> Actually with the release engineering process fresh in our heads/muscle
>> memory and everything practically set to go, it's not exactly a horrible
>> time for it to have happened, but not ideal.
>
> Would testing be faster/easier if you just disabled the heartbeat
> feature on the current open SSL version and recompiled? That
> effectively removes the vulnerability too.

IMO, If we're recompiling anything at all we may as well update to a
non-vulnerable version. No need for shortcuts.

Jim


Re: [pfSense] pfSense version 2.1.1 has been released

2014-04-07 Thread Jim Pingle
On 4/7/2014 8:38 AM, Pete Boyd wrote:
> The 2.1.0 to 2.1.1 upgrade on nanobsd (4g) on ALIX failed for me with
> "Something went wrong when trying to update the fstab entry. Aborting
> upgrade."
>
> I got the same issue when using auto update, and when using local upload
> of pfSense-2.1.1-RELEASE-4g-i386-nanobsd-upgrade.img.gz.
>
> The log has 2 instances of this:
> php: /system_firmware.php: The command '/sbin/mount -u -w -o
> sync,noatime /cf' returned exit code '1', the output was 'mount: not
> currently mounted /cf'
>
> On bootup it already has this issue in the log:
> php: rc.bootup: The command '/sbin/mount -u -r -f -o sync,noatime /cf'
> returned exit code '1', the output was 'mount: not currently mounted /cf'
>
> Does anyone have any thoughts on how to remedy this please?

What does the output of mount show while booted and running?

If your /cf slice is missing/corrupt/not there, that would explain the
symptoms. No easy fix for that short of a reimage or using a new card.

Perhaps you used an image that was slightly too large for the card and
didn't see the error when imaging, or never noticed that you didn't
actually have a /cf partition.

Jim


Re: [pfSense] Yealink OpenVPN to asterisk

2014-03-11 Thread Jim Pingle
On 3/11/2014 12:09 AM, Chuck Mariotti wrote:
> The data center has a single Internet connection but with two separate
> subnets (ran out of Ip addresses). This has been setup as WAN and WAN2.
> I set up qos on pfsense but not sure if right. The single connection is
> 10Mbit... but I set up WAN1 AND WAN2 as 10Mbit... which I assume is wrong.
> How do I set that correctly?

Don't use two interfaces for that. Add the second subnet to WAN using an
IP Alias VIP if you need to use it that way. In addition to being a
simpler config for the same result, it also eliminates any guessing
about the QoS config.

> I am also a little lost... since the voice traffic is OpenVPN, how do I make
> certain that it is the highest priority across the board?

You need to shape both things: SIP to your upstream trunk and OpenVPN.

1. Use PRIQ for the shaper type on WAN/LAN when using the wizard.
2. Activate the VoIP screen, use your upstream SIP trunk for
prioritization, or maybe even an alias containing the SIP trunk and your
PBX.
3. Raise the priority of OpenVPN on the wizard screen to Raise/Lower
Other Protocols.
4. Adjust the resulting floating rules for OpenVPN to match all of your
OpenVPN server port(s)

Jim


Re: [pfSense] captive portal lost name in upgrade SOLVED

2014-02-21 Thread Jim Pingle
On 2/21/2014 7:10 AM, Urs Rau wrote:
> In Dec 2013 I upgraded to the latest release of pfsense 2.1 from the
> previously running release. It all seemed to have gone well, but when I
> tried accessing the captive portal page it seemed to be non existent. All I
> got was an empty looking page with a drop down box to choose my portal zone.
> If I clicked on the drop down I got a top entry literally called "empty", which
> was also the default. And on close inspection I found that there was actually
> a second entry below it that did not have a description. When I chose that
> empty looking white space it refreshed and my old captive portal was back. ;-)

That was a known issue on 2.1; it was fixed on RELENG_2_1 (what will
be 2.1.1 shortly) about two months ago.

> I am left with one question: is there a way to have my old portal be the
> default that gets displayed right away without me first having to use the
> drop down and choose it from the cp zone list?

On which page? Status? There isn't a way to have it auto-select the zone
on those pages, but it isn't a bad idea to do that if there is only one
in the list.

Jim


Re: [pfSense] issue in operating openvpn on non standard port.

2014-02-21 Thread Jim Pingle
On 2/21/2014 2:24 AM, Muhammad Yousuf Khan wrote:
> however the problem is when i create a VPN server other than 1194 my VPN
> server does not work.

It's not a general issue, that's used all day every day by many without
problems.

> must current VPN server is listening on port 1199 on tcp port i tried
> changing it to udp but nothing helps.
>
> here is my netstat output
>
> tcp4   0  0 1x-x-12x-82.m.1199  *.*

So the daemon is listening to the right port. FYI- sockstat is better
for checking that, and is also available in the GUI from Diagnostics >
Sockets

> Here is the firewall rule:
>   IPv4 TCP/UDP*   *   WAN address 1199*   none

And that is on the WAN tab?

> i also see deny log in Firewall log.
>   Feb 21 12:21:29 WAN 1x.x.xx.20x:65113
> 12x.2x.1x.8x:1199   TCP:S

If you see the deny, then either that rule somehow does not match the
traffic (maybe that rule is on the wrong tab, should be the WAN tab) or
maybe something is preventing the ruleset from reloading.

Check Status > Filter Reload, press the reload button, see if it gets
all the way to the end and shows Done, and try to connect afterward.

Jim


Re: [pfSense] Run-Away Processing Issue

2014-02-19 Thread Jim Pingle
On 2/19/2014 2:07 AM, Bryan D. wrote:
> I have a problem that I've been unable to make much progress with and could
> use some suggestions on how to proceed.
>
> The problem is that whenever the WAN interface link on the pfSense box goes
> down, pfSense goes into some sort of loop/run-away condition and requires a
> reboot.  This problem is 100% reproducible (and turns a short loss of service
> into an on-going failure).
>
> The issue is detailed at:
> http://www.derman.com/pfSense-Run-Away-Issue
>
> Any help would be appreciated.  I've set up a duplicate test system so I
> can examine any ideas and troubleshoot without bringing down our network.

Try pfSense 2.1.1. There were some issues with link cycling in certain
cases that you might be hitting which were fixed on 2.1.1.

https://forum.pfsense.org/index.php/topic,71546.0.html

Jim


Re: [pfSense] pfsync state full resync

2014-02-17 Thread Jim Pingle
On 2/17/2014 12:17 PM, Brian Candler wrote:
> I don't know whether the version of pf in pfsense/FreeBSD 8.3 implements
> this. If this functionality has been in there since the introduction of
> pfsync then presumably it does.
>
> Also: pfsense optionally lets you configure an IP to unicast state table
> updates to. If you do this, how does the second box send updates back to
> the first box when it's master? You'd put different unicast destination
> addresses on the two boxes?

The source, as usual, is the best way to see this:

https://github.com/pfsense/pfsense/blob/RELENG_2_1/etc/inc/interfaces.inc#L1921

Jim



Re: [pfSense] package download stuck

2014-01-22 Thread Jim Pingle
Try again now -- there was an issue with that particular server but it
should be back to normal at the moment.

Jim


Re: [pfSense] is it possible to rename gateways in 2.1 release AMD64?

2014-01-09 Thread Jim Pingle
On 1/7/2014 3:11 PM, Joe Landman wrote:
> It doesn't allow you to change names of gateways once they are set. I am
> not sure precisely why, but it simply does not work.

To do that requires some extra code to search through all other places
where the gateway could be used (firewall rules, routes, gateway groups,
DNS, WAN settings, gateway monitoring, and so on) and update the name in
each place when it needs changed.

The odds of missing something and causing a problem after the change are
nontrivial so we've been cautious about trying to allow that to happen.

If someone wants to submit a patch to add the feature that properly
accounts for updating the gateway name everywhere in a safe manner and
restarting services as needed, feel free to submit the code.

Jim



Re: [pfSense] IPSec problem with mobile IOS and Android

2014-01-06 Thread Jim Pingle
On 1/4/2014 6:03 PM, Carlos Vicente wrote:
> My PfSense version is 2.0.3 upgraded from 1.2.3. I have tried all kind
> of configs from the doc “Mobile IPsec on 2.0
> https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0”, but, as I
> said, can establish the connection but can't access any device on LAN
> subnet.

In addition to the other points made in this thread you should also
upgrade to pfSense 2.1-RELEASE. Mobile IPsec did have some known issues
with 2.0.3 that were fixed after 2.0.3.

Jim



Re: [pfSense] Labeling OpenVPN interfaces

2014-01-06 Thread Jim Pingle
On 1/4/2014 8:49 PM, Ugo Bellavance wrote:
> On our setup, we have at least 2 openVPN interfaces (one site-to-site,
> one for roaming users).  I haven't labeled these interfaces so all my
> rules are using the global OpenVPN interface, but I think it would be
> better if I had one interface per OpenVPN instance.  What are the
> problems I may get into?  I know that once I create the interfaces, the
> rules will be to deny all, but is there anything else?

Group rules are considered before per-interface rules, so your OpenVPN
tab rules will match before the per-interface versions.

You can assign the OpenVPN interfaces, then enable them, set the IP type
to NONE, and then after that you'll need to edit/save each VPN you
assign to make sure the VPN reattaches to the interface.

There aren't really any negative side effects to assigning them this
way, it's just a bit more to manage that most people don't need.

Once they are assigned you can give the interface a name, you can have
per-interface rules, and so on. If you do put rules on each VPN
interface be sure to remove or deactivate the rules on the OpenVPN tab.

Jim



Re: [pfSense] Lan Card Support

2014-01-06 Thread Jim Pingle
On 1/6/2014 12:42 PM, rajan agarwal wrote:
> I am about to put pfSense in a production box. I will be using IBM Quad
> Port Gigabit PCIe Ethernet Card P/N.: 39Y6136. Will pfSense version
> 2.0.1 support this particular LAN card? I can't find the name of this
> LAN card on the freeBSD 8.1 hardware support page.

The 39Y6136 card appears to be an Intel Pro/1000 PT adapter using the
82571GB chip which should be supported by em(4) as far as I can see.

Jim


Re: [pfSense] OpenVPN client bug? An IPv4 protocol was selected, but the selected interface has no IPv4 address error

2013-12-22 Thread Jim Pingle
On 12/21/2013 10:11 PM, Chris Buechler wrote:
> On Thu, Nov 28, 2013 at 4:25 PM, Dave Warren da...@hireahit.com wrote:
>> I have a number of OpenVPN client sessions set up (where my pfSense connects
>> to a remote OpenVPN server as a client)
>>
>> Today I needed to switch one from TCP to UDP and received "An IPv4 protocol
>> was selected, but the selected interface has no IPv4 address". The interface
>> was properly configured using DHCPv4, and therefore has no IP address.
>>
>
> DHCP interfaces have an IP, and would not fail that check. I just
> configured an OpenVPN client instance on a DHCP interface and it works
> fine, and have done it on production 2.1 systems more times than I can
> count. What interface are you trying to bind it to? It actually does
> have v4 connectivity?

I have hit that error when the DHCP interface was unplugged or had not
yet obtained an IP. At those points it would fail that check.

Jim


Re: [pfSense] MultiWAN with SSH

2013-12-13 Thread Jim Pingle
On 12/13/2013 5:10 AM, Chris Bagnall wrote:
> On 13/12/13 5:48 am, Walter Parker wrote:
>> What do I need to do to get the firewall to use the COMCASTGW for
>> responses
>> to packets sent to the COMCAST interface?
>
> Unless you're using advanced outbound NAT, this should happen
> automatically.

Actually that won't have anything to do with outbound NAT, but it will
have to do with gateways and other rules.

Make sure that your Interfaces > [WAN Name] pages have a gateway
set/selected if they are a static IP. If they are DHCP this should
happen automatically.

> You said:
>> I have a rule on the Comcast interface that allows all traffic, with the
>> destination of Comcast net and the Gateway set to COMCASTGW.

Never set a gateway on WAN rules, it does not do what you're expecting
it to do.

> As an aside, if you want to easily create incoming rules in a multi-WAN
> scenario, it's often worth creating an interface group called 'WANs' or
> similar, then creating your incoming rules in there - saves duplicating
> them across multiple interfaces, especially if you have 3 or more
> interfaces.

Actually using an Interface Group or Floating rules will break it worse.

The reasoning behind all of this is the logic in how the firewall
formulates the rules for WANs in this scenario. If an interface has a
gateway selected, its rules will automatically gain a reply-to keyword
which tells the traffic to exit back the interface from which it entered
the firewall.

Using floating rules for multiple interfaces or an interface group will
cause reply-to not to be set because it can't be set for rules affecting
multiple interfaces.

So, in summary:
* WANs need to have gateways set
* Don't put gateways on WAN rules
* Don't use interface groups or multi-interface floating rules for WAN rules
* Make sure the global reply-to disable option is not set on System >
Advanced, Firewall tab
* Make sure the WAN rule passing the traffic does not have the advanced
option checkbox set to disable reply-to

Jim
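Both this reply and the earlier one about port forwards answered from an OpenVPN interface come down to the same pf keyword, so here is an added pf.conf fragment (my own illustration, not the ruleset pfSense generates) showing a per-interface WAN rule with reply-to beside a multi-interface rule that cannot carry one. The interface names em1/em2 and the gateway addresses are assumed, documentation-range values.

```pf
# Added example, not a ruleset pfSense generates: how reply-to decides
# where replies leave a multi-WAN firewall. Interface names and addresses
# are assumed (documentation ranges), stand-ins for real WANs.
wan1 = "em1"
wan2 = "em2"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"

# Per-interface WAN rules, the way pfSense builds them when the interface
# has a gateway selected: reply-to records the interface and gateway the
# packet arrived through, so the reply leaves that way even though the
# routing table would send it out the default WAN.
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) proto tcp \
    from any to ($wan1) port 22 keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp \
    from any to ($wan2) port 22 keep state

# A single rule covering both WANs (what an interface group or a
# multi-interface floating rule produces) has no single interface/gateway
# pair to attach a reply-to to, so pfSense builds it without one; replies
# to connections arriving on $wan2 then follow the routing table out $wan1.
pass in quick on { $wan1 $wan2 } proto tcp \
    from any to { ($wan1) ($wan2) } port 22 keep state
```

The same mechanism is why the OpenVPN port-forward case above needs the VPN assigned as its own interface with the rules moved to that interface's tab: only a rule bound to one interface can carry the reply-to that sends the SYN/ACK back through the tunnel instead of the default gateway.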

