Re: [pfSense] openvpn per user/cert client package creation

2017-09-14 Thread Kevin Tollison
Be sure you are creating a cert with each user account or assigning one to
them.



-- 
Kevin Tollison

On September 14, 2017 at 10:47:08 PM, Randy Bush (ra...@psg.com) wrote:

> as far as i can determine, the openvpn-client-export package only
> exports the admin account (or is it the logged in account?) and
> packages the corresponding cert.
>
> i want to generate (mostly viscosity) openvpn per-user cert packages.
> clue bat, please.
>
> randy
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Site to Site VPN behind nat

2016-05-01 Thread Kevin Tollison
Buy the Gold membership. The pfSense book has a ton of VPN setup docs.

Kevin

On Sun, May 1, 2016 at 8:18 PM Dane Reugger  wrote:

> I'm looking for some docs or a walk through on creating a site to site VPN
> that will work with the client behind NAT. Ideally we could plug
> in behind another router and have it dial in and create the tunnel?
>
> I've seen this done with Aruba but not sure it's possible with PfSense but
> if it is I would love a guide to get it going.
>
> Thanks,
> -Dane


Re: [pfSense] FTP trouble.

2016-02-11 Thread Kevin Tollison
I ran into this issue with a couple of sites using ftp on an as400. Even
opened a ticket with pfSense support. Was never able to resolve it. Sites
are unfortunately still running 2.1.5. Anything in the 2.2 series and ftp
fails immediately.

as400 vendor is working on a sftp or ftps update and has been for 9 months.
I gave up on trying to pass that traffic on pfSense 2.2

Support kept sending me back to this document.
https://doc.pfsense.org/index.php/FTP_without_a_Proxy

On Thu, Feb 11, 2016, 2:25 PM J. Echter 
wrote:

> Hi,
>
> I have a tool which updates its data by ftp. Nothing special...
>
> But, I can't use it as I get errors like 'no data', error 227 'entering
> passive mode' and so on.
>
> As far as I know, passive mode should be working without any effort.
>
> Where can I have a look at what is going wrong?
>
> I read about FTP helper and FTP Client Proxy, but imho FTP Helper isn't
> in 2.2 anymore and was more for ftp servers behind pfsense.
>
>
> Please, any hints are welcome :)
>
> Thanks.
>
> Juergen


[pfSense] OpenVPN Support Forum • Critical denial of service vulnerability in OpenVPN servers : Announcements

2014-12-01 Thread Kevin Tollison
https://forums.openvpn.net/topic17625.html
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Making an install CD

2014-10-29 Thread Kevin Tollison
Or cdburnerXP. That is my favorite free one for Windows.
On Oct 29, 2014 12:58 AM, Ryan Coleman ryan.cole...@cwis.biz wrote:

 Does windows 7 actually burn disc images? Have you tried active ISO
 instead to burn the image? I believe it's free.

 --
 Ryan Coleman
 Publisher, d3photography.com
 ryan.cole...@cwis.biz
 m. 651.373.5015
 o. 612.568.2749

 On Oct 28, 2014, at 20:07, Mark Hisel mark_hi...@yahoo.com wrote:

 I can't seem to make an install CD.  I downloaded the ISO, unzipped it
 from the gz file using 7-ZIP, and burnt the disk image using win7.  The CD
 has a bunch of directories but only one file; the copyright.  What did I do
 wrong? I'm trying to install onto an HP DL380 but the CD is a non-system
 disk.


Re: [pfSense] 802.11ac Mini PCI Express adapter for pfSense

2014-07-21 Thread Kevin Tollison
On Jul 20, 2014 5:53 PM, Nickolai Leschov nlesc...@gmail.com wrote:

 I would like to use a PC Engines APU series board with pfSense as a
wireless router.

 In their store, I can see 802.11n cards, at most, but can I use 802.11ac
already? Does anyone have positive experience with a 802.11ac and can
recommend a particular model?

 Best regards,
 Nickolai



I have used internal cards in the past and they typically work well. We have
found that an external AP gives a lot more flexibility to an install. For
AC support the Engenius ECB1750 is a good choice when it becomes available.

I have used the ESR1750 AC router and get some pretty amazing throughput.

Re: [pfSense] Pix Replacement?

2014-05-24 Thread Kevin Tollison
On May 24, 2014 6:41 PM, David Hicks dhi...@509j.net wrote:

 Group...

 I realize that I'm posting to a pfSense list, but figure it is still
worth posing the question.  We are a school district with approximately
2000 internal devices.  We are looking at replacing our aging Cisco pix
firewalls and are trying to decide between going with a Juniper SRX240 or
moving to pfSense.  Our expectation is to use for simple firewall and NAT
with an openVPN setup for a small number of remote connections.  We've been
using pfSense in a very simple configuration at one of our smaller school
districts for a year with no issues whatsoever. I'm wondering if it is time
to make the leap to pfSense for our larger operation and if there are any
major cautions people might have that would suggest it is a safer bet to go
with a standard name like Juniper.

 I apologize if this is too broad a question, but figured I'd see if
anyone has any feedback to provide.

 Thank you very much,
 David


I'd recommend talking to Chris directly. I'm sure he can generate a support
plan that is much more cost effective than anything Juniper has to offer.

We have had a support contact for about a year now. Only used it twice.
Both issues ended up not being pfSense, but the support team was on the
issue almost immediately.

Not a direct answer, but a direction I would investigate first for a
site(s) of that size.

Kevin

Re: [pfSense] pfSense Book (Buechler / Pingle)

2014-04-13 Thread Kevin Tollison
Even easier. I have a support subscription. I just uploaded the epub to my
Google Drive.
On Apr 13, 2014 12:22 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

 On 13/4/14 4:25 pm, Adam Thompson wrote:

 As to the liberated comment, let us know when you've figured out how
 to make a completely open eReader that doesn't sell for $1000.


 Nexus 7 + fbreader (freely available)?
 Opens all the usual suspects (pub, mobi, pdf, etc.)

 If you don't mind one of the 1st gen Nexus 7s, you can probably pick one
 up for sub-£100.

 Kind regards,

 Chris
 --
 This email is made from 100% recycled electrons

Re: [pfSense] Strange Block on LAN interface

2013-09-14 Thread Kevin Tollison
Somewhat, but the issue turned out to be a little deeper.

I ended up going the Commercial support route for this one. Those guys are
excellent and very responsive.


On Fri, Sep 13, 2013 at 8:22 AM, Matthias May matth...@may.nu wrote:

  On 12/09/13 01:23, Kevin Tollison wrote:

 I am getting an odd behavior on 2.1RC2 . Hopefully I have just missed
 something.

  My site is setup as follows

  PfSense -  Site 1 192.168.1.0/24  -  Adtran router 192.168.1.3
 - PPPT1 ---Site2 Adtran Router 192.168.3.3

  I have added a static route in for the Adtran and everything works great
 with one exception.

  We have some intermec scanners at site2 connecting to a Win2008 server
 at site 1


  When I initiate a connection from the handheld to the server I get a
 failed connection with this in the firewall logs

 block Sep 11 19:15:56 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
 block Sep 11 19:15:59 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
 block Sep 11 19:16:05 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
 block Sep 11 19:16:17 LAN 192.168.1.98 192.168.3.77:1139 TCP:R


  I can connect fine to the server RDP from a PC.  I have internet
 connectivity as well from a PC

  The default in rule is triggering it.  I have added regular rules to
 allow and floating rules. I have also checked the box to bypass firewall
 rules on the same interface.


  As a side note. We have another site using a pfsense over a VPN tunnel
 that works great.  Unfortunately I'm stuck with this private Point to point
 here.

  This was working through a DSL modem/router with static routes prior.

  Thanks

  Kevin












 Most probably this:

 https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F





-- 
--
Kevin Tollison


[pfSense] Strange Block on LAN interface

2013-09-11 Thread Kevin Tollison
I am getting an odd behavior on 2.1RC2 . Hopefully I have just missed
something.

My site is setup as follows

PfSense -  Site 1 192.168.1.0/24  -  Adtran router 192.168.1.3
- PPPT1 ---Site2 Adtran Router 192.168.3.3

I have added a static route in for the Adtran and everything works great
with one exception.

We have some intermec scanners at site2 connecting to a Win2008 server at
site 1


When I initiate a connection from the handheld to the server I get a failed
connection with this in the firewall logs

block Sep 11 19:15:56 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
block Sep 11 19:15:59 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
block Sep 11 19:16:05 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
block Sep 11 19:16:17 LAN 192.168.1.98 192.168.3.77:1139 TCP:R


I can connect fine to the server RDP from a PC.  I have internet
connectivity as well from a PC

The default in rule is triggering it.  I have added regular rules to allow
and floating rules. I have also checked the box to bypass firewall rules on
the same interface.


As a side note. We have another site using a pfsense over a VPN tunnel that
works great.  Unfortunately I'm stuck with this private Point to point here.

This was working through a DSL modem/router with static routes prior.

Thanks

Kevin
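
One way to triage firewall log entries like those quoted in the post above, added here as an example (not code from the thread or from pfSense): it groups blocked TCP packets per flow and flags blocked SYN-ACKs, which show that the firewall holds no state for the connection. The one-line log layout and the function names are assumptions; the addresses and the 192.168.1.0/24 LAN are those given in the post.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: the four entries quoted in the post, one per line, in an
# assumed "action date time interface source destination proto:flags" layout.
SAMPLE_LOG = """\
block Sep 11 19:15:56 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
block Sep 11 19:15:59 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
block Sep 11 19:16:05 LAN 192.168.1.98 192.168.3.77:1139 TCP:SA
block Sep 11 19:16:17 LAN 192.168.1.98 192.168.3.77:1139 TCP:R
"""

LINE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<proto>\w+)(?::(?P<flags>\w+))?$"
)


def parse_entries(text):
    """Return one dict per recognisable log line; other lines are skipped."""
    stripped = (line.strip() for line in text.splitlines())
    return [m.groupdict() for m in map(LINE_RE.match, stripped) if m]


def blocked_tcp_flows(entries, local_net):
    """Group blocked TCP packets per flow and say what the flags imply."""
    net = ipaddress.ip_network(local_net)
    flows = defaultdict(Counter)
    for e in entries:
        if e["action"] == "block" and e["proto"] == "TCP":
            key = (e["iface"], e["src"], e["dst"], e["dport"])
            flows[key][e["flags"] or ""] += 1
    findings = []
    for (iface, src, dst, dport), flags in flows.items():
        # pf creates state from the initial SYN only (default "flags S/SA"),
        # so a blocked SYN-ACK means no state exists for this connection:
        # the firewall never passed the SYN that this packet answers.
        if flags["SA"]:
            verdict = "SYN-ACK blocked: no state for this flow"
        else:
            verdict = "out-of-state packet blocked"
        findings.append({
            "iface": iface, "src": src, "dst": dst, "dport": dport,
            "flags": dict(flags), "syn_ack": flags["SA"],
            "src_local": ipaddress.ip_address(src) in net,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in blocked_tcp_flows(parse_entries(SAMPLE_LOG), "192.168.1.0/24"):
        print(f)
```

A flow whose source is on the local network and whose blocked packets are SYN-ACKs is a reply leaving through the firewall for a connection whose opening SYN the firewall did not track.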


[pfSense] 2.1 and Netflix

2013-08-28 Thread Kevin Tollison
Decided a few weeks ago to upgrade my 2.03 box to 2.1RC at home.  I have
updated to the latest snapshot at least once a week as well.

Strange issue came up with Netflix.  I could launch and play from any PC,
but not from my tablet, Chromecast, or Samsung DVD SmartHub.

Found this thread http://forum.pfsense.org/index.php?topic=65559.0

None of those worked.  My config is basically default.  Single Allow All
rule on LAN, tried with UPnP on and off, No luck.

Had pretty much convinced myself nothing in the router could cause it. I
remembered I had an old ASA5505 in the closet.  Did a quick config and
connected it up. Everything is working again.

What could have possibly changed in 2.1 to cause this?  2.03 worked
flawlessly

Let me know if you need any specific details.


Re: [pfSense] 2.1 and Netflix

2013-08-28 Thread Kevin Tollison
It is very strange. It only occurs with the Netflix App. The Android and
Windows 8 app have the same behavior. Error 13007. The chromecast and DVD
were error ui-108 or 109 iirc. The DVD is hardwired and the AP is external
(Engenius ENH200EXT)

One thing I failed to mention was that Netflix works fine on the XBox360.
Not sure how it connects, but it is tied to a Live account.

Now the chromecast works fine streaming YouTube or a Chrome tab. The tablet
works fine for everything else as well. If I start a movie on a pc then
cast it, I get the same error.
On Aug 28, 2013 10:14 PM, Jeremy Porter jpor...@electricsheepfencing.com
wrote:

  I can't see this is a netflix issue specifically.  Perhaps is some type
 of DNS or IPv6 difference?
 The forum post talks about an issue with chromecast setup. But it's hard to
 see how that would impact netflix streaming to other devices.
 I'm running 2.1 (and have been) with no problems with netflix to PCs,
 Tablets, or a Boxee box.

 Now there of course is the possibility of a problem with chromecast, but
 without more details it's hard to say.
 Upgrading to 2.1 doesn't seem like it could make a difference, unless the
 wireless AP is running in the pfSense box.



 On 8/28/2013 8:10 PM, Kevin Tollison wrote:

 Decided a few weeks ago to upgrade my 2.03 box to 2.1RC at home.  I have
 updated to the latest snapshot at least once a week as well.

  Strange issue came up with Netflix.  I could launch and play from any
 PC, but not from my tablet, Chromecast, or Samsung DVD SmartHub.

Found this thread http://forum.pfsense.org/index.php?topic=65559.0

  None of those worked.  My config is basically default.  Single Allow All
 rule on LAN, tried with UPnP on and off, No luck.

  Had pretty much convinced myself nothing in the router could cause it. I
 remembered I had an old ASA5505 in the closet.  Did a quick config and
 connected it up. Everything is working again.

  What could have possibly changed in 2.1 to cause this?  2.03 worked
 flawlessly

  Let me know if you need any specific details.




Re: [pfSense] 2.1 and Netflix

2013-08-28 Thread Kevin Tollison
On Aug 29, 2013 12:03 AM, Jim Pingle li...@pingle.org wrote:

 On 8/28/2013 10:23 PM, Kevin Tollison wrote:
  It is very strange. It only occurs with the Netflix App. The Android and
  Windows 8 app have the same behavior. Error 13007. The chromecast and
  DVD were error ui-108 or 109 iirc. The DVD is hardwired and the AP is
  external (Engenius ENH200EXT)
 
  One thing I failed to mention was that Netflix works fine on the
  XBox360. Not sure how it connects, but it is tied to a Live account.
 
  Now the chromecast works fine streaming YouTube or a Chrome tab. The
  tablet works fine for everything else as well. If I start a movie on a
  pc then cast it, I get the same error.

 It could be a broken IPv6 on your home network. If your tablet believes
 it has an IPv6 connection, Netflix may be trying to use that rather than
 IPv4. However, if you don't _actually_ have IPv6 connectivity, it
 wouldn't work.

 I'm on 2.1 at home and Netflix works for me on the PC (Windows 7 and
 Windows 8), Android tablet and phones, TiVo, two Blu-Ray players, Wii U,
 and 3DS. I don't have a Chromecast on hand (yet) or I'd try it out there.

 Check your firewall's LAN config and make sure IPv6 is disabled there
 and on WAN, too, if you aren't using it.

 Also if you have any packages loaded such as squid or snort, they could
 be interfering.

 Jim

IPv6 is disabled on all interfaces. I did do an upgrade from 2.03. Maybe
something didn't upgrade cleanly.

May try to write a clean card and see what that does.


Re: [pfSense] Site to Site VPN issue in PFsense

2013-08-19 Thread Kevin Tollison
I recall a bug being fixed in 2.02 that had to do with openVPN
authentication. Is it possible to upgrade all the boxes to 2.03?
On Aug 19, 2013 11:38 AM, Vick Khera vi...@khera.org wrote:


 On Wed, Aug 14, 2013 at 7:07 AM, pratap koppal pratap.kop...@gmail.com wrote:

 My head office and along with two branch office deployed with pfsense.
 Head Office and one of Branch office deployed with PFsense 2.0.1, and other
 branch office PFsense 2.0.3. My branch offices are linked with HO through
 site-to-site open vpn. HO has two Internet lines for failover, when one wan
 fails, i have to shift my site-to-site vpn to another wan gateway. In this
 process branch with version 2.0.1 works perfectly, but one with 2.0.3
 site-to-site tunnel damages. I have to recreate the tunnel, then it works.
 Please help.


 What VPN are you using? IPSec or OpenVPN?




Re: [pfSense] OpenVPN over satellite broadband

2013-05-15 Thread Kevin Tollison
We are working with a vendor using TVWS. Could be a solution for you.
Speeds top out at about 16/8 Mbps.


Re: [pfSense] Vlan Trunk

2012-05-03 Thread Kevin Tollison
On May 3, 2012 1:34 PM, Abdullah Nihan abd@gmail.com wrote:

 Guys Please help me on this!
 I have posted my issue on Forum can you please take look and comment.

 I really thank you for your valuable time spent on helping. Thank you! :)

 FORUM POST LINK:
http://forum.pfsense.org/index.php/topic,49043.msg259653.html#msg259653


Dude,

 Begging will not get you far.  People only respond for free when they have
time.  If the issue is this serious, throw Chris and Scott a bone; they will
have you going in no time
https://portal.pfsense.org/index.php/subscribe-for-access

Or buy the book.  It has helped me out of a few jams.

http://www.amazon.com/gp/product/0979034280?ie=UTF8&tag=pfsense-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=0979034280


Re: [pfSense] Snapshots are back

2012-03-23 Thread Kevin Tollison
On Fri, Mar 23, 2012 at 6:47 AM, Eugen Leitl eu...@leitl.org wrote:

 On Thu, Mar 22, 2012 at 09:48:54PM -0400, Jim Pingle wrote:
  FYI-
 
  2.1 snapshots are going again.
 
  http://snapshots.pfsense.org/

 Great. How stable are they? Useful for limited production?

  If you want to track via auto update...
 
  pfSense i386 2.1 DEVELOPMENT snapshots
 
 http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/i386/pfSense_HEAD/.updaters
 
  pfSense amd64 2.1 DEVELOPMENT snapshots
 
 http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/amd64/pfSense_HEAD/.updaters




Awesome. I think I will start testing, at least at my home lab.  Will
provide some feedback as I find things.
--
Kevin


Re: [pfSense] NAT reflection and SIP registration

2011-12-06 Thread Kevin Tollison
On Dec 6, 2011 6:52 PM, Kelly Hays kelly.h...@jkhfamily.org wrote:

 On Wed, Nov 23, 2011 at 8:16 PM, David Burgess apt@gmail.com wrote:
  I have the SIP client in my Android 2.3 phone set up to register to my
  local Askozia (Asterisk) PBX. The problem I'm having is that if I use
  the FQDN of the PBX server, the SIP client only registers when I'm off
  the network. In order to have the SIP client register successfully
  when on the local network, I have to drop the domain part and just use
  the hostname. Obviously this creates problems when I'm not on the
  local network.
 
  It used to work to just use the FQDN and the SIP client would register
  whether I was local or not. I'm not sure why it quit working, whether
  it was the upgrade from pfsense 2.0-RC to 2.0-RELEASE, or if it was
  the upgrade of the phone from Cyanogenmod 7.0 to 7.1.
 
  The PBX server has a RFC1918 address and pfsense is doing NAT for it
  to the internet. I'm using pfsense's DNS Forwarder on the internal
  network along with the first two DHCP options. If I ping the PBX
  server's hostname from the Android terminal I get a response from the
  internal address. Likewise, if I ping the PBX's FQDN I get a response,
  again from the internal address. If I do an nslookup on the FQDN from
  Android, I get the WAN address as a response, even if I create a host
  override entry in pfsense's DNS Forwarder.
 

 I wonder if the phone is doing the FQDN DNS lookup via the cell
 network even when connected to wifi?


  Any ideas on the problem or a workaround?
 

I am using the Media5 softphone (free) on my Android 2.3 phone. It has a
nice SIP Trace log function built in and the logs can be exported.  This
may give you some insight.