Re: [pfSense] USB3 to ethernet adaptor

2016-05-04 Thread Seth Mos
On 2-5-2016 at 15:57, WebDawg wrote:
> On May 2, 2016 1:56 AM, "Frans Meulenbroeks" wrote:
>>
>> Hi,
>>
>> Has anyone experience using USB3 to ethernet adapters ? I need an extra
>> interface but my HW (Intel NUC) does not have room for another card).
>> Anything recommendable?
>>
>> Best regards, Frans.
>> ___
> 
> If you can skip the USB stuff and enable vlans...in my opinion it is worth
> it.

A relatively simple HP Procurve 1810 supports VLANs and gives you
another few ports you can use as a WAN.

Cheers,

Seth
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPV6 WAN/LAN routing

2016-04-21 Thread Seth Mos
On 20-4-2016 at 18:38, Olivier Mascia wrote:
> Dear all,
> 
> I must be tired or something but I have a strange thing with IPv6 on a new 
> box I just setup.
> 
> Have a x:y:z:d800::/56 routed to me.
> WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
> x:y:z:d800::::: (not a nice one but that is what they gave 
> me).
> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN interface.
> 
> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach 
> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
> x:y:z:d800::1, but I can't get a packet to go further.
> 
> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) 
> from WAN interface, but not from LAN interface.
> 
> I would have thought "ok I miss a pass rule on the LAN interface", but there 
> is one. This by far is not my first pfSense box, and they all have various 
> kind of IPv6 links. Not that I couldn't be awfully wrong somewhere. So what 
> obvious detail am I overlooking here? If you have any idea?
>

Do you have radvd configured (from the DHCP6 settings) so that clients
on the LAN can find the gateway? Or is the client statically configured?
If you only run DHCP6d on pfSense but no RADVD, no clients will end up
with a route.

Kind regards,

Seth


Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-22 Thread Seth Mos
On 22-1-2016 at 8:53, Antonio Prado wrote:
> Hi,
> 
> on a fresh installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6
> not configured, pfSense starts advertising itself as IPv6 gateway on LAN
> using its link-local address (fe80::/64).
> 
> That's not the correct behavior I guess.
> 
> Is it a bug?

No, that sounds about right, it advertises itself as the gateway.

You can safely run RA on the LAN even without a public prefix, this
works fine in combination with static addressing as well.

Some devices only allow you to set a static address, but not the
gateway, they will pick it up from RA.

I think you'll find that the RA has no options set for auto configuration.

Cheers



Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-22 Thread Seth Mos
On 22-1-2016 at 12:15, Antonio Prado wrote:
> On 1/22/16 11:02 AM, Seth Mos wrote:
>>> on a fresh installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6
>>> not configured, pfSense starts advertising itself as IPv6 gateway on LAN
>>> using its link-local address (fe80::/64).
>>>
>>> That's not the correct behavior I guess.
>>>
>>> Is it a bug?
>>
>> No, that sounds about right, it advertises itself as the gateway.
> 
> well, let me disagree.
> when a router (pfSense) has RA disabled (as previously stated in my
> message), it simply should not per RFC 4861.
> 
> in other words, nevertheless pfSense 2.2.6 has no IPv6 configured (i.e.
> no v6 address on interfaces, RA disabled), it advertises itself as IPv6 gw.

Is your LAN interface not configured for IPv6 with address fe80::1:1? It
should be, it's in the default config, unless you disable it.

Regards,
Seth


Re: [pfSense] Slow speed on 100Base TX full duplex.

2016-01-11 Thread Seth Mos
On 11-1-2016 at 14:46, Muhammad Yousuf Khan wrote:
> em0@pci0:4:0:0: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01
> hdr=0x00
> class  = network
> subclass   = ethernet
> em1@pci0:4:0:1: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01
> hdr=0x00
> class  = network
> subclass   = ethernet
> 
> We had a switch in b/w Pfsense and Colo uplink. we even removed that switch
> and directly plug the cable with pfsense interface. but still getting the
> same low bandwidth.
> 
> is it a good idea. to install two new interfaces of 100Mbps and set them to
> Auto instead of making it static 100Base TX full dublex out of Gig
> Interfaces.  ?
> 
> Any help will be highly appreciated.

Only set the interface hard if the other side does that as well. You can
set it to 100 Mbit full duplex, but if the other side does not force it
to the same value it will autonegotiate from the ISP or switch to half
duplex.

Overruns and runts galore.

If you put an unmanaged switch in between you will get this. If the ISP
switch is set to auto it will do the same thing.

So just leave it on auto; setting interfaces hard shouldn't be needed
anymore since we left Nortel gear behind in the year 2000.

Cheers,
Seth


[pfSense] pfSense 2.1.5 crashing

2015-08-06 Thread Seth Mos
Hi,

Just a heads up, this week we have had multiple 2.1.5 firewalls on
different hardware in different locations crashing hard and rebooting.

These firewalls have been running for over a year before they rebooted,
with no rule changes lately.

Anybody else seeing these hard crashes with respect to 2.1.5?

I've uploaded the crash reports, but I don't have a crash report handy
at this moment.

Kind regards,

Seth


[pfSense] Large amount of tunnels failing on 2.2.4 upgraded from 2.1.5

2015-08-06 Thread Seth Mos
Hi,

We attempted an upgrade from 2.1.5 to 2.2.4 today and it backfired
entirely, requiring a reinstall of both nodes to get back to a working
situation. We did make config backups beforehand, but rolling back is a
bit painful in this regard.

We have about 300 IPsec tunnels with Draytek Vigor (2820/2850) routers.
Of the 300 tunnels, just 2 managed to come online immediately, and never
more than about 10 in half an hour. This was taking way too long and
meanwhile the phone was getting hammered.

What appeared to be happening is that these routers are too
aggressive, triggering the DoS protection in charon. Some tunnels were
establishing but triggering DPD and falling off again.

We disabled DPD entirely, but alas, this was not enough to get anywhere
fast.

After searching some more I see that strongswan.conf had options for the
SA table size, as well as an option for disabling the DoS protection.
Unfortunately, none of these are listed in the UI.

The dos_protection is enabled per default, something which racoon never
had. It does however need adjusting, or disabling above n tunnels. And
the cookie settings need adjusting for the larger amount of tunnels too.
Do the ikesa_table_size = 32 and ikesa_table_segments = 4 need
adjusting too?

The init_limit_half_open = 1000 needs to be twice the number of tunnels
for successful negotiation. So this default should be good for 500
tunnels. Although if there are multiple attempts I could see people
running out.

Another thing I hit on the way was the initial phase1 negotiation timing
out. For Linux the default is 165 seconds, but I have no idea what the
defaults for FreeBSD are.

Apart from the issues with IPsec I didn't appear to have any other
issues relating to firewall rules or CARP, so it was a success in that
respect. Still a shame that we missed 2600 calls just this morning
because the network broke.

Kind regards,

Seth Mos
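Added example, not code from the post or from the pfSense project: a small shell function that emits a strongswan.conf "charon { }" section sized for a given number of IPsec tunnels, so that a burst of peers all reconnecting at once (as after a reboot or upgrade) is not treated as a flood. The option names are real charon options from strongswan.conf(5); the sizing of cookie_threshold and the SA hash table are this example's assumptions, while init_limit_half_open = 2 x tunnels is the rule stated in the post.

```shell
#!/bin/sh
# Added example (not from the list post or from pfSense): generate a
# strongswan.conf charon section for N IPsec tunnels.
# Real charon options: dos_protection, cookie_threshold,
# init_limit_half_open, ikesa_table_size, ikesa_table_segments.

# charon_tuning TUNNELS [DOS]   (DOS = yes|no, default yes)
charon_tuning() {
    tunnels=$1
    dos=${2:-yes}
    half_open=$((tunnels * 2))     # rule from the post: twice the tunnel count
    # assumption: only start cookie-challenging above a full reconnect burst
    cookie=$((tunnels * 2))
    # assumption: hash table with at least one bucket per tunnel, power of two
    table=32
    while [ "$table" -lt "$tunnels" ]; do
        table=$((table * 2))
    done
    cat <<EOF
charon {
    # $tunnels tunnels: DoS protection $dos, thresholds above one reconnect burst
    dos_protection = $dos
    cookie_threshold = $cookie
    init_limit_half_open = $half_open
    ikesa_table_size = $table
    ikesa_table_segments = 4
}
EOF
}

# Example: charon_tuning 300 > /var/etc/ipsec/strongswan.conf.tuning  (path assumed)
```

Keep dos_protection on and raise the thresholds rather than turning it off; a peer that really is misbehaving then still gets cookie-challenged. Note that pfSense writes its own strongswan.conf whenever IPsec is reconfigured, so a hand-placed tuning block has to be reapplied (or merged) after every IPsec change.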


Re: [pfSense] Connect pfSense as client to a Hotel WLAN?

2015-07-30 Thread Seth Mos
On 30-7-2015 at 8:55, Chris Buechler wrote:
 On Wed, Jul 29, 2015 at 7:59 PM, Ray r...@renegade.zapto.org wrote:
 Hi,

 I run pfSense on a few ALIX boxes, usually as tunnel end and as access
 point. When I can plug one of these machines into any (wired) network, I
 have easy access to my home network through the private WLAN the ALIX
 provides.

 This works beautifully.

 I travel a lot and today hotels only provide WLAN access. Ethernet ports in
 hotel rooms are relics of the past.

You have a few choices here too, the term travel router has become a
lot more common than before. The cheapest are ~30-40 euro.

However, these are single radio, multiple SSID operation. This is bad as
it has a large impact on the RF bandwidth, you double the amount of RF
space you use with this method. Hotels and other networks really don't
appreciate this.

The current crown goes to the Dlink DIR510L which is a dual band travel
router with dual radios (dual band) and a 4Ah battery for charging
phones or operating on it. This you can attach to the wireless over
2.4Ghz and connect your laptop/ipad/phone to the hotspot router over
5Ghz and not impact the lackluster 2.4Ghz band.

Excellent for sticking to a window where you do have reception in some
of the concrete bunkers that we call hotel rooms. Also works well for
RV's (Campers) when mounted on a stick or inside the roof window to get
above all those aluminium boxes on wheels.

I've considered building a package for pfSense to perform this travel
router scenario to make it easier to do without requiring logging into
pfSense itself. I never got round to it.

I've found the wireless client support to be lacking in some respects
during the 2.1 cycle, might be quite a bit different now since I last
tried this. In my case it started flapping the wireless link and cycling
with DHCP requests. It was less than optimal :)

Cheers,
Seth


Re: [pfSense] Access Point Recommendations?

2015-07-24 Thread Seth Mos
On 23-7-2015 at 17:46, Karl Fife wrote:
 Your point about having a one-off solution is a great one. Installing a
 single UniFi AP would be unnecessarily complex.

In a pinch I use the Linksys E2500 or EA2700 dual band wireless access
points. Set a static IP, disable the DHCP server and connect the cable
to the LAN ports. That's handy for connecting the Xbox in the living
room. I mounted it behind the TV using one of the VESA mount screw holes
for hanging it off, and route the wires through the base of the TV.
Excellent wireless signal in the room.

You get 3 free switch ports on location as well for just ~40 euros.

 The TP-Link TL-WA801nd is a BGN-only device.  Do you (or anyone) have a
 preferred stand-alone AC access point?

If anyone is going to deploy anything new then BGN is not a valid
solution anymore. I see way too many issues with channel overlap in
2.4Ghz. Especially in densely populated areas.

The record so far is 38 SSIDs from a table at a cafe in Barcelona,
Spain. Then there was the genius that installed all APs on the same
channel, don't do that :(

At work we use the Ubiquiti Unifi-Pro access points, about 20 of them.
One of them is a repeater with a wireless backhaul (over 5Ghz). We have
a Debian VM for the controller which is handy as well.

All wireless traffic is put on a separate VLAN, and that works well as
intended, pfSense routes it out to the internet. I've also not found any
issues so far with the IPv6 support on any of the devices attached to
the wireless, it works.

The roaming is also quite good, I have no dropping 3CX soft phone calls
whilst roaming through the building.

Cheers,
Seth


Re: [pfSense] Pfsense + Cloudflare

2015-04-30 Thread Seth Mos
On 30-4-2015 at 16:02, Roy Sandbergen - Webguru wrote:
 Hi All,
 
 Does anyone have his site behind pfsense and cloudflare?
 
 I have the problem that my pfsense only see the ipadresses of the cloudflare 
 servers not the original ip of the client. Does anyone have a solution for 
 that problem?
 I cannot find a solution online for Pfsense 2.2 icm cloudflare

That's how cloudflare works, it's basically a great big Varnish (proxy)
box, so yes, you will only see the cloudflare servers.

If you want any meaningful address information you need to look at the
headers that the proxy service provides you.

Regards,

Seth


Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread Seth Mos
Sorry to reply to myself here, but 2.2 in combination with the Intel
X540-2 card isn't very stable. The card keeps dropping the PHY, which is
fine on 2.1.5.

I've just reverted and reinstalled 2.1.5 with a backup config.

Although the nmbclusters change did make the 2nd port of the ix card
power on, it eventually hung the network after half an hour or so.

Due diligence.

Regards,

Seth

On 26-1-2015 at 11:12, Seth Mos wrote:
 On 24-1-2015 at 3:24, Chris Buechler wrote:
 Details on the blog:
 https://blog.pfsense.org/?p=1546
 
 2 Upgrades done so far, one had a different Architecture autoupdate URL,
 that one updated from AMD64 to i386, please don't do that.
 
 Also, I have issues with the Intel X540-2 10G card now, it's throwing a
 few errors. Port 0 goes into a flapping state while port 1 never comes up.
 
 [zone: mbuf_jumbo_9k] kern.ipc.nmbjumbo9 limit reached
 ix1: Could not setup receive structures
 
 That didn't happen on 2.1.5 at all, apparently the limits have changed.
 
 In FreeBSD 10 these changes need to go into loader.conf during boot,
 different from before.
 https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning
 
 kern.ipc.nmbclusters=262144
 kern.ipc.nmbjumbop=262144
 kern.ipc.nmbjumbo9=65536
 kern.ipc.nmbjumbo16=32768
 
 Regards,
 
 Seth
 



Re: [pfSense] 2.2-RELEASE now available!

2015-01-26 Thread Seth Mos
On 24-1-2015 at 3:24, Chris Buechler wrote:
 Details on the blog:
 https://blog.pfsense.org/?p=1546

2 Upgrades done so far, one had a different Architecture autoupdate URL,
that one updated from AMD64 to i386, please don't do that.

Also, I have issues with the Intel X540-2 10G card now, it's throwing a
few errors. Port 0 goes into a flapping state while port 1 never comes up.

[zone: mbuf_jumbo_9k] kern.ipc.nmbjumbo9 limit reached
ix1: Could not setup receive structures

That didn't happen on 2.1.5 at all, apparently the limits have changed.

In FreeBSD 10 these changes need to go into loader.conf during boot,
different from before.
https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning

kern.ipc.nmbclusters=262144
kern.ipc.nmbjumbop=262144
kern.ipc.nmbjumbo9=65536
kern.ipc.nmbjumbo16=32768

Regards,

Seth
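Added example, not code from the post or from pfSense: a check that the loader tunables from the post are actually present, and large enough, in the loader configuration after an upgrade. The path /boot/loader.conf.local and the "at least this value" comparison are this example's assumptions; the four keys and values are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the list post or from pfSense): confirm that the
# mbuf tunables are set in the loader config, since on FreeBSD 10 they must
# be loader tunables and are too late to change from sysctl.conf.
# Required minimums (values from the post), one key=value per line.
MBUF_REQUIRED='kern.ipc.nmbclusters=262144
kern.ipc.nmbjumbop=262144
kern.ipc.nmbjumbo9=65536
kern.ipc.nmbjumbo16=32768'

# loader_value FILE KEY -> last value assigned to KEY (comments and quotes
# stripped); prints nothing if KEY is not set
loader_value() {
    sed -e 's/#.*//' "$1" | awk -F= -v k="$2" '
        { gsub(/[ \t]/, "", $1) }
        $1 == k { v = $2 }
        END { gsub(/[" \t]/, "", v); print v }'
}

# mbuf_check FILE -> one line per missing, non-numeric or too-low tunable;
# returns 1 if anything is wrong, 0 if all four are present and large enough
mbuf_check() {
    rc=0
    for kv in $MBUF_REQUIRED; do
        key=${kv%%=*}
        want=${kv#*=}
        have=$(loader_value "$1" "$key")
        case "$have" in
            '')        echo "MISSING $key (want >= $want)"; rc=1 ;;
            *[!0-9]*)  echo "BAD $key=$have (not a number)"; rc=1 ;;
            *) [ "$have" -ge "$want" ] ||
                   { echo "LOW $key=$have (want >= $want)"; rc=1; } ;;
        esac
    done
    return $rc
}

# Usage on the firewall (path assumed):
#   mbuf_check /boot/loader.conf.local && echo "mbuf tunables OK"
```

Run it right after the upgrade and before the box is put back in production; a missing key here explains the "limit reached" message above long before the second port stays down.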


Re: [pfSense] Road Warrior open vpn

2015-01-22 Thread Seth Mos
On 22-1-2015 at 10:18, A Mohan Rao wrote:
 someone more ..

Are you sure that the devices on the LAN are using the same gateway as
the pfSense machine? It could be asymmetric routing.

Regards,
Seth


Re: [pfSense] Road Warrior open vpn

2015-01-21 Thread Seth Mos
On 21-1-2015 at 11:30, A Mohan Rao wrote:
 Hello,
 
 successfully configured Road Warrior OpenVpn also vpn client is
 connected from remote area but not able to access server end LAN or
 server's.

Add firewall allow rules on the OpenVPN Server interface


 
 
 Thanks
 
 Mohan 
 
 
 



Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Seth Mos
On 8-1-2015 at 17:24, Adam Thompson wrote:
 On 15-01-08 10:02 AM, Seth Mos wrote:
 To clarify this a bit better. You speak BGP to your ISP from each
 pfSense node and generally use CARP as the router address on the
 internal side. You still need to exchange routes between both pfSense
 nodes. The moment CARP fails over you drop your BGP session anyhow, so
 both pfSense nodes need the routing tables (Unless you use default only). 
 
 Uh...
 
 https://doc.pfsense.org/index.php/OpenBGPD_package
 
 says it better than I can.  Note that there have been a ton of bug-fixes
 relating to set nexthop and CARP in the last year or so, which don't
 appear to have made it into the FreeBSD port yet.
 
 I run a pair of BGP routers using CARP to an upstream peer who only
 wants to configure a single IP address and a single session.  Works OK
 in practice under OpenBSD, not sure how well the pfSense package
 (FreeBSD port) handles it.
 

Yep, that's a good reason to use CARP, but you might drop some traffic
on reconfiguration depending on the amount of routes you have.

Regards,
Seth


Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Seth Mos
On 8-1-2015 at 17:22, Bryant Zimmerman wrote:
 
 *From*: Seth Mos seth@dds.nl
 *Sent*: Thursday, January 8, 2015 11:02 AM
 *To*: list@lists.pfsense.org
 *Subject*: Re: [pfSense] 4 Byte ASN
  
 On 8-1-2015 at 16:52, Jim Thompson wrote:
 On Jan 8, 2015, at 9:23 AM, Seth Mos seth@dds.nl wrote:

 You do not want to use CARP with BGP in any situation. Each node
 needs its own session with the remote BGP peer. You need to use iBGP
 between the nodes instead.

 We run a pair of c2758s behind each link and CARP between these, announcing 
 the routes out via BGP. (Technically this occurs on a different pair (R200) 
 boxes that play the role of router (one per link).
 
 To clarify this a bit better. You speak BGP to your ISP from each
 pfSense node and generally use CARP as the router address on the
 internal side.
 
 You still need to exchange routes between both pfSense nodes.
 
 The moment CARP fails over you drop your BGP session anyhow, so both
 pfSense nodes need the routing tables (Unless you use default only).
 
 Regards,
 
 Seth
  
  
 What my current design is.  3 Routers in a CARP stack at each location.
 A single fiber link. We have a fiber vlan between the locations.
 I was thinking of BGP announcing from the CARP stack in the event of a
 router failure the next unit in line should take on the load for the
 firewall and BGP.  We don't want to drop existing connection if possible.
 Now I know if a connection goes down hard we may drop while it switches
 over to the alternate site. I just don't want to drop due to an internal
 router failure.
  
 Am I approaching this the wrong way?

You will drop the BGP session because only one pfSense node will have a
connected session from the openbgpd.

A virtual IP is nice, but that only applies for traffic traveling
through the firewall, not a process running *ON* the firewall.

Depending on whether you do default, customer-only or full routing, both
pfSense nodes need the same routing table. Since openbgpd takes care of
inserting routes into the routing table, this needs to happen on both nodes.

If you bind openbgpd to the CARP address, node B will setup a new
session on failover, exchange routes, install routes during which time
you will drop traffic with destination unreachable. Hopefully the remote
peer has soft-reconfiguration inbound.

Cheers,

Seth


Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Seth Mos
On 8-1-2015 at 15:28, Bryant Zimmerman wrote:
 We are working on getting our own ASN with ARIN so we can get our own
 blocks of address.
 We are doing this because we are using multiple ISP's and want to
 announce our own addresses, For better fail over.

It's so much nicer than multi-wan, I don't regret it in the least.

 We are currently using pfSense boxes with CARP at both our locations.
 Will the open BGP package available for pfSense work correctly with --4
 Byte ASN's

Yes

 --Does carp function correctly with Open BGP for fail over.

You do not want to use CARP with BGP in any situation. Each node
needs its own session with the remote BGP peer. You need to use iBGP
between the nodes instead.

Regards,

Seth




Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Seth Mos
On 8-1-2015 at 16:52, Jim Thompson wrote:
 On Jan 8, 2015, at 9:23 AM, Seth Mos seth@dds.nl wrote:

 You do not want to use CARP with BGP in any situation. Each node
 needs its own session with the remote BGP peer. You need to use iBGP
 between the nodes instead.
 
 We run a pair of c2758s behind each link and CARP between these, announcing 
 the routes out via BGP.  (Technically this occurs on a different pair (R200) 
 boxes that play the role of router (one per link).

To clarify this a bit better. You speak BGP to your ISP from each
pfSense node and generally use CARP as the router address on the
internal side.

You still need to exchange routes between both pfSense nodes.

The moment CARP fails over you drop your BGP session anyhow, so both
pfSense nodes need the routing tables (Unless you use default only).

Regards,

Seth


Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread Seth Mos
On 30-10-2014 at 16:33, Jim Thompson wrote:
 
 On Oct 30, 2014, at 9:28 AM, Jeppe Øland jol...@gmail.com wrote:

 3 year old Kingston SSDs are not like new Kingston SSDs.

 Agreed.

 On the other hand, I tend to distrust manufacturers that shipped
 completely unreliable drives without any thought.
 Kingston/OCZ/Crucial are all in this boat for me.
 
 I’m sure I’ve been burned at least as badly by these, and others, and I
 still buy from them.
 
 Samsung 840s are the darling of the “cheap, fast SSD” and they turn out
 to suck, too:
 http://www.pcper.com/news/Storage/Samsung-Germany-acknowledges-840-Basic-performance-slow-down-promises-fix

We have about 70 Dell optiplex desktops that have a Samsung 830 in them
that appears to be doing fine. None has failed yet.

We also have 300 cash registers running the Intel 320 series 80GB and so
far 3 have failed in 8MB mode, even though they do have the correct
firmware. It's basically the way it tells you something went wrong.

We are very picky about our Intel SSD models, only a few have power
protection circuits. Basically only the models with the in-house Intel
controller have this. (X25-M, Intel 320, Intel S3500/S3700).

We did have 1 OCZ Vertex 2 that predictably died just after the 1st year
in a developers laptop, that was a train wreck waiting to happen, and it
did.

Another production box is a 12 disk Raid 6 (~2TB) with 300GB Intel 320
series, it's been fine on a light write workload. (70/30).

Cheers,
Seth
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] LAN: IPv6 static configuration

2014-10-10 Thread Seth Mos
On 10-10-2014 at 3:51, Erik Anderson wrote:
 Any thoughts on this?
 
 Unfortunately, all of the examples and documentation I can find on
 IPv6 configures with pfSense are geared towards consumer-class
 circuits using DHCP-PD, and I've not found anything about proper
 static configuration.

Well, mine is proper static configuration since I started, but I've not
run into this case.

However, do keep in mind that I configured all this in the 2.1
development cycle and never tried this on 2.1 RELEASE or later.

My setup is 2 sequential carp clusters complete with ip4 and ip6
configuration including ip6 carp addresses. I have never run into this
issue before.

What you might want to check on the firewall is the routing. I've
seen a few cases where any changes to the gateways after 2.1.1 result
in all sorts of hilarious behaviour except properly adding and removing
routes.

I was also not amused when this broke my HE.net tunnel at home, tunneled
interfaces after 2.1.1 are apparently very different gateway wise now.
The end result being that I can't properly switch gateways now when you
have 2 tunnels and NPt.

So check your routing with netstat -r before and after changing and see
if you lost your default gateway.

Regards,

Seth

 Again, I thought this would be simple, but at least during my first
 attempt at configuration, I ran into major issues.
 
 Thank you all!
 -Erik
 
 
 On Wed, Oct 8, 2014 at 2:19 PM, Erik Anderson erike...@gmail.com wrote:
 Good afternoon-

 This is in regards to pfsense-2.1.4-RELEASE.

 This morning my ISP (finally) turned on IPv6 on our circuit. They
 assigned a /126 P2P link for the WAN and are routing a /48 to us. I
 have the WAN interface configured without issue, and am able to ping6
 from the router itself to external addresses.

 The problem arose when I added the static IPv6 configuration to my LAN
 interface. I chose an arbitrary /64 subnet for the LAN and assigned an
 IP to the interface. When I applied this configuration, *all* traffic
 to and through the router (both v4 and v6) stopped. I couldn't ping
 the v4 address of the router, etc. I ended up having to attach to the
 serial console and restore a previous config file in order to restore
 connectivity.

 My questions are:

 1) How was adding v6 addressing information to the LAN interface able
 to affect v4 traffic?

 2) How can I add static v6 configuration to the LAN interface sucessfully?

 This all seemed like it should be a very simple task, but apparently
 I'm missing something.

 Thank you!
 -Erik
 

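Added example, not code from the post or from pfSense: the "check your routing with netstat -r before and after" advice above, turned into a small script that compares two snapshots of `netstat -rn -f inet6` and flags a vanished or changed IPv6 default route. The column layout (Destination, Gateway, Flags, ...) under an "Internet6:" header is assumed from FreeBSD 10 netstat output; only the first two columns are used, and the sample snapshots in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the list post or from pfSense): diff two
# "netstat -rn -f inet6" snapshots and check the IPv6 default route
# survived a gateway change.

# v6_default_gw FILE -> gateway of the IPv6 default route, empty if absent
v6_default_gw() {
    awk '/^Internet6:/ { in6 = 1; next }
         /^Internet:/  { in6 = 0 }
         in6 && $1 == "default" { print $2; exit }' "$1"
}

# v6_routes FILE -> "destination gateway" per IPv6 route, sorted for diff
v6_routes() {
    awk '/^Internet6:/ { in6 = 1; next }
         /^Internet:/  { in6 = 0 }
         in6 && NF >= 3 && $1 != "Destination" { print $1, $2 }' "$1" | sort
}

# route_check BEFORE AFTER -> prints LOST/NEW routes and the default
# gateway verdict; returns 1 if the default gateway disappeared
route_check() {
    tb=$(mktemp); ta=$(mktemp)
    v6_routes "$1" > "$tb"
    v6_routes "$2" > "$ta"
    diff "$tb" "$ta" | sed -n 's/^< /LOST /p; s/^> /NEW /p'
    rm -f "$tb" "$ta"
    gw_before=$(v6_default_gw "$1")
    gw_after=$(v6_default_gw "$2")
    if [ -z "$gw_after" ]; then
        echo "DEFAULT GATEWAY LOST (was ${gw_before:-none})"
        return 1
    elif [ "$gw_before" != "$gw_after" ]; then
        echo "DEFAULT GATEWAY CHANGED $gw_before -> $gw_after"
    fi
    return 0
}

# Usage on the firewall:
#   netstat -rn -f inet6 > /tmp/v6.before     (now change the gateway in the GUI)
#   netstat -rn -f inet6 > /tmp/v6.after
#   route_check /tmp/v6.before /tmp/v6.after || echo "default route gone, fix it"
```

Take the "before" snapshot from the serial console or an SSH session that does not depend on the route you are about to change, so you can still read the "after" result when the box stops forwarding.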


Re: [pfSense] v2.1.5: OpenVPN + IPv6. Any success?

2014-09-16 Thread Seth Mos
On 16-9-2014 at 6:32, Erik Anderson wrote:
 I recently got IPv6 turned up on my Comcast cable circuit. They're
 delegating a /60 to my router. I have successfully configured
 interface tracking on the LAN interface and that is working great.
 
 Next, I'd like to get the OpenVPN server configured to enable v6
 communication with mobile VPN clients. Has anyone had success with
 this? When configuring the LAN interface, it is set to track the WAN
 interface, and I can set a prefix ID to provide a unique subnet to LAN
 clients. As far as I've seen, there's no equivalent configuration
 available for OpenVPN, correct? Sure, I could probably pick an
 arbitrary subnet from the block delegated to me and assign IPs from
 that to OpenVPN clients, but what happens if my delegated block
 changes? Then everything breaks. I'm not certain that Comcast will
 always assign the same block.

Good question, I never envisioned it this way but it does make sense.

Using an arbitrary subnet is your best solution for now. I have ~40 dual
stacked laptops hanging off my OpenVPN with the Viscosity client on Windows.


 Is there a graceful way to handle this situation?

What you need isn't in 2.1.5 and it needs to be made. So no, i'm afraid.

The same method we built for other interfaces could be applied to
OpenVPN server interfaces, so it's not too different. Probably about 2
days to build and a day to test.

Cheers,
Seth


[pfSense] Upgrade from 2.1 to 2.1.3 RA misses subnet

2014-06-27 Thread Seth Mos
Hi,

Maybe it was just my install, but when I upgraded from 2.1 to 2.1.3 the
RADVD settings changed. I did not explicitly setup a subnet to announce
for radvd, it previously just picked up the interface subnet.

I was wondering where my IPv6 went off to.

Kind regards,

Seth


[pfSense] Problems with gateways on IPv6 Tunnels?

2014-06-03 Thread Seth Mos
Hi,

I just upgraded to 2.1.3 at home and tried to switch my IPv6 default gateway 
around.

Unfortunately, when I try to set my HE.net tunnel gateway as the default it 
throws an error that the gateway address is not in the interface subnet. 

I’ve set the prefix length in both the GIF interface settings and the OPT4 
Interface settings to /120. Unfortunately it still throws that error. Strangely 
enough the gateway status widget and status page tell me the gateway is 
reachable fine and with proper response time.

This makes no sense. Anybody else seeing this?

Kind regards,
Seth


Re: [pfSense] ICMPv6 filtering recommendations with pfSense?

2014-05-21 Thread Seth Mos
On 21-5-2014 9:11, Olivier Mascia wrote:
 On 14 May 2014 at 03:37, Chris Buechler c...@pfsense.com wrote:
 
  IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP
 has had
  a bad reputation for a long time, and it's mostly undeserved in
 recent
  times.
 
  Jim

 How should I interpret the code you pointed to?
 That pfSense do let ICMPv6 flow freely (at least most of it deemed
 to be required for IPv6 correct behavior) by default, and it then
 is not dropped by the default block rule?


 The ICMPv6 traffic that's considered required for things to function
 properly is automatically allowed. 
 
 Excellent. Thanks!

The rules should automatically allow ICMP6 echo, packet too big and
neighbor discovery on the link-local addresses so that basic
functionality works.

Iirc ICMP6 echo is not allowed from the internet using the GUA
addresses, but ND, RA and RS is for normal operation.

The rules are specifically higher in the ruleset to prevent accidentally
blocking (and breaking) your IPv6 internet.

To be fair, we could make the RA and RS rules a bit more fine grained
for ICMP6, but those would apply to the link-local scope and are of
limited reachability (at least not from the internet).

We already toggle a sysctl if we want to accept a RS for a given
interface, so that would be of limited use.

Regards,
Seth


Re: [pfSense] vzw uml290

2014-04-18 Thread Seth Mos
On 18-4-2014 0:49, Ryan Coleman wrote:
 I’ve found many devices do not honor this.

+1

There is an AT command to reset the device, but this has the unfortunate
side effect that it can cause FreeBSD to kernel panic. I noticed this
when I was working on the 3G support.

Regards,

Seth

 
 
 On Apr 17, 2014, at 2:40 PM, Vick Khera vi...@khera.org wrote:
 
 On Thu, Apr 17, 2014 at 1:23 PM, Oliver Hansen oliver.han...@gmail.com 
 wrote:
 Hi Vick, I don't think I have much information for you but I have seen those
 similar logs before. I don't use mine as a backup but as a mobile router for
 events and only a couple of times a year. Usually in my experience it has
 been when there is not a strong signal that I see these problems. Because
 yours has worked just fine in the same place this may not be the cause.

 I managed to get someone to physically unplug and re-insert the
 device. Once I re-saved the PPP config, it connected immediately.
 Clearly the usbcontrol power_off/power_on was not sufficient.

 I hope this is not a regular occurrence :(


Re: [pfSense] pfSense 2.1.2 is released

2014-04-15 Thread Seth Mos
On 15-4-2014 7:41, Chris Buechler wrote:
 On Sun, Apr 13, 2014 at 7:33 AM, Doug Lytle supp...@drdos.info wrote:
 Jim Thompson wrote:
 pfSense release 2.1.2 is now available.  pfSense release 2.1.2 follows less 
 than a week after pfSense release 2.1.1, and is primarily a security 
 release.

 Okay,

 I've just upgraded from 2.1.1 to 2.1.2, now I notice that my firewall
 logs are being spammed with IPV6 ICMP notifications.

 
 The "now I notice" being the key part there. Nothing related to that's
 changed. If you don't check "Allow IPv6" under System > Advanced, you
 have a "block all" rule on IPv6 with logging. Things on your LAN will
 have link local addresses and spew multicast stuff. Probably want to
 configure some block rules for v6 with no logging.
 

To be extra clear here, if you check "Allow IPv6", it won't
automatically allow IPv6 traffic, it just means you can now create rules
for IPv6 traffic instead of the default IPv6 deny all.

Also, iirc, when "Allow IPv6" is checked the default deny rule will
log IPv6 as it will IPv4. And if you don't check "Allow IPv6" it will
silently drop IPv6 traffic as it did previously.

Also, if you've been using the 2.1 snapshots in 2012 and 2013 the config
will have that setting enabled, which corresponds with your firewall
logs. Maybe you have an upgraded config.

2.1-RELEASE and later do *not* set that on upgrade though, it was
primarily for people tracking the snapshots at the time.

Kind regards,

Seth


Re: [pfSense] Remote office redundancy

2014-04-09 Thread Seth Mos
On 9-4-2014 16:50, Vick Khera wrote:
 I just dug up this old thread to implement IPsec and OpenVPN failover
 coming to my main office from a remote location. The main office
 already has a gateway group for the two different ISPs, so my first
 step is to set up a dynamic DNS for it.
 
 This is where I get stuck... the RFC2136 client portion of the dynamic
 DNS configurator does not let me monitor the failover group -- only
 LAN, WAN, and WAN2. The DynDNS client config does offer the gateway
 group.  Is this a limitation of RFC2136 client or just an oversight in
 the UI?

Uhm, yeah, oversight on my part when I built this. Also, I didn't have an
RFC2136 server to talk to. So instead of adding something broken I
didn't add it at all.

 Presuming I get past this part, on my remote clients, I just configure
 IPsec and OpenVPN to use this dynamic host name as the end point and
 then it just works to failover automatically when WAN goes down and
 fails over to WAN2 at the office? Is it really that simple?

Should be.

 Running pfSense 2.1 (waiting for 2.1.2 to hit before upgrading to
 minimize downtime.)


Re: [pfSense] IPSEC bug in 2.1

2013-12-12 Thread Seth Mos
On 12-12-2013 10:48, Jon Gerdes wrote:

 There exists an IPSEC bug in pfSense 2.1

 When the router's modem is restarted, the IPSEC tunnel fails to come back
 up.

The problem exists if you have IPsec tunnels using a hostname: the
reload process fails to reload the firewall filters, so IPsec never
negotiates.

Edit /etc/rc.newipsecdns and add the line:

filter_configure();

near the end; this causes the firewall rules to reload properly. We had this
issue too on 2 separate clusters with about 300 tunnels.

Kind regards,

Seth


 This bug is documented in the following places by numerous people:

 https://redmine.pfsense.org/issues/3321 
 http://forum.pfsense.org/index.php/topic,69235.0.html 
 http://forum.pfsense.org/index.php/topic,68776.0.html 
 http://forum.pfsense.org/index.php/topic,67929.0.html 
 http://forum.pfsense.org/index.php/topic,67625.0.html 

 Regards,
 Christian Borchert
 
 Christian
 
 I run an awful lot of IPSEC tunnels and I generally don't get the problem you 
 describe in your trouble ticket which is not the same as the fault that is 
 barely described in the first forum posting you link.  The rest are TL;DR for 
 me.
 
 Please try disabling DPD at both ends and set the address that you ping to 
 any address other than those on the other end's router  - that address 
 doesn't even have to exist, it just has to be within the remote subnet but 
 not one that is bound to the router doing the IPSEC.
 
 Incidentally your report in Redmine does not describe what the other end 
 actually is - is it another pfSense box or something else?
 
 Cheers
 Jon
 


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Seth Mos
On 11-10-2013 11:57, Adrian Zaugg wrote:
 Dear all
 
 After having read the whole NSA thread on this list, it came up to my
 mind that pfsense web GUI could declare itself conform to US laws upon
 the point when there are known backdoors included or otherwise the code
 was compromised on pressure of governmental authorities. It would be the
 sign for the users to review the code and maybe to fork an earlier
 version and host it in a free country, where the protection of personal
 data is a common sense and national security is not so much an issue.

?

And which country would that be? I mean, the British MI4? tapped the
Belgian telecom network for over a year to listen in on the EU politicians...

I don't see the point in this.

I've been a developer since November 2005 and since that time I have
never seen any evidence that this is the case. Not to downplay the trust
issue, it is always good to do a background check on what we put into
pfSense (which we do).

Pretty much everything we have in pfSense is checked in the version
control system. Even in the beginnings (0.83) with CVS. Even our builder
scripts are in an RCS system, and it verifies all checksums on external
(mostly FreeBSD ports) software we download for the build.

The most realistic way to get a backdoor in pfSense would have to come
from an upstream source. And FreeBSD generally has this properly in order
and a security team that acts properly.

The way most intelligence agencies these days perform the wire
tapping is by getting a switch mirror port at an internet exchange. Even
fiber optics can be tapped without too many problems.

In .NL all large ISPs have a mandatory wiretap in place that stores
datetime stamped headers of the internet traffic for discovery purposes
from the authorities. The best part of this, it is paid for by the
customers, since the ISP needs to pay for the system and storage.

Regards,

Seth


Re: [pfSense] RRD traffic lost after 2.0.3 - 2.1

2013-10-08 Thread Seth Mos
On 7-10-2013 21:23, petes-li...@thegoldenear.org wrote:
 What you can try is dumping the old 2.0 config with RRD data, and then
 restore that after upgrade. Try that.

 It should also retrigger a config upgrade at that point and upgrade the
 databases.
 
 Thanks for your suggestion. I tried backing up just RRD data and restoring
 that, and a complete config backup including RRD data and restoring that,
 neither of which caused the issue to fix itself. Obviously this is all
 post-upgrade, having already upgraded 2.0.3 to 2.1.
 Have you any more suggestions please?

No, you need to supply the 2.0 config with RRD data, otherwise it won't
work. The 2.1 config is of no use as it considers the data to already be
upgraded.

You should have a full backup from before you started the upgrade, right?

Alternatively you can try this:

Go to the command prompt page and run:

include("shaper.inc");
include("upgrade_config.inc");
include("rrd.inc");
upgrade_080_to_081();

Make sure to back up beforehand.

Kind regards,

Seth

 No idea why it isn't doing that for you. I only know of issues on nanobsd.
 
 I'm seeing this on the 7 upgrades I've done so far.
 
 Thanks
 
 
 


Re: [pfSense] RRD traffic lost after 2.0.3 - 2.1

2013-10-01 Thread Seth Mos
On 1-10-2013 9:47, petes-li...@thegoldenear.org wrote:
 Hi. After upgrading 2.0.3 to 2.1.0 on an x86 full install, RRD Graphs -
 Traffic says There has been an error creating the graphs. Please check
 your systemlogs for further details.
 
 This is from the log:
 
 php: rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool
 update /var/db/rrd/ovpns1-packets.rrd N:U:U:U:U:U:U:U:U' returned exit
 code '1', the output was 'ERROR: expected 4 data source readings (got 8)
 from N:U:U:U:U:U:U:U:U'

That means the RRD database was not upgraded during boot. It should have
8 fields now, instead of 4.

What you can try is dumping the old 2.0 config with RRD data, and then
restore that after upgrade. Try that.

It should also retrigger a config upgrade at that point and upgrade the
databases.

No idea why it isn't doing that for you. I only know of issues on nanobsd.

Cheers,
Seth


Re: [pfSense] RRD traffic lost after 2.0.3 - 2.1

2013-10-01 Thread Seth Mos
On 1-10-2013 11:45, petes-li...@thegoldenear.org wrote:
 Additionally, I'm now seeing this in the log:
 
 php: /status_rrd_graph_img.php: Failed to create graph with error code 1,
 the error is: ERROR: No DS called 'inpass6' in
 '/var/db/rrd/wan-traffic.rrd'/usr/bin/nice -n20 /usr/local/bin/rrdtool
 graph /tmp/wan-traffic.rrd-day.png --start 1380526543 --end 1380612943
 --step 300 --vertical-label bits/sec --color SHADEA#ee --color
 SHADEB#ee --title `hostname` - WAN :: Traffic - 1 day - 5 minutes
 average --height 200 --width 620
 DEF:wan-in_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass:AVERAGE:step=300
 DEF:wan-out_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass:AVERAGE:step=300
 DEF:wan-in_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock:AVERAGE:step=300
 DEF:wan-out_bytes_block=/var/db/rrd/wan-traffic.rrd:outblock:AVERAGE:step=300
 DEF:wan-in6_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass6:AVERAGE:step=300
 DEF:wan-out6_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass6:AVERAGE:step=300
 DEF:wan-in6_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock6:AVERAGE:step=300
 DEF:wan-out6_bytes_block=/var/d

Correct, you are requesting fields that are not in the RRD file, because
it wasn't upgraded.

Regards,
Seth


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-30 Thread Seth Mos
On 27-9-2013 18:13, Adam Thompson wrote:

 I firmly agree with previous posts that outline why this allocation
 policy is suboptimal.
 However, I do *not* want to be renumbering my IPv6 hosts down the road
 simply because I wanted to be the most efficient guy on the block.  Nor
 do I want to be the guy who can't run protocol XYZ because I didn't use
 /64s.

Wait, what? Renumbering in IPv6 is different from IPv4 how?

I had to renumber my IPv4 connections 6 times in the past decade, and I
mean in the globally routed way, not the internal LAN. Now the size here
is a fair bit of external servers, and those have public addresses,
firewall rules and/or NAT mappings. Then there is the host config etc.

I finally bit the bullet and signed up for PI space with an ASN and
hopefully that's that.

In retrospect, I should have done that ages ago. It would have saved the
company tons of money in labor. You see, cheaping out with the smaller
plans seemed like a good idea (cheap multiwan) but it turns out to be
far more expensive in the long run with migration.

Renumbering is cumbersome but it's really no different now than it was
before.

For all that it matters, I expect this not to happen so much with IPv6,
because the default /48 allocation is so much larger. It's easy to do
some aggregated routing without ending up with /29's everywhere.

An IPv4 /24 was effectively 254 hosts, until you wanted to do routing and
the effective number of hosts goes downhill very fast from there.

I had to renumber twice in IPv4 alone because I got a larger netblock.
This is because you needed to provide a reasonable requirement, and you
can't get larger without a decent motivation and actually using those
addresses.

I think the default IPv6 size of /48 is well chosen.

The moral is: If your company is multi-WAN and has about 100 desktops,
apply for an ASN and get BGP connections. It is the right business decision.

Regards,

Seth



Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-30 Thread Seth Mos
On 30-9-2013 10:53, Chris Bagnall wrote:
 On 30/9/13 7:56 am, Seth Mos wrote:
 I finally bit the bullet and signed up for PI space with a ASN and
 hopefully that's that.
 
 Worth mentioning here that no more IPv4 PI ranges will be allocated - at
 least not within RIPE jurisdiction (conservation rules kicked in when we
 started on the last /8). Other RIRs might be different.

On that note: This is a last call to people in the US to get one before
they are stuck in a hard place.

We got ours just in time before the last /8 policy in RIPE land.

Like the whole IPv6 migration, better plan ahead than get stuck between
a rock and a hard place.

Cheers,
Seth


Re: [pfSense] 2.1 on WRAP

2013-09-20 Thread Seth Mos
On 20-9-2013 9:45, Odette Nsaka wrote:
 First of all, thanks to the developers for the new fantastic 2.1 release.
 
  
 
 I've been using Alix by PC Engines (WRAP's successor) successfully for a
 lot of time. I was just wondering about PC Engines not releasing new
 versions of Alix.
 
 And it seems to me they are going to be soon too old for next pfSense
 releases.
 
 So I was asking:
 
 - the system requirement will be enough so the development of pfSense
 will continue for a reasonable amount of time on Alix ?
 
 - Has already been designed the new successor for our dear grandma Alix?
 Or a suggested platform for embedded solutions?

The main limitation here is RAM, if your Alix has 256 MB it should be
fine really. The forwarding rate is limited to about 70 mbit, so if you
need more only the newer Soekris 6500 series would work.

Kind regards,
Seth


Re: [pfSense] Optimal Setup

2013-09-19 Thread Seth Mos
On 19-9-2013 11:52, Joseph W. Joshua wrote:
 Hello all,

 Currently, my internet comes in through a linksys router, in which I have set 
 up the above rules. However, we would like to introduce a proxy server, and 
 also internet use monitoring and banning of excessive users.

Squid with ldap or ntlm auth works well, block default outbound 80 and
443 so people actually use the proxy server. Find out that Silverlight
does not work with authenticated proxy servers. (Really MS?)

It does stop some malware in its tracks though.

 I have tried setting up pfSense as follows:
 
 --el0 as LAN Interface (192.168.0.1)
 --el1 as WAN Interface (ISP IP)
 --My laptop pointed to 192.168.0.1 as Router and DNS
 --The pfSense installation has internet access, but my laptop cannot get 
 online.
 
 What could I be doing wrong?

Make sure that the private networks rule is not active on your WAN.

Am I safe to assume that you are not using the linksys in front of the
pfSense WAN and the public IP terminates on pfSense directly?

Asymmetric routing doesn't work, and overlapping subnets do not either.

Regards,

Seth


Re: [pfSense] 2.1 on WRAP

2013-09-19 Thread Seth Mos
On 19-9-2013 15:22, Ugo Bellavance wrote:
 Hi,
 
 My old PC Engines WRAP is still surviving, and I'd like to install 2.1
 on it.  Are these instructions still valid for 2.1?
 https://doc.pfsense.org/index.php/NanoBSD_on_WRAP
 
 Anyone built a WRAP-compatible image for 2.1?

There is a nasty RRD file upgrade bug that might affect you. When
upgrading on embedded the temporary files are not removed causing /tmp
to fill up.

The fix was easy, but you need a re-done image for nanoBSD. Not sure if
that is planned yet.

Cheers,

Seth



Re: [pfSense] captive portal with sms for registration

2013-09-18 Thread Seth Mos
On 18-9-2013 10:54, budi wibowo wrote:
 Hi
 have situation like this:
 - user register via web portal and password sent via sms
 any module in pfsense for this?
 as i used before the captive portal not have registration page

Not impossible to do if there is a 3G dongle connected to pfSense. You
can send SMS with those via the control port.

It's not standard functionality though.

Cheers,
Seth


Re: [pfSense] pfSense and Cable Modem Throughput

2013-09-13 Thread Seth Mos
On 12-9-2013 19:16, Bas van Dieren wrote:
 Greetings,
 
 Most cable providers rate limit only when there are too many states at high 
 speeds. It could be a combination of the two. 
 I know at least 2 cable providers who rate limit (drop packets) when you have 
 over 5k of sessions at 1Gbit speed and don't if the speed is at 100mbit.
 Try setting the speed and duplex to 100mbit full duplex and see how it goes 
 with a lot of states.

That reminds me of the Arris cable modems in .nl where eMule or torrent
traffic with an upload over 1 mbit (of 2) would cause the actual voip
port to fail and be unable to call. Intriguing failure; before that one was
acknowledged, they ended up rolling out the Motorola Surfboard.

So even though the cable modem is effectively a bridge, it did actually
keep state causing hard to diagnose failures and issues.

Also, maybe just a strange thought, but did you check the pfSense LAN
port as well? It could be either port causing the issues, since all
traffic flows through it.

Although IRQ conflicts should really be gone by now, you might try
seating the card in a different slot (if that is possible).

Cheers,

Seth


Re: [pfSense] pfSense and Cable Modem Throughput

2013-09-12 Thread Seth Mos
On 12-9-2013 17:28, Adam Piasecki wrote:
 First I'm almost certain this is a cable modem/provider problem. We have
 a 20mb ethernet circuit that works fine with the same pfSense.
 
 We upgraded to a 100/10mb cable modem, when we put this on the WAN of
 the pfsense, we are getting major packet loss during peak times, and
 speed test sites that won't even load. Non-peak times we get no packet
 loss, good speed tests (50+mb)
 
 The problem I'm having is that when we take the pfSense out and plug a
 PC directly into the cable modem, the speedtests look fine and the
 dropped packets go away. Both during peak times and non-peak.
 
 My thought is the number of packets going over the cable modem with the
 pfSense is a lot greater than just one PC doing a speedtest, and the
 cable modem can't handle it. We have about 100 clients behind the
 pfSense trying to access the internet during peak times. The traffic
 graphs on pfSense only indicate we are doing  5-10mbs download and 1-5
 upload, so we are nowhere near maxing out the cable modem bandwidth wise.
 
 I've checked wan ethernet settings 1gig full duplex, no collisions or
 errors on the pfSense side. I don't see any problems in the log, we are
 not doing any traffic shaping.
 
 The cable modem provider says if you plug a PC into the modem and you
 get a good speed test, then it's your firewall. I tend to agree with
 him, but the firewall works fine with the 20mb Ethernet circuit, and it
 also works fine during non-peak times when not many users are on.
 
 Has anyone run into a problem like this before, or have any tips to
 prove what could be the problem.

Try a different cable, no really. Gigabit ethernet can be picky; also
try a longer one.

Cheers,

Seth



Re: [pfSense] insert a pfsense box to handle high network load (botnet attack)

2013-09-06 Thread Seth Mos
On 6-9-2013 2:56, Roberto Nunnari wrote:
 Hi all.
 
 I have a problem with my home internet connection.

Aha!

 My vdsl router gets on the wan interface about 40-50 requests per second
 on port 80 and when I configure it so that it forwards that traffic to
 my web server, the router can't bear the load and freezes after a few
 seconds. All that traffic is not normal.. it's a botnet attack.. on my
 server I have scripts that examine the logs and add the violator IPs
 as DROP in iptables. After a week, this morning I counted over 140'000
 unique IP DROP entries! The server seems to face well the attack.. but
 when the load it's so high, the vdsl router just freezes.

It's running out of ram, all 8MB of it.

 So, I thought I may configure the vdsl router as a bridge and put a
 pfsense box in between the bridge and my home network.

Sane choice.

 Apart from the fact that yet I don't know how the router will behave
 when configured as a bridge (will it bear the network load? what will

Yes, it will work fine, it does not need to maintain any state that
consumes memory for forwarding traffic.

 happen to the four lan ports? only one will be left active?), I would

That depends entirely on the software in the modem, often all 4 stay
active, but you can only build one pppoe session.

 like to know how should I configure the pfsense box.. I mean.. would it
 be enough to just move the configuration from the vdsl router to the
 pfsense box? The vdsl router is now configured with PPPoE over PTM
 (POTS).. would it be fine if I configure pfsense as PPPoE on the wan
 interface?

Just PPPoE is fine.

Regards,
Seth


Re: [pfSense] A unique problem requires a unique solution. PFsense behind shorewall

2013-09-05 Thread Seth Mos
On 5-9-2013 13:09, Asim Ahmed Khan wrote:
 Hi,
 
 Let me first briefly explain my setup. I have redundant internet link
 from two ISPs. Before pfsense, I was using two gateway boxes. One for
 each internet link. Each box is CentOs, with Shorewall + Squid. I have
 certain rules imposed on each box. Each box has two NICs, one for the public
 IP from the ISP, and one for LAN.
 
 Now to implement failover and few other things, i setup a pfsense box.
 Now network is like :
 
 Both Gateway boxes' public interface has been reconfigured on different
 subnet which is being shared by pfsense's local NIC. i.e. Both old
 gateways get internet from pfsense instead of ISPs.
 
 Now what I need to do (or at least know if possible), is to be able to
 see who from my LAN is consuming most bandwidth. pfsense provide
 bandwidthd for that. But the problem is, pfsense only see the two
 clients connecting to it and those are public interfaces of gateway
 boxes. So I can't get the real picture. Is there any way pfsense can see
 who actually is sending request to pfsense through public interface of
 gateway ?

Maybe I'm mistaken here, but the shorewall devices are behind your
pfSense firewall and they perform NAT making only those 2 addresses visible.

If that is the case you need to set up static routes on pfSense and drop
the NAT on the gateway boxes.

I'm not understanding too well why you don't put everything into one
box, or maybe add carp for failover. This seems very convoluted.

Regards,

Seth



Re: [pfSense] Dibbler-client PD under PfSense

2013-05-29 Thread Seth Mos
On 29-5-2013 10:13, Slawomir Kosowski wrote:
 Thanks for your reply. 
 Following the advice, we've configured WAN in SLAAC, and then tried to
 do track interface on LAN, but there was no interface in roll-down menu.
 Not sure why (probably done something wrong - what ?).
 Isn't it caused by function get_configured_interface_with_descr() - line
 1863 in interfaces.php ?

Normally on 2.1, you select DHCP6 on the WAN interface and select the
correct prefix size provided by the ISP.

Then, you can set the LAN interface to track the WAN interface and
enter 0 for the prefix ID.

This should automatically configure the LAN interface and setup RA and a
DHCP6 service on the LAN for hosts. If the prefix size from the ISP is
large enough the DHCP6 service should automatically configure internal
DHCP-PD as well for downstream routers.

The Wide dhcp6c client should just work.

Regards,
Seth

 We've tried to use DHCPv6-PD to get our PD from ISP and uncommented
 lines 1768 to 1784  in interfaces.php, however, our ISP provides 10
 byte-long DUID which was not compatible (not sure how it goes with RFC
 3315). Maybe it's due to our ISP's configuration, but they're using
 Cisco to deliver IPv6.
 Anyway, we've only managed dibbler-client to run with that, so this is
 why we compiled it to run on PfSense. 
 We're always keen on seeing a simpler solution. Working in limited time
 with open-source is sometimes hectic ...
 
 BTW: any news about: http://forum.pfsense.org/index.php?topic=40186.0 ?
 
 Best
 Slawomir Kosowski
 
 


Re: [pfSense] pfSense as a datacentre router (was: dual ISP BGP)

2013-05-29 Thread Seth Mos
On 29-5-2013 11:05, Chris Bagnall wrote:
 On 29/5/13 9:39 am, Eugen Leitl wrote:
 Which hardware are you using? If you're pushing 5 GBit/s you
 might be running into hardware limitations. There was a thread
 about it on nanog a week or two ago.
 
 I'm quite impressed Mikrotik hardware is able to sustain 5Gbps with full
 BGP tables from multiple transits to be honest.
 
 Is anyone using pfSense's BGP package with 2.1 and v6 support? Given our
 usage in this case is a great deal less than 5Gbps, I'm seriously
 considering giving it a try - it would certainly make management a lot
 easier, and mean they wouldn't need to call me every time they want to
 change a VLAN config :-)
 
 But v6 is a requirement. I couldn't in all good conscience deploy
 something that isn't v6 capable these days.

It works for me.

Keep "Listen on IP" blank (a v4 address here causes issues), fill in "Router IP".
Add both networks (v4 or v6) in the networks rows.

Configure the IPv4 and IPv6 neighbors.
In the neighbor config, configure the remote neighbor v6 address and then
add a row for "Remote AS" with the remote AS.
Add a row "Local Address", and fill in the local v6 address here.

It's been connected dual stack here for about 7 weeks now, but it's a
test box not passing traffic.

Cheers,

Seth




Re: [pfSense] Remote office redundancy

2013-05-24 Thread Seth Mos
On 23-5-2013 17:17, Peter Milazzo wrote:
 Hi All,
 
 I have a remote office running version 2.0.3 with a T1 that has been
 stable for years and recently added a Cable connection on a second WAN
 port for faster web browsing etc... both connections are setup for
 failover. There is also an IPsec tunnel that is configured to connect
 this office with our main office for VOIP calls between offices and
 access to servers, etc... 
 
 My questions are, do I need to setup a second IPsec tunnel for the cable
 connection (which I believe you can't do) if it fails over  and what
 will the routing look like? Is there a better way to set this up to
 accomplish the redundancies?

In 2.1 you can make the IPsec endpoint a gateway group for failover. If
you also create a dynamic DNS entry with that same failover group the
remote can automatically reconfigure if needed.

I currently use this on 1 site with 2.1.

Regards,

Seth



Re: [pfSense] Need advise or best practice for pfsense NAT

2013-05-22 Thread Seth Mos
On 22-5-2013 6:27, Makara wrote:
 Hi List,
 
 We are using pfsense for NAT purposes, around 1000 concurrent customers
 and the bandwidth is around 500MBPS. We have a problem: the pfsense gets
 stuck every 1 or 2 weeks.
 
 HW: Dell Optiplex 7010
 OS: Pfsense 2.0-RC3 (we downgraded from the latest version because there
 were too many problems with that version)

When pushing that much traffic with that amount of customers I recommend
purchasing 2 real servers with Intel network cards and ECC memory and
setting up a CARP cluster.

Regards,

Seth


Re: [pfSense] SOHO Router for VPN to pfSense

2013-05-01 Thread Seth Mos
On 29-4-2013 16:01, j...@millican.us wrote:
 On 4/29/2013 9:35 AM, j...@millican.us wrote:
 Hello,

 Thank You,
 JohnM
 Forgot to add that I have been looking at the Buffalo WZR-300HP. Any
 opinions?

We almost exclusively use Draytek Vigor routers with IPsec tunnels and
pfSense. We use Dell PowerEdge R310 servers as the endpoint.

We have about 300 tunnels. We always had the Draytek Vigor 2800VGI
model, but are now moving forward with the Draytek Vigor 2850 model; it
is an ADSL/VDSL combo modem, supports 3G/4G via USB stick (we use the
Huawei E392) and also Ethernet WAN using port 4 of the gigabit LAN ports.

It's a very versatile model.

Regards,

Seth


Re: [pfSense] Shell Logout time

2013-04-26 Thread Seth Mos
On 26-4-2013 10:48, Odhiambo Washington wrote:
 I am using ShellGuard as the ssh client. My ssh sessions don't time
 out with other hosts except my pfSense box. My pfSense box is
 connected to the same switch as my workstation PC so I am lost as to
 what causes these timeouts. BTW, I think it's just with this 2.0.3 box
 I am seeing the timeouts.

If you have state killing activated and/or are connecting to the external
address of the pfSense box, this could cause it.

If you have NAT reflection enabled and/or a NAT forward you are
connecting through (interface set to any), that could cause this too.

Cheers,
Seth
 
 On 26 April 2013 11:32, Espen F. Johansen pfse...@gmail.com wrote:
 Try turning on tcp-keepalive in your ssh client; this fixes it for PuTTY,
 for example.

 Espen F. Johansen





 On 25. april 2013 21:57:23 Jerome Alet jerome.a...@univ-nc.nc wrote:

 Hi,

 On Thu, Apr 25, 2013 at 12:37:36PM -0400, Jim Pingle wrote:
 On 4/25/2013 11:20 AM, Odhiambo Washington wrote:
 Whenever I am logged into my pfSense box via SSH, I always get logged
 out within some time, even when I am running something. Where can I
 change that timeout value?

 As others have mentioned there is no timeout value. pfSense will leave
 active connections open, even if idle, for 24 hours at least. A WAN
 getting disconnected would flush its states, or there could be something
 else involved cutting them off.

 I've noticed the very same problem when connecting through ssh directly
 from my PC to our slave pfSense in our cluster of two: automatic
 disconnect from the slave after maybe one minute or even less.

 If I first connect to the master pfSense from my PC, then from there to
 the slave, there's no disconnection.

 I've never noticed such a problem when connecting to the master.

 bye

 --
 Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système
 d'Information
 Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
 Tel: +687 290081  Fax: +687 254829


Re: [pfSense] Dandy pfSense appliance

2013-04-25 Thread Seth Mos
On 24-4-2013 20:18, Chris Bagnall wrote:
 On 24/4/13 7:05 pm, Mathieu Simon wrote:
 Depends what you think of as high specs: many 1 GE ports or even 10 GE,
 lots of cores etc?
 
 FWIW, we've been using the ALIX boards for several years, and despite
 their apparently low spec, they'll happily route an FTTC 80Mbps/20Mbps
 connection without breaking too much of a sweat.

+1
60/6 Ziggo cable internet

 Also worth mentioning that in my experience, WiFi is best done with a
 separate access point (or access points). It enables you to position it
 in the best location for signal dispersion, which might not be the same
 location as your internet connection's ingress.

+1
I use 2 Linksys E3000 units with DHCP disabled as a 4 port Gigabit
switch with AP. One in the living room, and another upstairs. 5GHz
doesn't get through concrete ceilings very well, but the speed is excellent.

Cheers,
Seth




Re: [pfSense] Dandy pfSense appliance

2013-04-25 Thread Seth Mos
On 25-4-2013 10:30, Odhiambo Washington wrote:
 What I meant with high specs is to do with CPU, Disk Storage and RAM.
 Why? For instance in the particular case I went to address, there was
 a DDoS issue. Some app installed on one of the computers on that LAN
 was sending millions of HTTP GET requests to www.ffssc.net. In just
 about 5 minutes, my squid log file had grown to 50MB! If this was a
 small appliance, I am thinking it would have given up on service in no
 time. So high specs for me means something like 256MB or more
 storage, 1GHz+ CPU and say, 1GB+ RAM - but still small enough in size
 to fit into my backpack. That would be my Swiss Knife for network
 troubleshooting when needed.

Find a nice Intel Atom board with dual gigabit NICs; VLANs are optional
but should at least suffice for a quick replacement.

We recommend Intel SSD drives, these have failed the least for me
at least. A 40GB thingy should suffice for pfSense easily.

There are quite a few smallish portable cases for the mini itx boards.

Cheers,

Seth



Re: [pfSense] Dandy pfSense appliance

2013-04-25 Thread Seth Mos
On 25-4-2013 10:42, Odhiambo Washington wrote:
 Hi Seth,
 
 Any pointers to these Intel Atom boards with dual NICs?? Gigabit or
 otherwise, I think I am looking for something like that.

I see the Lexcom Brik with 4x LAN. Or a Lanner LEC2055
http://www.lannerinc.com/DM/LEC-2055_DM.pdf

We use a FW7535 at work, and it's been fine so far. It has 1GB of RAM
and a laptop disk.

Cheers,
Seth



Re: [pfSense] Dandy pfSense appliance

2013-04-25 Thread Seth Mos
On 25-4-2013 11:39, Odhiambo Washington wrote:
 Hi Seth,
 
 Did you install pfSense (or other OS) in these? I am looking for how
 to connect the display :)

pfSense 2.1 with serial console.

 


Re: [pfSense] help

2013-04-24 Thread Seth Mos
On 24-4-2013 18:24, Chris Bagnall wrote:
 Some ISPs that are particularly stingy with IPs and bad at routing have
 been doing this.
 
 I might be missing something, but it does seem like a pretty awful, and
 at best very temporary 'solution' to IPv4 shortage.
 
 I must admit if I were the OP, I'd probably be looking for a new DSL
 provider.
 
 Roll on widespread v6 adoption and NAT64 for access to the 'legacy
 internet' :-)

It looks like 464xlat is one of the better things that has come forth,
however, it needs to be implemented on the client.

Till that time, DNS64 and NAT64 will have to do. And it ain't pretty.

Dual stack if you can, folks! The water is fine!

Cheers,

Seth



Re: [pfSense] native IPv6 static

2013-04-03 Thread Seth Mos
On 2-4-2013 23:58, Fuchs, Martin wrote:
 I have an installation in Switzerland with native IPv6 with a /48 net.
 
 It's needed to configure it with static IPv6 on the WAN interface; I too can
 ping the external WAN IPv6 address.

The ISP should have set up a static route for the delegated /48 to the
external WAN address, just like routed subnets in IPv4 (with a /30 uplink).

Some of the ISPs will route the delegated /48 network per default to
WANprefix::2 which should be your WAN Address.

Other ISPs use the 1st all zeros prefix from the /48 for the WAN and
route to PDprefix::2 which should be your WAN address. The drawback
of this is that you can never use the all zeros prefix on your LAN,
which is a shame because it is shorter to write.

For the LANs you set up static routing, DHCPv6 and RA just like you
would previously. It is not required to route both IPv4 and IPv6 in the
same pfSense install (Dual Stack), but it is the most common.

Since IPv6 is an entirely new and different network you can set up
different CARP clusters for IPv4 and IPv6; we actually have some of
those installs still working today within the pfSense project as part of
the early deployment.

People should be thinking of this as migrating off IPX ;)

Kind regards,

Seth


Re: [pfSense] pfsense reload config.xml problems

2013-03-27 Thread Seth Mos
On 27-3-2013 2:43, Simon tiong wrote:
 Dear All,
 
 I am Simon from Malaysia.
 I faced an error when I manually edited the config.xml, and my concern is
 to do this without any firewall reboot needed.
 Basically I changed the IP address for my LAN interface from 10.2.28.1
 to 10.10.10.1.
 
 I have committed:
 1) rm /tmp/config.cache
 2) /etc/rc.reload_all
 
 Whereby the commands above will refresh and reload all firewall
 configuration.
 
 But I found that the new IP does not update on the DashBoard widget, but
 it does change inside the LAN configuration, under interface.php.
 
This is exactly why it is not supported. I'd say edit and save the LAN
interface and see if that fixes it without a reboot.

Regards,

Seth



Re: [pfSense] HA and bgp

2013-03-20 Thread Seth Mos
On 20-3-2013 0:29, Zach Underwood wrote:
 I am setting up a pair of pfsense servers in front of a web hosting
 setup. I have two firewalls, two network switches (layer 3 stacked), and
 two isp links using BGP. I plan on using OSPF on the network switches to
 pass the routing tables to pfsense. The way I am thinking of doing it is this
 way:
 https://docs.google.com/drawings/d/1AE-Uif6n0qrFxnDp6JkxUPaYEwVZJoa69pnCMAIW-4E/edit?usp=sharing
 Is this the best way or is there a better way?

Indeed it looks right from here.

The situation will be as follows: you set up iBGP or OSPF between the 2
pfSense hosts. Careful with OSPF that you don't accidentally export
internal routes to BGP.

Each pfSense node should have 1 session with a BGP peer but a shared LAN
CARP address. You should never tie the BGP session to a CARP address,
and often that isn't even possible because you get an unroutable /30
uplink anyhow.

- If a pfSense node fails, internal BGP/OSPF will re-route the traffic
out the other pipe.
- If a BGP session drops, internal BGP/OSPF will re-route the traffic.
- LAN hosts always use the CARP address as the gateway.
- You can not do stateful firewalling on the pfSense nodes; traffic is
inherently asymmetric when using BGP (e.g. traffic goes out BGP1 but
returns on BGP2).

Regards,
Seth


Re: [pfSense] Blocking Websites

2013-03-04 Thread Seth Mos
On 1-3-2013 22:44, Kevin Hayes wrote:
 Hello,
 
 I am trying something that I thought would be fairly simple but is
 turning out to be more confusing than I had hoped.
 
 We have several computers that are considered critical and I would like
 to block the internet except for a short list of approved websites that
 may be accessed from those desktops. What would be the easiest
 suggestion on how to do this? I've been looking at pfBlocker and it
 seems by its description to do what I need; I found where I can block
 whole countries but not specific sites on specific IP addresses.

A proxy server is well suited for this purpose. Block outbound traffic
and set up a transparent proxy.

If that's not possible a manually configured proxy also works; the trick
is to make sure they can't access 80 and 443 without going through the
proxy. That's what a firewall rule on the LAN accomplishes.

It's a good policy in larger corporate networks to block outbound
traffic per default. You have very granular controls on what people can
access through the proxy, because it also accomplishes this for HTTPS.

Regards,

Seth


Re: [pfSense] firewall rules: destination host or network

2012-09-18 Thread Seth Mos

On 18-9-2012 8:23, Vieri wrote:

 Hi,

 I'm having trouble understanding a very simple concept.

 Suppose I have several interfaces, eg. lan, wan, dmz, corp2.
 Most public IP addresses are in 'wan' but some may be accessible through
 'corp2'.
 Let's say I would like to add a firewall rule for a specific destination.
 I can create an alias or specify a network or single host but how do I apply a
 rule from lan to a specific host in wan?
 eg. lan single host 10.215.144.48/32 can access 8.8.8.8/32 through 'corp2' but
 cannot access 8.8.8.8/32 through 'wan'.

 Should that be done only through static routing?

Firewall rules are top down.
Make an allow rule for that single host and a block rule below that.

Cheers


Re: [pfSense] pfSense 2.0.1-RELEASE, Restoring partial config.xml does not work

2012-07-23 Thread Seth Mos
Good news. Support for just that and a few other items has been included in
pfSense 2.1

Regards,
Seth

Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

 On 23.07.2012 15:10, Oliver Hansen wrote:
  Hi Stefan, I can't be sure but I think I have run into this before. Have
  you tried uploading a config with ONLY those parts that you want to
  change? I think it is intended to be restored from a backup that only
  contained those parts.

 While it indeed does work that way, it doesn't really make sense to me.

 If I cannot import selected sections from a full config.xml, what would
 the select menu be good for?
 And if I only have a partial config, say, I saved the aliases, then
 obviously I would want to restore the aliases from it and not the
 (non-existent) firewall rules.

 IMO, this is a bug that needs to be fixed.

 -Stefan


Re: [pfSense] wan interface losing ip address

2012-07-18 Thread Seth Mos

On 18-7-2012 0:30, b...@bitrate.net wrote:

 Jul 17 07:55:30 gw1 kernel: ue0: link state changed to DOWN
 Jul 17 07:55:30 gw1 kernel: ue0: link state changed to UP

I see a few occasions of your ethernet link flapping; it could be a modem
rebooting or something else, a bad cable maybe.

Although it should really recover from this when the link is back. I've
noticed similar behaviour with DHCP on wireless. I have not managed to
debug that further.


Regards,
Seth

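The check behind the reply above, as an added example rather than code from the list or from pfSense: it reads kernel "link state changed" lines, pairs DOWN/UP transitions per interface, and flags interfaces that cycle repeatedly inside a short window, which separates a flapping uplink from a single modem reboot. The log excerpt is constructed around the two lines quoted in the thread, and the year is assumed because syslog omits it.

```python
"""Count link flaps per interface in FreeBSD kernel log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the two lines quoted in the thread; syslog
# lines carry no year, so ASSUMED_YEAR pins one for parsing.
ASSUMED_YEAR = 2012
SAMPLE_LOG = """\
Jul 17 07:55:30 gw1 kernel: ue0: link state changed to DOWN
Jul 17 07:55:30 gw1 kernel: ue0: link state changed to UP
Jul 17 07:58:02 gw1 kernel: ue0: link state changed to DOWN
Jul 17 07:58:05 gw1 kernel: ue0: link state changed to UP
Jul 17 08:10:44 gw1 dhclient: New IP Address (ue0): 203.0.113.42
Jul 17 12:01:09 gw1 kernel: em1: link state changed to DOWN
Jul 17 12:01:10 gw1 kernel: em1: link state changed to UP
"""

# Only kernel link-state lines match; dhclient and other noise is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<ifname>\w+): link state changed to (?P<state>UP|DOWN)$"
)


def parse_link_events(log_text, year=ASSUMED_YEAR):
    """Return [(timestamp, ifname, state)] in log order (assumed chronological)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ifname"], m["state"]))
    return events


def flap_counts(events, window_minutes=10):
    """Per interface: number of DOWN->UP cycles, and the largest number of
    cycles that complete within any span of `window_minutes` (a burst)."""
    window = timedelta(minutes=window_minutes)
    pending_down = {}   # ifname -> timestamp of the DOWN not yet closed by an UP
    cycle_ends = {}     # ifname -> timestamps of UPs that closed a cycle
    for ts, ifname, state in events:
        if state == "DOWN":
            pending_down[ifname] = ts
        elif ifname in pending_down:
            cycle_ends.setdefault(ifname, []).append(ts)
            del pending_down[ifname]
    result = {}
    for ifname, ups in cycle_ends.items():
        burst = 0
        for i, start in enumerate(ups):
            burst = max(burst, sum(1 for u in ups[i:] if u - start <= window))
        result[ifname] = {"cycles": len(ups), "max_in_window": burst}
    return result


def flapping_interfaces(log_text, threshold=2, window_minutes=10):
    """Interfaces with at least `threshold` complete cycles inside one window."""
    counts = flap_counts(parse_link_events(log_text), window_minutes)
    return sorted(i for i, c in counts.items() if c["max_in_window"] >= threshold)


if __name__ == "__main__":
    for ifname, c in flap_counts(parse_link_events(SAMPLE_LOG)).items():
        print(f"{ifname}: {c['cycles']} cycles, worst burst {c['max_in_window']}")
    print("flapping:", flapping_interfaces(SAMPLE_LOG))
```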


Re: [pfSense] Forwarding Protocol 41 for 1:1 IP Addresses

2012-06-27 Thread Seth Mos
Good question,

On 27 Jun 2012, at 20:53, Yehuda Katz wrote the following:

 I would like to add an HE IPv6 tunnel to two of my servers without adding a
 tunnel for the whole network.
 I was looking at adding an option for each 1:1 to forward protocol 41 just
 for that public IP. (maybe a checkbox on the 1:1 create/edit page)
 Is there any reason this would not work?

Theoretically not impossible. A port forward might be a better match though;
rdr is a forward, binat is a 1:1, and I don't think binat allows for protocol
selection.

 If I understand the code correctly, a rule would look something like:
 rdr on {$natif} proto ipv6 from any to {$dstaddr} -> {$target}

binat on {$natif} proto 41 from {$endpoint} to {$dstaddr}

Perhaps; patches accepted.

Cheers,
Seth


Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)

2012-06-21 Thread Seth Mos
Hi,

On 22 Jun 2012, at 04:30, Moshe Katz wrote the following:

 On Wed, Jun 20, 2012 at 4:50 PM, Jerome Alet jerome.a...@univ-nc.nc wrote:
 Hi there,
 
 While playing with gateways and monitoring alternative IP addresses,
 I've noticed a problem.
 
 When you add an alternative IP address to monitor, a static route is
 added between the gateway address and the address to monitor.
 
 But when you delete this alternative IP address, click on save and
 then on apply changes, the static route is not removed as can be seen
 with netstat -nr.
 

This is a clear bug; it's supposed to delete the route to that host. Is this a
v4 or v6 monitor IP? I could see the delete command failing for IPv6 here.

Cheers,

Seth

 I opened an issue in the pfSense Redmine to track this: 
 http://redmine.pfsense.com/issues/2513
 
 Moshe
 
 --
 Moshe Katz
 -- mo...@ymkatz.net
 -- +1(301)867-3732
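A way to find the leftover routes the thread describes, added here as an example and not code from pfSense or from the list: pfSense installs a host route to each alternative monitor address via its gateway, so after a monitor is removed from the GUI, any host route through a gateway that no configured monitor (or known static route) explains is suspect. The `netstat -rn` dump below is constructed in FreeBSD's format; on a real box pipe the real output in with `netstat -rn | python3 this.py -`.

```python
"""Spot orphaned gateway-monitor host routes in FreeBSD `netstat -rn` output."""
import ipaddress
import sys

# Constructed sample in FreeBSD `netstat -rn` layout, not captured from a real box.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0   123456    em0
8.8.4.4            203.0.113.1        UGHS        0      312    em0
8.8.8.8            203.0.113.1        UGHS        0      512    em0
127.0.0.1          link#5             UH          0       12    lo0
192.168.1.0/24     link#2             U           0      800    em1

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           2001:db8:1::1                 UGS         em0
2001:db8:ffff::1                  2001:db8:1::1                 UGHS        em0
"""

# What the GUI currently has: (monitor IP, gateway IP) pairs. In the sample,
# 8.8.4.4 and 2001:db8:ffff::1 were removed from the GUI, so their routes are stale.
CONFIGURED_MONITORS = {("8.8.8.8", "203.0.113.1")}


def parse_host_routes(netstat_text):
    """Yield (destination, gateway) for single-host routes that go via a
    gateway address: flags carry both H (host) and G (gateway)."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        dest, gw, flags = fields[0], fields[1], fields[2]
        try:
            ipaddress.ip_address(dest)  # "default", "::/96", "10.0.0.0/8" raise
            ipaddress.ip_address(gw)    # "link#2" raises
        except ValueError:
            continue
        if "H" in flags and "G" in flags:
            yield dest, gw


def stale_monitor_routes(netstat_text, monitors, known_static=frozenset()):
    """Sorted (dest, gateway) pairs that neither a configured monitor nor a
    known static route accounts for; on pfSense these are the likely leftovers."""
    expected = set(monitors) | set(known_static)
    return sorted(r for r in parse_host_routes(netstat_text) if r not in expected)


def cleanup_commands(stale):
    """route(8) commands that would remove each stale entry. IPv6 entries need
    -inet6, the case the thread suspects of failing in the automatic delete."""
    cmds = []
    for dest, gw in stale:
        fam = "-inet6 " if ipaddress.ip_address(dest).version == 6 else ""
        cmds.append(f"route delete {fam}-host {dest} {gw}")
    return cmds


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_NETSTAT
    stale = stale_monitor_routes(text, CONFIGURED_MONITORS)
    for dest, gw in stale:
        print(f"stale host route: {dest} via {gw}")
    for cmd in cleanup_commands(stale):
        print(f"review, then run: {cmd}")
```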


Re: [pfSense] Question about failover setup

2012-06-20 Thread Seth Mos

On 20-6-2012 5:34, Jerome Alet wrote:

 Hi,

 On Tue, Jun 19, 2012 at 08:35:38AM +0200, Seth Mos wrote:

  On 18-6-2012 23:26, Jerome Alet wrote:

   So now that I'm trying to replicate the OpenBSD configuration on my
   pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP
   addresses on each vlan and what are the consequences of using only one
   on the carp interface ?

  For pfSense you definitely need 3 addresses per vlan.

 Thanks for your answer.

 No, maybe a stupid question... Is it mandatory that all three addresses
 are in the same subnet, or is it possible to have the virtual one in a
 different subnet than the two real ones (still all three would be on
 the same vlan, but on different subnets) ?

Mandatory; how would the pfSense firewall itself reach the internet for
DNS and updates? It can't source everything from the CARP VIP. Although
theoretically the traffic going through the firewall should be
unaffected. It's a crapshoot though that generally does not work too well.


We hope that the CARP overhaul that is included in FreeBSD9 will help us 
in this case, but we can't guarantee that it will work this way either.


Regards,

Seth


Re: [pfSense] Question about failover setup

2012-06-19 Thread Seth Mos

On 18-6-2012 23:26, Jerome Alet wrote:

 Hi there,

 So now that I'm trying to replicate the OpenBSD configuration on my
 pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP
 addresses on each vlan and what are the consequences of using only one
 on the carp interface ?

For pfSense you definitely need 3 addresses per vlan.

You can not set it up without. Maybe the OpenBSD cluster used carpdev,
which FreeBSD does not have.


Cheers,

Seth



Re: [pfSense] CARP with public IP's and managed GW

2012-06-12 Thread Seth Mos
Not with bridging, no.

Cheers,
Seth

On 12 Jun 2012, at 23:55, bsd wrote the following:

 Hello,
 
 
 I have an ISP which is providing me a block of public IPs /27 and a GW
 (managed GW inside the given block).
 Generally in order to filter in such a situation, I create a bridge on the WAN
 and filter on the bridged if.
 
 I wanted to know if it was possible to use CARP in such a situation and how to
 proceed?
 
 
 Sincerely yours. 
 
 G.B. 
 
 - Grégory Bernard, Director -
 www.osnet.eu


Re: [pfSense] High interrupt load on LAGG with LACP

2012-06-05 Thread Seth Mos

On 5-6-2012 3:53, Glenn Kelley wrote:

 Good to know.

 For us we just need 100-300mbps in the sky (literally 300 foot up a tower)

The soekris net6501 may be a good fit, it can do PoE IIRC. It's a
600-1.6GHz Intel Atom.

I've benchmarked the faster Intel Atom 1.8 dual core in a Lanner Inc
FW7535 at 220mbit full duplex.


Cheers,

Seth


[pfSense] HEADSUP: 2.1 snaps currently broken

2012-06-03 Thread Seth Mos
Under investigation, please hold off.

More later.

Seth


Re: [pfSense] Duplicate icmp echo

2012-06-01 Thread Seth Mos
Hi,

On 1 Jun 2012, at 23:03, David Miller wrote the following:

 I have pfsense 2.01-release, built Mon Dec 12 17:53:52 EST 2011 running on a
 soekris 6501.
 
 The WAN port is seeing duplicate icmp echo requests, and it happens
 bi-directionally:
 tcpdump run on the pfsense box shows duplicate incoming packets.
 
 This only happens on the WAN port.
 
 
 Where do I look for why this is occurring?

I have seen this occurring in multiple places, but often wireless or something
else with large buffers. The latency doesn't seem too bad though.

Cheers,

Seth


Re: [pfSense] modern hardware selection

2012-05-29 Thread Seth Mos

On 29-5-2012 15:50, Vick Khera wrote:

 Also, I have three IPsec VPNs connecting to other data centers and the
 main office, which need to push at peak 40Mbps for a couple of hours a
 day during backups.

I use Dell PowerEdge 860 servers with a Core i3 3.2GHz and I can flatten
my 100Mbit pipe with it over IPsec.


Cheers,

Seth



Re: [pfSense] OpenVPN: offsite configuration

2012-04-25 Thread Seth Mos
Hi,

To make sure things stay working as they are, I have a hostname in the remote
access list so that even if the main office needs to relocate (DR) I can still
access the remote machine.

I also ship routers with a dyndns name that every now and then will turn up an
RFC1918 IP but I can still see where the host came from.

It has served me well over the years.

Cheers,
Seth

typed on a tiny touchscreen, why exactly?

Gavin Will gavin.w...@exterity.com wrote:

 I have shipped pfSense boxes before.

 What I do is setup remote access to the web configurator (only allowing the
 source address of our main office) and then post the box.

 If the WAN is dhcp then you are all set, get a person at remote office to do a
 "what is my ip" or http://forum.pfsense.org/ip.php and get them to tell you
 the remote ip

 Connect up via https://remoteip

 Only issue would be if it is PPPoE or static but in theory you should know this
 before the service is live and can preconfigure.

 The nature of OpenVPN is you have a client and a server. The client IP can be
 dynamic so you can configure the OpenVPN before shipping and it will connect
 as soon as it has a public IP.

 Gavin


 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
 On Behalf Of runi...@gmail.com
 Sent: 25 April 2012 08:54
 To: pfSense support and discussion
 Subject: [pfSense] OpenVPN: offsite configuration

 I'm new to pfSense and OpenVPN but my questions cross both products.

 Is it conceivable to ship a pfSense system to a remote office location and
 have the onsite systems tech set the public IP address using some simple
 instructions?

 Can OpenVPN be configured in such a way that the same shipped system, as
 above, be pre-configured as a client with the OpenVPN server (PSK) address
 pre-set so once the public IP address is added the VPN connection will come up?

 Once again, the pfSense system will be shipped to a remote office with an
 inexperienced local technician required to install on the internet.
 I am hoping to do as much of the configuration before shipping to minimize
 what the technical guy at the remote site will have to do to bring the office
 online.

 I hope these questions make sense to the group.

 Thanks,  R


Re: [pfSense] pfSense product support lifecycle?

2012-04-24 Thread Seth Mos

On 24-4-2012 9:13, Stefan Baur wrote:

 Hi list,

 The thing is, I rolled out 2.0.1 (upgrading from 1.2.3) between November
 2011 and February 2012, IIRC. I'd prefer to stay on 2.0.1 for a while,
 as I don't need the IPv6 features of 2.1 just yet. I'm just wondering
 how long after June 6, 2012 it will be safe to do so.


Well, we currently only really support the last one. The product mostly 
evolves through repetition.


There's a lot of other fixes unrelated to IPv6 in 2.1 that you'll find 
which you will probably like.


Of course we don't immediately drop the old release the moment a new one 
arrives. But all efforts go into the last one mostly.


Regards,

Seth


Re: [pfSense] IPv6 configuration in a delegated /64

2012-04-23 Thread Seth Mos

On 23-4-2012 9:53, bsd wrote:

 On 23 Apr. 2012 at 07:38, Seth Mos wrote:

 So do you think I could manage to have a full IPv6 support on LAN by using
 DHCPv6 on WAN ?

 How would you manage to achieve this ?


If you want to use DHCP6, select it on the WAN, Select a Prefix 
Delegation size.


The smallest prefix delegation you can request is /64, which is length 
0. If this is set to None, pfSense will only request an address, not a 
prefix.


You can configure the LAN interface as Track Interface for IPv6 and it 
should automatically configure the LAN interface appropriately.


Regards,

Seth


Re: [pfSense] Upgrade 2.0.1 to 2.1

2012-04-23 Thread Seth Mos

On 23-4-2012 11:02, Eugen Leitl wrote:

 On Sun, Apr 22, 2012 at 10:54:51PM -0400, Chris Buechler wrote:

  On Sun, Apr 22, 2012 at 10:47 PM, Drew Lehman dleh...@digitatech.com wrote:

   Apparently the Git option is no longer valid to upgrade 2.0.1 to 2.1 since
   so much has changed. Does anyone know if there is an upgrade image
   someplace or do I need to backup the settings and wipe it all?

  There are snapshots.
  http://forum.pfsense.org/index.php/topic,47540.0.html

 Is it realistic to expect 2.1 with full IPv6 support by 6th June?


Define Full.

If you want to get onto the IPv6 internet, then yes, most of the things 
work. Static IPv6, DHCP6, PPPoE+DHCP6, 6to4 (Tunnel), 6rd (Tunnel, 
limitations) and 6in4 (Tunnel). Those are confirmed working.


Theoretically PPtP with DHCP6 should work but I don't have access to it.

Basic firewalling is not an issue; if you run packages you'll find that 
almost none support it yet. This is partly outside of our control.


CARP clusters work as long as you use static addressing and do not 
advertise the router. We can not yet advertise the CARP addresses, which 
is required for that.


If you have CARP and you want to serve clients with this, the only 
workaround currently is running only a router advertisement on 
the Master and not the backup. This will be fixed before 2.1-RELEASE.


On the server side it's a bit less: PPPoE Server and PPtP server don't 
support it. Pushed off for 2.2.


OpenVPN server works, as does the Windows Client. Both Viscosity and 
Tunnelblick don't support it either yet.


IPsec works for both IPv4 and IPv6 tunnels.

I've attached a PDF that might help.

We hope to release 2.1 before June 6th still.

Cheers,

Seth


pfSense IPv6 Status.pdf
Description: Adobe PDF document


Re: [pfSense] Upgrade 2.0.1 to 2.1

2012-04-23 Thread Seth Mos

On 23-4-2012 14:30, Chris Bagnall wrote:

 Are there any plans to incorporate something like NAT64 (or another
 4-to-6 translation method) to allow v6-only networks?


Yes, for 2.2 at its earliest. There is a patch for pf in OpenBSD in 
circulation but that's not useful right now.


http://redmine.pfsense.org/issues/2358

Any NAT that translates from one address family to another is a huge 
pain since any sort of handle on it is obscured.


It combines with DNS64 which translates A records into crafted AAAA 
records; you can probably see where this is going from here.


Then another NAT64 gateway downstream which puts it back on the IPv4 
internet. It doesn't make for a good medium. And you still have double NAT.


So with that in mind I'd rather have CGN/LSN double NAT for IPv4 in the 
future and a clean IPv6 path. NAT444 is already convoluted, and with 
NAT64 it only gets worse from there. It might change in the future.


I now have an IPv6-only internet at work and it's barely useful at all. I 
mean, pfSense works fine with it, and I can do auto firmware updates 
just like normal. But that's because we have our infrastructure online 
on both IPv4 and IPv6.


People that only have IPv6 will run into things like gitsync not 
working, which is a pain because I now can't check out code on the box I'm 
developing on.


I've contacted github but their response is lukewarm at best. A lot of 
companies seem to be in the position that this somehow is not an issue 
for them.


If you operate a website and only have it reachable through IPv4 you 
_are_ going to run into people that only have IPv6 and thus can not 
reach your website.


I'm using GitHub here because that's what the pfSense project uses, and 
lots of people check out the tree using the gitsync playback in pfSense.


Also useful to know is that GitHub does have issues to work through 
DNS64 and NAT64. So much for that.


In the mean time I've setup a haproxy instance in the DC that listens on 
github.iserv.nl which has both v4 and v6 and talks to github.com over 
v4. That way people can still gitsync.


Obviously I can't do that for every website.

Cheers,

Seth


Re: [pfSense] Pfsense Ipad / Iphone - Android - Smartphone App

2012-04-23 Thread Seth Mos

Op 23-4-2012 16:28, justino garcia schreef:

Hi Group,
I noticed Checkpoint, Cisco, Sonicwall, and bunch of other firewalls
have a App for SmartPhones and Tabelts.
Any idea for Pfsense, IPSEC ssl vpn app???
I would like simple setup for vpn
Thanks,


There is an OpenVPN app in the works for Android 4.0 devices, but it's 
not finished yet.


Regards,

Seth



Re: [pfSense] IPv6 configuration in a delegated /64

2012-04-22 Thread Seth Mos
Hi,

On 22 Apr 2012, at 22:03, bsd wrote:

 Hello my friends, 
 
 
 My ISP is providing a full /64 network which looks similar to 
 2a01:e35:2436:7e20::/64

That's the limitation you get with Free.fr, they only subnet a single /64. 
That means it's impossible to put an IPv6 router behind it.

They don't give you the option anywhere to request more than a single /64, which 
is downright silly.

Even 6to4 gives you a /48 by default, and most Dutch ISPs are giving you a /48 
or /56. The smallest I've seen so far is /60, which at least gives you 16 
networks so you can easily place a router behind your connection.


 By activating the DHCP6 on my WAN I have an IPv6 attributed immediately… But 
 on the WAN if ! 

Yeah, there is no going around that, and NPt won't help you either, because you 
don't have a prefix to translate.

If you have a public IPv4 address, or if their CPE allows for it, request a 
tunnel from HE.net. Although that is probably not the answer you wanted. If the 
CPE has a bridge mode you could configure the WAN in pfSense and configure the 
delegated /64 on your lan. Theoretically.

Cheers,

Seth


Re: [pfSense] IPv6 configuration in a delegated /64

2012-04-22 Thread Seth Mos
Hi,

On 23 Apr 2012, at 00:38, bsd wrote:


 If the CPE has a bridge mode you could configure the WAN in pfSense and 
 configure the delegated /64 on your lan. Theoretically.
 
 The CPE has a bridge mode (which I am using since a very long time for IPv4), 
 It allows me to have the IPv4 WAN address on my WAN interface of pfSense. 
 I have configured the /64 on my WLAN, but this doesn't really seem to work… 

Make sure to configure the WAN for 6rd, which is what Free.fr uses. Enter their 
prefix and their tunnel broker address and you should be able to configure the 
6rd prefix on your LAN interface, and that should work really.

Afaict they do not use DHCP6 on the WAN but I could be mistaken. Unless they do 
both 6rd and DHCP6 simultaneously, which is not impossible.

Regards,

Seth




Re: [pfSense] issues with 2.1 snapshot

2012-04-03 Thread Seth Mos

On 3-4-2012 8:33, Brian Henson wrote:

Yes I have it set to managed. I pulled the branch down when I was on 2.0
RC3 and got it working. But this is a fresh install of 2.0 upgraded to 2.0.1


Don't you mean 2.1? IPv6 support is only available there. In 2.0 the 
global IPv6 disable flag would drop all ipv6 traffic.


Regards,

Seth



On Tue, Apr 3, 2012 at 2:33 AM, Seth Mos <seth@dds.nl> wrote:

On 3-4-2012 8:20, Brian Henson wrote:

I have checked the /64 and the WAN is on the WAN and the LAN is set up
right. Files and info requested are below. I had this set up perfectly
before, it's just not wanting to work now.


Yeah, your config file and configuration check out. I wasn't aware
that this setup worked previously.

I see that your network is set to managed, is that correct?

We only just switched out rtadvd for radvd and don't know all the
possible error messages it can throw. And more importantly, for what
reason.

Regards,

Seth








Re: [pfSense] Snapshots are back

2012-03-23 Thread Seth Mos
On 23-3-2012 11:47, Eugen Leitl wrote:
 On Thu, Mar 22, 2012 at 09:48:54PM -0400, Jim Pingle wrote:
 FYI-

 2.1 snapshots are going again.

 http://snapshots.pfsense.org/
 
 Great. How stable are they? Useful for limited production?

There are a couple of tickets open, a bunch related to IPv6 and some others.

There are issues if you are running CARP with IPv6 or CP, and CARP is
currently moving entirely so hold off on that.

For home use with DHCP-PD, Static IPv6 or IPv6 tunnels they work fine.

Regards,

Seth


Re: [pfSense] Parallel setup for testing/migration

2012-03-23 Thread Seth Mos

On 23 Mar 2012, at 19:08, Ugo Bellavance wrote:

 Hi,
 
 During my Checkpoint to pfSense transition, I'll have, during a few days, two 
 ISP active at the same time at the office.  The firewall is the only router 
 of the organisation, but has several networks attached to it.  Would it be 
 possible to have the two firewalls active at the same time and migrate my 
 services one by one?  It doesn't matter if I can't migrate all of my services 
 without interruptions, but if I could test a few things on the new setup 
 before the cutover, it would be nice.

Sure, take care of asymmetric routing which breaks traffic, but if you have the 
free external public addresses in place it should be as simple as changing the 
LAN hosts' gateway to the new firewall.

This can frequently go very wrong though, so do take care of asymmetric routing or 
IP conflicts.

Rebuild the entire network with VMs in ESX, vswitches and all, then bring up 
VMs on various vswitches for testing: ping, TCP, UDP etc.

I rebuilt my entire production work network in ESX, CARP et al., so I can 
perform upgrade testing.

Fire is bad m'kay

Cheers,
Seth



Re: [pfSense] pfSense error, maybe hard drive?

2012-03-22 Thread Seth Mos
On 21-3-2012 18:08, Adam Piasecki wrote:

 What hard drive is recommended for pfSense. Or can someone tell me what
 your running.

Any IDE or SATA drive should do.

If you really want an SSD drive I recommend the Intel 320 series SSD
drives. These have a capacitor inside which means they will survive a
power failure gracefully.

We have 12 of those in a RAID 6 (LSI SAS HBA, external enclosure), and
another few in a RAID 10 (Dell R610).

We also have another 10 or so in various laptops and desktops and have
had zero issues yet.

We are planning to upgrade about 35 more desktops with the 120GB variant
and 350 cash registers with the 80GB variant.

We have about 70 Dell Optiplex 790 desktops which ship with the Samsung
830 series SSD drives which appear to work well too.

For reference, I have a Corsair P256 (Samsung OEM SSD) which is still
working well in my laptop. From the looks of it that's from July 2009 so
it's now over 2 years old.

Regards,

Seth


Re: [pfSense] pfSense error, maybe hard drive?

2012-03-22 Thread Seth Mos
On 21-3-2012 18:40, Jeppe Øland wrote:
 I deployed about a dozen Kingston 64G SSDs about a
 year and a half ago  (in laptops and desktops) and I've seen about a quarter
 of them fail with different symptoms in each case. Garbage
 
 Totally agree. I have gone through 2 Kingston 4GB industrial SSDs so
 far - and it didn't take long either. They fail fast! (Now I'm using
 the 3rd one with an embedded install ... it seems to stay alive when
 nobody is writing to it).

The dirty little secret from Kingston is that they do not manufacture
anything themselves. The situation with SD/CF and microSD cards is horrific.

You can easily end up with cards without proper production information
indicating it's either from a test production runup or overtime
production. Neither of which you want.

http://www.bunniestudios.com/blog/?page_id=1022

The Intel drives are a bit more coherent since they take a far different
approach to manufacturing: they have used either their own 10 channel
controller design (X25-M/320 series) or the Marvell controller (520
series). They coupled that with their own joint venture IMFT flash.

That is a very tightly coupled process.

Samsung does it very similarly. The PB22J was their own design and memory, as
were the 430 and 830 series. Which is probably the biggest reason for
its success with the large OEMs like Dell and Apple.

Regards,

Seth


Re: [pfSense] icmp best practices

2012-03-19 Thread Seth Mos
Hi,

On 19 Mar 2012, at 19:16, Adam Thompson wrote:

 Denying ICMP is mainly only useful in the Security By Obscurity model.
 There are many valid reasons to allow ICMP, especially from the inside, and 
 in my opinion we all may as well get used to allowing it, since blocking 
 ICMPv6 will effectively not be possible.

In 2.1 we allow echo for link-local always on all interfaces. It is also 
impossible to block a few other ICMPv6 types in 2.1 because it would cause 
general network issues.

We don't allow echo requests for global addresses per default though.

But blocking ICMPv6 outright is bad m'kay

It never worked properly in v4 either. I have a rather large LAN but I have a 
blanket ICMP allow rule as well. If your network is larger than a few nets it's 
not worth the effort.

I do have ICMPv6 block echo rules for incoming traffic though. But that's about 
it.

Cheers,

Seth

 -Adam
 
 
 Ugo Bellavance u...@lubik.ca wrote:
 
 Hi,
 
 The system I inherited denies all ICMP requests by default, even 
 internally.  Is that a good idea?  I think that echo/reply should at 
 least be allowed internally.  Opinions?
 
 Thanks,
 
 Ugo
 



Re: [pfSense] unsubscribe

2012-02-10 Thread Seth Mos
On 10-2-2012 12:08, Michel Servaes wrote:
 Good afternoon,
 
 Could you please remove this mail address from the mailing list.
 
 Kind regards,
 
 

I suggest you use the link above to unsubscribe.

Kind regards,

Seth


Re: [pfSense] Request for help: Seeking pfSense user with access to 6RD IPv6 WAN

2012-02-01 Thread Seth Mos

On 1-2-2012 16:41, Chris Bagnall wrote:

On 1/2/12 2:15 pm, Seth Mos wrote:

I am seeking a user(s) that has access to a 6RD IPv6 connection so we
can test our development 6RD code.


Out of curiosity (and this is more aimed at ISPs than end users), is 
implementing the various IPv6 'workarounds' - for want of a better 
word - actually any easier/cheaper than just implementing proper 
native IPv6?

There are just so many factors here. Let me see if I can explain some of it.

The short summary: no, it's cheaper to deploy native than it is to 
implement workarounds.


Except for:

- You are an ISP and you didn't put IPv6 as a hard demand on the 
equipment you purchased in 2008. Buying a new 120K euro core router is 
not an option, you only make x euros profit per year per user. If they 
call the helpdesk once it's gone.
- The vendor sold the equipment in 2008 promising a firmware update 
supporting IPv6 soon. Now 4 years later the vendor still hasn't 
shipped firmware.
- Vendors asking for new licenses for IPv6 to get feature parity to actually 
deploy to users. Seems really stupid, but it happens. It's not something 
that should be licensed, that's stupid.
- The 2008 equipment has the features and the licenses but they 
encountered a show stopping bug that brings the chassis to its knees 
and it's so ingrained in the hardware that it can't be solved except for 
forklift upgrades.
- Backend systems for deployment, provisioning and billing don't support 
it, this is pretty much true on the larger ISPs where these are very 
heavily integrated.
- Time to deploy using 6RD is just very fast from an ISP standpoint. 
Considering the 1st impact in Europe might be somewhere this summer this 
is another factor. It's basically ISP controlled 6to4 with added smarts.


I can't help but think that if half the effort that has gone into 
developing workarounds had gone into native IPv6 implementation, we'd 
(as an industry) be a lot further on than we are.


Yes we would, like starting in 2002 instead of waiting until next year. 
Whenever that is. And now we need it this summer for real and it sucks, 
because that just got you 5 months and a hard deadline.


To be fair, I only started the IPv6 work in pfSense in December 2010, 
that's over a year ago and I'm finally getting round to this. We did 
have DHCP-PD in summer 2011, which is an actual native solution, and static 
addressing in February 2011.


6RD is fast to deploy because you can bring up a big 6RD broker on your 
huge ass chassis with multiple 10GE pipes.
Each client enables the 6RD knob and presto they can use a /60 (in the 
case of Swisscom) on their own router.

Everything in between can be ignored from the ISP standpoint.

Swisscom communicated to me that this platform will be here for the 
next 5 years. Which I don't believe because they will run out of their 
public IPv4 allocation way before then and that stops 6RD from working 
IIRC.


Tunneling is still one of the more native connections. You get good 
throughput because the tunnel goes over the same pipe as your v4 path. 
And you have control of where it terminates.


The current CPE situation is absolutely horrid right now. The 
amount of support in stuff they still sell is almost nonexistent. Some 
support IPv6 in the 100~200 euro models but no such luck in the 35 euro 
devices everybody ships with the DSL subscription they just got.


As far as workarounds go, 6RD is not bad. It's quite usable. Some other 
dynamic tunneling options are highly disapproved of. Like 6to4 or 
Teredo. Sure those work too, but any sort of performance guarantees 
can't be given for those.


Regards,

Seth


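As an added worked example (not from the post above, nor pfSense's own 6RD code), the arithmetic behind the "6RD knob": the ISP's 6rd prefix is concatenated with the customer's IPv4 address, minus any leading IPv4 bits shared by the whole 6rd domain, which is how a /28 6rd prefix with no shared bits yields a /60 per customer, and the reverse mapping is how a relay finds the IPv4 endpoint. The 6rd prefixes and IPv4 addresses below are constructed documentation values, not any ISP's real parameters.

```python
import ipaddress


def sixrd_delegated_prefix(rd_prefix, ipv4_mask_len, ce_ipv4):
    """Derive the customer's 6rd delegated prefix (RFC 5969 style).

    rd_prefix     -- the ISP's 6rd prefix, e.g. "2001:db8::/28" (constructed value)
    ipv4_mask_len -- number of leading IPv4 bits common to the whole 6rd domain
    ce_ipv4       -- the customer edge router's public IPv4 address
    """
    # strict=False: the ISP quotes the prefix with host bits present, mask it down
    net = ipaddress.IPv6Network(rd_prefix, strict=False)
    v4 = int(ipaddress.IPv4Address(ce_ipv4))
    v4_bits = 32 - ipv4_mask_len                 # IPv4 bits that get embedded
    v4_suffix = v4 & ((1 << v4_bits) - 1)        # drop the shared leading bits
    plen = net.prefixlen + v4_bits               # e.g. 28 + 32 = 60
    if plen > 64:
        raise ValueError("6rd prefix leaves no room for a /64 LAN")
    # place the IPv4 bits directly after the 6rd prefix bits
    embedded = v4_suffix << (128 - plen)
    return ipaddress.IPv6Network((int(net.network_address) | embedded, plen))


def lan_subnets(delegated):
    """The /64s a router behind the CE can hand to its LANs (16 for a /60)."""
    return list(delegated.subnets(new_prefix=64))


def sixrd_ipv4_from_ipv6(rd_prefix, ipv4_mask_len, ipv6_addr, domain_ipv4):
    """Recover the IPv4 tunnel endpoint for an address inside the 6rd domain.

    domain_ipv4 supplies the shared leading IPv4 bits when ipv4_mask_len > 0.
    Returns None for addresses outside the domain (those go via the border relay).
    """
    net = ipaddress.IPv6Network(rd_prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        return None
    v4_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - v4_bits
    suffix = (int(addr) >> shift) & ((1 << v4_bits) - 1)
    high = int(ipaddress.IPv4Address(domain_ipv4)) & ~((1 << v4_bits) - 1) & 0xFFFFFFFF
    return ipaddress.IPv4Address(high | suffix)


if __name__ == "__main__":
    # constructed: a /28 6rd prefix with no shared IPv4 bits gives each customer a /60
    pfx = sixrd_delegated_prefix("2001:db8::/28", 0, "192.0.2.1")
    print(pfx, len(lan_subnets(pfx)), "LAN /64s")
    print(sixrd_ipv4_from_ipv6("2001:db8::/28", 0, str(pfx.network_address), "0.0.0.0"))
```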


Re: [pfSense] IPv6 and v2.1

2012-01-25 Thread seth.mos

Quoting Oliver Schad ad...@automatic-server.com:


Hello,

can somebody estimate when version 2.1 with IPv6 support will be
released? One month, 6 months, 1 year?


If all goes according to plan, somewhere this spring. Which sounds  
vague but should be before May and definitely before World IPv6 day.


You can install a pfSense 2.1 snapshot from  
http://files.pfsense.org/jimp/ipv6/


That is the last IPv6 snapshot we made and it's in relatively large  
use for people that needed IPv6 support. I have at least 3 CARP  
clusters in active production with IPv6 on this version.


2.1 is mostly a 2.0 with IPv6 support though, don't expect as big a  
leap as 1.2.3 to 2.0 was.



I would like to use the IPv6 stuff and don't like the idea to patch v2.0.1
manually.


We have the snapshots for that.

Regards,

Seth



Re: [pfSense] rrd error

2012-01-24 Thread Seth Mos

On 24-1-2012 11:19, İhsan Doğan wrote:

Hi,

I'm running the NanoBSD version of pfSense, Version 2.0.1. This system
was upgraded from 1.2.3 through 2.0.


The initial 2.0 did not correctly upgrade the RRD files from 1.2.3. A 
fix is in 2.0.1 so that upgrades from 1.2.3 work.


However, if you have already upgraded from 1.2.3 to 2.0 you will need to 
reset the RRD data or attempt to upgrade the files manually when on 2.0.1.


Please see ticket http://redmine.pfsense.org/issues/1758 for the manual 
upgrade instructions if you are now on 2.0.1.


Regards,

Seth





When I try to access the traffic graph page, I'm getting this error in
the system log:

php: /status_rrd_graph_img.php: Failed to create graph with error code
1, the error is: ERROR: No DS called 'inpass' in
'/var/db/rrd/wan-traffic.rrd'/usr/bin/nice -n20 /usr/local/bin/rrdtool
graph /tmp/wan-traffic.rrd-4year.png --start 1200910447 --end 1327400047
--vertical-label bits/sec --color SHADEA#ee --color SHADEB#ee
--title `hostname` - WAN :: Traffic - 4 years - 1 day average --height
200 --width 620
DEF:wan-in_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass:AVERAGE
DEF:wan-out_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass:AVERAGE
DEF:wan-in_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock:AVERAGE
DEF:wan-out_bytes_block=/var/db/rrd/wan-traffic.rrd:outblock:AVERAGE
CDEF:wan-in_bits_pass=wan-in_bytes_pass,8,*
CDEF:wan-out_bits_pass=wan-out_bytes_pass,8,*
CDEF:wan-in_bits_block=wan-in_bytes_block,8,*
CDEF:wan-out_bits_block=wan-out_bytes_block,8,*
CDEF:wan-in_bytes=wan-in_bytes_pass,wan-in_bytes_block,+
CDEF:wan-out_bytes=wan-out_bytes_pass,wan-out_bytes_block,+

How can I fix this?



Ihsan





Re: [pfSense] Soekris 6501 installation question

2012-01-23 Thread Seth Mos
Hi,

On 23 Jan 2012, at 18:21, David Miller wrote:

 "Is it plugged in" questions are welcome, I'm probably missing something 
 about that simple.  It's my first time with a Soekris, and first time trying 
 to boot pfSense off the memstick image.
 
 The Soekris was set to 19200.  I tried 9600 on it as well (boot, ctrl-P, set 
 ConSpeed=9600, reboot) to no avail.  Also 115200.

The Soekris or ALIX is either 19200 or 38400 stock, we are still using 
9600,n,8,1 for all our embedded builds.

If this is a memstick image you should not expect serial output IIRC. Only the 
NanoBSD images have serial, the NanoBSD images with VGA even have VGA instead.

Maybe I've missed something, but I believe this is the case.

Regards,

Seth


Re: [pfSense] Fatal trap 12 page fault

2012-01-05 Thread Seth Mos
Hi,

On 4-1-2012 12:53, Hiren Joshi wrote:
 And another one:
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450091_525x290.jpg
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450095_525x291.jpg
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450097_525x294.jpg
 
 
 We're not upgrading to pfSense 2.0 and will change the memory over
 soon...

A bit late to chip in here, but is there a clogged fan or a busted
capacitor? That was a huge issue in a lot of computer equipment
produced in 2007.

I've seen a number of random crashes caused by faulty power supplies too.

RAM is always the most obvious, but consider the other options. The
good news is that you can easily replace the entire firewall by just
restoring a config file on another machine.

Regards,

Seth

 
 Thanks for all the pointers so far.
 
 Josh.
 
 -Original Message- From: list-boun...@lists.pfsense.org
 [mailto:list-boun...@lists.pfsense.org] On Behalf Of Russell Howe 
 Sent: 03 January 2012 17:44 To: list@lists.pfsense.org Subject: Re:
 [pfSense] Fatal trap 12 page fault
 
 On 02/01/12 06:45, Russell Howe wrote:
 I've managed to get screen captures of two crashes, with
 backtraces:
 
 Crash #1 
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312285.png
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312283.png
 
 Crash #2 
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312282.png
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312286.png
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312287.png

  Any ideas as to what might be going on? I've also see the
 secondary node reboot when it takes over the CARP addresses,
 although that doesn't happen every time. I assume it's crashing
 but I'm not prepared to put the debug kernel on both nodes at the
 same time.
 
 
 We had another occurrence:
 
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560367903.png
 http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560367904.png

 
 We ran memtest for a few hours on this machine back in October when
 we first began to have these resets and it came back clean,
 although I know some memory errors can be quite hard to reproduce
 with memtest.
 
 Still, new RAM is on order so we'll see if that makes any
 difference.
 
 We're also going to try an upgrade to 2.0.x
 



Re: [pfSense] relayd fails to start after 2.0.1 upgrade

2011-12-27 Thread Seth Mos
On 27-12-2011 9:31, Andrew Mitchell wrote:
 <lbpool/>
 <lbaction/>
 <lbprotocol/>

it's these tags that cause it.

Regards,

Seth


Re: [pfSense] particular site not working

2011-12-17 Thread Seth Mos
Hi,

On 17 Dec 2011, at 05:19, Guruprasad R wrote:

 action taken:
 - I disabled transparent proxy and configured 3128 as my proxy port in 
 browser as well as pfSense
 - I stopped the squid/squidguard services
 - I tried different browsers from different systems behind the firewall.
 but all in vain
 
 observation:
 - I could ping bsnl.co.in which responds back with its static IP.

Set the MTU to something like 1400 and try again, it could be that there is an MTU 
issue along the way causing larger packets to fail.

Does a telnet to the host on port 80 connect? If so, that is likely the issue.

Regards,

Seth



Re: [pfSense] Blackberry Playbook VPN and Connecting up to PFSense

2011-12-12 Thread Seth Mos
On 12-12-2011 16:35, Gavin Will wrote:
 Hi there, 
 
 Curious if anyone has setup a VPN for a Blackberry Playbook to connect to a 
 PFsense Box.
 
 Playbook supports many commercial devices such as Juniper / Cisco. The only 
 option I feel I can use is Generic IKEv2 VPN Server Is Pfsense classed as 
 such a thing? I would presume It can handle IKEv2 IPsec. 
The current IPsec daemon in pfSense only supports IKE version 1.

Regards,

Seth


Re: [pfSense] Silly question - using a PC + pfsense + dual ethernet NIC + wlan PCI card as wifi router

2011-12-08 Thread Seth Mos
On 8-12-2011 9:21, Chris Buechler wrote:
 Though that'd be pretty ugly too given the 11 Mb limit of USB 1.x
 you'd find on such a box, aside from the fact USB NICs tend to be ugly
 in general driver-wise, and I can't recall seeing a USB wifi card
 whose chipset supported hostap mode.

Ralink USB chipsets do work, but they default to 1Mbit unless you force
them to use 54Mbit. I've used them as wireless access points in a pinch
but they fell over in about a day of use.

 Maybe the OP's best bet is getting a WRT54G off ebay (can be had for
 ~$20 USD shipped in the US at least, generally cheaper than any wifi
 NIC you're going to find), and use it for wifi only.

Considering that the placement of your Wifi antenna is pretty critical
for good coverage I second this.

Getting an old wifi router on the cheap is easy, some people even give
you the old one, you might even have one lying around.

Disable the dhcp server on it, plug the cable into the LAN port and you
get a 4 port switch as a bonus.

I have mine in the living room below the TV. This makes wifi in the
living room excellent (where I use it most) and I use the extra ports
for the media player and xbox.

Regards,

Seth


Re: [pfSense] Silly question - using a PC + pfsense + dual ethernet NIC + wlan PCI card as wifi router

2011-12-08 Thread Seth Mos
Hi,

On 8 Dec 2011, at 18:07, ernst wrote:
 How expensive is your electricity?  When you look at it from a 1-2 year total 
 cost of ownership of keeping that old PC running 24/7, you are (eventually) 
 further ahead to buy one of those embedded computers (ALIX / Soekris) or 
 that shiny new router at Best Buy.
 
Experience has taught me that the shiny new router at the store will likely drop 
long lasting idle connections like ssh or irc because they run out of memory. 
And not provide the coverage you need^W want. (e.g. backyard, upstairs, garage, 
bedroom, etc.)

Prices have been going down steadily for all flash chips, so for the same money 
you would get more memory. That's not the goal of the manufacturers, instead, 
they make the same model for less. So we still get routers with 4 or 8 MB ram 
and they still need to actively prune connections to stop the thing from 
running out of memory.

And an expensive router with wifi is roughly 70 to 120 euros. An ALIX 2D3 is 
about 100 euros. This nets me more (general) processing power and 256MB of 
RAM and a couple of USB2 ports. It also uses just 5 Watts idle or so.

I'm still using the same ALIX I got over 3 years ago. I have since replaced the 
wifi access points multiple times. From 11b to 11g, then to 11n dual band. Going 
to dual band was the single largest leap forward, 2.4 GHz is getting way too 
crowded. 200KB/s on a 2.4 GHz 11n network is a clear indicator that something is 
up.

I also need 2 wireless access points so I have reception upstairs, which is a 
pretty common issue for most of us. So 2 cheap wireless routers off eBay 
will net you far better coverage and speed than 1 expensive router.

Cheers,

Seth


Re: [pfSense] Forwarding stopped between two local networks.

2011-12-08 Thread Seth Mos
Hi,

On 8 Dec 2011, at 18:27, Joshua Schmidlkofer wrote:

 Yesterday, for no discernible reason, new connections ceased, in one
 direction between two local subnets.   I have two interfaces, alc0 to
 10.2.0.0/16 (BuildingA), and re2 to 10.3.0.0/16 (BuildingB).
 
 My pfSense box is a single box, with multiple internet uplinks, and is
 the default gateway for both networks.  We have no filtering between
 10.3.0.0 and 10.2.0.0.  They are in another building and connected to
 us via high speed wireless.
 
 At some point yesterday, 10.3.0.0 stopped being able to initiate
 connections to hosts on 10.2.0.0.   BuildingA may create new
 connections to BuildingB without incident.   BuildingB may not connect
 to BuildingA at all.   The packets enter PFsense, I can't get them to
 log at all, tcpdump shows them.  Once in, they never come out.   There
 is no log of them going anywhere.  They simply cease.

Added a firewall rule with a gateway for policy routing without making an 
exception rule for the directly connected building A?

You need to make sure that there is a rule without a gateway to building A and 
vice versa.

This is one of the fixes in 2.0.1.

Cheers,

Seth



Re: [pfSense] Ipad Road Warrior + VPN (secure connection) to my home network??

2011-12-08 Thread Seth Mos
Hi,

On 8 Dec 2011, at 22:55, justino garcia wrote:

 
 I want to gain secure (VPN) access on the road, to my home network from my 
 ipad, Anyone setup PFsense for this, or do you recomend something else 
 (OpenVPN and Ipad support???)

The built-in IPsec client in the iPad works with pfSense mobile IPsec VPN on 
2.0. That's how we use it at work.

You will need to create a local user on pfSense in the user manager and assign 
the xauth attribute.

Then in the IPsec VPN you can create a mobile IPsec policy.

Cheers,

Seth


Re: [pfSense] Any suggestions on how filter in pfSense for SQL Injections?

2011-12-06 Thread Seth Mos
Hi,

On 7 Dec 2011, at 00:26, Chuck Mariotti wrote:

 At our datacenter managed to not get hit. However, I guess I would like to 
 ask for suggestions on how to stop this type of attack at the pfSense 
 firewall and what/how to implement something that would allow us to manage 
 such attacks.

There is no magic button that filters out SQL injection attacks; with such a 
filter, tools like phpMyAdmin would also instantly fail to work. These send SQL queries 
via the web too in plain text, since they're supposed to do that.

This is an application issue where people forgot or just never considered input 
validation. 

The snort approach is not guaranteed to prevent this since people can be very 
crafty. It's hard to get right. Just make sure that your web apps are kept up to 
date. Ask your vendors about SQL injection attacks, demand this in writing 
facing penalties, and install the next update they release shortly afterwards.

And if you have a datacenter you would better have a really good box to make 
sure that none of your HTTP traffic takes a hit from being processed through 
snort.

Some other IDSes note the event, then block. Which can still leave you with a 
broken database if they succeed on the 1st shot. It also just blocks an IP, 
which is easily circumventable.

One can wish for the world.

Regards,
Seth

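The point of the reply above, that injection is an input-handling defect in the application which a firewall cannot reliably filter because legitimate SQL travels over the same HTTP, as an added Python example that is not from the post: the same lookup built by string formatting and by bound parameter, plus an allowlist check at the application boundary, run against a constructed in-memory SQLite table. The table contents, the crafted input and the username policy are all constructed for this example.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory table standing in for a web app's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(con, name):
    """The 'never considered input validation' case: the input is pasted into
    the SQL text, so a quote in the input changes the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def lookup_parameterized(con, name):
    """Hardened form: the input is bound as a parameter by the driver and is
    never parsed as SQL, whatever characters it contains."""
    return con.execute("SELECT name, role FROM users WHERE name = ?",
                       (name,)).fetchall()


def is_valid_username(name):
    """Allowlist validation at the application boundary (constructed policy:
    lowercase letters, digits and underscore, 1 to 32 characters)."""
    return re.fullmatch(r"[a-z][a-z0-9_]{0,31}", name) is not None


def lookup_validated(con, name):
    """Defence in depth: reject malformed input before it reaches the database,
    then still use the parameterized query."""
    if not is_valid_username(name):
        return None
    return lookup_parameterized(con, name)


if __name__ == "__main__":
    con = make_demo_db()
    crafted = "x' OR '1'='1"          # constructed input that closes the quote
    print("unsafe    :", lookup_vulnerable(con, crafted))     # every row leaks
    print("parameter :", lookup_parameterized(con, crafted))  # no match
    print("validated :", lookup_validated(con, crafted))      # rejected: None
```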


Re: [pfSense] 3G USB Modem installation on PFSENSE

2011-12-04 Thread Seth Mos
Hi,

On 4 Dec 2011, at 20:51, Oliver Hansen wrote:

 There are actually quite a few modems that work with pfSense 2.0. It's not 
 plug and play but if you follow the documentation it's not too hard to set 
 up. I don't know if your specific modem is supported but I suggest looking at 
 the documentation: http://doc.pfsense.org/index.php/Known_Working_3G-4G_Modems

One issue is that they don't come online when booting after a power failure. A 
warm reboot or a save on the WAN interface fixes it.

I added a ticket for it.

Regards,

Seth


Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense

2011-11-24 Thread Seth Mos
On 23-11-2011 19:34, Ugo Bellavance wrote:
 Hi,
 
 We're thinking about replacing our CheckPoint Firewall-1 by pfSense.  We
 are using only those features on Firewall-1 (R65):
 
 - Security (default deny on everything)

Delete the LAN - any rule on the LAN interface and you are good to go.
The rest is default deny.

 - NAT (inbound (for internet-facing hosts) and outbound (selective,
 workstations go out through a proxy, other selected hosts are NAT'd
 based on destination host and port(s))

Well, you can assign multiple VIPs on the WAN and create manual outbound
NAT rules to tie different LAN hosts to different external addresses.
This aside from things like 1:1 NAT.

 - We do have some security rules defined in their SmartDefense, but it
 is a nightmare to configure without having many false positives.  I'm
 pretty sure we could go without or simply add Snort to pfSense

Unfamiliar with that. I scrapped a watchguard Firebox years ago before
UTM was a common thing.

 We had a project of roaming users VPN but it's on the ice right now.  We

Use OpenVPN. Install the client exporter package, it includes a windows
client and config files for 2 Macintosh clients. Do you need the AD auth
as well? I am using it against a radius server though.

> are using SSH tunnels to connect home users' PCs to the corporate network
> and we will need a solution for the few corporate laptops to connect to
> the corporate network. However, I guess that with all the options
> available in pfSense regarding VPN, I don't think this would be a problem.

IPsec vpns are commonly used for site-site tunnels. OpenVPN tunnels can
work too.

> - Our Firewall-1 version is not supported anymore so we have to upgrade
> anyway

+2 Watchguard Fireboxes.

> - Service contracts are a lot cheaper

Is it a service contract if they take 8 months to fix an issue?

> - We would have to pay extra $$ for a redundant setup (CARP pfSense is
> free)

Getting gigabit, we have a new shiny model you can buy for some randomly
generated 5 figure price.

> - Server load balancing can be used for simple HA setups

Inbound as well as outbound if you have multiwan.

> - DHCP server on the firewall (no need for DHCP relay)

These can be made redundant too, that's what I have here for the past
few years.

> - Other interesting packages

OpenVPN client exporter is very popular.

> We are thinking about running a redundant (CARP) setup with one pfSense
> on our VMWare cluster, and one on a physical, separate machine.

Don't. Either do both in a VM or both physical. I tried and it burned.
For ~1k euro you get a Dell R310 with 6 gig nics.

> 1- NAT Reflection - We don't have a split-DNS setup. CheckPoint does
> seem to manage NAT Reflection perfectly.

For 1:1 NAT you need to add port forwards on top of your 1:1 and it will
work.

> 2- Ease to migrate the configuration to pfSense - I would set a pfSense
> VM in parallel and start migrating all the rules manually, but I'm
> scared about missing some or seeing a situation where the Firewall-1 can
> do it and not pfSense.

You will need to write one to convert various bits of config to the
pfSense XML format.

> 3- Backups. Are automated backups (of the config, at least) possible
> even w/o a service contract?

Some use SSH/rsync with public keys. If you have a support contract you
can use the ACB package. It comes with the subscription.

Regards,

Seth

