Re: [pfSense] massive CARP Failover
On 2017-06-02 08:13 AM, Daniel wrote:

Hi there, I run 2 pfSense firewalls. I tried to use CARP but it fails over every 1-2-3 hours. Sometimes it is so fast that pf1 is master and pf2 has the routes. In this case I need to reboot both servers. After I tried a lot I didn't find any solution. I took a different brand (Sophos UTM) and it has the same behaviour. So I think this could be a network problem. Are there any important things which must be enabled or disabled in the switch? Or does the switch need some special configuration? When I use Linux with bonding it also switches the NICs very often. We use 2 switches from Netgear, JGS524Ev2. Maybe someone has some experience with it?

Can you give us more information? Do you have 3 IP addresses per interface? How is your switch configured? Any tagged VLANs involved? Is the switch's firmware up to date?

___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Firewall rules enabled/disabled depending on WAN status?
On 2017-05-28 09:37 PM, Jeppe Øland wrote:

For a while, I was playing around with having 2 WAN connections to my house. The primary connection was the only one I cared about, and the secondary was just there so I could get to important services in the event my primary ISP was down. I had a super cheap wireless connection (through FreedomPop) ... but over time it started costing more and more due to web traffic hitting my web server.

Is the wireless connection the secondary or primary? It costs more because you're charged for the bandwidth you use per month?

Nothing pointed to the secondary IP, so I assume this was either bad luck in the IP I got - or script kiddies scanning the Internet and attacking anything visible.

If you're saying that nothing points to the secondary IP, how come you get traffic? People targeting your IP address directly? How do you do your DNS failover in the case of an outage on the primary, manually?

I was thinking this problem could be eliminated if I could turn the WAN2 rules off if WAN1 was up and running.

This is probably not possible to do, but would it be simple to add
Re: [pfSense] Network interruption on pfSense Firewall
On 2017-05-19 10:22 AM, WebDawg wrote:

If you have your router virtualized, there are CPU requirements for the virtual NICs that I do not think you can see from 'inside'. You have to look from the hypervisor in. It depends on how you have everything configured and what virtualisation you are using. Are you using PCI passthrough to have a true NIC?

No, the NIC is shared with all the other VMs. 2 10G NICs in the physical server. The hypervisor has a max of 20.62% CPU usage, average of 8% over one day. The total throughput of the hypervisor in a day is max 1.6 GBps, and it doesn't correspond to the dpinger logs. Max network traffic is between 11PM and 3 AM.
Re: [pfSense] Network interruption on pfSense Firewall
On 2017-05-19 08:53 AM, J. Hellenthal wrote:

Interesting. I see this same thing on an SG2440 at one of our smaller installation sites with a dual gateway setup; it experiences very similar packet loss and high latency. All firmware is up-to-date... netgate boot & pfsense. Have not had the chance to look deeper into this as I believed it may be a problem on the remote end and the frequency of events was very quick and disappeared for greater than 24 hours at a time.

Are you using all your bandwidth when it happens?
Re: [pfSense] Network interruption on pfSense Firewall
On 2017-05-19 08:33 AM, Angel Rengifo Cancino wrote:

On Fri, May 19, 2017 at 6:55 AM, Ugo Bellavance <u...@lubik.ca> wrote:

Hi, We sometimes experience what looks like service interruptions on our pfSense firewall. The first symptom was that we came in the office in the morning and found that all the ssh sessions that were opened and going through the firewall would be disconnected. I searched the pfsense logs and I found that:

May 19 04:35:48 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2231us stddev 1209us loss 21%
May 19 04:36:01 fw1 dpinger: ISP 206.55.90.97: Clear latency 2253us stddev 1266us loss 15%
May 19 04:54:24 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2021us stddev 1042us loss 22%
May 19 04:54:39 fw1 dpinger: ISP 206.55.90.97: Clear latency 2564us stddev 6028us loss 19%
May 19 05:13:05 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2203us stddev 1345us loss 21%
May 19 05:13:17 fw1 dpinger: ISP 206.55.90.97: Clear latency 2044us stddev 870us loss 17%

I opened a ticket with my ISP, but I don't think that they'll find anything. I must say they're not the most knowledgeable.

I've experienced such packet loss before and it was always the ISP's fault. If your bandwidth usage is not full then there should not be a reason for losing so many packets.

Our bandwidth usage is quite high when it happens.

According to the logs, every time that happens, pfSense tries to do a few things:
- Update dyndns
- Restart VPN tunnels
- Reload filters

I'll keep on searching but I really wonder whether the post-clear-latency actions cause the SSH disconnects (and possibly other network cuts) or if it's the firewall that is too busy to receive the ICMP packets.

Once I had the same problem with 2 ISPs configured in my pfSense box and disabling this option helped me to avoid such disconnection behavior: System -> Advanced -> Miscellaneous -> State Killing on gateway failure

Interesting. Why would it be a good idea to kill the states on a gateway failure?

You can try it.
The firewall runs on a VMWare VM, Intel(R) Xeon(R) CPU E5-2640 0 @ 2.50GHz, 3 CPUs: 1 package(s) x 3 core(s), 1 GB RAM. The host is not CPU-bound.

Make sure VMware is not part of the problem. If possible, use a physical server to start basic monitoring using continuous ping to see if packet loss also occurs on this host. If the same loss of connectivity doesn't happen there, then maybe your VMware infrastructure might be part of the problem.

That's not really feasible, unfortunately, but it's good advice.

Thanks,
Re: [pfSense] Network interruption on pfSense Firewall
On 2017-05-19 10:09 AM, WebDawg wrote:

On Fri, May 19, 2017 at 9:46 AM, Ugo Bellavance <u...@lubik.ca> wrote:

On 2017-05-19 08:24 AM, WebDawg wrote:

Thanks for your quick answer.

I mean. Your net connection is dropping packets... is your gateway going down?

My external Nagios system saw nothing up to now (it always sees my gateway as up from the outside). But it only checks once every minute and the packet losses that I experience last about 15 seconds. 1/4 chance of seeing it when polling every minute.

Your ISP should do something... your WAN connection is going down... unless you have a bad VM config.

The firewall has been up for 187 days and we've been using this VM since 2012. However, there is more and more traffic going through the VM as time goes by. This problem happened about 6 times in the past year, but 3 of them were in the past 2 weeks.

pfSense does do SOMETHING when a gateway goes down... do you have failover internet set up? When pfSense marks a connection as down and then back up, some of the things you are describing, I think, are supposed to happen.

Only one WAN.

You can adjust latency settings in the advanced settings of the gateway. You can adjust loss settings too. Some ISP QoS configs I think are known to drop ICMP in favor of higher priority things. In that case it is usually better to do your own QoS.

That is interesting. I'll look into that.

For some reason every T1 I have ever used had latent ICMP when loaded. I tried so many different QoS configs but I could only get it so good.

In our case it's an ethernet link provided on a gigabit GPON. 50 mbps. But I can see that the problem occurs when traffic is at 50 mbps (backups replication) so I lowered the maximum bandwidth for the replication to 43 mbps.

If the ISP's equipment ignores your QoS (and I think that's what they do), if they decide to drop some ICMP messages, what will your own QoS do?

There are specific types of QoS that are designed to stop the ISP's QoS from coming into play.
CODELQ was part of that. https://www.bufferbloat.net/projects/bloat/wiki/What_can_I_do_about_Bufferbloat/ The general concept is to lower your max QoS speed to less than what the max of your connection is, but I always wondered how this would affect things down the line, let's say if an ISP sells you 50mbits but then over-provisions their backhauls.

That is approximately what I did. When we saturate the link, it is outbound, to a remote location where we have replicas of our backups. I have a limiter over there but it was either not working or not low enough. I lowered it more to avoid maxing out the pipe.

There are also things that other ISPs have been caught doing in the past like resetting torrent connections and such. I also would wonder about links that have no QoS and what the default is for things like that. But that can be tested with iperf and ping over a standard ethernet link I would guess. You should run iperf tests on your virtualized install while pinging and watch your CPU load externally via your hypervisor. I took a trip down the virtualized router path and I paid attention to 3 things: traffic shaping support with PV type drivers, performance out of HVM drivers, and CPU queues for virtual NICs when applicable. I think the max I could get out of the best VM choice with pfSense and an i3 processor was 100-300 mbits and some configurations would provide so few mbits it was laughable.

The thing is that this outbound traffic is going through a VPN tunnel so there is a CPU requirement for the encryption. pfSense graphs show an average of all CPUs, but since we have only one VPN tunnel, I think that it cannot saturate all 3 vCPUs.
Re: [pfSense] Network interruption on pfSense Firewall
On 2017-05-19 08:24 AM, WebDawg wrote:

Thanks for your quick answer.

I mean. Your net connection is dropping packets... is your gateway going down?

My external Nagios system saw nothing up to now (it always sees my gateway as up from the outside). But it only checks once every minute and the packet losses that I experience last about 15 seconds. 1/4 chance of seeing it when polling every minute.

Your ISP should do something... your WAN connection is going down... unless you have a bad VM config.

The firewall has been up for 187 days and we've been using this VM since 2012. However, there is more and more traffic going through the VM as time goes by. This problem happened about 6 times in the past year, but 3 of them were in the past 2 weeks.

pfSense does do SOMETHING when a gateway goes down... do you have failover internet set up? When pfSense marks a connection as down and then back up, some of the things you are describing, I think, are supposed to happen.

Only one WAN.

You can adjust latency settings in the advanced settings of the gateway. You can adjust loss settings too. Some ISP QoS configs I think are known to drop ICMP in favor of higher priority things. In that case it is usually better to do your own QoS.

That is interesting. I'll look into that.

For some reason every T1 I have ever used had latent ICMP when loaded. I tried so many different QoS configs but I could only get it so good.

In our case it's an ethernet link provided on a gigabit GPON. 50 mbps. But I can see that the problem occurs when traffic is at 50 mbps (backups replication) so I lowered the maximum bandwidth for the replication to 43 mbps.

If the ISP's equipment ignores your QoS (and I think that's what they do), if they decide to drop some ICMP messages, what will your own QoS do?
[pfSense] Network interruption on pfSense Firewall
Hi,

We sometimes experience what looks like service interruptions on our pfSense firewall. The first symptom was that we came in the office in the morning and found that all the ssh sessions that were opened and going through the firewall would be disconnected. I searched the pfsense logs and I found that:

May 19 04:35:48 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2231us stddev 1209us loss 21%
May 19 04:36:01 fw1 dpinger: ISP 206.55.90.97: Clear latency 2253us stddev 1266us loss 15%
May 19 04:54:24 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2021us stddev 1042us loss 22%
May 19 04:54:39 fw1 dpinger: ISP 206.55.90.97: Clear latency 2564us stddev 6028us loss 19%
May 19 05:13:05 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2203us stddev 1345us loss 21%
May 19 05:13:17 fw1 dpinger: ISP 206.55.90.97: Clear latency 2044us stddev 870us loss 17%

I opened a ticket with my ISP, but I don't think that they'll find anything. I must say they're not the most knowledgeable.

According to the logs, every time that happens, pfSense tries to do a few things:
- Update dyndns
- Restart VPN tunnels
- Reload filters

I'll keep on searching but I really wonder whether the post-clear-latency actions cause the SSH disconnects (and possibly other network cuts) or if it's the firewall that is too busy to receive the ICMP packets.

The firewall runs on a VMWare VM, Intel(R) Xeon(R) CPU E5-2640 0 @ 2.50GHz, 3 CPUs: 1 package(s) x 3 core(s), 1 GB RAM. The host is not CPU-bound.

Any advice would be appreciated.

Thanks,
Ugo
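The dpinger lines quoted in this thread are the only hard evidence in it, and what matters for correlating them with the SSH drops is how long each alarm lasted and how regularly it recurs. The Python below is an added example, not part of the original post and not pfSense code: it parses dpinger syslog lines of the format shown above, pairs each Alarm with the next Clear for the same gateway, and reports episode durations and the spacing between alarm starts. The year is an assumption (syslog timestamps carry none); the sample input reuses the six lines from the post plus one constructed non-dpinger line to show that noise is ignored.

```python
import re
from datetime import datetime

# Matches the dpinger syslog lines quoted in the post, e.g.
# "May 19 04:35:48 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2231us stddev 1209us loss 21%"
# pfSense gateway names contain no spaces, so \S+ is enough for the gateway field.
DPINGER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dpinger: "
    r"(?P<gw>\S+) (?P<addr>\S+): (?P<event>Alarm|Clear) "
    r"latency (?P<lat>\d+)us stddev (?P<sd>\d+)us loss (?P<loss>\d+)%$"
)


def parse_dpinger_line(line, year=2017):
    """Return a dict for one dpinger Alarm/Clear line, or None for any other line.
    syslog timestamps carry no year, so the caller supplies one (2017 assumed here)."""
    m = DPINGER_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "gw": m["gw"], "addr": m["addr"], "event": m["event"],
        "latency_us": int(m["lat"]), "stddev_us": int(m["sd"]), "loss_pct": int(m["loss"]),
    }


def alarm_episodes(lines, year=2017):
    """Pair each Alarm with the next Clear of the same gateway.
    An Alarm with no later Clear is reported with end=None (still down when the log ends);
    a Clear with no preceding Alarm is ignored (the log was cut mid-episode)."""
    open_alarms = {}
    episodes = []
    for raw in lines:
        ev = parse_dpinger_line(raw, year)
        if ev is None:
            continue
        key = (ev["gw"], ev["addr"])
        if ev["event"] == "Alarm":
            if key not in open_alarms:          # a repeated Alarm keeps the first start time
                open_alarms[key] = ev
        elif key in open_alarms:
            start = open_alarms.pop(key)
            episodes.append({
                "gw": ev["gw"], "start": start["ts"], "end": ev["ts"],
                "duration_s": int((ev["ts"] - start["ts"]).total_seconds()),
                "loss_at_alarm": start["loss_pct"], "loss_at_clear": ev["loss_pct"],
                "latency_at_alarm_us": start["latency_us"],
            })
    for key, start in open_alarms.items():
        episodes.append({
            "gw": key[0], "start": start["ts"], "end": None, "duration_s": None,
            "loss_at_alarm": start["loss_pct"], "loss_at_clear": None,
            "latency_at_alarm_us": start["latency_us"],
        })
    episodes.sort(key=lambda e: e["start"])
    return episodes


def gaps_between_alarms(episodes):
    """Seconds from one alarm start to the next. A near-constant value points at something
    periodic (a scheduled transfer, a polling interval) rather than random line loss."""
    starts = [e["start"] for e in episodes]
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


# Sample input: the six lines from the post, plus one constructed line that is not dpinger output.
SAMPLE_LOG = """\
May 19 04:35:48 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2231us stddev 1209us loss 21%
May 19 04:36:01 fw1 dpinger: ISP 206.55.90.97: Clear latency 2253us stddev 1266us loss 15%
May 19 04:54:24 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2021us stddev 1042us loss 22%
May 19 04:54:39 fw1 dpinger: ISP 206.55.90.97: Clear latency 2564us stddev 6028us loss 19%
May 19 05:13:05 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2203us stddev 1345us loss 21%
May 19 05:13:17 fw1 dpinger: ISP 206.55.90.97: Clear latency 2044us stddev 870us loss 17%
May 19 05:13:18 fw1 example: constructed noise line that the parser must ignore
""".splitlines()


def summarize(lines=SAMPLE_LOG, year=2017):
    """Compact view of a log: number of episodes, their lengths, the gaps between them."""
    eps = alarm_episodes(lines, year)
    return {
        "episodes": len(eps),
        "durations_s": [e["duration_s"] for e in eps],
        "gaps_s": gaps_between_alarms(eps),
        "worst_loss_pct": max((e["loss_at_alarm"] for e in eps), default=0),
    }


if __name__ == "__main__":
    for e in alarm_episodes(SAMPLE_LOG):
        end = e["end"].time() if e["end"] else "open"
        print("%s %s -> %s  %ss  loss %s%% -> %s%%" % (
            e["gw"], e["start"].time(), end, e["duration_s"], e["loss_at_alarm"], e["loss_at_clear"]))
    print(summarize())
```

On the post's own lines the three alarms last 13, 15 and 12 seconds and start 1116 and 1121 seconds apart, which is close enough to a fixed 18.5-minute cadence to be worth checking against the backup replication schedule before blaming the ISP.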
Re: [pfSense] Port forward => load balancer
On 2016-12-02 03:47 PM, Jim Pingle wrote:

On 12/02/2016 06:04 AM, Ugo Bellavance wrote:

I'd like to know if there is a way to switch from a port forward to a server load balancer configuration without downtime. Can I create everything in the load balancer config and then remove the port forward at the end? v 2.3.2-RELEASE-p1

Using relayd (Services > Load Balancer) or the HAProxy package?

I'm already using relayd for other services, so I was planning to go this way again.

If using relayd, then maybe but probably not. relayd hooks in using NAT similar to a port forward but it would take precedence. The moment the frontend is set up it would likely take over the port forward even if you were not ready. If it all happened to work on the first try, then it would be fine.

That's what I thought I experienced the previous time - relayd overrides the port forward.

If you're using the haproxy package then that would work fine. It would bind to the outside address directly but the port forward would bypass that. After you've tested it from the inside you could disable the port forward and it would take over from there. Given the choice between the two, I would always take HAProxy.

I tend to use the most simple system that fits my need. It is for a simple failover system.

Thanks,
Ugo
[pfSense] Port forward => load balancer
Hi,

I'd like to know if there is a way to switch from a port forward to a server load balancer configuration without downtime. Can I create everything in the load balancer config and then remove the port forward at the end? v 2.3.2-RELEASE-p1

Thanks,
Ugo
Re: [pfSense] NAT rule not working
On 2016-11-11 07:41 PM, Ugo Bellavance wrote:

On 2016-11-02 02:02 AM, Ugo Bellavance wrote:

Hi, I'm running 2.0.1-RELEASE (I know, it's old). I already had 3 virtual servers configured in the load balancer and it works. Tonight I tried to configure a third one (and fourth... http and https) and it worked for a while, then it stopped honoring my changes. The change was there, no error on filter reload, but the actual change is not applied. It looks like a NAT rule is hung there (and I made a mistake in it). So right now the traffic to the http port on one public IP goes to the https port of the server inside. It is not absolutely critical because apache sends a friendly page, but it should hit the http port and redirect automatically to the right https URL. I deleted all the load balancer configs that I had, the problem is still there. I tried changing the NAT rule, the problem is still there. I tried deleting relevant states, still there. I did change another NAT rule (port forward as well) and it worked. There is absolutely nothing in the logs about that so I'm starting to think I'm crazy. When I run pfctl -sn, I can see the NAT rule that I want. Does pfctl -sn just read pf.conf or does it really dump the current, in-memory rules? Any idea would be greatly appreciated.

The problem was that a load-balancer related rule was still active. I had to remove it manually.

Oh and yes, we did upgrade to the latest version.
Re: [pfSense] NAT rule not working
On 2016-11-02 02:02 AM, Ugo Bellavance wrote:

Hi, I'm running 2.0.1-RELEASE (I know, it's old). I already had 3 virtual servers configured in the load balancer and it works. Tonight I tried to configure a third one (and fourth... http and https) and it worked for a while, then it stopped honoring my changes. The change was there, no error on filter reload, but the actual change is not applied. It looks like a NAT rule is hung there (and I made a mistake in it). So right now the traffic to the http port on one public IP goes to the https port of the server inside. It is not absolutely critical because apache sends a friendly page, but it should hit the http port and redirect automatically to the right https URL. I deleted all the load balancer configs that I had, the problem is still there. I tried changing the NAT rule, the problem is still there. I tried deleting relevant states, still there. I did change another NAT rule (port forward as well) and it worked. There is absolutely nothing in the logs about that so I'm starting to think I'm crazy. When I run pfctl -sn, I can see the NAT rule that I want. Does pfctl -sn just read pf.conf or does it really dump the current, in-memory rules? Any idea would be greatly appreciated.

The problem was that a load-balancer related rule was still active. I had to remove it manually.
Re: [pfSense] Delivery Status Notification (Failure)
Unless I'm missing something pfSense doesn't need to be involved here. Just plug the printer into your switch and give it a static IP.

Exactly. pfSense cannot act as a print server.
[pfSense] NAT rule not working
Hi,

I'm running 2.0.1-RELEASE (I know, it's old). I already had 3 virtual servers configured in the load balancer and it works. Tonight I tried to configure a third one (and fourth... http and https) and it worked for a while, then it stopped honoring my changes. The change was there, no error on filter reload, but the actual change is not applied. It looks like a NAT rule is hung there (and I made a mistake in it). So right now the traffic to the http port on one public IP goes to the https port of the server inside. It is not absolutely critical because apache sends a friendly page, but it should hit the http port and redirect automatically to the right https URL.

I deleted all the load balancer configs that I had, the problem is still there. I tried changing the NAT rule, the problem is still there. I tried deleting relevant states, still there. I did change another NAT rule (port forward as well) and it worked. There is absolutely nothing in the logs about that so I'm starting to think I'm crazy.

When I run pfctl -sn, I can see the NAT rule that I want. Does pfctl -sn just read pf.conf or does it really dump the current, in-memory rules?

Any idea would be greatly appreciated.

Thanks,
Ugo
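pfctl -sn prints the NAT rules currently loaded in the kernel, not the contents of any file, so it is the right place to look for a rule the GUI no longer shows; on pfSense the load balancer's own rules live in the relayd anchor and only appear with pfctl -a 'relayd/*' -sn. The Python below is an added example, not pfSense code and not from the thread: it parses the rdr lines of a pfctl -sn dump, normalises service names to port numbers, and diffs them against the forwards the administrator intended, so a stale rule that sends port 80 to 443 (the situation described in this thread) stands out. The sample dump, the interface name and the intended-forward list are constructed, with addresses from the documentation ranges.

```python
import re

# rdr lines as printed by "pfctl -sn" on pfSense (pf on FreeBSD), e.g.
#   rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = http -> 192.168.10.20 port 80
# pfctl may print the destination port by service name; the redirect target port is numeric.
# Both forms are accepted below, and "rdr" without "pass" is accepted too.
RDR_RE = re.compile(
    r"^rdr(?: pass)? on (?P<ifname>\S+)(?: inet6?)? proto (?P<proto>\w+) "
    r"from (?P<src>\S+) to (?P<dst>\S+) port = (?P<dport>\S+) "
    r"-> (?P<target>\S+)(?: port (?P<tport>\S+))?"
)

# Small local service table so the script runs offline; extend as needed.
SERVICES = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "imaps": 993}


def port_number(token):
    """'80' -> 80, 'http' -> 80. Unknown names are returned unchanged so they still show in a diff."""
    if token.isdigit():
        return int(token)
    return SERVICES.get(token, token)


def parse_rdr_rules(dump):
    """One normalised tuple per rdr rule in a pfctl -sn dump; nat, binat and rdr-anchor lines
    are skipped. Tuple: (interface, proto, dst_addr, dst_port, target, target_port).
    A missing target port means pf keeps the original destination port."""
    rules = []
    for line in dump.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        dport = port_number(m["dport"])
        tport = port_number(m["tport"]) if m["tport"] else dport
        rules.append((m["ifname"], m["proto"], m["dst"], dport, m["target"], tport))
    return rules


def audit_forwards(dump, intended):
    """Compare the loaded rdr rules with the intended forwards.
    Returns {'unexpected': [...], 'missing': [...]}; both empty means the kernel ruleset
    matches what you believe you configured."""
    loaded = set(parse_rdr_rules(dump))
    wanted = set(intended)
    return {
        "unexpected": sorted(loaded - wanted, key=str),
        "missing": sorted(wanted - loaded, key=str),
    }


# Constructed sample of a pfctl -sn dump. The last rdr line plays the stale
# load-balancer rule from the thread: port 80 on the public address now lands on 443.
SAMPLE_DUMP = """\
nat on em0 inet from 192.168.10.0/24 to any -> (em0) port 1024:65535
rdr-anchor "relayd/*" all
rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = https -> 192.168.10.20 port 443
rdr pass on em0 inet proto tcp from any to 203.0.113.11 port = ssh -> 192.168.10.30 port 22
rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = http -> 192.168.10.20 port 443
"""

# What the administrator believes is configured (constructed).
INTENDED = [
    ("em0", "tcp", "203.0.113.10", 80, "192.168.10.20", 80),
    ("em0", "tcp", "203.0.113.10", 443, "192.168.10.20", 443),
    ("em0", "tcp", "203.0.113.11", 22, "192.168.10.30", 22),
]


if __name__ == "__main__":
    # On the firewall itself, feed audit_forwards() the output of
    # "pfctl -sn" and of "pfctl -a 'relayd/*' -sn" instead of SAMPLE_DUMP.
    result = audit_forwards(SAMPLE_DUMP, INTENDED)
    for r in result["unexpected"]:
        print("loaded but not intended:", r)
    for r in result["missing"]:
        print("intended but not loaded:", r)
```

Run against the sample it reports the 80-to-443 rule as loaded-but-not-intended and the 80-to-80 forward as intended-but-not-loaded, which is exactly the pair of symptoms the post describes: the GUI shows the rule you want while the kernel still carries the one you deleted.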
Re: [pfSense] Wifi control access
On 16-08-03 08:57 PM, Alfredo Tapia Sabogal wrote:

Hi everyone, I have an issue here. We all know that we have to use the captive portal so the user must log in to access the internet, but what happens if user1 gives his credentials to user2 to access the internet? Is there any way to control that issue?

MAC address authentication?
[pfSense] Alias duplicate - can't delete any of them
Hi,

First problem: some time ago a duplicate of an alias got created, I don't know why or how.

Second problem: when I try to delete one of the duplicates, I get the standard warning saying that all elements that still use this alias will become invalid. I click OK and both are still here. I get an error message saying "Cannot delete alias. Currently in use by /rule name/."

How should I proceed? Remove it temporarily from the rule, then delete one of them, then add it back to the rule?

Thanks,
[pfSense] Maximum number of established connections per host questions
Hi,

We are thinking about limiting the number of connections that can be open per IP address. We want to avoid getting hammered on a web service that is used by some clients. We've discovered that they sometimes open as many http connections as they can to perform http queries. We will ask them to change their application to limit the number of concurrent queries, but we're looking for a way to limit the abusers on our side as well. We guess that we can do that on the web server side, but I think that pfSense may be of help.

In our situation, since they are mostly "legitimate" queries, I don't think that there would be a difference between using the Maximum number of established connections or Maximum number of state entries.

I have two questions:

I think that when an IP address hits the limit, the packets are dropped by the default rule, right?

I did some testing and it looks like the tcp connection is not really closed as soon as the http query is complete, so even if an application sends us queries in a serial mode (one http query at a time), many queries would get blocked if I set the Maximum number of established connections per host to 1. My goal is not to set that to 1 but I just want to illustrate the fact that if I tell the client to limit the # of concurrent http queries to 100, for example, I can't simply set the parameter to 100. According to my tests, 50 threads can get the connection count to around 4 000.

Any input would be appreciated.

Thanks,
Ugo
Re: [pfSense] Planning upgrade from 2.0.1-RELEASE to 2.2.6-RELEASE
On 16-01-30 04:51 PM, Jon Gerdes wrote:

On Wed, 2016-01-27 at 00:04 -0500, Ugo Bellavance wrote:

Hi, We're in the process of planning the upgrade of our main site's pfSense firewall. It is currently running 2.0.1-RELEASE and we want it to be at the latest version. It is running in a VMWare VM (amd64).

As it is a VM you can try before you buy! Clone the VM. Create some new vSwitches but don't attach them to physical NICs. Create yourself a virtual workstation for a client if you like. You could also deploy one or more "little" pfSenses to emulate the internet and even put client machines behind them. I use the System Rescue CD to create multiple workstations with minimum effort that have a GUI, browser and lots of tools available. Now do the upgrade and test the functionality. If you really are worried about anything spend plenty of time on this.

When your maintenance window arrives, dump a copy of the config, have a copy of the install .iso available, snapshot the VM first, update it and off you go. Back out the snapshot after a few days, don't leave it there.

I and many others here have lots of VMware VM pfSense machines. My main work one started life on vSphere 4 as pfSense 1.2.something and is now bang up to date.

Thanks!
Re: [pfSense] Maximum number of established connections per host questions
On 16-02-02 04:34 PM, Rainer Duffner wrote:

Am 02.02.2016 um 22:28 schrieb Ugo Bellavance <u...@lubik.ca>:

Hi, We are thinking about limiting the number of connections that can be open per IP address. We want to avoid getting hammered on a web service that is used by some clients. We've discovered that they sometimes open as many http connections as they can to perform http queries. We will ask them to change their application to limit the number of concurrent queries, but we're looking for a way to limit the abusers on our side as well. We guess that we can do that on the web server side, but I think that pfSense may be of help. In our situation, since they are mostly "legitimate" queries, I don't think that there would be a difference between using the Maximum number of established connections or Maximum number of state entries. I have two questions: I think that when an IP address hits the limit, the packets are dropped by the default rule, right? I did some testing and it looks like the tcp connection is not really closed as soon as the http query is complete, so even if an application sends us queries in a serial mode (one http query at a time), many queries would get blocked if I set the Maximum number of established connections per host to 1. My goal is not to set that to 1 but I just want to illustrate the fact that if I tell the client to limit the # of concurrent http queries to 100, for example, I can't simply set the parameter to 100. According to my tests, 50 threads can get the connection count to around 4 000.

They can use HTTP-pipelining: https://en.wikipedia.org/wiki/HTTP_pipelining So, limiting at the firewall-level is pretty much pointless for somebody who wants to abuse a service.

In fact, they don't want to abuse the service, they just wrote their application to fit their need, without considering the impact of its use.
Their application typically sends less than 1 hit/s but in some cases (when they lose internet connectivity for a while), they send all their backlog of missed queries at once (1000-2000).

You've already asked them to stop doing this.

Not yet, actually. We are going to, but we are also looking for a way to enforce it.

Maybe put nginx in front of the web service and use limit_conn and limit_req directives?

I already have an apache httpd 2.2 reverse proxy in front of it, but I didn't check yet what kind of modules I could use there.

Thanks,
Ugo
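Whatever the firewall does with per-host state counts, the quantity worth limiting here is the request rate per source, which is what nginx's limit_req expresses and what the thread is circling around. The Python below is an added example, not from the thread and not code of nginx, apache or pfSense: it implements a per-source token bucket (rate r requests per second, burst b) and runs it over a constructed request stream in which one client sends under 1 hit/s and another flushes a 200-query backlog at once, the case described above. The rate and burst values are assumptions, and this version rejects excess immediately, like limit_req with nodelay, rather than queueing it.

```python
from collections import defaultdict


class PerSourceTokenBucket:
    """One token bucket per client address.

    Each bucket holds at most `burst` tokens and refills at `rate` tokens per second.
    A request spends one token; with none left it is rejected at once. A client that stays
    under the rate is never touched, while a backlog flush gets `burst` requests through and
    the rest refused until the bucket refills. Connection reuse (keep-alive) does not matter
    to this model, which is why it fits the problem better than a connection count does."""

    def __init__(self, rate, burst):
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate = float(rate)
        self.burst = float(burst)
        self._buckets = {}   # client -> (tokens, last_seen_timestamp)

    def allow(self, client, now):
        """True if the request from `client` at time `now` (seconds) may pass."""
        tokens, last = self._buckets.get(client, (self.burst, now))
        if now < last:                  # clock went backwards: refill nothing, keep going
            now = last
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def run_stream(requests, rate, burst):
    """Feed (timestamp_seconds, client) pairs through the limiter in timestamp order and
    return per-client {'accepted': n, 'rejected': n}."""
    limiter = PerSourceTokenBucket(rate, burst)
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ts, client in sorted(requests, key=lambda r: r[0]):
        stats[client]["accepted" if limiter.allow(client, ts) else "rejected"] += 1
    return dict(stats)


def sample_requests():
    """Constructed traffic: 'steady' sends one request per second for a minute (the normal
    application, under 1 hit/s); 'backlog' reconnects at t=30 and fires 200 queued queries
    at once, then another 50 at t=40."""
    reqs = [(float(t), "steady") for t in range(60)]
    reqs += [(30.0, "backlog")] * 200
    reqs += [(40.0, "backlog")] * 50
    return reqs


def demo(rate=5, burst=20):
    """Assumed policy: 5 requests/s sustained, bursts of 20 tolerated."""
    return run_stream(sample_requests(), rate, burst)


if __name__ == "__main__":
    for client, s in demo().items():
        print("%-8s accepted=%3d rejected=%3d" % (client, s["accepted"], s["rejected"]))
```

With the assumed 5 r/s and burst 20, the steady client loses nothing, while the backlog client gets 20 of its 200 queued queries through at t=30 and another 20 of 50 at t=40 once the bucket has refilled, so the flush is spread over time instead of arriving as one wave at the web server.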
Re: [pfSense] pfblocker not working
On 16-01-26 11:49 PM, Ugo Bellavance wrote:

Hi, I'm still running pfSense 2.0.1-RELEASE on one of my firewalls (it runs fine and it is a headache to upgrade) so I'm stuck with pfblocker, which is rather limited compared to pfblockerng. I've configured it like this: Enable pfBlocker: checked. Enable Logging: checked. Inbound and outbound interfaces correctly set. I've configured a few lists that are currently running fine on 2 other pfsense on pfBlockerNG. I've set the action to Deny Both and update Every hour. I can see the files in /var/db/aliastables but no traffic is blocked (I try a ping from inside to an IP address that is within one network defined in one of the lists and it passes).

Never mind, I discovered the Dashboard widget that helps see blocked packets stats (are these stats anywhere else?) and I can see a few blocked packets once in a while. Current value: 1.

Thanks,
Ugo
Re: [pfSense] Planning upgrade from 2.0.1-RELEASE to 2.2.6-RELEASE
On 16-01-27 12:11 AM, Ryan Clough wrote:

Your limiters will no longer function if you are planning to continue using NAT. Here is a link to the bug: https://redmine.pfsense.org/issues/4326

Thanks. My rules are not on the WAN interface though, so they'll be using outbound NAT. Does it apply? Is there another way to throttle traffic like I currently do?

Thanks,
Ugo
[pfSense] pfblocker not working
Hi,

I'm still running pfSense 2.0.1-RELEASE on one of my firewalls (it runs fine and it is a headache to upgrade) so I'm stuck with pfblocker, which is rather limited compared to pfblockerng. I've configured it like this:

Enable pfBlocker: checked
Enable Logging: checked
Inbound and outbound interfaces correctly set

I've configured a few lists that are currently running fine on 2 other pfsense on pfBlockerNG. I've set the action to Deny Both and update Every hour. I can see the files in /var/db/aliastables but no traffic is blocked (I try a ping from inside to an IP address that is within one network defined in one of the lists and it passes).

Any troubleshooting tips?

Thanks,
Ugo
Re: [pfSense] pfblockerng
On 16-01-24 10:42 AM, Elijah Savage wrote:

I use it and have set up others to use it as well and it is beneficial and glad I switched.

Thanks for your input, but my original question was: Would it be possible to update the general documentation (including the list URLs) about pfblocker so that it also covers pfblockerng?

Ugo
[pfSense] Planning upgrade from 2.0.1-RELEASE to 2.2.6-RELEASE
Hi,

We're in the process of planning the upgrade of our main site's pfSense firewall. It is currently running 2.0.1-RELEASE and we want it to be at the latest version. It is running in a VMWare VM (amd64).

I'm currently using these packages:
- AutoConfigBackup
- darkstat
- mailreport
- NRPE v2 (installed but not used yet)
- OpenVPN Client Export Utility
- pfBlocker

Other features:
- 2 limiters
  - To limit the bandwidth that can be used for Windows Updates
  - To limit the bandwidth that can be used by the proxy
- IPv4 only
- Load balancing (configured, working, but not in production yet)
- Single WAN
- 7 NICs (em), including 1 that passes all the VLANs, 6 VLAN interfaces
- Virtual IPs on WAN and on another (internal) interface
- NAT on WAN and on another (internal) interface
- SNMP
- 2 site-to-site IPSec tunnels
- 1 site-to-site OpenVPN tunnel (client)
- 1 OpenVPN road warriors config (1 user)
- NTP configured but not used

Is there something that doesn't look good for this upgrade?

Thanks,
Ugo
Re: [pfSense] pfblockerng
On 16-01-13 10:27 PM, Ugo Bellavance wrote:

On 16-01-13 05:09 PM, Elijah Savage wrote:

Can you give a few more details on this? "Finally, I think that this list, mentioned in the doc, should not be used: http://feeds.dshield.org/top10-2.txt. This one should: http://feeds.dshield.org/block.txt"

The top10-2.txt file has last been updated in July 2015 according to my curl command and is not auto-documented. http://feeds.dshield.org/block.txt is updated frequently (as of now, its most recent generation is 5 minutes ago), it is auto-documented. Also, https://www.dshield.org/xml.html states "We offer one blocklist, and one blocklist only (http://www.dshield.org/block.txt)."

Is anyone using pfblockerng with this list? Would someone want me to try to update the obsolete doc?
Re: [pfSense] pfblockerng
On 16-01-13 05:09 PM, Elijah Savage wrote:

Can you give a few more details on this? "Finally, I think that this list, mentioned in the doc, should not be used: http://feeds.dshield.org/top10-2.txt. This one should: http://feeds.dshield.org/block.txt;

The top10-2.txt file has last been updated in July 2015 according to my curl command and is not auto-documented. http://feeds.dshield.org/block.txt is updated frequently (as of now, its most recent generation was 5 minutes ago), and it is auto-documented. Also, https://www.dshield.org/xml.html states "We offer one blocklist, and one blocklist only (http://www.dshield.org/block.txt)."

Regards,

Ugo
[pfSense] pfblockerng
Hi,

I started using pfblocker(ng) on some of my firewalls (starting with my home firewall) and I feel like the documentation may need to be updated.

First, it looks like only PFblocker is in the official docs (https://doc.pfsense.org/index.php/Pfblocker) while recent versions use PFblockerNG. I know that there is this blog post, but it is more like an announcement than documentation (https://forum.pfsense.org/index.php?topic=86212.0).

Finally, I think that this list, mentioned in the doc, should not be used: http://feeds.dshield.org/top10-2.txt. This one should: http://feeds.dshield.org/block.txt

I could contribute to the docs, but up to now I've only been using it for a few weeks.

And, does someone know why the alert page says "Insufficient Firewall Alerts found." when the # of entries in a section is less than what is configured at the top of the page? And what does "Currently suppressing 0 Hosts" mean?

Thanks,
Re: [pfSense] Slow speed on 100Base TX full duplex.
On 16-01-11 01:23 AM, Muhammad Yousuf Khan wrote:

I am remotely supporting one of my clients who is using pfsense. I have been using pfsense for years and never faced such an issue in this experience. The client's co-location is recommending to use the 100BaseTX full duplex setting instead of Auto. I do not know why they require that; since I am not in the US I never observed this setting recommended by colo people in my country.
- iperf speed test for LAN, between is 50Mbps up and down
- but iperf test on WAN shows 10Mbps down and 5Mbps up.
- however my client is saying that the assigned speed from the colo is 100Mbps.
Now I can not find where the issue is. I suspect that the issue is with the 100BaseTX setting.

You generally have to configure your equipment the way the colo people tell you. Have you communicated with the colo directly to get help? Also, did you try just connecting a Windows or Linux laptop on the colo switch to see what kind of speed you get? Are you sure the other endpoint of your iperf test can send and receive 100 mbps?

Ugo
Re: [pfSense] Lost limiter config after upgrade
On 15-12-13 08:29 PM, ED Fochler wrote:

Limiters work on 2.2.4, I'm using them. But I didn't upgrade, I created the limiters on 2.2.4. Are you asking if limiters work? Or are you just noting that they don't cleanly upgrade? If you create them through the GUI and link them in with the firewall rules, do they work now?

I made some tests and changes and I think it's working now. However, it seems to be working differently than before. I had one of 28 mbps and 3 children to set the weight. Before, it prevented traffic from going over 28 mbps. Now I had to lower the parent limiter to 26 because it looks like some traffic goes over the 26 mbps.

Thanks,
[pfSense] Lost limiter config after upgrade
Hi,

We upgraded from 2.0.1-RELEASE to 2.2.4-RELEASE and the limiter that worked on 2.0.1 stopped working. This limiter (and sub-limiters) is located on an inside interface and its role is to limit the traffic that can come in. This firewall is at a remote site and we replicate backups there. We use this limiter because the bandwidth at the remote site is higher than at our main site. Using this limiter avoids saturating our main site's WAN link and causing slowdowns.

Looking at the config diffs, it looks like the tags have changed during the upgrade. It looked like ?1 and ?2 and now it looks like labels. Also, the tags seem to include more stuff now. It was 28 and now it looks like 28 Mb none

Thanks,

Ugo
[pfSense] mini-box
Hi,

Anyone ever tried an M350 system from minibox? They have different systems with different options: http://www.mini-box.com/MiniPC-Value-Systems

I was thinking about buying the cheapest one for my home network and run KVM on it and run pfsense in a VM, or maybe with no KVM and run it on bare metal.

Opinions?

Thanks,

___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] New intel atom board
http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fbncid=fb

An interesting platform for pfSense? It looks like it only has 1 NIC though.
Re: [pfSense] 2.1 on WRAP
On 2013-09-23 08:15, Ugo Bellavance wrote:

On 2013-09-20 00:28, Chris Buechler wrote:

On Thu, Sep 19, 2013 at 8:22 AM, Ugo Bellavance u...@lubik.ca wrote:

Hi, My old PC Engines WRAP is still surviving, and I'd like to install 2.1 on it. Are these instructions still valid for 2.1? https://doc.pfsense.org/index.php/NanoBSD_on_WRAP

I would guess yes. But we haven't tested on WRAP in years. They've been EOL for 5+ years and their successor is now nearing EOL, it's time to retire the WRAPs.

I understand, but their specs are still OK for my home use. I'll keep an eye on the apu platform.

Thanks, Ugo

For those who care, I bought my WRAP in Dec 2005 and it is still running fine :). I do have to reflash my CF card about once every 2 years but that's about it. Yes, the web interface is slow.
Re: [pfSense] 2.1 on WRAP
On 2013-09-20 00:28, Chris Buechler wrote:

On Thu, Sep 19, 2013 at 8:22 AM, Ugo Bellavance u...@lubik.ca wrote:

Hi, My old PC Engines WRAP is still surviving, and I'd like to install 2.1 on it. Are these instructions still valid for 2.1? https://doc.pfsense.org/index.php/NanoBSD_on_WRAP

I would guess yes. But we haven't tested on WRAP in years. They've been EOL for 5+ years and their successor is now nearing EOL, it's time to retire the WRAPs.

I understand, but their specs are still OK for my home use. I'll keep an eye on the apu platform.

Thanks,

Ugo
[pfSense] 2.1 on WRAP
Hi,

My old PC Engines WRAP is still surviving, and I'd like to install 2.1 on it. Are these instructions still valid for 2.1? https://doc.pfsense.org/index.php/NanoBSD_on_WRAP

Anyone built a WRAP-compatible image for 2.1?

Thanks,

Ugo
Re: [pfSense] Lab firewall best practices
On 2013-08-08 11:33, Adam Thompson wrote:

If you want to keep maximal separation but retain easy routability, connect the lab firewall's WAN port to a dedicated OPT# port on your production firewall and establish static routes on both firewalls. Potentially turn off NAT on the lab firewall. It's possible to connect the two firewalls on their OPTx interfaces with static routes *AND* connect the lab's WAN port to either your main LAN or directly to your ISP... in which case you will still need NAT on the lab firewall.

Keep your lab VLANs on a separate switch or switches; that's arguably even more important than having a second firewall.

Remember that you then need to edit (usually) two sets of firewall rules to allow traffic back and forth.

You'll probably want lab DNS integrated into your main DNS tree as a subdomain, that way you can have a lab DNS server handle lab DNS while maintaining a contiguous namespace. (e.g. www.lubik.ca vs. www.lab.lubik.ca) Remember, though, if you want it to be resolvable from the outside world the NS records for lab.lubik.ca have to point to a publicly reachable IP address.

-Adam Thompson athom...@athompso.net

Thanks a lot,
Re: [pfSense] Bandwith Alert
On 2013-04-17 04:09, Mikey van der Worp wrote:

Hi,

Is there a script called "Bandwidth" alerter or something like this? What I want the script to do:
- Alert when a user uses more than 5 GB a day. (So it needs to send an e-mail.)
Does pfSense have anything like this?

I used a nagios plugin in the past that did a check on bandwidth use. It didn't check the total data transfer like what you're asking, but it was checking the % use of a link. I used to configure nagios so that it warns me when my 15 mbps link was used at more than 80% for more than 15 minutes. It uses snmp, I think it is this one: http://nagios.sourceforge.net/download/contrib/misc/check_traffic/

Ugo
Re: [pfSense] Red Hat Network - Location-aware updates
On 2013-02-26 13:42, Ugo Bellavance wrote:

Hi,

Anyone running RHEL behind a pfSense firewall with egress filtering? I managed to get it to work if I disable location-aware updates, but I have many servers (the change to disable location-aware updates is manual unless you pay for management licences) and would rather do it on the firewall. I used this doc: https://access.redhat.com/knowledge/node/11214

I also tried adding all the IPs from this list (https://access.redhat.com/knowledge/solutions/59586) to an allow rule, but it only works on some servers.

I have a ticket open with Red Hat regarding this, but it would save time if someone already dealt with this.

Thanks,

Ugo

I realized I didn't read the support document correctly and forgot to add two hosts to my pfSense config. Sorry for the noise.

Ugo
Re: [pfSense] bogon networks update failing
On 2013-02-12 20:48, Chris Buechler wrote:

On Tue, Feb 12, 2013 at 12:46 PM, Ugo Bellavance u...@lubik.ca wrote:

Hi, I get this error in the logs: root: Could not download http://files.pfsense.org/mirrors/bogon-bn-nonagg.txt.md5 (md5 mismatch)

That's what happens when something upstream is breaking your Internet connectivity and returning bunk data, for instance maybe a captive portal, or a proxy server returning something other than the actual file, amongst other possibilities. Go to a command prompt on the firewall and run: fetch http://files.pfsense.org/mirrors/bogon-bn-nonagg.txt.md5 and cat the resulting file to see what you're getting, should help track down what's happening.

[2.0.1-RELEASE][user@]/home/user(4): cat bogon-bn-nonagg.txt.md5
MD5 (/home/cmb/bogons/bogon-bn-nonagg.txt) = 9fb7d3a1645fbbe899e4c0938b6858f1

I fetched http://files.pfsense.org/mirrors/bogon-bn-nonagg.txt, md5'd it and it gives this:
MD5 (bogon-bn-nonagg.txt) = 9fb7d3a1645fbbe899e4c0938b6858f1

I don't really see what could have been wrong.
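The check Chris describes, reproduced offline as an added example that is not from the thread: it parses the BSD-style "MD5 (name) = hash" line shown above, compares it with a locally computed digest, and reports the same "md5 mismatch" condition pfSense logs, plus the case where the .md5 URL returns something that is not a digest at all (a captive-portal page, for instance). File names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not pfSense code): reproduce the digest check behind the
# "Could not download ... (md5 mismatch)" log line so it can be diagnosed
# offline. Expects a BSD-style digest line as quoted in the thread:
#   MD5 (/path/to/file) = <32 hex chars>

# Portable MD5 of a file: md5sum (GNU) or md5 -q (FreeBSD, i.e. pfSense).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the lowercase hex digest from a BSD "MD5 (name) = hash" file.
# Returns 1 and prints nothing when the file contains no such line, which is
# what a proxy or captive portal handing back HTML looks like.
digest_from_md5_file() {
    d=$(sed -n 's/^MD5 (.*) = \([0-9a-fA-F]\{32\}\)[[:space:]]*$/\1/p' "$1" | head -n 1)
    [ -n "$d" ] || return 1
    printf '%s\n' "$d" | tr 'A-F' 'a-f'
}

# verify_bogon_md5 <data file> <.md5 file>
# Exit status: 0 digest matches, 1 digest differs, 2 the .md5 file is not a digest.
verify_bogon_md5() {
    expected=$(digest_from_md5_file "$2") || {
        echo "not a digest file: $2 (upstream returned something else?)"
        return 2
    }
    actual=$(md5_of "$1")
    if [ "$expected" = "$actual" ]; then
        echo "md5 ok: $actual"
        return 0
    fi
    echo "md5 mismatch: expected $expected, got $actual"
    return 1
}

# Constructed sample: a few bogon-style prefixes standing in for the real list.
demo_dir=$(mktemp -d)
printf '0.0.0.0/8\n10.0.0.0/8\n192.0.2.0/24\n' > "$demo_dir/bogon-bn-nonagg.txt"
printf 'MD5 (/home/cmb/bogons/bogon-bn-nonagg.txt) = %s\n' \
    "$(md5_of "$demo_dir/bogon-bn-nonagg.txt")" > "$demo_dir/good.md5"
# A wrong digest and a portal-style HTML body model two upstream failures.
printf 'MD5 (/home/cmb/bogons/bogon-bn-nonagg.txt) = %s\n' \
    "00000000000000000000000000000000" > "$demo_dir/bad.md5"
printf '<html><body>Please log in to continue</body></html>\n' > "$demo_dir/portal.md5"

# Run all three cases; "|| :" keeps the demo going after the failing ones.
verify_bogon_md5 "$demo_dir/bogon-bn-nonagg.txt" "$demo_dir/good.md5" || :
verify_bogon_md5 "$demo_dir/bogon-bn-nonagg.txt" "$demo_dir/bad.md5" || :
verify_bogon_md5 "$demo_dir/bogon-bn-nonagg.txt" "$demo_dir/portal.md5" || :
rm -rf "$demo_dir"
```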
Re: [pfSense] Snort and multiple vlans
On 2013-02-13 11:12, Josh Bitto wrote:

I'm having issues where Snort is not alerting anything on my LAN as well as my VLANs... My WAN works fine, but it's connected to the cloud, but for some reason snort isn't logging anything on my other interfaces that are inside my network.

I haven't ever used snort on pfsense, but have you configured it to listen on all the interfaces you want to monitor? You'd have to provide more info on your setup...
Re: [pfSense] bogon networks update failing
On 2013-02-12 20:57, Michael Schuh wrote:

DNS is working correctly?

Yes

An MTR reports no packet loss or bogus routing or flaky routes?

Hmmm, MTR?

Your provider does not block or control traffic through transparent proxies?

I really don't think so. When I go to http://www.whatismyip.com/, it returns the IP address associated with my wan interface, and it says No proxy detected.

Thanks,

Ugo
[pfSense] bogon networks update failing
Hi,

I get this error in the logs: root: Could not download http://files.pfsense.org/mirrors/bogon-bn-nonagg.txt.md5 (md5 mismatch)

On another, most likely unrelated note, in the dashboard I always get Unable to check for updates.

Any ideas welcome.

Thanks,

Ugo
Re: [pfSense] Snort and multiple vlans
On 2013-02-12 15:41, Josh Bitto wrote:

I've read the documentation on snort not working really that well with vlans.... Is there anyone out there that has been successful with this?

What do you mean exactly? I think that if snort is listening on interfaces in all the vlans you want to cover it should be OK.
Re: [pfSense] VMware patch released for clock stopping issue
On 2012-09-29 21:40, Chris Buechler wrote:

This ESX regression was discussed recently here in at least one if not more threads, VMware has a patch out. http://kb.vmware.com/selfservice/microsites/search.do?language=en_UScmd=displayKCexternalId=2032586

PR887134: Timer stops in FreeBSD 8.x and 9.x as virtual hardware HPET main counter register fails to update due to comparison failure between signed and unsigned integer values.

So that means that if we update to ESXi500-201209001 (that gives build #821926) we fix that problem?

Thanks,

Ugo
[pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure
http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
Re: [pfSense] Permission problem for traffic graph
On 2012-07-11 13:21, Ugo Bellavance wrote:

Hi,

I've created a user on one of our pfsense (2.0.1) and gave him these permissions:
- WebCfg - Status: RRD Graphs page
- WebCfg - Status: Traffic Graph page

The RRD Graphs page works, but the Traffic Graph page doesn't. When the user tries to access the Traffic Graph page, we get this error in the logs:

php: /graph.php: u...@ip.ip.ip.ip attempted to access /graph.php but does not have access to that page. Redirecting to status_rrd_graph.php.

I looked at the URLs and the traffic graph page is /status_graph.php, but the SVG graph seems to be /graph.php. Maybe the permission was given only to /status_graph.php?

I have tested on a second pfsense and I get the same result. Should I open a bug?
Re: [pfSense] Site-to-Site VPN, IPSec or OpenVPN
On 2012-03-21 22:34, Oliver Hansen wrote: Ipsec works but I've found it much easier to use OpenVPN when that's an option. Easier to do real routing as well. Is OpenVPN the only one that can compress data in transit?
Re: [pfSense] Routing problem pfsense 2.0.1-RELEASE
On 2012-05-29 09:50, Ronald Pérez wrote: Any ideas? I think you'd need to provide a little more details about your setup.
Re: [pfSense] Rule processing optimization - states
On 2012-05-22 15:44, Vick Khera wrote:

On Thu, May 17, 2012 at 2:37 PM, Ugo Bellavance u...@lubik.ca wrote:

I would like to make sure my rules are in the best order. I understand that the rules are processed from top to bottom, so I should place the rules that are most used at the top. However, how long does a state last? I just want to know whether a long stream of data (a backup, for example) between two hosts will hit the rules more or less than my smtp server, for example (less data, but more connections).

Once a state is established, the rules are not referenced for that connection again. The check-state happens pretty close to the top.

I understand, but if, for example, you download an ISO using http, will it remain in one state for the whole transfer?

Thanks,

Ugo
Re: [pfSense] NFS through pfSense
On 2012-05-13 07:03, Nicolas Schlumberger wrote:

2012/5/12 Michael Schuh michael.sc...@gmail.com

2012/5/12 Ugo Bellavance u...@lubik.ca

On 2012-05-11 16:14, Michael Schuh wrote:

2012/5/11 Ian Levesque i...@crystal.harvard.edu

On May 11, 2012, at 2:52 PM, Ugo Bellavance wrote:

I'd need to have an NFS client access an NFS server. Both are on a different network segment, so I need to have the traffic go through the pfSense firewall. Does anyone have the list of ports that must be allowed for NFSv3?

If your client is on the LAN and the server the WAN, you should be fine with the built-in state management. If the NFSv3 server is behind a firewall, good luck... :) (basically, you'd need to configure your server to use static ports, which may not be possible with your NAS).

My client is in LAN and the server is on OPT1 (another internal network). I could do that with my current CheckPoint FW-1, but I needed to allow all ports.

Ian pointed it out already, much fun...

if: all the clients need the NFS access, they should be in that subnet or the server should be in the subnet of the clients.
then: find a solution to get the data shared between the clients and the secured service (what was the reason why that NFS server stands in a DMZ?) without opening the doors for the entire network. Think about your conceptual design. :-)
endif:

if: only specific clients need access
then: Allow the traffic from specific (if not all clients need access) LAN clients to the NFS server. Secure up your server, make usage of the local files /etc/hosts.allow, /etc/hosts.deny, cut off (deinstall them completely) all other services, accept only DSA/RSA key authentication on SSHv2 and only v2. A word in the documentation: WHY you made it this way - would be a good idea. Try to keep other services far from that box.
endif:

greetings m.

if it must be NFS - lol: maybe the simplest solution if the NFS server must be in a separate subnet (DMZ) and all clients need access to it: Create a special SSH account on the NFS server. This NFS account has a very restricted (at best no) shell; secure it up as ever possible. Create the authentication keys and allow only key authentication. That account has write access to the filesystem share that you like to export via NFS. Put a second box in the internal network. This box makes the NFS server for you. This box shares the SSH-FUSE-FS (SSHFS) file share mounted from your initial server. For details please read the certain documentation. Result is: only an SSH connection between the internal net and your server. All clients connect, read/write to the internal server. Both reached. Easy FW management and secure NFS share. Drawback: if another application related to the NFS server delivers the authentication credentials you have to manage that this gets applied to the new internal NFS server.

VPN is a solution

ssh tunnel is like a vpn ;-)

eew - works for sure, but why generate some overhead, if you can just define what ports nfs (and its helper programs) should use. NFSv3 uses 2 static ports: nfs (2049) and sun-rpc (111) and 3 dynamic ports (2 for statd, 1 for mountd) which can be defined directly on the respective daemons. Just look for options -p and -o in the man pages. I have this working on Linux and on FreeBSD. Depending how you mount your nfs shares, you need to open either tcp or udp ports, or just open both protocols to keep your life simple.

cheers
nico

That was the answer I was looking for, thanks a lot. I'll look into my appliance's config to see how to set the dynamic ports, or, in the worst case, I'll let any as dst port. No user has shell access on this client.

Thanks Michael for your comments. I know all the NFS clients should reside in the same segment as the server, but it is simply not possible for us right now. Most NFS clients are in the same segment, except one.
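Nico's advice turned into a small helper, as an added example that is not from the thread: read the pinned statd and mountd ports from a constructed Linux-style /etc/sysconfig/nfs fragment (the variable names are the ones that file uses on RHEL) and emit the pf pass rules the firewall then needs, adding 111 and 2049 as the two static ports. The port numbers, addresses and the interface-less rule syntax are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): derive the firewall rule set for an
# NFSv3 server whose helper daemons were pinned to fixed ports. 111 (sun-rpc)
# and 2049 (nfs) are static; statd's listen and outgoing ports and mountd's
# port come from the server's config (rpc.statd -p/-o, rpc.mountd -p).

# Constructed sample of /etc/sysconfig/nfs on the server; ports are assumed.
NFS_CONF=$(mktemp)
cat > "$NFS_CONF" <<'EOF'
# constructed sample, not a real server's file
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
EOF

# conf_port <conf> <KEY>: print the numeric value of KEY, fail if unset.
conf_port() {
    v=$(sed -n "s/^$2=\([0-9]\{1,5\}\)$/\1/p" "$1" | tail -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# nfs_ports <conf>: every server port a client must reach, one per line.
# Fails loudly if a daemon was left on a dynamic port, since a rule set built
# without it would silently break mounts or lock recovery.
nfs_ports() {
    for key in MOUNTD_PORT STATD_PORT; do
        conf_port "$1" "$key" || { echo "$key not pinned in $1" >&2; return 1; }
    done
    echo 111   # sun-rpc / portmapper, static
    echo 2049  # nfs, static
    # rpc.lockd (NLM) has its own port (LOCKD_TCPPORT/LOCKD_UDPPORT on Linux)
    # when clients use file locking; the thread does not cover it.
}

# nfs_pf_rules <conf> <client-net> <server-ip>: pf.conf-style pass rules for
# the client-facing interface, tcp and udp both opened as Nico suggests.
nfs_pf_rules() {
    nfs_ports "$1" | sort -n | while read -r p; do
        printf 'pass in quick proto { tcp udp } from %s to %s port %s\n' "$2" "$3" "$p"
    done
    # Reboot notifications (SM_NOTIFY) go from the server's statd to the
    # client's statd with the pinned outgoing port as source.
    out=$(conf_port "$1" STATD_OUTGOING_PORT) || return 0
    printf 'pass in quick proto { tcp udp } from %s port %s to %s\n' "$3" "$out" "$2"
}

# Demo: LAN clients in 10.0.1.0/24 (constructed) reaching the OPT1 server.
nfs_pf_rules "$NFS_CONF" 10.0.1.0/24 10.0.2.20
```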
[pfSense] Multiple port ranges in alias
Hi,

I want to create a rule for an application that uses 2 ranges of destination ports. I created an alias with 2 port ranges, but when I add it in the rule it says:

_Ports_xxx is not a valid start destination port. It must be a port alias or integer between 1 and 65535.
_Ports_xxx is not a valid end destination port. It must be a port alias or integer between 1 and 65535.

Do I have to make 2 separate rules?

Thanks,

Ugo
[pfSense] NFS through pfSense
Hi,

I'd need to have an NFS client access an NFS server. Both are on a different network segment, so I need to have the traffic go through the pfSense firewall. Does anyone have the list of ports that must be allowed for NFSv3?

Client is RHEL5, server is a SUN NAS. No NAT involved.

Also, is it really required to disable scrubbing for the whole firewall? Can't it be disabled by a rule?

Thanks,

Ugo
Re: [pfSense] NFS through pfSense
On 2012-05-11 16:14, Michael Schuh wrote:

2012/5/11 Ian Levesque i...@crystal.harvard.edu

On May 11, 2012, at 2:52 PM, Ugo Bellavance wrote:

I'd need to have an NFS client access an NFS server. Both are on a different network segment, so I need to have the traffic go through the pfSense firewall. Does anyone have the list of ports that must be allowed for NFSv3?

If your client is on the LAN and the server the WAN, you should be fine with the built-in state management. If the NFSv3 server is behind a firewall, good luck... :) (basically, you'd need to configure your server to use static ports, which may not be possible with your NAS).

My client is in LAN and the server is on OPT1 (another internal network). I could do that with my current CheckPoint FW-1, but I needed to allow all ports.

Ugo
[pfSense] Hyphens in aliases
Hi, Is there a reason why hyphens are not allowed in alias names? Thanks, Ugo
Re: [pfSense] Outbound NAT
On 2012-05-04 13:41, Ugo Bellavance wrote:

Hi,

I'm still planning the Checkpoint - pfSense migration, and I'm now at the Outbound NAT part. In our current Checkpoint, every single NAT is manually defined. It is a bit cumbersome and I doubt this adds to security because we have default deny rules everywhere, ingress/egress.

What are the best practices for Outbound NAT? I have one WAN and 9 networks on the LAN side. Within most of my LAN networks, I don't NAT, but I do NAT with one of them. I also need to NAT to go out on the internet, via WAN. So, basically, I need Outbound NAT for WAN and for this one network that I need to NAT.

One of my questions is: should I leave Automatic outbound NAT rule generation or use Manual rules? From what I can see, the automatic rules are only to access the internet, which is fine because I'll only allow what I want with firewall rules. No matter if I go automatic or not, I'll need a few rules that I can create for my LAN network that needs NAT.

Just thinking aloud, but I'd be glad to know if my thinking sounds right.

Thanks,

Ugo

Is there something wrong with my question? Now I've enabled automatic outbound NAT rule generation and the rules that were added by setting it to manual are still there. Should I delete them?

Thanks,

Ugo
Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12 depth
On 2012-05-03 07:45, Ulrik Lunddahl wrote:

Hi! I can sign that, we often sell those exact systems, and compatibility and stability is not an issue with pfSense. We often use a 4-port Intel Gigabit NIC too, and this specific one works with pfSense in-box drivers: E1G44ET2 Intel Gigabit ET2 Quad Port Server Adapter. The atom processor is not going to route at Gigabit speed, but I have seen around half, with no optimizations made. Works with VMware (Free) Hypervisor (ESXi) too, and so does pfSense, but you can also get the system with KVM/IP for remote assistance.

I'll check those units, thanks a lot!

Ugo
[pfSense] pfsense hardware for a proxy, 1U w/ 12 depth
Hi,

I'm looking for hardware to replace an ASA unit that only allows 5 concurrent VPN connections for road warriors by a pfsense unit. However, I need to have a proxy on the server to have reports or logs on who does what on the internet, so I need a hard drive. Also, the physical space that I have for this unit is 1U and about 12 inches of depth. I thought about soekris units, but does anyone else have another idea? The other needs are quite simple, not that many internal users, no other VPN tunnels.

Thanks,

Ugo
Re: [pfSense] lagg
On 2012-04-04 18:05, Michael Schuh wrote:

On 4 April 2012 15:29, Ugo Bellavance u...@lubik.ca wrote:

On 2012-04-04 09:19, Michael Schuh wrote:

On 4 April 2012 14:47, Ugo Bellavance u...@lubik.ca wrote:

Hi, Setting up pfsense on a physical server with 2 onboard NICs. The available bandwidth is more than enough (gigabit interfaces for a 10mbps WAN and 100mbps LAN). I think I should do a LAGG interface, then put VLAN interfaces on it, but is the added redundancy worth the hassle? Thanks, Ugo

Hi Ugo, to reach which target?

For all the interfaces

There is some lack of information to give you any advice. A firewall with 2 physical interfaces has only wan and lan, so no lagg needed?

Hmm, theoretically, I think my idea may work, but I think in practice it is not possible to configure a lagg interface without having at least one (temporary) nic available during the configuration.

Can you please try to describe your idea a bit better? At this time we (I) know: You have one physical box (or two? if one, then I guess that other posting from you is for the same box?) that you would like to use as a firewall with pfsense. This box has 2 physical interfaces (NICs). Those NICs are Gigabit NICs and you get a 10MBit/s WAN connection from your provider. Further I know your LAN setup has only a 100MBit/s switch (I guess so based on your information).

OT (related to another post on this list): From that other post I figure you get/got a /28 IP subnet (I hope it's a real /28 and not just the count of the IPs, like Adam described it earlier). You would like to set up 1:1 NAT for a part of that subnet for the usage within your servers to provide some Internet services (protocols) to the outside of your IP world.

Where would you like to put your lagg group/s there, to gain which effort/functionality/state? What would you like to aggregate to get what? Failover for what? Loadbalance for what/which load (sorry - lol)?

For being complete: Your VLAN setup depends on the local network VLAN setup, as mentioned earlier. And yes, of course the VLAN stuff has worked for years now, very well and stable. If your switches aren't managed: Don't care, just ignore it and do not use any VLAN setup. (I guess no VLAN setup is needed if the two posts are for one box, then No VLAN/No LAGG). So there are way too many guesses, so I think we need more detailed information from you?

Hi,

You got most of the info right, and you even created some ;). But what I want to do is not possible anyway without putting another NIC in the server (because while configuring the lagg on my 2 onboard interfaces, I'll lose connectivity). Also, Mosche recommends keeping it separate for security reasons. In my case, the security issues involved do not really apply, but in any way, I don't think it is worth all the hassle so I'll put the WAN on one NIC and my internal VLANs on the other.

Thanks,

Ugo
Re: [pfSense] Virtual IPs: Carp or proxy arp?
On 2012-04-04 17:22, Michael Schuh wrote:

Ok, but are there drawbacks compared to an alias VIP?

In virtual environments you have to take care that the virtual switches allow/permit this type of traffic (e.g. on ESX). The same rule is valid for physical environments, but most do it out of the box.

You mean for CARP? For now I won't be using HA. I'll start with a single firewall and if the needs ask for it eventually, I'll set up CARP-HA.
[pfSense] lagg
Hi,

Setting up pfsense on a physical server with 2 onboard NICs. The available bandwidth is more than enough (gigabit interfaces for a 10mbps WAN and 100mbps LAN). I think I should do a LAGG interface, then put VLAN interfaces on it, but is the added redundancy worth the hassle?

Thanks,

Ugo
Re: [pfSense] Virtual IPs: Carp or proxy arp?
On 2012-03-22 08:32, Adam Thompson wrote:

Ok, but are there drawbacks compared to an alias VIP?

None that I've run into personally. The one I can think of is that you can't (or rather, shouldn't) run CARP on the same network (or VLAN, or...) as any Cisco HSRP devices because they use the same Ethertype value but aren't compatible. Or maybe that was VRRP, can't remember. Not likely to be an issue for very many people, in any case.

Wouldn't it be simpler to use IP aliases for IP addresses that are not meant to ever be used for HA?

Thanks,

Ugo
[pfSense] pfSense + CheckPoint Firewall-1 site-to-site VPN
Hi,

Is there anyone, by chance, that would have some kind of walk-through (or a few hints) to configure a site-to-site VPN between a pfSense (2.0.1) and CheckPoint Firewall-1 (R65)?

Thanks,

Ugo
[pfSense] Parallel setup for testing/migration
Hi,

During my Checkpoint to pfSense transition, I'll have, during a few days, two ISPs active at the same time at the office. The firewall is the only router of the organisation, but has several networks attached to it. Would it be possible to have the two firewalls active at the same time and migrate my services one by one? It doesn't matter if I can't migrate all of my services without interruptions, but if I could test a few things on the new setup before the cutover, it would be nice.

Thanks,

Ugo
Re: [pfSense] Virtual IPs: Carp or proxy arp?
On 2012-03-21 21:22, Adam Thompson wrote:
> Based on that very high-level summary:
> -assuming the /28 isn't a true routed /28,

I would have to ask my ISP to get the answer? What is a true routed subnet? It means that every IP address in the subnet is available in a switch in which you connect your ISP's network cable, or is it that you must use a firewall or router of your own to address those IPs?

> -set pfSense's WAN IP to the first IP in the range (or reserve the first three if using CARP for HA)

I already planned/reserved 3 IPs in all of my subnets, and with the ISP.

> -set all remaining IPs as CARP-type aliases, and implement inbound NAT as necessary (maybe including 1:1 for the FTP server)

Ok, but are there drawbacks compared to an alias VIP?

Thanks,

Ugo
[pfSense] Virtual IPs: Carp or proxy arp?
Hi,

I was re-reading a book to help my pfsense implementation and in the section about VIPs, it says that some people would rather use CARP VIPs instead of proxy arp for some reasons. Then, looking at http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F I see that IP aliases are new in 2.0.

Here is my desired setup:
- Our ISP will provide a /28 (16 IP addresses) and we may need more in the future
- We plan to do NAT to expose our public servers (mostly port forward)
- We don't have an FTP server to expose, but it may be necessary in the future.
- I'm planning on setting the pfSense on a VMWare infrastructure, but we may eventually need to make a CARP setup in the future

What should I use for my public IP addresses?

Thanks,

Ugo
[pfSense] Site-to-Site VPN, IPSec or OpenVPN
Hi,

For a simple site-to-site VPN (main office to DR site), what is most recommended? I used IPSec in the past and it worked well. We will have multiple subnets in the main office, but I've read on it and I understand that I may have to configure the networks in the vpn connection correctly or use multiple tunnels.

Since this is a disaster recovery site, the traffic would not be time-sensitive, so I may want to use the traffic shaper to lower its priority, if possible, as the WAN link used for the VPN tunnel would also be used for all our traffic.

Thanks,

Ugo
Re: [pfSense] icmp best practices
On 2012-03-20 07:25, Chris Bagnall wrote:
> On 19/3/12 11:54 pm, Moshe Katz wrote:
>> I have ICMP blanket allowed on both pfSense installations that I have (home and work).

By blanket rule, you mean a floating rule allowing icmp echo/reply?
[pfSense] dhcp relay
Hi,

Do I need to create firewall rules when using DHCP relay on pfSense?

Thanks,

Ugo
[pfSense] Alias based on built-in networks
Hi,

Is it possible to create an alias containing the networks that are available in the drop-down menu in firewall rules? I'd like to have an alias that would be Internal Networks, that would include my 8 internal networks (out of 10 - 1 being WAN and the other being the network of a partner).

Thanks,

Ugo
Re: [pfSense] dhcp relay
On 2012-03-19 10:44, Jim Pingle wrote:
> On 3/19/2012 10:35 AM, Ugo Bellavance wrote:
>> Do I need to create firewall rules when using DHCP relay on pfSense?
> Shouldn't be required, at least not if it's directly on an interface (if it's a bridge you might need a rule, same as with the DHCP server itself).
>
> Jim

Thanks Jim for your quick response. I don't use bridges for my planned setup, does that mean that I won't need rules for sure?

The only thing I'm concerned about is that my DHCP server is in a network with dhcp clients. With my current setup, it was a bit problematic because the broadcasts were sent twice: once from the client and once from the relay (firewall). But in pfSense, I just disabled the relay on this interface and I should be fine (my other firewall could not enable the relay on a per-interface basis).

Thanks,

Ugo
[pfSense] icmp best practices
Hi,

The system I inherited denies all ICMP requests by default, even internally. Is that a good idea? I think that echo/reply should at least be allowed internally. Opinions?

Thanks,

Ugo
Re: [pfSense] DNS resolution in aliases
On 2012-03-15 04:27, Raimund Sacherer wrote:
>> On 3/14/2012 4:08 PM, Ugo Bellavance wrote:
>>> Is there DNS resolution in aliases (pfSense 2.x)? Is it possible to create an alias, for example, named bunch of servers, and in the hosts, instead of entering the IP address, enter a DNS name?
>> Yes.
> A
>>> To push it even further, if it is the case, can we use a DNS name that has many A records (like db.us.clamav.net)?
>> Yes.
> B
>>> If so, when is the DNS query made to get the IP addresses?
>> There is a filterdns daemon that checks every few minutes and populates the tables if the hostnames change.
> C
>
> A=B=C= I did not know about these possibilities, and I have the pfsense book too. I think this is REALLY important information, especially that multiple IP's are gathered from DNS and that they are rechecked every X minutes! This should definitely be discussed in more detail in the new book!!!
>
> Does this filterdns daemon *change* the addresses or add them? What I mean is, if you get multiple IP's from DNS RoundRobin style, you always have the same batch of IP's, but if they are loadbalanced in a different way and you retrieve different batches of IP's or a different IP at the next check, are those added, or will they replace the not matching set?
>
> Is this daemon active by default? Is it possible to evoke the daemon from the shell to fast prefill an alias list?

Why would you do that, you could probably just insert the name in an (group) alias and there you go.

By the way, I think I could find time to write a page of documentation for docs.pfsense.org about that (once I get my answer about the best practices). And I could probably offer help for the book this summer as I'll be in parental leave for 5 weeks.

Ugo
Re: [pfSense] DNS resolution in aliases
On 2012-03-15 08:35, Jim Pingle wrote:
>> And I could probably offer help for the book this summer as I'll be in parental leave for 5 weeks.
> I think you'll be a bit busier at that time than you might expect. :-)

It'd be our second, and to keep our privilege to have our children at the daycare, we must send the older one there at least 4 hours a day. We'll see...
Re: [pfSense] DNS resolution in aliases
On 2012-03-15 08:35, Jim Pingle wrote:
>> Is it possible to evoke the daemon from the shell to fast prefill an alias list?
> Not sure why you'd want to do that, just add hostnames to an alias and be done with it.

So I've been creating all my servers in aliases for nothing I guess? I'd just have to create the groups I want, then add the servers' DNS names I want in there and voila?
Re: [pfSense] DNS resolution in aliases
On 2012-03-15 09:01, Jim Pingle wrote:
> On 3/15/2012 8:56 AM, Seth Mos wrote:
>>> So I've been creating all my servers in aliases for nothing I guess? I'd just have to create the groups I want, then add the servers' DNS names I want in there and voila?
>> Not a good idea, unless all the records match up. If the system has different addresses you would need to make very sure they are all in DNS. If the DNS server fails that also means that your firewall rules will be skipped and nothing works.
>>
>> I use it for a few websites, but nothing I administer locally for something which I know the IP address won't ever likely change.
> ^ that. Hostnames are fine to use for remote things or things you don't know for sure, but that does rely on working DNS. If you know the IPs and they aren't likely to change, use them in an alias.
>
> You could use all hostnames if you want, but for something like a remote access alias, be sure to leave yourself at least one in there with an IP just in case DNS fails.
>
> In general, leave the hostnames for unknowns, like dyndns addresses, systems you don't have control over that could change without your knowledge, and so on.
>
> Jim

Ok, cool. So I haven't created all my objects for nothing. Thanks.

So, would you like me to create a documentation page about the aliases and the dnsfilter daemon?
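Added example, not code from pfSense or from anyone in this thread: a small Python audit that models the advice above. It expands an alias the way the thread describes the filterdns daemon doing it (every A record of a hostname goes into the table, literal addresses stay as written) and shows which aliases would be left empty if DNS were unreachable. The resolver is injected, the alias contents and DNS answers are constructed sample data, and the DNS-outage behaviour (a name contributing nothing) is a modelling assumption, not a claim about what the real daemon does.

```python
"""Audit pfSense-style aliases that mix hostnames and literal addresses.

Added example, not pfSense code. Hostnames are expanded through an injected
resolver so the check runs offline; a resolver failure makes the name
contribute nothing, which is the failure mode the thread warns about
(an alias made only of hostnames becomes empty when DNS is down).
"""
import ipaddress
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def classify(entry: str) -> str:
    """Return 'ip', 'network' or 'hostname' for one alias entry."""
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "hostname"
    return "network" if "/" in entry else "ip"


def build_table(entries: List[str], resolve: Resolver) -> List[str]:
    """Expand an alias into the address table a filter would load.

    Literal addresses and networks are kept; each hostname is replaced by
    every address the resolver returns for it (all A records, as the thread
    describes). A resolver error (OSError) drops that name silently.
    """
    table: List[str] = []
    for entry in entries:
        kind = classify(entry)
        if kind == "network":
            table.append(str(ipaddress.ip_network(entry, strict=False)))
        elif kind == "ip":
            table.append(entry)
        else:
            try:
                table.extend(resolve(entry))
            except OSError:
                pass  # modelled outage: nothing is loaded for this name
    return list(dict.fromkeys(table))  # de-duplicate, keep order


def audit(aliases: Dict[str, List[str]], resolve: Resolver) -> Dict[str, dict]:
    """Per alias: the loaded table, the table with DNS down, and whether a
    literal address is present as the fallback Jim recommends."""

    def dns_down(name: str) -> List[str]:
        raise OSError("constructed outage: resolver unreachable")

    report: Dict[str, dict] = {}
    for name, entries in aliases.items():
        report[name] = {
            "table": build_table(entries, resolve),
            "table_if_dns_fails": build_table(entries, dns_down),
            "has_literal_fallback": any(classify(e) != "hostname" for e in entries),
        }
    return report


# Constructed DNS answers standing in for the live resolver (the real
# daemon would query the configured DNS servers periodically).
SAMPLE_DNS = {
    "mirror.example.net": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    "dyn-admin.example.org": ["198.51.100.7"],
}


def sample_resolver(name: str) -> List[str]:
    """Hypothetical resolver over the constructed answers above."""
    if name not in SAMPLE_DNS:
        raise OSError(f"constructed NXDOMAIN for {name}")
    return list(SAMPLE_DNS[name])


# Constructed aliases: RemoteAccess follows the advice (a literal IP next
# to the hostname); Mirrors does not and would be empty without DNS.
SAMPLE_ALIASES = {
    "RemoteAccess": ["dyn-admin.example.org", "192.0.2.50"],
    "Mirrors": ["mirror.example.net"],
    "Internal": ["10.10.0.0/16", "10.20.1.5"],
}

if __name__ == "__main__":
    for alias, info in audit(SAMPLE_ALIASES, sample_resolver).items():
        flag = "" if info["has_literal_fallback"] else "  <-- empty if DNS fails"
        print(f"{alias}: {info['table']}{flag}")
```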
[pfSense] Crashed pfsense
Hi,

While configuring a pfsense (in a VMWare VM), it crashed a few seconds after saving the configuration for an interface. I can see it displayed savecore: reboot and savecore: writing core to textdump.tar.0. Would it be useful to try to diagnose what has happened?

Thanks,

Ugo
[pfSense] DNS resolution in aliases
Hi,

Is there DNS resolution in aliases (pfSense 2.x)? Is it possible to create an alias, for example, named bunch of servers, and in the hosts, instead of entering the IP address, enter a DNS name?

To push it even further, if it is the case, can we use a DNS name that has many A records (like db.us.clamav.net)?

If so, when is the DNS query made to get the IP addresses?

Thanks,

Ugo
[pfSense] Alias based on the PTR record
Hi,

I know it is less secure and creates load on the firewall and DNS servers, but is it possible to create an alias to create rules, that would allow one to deny traffic for hosts that have a PTR that contains a string?

Thanks,

Ugo
Re: [pfSense] DNS resolution in aliases
On 2012-03-14 16:23, Jim Pingle wrote:
> On 3/14/2012 4:08 PM, Ugo Bellavance wrote:
>> Is there DNS resolution in aliases (pfSense 2.x)? Is it possible to create an alias, for example, named bunch of servers, and in the hosts, instead of entering the IP address, enter a DNS name?
> Yes.

That rocks.

>> To push it even further, if it is the case, can we use a DNS name that has many A records (like db.us.clamav.net)?
> Yes.

That rocks even more.

>> If so, when is the DNS query made to get the IP addresses?
> There is a filterdns daemon that checks every few minutes and populates the tables if the hostnames change.

Ok, and what happens if the DNS servers are not available when the daemon checks, does it cache the entries?

So... Should I only create aliases that are groups and add individual hosts in them, using hostnames and not IP addresses? What are the best practices regarding the aliases? I looked at the doc and the book (which covers mostly 1.2) and I couldn't really find anything. Since I'm setting a firewall from scratch, I may as well do it right the first time.

Thanks,

Ugo
Re: [pfSense] Alias based on the PTR record
On 2012-03-14 16:27, Jim Pingle wrote:
> On 3/14/2012 4:10 PM, Ugo Bellavance wrote:
>> I know it is less secure and creates load on the firewall and DNS servers, but is it possible to create an alias to create rules, that would allow one to deny traffic for hosts that have a PTR that contains a string?
> DNS resolution in the ruleset is done (per my last e-mail) independently of the actual incoming packets. Even in pf if you use a hostname in a rule it's resolved at filter load. There isn't a way for it to check the ptr of an IP in that way. It would always be a forward DNS lookup.
>
> Not sure what problem you're looking to solve there, if you're looking to block something, PTRs would be pretty unreliable since they rarely (except for mail servers) reverse resolve to the same IP as the forward name for many public-facing servers.

My current CheckPoint does it, but it clearly states that the rules using this kind of criteria should be put at the end to limit the number of DNS requests that are necessary. We are using it for a few rules, where we couldn't find the IP ranges for a bunch of web servers, but they do have something in common in their PTR record.

I can live without that.

Thanks,

Ugo
Re: [pfSense] VMWare maximum of 10 vnics
On 2012-03-05 21:28, Ugo Bellavance wrote:
> Hi,
>
> I'm currently trying to configure pfSense firewall in a VMWare machine. There is apparently a limit of 10 vNICs on Vsphere 5, but I would need this firewall to access 11 networks. Since all the networks in VMWare are already tagged vlans, I don't really know how to overcome this limit.
>
> Any ideas?
>
> Thanks,
>
> Ugo

BTW I'm not looking for a solution, just an answer. If it doesn't work in VMWare, I'll use 2 physical servers and a CARP setup. However, I'd rather go with VMWare if possible.

Thanks,

Ugo
[pfSense] VMWare maximum of 10 vnics
Hi,

I'm currently trying to configure pfSense firewall in a VMWare machine. There is apparently a limit of 10 vNICs on Vsphere 5, but I would need this firewall to access 11 networks. Since all the networks in VMWare are already tagged vlans, I don't really know how to overcome this limit.

Any ideas?

Thanks,

Ugo
[pfSense] config.xml livecd
Hi,

I think I lost my config.xml. Well I do have a backup, but I worked like 1 hour on the config tonight and I'd like to recover the file.

This is what I did (I think):
- Install pfsense on the HDD, play with it (and probably make config changes)
- Reboot for some reason and forget that the CD is still in and boot in livecd mode
- Make a lot of changes in the firewall aliases
- Add vNics and reboot to enable the new nics (was that needed anyway? Is there a way to tell pfsense that new nics have been hot-added?)
- Realize that all my configs are gone :(.

Is there any way to recover the lost config.xml?

Thanks,

Ugo
[pfSense] Alias: object within another object
Hi,

I'm currently creating Firewall Aliases. What I would like is to have a list of hosts, which I could in turn add to host groups. Is it feasible? Is it in the wishlist?

For example, I'd like to have... hypothetical example:

webserver1
webserver2
webserver3

I'd like to have them in a group called Web Servers, but since webserver1 is also the DB server, I'd need to have special rules for this server.

Is there another option than create individual aliases and an alias for the group and maintain them both?

Thanks,

Ugo
Re: [pfSense] Alias: object within another object
On 2012-03-01 11:51, Jim Pingle wrote:
> On 3/1/2012 11:48 AM, Ugo Bellavance wrote:
>> I'm currently creating Firewall Aliases. What I would like is to have a list of hosts, which I could in turn add to host groups. Is it feasible? Is it in the wishlist?
> It works fine on 2.0.x. It's been supported on 2.x for quite some time.

My mistake... this message confused me:

"Enter as many hosts as you would like. Hosts must be specified by their IP address."

I thought only IP addresses were allowed here. I should have noticed the typical red box :). It would be an idea to change this message to say that we can put aliases there too.

Thanks,

Ugo
[pfSense] nanobsd WRAP 2.0.1
Hi,

Anyone fancy creating a WRAP-compatible 2.0.1 image (2.0 images are available at http://zhaw.ch/~maym)? I can provide hosting for a 512mb compressed image.

Thanks,

Ugo
Re: [pfSense] Install make in pfsense
On 2012-02-14 07:52, Maykel Casa wrote:
> Hi!!
>
> I'd like to monitor the pfsense with cacti and I need the following command for configuring ucd-snmp: make
>
> Can you help me please?? Does somebody know how to install make in pfsense??
>
> Thanks in advance.

Have you tried configuring the snmp agent instead? I remember having monitored pfsense with cacti this way.
Re: [pfSense] Dual wan issues
On 2012-02-03 11:56, - Dickie Bradford - wrote:
> On 1/1/2012 8:11 PM, - Dickie Bradford - wrote:
>> On 12/28/2011 1:55 AM, bruno.deb...@cyberoso.com wrote:
>>> On Tue, 27 Dec 2011 22:53:15 -0500, - Dickie Bradford - <dbradf...@never-enuff.net> wrote:
>>>> I am currently running dual wans to help with traffic load. I have sticky connections and allow default gateway switching checked. My wans are both setup as tier1 in gateway groups and my rules allow outbound traffic out via that group. This has been working pretty well except for a handful of websites that just behave odd (1 off hand: Vonage): when I log in and when I go to check my voicemail on line, it makes me login again, it seems like it loses its session. I have made a workaround rule for the few particular sites I know of, I just send all their traffic out a single gateway and this works fine and normal, but may get to be a pain if I have to do it to my other dual wan systems. Is there anything else I could look for or do to remedy this?
>>>>
>>>> Thnx
>>>> Dickie
>>> I did have the same problem. On https sites, authentication randomly goes away. As a workaround, I had to force one box as the gateway for https traffic (which is almost only for these sites in my case anyway).
>> Seems sticky connections do not work on https?

Maybe a limitation of the built-in package responsible for server load balancing (relayd). The haproxy package may be an alternative.
Re: [pfSense] Carp locking up routers.
On 2012-01-06 09:40, Bryant Zimmerman wrote:
> I have had another lockup with CARP. This is on three identical Supermicro systems. Running 2.0-RELEASE with 4 intel nic ports in each. What happens is the pfSense routers just stop sending or receiving traffic on all IP addresses, CARP and non CARP. We could not access either unit from the net. I hooked in a console cable and the hardware was still responding but I did not have enough time to do any diagnostics. I had to reboot all of them to get traffic flowing again. And since they are nanobsd I have no saved logs after the reboot. This is really rendering CARP useless and I need some ideas on how to solve this.

I think that the first step would be to set up a syslog server so that you can send your logs to it.
Re: [pfSense] Silly question - using a PC + pfsense + dual ethernet NIC + wlan PCI card as wifi router
On 2011-12-08 05:44, patrick wrote:
> On 8/12/2011 9:49, Seth Mos wrote:
>> On 8-12-2011 9:21, Chris Buechler wrote:
>>> Though that'd be pretty ugly too given the 11 Mb limit of USB 1.x you'd find on such a box, aside from the fact USB NICs tend to be ugly in general driver-wise, and I can't recall seeing a USB wifi card whose chipset supported hostap mode.
>> Ralink usb chipsets do work, but they default to 1Mbit unless you force them to use 54Mbit. I've used them as wireless access points in a cinch but they fell over in about a day of use.
>>> Maybe the OP's best bet is getting a WRT54G off ebay (can be had for ~$20 USD shipped in the US at least, generally cheaper than any wifi NIC you're going to find), and use it for wifi only.
>> Considering that the placement of your Wifi antenna is pretty critical for good coverage, I second this. Getting an old wifi router on the cheap is easy, some people even give you the old one, you might even have one laying around. Disable the dhcp server on it, plug the cable into the LAN port and you get a 4 port switch as a bonus.
>>
>> I have mine in the living room below the TV. This makes wifi in the living room excellent (where I use it most) and I use the extra ports for the media player and xbox.
>>
>> Regards,
>>
>> Seth
> I agree with the above! Trying to get this to work at an acceptable throughput will take some doing (the Wifi) and will be relatively expensive. A cheap NIC and a little access point/wireless router hanging off that will be easier and cheaper in the end. I have a WAG302 hanging off the NIC for WLAN and this works very well indeed. It works very well with the stock ROM, but you could get a cheapie and put DD-WRT on it (check hardware list before going on ebay!). Any wireless card you buy will be an uncertainty, as to working under BSD or not, and you might go through a few before you get one to cooperate!
>
> Then there is the already mentioned PCI throughput, which is inadequate at best. Adding an extra access point also allows you a double layer of security (especially if the stock ROM is for professional networks, like some of the Cisco or Netgear stuff, or if you run DD-wrt on a plebeian Wifi router). You can make rules to disallow any configuration via the Wifi ROM and the WLAN NIC, giving you an extra layer of defence. If you are completely paranoid (as any good geek should be!) about Wifi breaches, throw in a 3Com or Cisco managed switch (these can be had for next to no money on ebay, like the 4400 from 3Com goes for $10 to $20 these days). This will give you another layer that needs breaching before the pfSense box can even be reached, let alone hacked. It isn't ironclad, but every bit helps...
>
> Paddy

I agree that the OP should get a wifi router instead of putting work to make this happen on a PC. Another option would be an Alix or Wrap board + wifi card with pfSense. That is what I use. However, it is 10x the price of a used Linksys.

Ugo
Re: [pfSense] NAT advice
On 2011-11-25 08:55, Ugo Bellavance wrote:
> Hi,
>
> I'd like to use pfSense for a proof-of-concept to link two networks together for a SIP trunk. After discussing with the other network admin, we concluded that we'd use NAT because we don't want the traffic to go through core switches, which are the only L3 devices available. I know NAT is not perfect, but it would keep things on L2.
>
> So here is what I do: 1 server on one side, pfsense in the middle, 3 servers on the other side.
>
> Subnet 1: 172.30.100.1/24
> Server 1: 172.30.100.100
> pfSense : 172.30.100.254
>
> Subnet 2: 192.168.99.0/24
> Server 1: 192.168.99.11
> Server 1: 192.168.99.12
> Server 1: 192.168.99.14
> pfSense : 192.168.99.4
>
> How should I do my NAT rules? I think I should use the outbound NAT config, but I'm not sure.
>
> Thanks,
>
> Ugo

Did I fail to provide enough info?
Re: [pfSense] problems with setting 10.0.0.1/8 on LAN
On 2011-11-27 10:14, Eugen Leitl wrote:
> On Sun, Nov 27, 2011 at 04:07:31PM +0100, Eugen Leitl wrote:
>> While trying to build VIPs and do 1:1 NAT I accidentally noticed that setting LAN to 10.0.0.1/8 (instead of 10.0.0.1/24) will make the system unresponsive (this is 2.1-DEVELOPMENT (i386) built on Fri Oct 21 12:51:56 EDT 2011). I also have other hosts on the 10.0.0.0/24 network -- not sure what mixed network masks on the same LAN do. I was not able to ping the WAN interface at all. I reset the LAN back to 10.0.0.1/24 via an IPMI session, at which point the system sprang back.
>>
>> I'll try doing the same with a /16 mask, let's see what that does.
> Behavior is the same with /16, ping gets me Destination Host Unreachable, while the pfSense itself has no issue reaching anything outside. As soon as I reset the LAN back to 10.0.0.1/24 everything from the outside instantly works again. Weird.

Are you sure you don't have a subnet overlapping on another interface?
Re: [pfSense] NAT advice
On 2011-11-29 11:53, David Burgess wrote:
> On Tue, Nov 29, 2011 at 9:27 AM, Ugo Bellavance <u...@lubik.ca> wrote:
>> I attached a diagram of what I would like to achieve.
> You can achieve that without NAT. Simply set up pfsense with two interfaces, addressed 172.30.100.254/24 and 192.168.99.4/24 respectively. Now, depending on whether you want to do any firewalling between these two networks, you have two options:
>
> A (with firewalling). Create a PASS rule on each interface permitting the traffic that you want to permit through to the other network. Turn off Automatic Outbound NAT and delete all of the automatically created rules.
>
> B (no firewalling). Go to System: Advanced: Firewall and NAT and check the option Disable all packet filtering.
>
> In either case, the hosts on both networks will need a static route to the other network (assuming pfsense is not their default route, ie, they have internet through another router).
>
> db

I know, but we didn't want to do any routing because subnets may change and overlap in the future, since this is two distinct organizations.

Ugo
Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense
On 2011-11-23 23:43, Daniel Davis wrote:
>> We are thinking about running a redundant (CARP) setup with one pfSense on our VMWare cluster, and one on a physical, separate machine.
> I would not recommend a hybrid physical/virtual CARP cluster as CARP is entirely network reliant. In a physical CARP cluster best practice is to dedicate a network interface on each machine for CARP with a crossover cable between them so that even in the event of a switch failure they can still talk and elect a master. You would need a dedicated NIC per host, an additional physical switch and additional vswitches to achieve the same sort of resiliency in a mixed physical/virtual configuration. This can get expensive and adds additional points of failure, but without it you run the risk of ending up with two masters (i.e. split brain) if the connectivity between your physical and virtual networks were to fail.
>
> vmWare HA is your friend here, it will remove the possibility of a split brain for you if both hosts are running in the cluster. HA is not network reliant (as long as you are using a separate storage network), it uses a combination of network and shared data store heartbeats to monitor hosts and VMs. One host can lose network connectivity, CARP will failover the firewalls, the cluster will detect a host isolation response and restart the failed VM on another host, all very orderly and controlled with less than a couple of seconds of downtime and no physical intervention.
>
> We use two firewalls with CARP in a vSphere cluster, works very nicely. The things to remember if you go with the two virtual machines are:
>
> 1. Make sure you follow the instructions for CARP and ESX/ESXi from the wiki.
> 2. Change the host that ESXi pings to determine its network availability. If you leave this as the default gateway, the ESX host that is hosting the master node will never fail over even in the event of a network outage, as it will still be able to ping the VM. This must be something that is highly available, we use the address of the stacked switches in our blade chassis. See http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002478
>
> If you can tolerate a minute or two of downtime in the event of a host failure you could even consider a single pfSense VM and just trust vmWare HA to do the failover.

I'm pretty sure that we could live with a few minutes of downtime, so that would save the carp setup. However, I would reserve the 2 other IP addresses in all my subnets in case.

>> Concerns:
>> 1- NAT Reflection - We don't have a split-DNS setup. CheckPoint does seem to manage NAT Reflection perfectly.
>> 2- Ease to migrate the configuration to pfSense - I would set a pfSense VM in parallel and start migrating all the rules manually, but I'm scared about missing some or seeing a situation where the Firewall-1 can do it and not pfSense.
>> 3- Backups. Are automated backups (of the config, at least) possible even w/o a service contract?
>>
>> Can people share their experience with this kind of scenario? Don't hesitate if you need more info.
>>
>> Thanks,
>>
>> Ugo
> pfSense works well for the most part, the Snort package has had a few issues in the past but once it is working it works well, NAT reflection works fine and see the wiki for automated backups (http://doc.pfsense.org/index.php/Remote_Config_Backup). The VPN options are excellent so I don't think you'll have any issues there. IPv6 is still not supported but this was not an issue in our case.

Great thanks. I thought there were problems for NAT reflection for port above 500, but is it port range over 500 ports instead? I wouldn't need that. All my internet-facing servers expose 1 to a few ports.

> As you will find out, the free support provided on the mailing list is often better than the help you get from most CCSP's. :)

Thanks,

Ugo
[pfSense] NAT advice
Hi,

I'd like to use pfSense for a proof-of-concept to link two networks together for a SIP trunk. After discussing with the other network admin, we concluded that we'd use NAT because we don't want the traffic to go through core switches, which are the only L3 devices available. I know NAT is not perfect, but it would keep things on L2.

So here is what I do: 1 server on one side, pfsense in the middle, 3 servers on the other side.

Subnet 1: 172.30.100.1/24
Server 1: 172.30.100.100
pfSense : 172.30.100.254

Subnet 2: 192.168.99.0/24
Server 1: 192.168.99.11
Server 1: 192.168.99.12
Server 1: 192.168.99.14
pfSense : 192.168.99.4

How should I do my NAT rules? I think I should use the outbound NAT config, but I'm not sure.

Thanks,

Ugo