Re: [pfSense] Is pfSense the Best Open Source Firewall/IDS/IPS in the World?

2018-05-25 Thread Vick Khera
On Fri, May 25, 2018 at 4:56 AM, Turritopsis Dohrnii Teo En Ming <tdteoenm...@gmail.com> wrote:

> Questions are:
>
> (1) Is pfSense, coupled with Snort IDS, the best open source
> firewall/IDS/IPS in the world?
>

It is my preferred one, for sure, and I have used it for multiple office
locations and my data center for many years. The word "best", however, has
no real meaning without context. You need to specify your environment and
your requirements to decide which software is the optimal choice.


> (2) Is pfSense on par with commercial firewall appliances, including
> Cisco ASA, Cisco Sourcefire, Fortigate, SonicWall, etc?
>
>
Again, you have to define your requirements. Likely for most small to
medium sized organizations' basic needs, pfSense will be comparable to the
other commercial offerings.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] memstick-2.4.3-RELEASE-amd64.img debugflags needed for ZFS

2018-05-25 Thread Vick Khera
On Wed, May 23, 2018 at 4:10 PM, Jason Hellenthal wrote:

> Sorry for the long subject but has anyone experienced in the ZFS install
> for a mirrored setup of two disks that you need to set
> kern.geom.debugflags=16 to allow shooting yourself in the foot just to get
> the kernel to stop denying you access to the disks ?
>
>
> The UFS install works as intended.
>

You don't want to use GEOM mirror underneath ZFS. You want ZFS to do the
mirror of two individual disks. What exactly is preventing you from adding
the second drive to the zroot pool?


Re: [pfSense] boot/loader.conf.local deleted upon reboot

2018-05-16 Thread Vick Khera
On Wed, May 16, 2018 at 2:03 PM, PiBa wrote:

> Looks like everything that has the word 'console' in there gets deleted
> from loader.conf.local..
>
> I suppose the 'platform' is not one of these.?:
> if ($specific_platform['name'] == 'RCC-VE' ||
> $specific_platform['name'] == 'RCC' ||
> $specific_platform['name'] == 'SG-2220') {
> $data[] = 'comconsole_port="0x2F8"';
>
>
No, sadly it is not. It is "Super Micro C2758" which has both a physical
COM1 and a virtual COM2, so you can't really force the choice upon someone.

Reading the code, I don't see how all "console*" lines would be removed,
but maybe I misunderstand how the pattern matching is working.


Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread Vick Khera
On Wed, May 16, 2018 at 10:50 AM, WebDawg wrote:

> I upgrade via the console now.  Not to say that the GUI is broken, but
> I must have been a victim of when it was.  I have seen what kpa is
> talking about in that forum thread too.  It is why I always ssh in and
> update from console.
>

Wow. I call that a high risk upgrade method. Once it logs you out of ssh,
you just sit there and hope it comes back up. You need to hook your serial
port (or virtual serial port if you have a BMC that supports that) up as
the real device console so you can monitor the entire process.


[pfSense] boot/loader.conf.local deleted upon reboot

2018-05-16 Thread Vick Khera
I run pfSense on an official pfSense branded C2758 system. It has a BMC
controller that permits me to use a serial over LAN to COM2. In order to
make the system console connect to COM2, the following line needs to be
added to loader.conf or loader.conf.local:

comconsole_port="0x2F8"

in addition to enabling the serial console via the GUI.

I've run it this way for years with prior versions of pfSense. It seems now
with version 2.4.3 (possibly earlier 2.4.x, not sure) upon reboot the
/boot/loader.conf.local file gets deleted. Thus the symptoms are that you
create the file, reboot and get serial console, but the file gets removed
during the boot. So on your next boot, no console over SoL.

Ideally, there would be a menu on the GUI for serial console to select the
COM port, but I requested that forever ago and it doesn't seem to be
important enough to get implemented.

The /etc/inc/pfsense-utils.inc file appears to try to filter the
loader.conf.local to remove duplicate settings and delete it if it ends up
empty.  This is done by the function load_loader_conf() which seems like it
does the right thing but clearly it is not including the above line and
thus the file gets deleted. It is easily reproduced by just putting that
single line above into the file and rebooting pfSense.
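An added example, not code from the post above or from pfSense: a small sh function that sets a loader variable idempotently, so a script run after boot can put the comconsole_port line back into /boot/loader.conf.local before the next boot reads it. How such a script gets hooked in after boot (for instance a shellcmd entry) is an assumption, and so is the premise that re-adding the line after the boot-time cleanup is the right workaround for your system.

```shell
#!/bin/sh
# Added example; this is not code from the original post or from pfSense.
# set_loader_var FILE NAME VALUE writes NAME="VALUE" into a loader.conf-style
# file, replacing any earlier NAME= line so that repeated runs leave exactly
# one copy instead of stacking duplicates. Re-running it after boot (how you
# hook it in, e.g. a shellcmd entry, is an assumption) puts the
# comconsole_port line back before the next boot reads it.

set_loader_var()
{
    file="$1"; name="$2"; value="$3"
    tmp=`mktemp "${TMPDIR:-/tmp}/loaderconf.XXXXXX"`
    # Keep every line except prior definitions of NAME (grep -v exits 1
    # when nothing is left, which is not an error here).
    if [ -f "$file" ]; then
        grep -v "^${name}=" "$file" > "$tmp" || true
    fi
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
    chmod 644 "$file"   # mktemp creates 0600; /boot files are world-readable
}

# get_loader_var FILE NAME prints the last value set for NAME, without quotes.
get_loader_var()
{
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Usage, matching the post: send the console to COM2 (I/O port 0x2F8).
# set_loader_var /boot/loader.conf.local comconsole_port 0x2F8
```

Run it once per variable you need (comconsole_port, comconsole_speed, and so on); each call rewrites only its own line and leaves the rest of the file untouched.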


Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread Vick Khera
I just did the upgrade from the console from 2.4.3 to 2.4.3_1 with no
problems in the upgrade. I run on an official pfSense brand C2758 device.

On Tue, May 15, 2018 at 11:28 PM, John Kline wrote:

> Many of us are seeing this.
> See:https://forum.pfsense.org/index.php?topic=147853.0
>
>
>
>
> On Tuesday, May 15, 2018, 7:53 PM, Steve Yates wrote:
>
> I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1.  One is
> an SG-3100 and one is a PC.  On both, both times, the upgrade almost
> immediately fails, but if I try again it works.  I click the pending-update
> icon on the dashboard to go to System Update and it detects the update.  I
> start and I get:
>
> ">>> Updating repositories metadata... done.
> 2.4.3_1 version of pfSense is available"
>
> Then a red bar at the top of the page, "System update failed!"
>
> If I click the already-highlighted System Update tab again, confirm the
> update, it then immediately installs.
>
> Is anyone else seeing this?
>
> --
>
> Steve Yates
> ITS, Inc.


Re: [pfSense] Host override without host part

2018-04-12 Thread Vick Khera
On Thu, Apr 12, 2018 at 4:03 AM, Marco wrote:

> Hi,
>
> I need assistance setting up a host override. I successfully set up
> a host override for the www host:
>
>   # Services → DNS → Resolver → General Settings →  Host Overrides
>   # works fine
>   www.foobar.com → 10.0.10.10
>
> However, I also need an override for the domain part:
>
>   # how to do that?
>   foobar.com → 10.0.10.10
>
> I can't leave the host part empty. Pfsense doesn't allow for that.
> Any ideas?
>

Works for me. pfSense 2.4.3.

Re: [pfSense] ZFS on 2.4.2

2018-03-08 Thread Vick Khera
On Thu, Mar 8, 2018 at 3:00 PM, Walter Parker wrote:

> Are the FreeBSD 10.2 instructions (
> https://www.netgate.com/docs/platforms/rcc-dff-2220/freebsd.html) still
> valid for 11.1?
>
>
>- Connect the console cable (I have that setup)
>- Boot from from a memstick image plugged into the USB port
>- From the Menu select 3, Escape to the loader prompt
>- Enter the following commands
>   - set comconsole_port=0x2F8
>   - set comconsole_speed=38400
>   - set hint.uart.0.flags=0x0
>   - set hint.uart.1.flags=0x10
>   - set console=comconsole
>   - boot
>- Select shell or LiveCD from the FreeBSD installer menu
>- Run tunefs
>
> Or does the 2.4 memstick installer give one an escape to shell option?
>

The hint lines for uart flags are unnecessary but harmless since FreeBSD 10.

The image does have a "live" mode where it runs entirely in ramdisk, but
nothing will let you set the serial port to the second port. You will have
to use these settings to use the second port.

You could try just booting to single user mode and run the tunefs. I don't
remember if that works or not for the boot volume with FreeBSD 11.


Re: [pfSense] ZFS on 2.4.2

2018-03-08 Thread Vick Khera
On Thu, Mar 8, 2018 at 11:10 AM, Zandr Milewski wrote:

> As someone who has spent easily 100 hours troubleshooting, rebuilding, and
> restoring UFS based Netgate boxes that have to function in environments
> with less-than-datacenter grade power availability, I'll take "potential
> corruption in corner cases" over "1 in 4 chance it won't come back from a
> power cycle"
>
> *Any* journaled filesystem is an improvement.
>

Journaling on UFS is just one setting away. Boot single user from USB, then
run "tunefs -j enable /dev/da0" for your boot device da0. Done. I don't
know why FreeBSD does not recommend this for the boot volume, but I think
as long as you never fill up the disk you're ok. I've not had issues with
it.


Re: [pfSense] ZFS on 2.4.2

2018-03-08 Thread Vick Khera
On Wed, Mar 7, 2018 at 8:18 PM, Walter Parker wrote:

> don't use ECC. Can anyone show why my solution should switch file systems
> (given that I'm keeping my existing hardware) without changing the subject?
> I've read many of the scare stories from FreeNAS and they all seem to end
> up as a call to authority or a "fine, risk your data" without actually
> answering the question.
>
>
The most important feature I use in ZFS is the snapshots. Combined cleverly
with datasets and quotas, they make for very easy management of disk
resources when needed. The FreeNAS model of boot environments is awesome,
and I hope pfSense takes those up as well. It makes upgrades less stressful
when you can just click a button to revert.

As for the ECC, see this study
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/35162.pdf
for example. It is slightly old, but RAM hardware has not advanced that much
since then. Basically, if you have a few gigs of RAM in your machine, it
*will* produce bit errors.  There are other studies that back this up too,
and they are more recent.

Personally, I don't understand why any computer, desktop or server, made
these days is without ECC. My desktop has 16GB RAM with room for 16 more.
I'm sure there are flipped bits in some of my work somewhere, but I'll
never really know. If I'm lucky, the flipped bits are on unused sections of
code loaded from the disk into RAM.


Re: [pfSense] ZFS on 2.4.2

2018-03-07 Thread Vick Khera
On Wed, Mar 7, 2018 at 2:04 PM, Walter Parker wrote:

> without ECC. If there is a time bomb, then it exists for all file systems
> running on computers without ECC. As this one of multiple backups for the
> system, the risks are acceptable.
>
> If you have an actual failure method that makes ZFS worse, I'd love to see
> the details. Then I could publish a paper and be "Internet famous."


Yes, this is true. However, other file systems do not offer *any* hint of
telling you when your data is corrupt on the platter like ZFS will. So if
you know you don't have ECC protection, then you should not expect your
data to be protected end to end. If you have ECC and a "regular" file
system, the same is true. You just never know.


Re: [pfSense] ZFS on 2.4.2

2018-03-07 Thread Vick Khera
On Tue, Mar 6, 2018 at 6:51 PM, Peder Rovelstad wrote:

> Here's a ZFS tuning guide if you have not seen.
> https://wiki.freebsd.org/ZFSTuningGuide
>
> But only goes to v9.
>

You 100% do not want nor need to turn on de-dupe. Especially on a boot
volume of pfSense.


Re: [pfSense] ZFS on 2.4.2

2018-03-01 Thread Vick Khera
Here's my simple backup script function. Just stick it into a /bin/sh
script (should work in bash too) and call it once per pfSense instance.
I've been using this for years to backup my production firewalls.

pfsense_config()
{
    local FWNAME FWURL FWPASS CSRF CSRF2 COOKIEFILE PFDATE
    FWNAME="$1"
    FWPASS="$2"

    FWURL="https://${FWNAME}"
    COOKIEFILE=`mktemp -t cookies`
    PFDATE=`date +%Y%m%d%H%M%S`

    printf "Downloading Firewall Config for $FWNAME\n"

    # Step 1: GET the backup page unauthenticated to obtain the login form's
    # CSRF token and a session cookie.
    CSRF=`curl -k -L -c ${COOKIEFILE} ${FWURL}/diag_backup.php \
        | grep "name='__csrf_magic'" | head -1 | sed 's/.*value="\(.*\)".*/\1/'`

    # Step 2: POST the login (usernamefld/passwordfld are the pfSense 2.x
    # login form field names) and capture the post-login CSRF token.
    CSRF2=`curl -k -L -c ${COOKIEFILE} -b ${COOKIEFILE} \
        -d "login=Login&usernamefld=admin&passwordfld=${FWPASS}&__csrf_magic=${CSRF}" \
        ${FWURL}/diag_backup.php \
        | grep "name='__csrf_magic'" | head -1 | sed 's/.*value="\(.*\)".*/\1/'`

    # Step 3: POST the download request (donotbackuprrd skips the RRD graph
    # data) and save the returned config.xml.
    # Caveats: -k disables TLS certificate verification, the password is
    # visible in the process list while curl runs, and the saved XML holds
    # private keys and pre-shared keys, so protect the output file.
    curl -k -b ${COOKIEFILE} \
        -d "Submit=download&donotbackuprrd=checked&__csrf_magic=${CSRF2}" \
        -o config-$FWNAME-$PFDATE.xml ${FWURL}/diag_backup.php

    rm -f ${COOKIEFILE}
}


You call it like this:

pfsense_config firewall.example.com mySecr3tPassword

and it stores the backup XML in a file based on the date and firewall name.
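An added example, not code from the post above or from pfSense, covering the two things a practitioner would want to check in that curl sequence: if the login or CSRF step fails, the last request silently saves the HTML login page under the .xml name, and `-k` accepts any certificate, so anyone on the path can collect the admin password. The first function validates a downloaded file; the second repeats the three requests with the firewall's CA pinned and the password read from a file. The CA path, password file location and the admin user name are assumptions.

```shell
#!/bin/sh
# Added example; not code from the original post or from pfSense. The curl
# sequence in the post has two failure modes worth closing off: a failed
# login or stale CSRF token makes the last curl save the HTML login page
# under the .xml name, and -k accepts any certificate, so a MITM can collect
# the admin password. verify_pfsense_config() catches the first;
# pfsense_config_verified() avoids the second by pinning the firewall's CA
# and reading the password from a file instead of argv (where `ps` shows it).
# The CA path, password file and admin user name are assumptions.

# Return 0 if FILE looks like a pfSense config.xml, 1 (with a reason on
# stderr) otherwise.
verify_pfsense_config()
{
    f="$1"
    [ -s "$f" ] || { echo "$f: empty or missing" >&2; return 1; }
    # A real backup starts with the XML declaration and has a <pfsense> root.
    head -n 1 "$f" | grep -q '^<?xml' \
        || { echo "$f: not XML, probably the login page" >&2; return 1; }
    grep -q '<pfsense>' "$f" \
        || { echo "$f: no <pfsense> root element" >&2; return 1; }
    # The CSRF field only appears in web forms, never in a saved config.
    grep -q '__csrf_magic' "$f" \
        && { echo "$f: contains a login form" >&2; return 1; }
    return 0
}

# Same three-request sequence as the post's pfsense_config(), hardened.
pfsense_config_verified()
{
    host="$1"
    ca="${PFSENSE_CA:-/usr/local/etc/pfsense-ca.pem}"      # assumed path
    passfile="${PFSENSE_PASSFILE:-$HOME/.pfsense-pass}"    # assumed path
    pass=`head -n 1 "$passfile"` || return 1
    jar=`mktemp "${TMPDIR:-/tmp}/cookies.XXXXXX"`
    out="config-$host-`date +%Y%m%d%H%M%S`.xml"
    url="https://$host/diag_backup.php"

    # Extract the CSRF token from a page read on stdin.
    tok() { grep "name='__csrf_magic'" | head -n 1 | sed 's/.*value="\(.*\)".*/\1/'; }

    csrf=`curl -sS --cacert "$ca" -L -c "$jar" "$url" | tok`
    # --data-urlencode keeps passwords containing & or = intact.
    csrf2=`curl -sS --cacert "$ca" -L -c "$jar" -b "$jar" \
        --data-urlencode "login=Login" \
        --data-urlencode "usernamefld=admin" \
        --data-urlencode "passwordfld=$pass" \
        --data-urlencode "__csrf_magic=$csrf" "$url" | tok`
    curl -sS --cacert "$ca" -b "$jar" \
        -d "Submit=download&donotbackuprrd=checked&__csrf_magic=$csrf2" \
        -o "$out" "$url"
    rm -f "$jar"

    # Refuse to keep anything that is not a config; a real one holds private
    # keys and pre-shared keys, so restrict it once it passes.
    if verify_pfsense_config "$out"; then
        chmod 600 "$out" && echo "$out"
    else
        rm -f "$out"; return 1
    fi
}

# Usage: PFSENSE_PASSFILE=/root/.pfsense-pass pfsense_config_verified firewall.example.com
```

The verifier is deliberately cheap (first line, root element, absence of the CSRF field) so it can run from cron right after the download; a backup that fails it is deleted rather than left to be mistaken for a good copy later.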


Re: [pfSense] ZFS on 2.4.2

2018-02-22 Thread Vick Khera
You don't need to export the pool on shutdown. Even an unclean shutdown
should survive automatically on the reboot.

I can't think of a reason ZFS would fail like you describe.

On Wed, Feb 21, 2018 at 12:23 PM, Walter Parker wrote:

> Hi,
>
> I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just bought
> a 6TB powered USB drive from Costco and it works great (the drive has its
> own power supply and a USB hub). I want to use it take ZFS backups from my
> home server.
>
> I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on boot
> and created a pool and a file system. That worked, but the memory ran low
> so I restricted the ARC cache to 1G to keep a bit more memory free and
> rebooted. When the system rebooted it did not remount the pool (and
> therefore the file system) because the pool what marked as in use by
> another system (itself). That means that the pool was not properly
> exported/umounted at shutdown.
>
> Taking a quick look a rc.shutdown, I notice that it calls a customized
> pfsense shutdown script at the beginning and then exits. Is there a good
> place in the configuration where I can put/call the proper zfs shutdown
> script so that the pool is properly stopped/exported so that it imports
> correctly on boot?
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis


Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-10 Thread Vick Khera
If you're going to use IPSec mobile client with an iPhone, it does not seem
to propose the GCM variants of AES, only the CBC ones with SHA2.


Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-20 Thread Vick Khera
Oh, so you're not running it on hardware, but inside ESXi? Then I have no
more ideas for you. You should mention these things when asking for help,
by the way.


On Mon, Nov 20, 2017 at 8:12 AM, Liwei <xieli...@gmail.com> wrote:

> Thanks for the quick reply. It is a Supermicro 5018A-FTN4 based on
> the A1SRi-2758F which contains an Atom C2758. RAM tests are fine. This
> machine also contains a few other VMs which are running fine.
>
> By the way, I missed out reporting the crash itself:
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 2; apic id = 02
> fault virtual address = 0x60
> fault code = supervisor read data, page not present
> instruction pointer = 0x20:0x80cbcb0f
> stack pointer = 0x28:0xfe02390bf070
> frame pointer = 0x28:0xfe02390bf070
> code segment = base 0x0, limit 0xf, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 12 (irq267: vmx0)
>
> On Mon, 20 Nov 2017 at 20:55 Vick Khera <vi...@khera.org> wrote:
>
> > On Mon, Nov 20, 2017 at 7:36 AM, Liwei <xieli...@gmail.com> wrote:
> >
> > >
> > > Anyone has any idea what's going on? Restoring to pfSense 2.3 seems
> > to
> > > solve this problem, so it is more likely a software than hardware
> issue.
> > >
> > >
> > What's your hardware? Have you tested your RAM using memtest86?
> --
> Clear Skies,
> Liwei
> Co-Founder, CTO, TinyMOS
> 21 Heng Mui Keng Terrace, Level 1 The Hangar, Singapore 119613


Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-20 Thread Vick Khera
On Mon, Nov 20, 2017 at 7:36 AM, Liwei wrote:

>
> Anyone has any idea what's going on? Restoring to pfSense 2.3 seems to
> solve this problem, so it is more likely a software than hardware issue.
>
>
What's your hardware? Have you tested your RAM using memtest86?


Re: [pfSense] ASRock E3C236D2I+Pentium G4560 vs SM A1SRi-C2758F

2017-10-30 Thread Vick Khera
There are wide-spread reports of ASRock C2750D4I board failures in the
FreeNAS forums. I've suffered from it. Not sure if that applies to the
board you are considering.

There are also wide-spread reports of issues with the Supermicro board you
are considering. I have 4 of these in service for 3+ years with no issues.
I recently closed down one of my offices and have a spare pfSense branded
C2758 system if you're interested.

Personally, I'd go with the Supermicro solution. They easily handle Gigabit
WAN.


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Vick Khera
Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built
up. Not having IPv6 at my home router makes it hard to play with. I've not
had the courage to bring "live" my direct allocation at the data center yet.

On Wed, Aug 2, 2017 at 10:22 PM, Adam Thompson <athom...@athompso.net> wrote:

> Sadly, yes.  Partly due to providers like OVH who don't "get" prefix
> delegation.
> Also, how else do you multi-home without running BGP?  (Keeping in mind
> that the overwhelming majority of networks around the world have no access
> to BGP.)  That's one of the specific use cases for Network Prefix
> Translation.  (I don't have the RFC handy, sorry.)
> -Adam
>
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
> > Khera
> > Sent: August 2, 2017 21:20
> > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> >
> > Is NAT even a thing with IPv6?


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Vick Khera
Is NAT even a thing with IPv6?


Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set

2017-05-12 Thread Vick Khera
On Thu, May 11, 2017 at 3:40 PM, Julian Heisz wrote:

> Are you using the default public IP finder (forget the specific term
> pfSense uses and not in a position to check at the moment) or do you have a
> custom one set up? I have a custom one set up, which works for other DDNS
> but may for some reason not work here.
>

All I did was fill out the form on the RFC2136 client page and check the
"use public IP" box. This has been working for me for a couple of years in
this configuration.


Re: [pfSense] Wifi

2017-05-11 Thread Vick Khera
1. Assign a static IP for the device to control via the DHCP server. Force
the device to re-fetch its IP so it can get this new dedicated address.
2. create a schedule entry in the Firewall -> Schedules configuration. For
example, 4pm - 8pm Sunday through Thursday (I call this "school
afternoons").
3. Create a "block" rule on the LAN. open the "advanced" options and select
your schedule from the menu for schedules.
4. save and apply the rules.

On Thu, May 11, 2017 at 12:22 PM, Alfredo Tapia Sabogal <alfred.ta...@gmail.com> wrote:

> Hello everyone, hope some of you have any step by step how to control the
> wifi access with  time restriction for internet access.
>
> Thank you so much!!!


Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set

2017-05-11 Thread Vick Khera
On Thu, May 11, 2017 at 1:06 AM, Julian Heisz wrote:

> This appears to be an issue with pfSense, however the wiki suggests that I
> use the forum or mailing list before submitting a ticket in Redmine. Of
>

"works for me". My DNS server runs BIND 9. My pfSense sits behind a NAT
from the FiOS router at home, and my backup link via LTE at the office is
behind a NAT from the LTE to ethernet adapter. Both work great.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Vick Khera
On Tue, Mar 28, 2017 at 12:50 PM, Matthew Hall wrote:

> > The only silent systems I have are based on the Atom C2758 processor,
> and I
> > do not think those will handle a full gigabit connection at full speed.
>
> This isn't right, the SG-2440 can do it.
>

I stand corrected. Thanks for the additional info.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Vick Khera
On Tue, Mar 28, 2017 at 9:00 AM, Eero Volotinen wrote:

> Well, I don't know PPS values :) This is just home gigabit connection for
> .. surfing/movies/4K streaming :)
>

Oh, well I don't think you'll need much more than one of the models Netgate
sells, then, aside from their lowest end offering. I think it will be
*very* hard for you to use the full gigabit of bandwidth with that workload.

If you want to build it yourself, I will suggest starting with a basic
Supermicro "barebones" system based on the C2758 processor. They come with
a fan, but it almost never runs and is very very quiet. Just add RAM and
boot disk -- these support the SATA DOM's supermicro sells, and off you go.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Vick Khera
On Tue, Mar 28, 2017 at 2:59 AM, Eero Volotinen wrote:

> Looking for pfsense hardware that can handle 1000M/1000M internet
> connection with NAT.
>

I would recommend at least a Xeon processor based system for that traffic.
Really, the limit is PPS; do you know what that would be? Any system using
a Xeon will not be silent. I use a pair of high end custom-built boxes at
my data center, and they can push this kind of traffic, though my usual
sustained is only in the 200Mbps range.

The only silent systems I have are based on the Atom C2758 processor, and I
do not think those will handle a full gigabit connection at full speed.


Re: [pfSense] SIP through IKEv2-tunnel

2017-03-20 Thread Vick Khera
You only need siproxyd if you have multiple SIP clients inside your network
trying to talk outside.

SIP should work just fine in your situation where your PBX software and
your client are within the same VPN and do not block any traffic.

That is, I have a situation like this and it works just fine:

Internet <- pfSense NAT <- Switchvox <- local LAN clients

remotes  -> pfSense VPN -> Switchvox


I can't tell from the OP's original description how the connections are
configured.


On Mon, Mar 20, 2017 at 6:10 AM, Eero Volotinen wrote:

> maybe you need something like this
> https://doc.pfsense.org/index.php/Siproxd_package
>
> Eero
>
> On 20.3.2017 at 11:56 AM, "Martin Fuchs" wrote:
>
> > Hi !
> >
> > I have a Fritz!Box (router) connected to the internet (no other
> > possibility).
> >
> > In it I have NATted ESP, GRE, 4500, 500, 1701, ... to a pfSense VM.
> >
> > This pfSense VM just operates as a VPN-Gateway.
> >
> > I have set up the routes in the Fritz!Box for the dial-in networks to the
> > pfSense.
> >
> >
> > I can connect via IKEv2 and browse internet services.
> >
> > I have a Fritz!App (SIP-Client) on my phone.
> >
> > This app connects to the Fritz!Box (which provides a SIP-connection)
> > successfully.
> >
> >
> > When I try to make a call, the other phone rings BUT neither party can hear
> > the other.
> >
> >
> > It seems to me like a RTP-issue.
> >
> >
> > On the pfSense i have Advanced Outbound NAT configured with no NAT-Rules.
> >
> > The firewall-rules allow IPSec to LAN (any service).
> >
> > I'm running pfSense 2.3.3p1 with one interface.
> >
> >
> > Does anyone have any idea or some hint for me ?
> >
> >
> > regards,
> >
> > martin


Re: [pfSense] Running newer then released?

2017-03-03 Thread Vick Khera
Ha... I read that as something you wrote yourself. Curious...


On Fri, Mar 3, 2017 at 9:17 AM, Stephen Shkardoon <step...@zxsecurity.co.nz> wrote:

> Not the number, rather the message: "The system is on a later version than
> the official release.". Isn't this misleading? Isn't it on the *same*
> version as the official release?
>
> On Sat, Mar 4, 2017 at 3:10 AM, Vick Khera <vi...@khera.org> wrote:
>
> > What number exactly are you fretting about?
> >
> > As of Feb 16, FreeBSD 10.3-p16 was current, and pfsense 2.3.3 was and is
> > still current.
> >
> >
> > On Fri, Mar 3, 2017 at 9:07 AM, Stephen Shkardoon <
> > step...@zxsecurity.co.nz>
> > wrote:
> >
> > > The issue is that the message displayed is, exactly:
> > > ```
> > > 2.3.3-RELEASE (amd64)
> > > built on Thu Feb 16 06:59:53 CST 2017
> > > FreeBSD 10.3-RELEASE-p16
> > >
> > > The system is on a later version than
> > > the official release.
> > > ```
> > >
> > > So I am guessing there's just a file to update somewhere or similar
> that
> > > was missing from the release process?
> > >
> > >
> > > On Sat, Mar 4, 2017 at 2:48 AM, Arno Gramatke <a...@gramatke.biz>
> wrote:
> > >
> > > > 2.3.3 is the current release, isn’t it?
> > > >
> > > > https://blog.pfsense.org/?p=2325 <https://blog.pfsense.org/?p=2325>
> > > >
> > > > > On 03.03.2017 at 14:45, Yılmaz Bilgili <li...@yilmazbilgili.com> wrote:
> > > > >
> > > > > On 03-03-2017 at 15:38, Doug Lytle wrote:
> > > > >> My home pfSense is reporting:
> > > > >>
> > > > >> 2.3.3-RELEASE (amd64)
> > > > >> built on Thu Feb 16 06:59:53 CST 2017
> > > > >> FreeBSD 10.3-RELEASE-p16
> > > > >>
> > > > >> The system is on a later version than
> > > > >> the official release.
> > > > >
> > > > > Same with me.
> > > > >
> > >
> > >
> > >
> > > --
> > > *Stephen Shkardoon*
> > > Security Consultant - ZX Security Limited
> > >
> > > Email: step...@zxsecurity.co.nz | Web: www.zxsecurity.co.nz
>
>
>
> --
> *Stephen Shkardoon*
> Security Consultant - ZX Security Limited
>
> Email: step...@zxsecurity.co.nz | Web: www.zxsecurity.co.nz

Re: [pfSense] Running newer then released?

2017-03-03 Thread Vick Khera
What number exactly are you fretting about?

As of Feb 16, FreeBSD 10.3-p16 was current, and pfsense 2.3.3 was and is
still current.


On Fri, Mar 3, 2017 at 9:07 AM, Stephen Shkardoon wrote:

> The issue is that the message displayed is, exactly:
> ```
> 2.3.3-RELEASE (amd64)
> built on Thu Feb 16 06:59:53 CST 2017
> FreeBSD 10.3-RELEASE-p16
>
> The system is on a later version than
> the official release.
> ```
>
> So I am guessing there's just a file to update somewhere or similar that
> was missing from the release process?
>
>
> On Sat, Mar 4, 2017 at 2:48 AM, Arno Gramatke wrote:
>
> > 2.3.3 is the current release, isn’t it?
> >
> > https://blog.pfsense.org/?p=2325 
> >
> > > On 03.03.2017 at 14:45, Yılmaz Bilgili wrote:
> > >
> > > On 03-03-2017 at 15:38, Doug Lytle wrote:
> > >> My home pfSense is reporting:
> > >>
> > >> 2.3.3-RELEASE (amd64)
> > >> built on Thu Feb 16 06:59:53 CST 2017
> > >> FreeBSD 10.3-RELEASE-p16
> > >>
> > >> The system is on a later version than
> > >> the official release.
> > >
> > > Same with me.
> > >
> --
> *Stephen Shkardoon*
> Security Consultant - ZX Security Limited
>
> Email: step...@zxsecurity.co.nz | Web: www.zxsecurity.co.nz

Re: [pfSense] Documentation about acme

2017-02-17 Thread Vick Khera
On Thu, Feb 16, 2017 at 5:12 PM, Travis Hansen 
wrote:

> The certs should show up in System -> Cert Manager -> Certificates
> If DNS works for you great, otherwise you may be interested in the
> following links for integration with haproxy (at least haproxy running on
> pfSense):
>

There is no other way to get a cert for a hostname that maps to a
non-routable IP. You have to do it via DNS. Neither HTTP nor TLS challenge
will be workable.


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Vick Khera
On Thu, Jan 26, 2017 at 3:12 PM, Vick Khera <vi...@khera.org> wrote:

> ahci_load="YES"
>

Indeed, this line is leftover from olden days. This is not necessary
anymore with the FreeBSD 10.x kernel.


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Vick Khera
On Thu, Jan 26, 2017 at 12:17 PM, Karl Fife  wrote:

> Would you mind sharing a snapshot of your Rangeley-optimized tunables?
>
> IIRC there are un-editable tunables that show on your tunables page that
> are not called out in the XML config.
>
> Thanks Vick
>
>
This is the /boot/loader.conf from one of my C2758 systems from Netgate
(though they were pfSense branded when I bought them):

autoboot_delay="3"
vm.kmem_size="435544320"
vm.kmem_size_max="535544320"
kern.ipc.nmbclusters="0"
boot_multicons="YES"
boot_serial="YES"
console="comconsole,vidconsole"
comconsole_speed="115200"
hw.usb.no_pf="1"

and /boot/loader.conf.local:

kern.cam.boot_delay="1"
ahci_load="YES"
kern.cam.boot_delay=1
kern.ipc.nmbclusters="100"
hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.max_interrupt_rate=32000
hw.igb.num_queues=8
hint.uart.1.flags="0x10"
hint.uart.0.flags="0x00"
comconsole_port="0x2f8"
legal.intel_ipw.license_ack=1


I configured the serial console to talk to the SoL console provided by the
built-in IPMI controller (that's the uart bits). I don't recall which parts
other than those were default as system shipped vs. anything I may have
changed. My notes are unclear on these.


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Vick Khera
On Wed, Jan 25, 2017 at 4:01 PM, Karl Fife  wrote:

> I recently did a virgin install of 2.3.2 nano on an older atom (a Soekris
> 6501), and found there were no tunables for kern.ipc.nmbclusters nor
> kern.ipc.nmbufs.  Maybe it's a nano/full-install difference? I would
> think most people running the a Rangeley board are running the full
> version.  We will also begin running the full version with 2.4, (ZFS copies
> = 2) :-)


I think the Nano vs full install may be your way to look. Also, my system
is running Netgate-tuned pfSense, so it is entirely possible they added the
bump to nmbclusters. Even though my configs do not specify a value for it,
it is set in /boot/loader.conf.

I'm 99.44% sure this system was upgraded from 2.2 to 2.3, and not a fresh
install of 2.3.


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-25 Thread Vick Khera
On Wed, Jan 25, 2017 at 1:10 PM, Karl Fife  wrote:

> pfsense 2.2.6 was running without issue on our Supermicro A1SRi-2758F
> rangeley board (Intel Atom C2758)
>

Are you sure you didn't hard-code them before in the system tunables
section under 2.2? On my C2758 system (exact same motherboard) running
pfSense 2.3.2-RELEASE-p1, these are the values:

kern.ipc.nmbclusters: 100
kern.ipc.nmbufs: 1019445

and I've not tuned them at all.

What did you have to set them to? I have no additional NICs aside from the
4 built-in.


[pfSense] system CA certificate generator change

2017-01-24 Thread Vick Khera
I just made a new certificate using my own CA with the UI in pfsense
2.3.2-p1 for one of my firewalls. It appears that how it is generated does
not allow Chrome or Firefox to recognize it by the CN, only the aliases.

A certificate I generated using the UI in 2014 does however, work with the
aliases and the CN.

They appear to be produced very differently then vs. now:

Subject: C=US, ST=Maryland, L=Rockville, O=Khera Communications
Inc/emailAddress=kh...@example.com, CN=rockville-fw-a/subjectAltName=DNS:
rockville-fw-a.int.example.com,DNS:rockville-fw-a.example.com

but now we get:

Subject: C=US, ST=Maryland, L=Rockville, O=Khera Communications
Inc/emailAddress=kh...@example.com, CN=ashburn-fw-a.example.com

and lower down the aliases in the X509v3 extensions area are the aliases:

X509v3 Subject Alternative Name:
  DNS:ashburn-fw-a, DNS:ashburn-fw-a-prv

Did I do something differently/incorrectly? I filled out the form the
obvious way.
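Added example (Python, not from the post or from pfSense): a hostname matcher that shows why a certificate whose FQDN appears only in the CN is not accepted when the verifier reads names from the Subject Alternative Name extension alone, as current browsers do; the certificates below are modelled on the 2.3.2-p1 subject quoted above, and the "fixed" variant and the RFC 6125 wildcard rule are my additions.

```python
"""Which hostnames does a certificate cover under SAN-only matching?

Current browsers match the requested hostname only against the SAN
dNSName entries and ignore the Subject CN. Older verifiers (RFC 2818)
fell back to the CN only when the certificate carried no dNSName at all.
Either way, a name present only in the CN of a certificate that *does*
have a SAN is never accepted, so every hostname, the CN's included, has
to be listed in the SAN.
"""


def _label_match(pattern, name):
    """Match a DNS name against one certificate name (RFC 6125 rules):
    exact match, or a single leading '*' label standing in for exactly one
    label; no partial-label wildcards and no wildcard at the suffix level."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    labels = name.split(".")
    # require at least two labels after the wildcard ("*.com" never matches)
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def covers(cert, hostname, policy="san_only"):
    """True if `hostname` is covered by `cert` under the given policy.

    cert: {"cn": str, "san_dns": [str, ...]}  (SAN list may be empty)
    policy:
      'san_only' - current browsers: only SAN dNSName entries are used
      'rfc2818'  - SAN dNSNames if any are present, otherwise the CN
    """
    if policy not in ("san_only", "rfc2818"):
        raise ValueError("unknown policy %r" % policy)
    candidates = list(cert.get("san_dns", []))
    if policy == "rfc2818" and not candidates and cert.get("cn"):
        candidates.append(cert["cn"])
    return any(_label_match(p, hostname) for p in candidates)


# Modelled on the 2.3.2-p1 certificate quoted in the post: the CN is the
# FQDN, but the SAN lists only the two short aliases.
NEW_CERT = {"cn": "ashburn-fw-a.example.com",
            "san_dns": ["ashburn-fw-a", "ashburn-fw-a-prv"]}

# Constructed variant: the same certificate with the CN repeated in the SAN,
# which is what the FQDN needs in order to be accepted.
FIXED_CERT = {"cn": "ashburn-fw-a.example.com",
              "san_dns": ["ashburn-fw-a.example.com",
                          "ashburn-fw-a", "ashburn-fw-a-prv"]}


def report(cert, hostnames):
    """Per-hostname verdict under both policies, for a quick comparison."""
    return {h: {"san_only": covers(cert, h, "san_only"),
                "rfc2818": covers(cert, h, "rfc2818")}
            for h in hostnames}


if __name__ == "__main__":
    names = ["ashburn-fw-a", "ashburn-fw-a.example.com"]
    for label, cert in (("as generated", NEW_CERT), ("CN also in SAN", FIXED_CERT)):
        print(label, report(cert, names))
```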


Re: [pfSense] Aliases grouping

2016-12-07 Thread Vick Khera
On Wed, Dec 7, 2016 at 2:56 PM, Luc Paulin  wrote:

> Out of curiosity, how do you manage the alias naming? Do you have some sort
> of naming convention depending on whether the alias is an IP/Host/Network and/or
> if it's an alias of aliases?
>

I tend to use names like "DeveloperHosts" and "WebserverPorts" where the
last part describes what it is. But the GUI makes it easy for you and only
presents what's sensible for auto-fill in each place you can use one.


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Vick Khera
I use commodity x86 (64-bit) hardware. I tend to make my pairs
identical, so I know the backup can handle the load if the primary
keels over. There's no hard requirement for that, though.


On Tue, Nov 15, 2016 at 3:19 PM, Eero Volotinen  wrote:
> Hi List,
>
> What are requirements for pfsense ha clustering? does any of x86 hardware
> work with ha? does hardware need to be identical?
>
> --
> Eero


Re: [pfSense] pfsense default firewall configuration

2016-11-15 Thread Vick Khera
On Tue, Nov 15, 2016 at 3:17 AM, user49b  wrote:
> I have heavily modified my IPcop configuration and just wanted to know if
> pfSense's default firewall configuration is good enough.

The default is deny everything inbound, and allow everything outbound.
Nobody can say what's "good enough" for you without knowing your
requirements.


Re: [pfSense] Diagnosing System lag

2016-10-24 Thread Vick Khera
On Sun, Oct 23, 2016 at 1:38 PM, Ryan Coleman  wrote:
> Why? 57,265 pings sent. 57,625 pings received.

If you get more pings than you send, someone thinks they're you. Find
out who is sharing the IP and fix that.


Re: [pfSense] Diagnosing System lag

2016-10-23 Thread Vick Khera
You get that same lag from all devices?

I agree you should investigate the wires and switches. Try wiring your
computer directly to the LAN port on the APU and see if you get any
delays.

On Sat, Oct 22, 2016 at 2:41 PM, Ryan Coleman  wrote:
> I had in the past.. but I’ll admit right now… I’m not in the spot to check. I 
> will do when I get home tonight (I live 90 miles from this customer)
>
>
>> On Oct 22, 2016, at 1:35 PM, WebDawg  wrote:
>>
>> did you look at the freebsd system logs?
>>
>> On Sat, Oct 22, 2016 at 1:32 PM, Ryan Coleman  wrote:
>>> Because I blamed it on the local phone company. :)
>>>
>>> Ping time, as you can see in the quoted text, hits up to 48 seconds. I 
>>> cannot get it to reply and I am not seeing anything in the logs.
>>>
>>> It’s not the switch - rebooting does not resolve. Switching ports is not 
>>> viable for testing at the time of the issue because of VLANs.
>>>
>>> I honestly suspect it’s the firewall hardware failing more than anything 
>>> else.
>>>
>>> —
>>> Ryan
>>>
>>>
 On Oct 22, 2016, at 1:06 PM, WebDawg  wrote:

 Whoa.  2 years?  Why are you just looking at it now?

 Do you have any other ports you could try your lan cables in?  Is
 something else using that IP?

 Why do you say hangs, no web ui access?  No logs?

 I mean it could be anything.

 On Sat, Oct 22, 2016 at 12:40 PM, Ryan Coleman  
 wrote:
> My NetGate APU installation hangs, seemingly randomly… and has for most 
> of the two years since purchase and installation.
>
> How might I diagnose these issues?
>
>> --- 10.20.0.1 ping statistics ---
>> 296 packets transmitted, 271 packets received, 8.4% packet loss
>> round-trip min/avg/max/stddev = 1.274/9254.705/48807.578/16024.851 ms
>
> Many of the lost packets easily came in late. 48 seconds for pings? The 
> network seems to be fine - rebooting switches does not affect the issue.
> It will resolve itself after 3-4 minutes but our radio in the bar is fed 
> over the net so it gets frustrating at times.
>
> Thanks!

Re: [pfSense] Lightning strike

2016-10-14 Thread Vick Khera
On Thu, Oct 13, 2016 at 6:25 PM, Walter Parker  wrote:
> Problem is that all of the current OS do this sort of renumbering (I'd have
> to check, but I think it could be a hardware/driver issue). IIRC Linux
> systems have had this sort of problem in even greater measure than the
> BSDs. The plug and play nature of USB has caused issues for most systems

Current versions of CentOS/RedHat hard-wire ethernet names. You have
to go dig in and find some file that has the mappings and delete them
if you do something like replace a motherboard with embedded NICs,
otherwise it makes all new ethernet device names for you. The mapping
is based on MAC address.


[pfSense] dpinger data collection

2016-10-07 Thread Vick Khera
I'm trying to trace how the data gets from dpinger into the RRD file
and ultimately into the UI.

I see dpinger is writing to a socket, but I cannot for the life of me
find what process is reading that socket and writing to the RRD file.

How does that happen?

My ultimate goal is to see if I can convince pfsense to monitor other
arbitrary IPs to debug certain conditions like VPN slowness. I want to
monitor the "quality" of the other endpoint of the openvpn
connections, for example.


Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?

2016-09-30 Thread Vick Khera
On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle  wrote:
> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>
>> So you could keep your list somewhere else on a web server.
>
>
> This is what I do.
>
> And I grab the list from
>
> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>
> Once a month
>

Isn't this more or less what pfBlockerNG does for you automatically?


[pfSense] shaper wizard LAN queues

2016-09-15 Thread Vick Khera
Is there a reason the traffic shaper makes queues on the LAN? None of
the firewall rules it makes references the LAN queues. Is it just for
my future use convenience?


[pfSense] shaper questions

2016-09-14 Thread Vick Khera
I'm reading over the shaper guide at
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide and I find I
still have some confusion. The document seems to be in need of some
updating.

The scheduler types FAIRQ and CODELQ are not defined. What would be their
use cases?

The document still refers to the Layer 7 shaping, but when you follow
the link it says that feature does not exist since version 2.2. It
doesn't seem like that even needs to be linked anymore.

When I used the wizard to set up some simple queues (voip, smtp, IMAP,
and IPSEC) to test it out, it created a handful of floating rules to
map traffic into the queues. I do not see any rule for what to do with
the rest of the traffic. Does not all traffic need to be sent through
the queues in order for them to be effective? Should I update my
catch-all LAN rule to use a queue? This part is very fuzzy in my mind
right now.

The wizard does not have an OpenVPN option for the VPN section. Is
this because you can run it on any port or because there is something
about OpenVPN that does not let it work? I'm thinking I would just
need to add a rule that matches my port numbers and IPs and it should
work.

The wizard only seems to make outbound rules (based on the comment)
for everything except IPSEC. Looking at the rules, for example on
SMTP, they seem to match both directions. It says "direction = any"
and the only filter is destination port 25, so it should work for
incoming SMTP connections I would think.

Do I need to define queues on all interfaces if I want to control
outbound traffic? Can I just define them on the LAN interface and put
the rules on the LAN tab? Or do I define them on the WAN?

The document states that shaping is not capable of setting an upper
limit on bandwidth. If this is the case, what for is the "Max
bandwidth for queue." settings in the "Service Curve" settings panel
for a queue? I need this capability, but I also use pfsync so I cannot
use the limiters.

What is the incantation for evenly distributing http/https among the
users? That is, if one person is uploading a large file over the web
to some remote service, how to let the others still get their fair
share of traffic? Does this happen with the queues automatically?

Thanks for any answers to these questions and any tips you may have to offer.


Re: [pfSense] Export user account/password issue

2016-09-14 Thread Vick Khera
On Wed, Sep 14, 2016 at 10:44 AM, Satish Patel  wrote:
> How do i convert old style password to new FreeBSD style password in
> master.passwd file?  is it possible with pwd_mkdb?

You cannot; they are one-way hashes. The first part of the resulting
string identifies which hash method was used. I forget where the
default choice is set. Some file in /etc does it.
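The point above about the first part of the hash string naming the method, as an added example (Python, not from the thread or from pfSense): a small audit that reads a FreeBSD-style master.passwd, identifies the crypt(3) format of each entry from its "$id$" prefix, and lists the accounts still on DES or MD5 hashes so they can be re-hashed at the next password change; the sample file and its hash values are constructed.

```python
"""Audit the password-hash format of each master.passwd entry.

The hash cannot be converted to another format (it is one-way), but its
format can be read off the prefix, which is what a rotation plan needs.
"""

# crypt(3) "$id$" prefixes -> algorithm (standard identifiers, not page-specific)
HASH_IDS = {
    "1": "md5",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "5": "sha256",
    "6": "sha512",
}
LEGACY = {"des", "md5"}  # formats worth rotating off


def identify_hash(field):
    """Return the format name of one master.passwd password field."""
    if field == "":
        return "empty"          # no password set at all
    if field.startswith(("*", "!")):
        return "locked"         # "*", "*LOCKED*$6$...", "!": no password login
    if field.startswith("$"):
        parts = field.split("$")  # ['', id, salt/cost, hash]
        return HASH_IDS.get(parts[1], "unknown")
    if len(field) == 13:
        return "des"            # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def parse_master_passwd(text):
    """Yield (user, format) for each entry.

    master.passwd has 10 colon-separated fields:
    name:password:uid:gid:class:change:expire:gecos:home:shell
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("malformed master.passwd line: %r" % line)
        yield fields[0], identify_hash(fields[1])


def audit(text):
    """Return ({user: format}, sorted list of users on legacy formats)."""
    formats = dict(parse_master_passwd(text))
    legacy = sorted(u for u, f in formats.items() if f in LEGACY)
    return formats, legacy


# Constructed sample; the hash strings are placeholders of the right shape.
SAMPLE = """\
# constructed sample, not a real master.passwd
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV:0:0::0:0:Charlie &:/root:/bin/csh
admin:$1$abcdefgh$ijklmnopqrstuvwxyz012345:0:0::0:0:System Administrator:/root:/etc/rc.initial
legacy:AbCdEfGhIjKlM:1001:1001::0:0:Legacy User:/home/legacy:/bin/sh
svc:*:1002:1002::0:0:Service:/nonexistent:/usr/sbin/nologin
newbsd:$2b$10$abcdefghijklmnopqrstuu0123456789abcdefghijklmnopqrstuvwxyzAB:1003:1003::0:0:B:/home/newbsd:/bin/sh
"""

if __name__ == "__main__":
    formats, legacy = audit(SAMPLE)
    for user, fmt in formats.items():
        print("%-8s %s" % (user, fmt))
    print("rotate:", ", ".join(legacy))
```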


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-03 Thread Vick Khera
My home office is protected by a Netgate APU box (which it seems they
have replaced with some other device at the low end now). It is a
little pricey, but they offer great support and it supports the
project in the best way.

On Wed, Aug 3, 2016 at 3:37 AM, Eero Volotinen  wrote:
> Any ideas where to find perfect pfsense box for home usage.
>
> Must be cheap and silent? netgate device? shuttle box?
>
> --
> Eero


Re: [pfSense] Installation issues of latest release (2.3.2) resolved?

2016-08-01 Thread Vick Khera
On Sat, Jul 30, 2016 at 12:19 AM, Jim Thompson  wrote:
> As a reminder, pfSense 2.4 will not support i386, and will not support the
> 'nano' image.

Does this imply that we will need to do a full re-install on our
Netgate APU's or will there be a clean self-upgrade process?


Re: [pfSense] Installation issues of latest release (2.3.2) resolved?

2016-08-01 Thread Vick Khera
On Fri, Jul 29, 2016 at 10:37 PM, Ryan Coleman  wrote:
> So does this affect APUs running the AMD64 architecture?

I updated from 2.3.1 to 2.3.2 the APU at my home office with zero
problems. It just took a good long time to clone the boot slice before
updating, which also took a long time. The actual downtime was minimal
as it does boot really fast.


[pfSense] IPv6 being used for NTP even though IPv6 is not configured

2016-07-25 Thread Vick Khera
According to the System/Advanced/Networking page, there is an option
to prefer IPv4. However, it says this: "if IPv6 is configured and a
hostname resolves IPv6 and IPv4 addresses, IPv6 will be used."

I do not have IPv6 configured -- all my interfaces are statically
configured. The only IPv6 I see is the automatic link-local address
assigned to each interface. Is that enough to convince pfSense that it
is "configured"?

The symptom I'm seeing is that one of the remote NTP servers I sync
with returns both IPv6 and IPv4 addresses, and NTP is preferring the
v6 address which does not work here.

If I check the box to enable the "prefer IPv4" it does indeed select
the IPv4 address. So something is misleading pfSense to thinking v6 is
enabled, at least for NTP.


Re: [pfSense] 502 Bad Gateway

2016-07-07 Thread Vick Khera
On Thu, Jul 7, 2016 at 2:16 PM, Bill Arlofski 
wrote:

> I guess I will remove it the next time this happens and see if there is any
> change.
>

It seems to me you should remove it *before* to see if you avoid it
happening.


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread Vick Khera
On Wed, Jun 8, 2016 at 6:31 AM, David White  wrote:

> I didn't think I would have to setup a new server / port for each remote
> office. I thought that, with the SSL/TLS setup, I could have a single
> server and configure it so that clients can see & interact with each other.
>

When you configure the OpenVPN server side, you need to specify the remote
IP network. How will you do that for 20 different remote sites with one
server config?

The IPSec config will be much cleaner, I think, and much lower overhead.

With either case, make sure you have hardware crypto support (usually that
means AES-NI feature in your CPU) and choose the ciphers that are supported
by it, specifically AES128 (or AES256) with SHA. The clients could probably
get away without the hardware acceleration, but if you are pushing lots of
traffic through the hub then you will need it.


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-07 Thread Vick Khera
On Tue, Jun 7, 2016 at 3:03 PM, David White  wrote:

> I know that this can be done, but I've never actually done it. Are there
> some good resources I can review, besides
> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
>
> ? For branch offices,
>

If you can manage it, and the remotes are on static IPs, I'd suggest trying
IPSec.

If you are going with OpenVPN, then you basically will need to set up one
"server" per remote, each on its own port number. I like to only open the
firewall to that port from the IP of the remote that will use it. Depending
on how many you have and how tight you want it, you could just make an
alias of all the ports and an alias of all the remote IPs and set up one
rule to allow all of that at one shot.


Re: [pfSense] FreeBSD on uFW

2016-06-02 Thread Vick Khera
On Wed, Jun 1, 2016 at 5:58 PM, Jim Thompson  wrote:

> you prefer ‘m1cr0Wall’, perhaps?
>

I'm totally the wrong person to brand a product.


>
> Netgate used to have a m1n1wall product (which shipped with m0n0wall at
> first, then pfSense).
>

I remember that...

Re: [pfSense] FreeBSD on uFW

2016-06-01 Thread Vick Khera
On Wed, Jun 1, 2016 at 4:54 PM, Jim Thompson  wrote:

> Vick, no, it’s not in the Netgate storefront (yet).  There are a handful
> of boards in the world.  This one is on my desk at home.
> https://twitter.com/gonzopancho/status/738098254890471424
>
>
>
>
Cool. I found the original twitter thread too. Wasn't sure exactly what it
was, but glad to see you took the banana request seriously. :)

The name will confuse the heck out of people. Right now when you google uFW
you get stuff about some linux firewall software.

Re: [pfSense] FreeBSD on uFW

2016-06-01 Thread Vick Khera
What is a uFW? Google is not my friend (keeps finding some stupid firewall
package for linux) and I see nothing on the netgate storefront that seems
to be it.


Re: [pfSense] IPSec nat issue

2016-05-26 Thread Vick Khera
On Wed, May 25, 2016 at 8:54 PM, Lyle  wrote:

> The other end has a conflict with our LAN addressing(192.168.1.0/24).  So
> in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24
>
> for the local Network.  NAT/BINAT network of 192.168.85.0/24.  Their
> remote network is 192.168.75.0/24.
>

So if they have a conflicting 192.168.1.0/24 network on their end already,
how the heck do they expect traffic to *your* version of that network to
get routed to you? That is, if they type "ping 192.168.1.42" which network
is it supposed to go to? I don't see how some Sonicwall magic could make
that happen either.


Re: [pfSense] Unbound connections: excessive???

2016-05-23 Thread Vick Khera
On Sun, May 22, 2016 at 8:26 PM, Bryan D.  wrote:

> Is it normal to have this kind of increase in the number of UDP DNS-port
> states when moving to unbound with this kind of configuration?
>

One would expect that a dns resolver would have to communicate with
hundreds if not thousands of other hosts depending on how busy and diverse
the clients are. You can always try running unbound in forwarding mode and
see if your states drop down.

Personally, I think worrying about this is a waste of your time.


Re: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice

2016-05-11 Thread Vick Khera
On Tue, May 10, 2016 at 4:55 PM, Mike Montgomery 
wrote:

> I have two servers, setup in high availability that are currently running
> 2.2.6.  I have been running 2.3 at home and my test servers and am ready to
> upgrade the office to 2.3 as well.  I have been reading several upgrade
> guides, as to which one to upgrade first, but would like to see if anyone
> has upgraded a HA setup yet successfully?
>

Here is how I upgrade mine, whatever the upgrade versions:

1) upgrade the backup firewall
2) on primary, in CARP Status, enter persistent backup mode (the button on
the right side of the top row)
3) wait a moment or two to let the VPNs and traffic move from the primary
to the backup (usually a few seconds at most)
4) upgrade primary at your leisure
5) on primary, un-click the persistent backup mode button.

This usually works really well. However, when I did this 2.2 -> 2.3 upgrade
Monday at my data center, my terminal window into my management server had
its ssh connection severed right when the primary was booted. I suspect
there is some race between the networking starting and the thing that sets
the persistent backup mode, but this only happened to me once.


Re: [pfSense] Aggregated WAN traffic

2016-05-10 Thread Vick Khera
On Tue, May 10, 2016 at 9:45 AM, Randy Morgan  wrote:

> Having said that there is some question in my mind as to how this actually
> works.  Some of what I read indicates that the aggregation actually causes
> the LAGG port to, effectively, operate on QOS functionality, meaning that
> it cycles between the two links based on available bandwidth.
>

From my understanding, a single connection will not use both links, but
multiple connections will be load balanced among them. Thus, don't expect a
single file download to be able to use all 20Mbps of the bandwidth.


Re: [pfSense] 2.3_1 ?

2016-05-06 Thread Vick Khera
On Thu, May 5, 2016 at 3:05 PM, Jim Thompson  wrote:

> it’s documented that you need to (re)start NTP manually.
>

Where would one learn this? The update page doesn't say anything about
"after applying this update, do XYZ". That would be the ideal place, IMO.

Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Vick Khera
On Thu, May 5, 2016 at 9:47 AM, Jeppe Øland  wrote:

> This install is running a 4G NANO image ... maybe there's a problem with
> that?
>

I just did the update on a nano image system (netgate, not vanilla pfsense)
and had success other than having to manually restart ntpd.

Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Vick Khera
On Tue, May 3, 2016 at 11:24 AM, Jeppe Øland  wrote:

> Does this update actually work?
>
> After hitting install and crunching for a while, it showed "firmware
> installation failed!" at the top.
>

I just did the upgrade and it succeeded. However, ntpd was not restarted on
either of the two systems upgraded. I had to manually restart ntpd.

My guess on the "pfSense" package is all that does is bump the displayed
release number.

Re: [pfSense] Site to Site VPN behind nat

2016-05-02 Thread Vick Khera
On Sun, May 1, 2016 at 8:18 PM, Dane Reugger  wrote:

> I've seen this done with Aruba but not sure it's possible with PfSense but
> if it is I would love a guide to get it going.
>

Use OpenVPN. It doesn't care at all about the NAT. Many guides online for
setting up whole network VPN over OpenVPN.

On pfSense server, you create one "server" entry per remote LAN you want on
its own dedicated port. Open up the firewall to allow connections and
you're good to go.


Re: [pfSense] NTP Drift file not retained (NanoBSD) and "clipping" of

2016-04-22 Thread Vick Khera
On Fri, Apr 22, 2016 at 5:10 PM, Karl Fife  wrote:

> Obviously not retained in the case of an abend, but notably ALSO not
> retained during a normal reboot.  Is there a strategic reason this hard-won
> calibration is not retained?


I agree this should be preserved the same way the RRD files and DHCP leases
are.


Re: [pfSense] Monitor (RRD) all 0 data on 2.3

2016-04-21 Thread Vick Khera
oh never mind. i first read you did an upgrade. that is a weird symptom...

On Thu, Apr 21, 2016 at 8:21 AM, Vick Khera <vi...@khera.org> wrote:

>
> On Thu, Apr 21, 2016 at 1:53 AM, Gé Weijers <g...@weijers.org> wrote:
>
>> I just performed a clean install of 2.3 on an AMD64 PC. Everything is
>> fine,
>>
>
> Was your prior install 32-bit? When you switch/upgrade from 32 to 64 bit
> the RRD graphs break.
>

Re: [pfSense] Monitor (RRD) all 0 data on 2.3

2016-04-21 Thread Vick Khera
On Thu, Apr 21, 2016 at 1:53 AM, Gé Weijers  wrote:

> I just performed a clean install of 2.3 on an AMD64 PC. Everything is fine,
>

Was your prior install 32-bit? When you switch/upgrade from 32 to 64 bit
the RRD graphs break.

[pfSense] cannot backup one device

2016-04-07 Thread Vick Khera
I have 5 pfSense devices: one at my home office, and two set up in pairs at
my data center and main office respectively. The data center are running
stock pfSense on beefy hardware; the others are all Netgate units running
Netgate pfSense.

Since the most recent update added CSRF checking, I updated my config file
backup script according to
https://doc.pfsense.org/index.php/Remote_Config_Backup (using cURL rather
than wget) and this works just great for all but the home office unit. I'm
running my script that calls curl from my Mac desktop at the main office.
All access is over VPN connections (or the local LAN) to private IP
addresses.

On my home office unit, the second HTTP GET returns an error page saying
the CSRF token was incorrect. The others return the dashboard page (which
is the expected result after submitting a login). Because it fails at that
step, the final fetch of the actual config file fails as well.

I've spent all morning trying to figure out what's different with this
unit's configuration and I just cannot see it. I concentrated on the
general config and advanced config screens.

There are two major visible differences in the initial HTTP GET:

First, the CSRF token looks different. On the working units, it looks like
this:

csrfMagicToken =
"sid:a25852be7ba6a2a00b9eeab807389bf3b65ad28b,1460041532;ip:46ff0619e5d874ac44652f9eb04813c13621faf8,1460041532"

On the failing unit it looks like this:

csrfMagicToken = "sid:1d1800a1f646e0f14788b8b1a0bc0aff6fdbbc2a,1460041531"

Secondly, the PHPSESSID cookie on the failing unit is not set as "HTTPS"
only, whereas on the other units it is.

Any ideas would be appreciated. I'm running pfSense 2.2.6.

Here's my testing script which just fetches from one working and the
failing unit.

--cut here--
#!/bin/sh
# Fetch the pfSense configuration backup through the web GUI now that the
# GUI requires CSRF tokens: one token from the login page, a second from
# the page returned after login.

readonly PFDATE=`date +%Y%m%d%H%M%S`
readonly VKFW="vkfirewall.example.com"
readonly ASHBURNFWA="rockville-fw-a.example.com"
readonly USBCFGDIR="/tmp"

FWPASS="xx"

pfsense_config()
{
    local FWNAME FWURL CSRF CSRF2 COOKIEFILE
    FWNAME="$1"
    FWURL="https://${FWNAME}"
    COOKIEFILE=`mktemp -t cookies`

    printf "Downloading Firewall Config for $FWNAME\n"

    # 1. Initial GET: sets the PHPSESSID cookie and carries the first __csrf_magic token.
    curl -k -L -c ${COOKIEFILE} -o $USBCFGDIR/$FWNAME-1.html ${FWURL}/
    CSRF=`grep "name='__csrf_magic'" $USBCFGDIR/$FWNAME-1.html | sed 's/.*value="\(.*\)".*/\1/'`
    echo c=$CSRF

    # 2. POST the login form (field names as on the pfSense login page) with that
    #    token.  -b sends the session cookie from step 1: a token of the form
    #    "sid:..." only validates against the session it was issued for.
    curl -k -L -b ${COOKIEFILE} -c ${COOKIEFILE} \
        -d "login=Login&usernamefld=admin&passwordfld=$FWPASS&__csrf_magic=${CSRF}" \
        -o $USBCFGDIR/$FWNAME-2.html ${FWURL}/diag_backup.php
    CSRF2=`grep "name='__csrf_magic'" $USBCFGDIR/$FWNAME-2.html | sed 's/.*value="\(.*\)".*/\1/'`
    echo c2=$CSRF2

    # 3. POST the download request with the second token; the reply body is the config XML.
    curl -k -b ${COOKIEFILE} \
        -d "Submit=download&donotbackuprrd=checked&__csrf_magic=${CSRF2}" \
        -o $USBCFGDIR/config-$FWNAME-$PFDATE.xml ${FWURL}/diag_backup.php
    cat ${COOKIEFILE}
    rm -f ${COOKIEFILE}
}

printf "Downloading Firewall Configuration\n\n"

pfsense_config $VKFW

printf "\n\n"

pfsense_config $ASHBURNFWA
--cut here--


Re: [pfSense] APinger times wrong after a few hours

2016-02-25 Thread Vick Khera
On Wed, Feb 24, 2016 at 8:28 PM, Jim Thompson  wrote:

> Apinger is… not very good.
>
> This is why we’ve gone to dpinger in pfSense software v2.3


Yay. I'll be glad to not have that PoS software being critical to my
infrastructure.

Re: [pfSense] PFSense for high-bandwith environments

2016-02-24 Thread Vick Khera
On Tue, Feb 23, 2016 at 9:01 PM, Jim Thompson  wrote:

> Fun fact, this ’Netflix’ success is using the AES-GCM code that Netgate
> co-developed with the FreeBSD Foundation for use with IPsec.
>
> https://lists.freebsd.org/pipermail/freebsd-security/2014-November/008029.html
>
>
>
> Fun fact #2, a future variant of that work will leverage QuickAssist.
> http://store.netgate.com/QuickAssist-and-Other-Cards-C210.aspx
>
>
>
> Fun fact #3, we can achieve much higher PPS with the router we’re writing
> (leverages DPDK) and netmap-fwd than you can with
> fastforward.  (Where Chelsio NICs make life a bit more complex.)
> https://github.com/Netgate/netmap-fwd/blob/master/netmap-fwd.pdf
>
>

All I can say is "wow" and "thank you". Very impressive work! I look
forward to the netmap-fwd the most.

Re: [pfSense] Best automated configuration backup options for 2.1.5?

2015-12-15 Thread Vick Khera
Here's my config file backup script bits for pfSense:

# log in (field names are those of the pfSense login form), keeping the session cookie
curl -k -c ${COOKIEFILE} -d "login=Login&usernamefld=admin&passwordfld=$FWPASS" \
    https://${FWHOST}/diag_backup.php
# request the backup with that session; the response body is the config XML
curl -k -b ${COOKIEFILE} -d "Submit=download&donotbackuprrd=checked" \
    -o config-${FWHOST}.xml https://${FWHOST}/diag_backup.php

where COOKIEFILE is some secure temp file name. The rest of the
variables should be obvious.

As I recall, this works for 2.0 and up. Definitely works for the most
current release.

On Mon, Dec 14, 2015 at 4:14 PM, Volker Kuhlmann  wrote:
> The configuration is stored in a single file I thought.
> rsync, ssh, and cron should take care of that easily.
>
> If you pull it from the pfsense box you could create a new,
> unprivileged user with read access to a copy of the config file. That
> way your backup system doesn't need to know the firewall's main
> password.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-13 Thread Vick Khera
On Thu, Nov 12, 2015 at 5:20 AM, Marco  wrote:

> > Setting up BIND 9 to manage a dynamic zone is not very difficult.
>
> Do I need an additional BIND instance besides the unbound that's
> already running on the pfSense box?
>

Unbound != BIND. I do not know anything about setting up dynamic zones in
Unbound. I know how to do it in BIND 9.


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-11 Thread Vick Khera
On Wed, Nov 11, 2015 at 2:46 AM, Marco  wrote:

> How to access the mobile hosts via the same hostname regardless if
> they are connected to the LAN or VPN?
>

Via some form of dynamic DNS perhaps? It seems it should be possible to
have the openvpn client run some script that will register its current IP
into a BIND server via RFC2136 update. Setting up BIND 9 to manage a
dynamic zone is not very difficult.


Re: [pfSense] github.com/google/google-authenticator/ on pfSense 2.2x

2015-10-16 Thread Vick Khera
I haven't tried it but pfSense uses the exact same PAM login process. So
chances are pretty much as high as possible of it working.

On Thu, Oct 15, 2015 at 9:48 AM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:

> So… you don’t know how well it will work in pfSense, then.
>
>
> > On Oct 14, 2015, at 3:34 PM, Vick Khera <vi...@khera.org> wrote:
> >
> > and only on FreeBSD servers (not pfSense)
>

Re: [pfSense] github.com/google/google-authenticator/ on pfSense 2.2x

2015-10-14 Thread Vick Khera
The freebsd port for GA works great. I've only ever used it for SSH logins
when no public key is used, and only on FreeBSD servers (not pfSense).

The only files you really need from the package are

/usr/local/bin/google-authenticator
/usr/local/lib/pam_google_authenticator.so

The configuration for PAM is trivial too.


On Tue, Oct 13, 2015 at 8:30 AM, Olivier Mascia  wrote:

> Hello,
>
> Could someone give me pointers on environment needed for me to experiment
> with building Google Authenticator PAM module for pfSense 2.2.4 (amd x64) ?
>
> The code I'm talking about is here:
>
> git clone https://github.com/google/google-authenticator/
>
> I'm only concerned with the libpam sub-directory.
>
> I can build it and use it successfully with freeradius, on a LinuxMint
> 17.2 environment. And can get pfSense to refer to that box, successfully.
> Though I would like to experiment the same using the freeradius available
> as a package for pfSense and adding this PAM on it.
> I guess I first need to setup a development environment on BSD, then I
> should be flying?
> Are there some recommended guidelines for porting and debugging (if
> needed) things to the specific BSD environment of pfSense 2.2x?
>
> --
> Best regards,
> Olivier Mascia, integral.be/om
>
>
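The PAM module described above checks a six-digit code against the shared secret in ~/.google_authenticator. As an added example (not code from pfSense, from the google-authenticator package or from any poster), here is a minimal RFC 6238 TOTP verifier in Python that performs the same computation, so the check can be reasoned about offline. The base32 secret is the RFC 6238 reference key, constructed for the example; the reuse tracking mirrors what the module's DISALLOW_REUSE option is for, which is an assumption about intent rather than the module's code.

```python
# Added example: a minimal RFC 6238 TOTP verifier in Python.  It is not code
# from pfSense or from the google-authenticator package; it reproduces the
# check pam_google_authenticator performs so it can be reasoned about offline.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# Constructed sample secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way google-authenticator stores it in ~/.google_authenticator.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # google-authenticator's fixed time step
DIGITS = 6          # google-authenticator's code length


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, used_counters: Optional[Set[int]] = None) -> bool:
    """Accept `code` if it matches the current time step or one of the
    `window` steps on either side (clock skew).  When `used_counters` is
    supplied, a step that already authenticated is refused, so a code
    sniffed or shoulder-surfed during its 30 s window cannot be replayed
    (the intent of the module's DISALLOW_REUSE option)."""
    if not (code.isdigit() and len(code) == DIGITS):
        return False
    key = decode_secret(secret_b32)
    now = int(time.time()) if at is None else at
    centre = now // STEP_SECONDS
    for counter in range(centre - window, centre + window + 1):
        if used_counters is not None and counter in used_counters:
            continue
        # constant-time comparison: do not leak which digit differed
        if hmac.compare_digest(hotp(key, counter), code):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    print("code for T=59:", totp(SECRET_B32, 59))
```

The skew window is the usual trade-off: each extra step on either side is one more valid code per secret per moment, so keep it at one and track accepted counters rather than widening it. On FreeBSD the real module is wired in with a single `auth required /usr/local/lib/pam_google_authenticator.so` line in the service's PAM file, the path given in the message above.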


Re: [pfSense] pfSense IP stack crashing.

2015-10-14 Thread Vick Khera
On Wed, Oct 7, 2015 at 8:20 AM, Bryant Zimmerman  wrote:

>  Any ideas would be appreciated. This units has been stable for 3 years
> only rebooted when upgrades occur. This is so out of character for this box
> and I need to figure this out ASAP.
>

I will vote hardware failure, possibly intermittent. Diagnostics don't
always pick up everything.

Many times it is the power supply, but it could be the NIC itself.


Re: [pfSense] client VPN on IOS

2015-09-17 Thread Vick Khera
On Tue, Sep 15, 2015 at 9:18 AM, Ray Bagby  wrote:

> Anyone have any luck connecting iphone via VPN?
>

Yes, with the built-in Cisco VPN client. Works great unless you have
pfSense 2.2.3 (older and newer work ok)


Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-08 Thread Vick Khera
On Mon, Sep 7, 2015 at 9:24 PM, Ryan Coleman  wrote:

> How do you get this to function with Dyn.com (formerly DynDNS.com)? I have
> the paid domain and I've gotten CenturyLink DSL modems to negotiate the IP
> without issue before but I cannot seem to figure out the configuration for
> pfSense.
>

You'd have to ask Dyn if they can make host names within your own domain
dynamic. The dynamic DNS configuration in pfSense is for working with their
existing dynamic DNS domains, like foo.dyndns.org.

Personally, I set up my own personal domain (which I self-host in BIND9) to
work with the RFC 2136 client within pfSense. It involved having a
sub-domain to hold the dynamic parts for easier management. I did not spend
the effort to figure out if I could mix and match static and dynamic domain
names in the top level.

Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-08 Thread Vick Khera
On Tue, Sep 8, 2015 at 8:14 AM, Chris Bagnall <pfse...@lists.minotaur.cc>
wrote:

> Would you be willing to share your RFC2136/bind9 config?
>

Here's a copy of my notes:

Dynamic DNS Update
(internal wiki page, created by Vick Khera, last modified on Nov 10, 2014)

To support the ever-changing IP address that FiOS issues, dynamic DNS is
configured under the domain dyn.khera.org to work with RFC2136 clients.
The pfSense firewall is able to function as such a client, and to use these
dynamic host names within firewall rules to permit the client to move IP
yet still retain services via the firewall.
Initial Configuration

This configuration is based on that at
http://www.shakabuku.org/writing/dyndns.html and
https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS.


*named.conf zone file additions*
 1  include "../dyn-keys.conf";
 2  zone "dyn.khera.org" {
 3      type master;
 4      file "../dynamic/dyn.khera.org";
 5      update-policy {
 6          grant *.dyn.khera.org. self dyn.khera.org. A ;
 7          grant dyn-control zonesub ANY;
 8      };
 9  };



This defines the dynamic zone, which will be periodically written to the
dynamic/dyn.khera.org zone file. Line 1 includes by reference the list of
keys we will allow to update the zone. Line 6 permits keys of the name
format *.dyn.khera.org to update entries of that name only. That is, the
foobar.dyn.khera.org key is only permitted to update A and  records for
the domain name foobar.dyn.khera.org and nothing else. The line 7
permission allows our master control key to update any record in this
zone. Also, in the khera.org zone, an entry "dyn.khera.org NS
kci.kcilink.com" was created to send all requests for the dynamic zone to
the primary server.

The key for "dyn-control" is generated using this command:
ddns-confgen -k dyn-control

The resulting key is then copied to the top of the dyn-keys.conf file and to
the dyn-control.key file for use with the nsupdate command.

Create an empty zone file dyn.khera.org and run rndc reload to load the new
configuration.
Manual Zone Manipulation

Manual control of the zone is done via the nsupdate command. From time to
time, bind will write the dynamic/dyn.khera.org file with the current set
of entries. Between those writes, a journal file is kept to avoid losing
updates.
*Adding an Entry*
# nsupdate -k dyn-control.key
> server localhost
> update add test.dyn.khera.org 60 a 192.168.1.10
> send
*Delete an Entry*
# nsupdate -k dyn-control.key
> server localhost
> update delete test.dyn.khera.org a
> send
Adding Client

To add a client, newhost.dyn.khera.org, first create a key:
ddns-confgen -k newhost.dyn.khera.org -a hmac-md5

Copy the key into the dyn-keys.conf file and execute rndc reload to load
the new key into memory.

The client will then use the following settings:

   - Server: kci.kcilink.com
   - Hostname: newhost.dyn.khera.org
   - Key name: newhost.dyn.khera.org
   - Key: hmac key just generated
   - Key Type: host
   - TTL: 60

The configuration will permit the use of the key name newhost.dyn.khera.org
 to *only* update the A and  records for the domain name
newhost.dyn.khera.org. Any other updates using that key will be denied.
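Before handing out per-host keys it is worth checking what the two grant lines actually permit. The following is an added example, not BIND code and not part of the notes above: a small Python model of BIND's update-policy evaluation (first matching rule decides; `self` ties the key name to the owner name being updated; `zonesub` covers any name in the zone) applied to the two rules from the named.conf fragment, plus a helper that emits the nsupdate batch from the manual steps. The rule semantics are my reading of the BIND ARM, and the zone, key and host names are the ones used in the notes.

```python
# Added example: a Python model of how BIND evaluates the update-policy shown
# in the notes.  It is not BIND code and not part of the original notes; rule
# semantics follow my reading of the BIND ARM, and the zone, key and host names
# are the ones from the notes.
from dataclasses import dataclass
from typing import FrozenSet, List

ZONE = "dyn.khera.org."


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated domain name."""
    return name.lower().rstrip(".") + "."


def is_subdomain(name: str, zone: str) -> bool:
    """True for the zone apex and every name below it."""
    name, zone = fqdn(name), fqdn(zone)
    return name == zone or name.endswith("." + zone)


def identity_matches(pattern: str, key_name: str) -> bool:
    """Identity field: exact key name, '*' (any key) or '*.suffix' wildcard."""
    pattern, key_name = fqdn(pattern), fqdn(key_name)
    if pattern == "*.":
        return True
    if pattern.startswith("*."):
        return key_name.endswith(pattern[1:])
    return pattern == key_name


@dataclass(frozen=True)
class Rule:
    action: str             # "grant" or "deny"
    identity: str           # key name or wildcard pattern
    matchtype: str          # "self" or "zonesub" (the two used in the notes)
    types: FrozenSet[str]   # empty set means ANY


# The two update-policy lines from named.conf in the notes.
POLICY: List[Rule] = [
    # grant *.dyn.khera.org. self dyn.khera.org. A;
    Rule("grant", "*.dyn.khera.org.", "self", frozenset({"A"})),
    # grant dyn-control zonesub ANY;
    Rule("grant", "dyn-control", "zonesub", frozenset()),
]


def rule_applies(rule: Rule, key_name: str, name: str, rtype: str) -> bool:
    if not identity_matches(rule.identity, key_name):
        return False
    if rule.matchtype == "self":
        # 'self': the key may only touch records whose owner name equals the key name
        if fqdn(name) != fqdn(key_name):
            return False
    elif rule.matchtype == "zonesub":
        if not is_subdomain(name, ZONE):
            return False
    else:
        raise ValueError(f"matchtype {rule.matchtype!r} not modelled")
    return not rule.types or rtype.upper() in rule.types


def update_allowed(policy: List[Rule], key_name: str, name: str, rtype: str) -> bool:
    """First matching rule decides, as in BIND; no matching rule means denied,
    and names outside the zone are never updatable through this zone."""
    if not is_subdomain(name, ZONE):
        return False
    for rule in policy:
        if rule_applies(rule, key_name, name, rtype):
            return rule.action == "grant"
    return False


def nsupdate_batch(server: str, name: str, ip: str, ttl: int = 60) -> str:
    """Text to feed `nsupdate -k <keyfile>` to (re)register a client address:
    the delete-then-add from the manual steps, sent as one atomic update."""
    n = fqdn(name)
    return "\n".join([f"server {server}", f"update delete {n} A",
                      f"update add {n} {ttl} A {ip}", "send", ""])


if __name__ == "__main__":
    for key, name, rtype in [("foobar.dyn.khera.org", "foobar.dyn.khera.org", "A"),
                             ("foobar.dyn.khera.org", "other.dyn.khera.org", "A"),
                             ("dyn-control", "other.dyn.khera.org", "TXT")]:
        print(f"{key:24} {name:24} {rtype:4} -> {update_allowed(POLICY, key, name, rtype)}")
    print(nsupdate_batch("localhost", "test.dyn.khera.org", "192.168.1.10"))
```

The point the model makes explicit is the blast radius of a stolen key: a per-host key compromised on a laptop can only rewrite that host's own A record, while dyn-control can rewrite anything in the zone and belongs only on the administrator's machine. One caveat on the key generation above: ddns-confgen now defaults to hmac-sha256, so pass -a hmac-md5 only for clients that support nothing stronger.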


Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client, and HE.net service types

2015-09-07 Thread Vick Khera
On Mon, Sep 7, 2015 at 2:37 PM, David Christensen  wrote:

> Do they refer to Hurricane Electric (he.net)?
>

yes.


Re: [pfSense] pfSense no access to web configurator from internal network

2015-08-10 Thread Vick Khera
On Sat, Aug 8, 2015 at 5:01 AM, Alfredo Tapia Sabogal 
alfred.ta...@gmail.com wrote:

> Vick, thank you for your prompt response. I changed my LAN IP address to
> 192.168.1.40/24 and the WAN to 192.168.0.10/24, so when I go to Internet
> Explorer and type the LAN IP address, or ping it, it tells me that the host
> is unreachable, so the web configurator doesn't load. Should I do something
> else? My laptop IP address is 192.168.0.4/24; even when I ping the LAN/WAN
> it is not reachable. What should I do? Please help!!!


So your laptop is on the WAN not the LAN. You cannot expect it to reach the
LAN if it is not on the same network. Are you very new at networking?

Re: [pfSense] pfSense no access to web configurator from internal network

2015-08-07 Thread Vick Khera
On Thu, Aug 6, 2015 at 1:12 PM, Alfredo Tapia Sabogal 
alfred.ta...@gmail.com wrote:

> internal network (LAN) em1 far as I did well, but I have some problems with
> my IP's range of IP's from my provider are 192.168.0.1 (router) in the
> PFSENSE I assigned the network card for the WAN 192.168.0.10 IP DHCP and
> for
> the LAN (INTERNAL Network ) I put 192.168.0.20 and give that addresses for


You will have to set the IP for the LAN to something else via the console,
or run in a mode disconnected from the LAN so your desktop can talk to the
pfSense LAN IP.

You can't have the same networks on both LAN and WAN.


Re: [pfSense] Problem with load vpn status

2015-07-30 Thread Vick Khera
On Wed, Jul 29, 2015 at 3:18 PM, Edward Josette Ortega Salas 
edward.jose...@gmail.com wrote:

> Yes, it was quick:
>
> - For setkey -D it took: 0.253u 0.276s 0:31.37 1.6% 93+178k 0+0io 0pf+0w
> - And for setkey -DP: 0.017u 0.008s 0:00.02 50.0% 204+408k 0+0io 0pf+0w
>
> And.. we are talking about 157 VPNs, so what can we do with this delay? Do
> you need another parse code or additional information to solve this?


Not being a PHP developer, I couldn't say why it takes so long to generate
that page from the output of setkey, but I'd definitely narrow my search
for the problem to the PHP code.


Re: [pfSense] Problem with load vpn status

2015-07-30 Thread Vick Khera
Perhaps pay someone to debug it for you? The pfSense folk sell support
contracts that are reasonably priced.

On Thu, Jul 30, 2015 at 11:18 AM, Edward Josette Ortega Salas 
edward.jose...@gmail.com wrote:

> Hi.
>
> So.. what would be your recommendation?.. The other weird thing is
> that.. that happens just with the IPsec status bar, the rest works just fine.
>
> Thanks again
>
> 2015-07-30 10:25 GMT-04:30 Vick Khera vi...@khera.org:
>
> > On Wed, Jul 29, 2015 at 3:18 PM, Edward Josette Ortega Salas 
> > edward.jose...@gmail.com wrote:
> >
> > > Yes, it was quick:
> > >
> > > - For setkey -D it took: 0.253u 0.276s 0:31.37 1.6% 93+178k 0+0io 0pf+0w
> > > - And for setkey -DP: 0.017u 0.008s 0:00.02 50.0% 204+408k 0+0io 0pf+0w
> > >
> > > And.. we are talking about 157 VPNs, so what can we do with this delay? Do
> > > you need another parse code or additional information to solve this?
> > >
> >
> > Not being a PHP developer, I couldn't say why it takes so long to generate
> > that page from the output of setkey, but I'd definitely narrow my search
> > for the problem to the PHP code.


Re: [pfSense] Connect pfSense as client to a Hotel WLAN?

2015-07-30 Thread Vick Khera
On Thu, Jul 30, 2015 at 4:10 AM, Seth Mos seth@dds.nl wrote:

> The current crown goes to the Dlink DIR510L which is a dual band travel
> router with dual radios (dual band) and a 4Ah battery for charging


The DLink DIR505 has been in my travel bag for a few years. It makes life
very easy when traveling. I should check out if the 510 is worth upgrading.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Vick Khera
On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz mo...@ymkatz.net wrote:

> Again, I agree with you that this shouldn't affect your score. I am
> simply explaining why they do it.


Based on this explanation, I agree. There's no reason for them to demand
your certificate also signs any other domain name as long as it signs the
one to which they are connecting and testing.


Re: [pfSense] Problem with load vpn status

2015-07-29 Thread Vick Khera
On Wed, Jul 29, 2015 at 10:24 AM, Edward Josette Ortega Salas 
edward.jose...@gmail.com wrote:

> Status - IPsec, I have between 15 and 20 min delay to show the
> information.


How long do these commands take to run on the command line:

setkey -D
setkey -DP

If these are quick, I'd suspect that the UI code that parses this output is
inefficient and taking a long time.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Vick Khera
On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz
wrote:

> I have an issue with Qualys: they ding my certification because I have
> domain.com on it and not www.domain.com (multi-site cert).
>
> That's not a reason to lower a score on security.


The only way I can make sense of your sentence is that they are dinging you
for having a certificate that does not match the name of the site you are
visiting because one has www. and the other does not. That seems to be
reasonable for them to ding you.

Re: [pfSense] IPSEC Tunnel with NAT not working under 2.2.3

2015-07-08 Thread Vick Khera
On Tue, Jul 7, 2015 at 8:39 AM, compdoc comp...@hotrodpc.com wrote:

> The same thing happened to me. I had to change the Encryption algorithm
> from AES256 to 3DES to get it to work.


Another option is to disable the AES-NI hardware acceleration in 2.2.3.


Re: [pfSense] iphone roaming client stopped routing

2015-07-06 Thread Vick Khera
On Wed, Jul 1, 2015 at 12:25 PM, Vick Khera vi...@khera.org wrote:

> With pfSense 2.2.3, the iPhone connects to the pfSense firewall to
> negotiate the VPN. The status seems to be normal and as far as I can tell
> all the IPSec bits are in order. Nothing unexpected in the logs. SAD and
> SPD look fine to me.


For the list archives: there is a bug in 2.2.3 using AES-256 encryption
with hardware accelerated crypto via AES-NI kernel module. Disabling the
latter (and rebooting) solves the problem. 2.2.4 will fix this, hopefully
soon.


Re: [pfSense] Issues with IPsec and 2.2.3

2015-07-06 Thread Vick Khera
On Sun, Jul 5, 2015 at 12:03 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:

> Neither my desktop nor my mobile (OS X 10.10.3 and iOS 8.3) are able to
> negotiate on a previously-functioning IPsec configuration. Only change I
> can determine right now is the updated OS of the firewall to CURRENT.


I had the issue with iPhone IPSec connection not routing any packets, but
negotiating properly otherwise. It turns out there is a bug in 2.2.3 with
respect to using AES-256 encryption and having the AES-NI hardware
acceleration enabled. Release 2.2.4 expected soon will fix this.


Re: [pfSense] Loading pfSense on Netgate 1U rack mount server c2758

2015-07-02 Thread Vick Khera
Are you trying to put the CD ISO image on the USB stick? That doesn't work.
You have to use the memstick image. This is not like some linux distros
where you use the CD image like this.


On Thu, Jul 2, 2015 at 2:31 PM, Paul Upson pmup...@thewestmoreland.org
wrote:

> I recently purchased this device and am now trying to load pfSense onto it
> using a USB stick. Each time the load fails with the following error:
> "Mounting from cd9660:/dev/iso9660/PFSENSE fails with error 19". I found a
> post that said to add the command set kern.cam.boot_delay=1 but it
> doesn't change the result. I need a resolution soon.
>
> Thanks
>
> Paul Upson
> IT Support Manager
> Westmoreland Museum of American Art @rt 30
> 4764 State Route 30, Greensburg, PA 15601
> 724-261-9982
> thewestmoreland.org
>
> http://www.wmuseumaa.org/museum/getevent.cfm?ID=751


Re: [pfSense] Improving OpenVPN performance

2015-07-01 Thread Vick Khera
On Wed, Jul 1, 2015 at 10:40 AM, Jon Gerdes gerd...@blueloop.net wrote:

> Your first job is to establish a real baseline.  That is: How fast can
> you really move data between the two sites without any tunnels?  You may
> have to be creative with NATting and other tricks to get a system at
> each end to see the other.


After you have done this do some of these things. These are all things I
had to try to debug a horribly performing OpenVPN tunnel (about 10% of raw
baseline in one direction only, other direction was line speed).


   - Turn on/off the network offloading switches: checksum, TCP
   segmentation, LRO. Do this one at a time. For APU you want checksum offload
   disabled, but the others on in normal use. Disable here only to satisfy
   yourself that they are not the culprit.
   - Try different ciphers. AES-128-CBC is great and works with the
   hardware cryptodev engine in modern CPUs.
   - turn on/off BSD cryptodev (you already did this one)
   - Try TCP instead of UDP (likely will be slower, though)
   - change the MTU size to be smaller on the VPN link using the advanced
   OpenVPN configurations
   - use NULL encryption to rule out slow CPU crypto (you've already done
   this one)
   - Switch to IPSEC to rule out some crazy on intermediate routers between
   endpoints
   - Use port 443/TCP for same reason as above.

For me, none of this made a difference and I gave up. Until the one day
that my primary firewall WAN NIC died on the motherboard. The failover box
took over and suddenly OpenVPN was running at line speed between the two
endpoints. It turns out in my case that the NIC had started to fail a few
months before, and the only symptom was outbound wrapped packets, either
OpenVPN or IPSEC, would be lost frequently and retransmitted. Nonetheless,
the above tricks should help you optimize your connection once you
determine your raw baseline speed.


[pfSense] iphone roaming client stopped routing

2015-07-01 Thread Vick Khera
For years I've had the iPhone roaming client IPSec configuration (using the
Cisco IPSec built-in client for iPhone). It has always worked great. I set
it up using the instructions on the pfSense forums.

With pfSense 2.2.3, the iPhone connects to the pfSense firewall to
negotiate the VPN. The status seems to be normal and as far as I can tell
all the IPSec bits are in order. Nothing unexpected in the logs. SAD and
SPD look fine to me.

However, no packets are routing. I cannot access *any* resource inside or
outside the VPN from my device. Normally all traffic is sent to the VPN
server in this configuration.

Clearly something changed with the roaming client use case with the recent
updates to IPSec.

Has anyone else noticed this on the upgrade? What's the fix?


SPD:
  Source          Destination     Protocol  Tunnel endpoints
  192.168.101.1   0.0.0.0/0       ESP       70.192.205.232 - X.Y.208.212
  0.0.0.0/0       192.168.101.1   ESP       X.Y.208.212 - 70.192.205.232

SAD:
  Source          Destination     Protocol  SPI       Enc. alg.     Auth. alg.  Data
  X.Y.208.212     70.192.205.232  ESP       096c1f12  rijndael-cbc  hmac-sha1   0 B
  70.192.205.232  X.Y.208.212     ESP       c61812fe  rijndael-cbc  hmac-sha1   0 B

Overview status (IKE SA):
  Local ID / Local IP: X.Y.208.212, Port: 4500 NAT-T, XAuth: user1
  Remote IP: 70.192.205.232, Port: 7009
  Role: IKEv1 responder; Reauth: 7 hours
  Algo: AES_CBC:256, HMAC_SHA1_96:0, PRF_HMAC_SHA1, MODP_1024
  Status: established 2 minutes ago

Child SA:
  Local subnets: 0.0.0.0/0; Local SPI: c61812fe; Remote SPI: 96c1f12;
  Remote subnets: 192.168.101.1/32
  Times: Rekey 42 minutes, Life 57 minutes, Install 2 minutes
  Algo: AES_CBC:256, HMAC_SHA1_96:0, IPComp: none
  Stats: Bytes-In 0, Packets-In 0 : 126, Bytes-Out 0, Packets-Out 0 : 0

Mobile clients entry: "iPhone Roaming Clients", local ID/IP X.Y.208.212,
remote ID iphone, remote IP Unknown, Awaiting connections



The configs are as follows:

Tunnel Phase1:
 Key exchange: V1
 IPv4
 Authentication: Mutual PSK + Xauth
 Mode: Aggressive
 Identifier: My IP address
 Peer Identifier: Distinguished name, iphone
 PSK: 64-byte hex value
 Encryption: AES-256, SHA1
 DH Key group: 2
 NAT Traversal: auto
 DPD: 10 seconds/5 tries

Phase2:
 Mode: tunnel IPv4
 Local Network: Type: address, Address blank
 NAT Type: none
 Protocol: ESP
 Algorithms: AES-256, SHA1
 PFS key group: off

On the mobile client tab:
 Authentication: Local Database, system
 Virtual address pool: 192.168.101.0/24
 Network list: unchecked
 Save Xauth PW: allowed
 DNS Domain: int.kcilink.com
 DNS Servers: 192.168.97.97; 8.8.4.4
 other options off.

On the iphone:
 server: DNS name of my pfsense WAN interface
 account/password: properly set
 no certificate
 Group name: iphone (matches Peer Identifier above)
 Secret: (matches PSK 64-byte key above)


Re: [pfSense] upgrade Openssl Package 0.9.8y in to 0.9.8zd) in pfsense 2.1

2015-03-26 Thread Vick Khera
pfsense is not distributed with a developer environment.

On Thu, Mar 26, 2015 at 5:53 AM, amit saxena amit.linux@gmail.com
wrote:

> Hello Everyone
>
> I am going to upgrade the OpenSSL package (0.9.8y to 0.9.8zd) in the
> pfSense 2.1 release.
> Step 1: I have downloaded openssl-0.9.8zd.tar.gz
> Step 2: Extract openssl-0.9.8zd.tar.gz
> Step 3: cd openssl-0.9.8zd
> Step 4: ./config --prefix=/usr/  (I am getting the error below)
>
> cc: not found
> You need Perl 5.
>
> Regards
> Amit Saxena

Re: [pfSense] 2.2.1-RELEASE sudo issues?

2015-03-18 Thread Vick Khera
On Tue, Mar 17, 2015 at 10:23 PM, Manojav Sridhar mano...@manojav.com
wrote:

> on APU1D4, 64-bit. Looks like the user stuff is all buggered up, it wasn't
> creating the admins group, but am quite sure its got to do w/ permissions
> and group membership.


The only way this could be permissions related is if the libintl.so.9 file
itself has no read permissions for your user ID. What are the permissions
on that file?

Re: [pfSense] pfSense FreeBSD Version

2015-03-10 Thread Vick Khera
On Tue, Mar 10, 2015 at 12:53 PM, WebDawg webd...@gmail.com wrote:

> Where is this tracked.  I remember I used to be able to install the next
> version of pfSense, can I still do this?


What you're saying you want to try is debugging, not a production solution.
pfSense 2.2 already runs the most recent released freebsd kernel.

pfSense is a unified tool; it is based on FreeBSD; it is not FreeBSD + some
packages.

Re: [pfSense] NIC Offloading Setting Questions

2015-03-06 Thread Vick Khera
On Fri, Mar 6, 2015 at 4:02 PM, Jim Thompson j...@netgate.com wrote:

 Second, none of these were offload-related.

 Third, the config file doesn't overwrite loader.conf.local.


I didn't say they were related; I just said it would be a nice thing if the
hardware specific settings were publicly stated on the product pages.

Re: [pfSense] NIC Offloading Setting Questions

2015-03-05 Thread Vick Khera
On Wed, Mar 4, 2015 at 5:08 PM, Jim Thompson j...@netgate.com wrote:

  Ah, so I should have asked _before_ ordering the NICs?  $;-)

 There are many of you, and few of us.


As a Netgate and pfSense customer, I think it would help *everyone* if you
just posted the special settings for the devices you sell. For example,
the NIC settings in loader.conf.local, and the options for things like the
thermal sensors and these NIC offloading settings. I know they come
pre-configured with such, but the first thing I do is upload my old config
to replace the old device, and now those settings are unknown to me. Having
to look thru every page to find them before is just a time suck.

If the special settings are shared on the product tech specs page, it would
make life just a lot easier and lower your support load.

Re: [pfSense] Pretend to be google's DNS

2015-03-05 Thread Vick Khera
On Thu, Mar 5, 2015 at 1:48 PM, Marc Peiser li...@nerens.com wrote:

 Any ideas how I might make this work? Or is there a better solution to
 this problem?


It seems like you should figure out why your client VPN software is broken,
and fix that.

My personal solution was to just make the internal hostnames resolve
globally. I mean, who really cares if anyone knows that my workstation IP
address is 192.168.7.80?  I suppose some level of security thru obscurity
would be there for not knowing my DB server internal IPs at the production
data center. But if you are in my network it won't take you long to find
them anyhow.