[pfSense] Help on reports
Hi All,

I have been trying to configure it to send mails as to daily reports & usage details. It's able to send me test messages. But I am not getting the daily reports. Is there a particular way to set it?

--
Thanks & Regards,
Abhishek Purba
+919845153700

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE
On Sat, Nov 14, 2015 at 9:14 PM, Chris Bagnall wrote:
> On 14 Nov 2015, at 20:19, C. R. Oldham wrote:
> > My ISP provides access over PPPoE and has given me 2 static IPs via the
> [...]
> > I cannot figure out how to make pfSense expose the xxx.yyy.149.218
> > address
> [...]
> The 'easiest' way of getting use out of the other address is to go to
> Virtual IPs and add it there, with type Proxy ARP.

I apologize for not following up sooner. This was indeed the solution. Thanks to everyone who replied. I thought this might be the case; some of the options on the Virtual IP Edit page were confusing me (Virtual IP Password, VHID group password, VHID Group, Advertising Frequency). I didn't realize they were optional.
Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE
On 14 Nov 2015, at 20:19, C. R. Oldham wrote:
> My ISP provides access over PPPoE and has given me 2 static IPs via the
> following configuration (public IPs sanitized)
> Usable IP addresses: xxx.yyy.149.218
> Gateway address: xxx.yyy.149.217
> Subnet mask: 255.255.255.252
> I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address
> to the public Internet. I don't have any trouble adding NAT rules that
> forward the .217 through to my internal network. Can someone give me a
> clue?

It's quite a common setup - I get something very similar at home (albeit with a /29).

pfSense has already been assigned the .217 address via PPP, as it should. The 'easiest' way of getting use out of the other address is to go to Virtual IPs and add it there, with type Proxy ARP. You'll then be able to use it on the 1:1 NAT page to assign it to a specific internal RFC1918 address if you want, or you can just use it as another external IP choice when defining standard NAT rules.

Kind regards,

Chris
--
C.M. Bagnall
This email is made from 100% recycled electrons
Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE
To be brief: you have a single usable address at a subnet mask of /30. .217 is the default gateway / default route. .218 is assigned to your WAN port on pfSense. You should read up on subnetting if you want a more thorough answer. A couple of search terms: VLSM, CIDR.

Regards,
Yaroslav

Original message
From: "C. R. Oldham" <c...@ncbt.org>
Date: 11/14/2015 3:19 PM (GMT-05:00)
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

> Greetings,
>
> My ISP provides access over PPPoE and has given me 2 static IPs via the following configuration (public IPs sanitized)
>
> Subnet Report
> --
> Subnet Size: 4
> Usable IP addresses: xxx.yyy.149.218
> Gateway address: xxx.yyy.149.217
> Subnet mask: 255.255.255.252
> CIDR number: /30
> Broadcast address: xxx.yyy.149.219
> Network address: xxx.yyy.149.216
>
> When I login to pfSense on the console I see
>
> *** Welcome to pfSense 2.2.5-RELEASE-pfSense (amd64) on pfSense ***
> WAN (wan) -> pppoe0 -> v4/PPPoE: xxx.yyy.149.217/32
> LAN (lan) -> em1 -> v4: 172.23.23.1/24
>
> I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address to the public Internet. I don't have any trouble adding NAT rules that forward the .217 through to my internal network. Can someone give me a clue? Exhaustive search of the mailing lists & pfSense handbook reveals similar requests, but nothing that really addresses (ha ha) this issue, unless I missed it.
>
> Thank you.
>
> --cro
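The reply above leans on the subnet arithmetic behind the ISP's "Subnet Report": a /30 holds four addresses, of which two are host addresses. The script below is an added example, not part of the thread, that checks that arithmetic with Python's standard ipaddress module. The report text it parses is a constructed copy of the one in the thread with 198.51.100.216/30 (a documentation range) standing in for the sanitized xxx.yyy.149.216; the function names are my own.

```python
"""Added example (not from the list thread): work out what a /30
allocation actually contains, and cross-check an ISP-style subnet
report against the arithmetic, using only the standard library."""
import ipaddress

# Constructed stand-in for the ISP's subnet report quoted in the thread.
# 198.51.100.0/24 is the TEST-NET-2 documentation range.
ISP_REPORT = """\
Subnet Size: 4
Usable IP addresses: 198.51.100.218
Gateway address: 198.51.100.217
Subnet mask: 255.255.255.252
CIDR number: /30
Broadcast address: 198.51.100.219
Network address: 198.51.100.216
"""


def parse_report(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def describe_subnet(address_with_prefix):
    """Return network, broadcast, mask, size and the assignable host
    addresses for a prefix. strict=False lets a host address such as
    198.51.100.218/30 be given instead of the network address."""
    net = ipaddress.ip_network(address_with_prefix, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "size": net.num_addresses,
        # hosts() excludes network and broadcast for prefixes shorter than /31
        "hosts": [str(h) for h in net.hosts()],
    }


def check_report(text):
    """Compare each field of the report with what the CIDR implies.
    Returns a list of discrepancies; an empty list means consistent."""
    f = parse_report(text)
    facts = describe_subnet(f["network address"] + "/" + f["cidr number"].lstrip("/"))
    problems = []
    if facts["netmask"] != f["subnet mask"]:
        problems.append("subnet mask does not match CIDR number")
    if facts["broadcast"] != f["broadcast address"]:
        problems.append("broadcast address is wrong")
    if int(f["subnet size"]) != facts["size"]:
        problems.append("subnet size is wrong")
    for label in ("gateway address", "usable ip addresses"):
        if f[label] not in facts["hosts"]:
            problems.append(f"{label} {f[label]} is not a host address in this /30")
    return problems


if __name__ == "__main__":
    facts = describe_subnet("198.51.100.218/30")
    print(facts["hosts"])          # the only two host addresses: .217 and .218
    print(check_report(ISP_REPORT))  # [] when the report is internally consistent
```

With the constructed report the check returns an empty list: the gateway and the "usable" address are exactly the two host addresses of the /30, which is why the thread turns on how pfSense should present the second one rather than on getting more addresses out of the block.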
Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE
> I don't have any trouble adding NAT
> rules that forward the .217 through to my internal network.

If that works, it sounds like .217 is your IP, and not your gateway as they documented. What is the gateway on your WAN connection?

--
Steve Yates
ITS, Inc.
[pfSense] Help with provider assigning multiple IP addresses over PPPoE
Greetings,

My ISP provides access over PPPoE and has given me 2 static IPs via the following configuration (public IPs sanitized)

Subnet Report
--
Subnet Size: 4
Usable IP addresses: xxx.yyy.149.218
Gateway address: xxx.yyy.149.217
Subnet mask: 255.255.255.252
CIDR number: /30
Broadcast address: xxx.yyy.149.219
Network address: xxx.yyy.149.216

When I login to pfSense on the console I see

*** Welcome to pfSense 2.2.5-RELEASE-pfSense (amd64) on pfSense ***
WAN (wan) -> pppoe0 -> v4/PPPoE: xxx.yyy.149.217/32
LAN (lan) -> em1 -> v4: 172.23.23.1/24

I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address to the public Internet. I don't have any trouble adding NAT rules that forward the .217 through to my internal network. Can someone give me a clue? Exhaustive search of the mailing lists & pfSense handbook reveals similar requests, but nothing that really addresses (ha ha) this issue, unless I missed it.

Thank you.

--cro
[pfSense] Help with Dup-To in pfSense
Hi all,

This is my first post to the list. I should preface that I have searched the dup-to topic on the forums and haven't found any good explanations as to how to do it in pfSense.

I used to run a Tomato-based router at home. It reached its limits as my link speed exceeded it; instead of getting a faster Tomato-based router I have decided to try out pfSense. I have an APU1D4 box that does the job.

I have some iptables rules that I am at a bit of a loss to convert over to pf dup-to. I need SIP INVITE packets that are routed to my SIP adapter to be copied to another computer, where I extract that information, keep a log and notify various systems.

    # copy only UDP packets carrying an INVITE (the match string needs quoting because of the space)
    iptables -t mangle -A POSTROUTING -p udp -d 192.168.100.0/23 -m string --string "INVITE sip:" --algo kmp -j ROUTE --tee --gw 192.168.100.2

Or a worst case where I duplicate all packets and drop what doesn't match at the .2 server.

    # Brute force: copy every UDP packet for the two SIP adapters to 192.168.100.2
    iptables -t mangle -A POSTROUTING -d 192.168.100.9 -p udp -j ROUTE --tee --gw 192.168.100.2
    iptables -t mangle -A POSTROUTING -d 192.168.100.249 -p udp -j ROUTE --tee --gw 192.168.100.2

How can I get this done with pf? I have been using pf for 2 days now so am a complete noob with it.

thanks
vajonam
Re: [pfSense] Help with OpenVPN interface rules
On 10/13/2014 10:46 AM, Paul Beriswill wrote:
> Now, when I create rules for the OpenVPN_Ops interface, using 'OPEN_VPN_OPS net' as 'Source' the rule never hits. It doesn't appear that the 'net' and 'address' aliases are being populated when the connection is established. Is this correct?

I don't believe that macro works for OpenVPN interfaces. Remember, when you assign the interface you must set it to an IP type of None, which is what that macro would have used to fill that macro. Manually specify the source of the traffic in the rules and you'll be OK.

You could use aliases to define specific subnet(s) or groups of people based on the addresses you intend to assign via client-specific overrides.

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Help with OpenVPN interface rules
Jim,

Thanks for the response. That is what I suspected, that the values were populated at config time rather than connect time.

The main reason that I wanted to be able to use those values is because I couldn't find a way to use an alias when defining a 'Client Specific Override'. I wanted to avoid needing to enter the same values in more than one place in order to reduce the chance of error when defining CSOs and their related rules. Am I missing something? It seems like an oversight to not allow alias substitution when defining CSOs ... or is there a technical reason why substitution is not possible with the OpenVPN package?

Is there a way to define both the client-specific network and associated FW rules from a single input, using aliases, RADIUS, AD, or other? From what I have gleaned from the docs, forums, etc. that I have perused, local DB + CSOs seem to be the closest I can get to this type of 'policy based routing/security'.

Basically, what we want to do is define a set of policies that can be applied to a group of users and allow fine tuning of the policy for individual users if necessary. I had envisioned using a different OpenVPN interface for each group, assigning rules to each interface, then fine tuning using CSOs. Is there a better way to do this?

Paul

On 10/14/2014 07:08 AM, Jim Pingle wrote:
> On 10/13/2014 10:46 AM, Paul Beriswill wrote:
> > Now, when I create rules for the OpenVPN_Ops interface, using 'OPEN_VPN_OPS net' as 'Source' the rule never hits.
> > [...]
> I don't believe that macro works for OpenVPN interfaces. Remember, when you assign the interface you must set it to an IP type of None, which is what that macro would have used to fill that macro. Manually specify the source of the traffic in the rules and you'll be OK.
>
> You could use aliases to define specific subnet(s) or groups of people based on the addresses you intend to assign via client-specific overrides.
>
> Jim

--
Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com
[pfSense] Help with OpenVPN interface rules
Help!!

I'm trying to get per-interface OpenVPN rules working and have run into a problem:

I go into the Interfaces-(assign) menu and create an interface assignment (OPENVPN_OPS). Now, when I create rules for the OpenVPN_Ops interface, using 'OPEN_VPN_OPS net' as 'Source' the rule never hits. It doesn't appear that the 'net' and 'address' aliases are being populated when the connection is established. Is this correct?

The intent is to use this feature to create per-configuration OpenVPN rules, then further refine the rules using Client Specific Overrides. In the end we want to be able to provide some general, very restrictive rules for users based on how they connect (think general function, i.e. accounting, tech support, dev, IT, etc.), then open up additional resources based on identity (CSOs?). We also want to make it difficult for an administrator to accidentally create security holes or break access by fat-fingering IP addresses, etc.

Will this scheme work for this scenario? Is there a better way to accomplish this? I have looked briefly at using AD or RADIUS to push rules to the FW ... would this work better? I still don't like that, apparently, this would move some of the functionality into the authentication mechanisms. Also, I don't believe AD or RADIUS work with CSOs. I don't want to create a maintenance nightmare as we scale up.

Appreciate any assistance or suggestions.

--
Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com
Re: [pfSense] HELP
Hi, Mr Mohan Rao, no new update from your end.

On Wed, Jul 9, 2014 at 4:40 PM, A Mohan Rao mohanra...@gmail.com wrote:
> you can give team viewer tomorrow..
>
> On Wed, Jul 9, 2014 at 4:38 PM, G.T.RAO netwebst...@gmail.com wrote:
> > hi, can you help me regarding non-transparent proxy.
> >
> > On Wed, Jul 9, 2014 at 4:31 PM, A Mohan Rao mohanra...@gmail.com wrote:
> > > At present you can only block with transparent proxy http sites, whatever you want like social networks, movie downloading etc., with groupwise. If you want to block https sites you can use non-transparent proxy..
> > > Thnx
> > > MOHAN RAO
> > >
> > > On Jul 9, 2014 4:26 PM, G.T.RAO netwebst...@gmail.com wrote:
> > > > Greetings all,
> > > > I am new to pfSense, please help me out with pfSense firewall NAT configuration for a small education network. I am using pfSense 2.1.4-release (i386).
> > > > 1. interface on WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24
> > > > 2. interface on LAN (lan) - em1 - v4/DHCP4 : 192.168.0.15/24
> > > > Webconfigurator is not working. So how can I block social media sites (facebook, youtube, etc.)?
> > > > Regards,
> > > > G.T.RAO
> > > > A free software fund-a-mentaL-isT.

--
G.T.RAO
A free software fund-a-mentaL-isT.
http://fossyatra.wordpress.com
http://paper.li/GTRao/1342070958
mobile:9953506651
Linux: free and open source software is good for you and for the world. No adware, no spyware, just good software.
Re: [pfSense] HELP
Please take this conversation off list.

--
Ryan Coleman
ryanjc...@me.com
m. 651.373.5015
o. 612.568.2749

On Jul 10, 2014, at 7:44, G.T.RAO netwebst...@gmail.com wrote:
> Hi, Mr Mohan Rao, no new update from your end.
> [...]
Re: [pfSense] HELP
- Original Message -
> Greetings all,
> I am new to pfSense, please help me out with pfSense firewall NAT configuration for a small education network. I am using pfSense 2.1.4-release (i386).
> 1. interface on WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24
> 2. interface on LAN (lan) - em1 - v4/DHCP4 : 192.168.0.15/24
> Webconfigurator is not working. So how can I block social media sites (facebook, youtube, etc.)?

Well, for starters your WAN and LAN are on the same subnet. You need to fix that first, then I'd bet your web configurator will work as expected.

For the rest of your issues, it looks like you made a friend on the list to take care of the rest (offlist).

--Tim
Re: [pfSense] HELP
Hello Mr Rao,

It's your work, so I will not be available with your conditions and timings. Better is you can take time from me, then we will sort out your problems..

Thanks

On Jul 10, 2014 6:14 PM, G.T.RAO netwebst...@gmail.com wrote:
> Hi, Mr Mohan Rao, no new update from your end.
> [...]
Re: [pfSense] HELP
PLEASE take this conversation off the list.

--
Ryan Coleman
ryanjc...@me.com
m. 651.373.5015
o. 612.568.2749

On Jul 10, 2014, at 9:15, A Mohan Rao mohanra...@gmail.com wrote:
> Hello Mr Rao,
> It's your work, so I will not be available with your conditions and timings. Better is you can take time from me, then we will sort out your problems..
> [...]
Re: [pfSense] HELP
Okay...!

On Jul 10, 2014 7:46 PM, Ryan Coleman ryanjc...@me.com wrote:
> PLEASE take this conversation off the list.
> [...]
Re: [pfSense] HELP
G.T.RAO netwebsteps@... writes:
> Greetings all,
> I am new to pfSense, please help me out with pfSense firewall NAT configuration for a small education network. I am using pfSense 2.1.4-release (i386).
> 1. interface on WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24
> 2. interface on LAN (lan) - em1 - v4/DHCP4 : 192.168.0.15/24
> Webconfigurator is not working. So how can I block social media sites (facebook, youtube, etc.)?
> Regards,
> G.T.RAO
> A free software fund-a-mentaL-isT.

Hi,

You can't use the same IP range for WAN and LAN. Try another IP range for the LAN, like 192.168.2.x, and try to access the webconfig in this LAN.

Regards,
Roberto Soubhia
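Two replies in this thread spot the same thing from the pasted interface summary: WAN and LAN both sit in 192.168.0.0/24, so routing between them cannot work and the web configurator is unreachable. The script below is an added example, not part of the thread, that parses the interface lines pfSense prints at the console and flags interfaces whose subnets overlap. It goes slightly beyond the thread by accepting both the "WAN (wan) - em0 - v4/DHCP4 : a.b.c.d/n" form pasted here and the "WAN (wan) -> pppoe0 -> v4/PPPoE: a.b.c.d/n" form from the PPPoE thread on this page. Both input sets are constructed copies (the PPPoE one uses 198.51.100.217, a documentation address, for the sanitized public IP); the function names and the 192.168.2.1/24 candidate are my own.

```python
"""Added example (not from the list thread): parse pfSense console
interface lines and report interfaces whose IPv4 subnets overlap."""
import ipaddress
import re

# Constructed copy of the two lines from the original post (same subnet on both).
CONSOLE_LINES = [
    "WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24",
    "LAN (lan) - em1 - v4/DHCP4 : 192.168.0.15/24",
]

# Constructed copy of the PPPoE thread's summary, with a documentation
# address standing in for the sanitized public IP.
PPPOE_LINES = [
    "WAN (wan) -> pppoe0 -> v4/PPPoE: 198.51.100.217/32",
    "LAN (lan) -> em1 -> v4: 172.23.23.1/24",
]

# name (tag) - device - v4[/method]: address/prefix ; the separator may be "-" or "->"
LINE_RE = re.compile(
    r"^(?P<name>\w+)\s+\((?P<tag>\w+)\)\s+->?\s+(?P<dev>\w+)\s+->?\s+"
    r"v4(?:/\w+)?\s*:\s*(?P<addr>\d+\.\d+\.\d+\.\d+/\d+)"
)


def parse_interfaces(lines):
    """Map interface name -> ipaddress.IPv4Interface for every line that parses."""
    result = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("name")] = ipaddress.ip_interface(m.group("addr"))
    return result


def find_overlaps(ifaces):
    """Return sorted (name, name) pairs whose subnets overlap.
    Any overlap between two directly connected interfaces is a
    misconfiguration: the router cannot tell which side a destination is on."""
    names = sorted(ifaces)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                overlaps.append((a, b))
    return overlaps


def candidate_is_clear(ifaces, candidate, replacing="LAN"):
    """True if a proposed address for `replacing` clears every other interface."""
    cand = ipaddress.ip_interface(candidate)
    return all(
        not cand.network.overlaps(ifaces[n].network)
        for n in ifaces if n != replacing
    )


if __name__ == "__main__":
    ifaces = parse_interfaces(CONSOLE_LINES)
    print(find_overlaps(ifaces))                       # [('LAN', 'WAN')]
    print(candidate_is_clear(ifaces, "192.168.2.1/24"))  # True
    print(find_overlaps(parse_interfaces(PPPOE_LINES)))  # []
```

Run against the constructed lines it reports the LAN/WAN pair from this thread and nothing for the PPPoE thread's WAN /32 and LAN /24, which is the expected result for a correctly separated WAN and LAN.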
Re: [pfSense] HELP
At present you can only block with transparent proxy http sites, whatever you want like social networks, movie downloading etc., with groupwise. If you want to block https sites you can use non-transparent proxy..

Thnx
MOHAN RAO

On Jul 9, 2014 4:26 PM, G.T.RAO netwebst...@gmail.com wrote:
> Greetings all,
> I am new to pfSense, please help me out with pfSense firewall NAT configuration for a small education network. I am using pfSense 2.1.4-release (i386).
> 1. interface on WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24
> 2. interface on LAN (lan) - em1 - v4/DHCP4 : 192.168.0.15/24
> Webconfigurator is not working. So how can I block social media sites (facebook, youtube, etc.)?
> Regards,
> G.T.RAO
> A free software fund-a-mentaL-isT.
Re: [pfSense] HELP
you can give team viewer tomorrow.. On Wed, Jul 9, 2014 at 4:38 PM, G.T.RAO netwebst...@gmail.com wrote: hi, can u help me regarding non-transparent proxy. Sent with MailTrack https://mailtrack.io/install?source=signaturelang=enreferral=netwebst...@gmail.comidSignature=22 On Wed, Jul 9, 2014 at 4:31 PM, A Mohan Rao mohanra...@gmail.com wrote: At present u can only block with transparent proxy http sites whatever u want like social networks movies downloading etc with groupwise. If u want to block https sites u can use non-transparent proxy.. Thnx MOHAN RAO On Jul 9, 2014 4:26 PM, G.T.RAO netwebst...@gmail.com wrote: Greetings all, I ma new to pfsense , pl help me out pfsense firewall Nat configuration for small education network. I am Using pfsense 2.1.4-reease for (i386) 1. interface on WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24 https://mailtrack.io/trace/link/534a165f0ca4acef44b1e7988788a911e92f3dca 2. interface on LAN (lan ) - em1 - v4/DHCP4 : 192.168.0.15/24 https://mailtrack.io/trace/link/dd33c3e23c8532810f5b3e33a98e30e033508345 Webconfigurator is not working, So how can i block [ social media sites : facebook,youtube.etc). Regards, G.T.RAO A free software fund-a-mentaL-isT. Sent with MailTrack https://mailtrack.io/install?source=signaturelang=enreferral=netwebst...@gmail.comidSignature=22 ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list -- G.T.RAO A free software fund-a-mentaL-isT. http://fossyatra.wordpress.com http://paper.li/GTRao/1342070958 mobile:9953506651 लिनक्स: नि:शुल्क और खुले स्रोत सॉफ्टवेयर आप के लिए और दुनिया के लिए अच्छा है. ना कोई adware,ना कोई spyware, सिर्फ अच्छा सॉफ्टवेयर. Linux(લિનક્ષ ): મુક્ત અને નિઃશુલ્ક(મફત) ઓપન સોર્સ સોફ્ટવેર તમારા માટે અને વિશ્વ માટે સારું છે. ના કોઈ એડવેર , ના કોઈ સ્પાયવેર, માત્ર સારું સોફ્ટવેર. 
Re: [pfSense] HELP
Hi, tomorrow I am free from 11 am to 3 pm.

On Wed, Jul 9, 2014 at 4:40 PM, A Mohan Rao mohanra...@gmail.com wrote:
> You can give TeamViewer tomorrow..

--
G.T.RAO
A free software fund-a-mentaL-isT.
http://fossyatra.wordpress.com
http://paper.li/GTRao/1342070958
mobile:9953506651
Linux: free and open source software is good for you and for the world. No adware, no spyware, just good software.
[pfSense] pfSense help at Dayton NJ needed
Hi all, sorry for my abuse of the mailing list. We have the disaster of a broken pfSense upgrade to 2.1.2. Unfortunately we don't have a proper technician on site, all repair attempts by phone have been unsuccessful, and the (planned) new pfSense HA cluster will not reach our location before Tuesday. Is there a list member somewhere from Dayton NJ who can help us, or does someone know somebody near Dayton?

Thanks and bye
Christoph
[pfSense] Help - GW Failover Gateway
Hi, I need information about GW Failover Gateway. I tested it many times and it didn't work. I'm using the OpenVPN interface option. When the primary WAN link goes down, the change to the secondary WAN link is not made. I have to change manually to the secondary link. Can someone help me in this case?

Thanks
[pfSense] Help with VLAN setup
Hello all…

I’m trying to set up VLANs but I can’t get it to work. I have a TP-Link TL-SL2210WEB switch connected to a pfSense box. The switch should connect to 3 ADSL Modems on ports 2, 3 and 4 and to the pfSense Box on port 1. On the switch I configured port 2 to be part of VLAN 2, port 3 to be part of VLAN 3 and port 4 to be part of VLAN 4. They all tag “Egress Frames” accordingly. Port 1 is a member of all those VLANs and does not modify “Egress Frames”.

On pfSense I tried to set up VLANs 2-4 too, but something doesn’t work. I created the VLANs during set up, then assigned them to the corresponding interface (fxp0 - I tried with re1 too) and then created OPT interfaces using the VLANs as their network ports. Then I gave each OPT an IP address according to the modem’s configuration (192.168.x.10). I tried creating Gateways when assigning IPs and as well afterwards, but no interface gets online or can ping the modems.

When I connect my laptop directly to port 1 of the switch and assign it an IP address corresponding to any of the modems connected I get online and can ping the modems too.

What am I doing wrong?

Thanks
Ben

(sorry for cross posting on forum and list, I’ll share any knowledge I can gather in both too.)
Re: [pfSense] Help with VLAN setup
On Sat 23 Nov 2013 10:40:23 AM CST, Benjamin Swatek wrote:
> I’m trying to set up VLANs but I can’t get it to work. I have a TP-Link TL-SL2210WEB switch connected to a pfSense box. The switch should connect to 3 ADSL Modems on ports 2, 3 and 4 and to the pfSense Box on port 1. On the switch I configured port 2 to be part of VLAN 2, port 3 to be part of VLAN 3 and port 4 to be part of VLAN 4. They all tag “Egress Frames” accordingly. Port 1 is a member of all those VLANs and does not modify “Egress Frames”.

Based on your description, I think you've got it backwards. Ports 2, 3, and 4 need to be untagged members of their respective VLANs, and port 1 needs to have VLANs 2, 3 and 4 tagged.

> When I connect my laptop directly to port 1 of the switch and assign it an IP address corresponding to any of the modems connected I get online and can ping the modems too.

That doesn't quite add up.

> What am I doing wrong?

My best guess is untagged/tagged confusion on your part, but there are other possibilities. I assume VLAN 1 is your LAN, i.e. the subnet protected by the firewall. Presumably ports 5 through 8 are on VLAN 1 as well, and your other devices are plugged in there.

You want port 1 to be an untagged member of VLAN 1, and a tagged member of VLANs 2, 3 and 4. If your switch talks about egress and ingress rules, port 1 should be configured to *apply* an 802.1Q tag on egress for VLANs 2, 3 and 4, and to *strip* (or merely not apply, depends on the switch) 802.1Q tags on egress for VLAN 1. Similarly, the PVID (default VLAN) for port 1 should be VLAN 1, and it should accept tagged packets for VLANs 2, 3 and 4. Then ports 2, 3, and 4 should be configured to strip (or not apply) 802.1Q tags on egress for their respective VLANs, and should be configured with a PVID of 2/3/4 (respectively) and be set to accept untagged packets.

On pfSense, your fxp0 interface should be the LAN interface, and you should create three additional VLAN interfaces on fxp0 for WAN1, WAN2, WAN3 (or whatever you want to call them - but one of them has to be the primary WAN interface that gets configured during initial setup). pfSense does 802.1Q tagging by default (I'm not even sure it can be turned off). Because you're using VLAN 1, the default VLAN, you likely can't tag those packets, and probably shouldn't in any case. (I'm not going to get on my soapbox here, ask me if you care about why.)

--
-Adam Thompson
athom...@athompso.net
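The two switch configurations in this exchange, modelled as a small constructed simulation of 802.1Q port rules (PVID, tagged and untagged membership). This is an added example, not code from the thread, from pfSense or from the TP-Link firmware; the PVIDs of ports 2-4 in Ben's setup and the "modems only speak untagged" behaviour are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a constructed model of the 802.1Q port rules discussed in the
# thread (PVID, tagged/untagged membership). Not pfSense or TP-Link code.


@dataclass
class Port:
    pvid: int                          # VLAN assigned to untagged ingress frames
    tagged: frozenset = frozenset()    # VLANs this port emits with an 802.1Q tag
    untagged: frozenset = frozenset()  # VLANs this port emits without a tag

    def members(self) -> frozenset:
        return self.tagged | self.untagged


@dataclass
class Frame:
    vlan: Optional[int]  # None means no 802.1Q tag on the wire
    src: str


def switch_forward(ports: dict, ingress: int, frame: Frame) -> dict:
    """Forward one frame entering `ingress`; return {port: frame as seen on the wire}.

    Ingress: an untagged frame is classified into the port's PVID; a tagged frame
    is accepted only for a VLAN the port is a member of. Egress: the tag is written
    on tagged-member ports and stripped on untagged-member ports.
    """
    port_in = ports[ingress]
    vid = port_in.pvid if frame.vlan is None else frame.vlan
    if frame.vlan is not None and vid not in port_in.members():
        return {}  # ingress filtering drops it
    out = {}
    for num, port in ports.items():
        if num == ingress:
            continue
        if vid in port.tagged:
            out[num] = Frame(vid, frame.src)
        elif vid in port.untagged:
            out[num] = Frame(None, frame.src)
    return out


# Endpoint behaviour (assumed): the ADSL modems only understand untagged frames;
# pfSense hands tagged frames to the matching VLAN interface on fxp0 and treats
# untagged frames as belonging to the parent interface (LAN).
def modem_receives(frame: Optional[Frame]) -> bool:
    return frame is not None and frame.vlan is None


def pfsense_interface(frame: Optional[Frame]) -> Optional[str]:
    if frame is None:
        return None
    return "fxp0 (LAN)" if frame.vlan is None else f"fxp0 VLAN {frame.vlan}"


def ben_config() -> dict:
    """Ports 2-4 tag egress, port 1 passes everything untagged (PVIDs assumed)."""
    return {
        1: Port(pvid=1, untagged=frozenset({1, 2, 3, 4})),
        2: Port(pvid=2, tagged=frozenset({2})),
        3: Port(pvid=3, tagged=frozenset({3})),
        4: Port(pvid=4, tagged=frozenset({4})),
        5: Port(pvid=1, untagged=frozenset({1})),  # an ordinary LAN port
    }


def adam_config() -> dict:
    """Port 1: untagged VLAN 1, tagged 2-4. Ports 2-4: untagged, PVID 2/3/4."""
    return {
        1: Port(pvid=1, untagged=frozenset({1}), tagged=frozenset({2, 3, 4})),
        2: Port(pvid=2, untagged=frozenset({2})),
        3: Port(pvid=3, untagged=frozenset({3})),
        4: Port(pvid=4, untagged=frozenset({4})),
        5: Port(pvid=1, untagged=frozenset({1})),
    }


def check(config) -> dict:
    """Modem 2 -> pfSense, pfSense VLAN 3 -> modem 3, and a LAN client on port 5."""
    ports = config()
    up = switch_forward(ports, 2, Frame(None, "modem2"))
    down = switch_forward(ports, 1, Frame(3, "pfsense"))
    lan = switch_forward(ports, 5, Frame(None, "laptop"))
    return {
        "modem2_seen_on": pfsense_interface(up.get(1)),
        "vlan3_reaches_modem3": modem_receives(down.get(3)),
        "laptop_seen_on": pfsense_interface(lan.get(1)),
    }


if __name__ == "__main__":
    for name, cfg in (("Ben", ben_config), ("Adam", adam_config)):
        print(name, check(cfg))
```

With Ben's port rules the modem's frames arrive at pfSense untagged, so they land on the LAN parent rather than the VLAN 2 interface, and frames pfSense sends on VLAN 3 reach modem 3 still tagged; with Adam's rules both directions come out right.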
Re: [pfSense] Help with VLAN setup
On 23 Nov 2013, at 13:14, Adam Thompson athom...@athompso.net wrote:
> > What am I doing wrong?
>
> My best guess is untagged/tagged confusion on your part, but there are other possibilities. I assume VLAN 1 is your LAN, i.e. the subnet protected by the firewall. Presumably ports 5 through 8 are on VLAN 1 as well, and your other devices are plugged in there.
>
> You want port 1 to be an untagged member of VLAN 1, and a tagged member of VLANs 2, 3 and 4. If your switch talks about egress and ingress rules, port 1 should be configured to *apply* an 802.1Q tag on egress for VLANs 2, 3 and 4, and to *strip* (or merely not apply, depends on the switch) 802.1Q tags on egress for VLAN 1. Similarly, the PVID (default VLAN) for port 1 should be VLAN 1, and it should accept tagged packets for VLANs 2, 3 and 4. Then ports 2, 3, and 4 should be configured to strip (or not apply) 802.1Q tags on egress for their respective VLANs, and should be configured with a PVID of 2/3/4 (respectively) and be set to accept untagged packets.

Seems like that was the problem. Thanks a million.

Ben
Re: [pfSense] Help
--- On Thu, 5/16/13, Joy pj.netfil...@gmail.com wrote:
> Hi Team,
> Is it possible to use cloud-based web filtering with pfSense, like OpenDNS-based filtering? If so, what software does that, like Websense etc.?

The SquidGuard package provides a means of filtering URLs. The project site (http://www.squidguard.org/) provides links to blacklists and/or malicious URLs (http://www.squidguard.org/blacklists.html). The following site provides a quick description of how to set up SquidGuard: http://skear.hubpages.com/hub/URL-Filtering-How-To-Configure-SquidGuard-in-pfSense

Also, there is pfBlocker. Instructions for enabling pfBlocker are available at: http://doc.pfsense.org/index.php/Pfblocker
1. Install the pfBlocker package.
2. Go to Firewall > pfBlocker > General to specify the inbound and outbound interfaces. Also check the checkboxes to enable pfBlocker and enable logging if desired.
3. Go to the Firewall > pfBlocker > Lists tab to configure blocklists (such as http://www.spamhaus.org/drop/drop.txt, http://www.spamhaus.org/drop/edrop.txt, and http://feeds.dshield.org/top10-2.txt). pfBlocker will automatically add firewall rules using the configured list alias.
[pfSense] Help
Hi Team,
Is it possible to use cloud-based web filtering with pfSense, like OpenDNS-based filtering? If so, what software does that, like Websense etc.?
Re: [pfSense] Help
On Thu, May 16, 2013 at 04:25:10PM +0530, Joy wrote:
> Hi Team,
> Is it possible to use cloud-based web filtering with pfSense, like OpenDNS-based filtering? If so, what software does that, like Websense etc.?

Have you tried just putting in OpenDNS resolvers under System > General Setup > DNS servers?
Re: [pfSense] help
On Wed, Apr 24, 2013 at 10:36 AM, eyobe kebede e...@dbu.edu.et wrote:
> public ip 197.156.75.54 our side and 197.156.75.53 ISP side

Well, now you have just shared some new information. Try this: set your public IP to 197.156.75.54 and the default route to the .53 address, and the netmask to 255.255.255.252. See what happens.
Re: [pfSense] help
If I want to make NAT, how could I do it? The IP addresses are 10.130.51.83 (WAN IP) and 10.130.65.42 (default gateway), 197.156.75.54 (public IP, our side) and 197.156.75.53, and 10.130.65.41 is an IP on the ISP's side. But I am not clear on the function of 10.130.65.41 and how I can make NAT.

On Wed, Apr 24, 2013 at 8:04 AM, Ryan Rodrigue radiote...@aaremail.com wrote:
> Please don’t top post. It makes helping difficult.
>
> I would try 2 things.
> 1st I would try to set up the public IP that was given to you (197.156.75.54) as a static IP in PF and set up 197.156.75.53 as the default gateway. (Don’t use DHCP.) You will have to set up the DNS servers in the System > General Setup tab.
> 2nd If that doesn’t work, I would try to move the PPPoE login information to the PF box and put the DSL modem in bridge mode.
Re: [pfSense] help
On 24/04/13 03:17, Vick Khera wrote:
> On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:
> > but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way
>
> Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is 255.255.255.252, the *ONLY* other IP you can directly reach is 10.134.192.153. Your network address is the .152 address and your broadcast IP is the .155 address. Your default gateway must be within the network defined by the WAN IP + netmask, and the one they gave you is not within that network. To include 10.130.42.65 in your WAN network so that you can reach it directly, you will need a much, much wider netmask. Or some magic. Don't count on getting any magic any time soon.

Didn't Jim already provide the solution to this problem 2 weeks ago? No point in pondering further on unusual setups :)
Re: [pfSense] help
After a long period of communication they gave us a new WAN IP, 10.130.51.83, and a public IP of 197.156.75.54. How can we configure both IP addresses?

On Tue, Apr 23, 2013 at 6:17 PM, Vick Khera vi...@khera.org wrote:
> On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:
> > but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way
>
> Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is 255.255.255.252, the *ONLY* other IP you can directly reach is 10.134.192.153. Your network address is the .152 address and your broadcast IP is the .155 address. Your default gateway must be within the network defined by the WAN IP + netmask, and the one they gave you is not within that network. To include 10.130.42.65 in your WAN network so that you can reach it directly, you will need a much, much wider netmask. Or some magic. Don't count on getting any magic any time soon.
Re: [pfSense] help
After a long period of communication they gave us a new WAN IP, 10.130.51.83, and a public IP of 197.156.75.54. How can I include the two IP addresses?

On Wed, Apr 24, 2013 at 4:17 AM, Vick Khera vi...@khera.org wrote:
> On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:
> > but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way
>
> Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is 255.255.255.252, the *ONLY* other IP you can directly reach is 10.134.192.153. Your network address is the .152 address and your broadcast IP is the .155 address. Your default gateway must be within the network defined by the WAN IP + netmask, and the one they gave you is not within that network. To include 10.130.42.65 in your WAN network so that you can reach it directly, you will need a much, much wider netmask. Or some magic. Don't count on getting any magic any time soon.
Re: [pfSense] help
I am just a big dummy that is coming in late in the game. Is it possible that they are sending that IP to a router/modem and the router is doing NAT? If so, is it possible to disable the routing functions and just use this as a bridge and not a router? I have seen this before with DSL and some cable modems. I have even seen cable modems that have an internal NAT IP, but also work with the public IP that is assigned to your account.

Have you called your ISP and asked them how to use your static IP? Who is your service provider? Is this cable or DSL? Sorry if you have answered this before. I am coming in a little late.
Re: [pfSense] help
We are using DSL, and let me give you some information. We were using the 10.130.48.72 IP address given by the ISP, and for some reason we have purchased the public IP 197.156.75.54, where technicians from the ISP do not tell us how to use the IP addresses and it has become difficult to configure it on pfSense. These are the solid facts:
WAN IP 10.130.51.83
default gateway 10.130.65.42
public IP 197.156.75.54 our side and 197.156.75.53 ISP side
Then we need to know how to configure this in pfSense?

On Wed, Apr 24, 2013 at 5:22 PM, Ryan Rodrigue radiote...@aaremail.com wrote:
> I am just a big dummy that is coming in late in the game. Is it possible that they are sending that IP to a router/modem and the router is doing NAT? If so, is it possible to disable the routing functions and just use this as a bridge and not a router? I have seen this before with DSL and some cable modems. I have even seen cable modems that have an internal NAT IP, but also work with the public IP that is assigned to your account.
>
> Have you called your ISP and asked them how to use your static IP? Who is your service provider? Is this cable or DSL? Sorry if you have answered this before. I am coming in a little late.
Re: [pfSense] help
Please don't top post. It makes helping difficult.

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of eyobe kebede
Sent: Wednesday, April 24, 2013 9:36 AM
To: pfSense support and discussion
Subject: Re: [pfSense] help

> We are using DSL, and let me give you some information. We were using the 10.130.48.72 IP address given by the ISP, and for some reason we have purchased the public IP 197.156.75.54, where technicians from the ISP do not tell us how to use the IP addresses and it has become difficult to configure it on pfSense. These are the solid facts:
> WAN IP 10.130.51.83
> default gateway 10.130.65.42
> public IP 197.156.75.54 our side and 197.156.75.53 ISP side
> Then we need to know how to configure this in pfSense?

I would try 2 things.
1st I would try to set up the public IP that was given to you (197.156.75.54) as a static IP in PF and set up 197.156.75.53 as the default gateway. (Don't use DHCP.) You will have to set up the DNS servers in the System > General Setup tab.
2nd If that doesn't work, I would try to move the PPPoE login information to the PF box and put the DSL modem in bridge mode.
Re: [pfSense] help
On 24/04/13 16:36, eyobe kebede wrote:
> We are using DSL, and let me give you some information. We were using the 10.130.48.72 IP address given by the ISP, and for some reason we have purchased the public IP 197.156.75.54, where technicians from the ISP do not tell us how to use the IP addresses and it has become difficult to configure it on pfSense. These are the solid facts:
> WAN IP 10.130.51.83
> default gateway 10.130.65.42
> public IP 197.156.75.54 our side and 197.156.75.53 ISP side
> Then we need to know how to configure this in pfSense?

See the second reply in this thread by Jim:
[quote]
Some ISPs that are particularly stingy with IPs and bad at routing have been doing this. His ISP may have just forgotten to give him the proper gateway. But on the outside chance they really do expect him to use that 10.x address as the gateway, it may still be possible. http://redmine.pfsense.org/issues/972 Not supported in the GUI yet though.
Jim
[/quote]
Re: [pfSense] help
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Matthias May
Sent: Wednesday, April 24, 2013 11:02 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] help

> See the second reply in this thread by Jim:
> [quote]
> Some ISPs that are particularly stingy with IPs and bad at routing have been doing this. His ISP may have just forgotten to give him the proper gateway. But on the outside chance they really do expect him to use that 10.x address as the gateway, it may still be possible. http://redmine.pfsense.org/issues/972 Not supported in the GUI yet though.
> Jim
> [/quote]

I don't understand your comment. He says that the public IP is 197.156.75.53 on the ISP side. This appears to be a proper gateway.
Re: [pfSense] help
> Some ISPs that are particularly stingy with IPs and bad at routing have been doing this.

I might be missing something, but it does seem like a pretty awful, and at best very temporary, 'solution' to IPv4 shortage. I must admit if I were the OP, I'd probably be looking for a new DSL provider. Roll on widespread v6 adoption and NAT64 for access to the 'legacy internet' :-)

Kind regards,
Chris
--
This email is made from 100% recycled electrons
Re: [pfSense] help
On 24-4-2013 18:24, Chris Bagnall wrote:
> > Some ISPs that are particularly stingy with IPs and bad at routing have been doing this.
>
> I might be missing something, but it does seem like a pretty awful, and at best very temporary, 'solution' to IPv4 shortage. I must admit if I were the OP, I'd probably be looking for a new DSL provider. Roll on widespread v6 adoption and NAT64 for access to the 'legacy internet' :-)

It looks like 464XLAT is one of the better things that has come forth; however, it needs to be implemented on the client. Till that time, DNS64 and NAT64 will have to do. And it ain't pretty. Dual stack if you can, folks! The water is fine!

Cheers,
Seth
Re: [pfSense] help
On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:
> but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way

Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is 255.255.255.252, the *ONLY* other IP you can directly reach is 10.134.192.153. Your network address is the .152 address and your broadcast IP is the .155 address. Your default gateway must be within the network defined by the WAN IP + netmask, and the one they gave you is not within that network. To include 10.130.42.65 in your WAN network so that you can reach it directly, you will need a much, much wider netmask. Or some magic. Don't count on getting any magic any time soon.
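Vick's subnet arithmetic carried through as a worked check, using the figures quoted in this thread. This is an added example, not code from the list or from pfSense; it uses only the standard library.

```python
import ipaddress

# Added example: is an ISP-supplied gateway inside the block defined by the WAN
# address and netmask? Figures are the ones quoted in the thread.


def wan_block(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The on-link network defined by a WAN address plus its netmask."""
    return ipaddress.IPv4Interface(f"{ip}/{netmask}").network


def other_reachable(ip: str, netmask: str) -> list:
    """Host addresses on the same segment other than our own (directly reachable)."""
    return [str(h) for h in wan_block(ip, netmask).hosts() if str(h) != ip]


def gateway_check(ip: str, netmask: str, gateway: str) -> dict:
    """Network and broadcast of the block, and whether `gateway` is a usable on-link host.

    A gateway that is the network or broadcast address, or our own address, is
    rejected as well, not just one outside the block.
    """
    net = wan_block(ip, netmask)
    gw = ipaddress.IPv4Address(gateway)
    on_link = (gw in net
               and gw not in (net.network_address, net.broadcast_address)
               and gw != ipaddress.IPv4Address(ip))
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "gateway_on_link": on_link,
    }


def prefix_to_include(ip: str, other: str) -> int:
    """Longest prefix whose block holds both addresses, i.e. how wide the netmask
    would have to become before `other` is directly reachable."""
    a = int(ipaddress.IPv4Address(ip))
    b = int(ipaddress.IPv4Address(other))
    prefix = 32
    while prefix > 0 and (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    return prefix


if __name__ == "__main__":
    # The ISP's first offer: 10.134.192.154 with 255.255.255.252 and gateway 10.130.42.65.
    print(gateway_check("10.134.192.154", "255.255.255.252", "10.130.42.65"))
    print(other_reachable("10.134.192.154", "255.255.255.252"))
    print("/%d needed" % prefix_to_include("10.134.192.154", "10.130.42.65"))
    # The later pair: 197.156.75.54 with 197.156.75.53 on the ISP side, same mask.
    print(gateway_check("197.156.75.54", "255.255.255.252", "197.156.75.53"))
```

For the first offer the only other on-link host is 10.134.192.153 and the mask would have to widen to a /13 before 10.130.42.65 fell inside it; for the later pair .53 is a valid on-link gateway for .54/30.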
Re: [pfSense] help
Hi, here I have got some information from our router configuration. The IP address is 10.134.192.154 and the subnet mask is 255.255.255.252. How could I configure this to include 197.156.75.54 as the public IP?

On Tue, Apr 9, 2013 at 6:37 PM, Vick Khera vi...@khera.org wrote:
> On Tue, Apr 9, 2013 at 11:19 AM, Jim Pingle li...@pingle.org wrote:
> > His ISP may have just forgotten to give him the proper gateway. But on the outside chance they really do expect him to use that 10.x address as the gateway, it may still be possible. http://redmine.pfsense.org/issues/972 Not supported in the GUI yet though.
>
> Wow, just wow. How do people come up with these ideas?
[pfSense] help
Hello there;
It has been around three years since my institution started using pfSense as a router, and it was so awesome and helpful in my understanding since I used it for an average enough time. But my problem starts now. Previously we were using a static IP address that was given to us by Ethio Telecom, the local ISP. But due to speed matters we have asked them to allow us to use a public IP address, and they demanded us to change the WAN IP, which was previously 10.130.48.72 with the default gateway of 10.130.48.1, to 197.156.75.54 with a default gateway of 10.130.42.65. When I tried to change the interface and the gateways I am not able to connect to the internet. Due to this the connection is down in my institution. Could you please help me in solving my problem? I am waiting to hear your response. I would like to thank you in advance for the help that you have given to my institution.
Re: [pfSense] help
Hello,

You should ask your ISP and have them verify the gateway. If you are now using 197.156.75.54 they should provide you with a gateway inside the subnet your IP address is in (depending on your subnet mask).

Regards,
Luis

2013/4/9 eyobe kebede e...@dbu.edu.et
> Hello there;
> It has been around three years since my institution started using pfSense as a router, and it was so awesome and helpful in my understanding since I used it for an average enough time. But my problem starts now. Previously we were using a static IP address that was given to us by Ethio Telecom, the local ISP. But due to speed matters we have asked them to allow us to use a public IP address, and they demanded us to change the WAN IP, which was previously 10.130.48.72 with the default gateway of 10.130.48.1, to 197.156.75.54 with a default gateway of 10.130.42.65. When I tried to change the interface and the gateways I am not able to connect to the internet. Due to this the connection is down in my institution. Could you please help me in solving my problem? I am waiting to hear your response. I would like to thank you in advance for the help that you have given to my institution.
Re: [pfSense] help
On Tue, Apr 9, 2013 at 3:49 AM, eyobe kebede e...@dbu.edu.et wrote:
> to 197.156.75.54 and default gateway of 10.130.42.65

As Luis points out, this makes no sense. What is the netmask they told you to use for the WAN address? The gateway must be within that network block defined by the netmask and IP.
Re: [pfSense] help
On 4/9/2013 11:06 AM, Vick Khera wrote:
> On Tue, Apr 9, 2013 at 3:49 AM, eyobe kebede e...@dbu.edu.et wrote:
> > to 197.156.75.54 and default gateway of 10.130.42.65
>
> As Luis points out, this makes no sense. What is the netmask they told you to use for the WAN address? The gateway must be within that network block defined by the netmask and IP.

Some ISPs that are particularly stingy with IPs and bad at routing have been doing this. His ISP may have just forgotten to give him the proper gateway. But on the outside chance they really do expect him to use that 10.x address as the gateway, it may still be possible. http://redmine.pfsense.org/issues/972 Not supported in the GUI yet though.

Jim
Re: [pfSense] help
On Tue, Apr 9, 2013 at 11:19 AM, Jim Pingle li...@pingle.org wrote:
> His ISP may have just forgotten to give him the proper gateway. But on the outside chance they really do expect him to use that 10.x address as the gateway, it may still be possible. http://redmine.pfsense.org/issues/972 Not supported in the GUI yet though.

Wow, just wow. How do people come up with these ideas?
Re: [pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505
Did you get it working? I need to do the same and can't get the phase 1 connection to work.

N
Re: [pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505
What information precisely are you missing?

-Ian
Pro VPN Monkey

On Tue, Jul 10, 2012 at 10:59 PM, Joseph Rotan joseph.ro...@gmail.com wrote:
> Hi, I'm configuring my pfSense 2.0 firewall to do tunneling with a remote Cisco Router ASA5505, and with the provided VPN Device Host Information, Encryption Method (Phase 1 Properties and Phase 2 Properties), Encryption Domain and Pre-Shared-Key information from my remote site I am not able to see the exact features in the link below on my pfSense 2.0:
> http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS
> Do I have to upgrade my pfSense, as you may find in the attached screenshot of my VPN IPsec settings and network diagram?
> Appreciate your assistance.
> Kind Regards
> Joseph.
Re: [pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505
What information precisely are you missing? Or unsure on? Apologies, it's not completely clear from your email.

-Ian
Pro VPN Monkey

On Tue, Jul 10, 2012 at 10:59 PM, Joseph Rotan joseph.ro...@gmail.com wrote:
> Hi, I'm configuring my pfsense 2.0 firewall to do tunneling with a remote Cisco Router ASA5505 and with the provided VPN Device Host Information, Encryption Method (Phase 1 Properties and Phase 2 Properties), Encryption Domain and Pre-Shared-Key information from my remote site I am not able to see the exact features in the link below on my pfsense 2.0
> http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS
> Do I have to upgrade my pfsense, as you may find in the attached screenshot of my VPN IPSec settings and network diagram?
> Appreciate your assistance.
> Kind Regards
> Joseph.
[pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505
Hi,

I'm configuring my pfsense 2.0 firewall to do tunneling with a remote Cisco Router ASA5505 and with the provided VPN Device Host Information, Encryption Method (Phase 1 Properties and Phase 2 Properties), Encryption Domain and Pre-Shared-Key information from my remote site I am not able to see the exact features in the link below on my pfsense 2.0

http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

Do I have to upgrade my pfsense, as you may find in the attached screenshot of my VPN IPSec settings and network diagram?

Appreciate your assistance.

Kind Regards
Joseph.
Re: [pfSense] pfSense help with creating rules
On Fri, Feb 10, 2012 at 6:34 AM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> Well, if you want to get technical, the minimum possible subnet in IPv4 over Ethernet is actually a /31. $employer uses these religiously in PtP Ethernet links, and they work flawlessly. Unfortunately, *BSD doesn't seem to implement RFC3021, which is really a pity, because it means all my firewalls use twice as many IPs as necessary on their uplinks. http://tools.ietf.org/html/rfc3021

FreeBSD 9 supports RFC3021 (http://svnweb.freebsd.org/base?view=revision&revision=226572).

-- .warren
Re: [pfSense] pfSense help with creating rules
- Original Message -
From: Nathan Eisenberg nat...@atlasnetworks.us
To: athom...@athompso.net, pfSense support and discussion list@lists.pfsense.org
Sent: Friday, February 10, 2012 2:56:36 AM
Subject: Re: [pfSense] pfSense help with creating rules

>> I think the entire ISP operation I partly run has... three routers that support it, AFAIK. So for all practical intents and purposes, that doesn't exist for me. It would be nice, most definitely, if it were supported by more equipment, but it's just not (in my corner of the world, anyway). So yes, for equipment that supports it, you're right - a /31 is the smallest IPv4-over-ethernet subnet. (There's also a philosophical point of whether Ethernet can ever truly be a PtP media even when physically connected PtP...)
>
> My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine (philosophy aside, it *works* over ethernet, even in a test case when 'PtP' really meant 'these are the only two ports in the VLAN'). Anything I own with an ARM chip (Mikrotik, Ubiquiti, or general embedded hardware) in it, and my PFsense boxen, don't support it at all. Very sad - some days, it almost makes me want to roll a bunch of iptables boxes and reclaim a ton of usable IP space. Almost. :)
>
> Anyways, didn't mean to hijack the OP! Interested to see if Comcast is actually handing him a /29, or just 5 IPs out of a bigger subnet, and if they'll route that /29 to him.
>
> Nathan Eisenberg

Comcast allocated a /30 for my WAN interface and a /28 for my network use. They are in different class C address spaces.

Gordon Russell
Clarke County IT
Re: [pfSense] pfSense help with creating rules
> - Original Message -
> From: Nathan Eisenberg nat...@atlasnetworks.us
> To: athom...@athompso.net, pfSense support and discussion list@lists.pfsense.org
> Sent: Friday, February 10, 2012 2:56:36 AM
> Subject: Re: [pfSense] pfSense help with creating rules
>
>>> I think the entire ISP operation I partly run has... three routers that support it, AFAIK. So for all practical intents and purposes, that doesn't exist for me. It would be nice, most definitely, if it were supported by more equipment, but it's just not (in my corner of the world, anyway). So yes, for equipment that supports it, you're right - a /31 is the smallest IPv4-over-ethernet subnet. (There's also a philosophical point of whether Ethernet can ever truly be a PtP media even when physically connected PtP...)
>>
>> My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine (philosophy aside, it *works* over ethernet, even in a test case when 'PtP' really meant 'these are the only two ports in the VLAN'). Anything I own with an ARM chip (Mikrotik, Ubiquiti, or general embedded hardware) in it, and my PFsense boxen, don't support it at all. Very sad - some days, it almost makes me want to roll a bunch of iptables boxes and reclaim a ton of usable IP space. Almost. :)
>>
>> Anyways, didn't mean to hijack the OP! Interested to see if Comcast is actually handing him a /29, or just 5 IPs out of a bigger subnet, and if they'll route that /29 to him.
>>
>> Nathan Eisenberg
>
> Comcast allocated a /30 for my WAN interface and a /28 for my network use. They are in different class C address spaces.
>
> Gordon Russell
> Clarke County IT

I understand what you are trying to accomplish, I think. Just as a stupid thought, could you simply set up virtual IP's for the addresses you are trying to use and set up 1:1 NAT and forward them to the internal servers? I understand this means you will have to use NAT. You may be trying to avoid this, but it seems like a much easier solution. It also seems more flexible.

Hope this helps,
Ryan

__ Information from ESET NOD32 Antivirus, version of virus signature database 6874 (20120210) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Re: [pfSense] pfSense help with creating rules
Hi Nathan,

> Anyways, didn't mean to hijack the OP! Interested to see if Comcast is actually handing him a /29, or just 5 IPs out of a bigger subnet, and if they'll route that /29 to him.

I am a little confused at how I would know if they are handing me a /29 or just 5 IP's?
range: 75.xx.xx.25 - .29
subnet: 255.255.255.248 (which is /29, IIRC)
GW: 75.xx.xx.30

I have a trouble ticket in as well as an e-mail to my sales rep who works directly for their head of Operations, so I am hoping bringing in the big brass will help me get this going today.

On the other hand, I explored Sonic.net and they are willing to run a 3/3Mbps symmetrical ethernet service with free setup and a free Cisco 2600, 16 IP's, and they said yes to a routed subnet /30, no problem, no additional charge.

But I am confused. Can anyone explain to me which is really a better deal? Comcast 50 x 10 for $169/mo or Sonic.net 3/3mbps for $274/mo? I get that Comcast is faster, but it is shared traffic, right? Where this 3/3mbps would be all dedicated to me? I still don't understand a real world speed comparison though. Can anyone explain a bit about measuring traffic?

We are an NPO, we create datasets and allow users to crawl the web for topics of interest and we work that data for them. We are going live here soon. If anyone wants more details about what we do and how we are going to do it and the hardware we are thinking about, ask. I'd love to chat.

-Jason
Re: [pfSense] pfSense help with creating rules
> Hi,
>
> On Fri, Feb 10, 2012 at 11:00 AM, Jason T. Slack-Moehrle slackmoeh...@gmail.com wrote:
>> I am a little confused at how I would know if they are handing me a /29 or just 5 IP's?
>> range: 75.xx.xx.25 - .29
>> subnet: 255.255.255.248 (which is /29, IIRC)
>> GW: 75.xx.xx.30
>
> Comcast has routed that /29 to your cable modem, and made those IPs visible to you on the inside. They are not routing the /29 to your pfSense box, else the pfSense box would have to have its very own IP address outside of that /29, and that'd be a total waste of address space; the IP for your firewall would need to be a /29 to route them to you anyway (at least if you had any redundancy, such as a CARPed pair of firewalls.)

Yes, so it still stands that I need to have them create a /30 for me and route my /29 to the /30, put the /30 on my pfSense WAN port and the /29 on my DMZ…..

-Jason
Re: [pfSense] pfSense help with creating rules
- Original Message -
From: Jason T. Slack-Moehrle slackmoeh...@gmail.com

>> Hi,
>>
>> On Fri, Feb 10, 2012 at 11:00 AM, Jason T. Slack-Moehrle slackmoeh...@gmail.com wrote:
>>> I am a little confused at how I would know if they are handing me a /29 or just 5 IP's?
>>> range: 75.xx.xx.25 - .29
>>> subnet: 255.255.255.248 (which is /29, IIRC)
>>> GW: 75.xx.xx.30
>>
>> Comcast has routed that /29 to your cable modem, and made those IPs visible to you on the inside. They are not routing the /29 to your pfSense box, else the pfSense box would have to have its very own IP address outside of that /29, and that'd be a total waste of address space; the IP for your firewall would need to be a /29 to route them to you anyway (at least if you had any redundancy, such as a CARPed pair of firewalls.)
>
> Yes, so it still stands that I need to have them create a /30 for me and route my /29 to the /30, put the /30 on my pfSense WAN port and the /29 on my DMZ…..

I've deleted all the previous messages, so perhaps I'm missing something... but why not just use proxy arp and NAT, keep the /29 on the WAN, and have your DMZ et al use reserved private IPs? Comcast may be unwilling to waste a /30 for your WAN, even if you're willing to pay.

Regards,
Adrian
Re: [pfSense] pfSense help with creating rules
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
Sent: Friday, February 10, 2012 10:00 AM
To: pfSense support and discussion
Subject: Re: [pfSense] pfSense help with creating rules

> Hi Nathan,
>
>> Anyways, didn't mean to hijack the OP! Interested to see if Comcast is actually handing him a /29, or just 5 IPs out of a bigger subnet, and if they'll route that /29 to him.
>
> I am a little confused at how I would know if they are handing me a /29 or just 5 IP's?
> range: 75.xx.xx.25 - .29
> subnet: 255.255.255.248 (which is /29, IIRC)
> GW: 75.xx.xx.30
>
> I have a trouble ticket in as well as an e-mail to my sales rep who works directly for their head of Operations, so I am hoping bringing in the big brass will help me get this going today.
>
> On the other hand, I explored Sonic.net and they are willing to run a 3/3Mbps symmetrical ethernet service with free setup and a free Cisco 2600, 16 IP's, and they said yes to a routed subnet /30, no problem, no additional charge.
>
> But I am confused. Can anyone explain to me which is really a better deal? Comcast 50 x 10 for $169/mo or Sonic.net 3/3mbps for $274/mo? I get that Comcast is faster, but it is shared traffic, right? Where this 3/3mbps would be all dedicated to me? I still don't understand a real world speed comparison though. Can anyone explain a bit about measuring traffic?
>
> We are an NPO, we create datasets and allow users to crawl the web for topics of interest and we work that data for them. We are going live here soon. If anyone wants more details about what we do and how we are going to do it and the hardware we are thinking about, ask. I'd love to chat.
>
> -Jason

Comcast is faster, but is not dedicated. You should always get the same speeds (or reasonably close) with Sonic. You may also have an SLA with Sonic. I am sure you don't have that with Comcast. That said, all ISP's use shared traffic. It is either shared via the same wire, or with DSL shared at the DSLAM, or in all cases shared at the head office. It is very difficult for an ISP with say 1,000 customers at 10 megs each to pay for a 10G so they can all have dedicated traffic. This gets worse as the number goes up. ISP's understand that not all users will use the bandwidth at the same time, so they have way less than they sell. For instance, one service provider here locally has a single OC3 (45Meg) link and offers a 6 meg internet connection. They have a couple of hundred users. 200 x 6 = 1.2 Gigs. Way less than what they have. However, the 45Meg link is very rarely saturated.

The better business oriented ISP's will prioritize business customers over residential customers and have a lower ratio of what's sold to what's available. I can tell you that Comcast Business in South Louisiana has a very good service and I have never measured less than 10 down and 4 up. This beats your 3/3 hands down. The same may not be true in your area, as every area is different.

Comcast does not however offer to have a routed subnet as you are asking. They provide 5 IP addresses that you can access directly on their modem. You can get 14 addresses and subnet yourself, but that really wastes a lot of IP addresses. You could also set up to bridge the DMZ and WAN and run a filtered bridge setup.
Re: [pfSense] pfSense help with creating rules
Hi Ryan,

>> I am a little confused at how I would know if they are handing me a /29 or just 5 IP's?
>> range: 75.xx.xx.25 - .29
>> subnet: 255.255.255.248 (which is /29, IIRC)
>> GW: 75.xx.xx.30
>
> Comcast is faster, but is not dedicated. You should always get the same speeds (or reasonably close) with Sonic. You may also have an SLA with Sonic. I am sure you don't have that with Comcast. That said, all ISP's use shared traffic. It is either shared via the same wire, or with DSL shared at the DSLAM, or in all cases shared at the head office. It is very difficult for an ISP with say 1,000 customers at 10 megs each to pay for a 10G so they can all have dedicated traffic. This gets worse as the number goes up. ISP's understand that not all users will use the bandwidth at the same time, so they have way less than they sell. For instance, one service provider here locally has a single OC3 (45Meg) link and offers a 6 meg internet connection. They have a couple of hundred users. 200 x 6 = 1.2 Gigs. Way less than what they have. However, the 45Meg link is very rarely saturated.
>
> The better business oriented ISP's will prioritize business customers over residential customers and have a lower ratio of what's sold to what's available. I can tell you that Comcast Business in South Louisiana has a very good service and I have never measured less than 10 down and 4 up. This beats your 3/3 hands down. The same may not be true in your area, as every area is different.
>
> Comcast does not however offer to have a routed subnet as you are asking. They provide 5 IP addresses that you can access directly on their modem. You can get 14 addresses and subnet yourself, but that really wastes a lot of IP addresses. You could also set up to bridge the DMZ and WAN and run a filtered bridge setup.

Wait, are you saying I could just pay Comcast for 14 addresses and create a routed subnet myself and not have them do it?

Or could I just have them create for me a 2nd IP block of 1 IP, load that on the modem with my block of 5 and somehow create a routed subnet from the /31 to my /29 without them? So that pfSense is set up the correct way?

Sorry for the confusion!

-Jason
Re: [pfSense] pfSense help with creating rules
> Wait, are you saying I could just pay Comcast for 14 addresses and create a routed subnet myself and not have them do it?
>
> Or could I just have them create for me a 2nd IP block of 1 IP, load that on the modem with my block of 5 and somehow create a routed subnet from the /31 to my /29 without them? So that pfSense is set up the correct way?
>
> Sorry for the confusion!
>
> -Jason

Actually, that's a very good point - in a broadband network, there is NO requirement whatsoever for the upstream link to be a /30, or even anything vaguely resembling a PtP link. As long as there's a route entered in their routing table pointing to you, there is no waste of IP addresses to accommodate your route. Your router could easily be one of 16k other devices in a subnet, it wouldn't matter. ISPs generally allocate that /30 for manageability and security reasons, but most of those issues don't exist in a HFC network like Comcast's. More realistically, they probably still don't want to be bothered :-). One other poster reported success, however, in getting a routed setup from Comcast, so perhaps your quest isn't futile after all.

No, however, you can't quite do what you're talking about - at least not without proxy ARP or bridging, which brings you right back to the original set of suggestions. Comcast's router expects to be able to ARP for all the addresses they're assigning you, and if it can't, that address effectively becomes unreachable. Proxy ARP is even more evil than setting up two firewalls, in most cases - it's nearly impossible to troubleshoot if anything goes wrong, and then you still have to do port forwarding or bridging behind that. (Any port forwarding, including pfSense's virtual IP, does something much like proxy ARP, but manageable.)

-Adam Thompson athom...@athompso.net
Re: [pfSense] pfSense help with creating rules
Hi,

> Wait, are you saying I could just pay Comcast for 14 addresses and create a routed subnet myself and not have them do it?
>
> Or could I just have them create for me a 2nd IP block of 1 IP, load that on the modem with my block of 5 and somehow create a routed subnet from the /31 to my /29 without them? So that pfSense is set up the correct way?

OK, Comcast called me back and they are saying for me to:
1. load my /29 on the WAN port of the pfsense box
2. Create a vlan for something like 10.0.0.x
3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
4. Assign my servers a 10.0.0.x address, etc

They say they cannot create a routed subnet for me because the modems they use cannot handle loading of multiple IP blocks.

Is this viable?

-Jason
Re: [pfSense] pfSense help with creating rules
On Fri, Feb 10, 2012 at 2:50 PM, Jason T. Slack-Moehrle slackmoeh...@gmail.com wrote:
> Hi,
>
>> Wait, are you saying I could just pay Comcast for 14 addresses and create a routed subnet myself and not have them do it?
>>
>> Or could I just have them create for me a 2nd IP block of 1 IP, load that on the modem with my block of 5 and somehow create a routed subnet from the /31 to my /29 without them? So that pfSense is set up the correct way?
>
> OK, Comcast called me back and they are saying for me to:
> 1. load my /29 on the WAN port of the pfsense box
> 2. Create a vlan for something like 10.0.0.x
> 3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
> 4. Assign my servers a 10.0.0.x address, etc
>
> They say they cannot create a routed subnet for me because the modems they use cannot handle loading of multiple IP blocks.
>
> Is this viable?
>
> -Jason

At my office, we have a /27 from our Paetec T1 and a /28 from our Verizon FiOS. We created Virtual IPs for all of the addresses and we are using 1:1 NAT for all of our servers, which themselves have private IPs. It works just fine.

Moshe
-- Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
Re: [pfSense] pfSense help with creating rules
-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
Sent: Friday, February 10, 2012 1:51 PM
To: pfSense support and discussion
Subject: Re: [pfSense] pfSense help with creating rules

> Hi,
>
>> Wait, are you saying I could just pay Comcast for 14 addresses and create a routed subnet myself and not have them do it?
>>
>> Or could I just have them create for me a 2nd IP block of 1 IP, load that on the modem with my block of 5 and somehow create a routed subnet from the /31 to my /29 without them? So that pfSense is set up the correct way?
>
> OK, Comcast called me back and they are saying for me to:
> 1. load my /29 on the WAN port of the pfsense box
> 2. Create a vlan for something like 10.0.0.x
> 3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
> 4. Assign my servers a 10.0.0.x address, etc
>
> They say they cannot create a routed subnet for me because the modems they use cannot handle loading of multiple IP blocks.
>
> Is this viable?
>
> -Jason

So, as expected, they recommend port forwarding. (1:1 NAT is a special case of port forwarding, or vice-versa, depending on how you want to look at it.)

The excuse about the modem not handling it is complete BS; what they really mean is "we don't have an operational procedure to support this, and we don't feel like developing one, so we'll make up a plausible-sounding technical reason." They'll be using a Cisco uBR7206 at the very minimum to handle HFC routing; it might not be Cisco in your area, or it might not be a uBR platform, but your next-hop router WILL be capable enough to handle a single static route. All the modem has to do is its traditional function of bridging a single MAC address back and forth over the wire. Depending on the modem, they *may* have to turn off some of the IP security features (snooping) in the modem.

However, there's nothing that says you have the right to a properly-routed subnet - Comcast has no obligation whatsoever to provide this service to you at any price. It doesn't really matter, as you have two other viable options available to you (NAT and bridging, or both if you want a traditional DMZ).

The other thing is - even if you get a routed subnet out of Comcast, do you really want to be the guinea pig in your operating territory? Relying on something where you're the only customer affected if something goes wrong is a good way to garner a lot of needless downtime. If you're using the regular service, and something goes wrong, you'll be back in business as soon as everyone else is - which is usually fairly quickly, because HFC network outages tend to be all-or-nothing events. Standardization would be, IMHO, worth the extra complexity and/or effort. This is the way I set up any firewall on a cable modem nowadays; even DSL providers are starting to adopt this model for small business customers (i.e. /28 or smaller) in some cases.

Or, in short: yes, just go with what Comcast wants you to do. You can create a separate DMZ if you want to keep the servers off your LAN, if necessary. It's not usually necessary unless you're running a public website. (Which, BTW, might violate your Comcast Terms of Service - check to be sure. No sense getting shut down by your ISP for something avoidable.)

-Adam Thompson athom...@athompso.net
Re: [pfSense] pfSense help with creating rules
>> Hi, I restarted the pfSense box and noticed that when it rebooted it had:
>> WAN (wan) -- em1 -- 75.xx.xx.28
>> LAN (lan) -- em3 -- 172.16.254.1
>> DMZ (opt1) -- em2 -- NONE
>>
>> That is correct, right, since my servers in 75.xx.xx.xx are on the DMZ? Do I have to do anything to tell pfSense it should answer for my IP's? I recall when I ran untangle I had to tell it what IP's to answer for.
>
> If you don't have an IP address for opt1 (DMZ), that would mean that you're bridging with WAN? I think you should be routing instead, but I don't know exactly your goals.

Well, my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with a gateway of .30. So I have a few other public IP's on servers that I wanted on a DMZ. Just port 80, actually. So I want traffic on port 80 coming in through WAN getting routed to .27, which is on the DMZ. That way when people hit my domain they get that box. So far I am not having luck getting this to work. I certainly have a misunderstanding, I am just not sure what.

-Jason
Re: [pfSense] pfSense help with creating rules
> Well, my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with a gateway of .30. So I have a few other public IP's on servers that I wanted on a DMZ. Just port 80, actually. So I want traffic on port 80 coming in through WAN getting routed to .27, which is on the DMZ. That way when people hit my domain they get that box. So far I am not having luck getting this to work. I certainly have a misunderstanding, I am just not sure what.
>
> -Jason

Ok, so it sounds like your provider handed you a /29. To firewall that behind pfSense, you need them to route that /29 to you over a /30. The /30 goes on the WAN interface, the /29's gateway IP goes on your DMZ interface.

You can use bridging mode to work around this, but the right way to do it is with routing as described above.

Nathan Eisenberg
Re: [pfSense] pfSense help with creating rules
>> Well, my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with a gateway of .30. So I have a few other public IP's on servers that I wanted on a DMZ. Just port 80, actually. So I want traffic on port 80 coming in through WAN getting routed to .27, which is on the DMZ. That way when people hit my domain they get that box. So far I am not having luck getting this to work. I certainly have a misunderstanding, I am just not sure what.
>>
>> -Jason
>
> Ok, so it sounds like your provider handed you a /29. To firewall that behind pfSense, you need them to route that /29 to you over a /30. The /30 goes on the WAN interface, the /29's gateway IP goes on your DMZ interface.
>
> You can use bridging mode to work around this, but the right way to do it is with routing as described above.
>
> Nathan Eisenberg

While I agree with Nathan about which is the right way to do it, the vast majority of ISPs won't have a clue what you're talking about. Or, like most ISPs here, you might find someone who understands, but tells you they simply can't do it (or don't offer that as a product). There's a very high probability you'll be forced to do it the 'wrong' way, at which point you do have more than one option.

Port forwarding is a common solution to this problem, more so than bridging in my experience. You bind the entire /29 range of IPs to the public (WAN) interface on your firewall, and use two different private address ranges on your DMZ and your LAN. Set up port-forwarding from the WAN to the DMZ interface, and then use regular firewall rules to regulate traffic between the LAN and the DMZ.

One notable downside to this technique is that it pretty much calls for split DNS; if your outside service is known as www.mycompany.com which resolves to (e.g.) 75.0.0.27, which is bound to the WAN and port-forwards to (e.g.) 192.168.200.27 (on the DMZ), you may want to enter an override in pfSense's DNS server so that when LAN clients request the IP for www.mycompany.com they get directed straight to 192.168.100.27 without going through the port forwarding. Or you can just rely on the NAT Reflection feature if you don't want to use split DNS, but that creates some subtle issues with certain applications and protocols. I find that split DNS works best, as long as ALL the systems are pointing to your pfSense box for DNS resolution. (Or to another DNS server, it doesn't matter as long as every system behind the firewall sees the same information.)

The alternative is, as Nathan mentioned, bridging, wherein you either set up two firewalls (one in transparent mode, one in NAT mode), or a very complex setup on a single firewall. Note that doing anything other than the right solution (routing it properly) will increase the amount of horsepower you need in a firewall, and probably slightly decrease overall throughput. This decrease may be negligible if you're running pfSense on a fast-enough server, and you probably won't be able to notice it anyway if you aren't running gigabit Ethernet speeds.

-Adam Thompson athom...@athompso.net
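The setup Ryan, Moshe and Adam describe (the whole /29 answered on WAN, 1:1 NAT to private DMZ hosts, ordinary filter rules in front) is what pfSense builds from its Virtual IPs, NAT and Rules pages. Written out by hand as a pf.conf fragment it looks like the following. This is an added illustration, not the ruleset pfSense generates and not anything posted in the thread; the interface names, the 192.168.200.0/24 DMZ range, and 203.0.113.24/29 standing in for the sanitized 75.xx.xx.24/29 block are all assumptions.

```pf
# Added example of the "bind the /29 to WAN and 1:1 NAT it" approach.
# Assumed: em1 = WAN carrying the ISP /29, em2 = DMZ on 192.168.200.0/24,
# 203.0.113.24/29 stands in for the sanitized 75.xx.xx.24/29 block.
ext_if   = "em1"
dmz_if   = "em2"
dmz_net  = "192.168.200.0/24"
web_pub  = "203.0.113.27"     # one address from the /29, answered on WAN
web_priv = "192.168.200.27"   # the DMZ web server that sits behind it

# DMZ hosts without a public address of their own leave via the WAN address.
nat on $ext_if from $dmz_net to any -> ($ext_if)

# 1:1 NAT: a bidirectional mapping, so the server is also seen as .27 when
# it initiates connections outbound (that is what distinguishes it from a
# plain port forward).
binat on $ext_if from $web_priv to any -> $web_pub

# Plain port forward alternative (what NAT: Port Forward produces) if only
# HTTP should ever reach the public address:
# rdr on $ext_if proto tcp from any to $web_pub port 80 -> $web_priv port 80

# pf translates before it filters on the inbound interface, so the filter
# rule names the PRIVATE address. Only TCP/80 is let in; everything else
# aimed at the /29 is dropped.
block in on $ext_if
pass in quick on $ext_if inet proto tcp from any to $web_priv port 80 keep state
pass out on $dmz_if inet proto tcp from any to $web_priv port 80 keep state
```

Two things the fragment does not do for you. First, pf never answers ARP: the Comcast router must be able to resolve 203.0.113.27 on the WAN segment, which is the job of the Virtual IP (Proxy ARP, which pfSense implements with choparp, or IP Alias) that Chris and Ryan mention; without it the address is unreachable from outside. Second, Adam's split-DNS point still applies: LAN clients resolving www.mycompany.com to the public address will hit the WAN side and need either a DNS host override pointing at 192.168.200.27 or NAT reflection.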
Re: [pfSense] pfSense help with creating rules
> The alternative is, as Nathan mentioned, bridging, wherein you either set up two firewalls (one in transparent mode, one in NAT mode), or a very complex setup on a single firewall. Note that doing anything other than the right solution (routing it properly) will increase the amount of horsepower you need in a firewall, and probably slightly decrease overall throughput. This decrease may be negligible if you're running pfSense on a fast-enough server, and you probably won't be able to notice it anyway if you aren't running gigabit Ethernet speeds.

Can I use at all the Comcast modem that is already acting as a bridge, as my understanding is it allows all traffic for my 5 IP's through?
Re: [pfSense] pfSense help with creating rules
On Thu, Feb 9, 2012 at 1:24 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
>> Well, my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with a gateway of .30. So I have a few other public IP's on servers that I wanted on a DMZ. Just port 80, actually. So I want traffic on port 80 coming in through WAN getting routed to .27, which is on the DMZ. That way when people hit my domain they get that box. So far I am not having luck getting this to work. I certainly have a misunderstanding, I am just not sure what.
>>
>> -Jason
>
> Ok, so it sounds like your provider handed you a /29. To firewall that behind pfSense, you need them to route that /29 to you over a /30. The /30 goes on the WAN interface, the /29's gateway IP goes on your DMZ interface.

OK, so I called Comcast and explained exactly the above about the /29 routed to a /30 and the representative was clueless, so I asked them to open up a ticket and escalate to a tier 2 tech. We shall see what they say.

This obviously means that they will create a new block of public IP's for the /30 in addition to the 5 that I already have in the /29. This seems easier, to pay them for that, than to host and deal with more equipment in my location.
Re: [pfSense] pfSense help with creating rules
> OK, so I called Comcast and explained exactly the above about the /29 routed to a /30 and the representative was clueless, so I asked them to open up a ticket and escalate to a tier 2 tech. We shall see what they say.
>
> This obviously means that they will create a new block of public IP's for the /30 in addition to the 5 that I already have in the /29. This seems easier, to pay them for that, than to host and deal with more equipment in my location.

Every inter-router link must have at least two IP addresses, one for each router. The smallest possible subnet in IPv4-over-ethernet that can contain two addresses is a /30.

What did Comcast tell you to use as the subnet mask for your 5 addresses? If it's anything other than 255.255.255.248, you don't have a /29 at all, you just have six individual IPs in a larger subnet that are allocated to you. I'll bet you're merely part of a much larger subnet.

In fact, I would recommend just forgetting about the whole notion of using a router properly, with Comcast. (Anyone with differing experience - please let us all know how you managed to get them to do routed IP!) Most MSOs (cable operators) run extremely large subnets (my cable modem at home is running on a /22 subnet!) and use relatively strange L2 (bridging) features to make their networks work. And, speaking as an ISP operator, that does make sense for that kind of technology and the network design it mandates. It does complicate matters for you, however. The upside is that it's much cheaper for Comcast to do it that way than for a traditional ISP to allocate you a router port. This only rarely translates to cheaper service for you - it usually just translates to more profit for Comcast.

-Adam Thompson athom...@athompso.net
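Two of the checks in this archive are mechanical and worth automating before opening a ticket with the ISP: Jim's rule in the first thread (the gateway must fall inside the block that the WAN address and netmask define, otherwise the assignment is inconsistent), and Adam's test here (with any mask other than 255.255.255.248 the five addresses are a slice of a bigger shared subnet, not a /29 of Jason's own). The script below does both, and counts /31 hosts the RFC 3021 way that Nathan and Warren discuss. It is an added example, not code from pfSense or from anyone on the list. It uses 203.0.113.x in place of the sanitized 75.xx.xx addresses, and the /24 mask applied to the 197.156.75.54 case is an assumption, since that poster never said what mask the ISP gave.

```python
"""Sanity-check an ISP-supplied WAN assignment (added example, not pfSense code)."""
import ipaddress


def usable_hosts(cidr: str) -> int:
    """Host addresses a subnet can carry, honouring RFC 3021 for /31 links."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen == 32:
        return 1
    if net.prefixlen == 31:          # both addresses are hosts on a /31
        return 2
    return net.num_addresses - 2     # drop network and broadcast


def check_wan(ip: str, netmask: str, gateway: str) -> dict:
    """Jim's rule: the gateway must sit inside the block that ip + netmask define."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    gw = ipaddress.IPv4Address(gateway)
    edges = (net.network_address, net.broadcast_address)
    return {
        "network": str(net),
        "usable_hosts": usable_hosts(str(net)),
        "gateway_in_subnet": gw in net,
        "ip_is_host": net.prefixlen >= 31 or addr not in edges,
        "gateway_is_host": net.prefixlen >= 31 or gw not in edges,
    }


def classify_block(first: str, last: str, netmask: str, gateway: str) -> str:
    """Adam's test: do the handed-out addresses fill their own subnet, or are
    they a slice of a bigger one shared with other customers?"""
    net = ipaddress.IPv4Network(f"{first}/{netmask}", strict=False)
    lo, hi, gw = (ipaddress.IPv4Address(x) for x in (first, last, gateway))
    if gw not in net or hi not in net:
        return "inconsistent: range or gateway falls outside the subnet"
    if net.prefixlen < 16:
        return f"{net} is far larger than the range: you are sharing a big subnet"
    hosts = set(net.hosts())         # network and broadcast already excluded
    assigned = {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}
    leftover = hosts - assigned - {gw}
    if not leftover:
        return f"whole {net} is yours: ISP gateway takes {gw}, you get {len(assigned)} hosts"
    return (f"you hold {len(assigned)} of {len(hosts)} hosts in {net}; "
            f"{len(leftover)} belong to someone else")


if __name__ == "__main__":
    # Jason's assignment, sanitized: .25-.29, mask .248, gateway .30
    print(classify_block("203.0.113.25", "203.0.113.29", "255.255.255.248", "203.0.113.30"))
    # The same five addresses if the mask had been /24 instead
    print(classify_block("203.0.113.25", "203.0.113.29", "255.255.255.0", "203.0.113.30"))
    # The first thread: a 10.x gateway for a 197.156.75.54 WAN address (mask assumed /24)
    print(check_wan("197.156.75.54", "255.255.255.0", "10.130.42.65"))
```

With Jason's numbers the first call reports that the whole 203.0.113.24/29 is his, with the ISP router holding .30 and five hosts left for him; change the mask to /24 and it reports five of 254 hosts in a subnet that mostly belongs to other customers, which is Adam's point. The 197.156.75.54 case fails the gateway_in_subnet check under any mask, which is why Jim asks for the netmask first and points at the redmine issue for the rare ISP that really means it.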
Re: [pfSense] pfSense help with creating rules
> Every inter-router link must have at least two IP addresses, one for each router. The smallest possible subnet in IPv4-over-ethernet that can contain two addresses is a /30.

Well, if you want to get technical, the minimum possible subnet in IPv4 over Ethernet is actually a /31. $employer uses these religiously in PtP Ethernet links, and they work flawlessly. Unfortunately, *BSD doesn't seem to implement RFC3021, which is really a pity, because it means all my firewalls use twice as many IPs as necessary on their uplinks.

http://tools.ietf.org/html/rfc3021

But IPv6 solves all that with its utterly inexhaustible address space. Hurrah. Oh, wait, we still have to do IPv4 for some time? Guess we're stuck with RFC1918 addresses for PtP links once the runout is done. Oh well, who needed functional inter-AS tracerouting anyways?

/podium

Nathan Eisenberg
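The subnet-mask check Adam describes (a real /29 means a 255.255.255.248 mask with all of the addresses inside one /29) and the /30-versus-/31 point Nathan raises, worked through as an added Python example. This is not code from the thread or from pfSense; the addresses are constructed from the 203.0.113.0/24 documentation range, laid out like Jason's (.25 to .29 with a gateway at .30). The address-plan function assumes the ISP takes the first usable address of the link and that the routed block's gateway sits at its last usable address; neither is stated in the thread.

```python
"""Subnet checks for the 'routed /29 behind a /30' design discussed above.

Added example, not code from the thread or from pfSense. The 203.0.113.0/24
documentation range is a constructed stand-in for the sanitized 75.xx.xx.x
addresses: five host addresses .25-.29 and a gateway at .30, as in Jason's post.
"""
from __future__ import annotations

import ipaddress

CUSTOMER_IPS = [f"203.0.113.{n}" for n in range(25, 30)]  # constructed sample
GATEWAY = "203.0.113.30"                                  # constructed sample


def network_from_mask(address: str, mask: str) -> ipaddress.IPv4Network:
    """The subnet an address sits in under a dotted-decimal mask."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def is_real_slash29(addresses: list[str], gateway: str, mask: str) -> bool:
    """Adam's test: a real /29 means mask 255.255.255.248 and every address,
    gateway included, inside that same /29. Anything else is just a handful of
    addresses allocated inside a larger subnet."""
    net = network_from_mask(gateway, mask)
    if net.prefixlen != 29:
        return False
    return all(ipaddress.ip_address(a) in net for a in addresses)


def usable_hosts(prefixlen: int) -> int:
    """Usable host addresses for an IPv4 prefix. A /31 follows RFC 3021 (both
    addresses usable on a point-to-point link); a /32 is a single host; any
    larger prefix loses the network and broadcast addresses."""
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2
    return 2 ** (32 - prefixlen) - 2


def link_addresses_consumed(prefixlen: int) -> int:
    """Total addresses a point-to-point link burns: 4 for a /30 versus 2 for a
    /31, which is the 'twice as many IPs as necessary' Nathan mentions."""
    return 2 ** (32 - prefixlen)


def plan_routed_block(link: str, routed_block: str) -> dict[str, object]:
    """Address plan for Nathan's '/29 routed to you over a /30' design.

    Assumption (not stated in the thread): the ISP takes the first usable
    address of the link and the customer the second; the routed block's
    gateway, which lives on the DMZ interface, is its last usable address.
    """
    link_hosts = list(ipaddress.ip_network(link).hosts())
    block_hosts = list(ipaddress.ip_network(routed_block).hosts())
    if len(link_hosts) < 2 or len(block_hosts) < 2:
        raise ValueError("link and routed block each need at least two usable addresses")
    return {
        "wan_gateway": str(link_hosts[0]),             # ISP side of the link
        "wan_ip": str(link_hosts[1]),                  # pfSense WAN interface
        "dmz_ip": str(block_hosts[-1]),                # /29 gateway on the DMZ interface
        "server_ips": [str(h) for h in block_hosts[:-1]],
    }


if __name__ == "__main__":
    print(network_from_mask(GATEWAY, "255.255.255.248"))
    print(is_real_slash29(CUSTOMER_IPS, GATEWAY, "255.255.255.248"))
    print(is_real_slash29(CUSTOMER_IPS, GATEWAY, "255.255.252.0"))
    for p in (29, 30, 31):
        print(f"/{p}: {usable_hosts(p)} usable, {link_addresses_consumed(p)} consumed")
    print(plan_routed_block("203.0.113.0/30", "203.0.113.24/29"))
```

Feeding the mask the ISP actually handed out into `is_real_slash29` answers Adam's question before any ticket is opened: with a /22 mask the function returns False even though all five addresses are contiguous, which is exactly the "six individual IPs in a larger subnet" case.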
Re: [pfSense] pfSense help with creating rules
> Well, if you want to get technical, the minimum possible subnet in IPv4 over Ethernet is actually a /31. $employer uses these religiously in PtP Ethernet links, and they work flawlessly. Unfortunately, *BSD doesn't seem to implement RFC3021, which is really a pity, because it means all my firewalls use twice as many IPs as necessary on their uplinks.
>
> http://tools.ietf.org/html/rfc3021
>
> But IPv6 solves all that with its utterly inexhaustible address space. Hurrah. Oh, wait, we still have to do IPv4 for some time? Guess we're stuck with RFC1918 addresses for PtP links once the runout is done. Oh well, who needed functional inter-AS tracerouting anyways?
>
> /podium
>
> Nathan Eisenberg

I think the entire ISP operation I partly run has... three routers that support it, AFAIK. So for all practical intents and purposes, that doesn't exist for me. It would be nice, most definitely, if it were supported by more equipment, but it's just not (in my corner of the world, anyway).

So yes, for equipment that supports it, you're right - a /31 is the smallest IPv4-over-ethernet subnet. (There's also a philosophical point of whether Ethernet can ever truly be a PtP media even when physically connected PtP...)

-Adam
Re: [pfSense] pfSense help with creating rules
> I think the entire ISP operation I partly run has... three routers that support it, AFAIK. So for all practical intents and purposes, that doesn't exist for me. It would be nice, most definitely, if it were supported by more equipment, but it's just not (in my corner of the world, anyway).
>
> So yes, for equipment that supports it, you're right - a /31 is the smallest IPv4-over-ethernet subnet. (There's also a philosophical point of whether Ethernet can ever truly be a PtP media even when physically connected PtP...)

My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine (philosophy aside, it *works* over ethernet, even in a test case when 'PtP' really meant 'these are the only two ports in the VLAN'). Anything I own with an ARM chip (Mikrotik, Ubiquiti, or general embedded hardware) in it, and my PFsense boxen, don't support it at all. Very sad - some days, it almost makes me want to roll a bunch of iptables boxes and reclaim a ton of usable IP space. Almost. :)

Anyways, didn't mean to hijack the OP! Interested to see if Comcast is actually handing him a /29, or just 5 IPs out of a bigger subnet, and if they'll route that /29 to him.

Nathan Eisenberg
[pfSense] pfSense help with creating rules
Hello All,

I built a box dedicated to pfSense, 3 NICS. WAN, LAN, what I thought would be a DMZ for my hosting.

WAN works. LAN works as I can plug directly into that card, get an IP and get out to wherever.

I am having trouble with DMZ as I thought it would be as simple as going from DMZ - SWITCH - MY SERVERS WITH PUBLIC IP'S

I am trying to open up port 80 coming from WAN to a specific address (75.xx.xx.27) which is plugged in the switch. Nothing. I cannot reach it. I plug the server into my cable modem directly (which is acting in pass through) and I can get to the server just fine.

So I am confused on setting up rules I think. Right now I have a rule on WAN:

source: any
port: any
Dest: 75.xx.xx.29
Start port: 80
End port: 80

Can anyone help me? I have tried creating rules this same from LAN and DMZ.

Is there a setting I must set to allow me to see my public boxes on the DMZ from behind the LAN?

-Jason
Re: [pfSense] pfSense help with creating rules
Hi David,

> > I am having trouble with DMZ as I thought it would be as simple as going from DMZ - SWITCH - MY SERVERS WITH PUBLIC IP'S
>
> Do you have advanced outbound NAT enabled? You will need it. It will auto-create rules for LAN and DMZ, just delete the ones for the DMZ to allow straight routing of the public IPs.

I do see that: 'Automatic outbound NAT rule generation' is indeed on.

-Jason
Re: [pfSense] pfSense help with creating rules
On Wed, Feb 8, 2012 at 5:07 PM, Jason T. Slack-Moehrle slackmoeh...@gmail.com wrote:

> I do see that: 'Automatic outbound NAT rule generation' is indeed on.

Right, so your public IPs are getting NATed on their way through pfsense. Turn it off (ie, from automatic to advanced).

db
Re: [pfSense] pfSense help with creating rules
Hi David,

> > I do see that: 'Automatic outbound NAT rule generation' is indeed on.
>
> Right, so your public IPs are getting NATed on their way through pfsense. Turn it off (ie, from automatic to advanced).

Indeed I have tried that as well. So then I would create a rule from WAN to a specific IP on the DMZ for any 80? I have had that rule in place but I don't get the site when I hit it.

-Jason
Re: [pfSense] pfSense help with creating rules
On Wed, Feb 8, 2012 at 5:13 PM, Jason T. Slack-Moehrle slackmoeh...@gmail.com wrote:

> So then I would create a rule from WAN to a specific IP on the DMZ for any 80? I have had that rule in place but I don't get the site when I hit it.

I think you're still talking about inbound NAT (aka, port forwards), which you don't need. You need to turn on outbound NAT and then delete every rule that is not sourced from your LAN. Then you need a firewall pass rule on the DMZ to let out what you want out, and a pass rule on the WAN to let in every source to dst port 80/TCP.

db
Re: [pfSense] pfSense help with creating rules
> am I missing something obvious? Would I need to possibly restart the server itself or any switches?

You're hitting the default deny rule on the DMZ interface. Rules on all interfaces are processed as 'inbound' to that interface - so return traffic from an HTTP request would be sourced from :80 with a destination of * (random source port the client OS picked). You have a rule which allows traffic from any port TO :80, so you're blocking your server's replies.

The easiest thing would be to create a rule which allows all traffic sourced from your DMZ subnet on the DMZ interface, since that's your outbound. That gives you a typical default deny in, default allow out behavior.

Also - go to Status -> System Logs -> Firewall. If you have 'log packets blocked by the default deny rule' enabled, you'll get useful feedback about what's getting blocked and why. Alternatively, you can create a deny rule at the bottom of your interface's rules with the 'log' flag on, and get the blocked packets that way.

Nathan Eisenberg
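The per-interface 'inbound' evaluation and default deny Nathan describes, modelled as an added Python example; this is not code from the thread or from pfSense, and the addresses (203.0.113.0/29 for the DMZ block, 198.51.100.0/24 for outside hosts) are constructed. pfSense pass rules keep state by default, so the `stateful=True` run shows the server's reply being matched from the state table created by the WAN rule; the `stateful=False` run reproduces the reply landing on the default deny as described above. In both runs, traffic the server initiates itself is dropped and logged until the 'allow all from DMZ subnet on the DMZ interface' rule is added.

```python
"""Per-interface inbound rule evaluation with a state table, modelled on pf.

Added example, not code from the thread or from pfSense. All addresses are
constructed: 203.0.113.24/29 stands in for the sanitized 75.xx.xx.x block.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

DMZ_NET = "203.0.113.24/29"   # constructed stand-in for the customer's /29
SERVER = "203.0.113.27"       # constructed stand-in for the .27 web server


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on; rules are 'inbound' per interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str
    action: str                 # "pass" or "block"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    dport: int | None = None
    keep_state: bool = True     # pass rules keep state by default, as in pfSense
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and _in(self.src, p.src) and _in(self.dst, p.dst)
                and (self.dport is None or p.dport == self.dport))


def _in(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


@dataclass
class Firewall:
    rules: list[Rule]
    states: set[tuple] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        """Verdict for one packet: state table first, then first matching rule,
        then the default deny (logged, as 'log packets blocked by the default
        deny rule' would show under Status -> System Logs -> Firewall)."""
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass:state"          # reply to a connection a pass rule admitted
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
                if r.log:
                    self.log.append(f"{r.action} on {p.iface}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return f"{r.action}:rule"
        self.log.append(f"default deny on {p.iface}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "block:default"


def scenario(stateful: bool, allow_dmz_out: bool) -> dict[str, object]:
    """Run an HTTP request, its reply and a server-initiated connection through
    Jason's rules, optionally with Nathan's 'allow from DMZ subnet' rule added."""
    rules = [
        Rule("wan", "pass", dst=SERVER, dport=80, keep_state=stateful),
        Rule("dmz", "pass", dst=SERVER, dport=80, keep_state=stateful),  # Jason's only DMZ rule
    ]
    if allow_dmz_out:
        rules.append(Rule("dmz", "pass", src=DMZ_NET))  # Nathan's suggested outbound rule
    fw = Firewall(rules)
    request = Packet("wan", "tcp", "198.51.100.7", 51234, SERVER, 80)    # constructed client
    reply = Packet("dmz", "tcp", SERVER, 80, "198.51.100.7", 51234)      # server's answer
    outbound = Packet("dmz", "tcp", SERVER, 40000, "198.51.100.53", 53)  # server-initiated
    return {
        "request": fw.filter(request),
        "reply": fw.filter(reply),
        "server_initiated": fw.filter(outbound),
        "log": fw.log,
    }


if __name__ == "__main__":
    for stateful in (False, True):
        for allow_out in (False, True):
            print(f"stateful={stateful} allow_dmz_out={allow_out}:", scenario(stateful, allow_out))
```

The `log` list in each result is the signal to look for in practice: a 'default deny on dmz' entry whose source is your own server is the tell that the DMZ interface has no rule for traffic leaving the DMZ, regardless of how the WAN side is configured.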
Re: [pfSense] pfSense help with creating rules
Hi Nathan,

> > am I missing something obvious? Would I need to possibly restart the server itself or any switches?
>
> You're hitting the default deny rule on the DMZ interface. Rules on all interfaces are processed as 'inbound' to that interface - so return traffic from an HTTP request would be sourced from :80 with a destination of * (random source port the client OS picked). You have a rule which allows traffic from any port TO :80, so you're blocking your server's replies.
>
> The easiest thing would be to create a rule which allows all traffic sourced from your DMZ subnet on the DMZ interface, since that's your outbound. That gives you a typical default deny in, default allow out behavior.

I restarted the pfSense box and noticed that when it rebooted it had:

WAN (wan) -- em1 -- 75.xx.xx.28
LAN (lan) -- em3 -- 172.16.254.1
DMZ (opt1) -- em2 -- NONE

That is correct, right, since my servers in 75.xx.xx.xx are on the DMZ? Do I have to do anything to tell pfSense it should answer for my IP's? I recall when I ran untangle I had to tell it what IP's to answer for.

Here is the only rule I have on DMZ, http://6colors.net/dmz.png but I still cannot reach the server on port 80 coming from LAN or even if I RDC to the outside someplace and come in via a browser.

-Jason