[pfSense] Help on reports

2016-08-30 Thread Abhi
Hi All,

I have been trying to configure it to send mails as to daily reports &
usage details.
It's able to send me test msgs. But, I am not getting the daily reports.
Is there a particular way to set it

-- 
Thanks & Regards,

Abhishek Purba
+919845153700
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-25 Thread C. R. Oldham
On Sat, Nov 14, 2015 at 9:14 PM, Chris Bagnall 
wrote:

> On 14 Nov 2015, at 20:19, C. R. Oldham  wrote:
> > My ISP provides access over PPPoE and has given me 2 static IPs via the
> [...]
> > I cannot figure out how to make pfSense expose the xxx.yyy.149.218
> > address
>
> [...]
>
> The ‘easiest’ way of getting use out of the other address is to go to
> Virtual IPs and add it there, with type Proxy ARP.
>

I apologize for not following up sooner.  This was indeed the solution.
Thanks to everyone that replied.

I thought this might be the case, some of the options on the Virtual IP
Edit page were confusing me (Virtual IP Password, VHID group password, VHID
Group, Advertising Frequency).  I didn't realize they were optional.

Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-15 Thread Chris Bagnall
On 14 Nov 2015, at 20:19, C. R. Oldham  wrote:
> My ISP provides access over PPPoE and has given me 2 static IPs via the
> following configuration (public IPs sanitized)
> Usable IP addresses: xxx.yyy.149.218
> Gateway address: xxx.yyy.149.217
> Subnet mask: 255.255.255.252

> I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address
> to the public Internet.  I don't have any trouble adding NAT rules that
> forward the .217 through to my internal network.  Can someone give me a
> clue?

It’s quite a common setup - I get something very similar at home (albeit with a 
/29). pfSense has already been assigned the .217 address via PPP, as it should. 
The ‘easiest’ way of getting use out of the other address is to go to Virtual 
IPs and add it there, with type Proxy ARP.

You’ll then be able to use it on the 1:1 NAT page to assign it to a specific 
internal RFC1918 address if you want, or you can just use it as another 
external IP choice when defining standard NAT rules.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-15 Thread ys1338
To be brief,
You have a single usable address at a subnet mask of /30.
.217 is the default gateway / default route.
.218 is assigned to your WAN port on pfSense.
You should read up on subnetting if you want a more thorough answer.
Couple of search terms: VLSM, CIDR
Regards,
Yaroslav

Original message
From: "C. R. Oldham" <c...@ncbt.org>
Date: 11/14/2015  3:19 PM  (GMT-05:00)
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

Greetings,

My ISP provides access over PPPoE and has given me 2 static IPs via the
following configuration (public IPs sanitized)

Subnet Report
--
Subnet Size:    4
Usable IP addresses:    xxx.yyy.149.218
Gateway address:    xxx.yyy.149.217
Subnet mask:    255.255.255.252
CIDR number:    /30
Broadcast address:  xxx.yyy.149.219
Network address:    xxx.yyy.149.216


When I login to pfsense on the console I see

*** Welcome to pfSense 2.2.5-RELEASE-pfSense (amd64) on pfSense ***

 WAN (wan)   -> pppoe0 -> v4/PPPoE: xxx.yyy.149.217/32
 LAN (lan)   -> em1    -> v4: 172.23.23.1/24

I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address
to the public Internet.  I don't have any trouble adding NAT rules that
forward the .217 through to my internal network.  Can someone give me a
clue?

Exhaustive search of the mailing lists & pfSense handbook reveals similar
requests, but nothing that really addresses (ha ha) this issue, unless I
missed it.

Thank you.

--cro

Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-15 Thread Steve Yates
> I don't have any trouble adding NAT
> rules that forward the .217 through to my internal network.  

If that works, it sounds like .217 is your IP, and not your gateway as 
they documented.  What is the gateway on your WAN connection?
--

Steve Yates
ITS, Inc.



[pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-14 Thread C. R. Oldham
Greetings,

My ISP provides access over PPPoE and has given me 2 static IPs via the
following configuration (public IPs sanitized)

Subnet Report
--
Subnet Size:            4
Usable IP addresses:    xxx.yyy.149.218
Gateway address:        xxx.yyy.149.217
Subnet mask:            255.255.255.252
CIDR number:            /30
Broadcast address:      xxx.yyy.149.219
Network address:        xxx.yyy.149.216


When I login to pfsense on the console I see

*** Welcome to pfSense 2.2.5-RELEASE-pfSense (amd64) on pfSense ***

 WAN (wan)   -> pppoe0 -> v4/PPPoE: xxx.yyy.149.217/32
 LAN (lan)   -> em1    -> v4: 172.23.23.1/24

I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address
to the public Internet.  I don't have any trouble adding NAT rules that
forward the .217 through to my internal network.  Can someone give me a
clue?

Exhaustive search of the mailing lists & pfSense handbook reveals similar
requests, but nothing that really addresses (ha ha) this issue, unless I
missed it.

Thank you.

--cro


[pfSense] Help with Dup-To in pfSense

2015-02-20 Thread Manojav Sridhar
Hi all

This is my first post to the list. I should preface that I have searched
the dup-to topic on the forums and haven't found any good explanations as
to how to do it in pfSense.

I used to run a tomato based router at home. It reached its limits as my
link speed exceeded it; instead of getting a faster tomato based router I
have decided to try out pfSense. I have an APU1D4 box that does the job.

I have some iptables rules that I am at a bit of a loss to convert over to
pf dup-to. I need SIP INVITE packets that are routed to my SIP adapter to be
copied to another computer, where I extract that information and keep a
log and notify various systems.

iptables -t mangle -A POSTROUTING -p udp -d 192.168.100.0/23 -m string \
  --string "INVITE sip:" --algo kmp -j ROUTE --tee --gw 192.168.100.2

Or a worst case where I duplicate all packets, and drop what doesn't match
at the .2 server.

# Brute force
# iptables -t mangle -A POSTROUTING -d 192.168.100.9 -p udp -j ROUTE --tee --gw 192.168.100.2
# iptables -t mangle -A POSTROUTING -d 192.168.100.249 -p udp -j ROUTE --tee --gw 192.168.100.2

How can I get this done w/ pf? I have been using pf for 2 days now so am a
complete noob w/ it.

thanks
vajonam

Re: [pfSense] Help with OpenVPN interface rules

2014-10-14 Thread Jim Pingle
On 10/13/2014 10:46 AM, Paul Beriswill wrote:
> Now, when I create rules for the OpenVPN_Ops interface, using
> 'OPEN_VPN_OPS net' as 'Source' the rule never hits.
> It doesn't appear
> that the 'net' and 'address' aliases are being populated when the
> connection is established.  Is this correct?

I don't believe that macro works for OpenVPN interfaces. Remember, when
you assign the interface you must set it to an IP type of None which
is what that macro would have used to fill that macro.

Manually specify the source of the traffic in the rules and you'll be OK.

You could use aliases to define specific subnet(s) or groups of people
based on the addresses you intend to assign via client-specific overrides.

Jim
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Help with OpenVPN interface rules

2014-10-14 Thread Paul Beriswill
Jim

Thanks for the response.  That is what I suspected, that the values were 
populated at config time rather than connect time.

The main reason that I wanted to be able to use those values is because I 
couldn't find a way to use an alias when defining a 'Client Specific Override'. 
 I wanted to avoid needing to enter the same values more than one place in 
order to reduce the chance of error when defining CSO's and their related rules.

Am I missing something?  It seems like an oversight to not allow alias 
substitution when defining CSO's ... or is there a technical reason why 
substitution is not possible with the OpenVPN package?

Is there a way to define both the client specific network and associated FW 
rules from a single input; using aliases, radius, AD, other.  From what I have 
gleaned from the docs, forums, etc that I have perused, local DB + CSO's seem 
to be the closest I can get to this type of 'policy based routing/security'

Basically, what we want to do is define a set of policies that can be applied 
to a group of users and allow fine tuning of the policy for individual users if 
necessary.  I had envisioned using a different OpenVPN interface for each 
group; assigning rules to each interface then fine tuning using CSO's.

Is there a better way to do this?

Paul


--

Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com

[pfSense] Help with OpenVPN interface rules

2014-10-13 Thread Paul Beriswill
Help!!  I'm trying to get per interface OpenVPN rules working and have run into 
a problem:
I go into the Interfaces-(assign) menu and create an interface assignment 
(OPENVPN_OPS).
Now, when I create rules for the OpenVPN_Ops interface, using 'OPEN_VPN_OPS 
net' as 'Source' the rule never hits.  It doesn't appear that the 'net' and 
'address' aliases are being populated when the connection is established.  Is 
this correct?

The intent is to use this feature to create per-configuration OpenVPN rules 
then further refine the rules using Client Specific Overrides.

In the end we want to be able to provide some general, very restrictive rules 
for users based on how they connect (think general function, i.e. accounting, 
tech support, dev, it, etc) then open up additional resources based on identity 
(CSO's?).  We also want to make it difficult for an administrator to 
accidentally create security holes or break access by fat-fingering IP 
addresses, etc.  Will this scheme work for this scenario?

Is there a better way to accomplish this?
I have looked briefly at using AD or Radius to push rules to the FW ... would 
this work better?  I still don't like that, apparently, this would move some of 
the functionality into the authentication mechanisms.  Also, I don't believe AD 
or Radius work with CSO's.  I don't want to create a maintenance nightmare as 
we scale up.

Appreciate any assistance or suggestions.
--

Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com

Re: [pfSense] HELP

2014-07-10 Thread G.T.RAO
Hi, Mr Mohan Rao , no new update from ur end.





On Wed, Jul 9, 2014 at 4:40 PM, A Mohan Rao mohanra...@gmail.com wrote:

> you can give team viewer tomorrow..




-- 




G.T.RAO

A free software fund-a-mentaL-isT.
http://fossyatra.wordpress.com
http://paper.li/GTRao/1342070958
mobile:9953506651
Linux: free and open source software is good for you and for the world.
No adware, no spyware, just good software.
Linux: free and no-cost open source software is good for you and for the
world. No adware, no spyware, just good software.

Re: [pfSense] HELP

2014-07-10 Thread Ryan Coleman
Please take this conversation off list. 

--
Ryan Coleman
ryanjc...@me.com
m. 651.373.5015
o. 612.568.2749

> On Jul 10, 2014, at 7:44, G.T.RAO netwebst...@gmail.com wrote:
>
> > Hi, Mr Mohan Rao , no new update from ur end.
 
 
 

Re: [pfSense] HELP

2014-07-10 Thread Tim Nelson
- Original Message - 

> Greetings all,
>
> I am new to pfsense , pl help me out pfsense firewall  Nat
> configuration for small education network.
>
> I am Using pfsense 2.1.4-reease for (i386)
>
> 1. interface on WAN (wan) - em0 -  v4/DHCP4 : 192.168.0.16/24
>
> 2. interface on LAN (lan ) - em1 -  v4/DHCP4 : 192.168.0.15/24
>
> Webconfigurator is not working, So how can i block [ social media
> sites : facebook,youtube.etc).

Well, for starters your WAN and LAN are on the same subnet. You need to fix 
that first, then I'd bet your web configurator will work as expected. For the 
rest of your issues, it looks like you made a friend on the list to take care 
of the rest (offlist).

--Tim
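
Added example (not part of the original posts and not pfSense code): a small check that parses console-style interface lines and reports interfaces whose connected networks overlap, which is the WAN/LAN problem diagnosed above. It also covers the earlier PPPoE thread's question of whether an address sits on any connected network. The 203.0.113.x addresses stand in for the sanitized xxx.yyy.149.x ones, the 192.168.2.1 LAN address is constructed, and all function names are illustrative.

```python
import ipaddress
import re
from itertools import combinations

# Console summary lines look like " WAN (wan)   -> em0    -> v4/DHCP4: 192.168.0.16/24".
# The arrows are optional so the "WAN (wan) - em0 - v4/DHCP4 : ..." form quoted
# in the thread parses too.
IFACE_RE = re.compile(
    r"(\w+)\s*\(\s*\w+\s*\)\s*-+>?\s*(\S+?)\s*-+>?\s*"
    r"v4(?:/\w+)?\s*:\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
)

# Interface lines as quoted in the HELP thread.
SAME_SUBNET = """\
1. interface  on WAN (wan) - em0  -   v4/DHCP4 : 192.168.0.16/24
2. interface  on LAN  (lan  ) - em1 -   v4/DHCP4 : 192.168.0.15/24
"""

# Constructed: LAN moved to another range, as the replies advise.
FIXED_LAN = """\
 WAN (wan)   -> em0    -> v4/DHCP4: 192.168.0.16/24
 LAN (lan)   -> em1    -> v4: 192.168.2.1/24
"""

# Constructed stand-in for the sanitized PPPoE console output.
PPPOE = """\
 WAN (wan)   -> pppoe0 -> v4/PPPoE: 203.0.113.217/32
 LAN (lan)   -> em1    -> v4: 172.23.23.1/24
"""


def parse_interfaces(text):
    """Return {interface name: IPv4Interface} for every summary line found."""
    found = {}
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            found[m.group(1).upper()] = ipaddress.ip_interface(m.group(3))
    return found


def find_overlaps(ifaces):
    """Return sorted (name_a, name_b) pairs whose connected networks overlap."""
    return sorted(
        (a, b)
        for (a, ia), (b, ib) in combinations(sorted(ifaces.items()), 2)
        if ia.network.overlaps(ib.network)
    )


def connected_via(ifaces, address):
    """Name of the interface whose connected network holds `address`, else None."""
    ip = ipaddress.ip_address(address)
    for name, iface in sorted(ifaces.items()):
        if ip in iface.network:
            return name
    return None


def usable_hosts(cidr):
    """Assignable host addresses of a network, as strings."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


if __name__ == "__main__":
    # WAN and LAN both sit in 192.168.0.0/24, so the pair is reported.
    print("same subnet :", find_overlaps(parse_interfaces(SAME_SUBNET)))
    print("after fix   :", find_overlaps(parse_interfaces(FIXED_LAN)))

    # The /30 holds two host addresses, but PPPoE configured only a /32 on WAN,
    # so the second address is not on any connected network.
    pppoe = parse_interfaces(PPPOE)
    print("/30 hosts   :", usable_hosts("203.0.113.216/30"))
    print(".218 via    :", connected_via(pppoe, "203.0.113.218"))
```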


Re: [pfSense] HELP

2014-07-10 Thread A Mohan Rao
Hello mr rao,
It's your work so I will not be available with your conditions and timings.
better is u can take time from me then we will sort out ur problems..

Thanks
On Jul 10, 2014 6:14 PM, G.T.RAO netwebst...@gmail.com wrote:

> Hi, Mr Mohan Rao , no new update from ur end.




Re: [pfSense] HELP

2014-07-10 Thread Ryan Coleman
PLEASE take this conversation off the list. 

--
Ryan Coleman
ryanjc...@me.com
m. 651.373.5015
o. 612.568.2749

> On Jul 10, 2014, at 9:15, A Mohan Rao mohanra...@gmail.com wrote:
>
> > Hello mr rao,
> > It's your work so I will not be available with your conditions and timings.
> > better is u can take time from me then we will sort out ur problems..
> >
> > Thanks
 

Re: [pfSense] HELP

2014-07-10 Thread A Mohan Rao
Okey...!
On Jul 10, 2014 7:46 PM, Ryan Coleman ryanjc...@me.com wrote:

> PLEASE take this conversation off the list.


Re: [pfSense] HELP

2014-07-10 Thread Roberto Tufik
G.T.RAO netwebsteps@... writes:

> Greetings all,
> I am new to pfsense , pl help me out  pfsense firewall  Nat
> configuration for small education network.
>
> I am Using  pfsense 2.1.4-reease for (i386)
>
> 1. interface  on WAN (wan) - em0  -   v4/DHCP4 : 192.168.0.16/24
> 2. interface  on LAN  (lan  ) - em1 -   v4/DHCP4 : 192.168.0.15/24
>
> Webconfigurator is not working, So how can i block [ social media sites :
> facebook,youtube.etc).
>
> Regards,
> G.T.RAO
> A free software fund-a-mentaL-isT.


Hi,

You can't use same IP RANGE to WAN and LAN. Try other IP range to lan, like
192.168.2.x - and try to access the webconfig in this lan.

Regards

Roberto Soubhia


Re: [pfSense] HELP

2014-07-09 Thread A Mohan Rao
At present u can only block with transparent proxy http sites whatever u
want like social networks movies downloading etc with groupwise.

If u want to block https sites u can use non-transparent proxy..

Thnx

MOHAN RAO
On Jul 9, 2014 4:26 PM, G.T.RAO netwebst...@gmail.com wrote:

> Greetings all,
> I am new to pfsense , pl help me out  pfsense firewall  Nat
> configuration for small education network.
>
> I am Using  pfsense 2.1.4-reease for (i386)
>
> 1. interface  on WAN (wan) - em0  -   v4/DHCP4 : 192.168.0.16/24
> 2. interface  on LAN  (lan  ) - em1 -   v4/DHCP4 : 192.168.0.15/24
>
> Webconfigurator is not working, So how can i block [ social media sites :
> facebook,youtube.etc).
>
> Regards,
>
> G.T.RAO
>
> A free software fund-a-mentaL-isT.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] HELP

2014-07-09 Thread A Mohan Rao
you can give team viewer tomorrow..



On Wed, Jul 9, 2014 at 4:38 PM, G.T.RAO netwebst...@gmail.com wrote:

> hi, can u help me regarding non-transparent proxy.
>
> On Wed, Jul 9, 2014 at 4:31 PM, A Mohan Rao mohanra...@gmail.com wrote:
>
> > At present u can only block with transparent proxy http sites whatever u
> > want like social networks movies downloading etc with groupwise.
> >
> > If u want to block https sites u can use non-transparent proxy..
> >
> > Thnx
> >
> > MOHAN RAO
> > On Jul 9, 2014 4:26 PM, G.T.RAO netwebst...@gmail.com wrote:
> >
> > > Greetings all,
> > > I am new to pfsense, pl help me out pfsense firewall Nat
> > > configuration for small education network.
> > >
> > > I am Using pfsense 2.1.4-release for (i386)
> > >
> > > 1. interface on WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24
> > > 2. interface on LAN (lan) - em1 - v4/DHCP4 : 192.168.0.15/24
> > >
> > > Webconfigurator is not working, So how can i block (social media sites:
> > > facebook, youtube, etc.).
> > >
> > > Regards,
> > >
> > > G.T.RAO
> > >
> > > A free software fund-a-mentaL-isT.
>
> --
> G.T.RAO
>
> A free software fund-a-mentaL-isT.
> http://fossyatra.wordpress.com
> http://paper.li/GTRao/1342070958
> mobile:9953506651
> Linux: free and open source software is good for you and for the world.
> No adware, no spyware, just good software.

Re: [pfSense] HELP

2014-07-09 Thread G.T.RAO
hi, tomorrow i am free from 11 am to 3 pm.




On Wed, Jul 9, 2014 at 4:40 PM, A Mohan Rao mohanra...@gmail.com wrote:

> you can give team viewer tomorrow..
>
> On Wed, Jul 9, 2014 at 4:38 PM, G.T.RAO netwebst...@gmail.com wrote:
>
> > hi, can u help me regarding non-transparent proxy.
> >
> > On Wed, Jul 9, 2014 at 4:31 PM, A Mohan Rao mohanra...@gmail.com wrote:
> >
> > > At present u can only block with transparent proxy http sites whatever u
> > > want like social networks movies downloading etc with groupwise.
> > >
> > > If u want to block https sites u can use non-transparent proxy..
> > >
> > > Thnx
> > >
> > > MOHAN RAO
> > > On Jul 9, 2014 4:26 PM, G.T.RAO netwebst...@gmail.com wrote:
> > >
> > > > Greetings all,
> > > > I am new to pfsense, pl help me out pfsense firewall Nat
> > > > configuration for small education network.
> > > >
> > > > I am Using pfsense 2.1.4-release for (i386)
> > > >
> > > > 1. interface on WAN (wan) - em0 - v4/DHCP4 : 192.168.0.16/24
> > > > 2. interface on LAN (lan) - em1 - v4/DHCP4 : 192.168.0.15/24
> > > >
> > > > Webconfigurator is not working, So how can i block (social media sites:
> > > > facebook, youtube, etc.).
> > > >
> > > > Regards,
> > > >
> > > > G.T.RAO
> > > >
> > > > A free software fund-a-mentaL-isT.
> >
> > --
> > G.T.RAO
> >
> > A free software fund-a-mentaL-isT.
> > http://fossyatra.wordpress.com
> > http://paper.li/GTRao/1342070958
> > mobile:9953506651
> > Linux: free and open source software is good for you and for the world.
> > No adware, no spyware, just good software.

-- 
G.T.RAO

A free software fund-a-mentaL-isT.
http://fossyatra.wordpress.com
http://paper.li/GTRao/1342070958
mobile:9953506651
Linux: free and open source software is good for you and for the world.
No adware, no spyware, just good software.

[pfSense] pfSense help at Dayton NJ needed

2014-04-11 Thread Christoph Hanle
Hi all,
sorry for my abuse of the mailing list.
We have the disaster of a broken pfSense upgrade to 2.1.2.
Unfortunately we don't have a proper technician on site,
all repair attempts by phone have not been successful and the (planned)
new pfSense HA-cluster will not reach our location before Tuesday.

Is there a list member somewhere from Dayton NJ who can help us or does
someone know somebody near Dayton?

Thanks and bye
Christoph


[pfSense] Help - GW Failover Gateway

2013-11-25 Thread Pedro Almeida
Hi,

I need information about GW Failover Gateway. I tested many times and it didn't
work. I'm using the OpenVPN interface option.

When the primary WAN link goes down, the change to the secondary WAN link is
not made. I have to change to the secondary link manually.

Can someone help me in this case?

Thanks


[pfSense] Help with VLAN setup

2013-11-23 Thread Benjamin Swatek
Hello all…

I’m trying to set up VLANs but I can’t get it to work.

I have a TP-Link TL-SL2210WEB switch connected to a pfSense box.

The switch should connect to 3 ADSL Modems on ports 2, 3 and 4 and to the 
pfSense Box on port 1.

On the switch I configured port 2 to be part of VLAN 2, port 3 to be part of 
VLAN 3 and port 4 to be part of VLAN 4. They all tag “Egress Frames” 
accordingly.

Port 1 is member of all those VLANs and does not modify “Egress Frames”.

On pfSense I tried to set up VLANs 2-4 too, but something doesn’t work.

I created the VLANs during set up, then assigned them to the corresponding 
interface (fxp0 - I tried with re1 too) and then created OPT interfaces using 
the VLANs as their network ports.

Then I gave each OPT an IP address according to the modem’s configuration 
(192.168.x.10).
I tried creating Gateways when assigning IPs and as well afterwards but no 
interface gets online or can ping the modems.

When I connect my laptop directly to port 1 of the switch and assign it an IP 
address corresponding to any of the modems connected I get online and can ping 
the modems too.

What am I doing wrong?

Thanks

Ben
(sorry for cross posting on forum and list, I’ll share any knowledge I can 
gather in both too.)


Re: [pfSense] Help with VLAN setup

2013-11-23 Thread Adam Thompson

On Sat 23 Nov 2013 10:40:23 AM CST, Benjamin Swatek wrote:

> I’m trying to set up VLANs but I can’t get it to work.
> I have a TP-Link TL-SL2210WEB switch connected to a pfSense box.
> The switch should connect to 3 ADSL Modems on ports 2, 3 and 4 and to the
> pfSense Box on port 1.
> On the switch I configured port 2 to be part of VLAN 2, port 3 to be part of
> VLAN 3 and port 4 to be part of VLAN 4. They all tag “Egress Frames”
> accordingly.
> Port 1 is member of all those VLANs and does not modify “Egress Frames”.

Based on your description, I think you've got it backwards.
Ports 2, 3, and 4 need to be untagged members of their respective 
VLANs, and port 1 needs to have VLANs 2, 3 and 4 tagged.

> When I connect my laptop directly to port 1 of the switch and assign it an IP
> address corresponding to any of the modems connected I get online and can ping
> the modems too.

That doesn't quite add up.

> What am I doing wrong?

My best guess is untagged/tagged confusion on your part, but there are 
other possibilities.

I assume VLAN 1 is your LAN, i.e. the subnet protected by the 
firewall.  Presumably ports 5 through 8 are on VLAN 1 as well, and your 
other devices are plugged in there.
You want port 1 to be an untagged member of VLAN1, and a tagged member 
of VLANs 2, 3 and 4.  If your switch talks about egress and ingress 
rules, port 1 should be configured to *apply* an 802.1Q tag on egress 
for VLANs 2, 3 & 4, and to *strip* (or merely not apply, depends on the 
switch) 802.1Q tags on egress for VLAN 1.  Similarly, the PVID 
(default VLAN) for port 1 should be VLAN 1, and it should accept 
tagged packets for VLANs 2, 3 & 4.  Then ports 2, 3, and 4 should be 
configured to strip (or not apply) 802.1Q tags on egress for their 
respective VLANs, and should be configured with a PVID of 2/3/4 
(respectively) and be set to accept untagged packets.

On pfSense, your fxp0 interface should be the LAN interface, and you 
should create three additional VLAN interfaces on fxp0 for WAN1, WAN2, 
WAN3 (or whatever you want to call them - but one of them has to be the 
primary WAN interface that gets configured during initial setup).  
pfSense does 802.1Q tagging by default (I'm not even sure it can be 
turned off).

Because you're using VLAN 1, the default VLAN, you likely can't tag 
those packets, and probably shouldn't in any case.  (I'm not going to 
get on my soapbox here, ask me if you care about why.)

--
-Adam Thompson
athom...@athompso.net
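The tagged/untagged rules from the reply above can be checked with a small 802.1Q port model. This is an added example, not part of the original thread; the PVIDs given to the original layout, and the assumptions that pfSense tags its VLAN interfaces while the modems send and expect untagged Ethernet, are not stated in the thread.

```python
"""Minimal 802.1Q switch-port model (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs sent without a tag on egress
    tagged: Set[int] = field(default_factory=set)    # VLANs sent with an 802.1Q tag on egress

    def member(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


def deliver(switch: Dict[int, Port], in_port: int, tag: Optional[int],
            out_port: int) -> Tuple[str, Optional[int]]:
    """Return ('dropped', None) or ('delivered', tag_on_egress) for one frame.

    tag is the VLAN ID on the wire at ingress, or None for an untagged frame.
    """
    src, dst = switch[in_port], switch[out_port]
    vid = src.pvid if tag is None else tag   # untagged frames are classified by PVID
    if not src.member(vid) or not dst.member(vid):
        return ("dropped", None)             # one of the ports is not in that VLAN
    return ("delivered", vid if vid in dst.tagged else None)


# Layout recommended in the reply: port 1 is the trunk to pfSense,
# ports 2-4 are untagged access ports for the modems.
RECOMMENDED = {
    1: Port(pvid=1, untagged={1}, tagged={2, 3, 4}),
    2: Port(pvid=2, untagged={2}),
    3: Port(pvid=3, untagged={3}),
    4: Port(pvid=4, untagged={4}),
}

# Layout from the question: ports 2-4 tag egress frames, port 1 does not.
# The PVIDs are assumed; the question does not give them.
ORIGINAL = {
    1: Port(pvid=1, untagged={1, 2, 3, 4}),
    2: Port(pvid=2, tagged={2}),
    3: Port(pvid=3, tagged={3}),
    4: Port(pvid=4, tagged={4}),
}


def wan_path_ok(switch: Dict[int, Port], vid: int, modem_port: int) -> bool:
    """True if the pfSense VLAN interface and the modem can exchange frames.

    Assumes pfSense sends and expects tag `vid`, and the modem sends and
    expects untagged frames.
    """
    to_modem = deliver(switch, 1, vid, modem_port)
    to_pfsense = deliver(switch, modem_port, None, 1)
    return to_modem == ("delivered", None) and to_pfsense == ("delivered", vid)


def isolated(switch: Dict[int, Port], port_a: int, port_b: int) -> bool:
    """True if untagged frames entering port_a never leave through port_b."""
    return deliver(switch, port_a, None, port_b)[0] == "dropped"


if __name__ == "__main__":
    for name, sw in (("recommended", RECOMMENDED), ("original", ORIGINAL)):
        for vid in (2, 3, 4):
            print(name, "VLAN", vid, "path ok:", wan_path_ok(sw, vid, vid))
        print(name, "modem port 2 isolated from port 3:", isolated(sw, 2, 3))
```

In the original layout the tag ends up on the wrong side in both directions: the modem receives tagged frames and pfSense receives untagged ones, so the VLAN interfaces never see replies.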


Re: [pfSense] Help with VLAN setup

2013-11-23 Thread Benjamin Swatek

On 23, Nov2013, at 13:14 , Adam Thompson athom...@athompso.net wrote:

> > What am I doing wrong?
>
> My best guess is untagged/tagged confusion on your part, but there are other
> possibilities.
>
> I assume VLAN 1 is your LAN, i.e. the subnet protected by the firewall.
> Presumably ports 5 through 8 are on VLAN 1 as well, and your other devices
> are plugged in there.
> You want port 1 to be an untagged member of VLAN1, and a tagged member of
> VLANs 2, 3 and 4.  If your switch talks about egress and ingress rules,
> port 1 should be configured to *apply* an 802.1Q tag on egress for VLANs 2, 3
> & 4, and to *strip* (or merely not apply, depends on the switch) 802.1Q tags
> on egress for VLAN 1.  Similarly, the PVID (default VLAN) for port 1 should
> be VLAN 1, and it should accept tagged packets for VLANs 2, 3 & 4.  Then
> ports 2, 3, and 4 should be configured to strip (or not apply) 802.1Q tags on
> egress for their respective VLANs, and should be configured with a PVID of
> 2/3/4 (respectively) and be set to accept untagged packets.

Seems like that was the problem.

Thanks a million.

Ben


Re: [pfSense] Help

2013-05-17 Thread Bill Randall

--- On Thu, 5/16/13, Joy pj.netfil...@gmail.com wrote:

> From: Joy pj.netfil...@gmail.com
> Subject: [pfSense] Help
> To: pfSense support and discussion list@lists.pfsense.org
> Date: Thursday, May 16, 2013, 5:55 AM
>
> Hi Team,
> Is it possible to use cloud based web filtering with
> pfsense like open dns based filtering.
> in case yes what software does that like websense etc ?

The Squid Guard package provides a means of filtering URLs. The project site 
(http://www.squidguard.org/) provides links to blacklists and/or malicious URLs 
(http://www.squidguard.org/blacklists.html).

The following site provides a quick description regarding how to set up 
SquidGuard:

http://skear.hubpages.com/hub/URL-Filtering-How-To-Configure-SquidGuard-in-pfSense

Also, there is pfBlocker.  Instructions for enabling pfBlocker are available at:

http://doc.pfsense.org/index.php/Pfblocker

1. Install the pfBlocker package

2. Go to Firewall > pfBlocker > General to specify the inbound and outbound 
interfaces. Also check the checkboxes to enable pfBlocker and enable logging if 
desired.

3. Go to the Firewall > pfBlocker > Lists tab to configure blocklists (such as 
http://www.spamhaus.org/drop/drop.txt, http://www.spamhaus.org/drop/edrop.txt, 
and http://feeds.dshield.org/top10-2.txt).

pfBlocker will automatically add firewall rules using the configured list alias.


[pfSense] Help

2013-05-16 Thread Joy
Hi Team,
  Is it possible to use cloud based web filtering with pfsense
like open dns based filtering.

in case yes what software does that like websense etc ?


Re: [pfSense] Help

2013-05-16 Thread Eugen Leitl
On Thu, May 16, 2013 at 04:25:10PM +0530, Joy wrote:
> Hi Team,
>   Is it possible to use cloud based web filtering with pfsense
> like open dns based filtering.
>
> in case yes what software does that like websense etc ?

Have you tried just putting in OpenDNS resolvers under
System->General setup->DNS servers?


Re: [pfSense] help

2013-04-28 Thread Vick Khera
On Wed, Apr 24, 2013 at 10:36 AM, eyobe kebede e...@dbu.edu.et wrote:

> public ip 197.156.75.54 our side and 197.156.75.53 ISP side

Well, now you have just shared some new information.

Try this: set your public IP to 197.156.75.54 and the default route to the
.53 address, and the netmask to 255.255.255.252. See what happens.


Re: [pfSense] help

2013-04-25 Thread eyobe kebede
if I want to make NAT how could I do it? the IP addresses are 10.130.51.83
WAN ip and 10.130.65.42 default gateway and 197.156.75.54 public IP our
side and 197.156.75.53 and 10.130.65.41 is ip  ISP's side. but I am not
clear with the function of 10.130.65.41 and how can I make nat


On Wed, Apr 24, 2013 at 8:04 AM, Ryan Rodrigue radiote...@aaremail.com wrote:

> Please don’t top post.  It makes helping difficult.
>
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
> On Behalf Of eyobe kebede
> Sent: Wednesday, April 24, 2013 9:36 AM
> To: pfSense support and discussion
> Subject: Re: [pfSense] help
>
> > we are using DSL and let me give you some information. we were using
> > 10.130.48.72 IP address given by the ISP and for some reason we have
> > purchased public ip 197.156.75.54. where technicians from the ISP do not
> > give us how to use the IP addresses and it became difficult to configure it
> > on pfsense. these are the solid facts
> >
> > wan ip 10.130.51.83
> >
> > default gateway 10.130.65.42
> >
> > public ip 197.156.75.54 our side and 197.156.75.53 ISP side
> >
> > then we need how to configure this in pfsense?
>
> I would try 2 things.
>
> 1st I would try to set up the public IP that was given to you
> (197.156.75.54) as a static IP in PF and set up the 197.156.75.53 as a
> default gateway.  (Don’t use DHCP)
>
> You will have to set up the DNS servers in the System > General Setup tab.
>
> 2nd If that doesn’t work, I would try to move the PPPOE login information
> to the PF box and put the DSL modem in bridge mode.


Re: [pfSense] help

2013-04-24 Thread Matthias May

On 24/04/13 03:17, Vick Khera wrote:

> On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:
>
> > but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way
>
> Given that 10.134.192.154 is your WAN IP, and the netmask they gave
> you is 255.255.255.252, the *ONLY* other IP you can directly reach is
> 10.134.192.153. Your network address is the .152 address and your
> broadcast IP is the .155 address. Your default gateway must be within
> the network defined by the WAN IP + netmask, and the one they gave you
> is not within that network.
>
> To include 10.130.42.65 in your WAN network so that you can reach it
> directly, you will need a much, much wider netmask. Or some magic.
> Don't count on getting any magic any time soon.

Didn't Jim already provide the solution to this problem 2 weeks ago?
No point in pondering further on unusual setups :)


Re: [pfSense] help

2013-04-24 Thread eyobe kebede
after a long period of communication they give us new WAN ip 10.130.51.83
and public ip of 197.156.75.54 how we can configure all the two ip
addresses?


On Tue, Apr 23, 2013 at 6:17 PM, Vick Khera vi...@khera.org wrote:

> On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:
>
> > but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way
>
> Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is
> 255.255.255.252, the *ONLY* other IP you can directly reach is
> 10.134.192.153. Your network address is the .152 address and your broadcast
> IP is the .155 address. Your default gateway must be within the network
> defined by the WAN IP + netmask, and the one they gave you is not within
> that network.
>
> To include 10.130.42.65 in your WAN network so that you can reach it
> directly, you will need a much, much wider netmask. Or some magic. Don't
> count on getting any magic any time soon.


Re: [pfSense] help

2013-04-24 Thread eyobe kebede
after a long period of communication they give us new WAN ip 10.130.51.83
and public ip of 197.156.75.54 how can I include the two ip addresses?


On Wed, Apr 24, 2013 at 4:17 AM, Vick Khera vi...@khera.org wrote:

> On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:
>
> > but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way
>
> Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is
> 255.255.255.252, the *ONLY* other IP you can directly reach is
> 10.134.192.153. Your network address is the .152 address and your broadcast
> IP is the .155 address. Your default gateway must be within the network
> defined by the WAN IP + netmask, and the one they gave you is not within
> that network.
>
> To include 10.130.42.65 in your WAN network so that you can reach it
> directly, you will need a much, much wider netmask. Or some magic. Don't
> count on getting any magic any time soon.


Re: [pfSense] help

2013-04-24 Thread Ryan Rodrigue
I am just a big dummy that is coming in late in the game.  Is it possible
that they are sending that IP to a router/modem and the router is doing NAT?
If so, is it possible to disable the routing functions and just use this as a
bridge and not a router?  I have seen this before with DSL and some cable
modems.  I have even seen cable modems that have an internal NAT IP, but
also work with the public IP that is assigned to your account. 
Have you called your ISP and asked them how to use your static IP?  
Who is your service provider?  
Is this cable or DSL?
Sorry if you have answered this before.  I am coming in a little late.


Re: [pfSense] help

2013-04-24 Thread eyobe kebede
we are using DSL and let me give you some information. we were using
10.130.48.72 IP address given by the ISP and for some reason we have
purchased public ip 197.156.75.54. where technicians from the ISP do not
give us how to use the IP addresses and it became difficult to configure it
on pfsense. these are the solid facts
wan ip 10.130.51.83
default gateway 10.130.65.42
public ip 197.156.75.54 our side and 197.156.75.53 ISP side
then we need how to configure this in pfsense?


On Wed, Apr 24, 2013 at 5:22 PM, Ryan Rodrigue radiote...@aaremail.com wrote:

> I am just a big dummy that is coming in late in the game.  Is it possible
> that they are sending that IP to a router/modem and the router is doing NAT?
> If so, is it possible to disable the routing functions and just use this as a
> bridge and not a router?  I have seen this before with DSL and some cable
> modems.  I have even seen cable modems that have an internal NAT IP, but
> also work with the public IP that is assigned to your account.
> Have you called your ISP and asked them how to use your static IP?
> Who is your service provider?
> Is this cable or DSL?
> Sorry if you have answered this before.  I am coming in a little late.


Re: [pfSense] help

2013-04-24 Thread Ryan Rodrigue
 

Please don't top post.  It makes helping difficult.

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of eyobe kebede
Sent: Wednesday, April 24, 2013 9:36 AM
To: pfSense support and discussion
Subject: Re: [pfSense] help

> we are using DSL and let me give you some information. we were using
> 10.130.48.72 IP address given by the ISP and for some reason we have
> purchased public ip 197.156.75.54. where technicians from the ISP do not
> give us how to use the IP addresses and it became difficult to configure it
> on pfsense. these are the solid facts
>
> wan ip 10.130.51.83
>
> default gateway 10.130.65.42
>
> public ip 197.156.75.54 our side and 197.156.75.53 ISP side
>
> then we need how to configure this in pfsense?

I would try 2 things.

1st I would try to set up the public IP that was given to you (197.156.75.54)
as a static IP in PF and set up the 197.156.75.53 as a default gateway.
(Don't use DHCP)

You will have to set up the DNS servers in the System > General Setup tab.

2nd If that doesn't work, I would try to move the PPPOE login information to
the PF box and put the DSL modem in bridge mode.


Re: [pfSense] help

2013-04-24 Thread Matthias May

On 24/04/13 16:36, eyobe kebede wrote:
> we are using DSL and let me give you some information. we were using
> 10.130.48.72 IP address given by the ISP and for some reason we have
> purchased public ip 197.156.75.54. where technicians from the ISP do
> not give us how to use the IP addresses and it became difficult to
> configure it on pfsense. these are the solid facts
>
> wan ip 10.130.51.83
> default gateway 10.130.65.42
> public ip 197.156.75.54 our side and 197.156.75.53 ISP side
> then we need how to configure this in pfsense?

See the second reply in this thread by jim:

[quote]

Some ISPs that are particularly stingy with IPs and bad at routing have
been doing this.

His ISP may have just forgotten to give him the proper gateway. But on
the outside chance they really do expect him to use that 10.x address as
the gateway, it may still be possible.

http://redmine.pfsense.org/issues/972

Not supported in the GUI yet though.

Jim
[/quote]

> On Wed, Apr 24, 2013 at 5:22 PM, Ryan Rodrigue
> radiote...@aaremail.com wrote:
>
> > I am just a big dummy that is coming in late in the game.  Is it possible
> > that they are sending that IP to a router/modem and the router is doing NAT?
> > If so, is it possible to disable the routing functions and just use this as a
> > bridge and not a router?  I have seen this before with DSL and some cable
> > modems.  I have even seen cable modems that have an internal NAT IP, but
> > also work with the public IP that is assigned to your account.
> > Have you called your ISP and asked them how to use your static IP?
> > Who is your service provider?
> > Is this cable or DSL?
> > Sorry if you have answered this before.  I am coming in a little late.


Re: [pfSense] help

2013-04-24 Thread Ryan Rodrigue
 

 

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Matthias May
Sent: Wednesday, April 24, 2013 11:02 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] help

> On 24/04/13 16:36, eyobe kebede wrote:
>
> > we are using DSL and let me give you some information. we were using
> > 10.130.48.72 IP address given by the ISP and for some reason we have
> > purchased public ip 197.156.75.54. where technicians from the ISP do not
> > give us how to use the IP addresses and it became difficult to configure it
> > on pfsense. these are the solid facts
> >
> > wan ip 10.130.51.83
> >
> > default gateway 10.130.65.42
> >
> > public ip 197.156.75.54 our side and 197.156.75.53 ISP side
> >
> > then we need how to configure this in pfsense?
>
> See the second reply in this thread by jim:
>
> [quote]
>
> Some ISPs that are particularly stingy with IPs and bad at routing have
> been doing this.
>
> His ISP may have just forgotten to give him the proper gateway. But on
> the outside chance they really do expect him to use that 10.x address as
> the gateway, it may still be possible.
>
> http://redmine.pfsense.org/issues/972
>
> Not supported in the GUI yet though.
>
> Jim
> [/quote]

I don't understand your comment.  He says that the public IP is
197.156.75.53 on the ISP side.  This appears to be a proper gateway.

> > On Wed, Apr 24, 2013 at 5:22 PM, Ryan Rodrigue radiote...@aaremail.com
> > wrote:
> >
> > > I am just a big dummy that is coming in late in the game.  Is it possible
> > > that they are sending that IP to a router/modem and the router is doing NAT?
> > > If so, is it possible to disable the routing functions and just use this as a
> > > bridge and not a router?  I have seen this before with DSL and some cable
> > > modems.  I have even seen cable modems that have an internal NAT IP, but
> > > also work with the public IP that is assigned to your account.
> > > Have you called your ISP and asked them how to use your static IP?
> > > Who is your service provider?
> > > Is this cable or DSL?
> > > Sorry if you have answered this before.  I am coming in a little late.


Re: [pfSense] help

2013-04-24 Thread Chris Bagnall

> Some ISPs that are particularly stingy with IPs and bad at routing have
> been doing this.


I might be missing something, but it does seem like a pretty awful, and 
at best very temporary 'solution' to IPv4 shortage.


I must admit if I were the OP, I'd probably be looking for a new DSL 
provider.


Roll on widespread v6 adoption and NAT64 for access to the 'legacy 
internet' :-)


Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] help

2013-04-24 Thread Seth Mos
On 24-4-2013 18:24, Chris Bagnall wrote:
> > Some ISPs that are particularly stingy with IPs and bad at routing have
> > been doing this.
>
> I might be missing something, but it does seem like a pretty awful, and
> at best very temporary 'solution' to IPv4 shortage.
>
> I must admit if I were the OP, I'd probably be looking for a new DSL
> provider.
>
> Roll on widespread v6 adoption and NAT64 for access to the 'legacy
> internet' :-)

It looks like 464xlat is one of the better things that has come forth,
however, it needs to be implemented on the client.

Till that time, DNS64 and NAT64 will have to do. And it ain't pretty.

Dual stack if you can folks! The water is fine!

Cheers,

Seth


Re: [pfSense] help

2013-04-23 Thread Vick Khera
On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote:

> but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way


Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is
255.255.255.252, the *ONLY* other IP you can directly reach is
10.134.192.153. Your network address is the .152 address and your broadcast
IP is the .155 address. Your default gateway must be within the network
defined by the WAN IP + netmask, and the one they gave you is not within
that network.

To include 10.130.42.65 in your WAN network so that you can reach it
directly, you will need a much, much wider netmask. Or some magic. Don't
count on getting any magic any time soon.
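The subnet arithmetic in the reply above, and the /30 setup suggested for 197.156.75.54 elsewhere in the thread, can be reproduced with Python's standard `ipaddress` module. This is an added example, not part of the original thread; the function name and the report keys are made up for illustration, and the addresses are the ones quoted in the messages.

```python
import ipaddress


def wan_report(wan_ip: str, netmask: str, gateway: str) -> dict:
    """Describe the WAN subnet and say whether the gateway is directly reachable."""
    iface = ipaddress.ip_interface(f"{wan_ip}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)

    # Every usable host address on the link except our own.
    peers = [str(h) for h in net.hosts() if h != iface.ip]

    # Widen the network one bit at a time until it also contains the
    # gateway: this is the netmask that would be needed to reach it on-link.
    covering = net
    while gw not in covering:
        covering = covering.supernet()

    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "peers": peers,
        "gateway_on_link": str(gw) in peers,
        "covering_prefix": covering.prefixlen,
        "covering_netmask": str(covering.netmask),
    }


# Address sets quoted in the thread.
CASES = [
    ("private WAN IP, gateway in another subnet",
     "10.134.192.154", "255.255.255.252", "10.130.42.65"),
    ("public IP with the ISP-side address as gateway",
     "197.156.75.54", "255.255.255.252", "197.156.75.53"),
]

if __name__ == "__main__":
    for label, ip, mask, gw in CASES:
        print(label)
        for key, value in wan_report(ip, mask, gw).items():
            print(f"  {key}: {value}")
```

For the first case the only on-link peer is 10.134.192.153, and a network wide enough to hold both the WAN IP and 10.130.42.65 would need a /13 mask, which is the "much, much wider netmask" the reply refers to.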


Re: [pfSense] help

2013-04-16 Thread eyobe kebede
hi here I have got some information in our router configuration. the ip
address is 10.134.192.154 and the subnet mask is 255.255.255.252. how could
I configure this to include 197.156.75.54 as public IP

On Tue, Apr 9, 2013 at 6:37 PM, Vick Khera vi...@khera.org wrote:

> On Tue, Apr 9, 2013 at 11:19 AM, Jim Pingle li...@pingle.org wrote:
>
> > His ISP may have just forgotten to give him the proper gateway. But on
> > the outside chance they really do expect him to use that 10.x address as
> > the gateway, it may still be possible.
> >
> > http://redmine.pfsense.org/issues/972
> >
> > Not supported in the GUI yet though.
>
> Wow, just wow. How do people come up with these ideas?


[pfSense] help

2013-04-09 Thread eyobe kebede
Hello there,

It has been around three years since my institution started using pfSense
as a router, and it has been awesome and helpful in my understanding since I
have used it for a fair amount of time.

But my problem starts now. Previously we were using a static IP address that
was given to us by Ethio Telecom, the local ISP. But due to speed matters
we asked them to allow us to use a public IP address, and they required us
to change the WAN IP, which was previously 10.130.48.72 with the default
gateway of 10.130.48.1, to 197.156.75.54 with a default gateway of
10.130.42.65. When I tried to change the interface and the gateways I was
not able to connect to the internet. Because of this, the connection is down
in my institution. Could you please help me solve my problem? I am waiting
to hear your response. I would like to thank you in advance for the help
that you give to my institution.


Re: [pfSense] help

2013-04-09 Thread Luis Carrion
Hello,

You should ask your ISP and have them verify the gateway. If you are
now using 197.156.75.54 they should provide you with a gateway inside the
subnet your IP address is in (depending on your subnet mask).

Regards,

Luis


2013/4/9 eyobe kebede e...@dbu.edu.et

 Hello there,

 It has been around three years since my institution started using pfSense
 as a router, and it has been awesome and helpful in my understanding since I
 have used it for a fair amount of time.

 But my problem starts now. Previously we were using a static IP address
 that was given to us by Ethio Telecom, the local ISP. But due to speed
 matters we asked them to allow us to use a public IP address, and they
 required us to change the WAN IP, which was previously 10.130.48.72 with the
 default gateway of 10.130.48.1, to 197.156.75.54 with a default gateway of
 10.130.42.65. When I tried to change the interface and the gateways I was
 not able to connect to the internet. Because of this, the connection is down
 in my institution. Could you please help me solve my problem? I am waiting
 to hear your response. I would like to thank you in advance for the help
 that you give to my institution.



Re: [pfSense] help

2013-04-09 Thread Vick Khera
On Tue, Apr 9, 2013 at 3:49 AM, eyobe kebede e...@dbu.edu.et wrote:

 to 197.156.75.54 and default gateway of 10.130.42.65


As Luis points out, this makes no sense. What is the netmask they told you
to use for the WAN address? The gateway must be within that network block
defined by the netmask and IP.


Re: [pfSense] help

2013-04-09 Thread Jim Pingle
On 4/9/2013 11:06 AM, Vick Khera wrote:
 
 On Tue, Apr 9, 2013 at 3:49 AM, eyobe kebede e...@dbu.edu.et wrote:
 
 to 197.156.75.54 and default gateway of 10.130.42.65
 
 
 As Luis points out, this makes no sense. What is the netmask they told
 you to use for the WAN address? The gateway must be within that network
 block defined by the netmask and IP.

Some ISPs that are particularly stingy with IPs and bad at routing have
been doing this.

His ISP may have just forgotten to give him the proper gateway. But on
the outside chance they really do expect him to use that 10.x address as
the gateway, it may still be possible.

http://redmine.pfsense.org/issues/972

Not supported in the GUI yet though.

Jim



Re: [pfSense] help

2013-04-09 Thread Vick Khera
On Tue, Apr 9, 2013 at 11:19 AM, Jim Pingle li...@pingle.org wrote:

 His ISP may have just forgotten to give him the proper gateway. But on
 the outside chance they really do expect him to use that 10.x address as
 the gateway, it may still be possible.

 http://redmine.pfsense.org/issues/972

 Not supported in the GUI yet though.


Wow, just wow. How do people come up with these ideas?


Re: [pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505

2012-10-10 Thread Neil
Did you get it working?  I need to do the same and can't get the phase 1
connection to work.

N




Re: [pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505

2012-07-11 Thread Ian Bowers
What information precisely are you missing?

-Ian
Pro VPN Monkey

On Tue, Jul 10, 2012 at 10:59 PM, Joseph Rotan joseph.ro...@gmail.com wrote:

 Hi,

 I'm configuring my pfsense 2.0 firewall to do tunneling with a remote
 Cisco Router ASA5505 and with the provided VPN Device Host Information,
 Encryption Method (Phase 1 Properties and Phase 2 Properties), Encryption
 Domain and Pre-Shared-Key information from my remote site I am not able
 to see the exact features in the link below on my pfsense 2.0

 http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

 Do I have to upgrade my pfsense as you may find in the attached
 screenshot of my VPN IPSec settings and network diagram

 Appreciate your assistance.

 Kind Regards

 Joseph.



Re: [pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505

2012-07-11 Thread Ian Bowers
What information precisely are you missing?  Or unsure on?  Apologies, it's
not completely clear from your email

-Ian
Pro VPN Monkey

On Tue, Jul 10, 2012 at 10:59 PM, Joseph Rotan joseph.ro...@gmail.com wrote:

 Hi,

 I'm configuring my pfsense 2.0 firewall to do tunneling with a remote
 Cisco Router ASA5505 and with the provided VPN Device Host Information,
 Encryption Method (Phase 1 Properties and Phase 2 Properties), Encryption
 Domain and Pre-Shared-Key information from my remote site I am not able
 to see the exact features in the link below on my pfsense 2.0

 http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

 Do I have to upgrade my pfsense as you may find in the attached
 screenshot of my VPN IPSec settings and network diagram

 Appreciate your assistance.

 Kind Regards

 Joseph.



[pfSense] Help in Configuring my pfsense 2.0 firewall for IPSec tunneling with a Cisco router ASA5505

2012-07-10 Thread Joseph Rotan
Hi,

I'm configuring my pfsense 2.0 firewall to do tunneling with a remote Cisco
Router ASA5505 and with the provided VPN Device Host Information, Encryption
Method (Phase 1 Properties and Phase 2 Properties), Encryption Domain
and Pre-Shared-Key information from my remote site I am not able to see
the exact features in the link below on my pfsense 2.0

http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

Do I have to upgrade my pfsense as you may find in the attached screenshot
of my VPN IPSec settings and network diagram

Appreciate your assistance.

Kind Regards

Joseph.


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Warren Baker
On Fri, Feb 10, 2012 at 6:34 AM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:

 Well, if you want to get technical, the minimum possible subnet in IPv4 over 
 Ethernet is actually a /31.  $employer uses these religiously in PtP Ethernet 
 links, and they work flawlessly.  Unfortunately, *BSD doesn't seem to 
 implement RFC3021, which is really a pity, because it means all my firewalls 
 use twice as many IPs as necessary on their uplinks.

 http://tools.ietf.org/html/rfc3021


FreeBSD 9 supports RFC3021
(http://svnweb.freebsd.org/base?view=revision&revision=226572).


-- 
.warren


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Gordon Russell

- Original Message -
 From: Nathan Eisenberg nat...@atlasnetworks.us
 To: athom...@athompso.net, pfSense support and discussion 
 list@lists.pfsense.org
 Sent: Friday, February 10, 2012 2:56:36 AM
 Subject: Re: [pfSense] pfSense help with creating rules
  I think the entire ISP operation I partly run has... three routers
  that support it, AFAIK. So for all practical intents and purposes,
  that doesn't exist for me.
 
  It would be nice, most definitely, if it were supported by more
  equipment, but it's just not (in my corner of the world, anyway).
 
  So yes, for equipment that supports it, you're right - a /31 is the
  smallest IPv4-over-ethernet subnet.
 
  (There's also a philosophical point of whether Ethernet can ever
  truly be a PtP media even when physically connected PtP...)
 
 My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine
 (philosophy aside, it *works* over ethernet, even in a test case when
 'PtP' really meant 'these are the only two ports in the VLAN').
 Anything I own with an ARM chip (Mikrotik, Ubiquiti, or general
 embedded hardware) in it, and my PFsense boxen, don't support it at
 all. Very sad - some days, it almost makes me want to roll a bunch of
 iptables boxes and reclaim a ton of usable IP space. Almost. :)
 
 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is
 actually handing him a /29, or just 5 IPs out of a bigger subnet, and
 if they'll route that /29 to him.
 
 Nathan Eisenberg

Comcast allocated a /30 for my WAN interface and a /28 for my network use. They 
are in different class C address spaces.

Gordon Russell
Clarke County IT




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Ryan Rodrigue
 

- Original Message -
 From: Nathan Eisenberg nat...@atlasnetworks.us
 To: athom...@athompso.net, pfSense support and discussion
 list@lists.pfsense.org
 Sent: Friday, February 10, 2012 2:56:36 AM
 Subject: Re: [pfSense] pfSense help with creating rules
  I think the entire ISP operation I partly run has... three routers
  that support it, AFAIK. So for all practical intents and purposes,
  that doesn't exist for me.
 
  It would be nice, most definitely, if it were supported by more
  equipment, but it's just not (in my corner of the world, anyway).
 
  So yes, for equipment that supports it, you're right - a /31 is the
  smallest IPv4-over-ethernet subnet.
 
  (There's also a philosophical point of whether Ethernet can ever
  truly be a PtP media even when physically connected PtP...)

 My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine
 (philosophy aside, it *works* over ethernet, even in a test case when
 'PtP' really meant 'these are the only two ports in the VLAN').
 Anything I own with an ARM chip (Mikrotik, Ubiquiti, or general
 embedded hardware) in it, and my PFsense boxen, don't support it at
 all. Very sad - some days, it almost makes me want to roll a bunch of
 iptables boxes and reclaim a ton of usable IP space. Almost. :)

 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is
 actually handing him a /29, or just 5 IPs out of a bigger subnet, and
 if they'll route that /29 to him.

 Nathan Eisenberg

Comcast allocated a /30 for my WAN interface and a /28 for my network use.
They are in different class C address spaces.

Gordon Russell
Clarke County IT


 I understand what you are trying to accomplish, I think.  Just as a stupid
thought, could you simply set up virtual IPs for the addresses you are
trying to use and set up 1:1 NAT and forward them to the internal servers?  I
understand this means you will have to use NAT.  You may be trying to avoid
this, but it seems like a much easier solution.  It also seems more
flexible.

Hope this helps,
Ryan





Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
Hi Nathan,

 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is 
 actually handing him a /29, or just 5 IPs out of a bigger subnet, and if 
 they'll route that /29 to him.
I am a little confused at how I would know if they are handing me a /29 or just 
5 IP's?

range: 75.xx.xx.25 - .29
subnet: 255.255.255.248 (which is /29, IIRC)
GW: 75.xx.xx.30

I have a trouble ticket in as well as an e-mail to my sales rep who works
directly for their head of Operations, so I am hoping bringing in the big brass
will help me get this going today.

On the other hand, I explored Sonic.net and they are willing to run a 3/3Mbps 
symmetrical ethernet service with free setup and a free Cisco 2600, 16 IP's and 
they said yes to a routed subnet /30 no problem, no additional charge.

But I am confused. Can anyone explain to me which is really a better deal?
Comcast 50 x 10 for $169/mo or Sonic.net 3/3mbps $274/mo

I get that Comcast is faster, but it is shared traffic, right? Where this
3/3mbps would be all dedicated to me? I still don't understand a real world
speed comparison though. Can anyone explain a bit about measuring traffic?

We are an NPO, we create datasets and allow users to crawl the web for topics 
of interest and we work that data for them. We are going live here soon. If 
anyone wants more details about what we do and how we are going to do it and 
the hardware we are thinking about, ask. I'd love to chat.

-Jason




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
Hi,
 On Fri, Feb 10, 2012 at 11:00 AM, Jason T. Slack-Moehrle
 slackmoeh...@gmail.com wrote:
  I am a little confused at how I would know if they are handing me a /29 or 
  just 5 IP's?
   
  range: 75.xx.xx.25 - .29
  subnet: 255.255.255.248 (which is /29, IIRC)
  GW: 75.xx.xx.30
  
  
 Comcast has routed that /29 to your cable modem, and made those IPs
 visible to you on the inside. They are not routing the /29 to your
 pfSense box, else the pfSense box would have to have its own very own
 IP address outside of that /29, and that'd be a total waste of address
 space the IP for your firewall would need to be a /29 to route them to
 you anyway (at least if you had any redundancy, such as a CARPed pair
 of firewalls.)

Yes, so it still stands that I need to have them create a /30 for me and route 
my /29 to the /30, put the /30 on my pfSense WAN port and the /29 on my DMZ…..

-Jason  




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Adrian Wenzel
- Original Message -
 From: Jason T. Slack-Moehrle slackmoeh...@gmail.com
 
 Hi,
  On Fri, Feb 10, 2012 at 11:00 AM, Jason T. Slack-Moehrle
  slackmoeh...@gmail.com wrote:
   I am a little confused at how I would know if they are handing me
   a /29 or just 5 IP's?

   range: 75.xx.xx.25 - .29
   subnet: 255.255.255.248 (which is /29, IIRC)
   GW: 75.xx.xx.30
   
   
  Comcast has routed that /29 to your cable modem, and made those IPs
  visible to you on the inside. They are not routing the /29 to your
  pfSense box, else the pfSense box would have to have its own very own
  IP address outside of that /29, and that'd be a total waste of address
  space the IP for your firewall would need to be a /29 to route them to
  you anyway (at least if you had any redundancy, such as a CARPed pair
  of firewalls.)
 
 Yes, so it still stands that I need to have them create a /30 for me
 and route my /29 to the /30, put the /30 on my pfSense WAN port and
 the /29 on my DMZ…..
 

I've deleted all the previous messages, so perhaps I'm missing something... but 
why not just use proxy arp and NAT, keep the /29 on the WAN, and have your DMZ 
et al use reserved private IPs?

Comcast may be unwilling to waste a /30 for your WAN, even if you're willing to 
pay.

Regards,
Adrian




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Ryan Rodrigue
 

 

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Jason T. Slack-Moehrle
Sent: Friday, February 10, 2012 10:00 AM
To: pfSense support and discussion
Subject: Re: [pfSense] pfSense help with creating rules

 

Hi Nathan,

 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is
actually handing him a /29, or just 5 IPs out of a bigger subnet, and if
they'll route that /29 to him.
I am a little confused at how I would know if they are handing me a /29 or
just 5 IP's?

range: 75.xx.xx.25 - .29
subnet: 255.255.255.248 (which is /29, IIRC)
GW: 75.xx.xx.30

I have a trouble ticket in as well as an e-mail to my sales rep who works
directly for their head of Operations, so I am hoping bringing in the big
brass will help me get this going today.

On the other hand, I explored Sonic.net and they are willing to run a
3/3Mbps symmetrical ethernet service with free setup and a free Cisco 2600,
16 IP's and they said yes to a routed subnet /30 no problem, no additional
charge.

But I am confused. Can anyone explain to me which is really a better deal?
Comcast 50 x 10 for $169/mo or Sonic.net 3/3mbps $274/mo

I get that Comcast is faster, but it is shared traffic, right? Where this
3/3mbps would be all dedicated to me? I still don't understand a real world
speed comparison though. Can anyone explain a bit about measuring traffic?

We are an NPO, we create datasets and allow users to crawl the web for
topics of interest and we work that data for them. We are going live here
soon. If anyone wants more details about what we do and how we are going to
do it and the hardware we are thinking about, ask. I'd love to chat.

-Jason

Comcast is faster, but is not dedicated.  You should always get the same
speeds (or reasonably close) with Sonic.  You may also have an SLA with
Sonic.  I am sure you don't have that with Comcast.  That said,  all use
ISP's are shared traffic.  It is either shared via the same wire, or with
DSL shared at the DSLAM or in all cases shared at the head office.  It is
very difficult for an ISP with say 1,000 customers at 10megs each to pay for
a 10G so they can all have dedicated traffic.  This gets worse as the number
goes up.  ISP's understand that not all users will use the bandwidth at the
same time so they have way less than they sell.  For instance one service
provider here locally has a single OS3 (45Meg) link and offers a 6 meg
internet connection.  They have a couple of hundred users.  200 x 6 = 1.2
Gigs.  Way less than what they have.  However, the 45Meg link is very rarely
saturated.  The better business oriented ISP's will prioritize business
customers over residential customers and have a lower ratio of what's sold
to what's available.  I can tell you that Comcast Business in South
Louisiana has a very good service and I have never measured less than 10
down and 4 up.  This beats your 3/3 hands down.  The same may not be
true in your area as every area is different.  Comcast does not however
offer to have a routed subnet as you are asking.  They provide 5 IP addresses
that you can access directly on their modem.  You can get 14 addresses and
subnet yourself, but that really wastes a lot of IP addresses.  You could
also set up to bridge the DMZ and WAN and run a filtered bridge setup.





Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
Hi Ryan,


 I am a little confused at how I would know if they are handing me a /29 or 
 just 5 IP's?
  
 range: 75.xx.xx.25 - .29
 subnet: 255.255.255.248 (which is /29, IIRC)
 GW: 75.xx.xx.30
  
 Comcast is faster, but is not dedicated. You should always get the same
 speeds (or reasonably close) with Sonic. You may also have an SLA with Sonic.
 I am sure you don’t have that with Comcast. That said, all use ISP’s are
 shared traffic. It is either shared via the same wire, or with DSL shared at
 the DSLAM or in all cases shared at the head office. It is very difficult for
 an ISP with say 1,000 customers at 10megs each to pay for a 10G so they can
 all have dedicated traffic. This gets worse as the number goes up. ISP’s
 understand that not all users will use the bandwidth at the same time so they
 have way less than they sell. For instance one service provider here locally
 has a single OS3 (45Meg) link and offers a 6 meg internet connection. They
 have a couple of hundred users. 200 x 6 = 1.2 Gigs. Way less than what they
 have. However, the 45Meg link is very rarely saturated. The better business
 oriented ISP’s will prioritize business customers over residential customers
 and have a lower ratio of what’s sold to what’s available. I can tell you
 that Comcast Business in South Louisiana has a very good service and I have
 never measured less than 10 down and 4 up. This beats your 3/3 hands down.
 The same may not be true in your area as every area is different.
 Comcast does not however offer to have a routed subnet as you are asking. They
 provide 5 IP addresses that you can access directly on their modem. You can
 get 14 addresses and subnet yourself, but that really wastes a lot of IP
 addresses. You could also set up to bridge the DMZ and WAN and run a filtered
 bridge setup.
Wait, are you saying I could just pay Comcast for 14 addresses and create a 
routed subnet myself and not have them do it?

Or could I just have them create for me a 2nd IP block of 1 IP, load that on 
the modem with my block of 5 and somehow created a routed subnet from the /31 
to my /29 without them? so that pfSense is setup the correct way?

Sorry for the confusion!

-Jason




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Adam Thompson
 Wait, are you saying I could just pay Comcast for 14 addresses and
 create a routed subnet myself and not have them do it?

 Or could I just have them create for me a 2nd IP block of 1 IP, load
 that on the modem with my block of 5 and somehow created a routed
 subnet from the /31 to my /29 without them? so that pfSense is setup
 the correct way?

 Sorry for the confusion!

 -Jason

Actually, that's a very good point - in a broadband network, there is NO 
requirement whatsoever for the upstream link to be a /30, or even anything 
vaguely resembling a PtP link.  As long as there's a route entered in 
their routing table pointing to you, there is no waste of IP addresses to 
accommodate your route.  Your router could easily be one of 16k other 
devices in a subnet, it wouldn't matter.  ISPs generally allocate that /30 
for manageability and security reasons, but most of those issues don't 
exist in a HFC network like Comcast's.

More realistically, they probably still don't want to be bothered :-).
One other poster reported success, however, in getting a routed setup from
Comcast, so perhaps your quest isn't futile after all.

No, however, you can't quite do what you're talking about - at least not 
without proxy ARP or bridging, which brings you right back to the original 
set of suggestions.  Comcast's router expects to be able to ARP for all 
the addresses they're assigning you, and if it can't that address 
effectively becomes unreachable.  Proxy ARP is even more evil than setting 
up two firewalls, in most cases - it's nearly impossible to troubleshoot 
if anything goes wrong, and then you still have to do port forwarding or 
bridging behind that.  (Any port forwarding, including pfSense's virtual 
IP, does something much like proxy ARP, but manageable.)

-Adam Thompson
 athom...@athompso.net





Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
HI,
 Wait, are you saying I could just pay Comcast for 14 addresses and create a 
 routed subnet myself and not have them do it?
 
 Or could I just have them create for me a 2nd IP block of 1 IP, load that on 
 the modem with my block of 5 and somehow created a routed subnet from the /31 
 to my /29 without them? so that pfSense is setup the correct way?

OK, Comcast called me back and they are saying for me to:

1. load my /29 on the WAN port of the pfsense box
2. Create a vlan for something like 10.0.0.x
3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
4. Assign my servers a 10.0.0.x address, etc

They say they cannot create a routed subnet for me because the modems they use 
cannot handle loading of multiple IP blocks.

Is this viable?

-Jason


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Moshe Katz
On Fri, Feb 10, 2012 at 2:50 PM, Jason T. Slack-Moehrle 
slackmoeh...@gmail.com wrote:

 HI,
  Wait, are you saying I could just pay Comcast for 14 addresses and
 create a routed subnet myself and not have them do it?
 
  Or could I just have them create for me a 2nd IP block of 1 IP, load
 that on the modem with my block of 5 and somehow created a routed subnet
 from the /31 to my /29 without them? so that pfSense is setup the correct
 way?

 OK, Comcast called me back and they are saying for me to:

 1. load my /29 on the WAN port of the pfsense box
 2. Create a vlan for something like 10.0.0.x
 3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
 4. Assign my servers a 10.0.0.x address, etc

 They say they cannot create a routed subnet for me because the modems they
 use cannot handle loading of multiple IP blocks.

 Is this viable?

 -Jason


At my office, we have a /27 from our Paetec T1 and a /28 from our Verizon
FiOS.  We created Virtual IPs for all of the addresses and we are using
1:1 NAT for all of our servers which themselves have private IPs.  It works
just fine.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Adam Thompson
 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
 Sent: Friday, February 10, 2012 1:51 PM
 To: pfSense support and discussion
 Subject: Re: [pfSense] pfSense help with creating rules

 HI,
  Wait, are you saying I could just pay Comcast for 14 addresses and
 create a routed subnet myself and not have them do it?
 
  Or could I just have them create for me a 2nd IP block of 1 IP,
 load that on the modem with my block of 5 and somehow created a
 routed subnet from the /31 to my /29 without them? so that pfSense
 is setup the correct way?

 OK, Comcast called me back and they are saying for me to:

 1. load my /29 on the WAN port of the pfsense box
 2. Create a vlan for something like 10.0.0.x
 3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
 4. Assign my servers a 10.0.0.x address, etc

 They say they cannot create a routed subnet for me because the
 modems they use cannot handle loading of multiple IP blocks.

 Is this viable?

 -Jason


So, as expected, they recommend port forwarding.  (1:1 NAT is a special 
case of port forwarding, or vice-versa depending on how you want to look 
at it.)

The excuse about the modem not handling it is complete BS; what they
really mean is "we don't have an operational procedure to support this,
and we don't feel like developing one, so we'll make up a
plausible-sounding technical reason".

They'll be using a Cisco uBR7206 at the very minimum to handle HFC 
routing; it might not be Cisco in your area, or it might not be a uBR 
platform, but your next-hop router WILL be capable enough to handle a 
single static route.  All the modem has to do is its traditional function 
of bridging a single MAC address back and forth over the wire.  Depending 
on the modem, they *may* have to turn off some of the IP security features 
(snooping) in the modem.

However, there's nothing that says you have the right to a 
properly-routed subnet - Comcast has no obligation whatsoever to provide 
this service to you at any price.  It doesn't really matter, as you have 
two other viable options available to you (NAT and bridging, or both if 
you want a traditional DMZ).

The other thing is - even if you get a routed subnet out of Comcast, do 
you really want to be the guinea pig in your operating territory?  Relying 
on something where you're the only customer affected if something goes 
wrong is a good way to garner a lot of needless downtime.  If you're using 
the regular service, and something goes wrong, you'll be back in 
business as soon as everyone else is - which is usually fairly quickly, 
because HFC network outages tend to be all-or-nothing events. 
Standardization would be, IMHO, worth the extra complexity and/or effort. 
This is the way I set up any firewall on a cable modem nowadays; even DSL 
providers are starting to adopt this model for small business customers 
(i.e. /28 or smaller) in some cases.

Or, in short: yes, just go with what Comcast wants you to do.  You can 
create a separate DMZ if you want to keep the servers off your LAN, if 
necessary.  It's not usually necessary unless you're running a public 
website.  (Which, BTW, might violate your Comcast Terms of Service - check 
to be sure.  No sense getting shut down by your ISP for something 
avoidable.)

-Adam Thompson
 athom...@athompso.net





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Jason T. Slack-Moehrle
Hi 
  I restarted the pfSense box and noticed that when it rebooted it had:
  
  WAN (wan) -- em1 -- 75.xx.xx.28
  LAN (lan) -- em3 -- 172.16.254.1
  DMZ (opt1) -- em2 -- NONE
  
  That is correct, right, since my servers in 75.xx.xx.xx are on the
  DMZ? Do I have to do anything to tell pfSense it should answer for my
  IP's? I recall when I ran untangle I had to tell it what IP's to
  answer for.
 
 If you don't have an IP address for opt1 (DMZ), that would mean that 
 you're bridging with WAN? I think you should be routing instead, but I 
 don't know exactly your goals.

Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with a 
gateway of .30 

So I have a few other public IP's on servers that I wanted on a DMZ. Just port 
80 actually.

So I want traffic on port 80 coming in through WAN getting routed to .27 which 
is on the DMZ. That way people hit my domain they get that box.

So far I am not having luck getting this to work. I certainly have a 
misunderstanding, I am just not sure what.

-Jason





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Nathan Eisenberg
> Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with
> a gateway of .30
>
> So I have a few other public IP's on servers that I wanted on a DMZ.
> Just port 80 actually.
>
> So I want traffic on port 80 coming in through WAN getting routed to
> .27 which is on the DMZ. That way people hit my domain they get that
> box.
>
> So far I am not having luck getting this to work. I certainly have a
> misunderstanding, I am just not sure what.
>
> -Jason

Ok, so it sounds like your provider handed you a /29.  To firewall that behind 
pfSense, you need them to route that /29 to you over a /30.  The /30 goes on 
the WAN interface, the /29's gateway IP goes on your DMZ interface.

You can use bridging mode to work around this, but the right way to do it is 
with routing as described above.

Nathan Eisenberg


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Adam Thompson
> > Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29
> > with a gateway of .30
> > So I have a few other public IP's on servers that I wanted on a
> > DMZ.  Just port 80 actually.
> > So I want traffic on port 80 coming in through WAN getting routed
> > to .27 which is on the DMZ. That way people hit my domain they get
> > that box.
> > So far I am not having luck getting this to work. I certainly have
> > a misunderstanding, I am just not sure what.
> > -Jason
> Ok, so it sounds like your provider handed you a /29.  To firewall
> that behind pfSense, you need them to route that /29 to you over a
> /30.  The /30 goes on the WAN interface, the /29's gateway IP goes
> on your DMZ interface.
> You can use bridging mode to work around this, but the right way to
> do it is with routing as described above.
> Nathan Eisenberg

While I agree with Nathan about which is the right way to do it, the 
vast majority of ISPs won't have a clue what you're talking about.  Or, 
like most ISPs here, you might find someone who understands, but tells you 
they simply can't do it (or don't offer that as a product).  There's a 
very high probability you'll be forced to do it the 'wrong' way, at which 
point you do have more than one option.

Port forwarding is a common solution to this problem, more so than 
bridging in my experience.  You bind the entire /29 range of IPs to the 
public (WAN) interface on your firewall, and use two different private 
address ranges on your DMZ and your LAN.  Set up port-forwarding from the 
WAN to the DMZ interface, and then use regular firewall rules to regulate 
traffic between the LAN and the DMZ.

One notable downside to this technique is that it pretty much calls for 
split DNS; if your outside service is known as www.mycompany.com which 
resolves to (e.g.) 75.0.0.27, which is bound to the WAN and port-forwards 
to (e.g.) 192.168.200.27 (on the DMZ), you may want to enter an override 
in pfSense's DNS server so that when LAN clients request the IP for 
www.mycompany.com they get directed straight to 192.168.100.27 without 
going through the port forwarding.

Or you can just rely on the NAT Reflection feature if you don't want to 
use split DNS, but that creates some subtle issues with certain 
applications and protocols.  I find that split DNS works best, as long as 
ALL the systems are pointing to your pfSense box for DNS resolution.  (Or 
to another DNS server, it doesn't matter as long as every system behind 
the firewall sees the same information.)

The alternative is, as Nathan mentioned, bridging, wherein you either set 
up two firewalls (one in transparent mode, one in NAT mode), or a very 
complex setup on a single firewall.

Note that doing anything other than the right solution (routing it properly) 
will increase the amount of horsepower you need in a firewall, and 
probably slightly decrease overall throughput.  This decrease may be 
negligible if you're running pfSense on a fast-enough server, and you 
probably won't be able to notice it anyway if you aren't running gigabit 
Ethernet speeds.

-Adam Thompson
 athom...@athompso.net





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Jason T. Slack-Moehrle
> The alternative is, as Nathan mentioned, bridging, wherein you either set
> up two firewalls (one in transparent mode, one in NAT mode), or a very
> complex setup on a single firewall.
>
> Note that doing anything other than the right solution (routing it properly)
> will increase the amount of horsepower you need in a firewall, and
> probably slightly decrease overall throughput.  This decrease may be
> negligible if you're running pfSense on a fast-enough server, and you
> probably won't be able to notice it anyway if you aren't running gigabit
> Ethernet speeds.

Can I use at all the Comcast modem that is already acting as a
bridge, as my understanding is it allows all traffic for my 5 IP's
through?


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Jason T. Slack-Moehrle
On Thu, Feb 9, 2012 at 1:24 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
> > Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with
> > a gateway of .30
> >
> > So I have a few other public IP's on servers that I wanted on a DMZ.
> > Just port 80 actually.
> >
> > So I want traffic on port 80 coming in through WAN getting routed to
> > .27 which is on the DMZ. That way people hit my domain they get that
> > box.
> >
> > So far I am not having luck getting this to work. I certainly have a
> > misunderstanding, I am just not sure what.
> >
> > -Jason
>
> Ok, so it sounds like your provider handed you a /29.  To firewall that
> behind pfSense, you need them to route that /29 to you over a /30.  The
> /30 goes on the WAN interface, the /29's gateway IP goes on your DMZ
> interface.

OK, so I called Comcast and explained exactly the above about the /29
routed to a /30 and the representative was clueless, so I asked them
to open up a ticket and escalate to a tier 2 tech. We shall see what
they say.

This obviously means that they will create a new block of public IP's
for the /30 in addition to the 5 that I already have in the /29.

This seems easier to pay them for that than host and deal with more
equipment in my location.


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Adam Thompson
> OK, so I called Comcast and explained exactly the above about the
> /29 routed to a /30 and the representative was clueless, so I asked
> them to open up a ticket and escalate to a tier 2 tech. We shall see
> what they say.
>
> This obviously means that they will create a new block of public
> IP's for the /30 in addition to the 5 that I already have in the
> /29.
>
> This seems easier to pay them for that than host and deal with more
> equipment in my location.

Every inter-router link must have at least two IP addresses, one for each 
router.  The smallest possible subnet in IPv4-over-ethernet that can 
contain two addresses is a /30.

What did Comcast tell you to use as the subnet mask for your 5 addresses? 
If it's anything other than 255.255.255.248, you don't have a /29 at all, you 
just have six individual IPs in a larger subnet that are allocated to you. 
I'll bet you're merely part of a much larger subnet.

In fact, I would recommend just forgetting about the whole notion of using 
a router properly, with Comcast.  (Anyone with differing experience - 
please let us all know how you managed to get them to do routed IP!)  Most 
MSOs (cable operators) run extremely large subnets (my cable modem at home 
is running on a /22 subnet!) and use relatively strange L2 (bridging) 
features to make their networks work.
And, speaking as an ISP operator, that does make sense for that kind of 
technology and the network design it mandates.  It does complicate matters 
for you, however.
The upside is that it's much cheaper for Comcast to do it that way than 
for a traditional ISP to allocate you a router port.  This only rarely 
translates to cheaper service for you - it usually just translates to more 
profit for Comcast.

-Adam Thompson
 athom...@athompso.net
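
The subnet-mask check from the message above, as an added example that is not part of the original thread: it derives the subnet from the gateway and the mask the ISP quoted, and reports whether the assigned addresses fill that subnet or are a slice of a larger one. The 203.0.113.x addresses are constructed stand-ins for the sanitized 75.xx.xx.25 - .29 range, and the function names are this example's own.

```python
import ipaddress


def usable_hosts(prefixlen):
    """Usable host addresses in an IPv4 subnet under the classic rule
    (network and broadcast addresses are reserved)."""
    return max(2 ** (32 - prefixlen) - 2, 0)


def smallest_prefix_for(hosts):
    """Longest prefix (smallest subnet) that still holds `hosts` usable addresses."""
    for prefixlen in range(32, -1, -1):
        if usable_hosts(prefixlen) >= hosts:
            return prefixlen
    raise ValueError("too many hosts for one IPv4 subnet")


def classify_allocation(assigned, gateway, netmask):
    """Compare the addresses an ISP assigned with the subnet its mask implies."""
    # strict=False lets us pass a host address (the gateway) plus a mask.
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    members = {ipaddress.ip_address(a) for a in assigned}
    members.add(ipaddress.ip_address(gateway))
    outside = sorted(str(a) for a in members if a not in net)
    inside = [a for a in members if a in net]
    # Host addresses in the subnet that are neither yours nor the gateway.
    not_yours = usable_hosts(net.prefixlen) - len(inside)
    return {
        "network": str(net),
        "prefixlen": net.prefixlen,
        "outside_subnet": outside,
        "hosts_not_yours": not_yours,
        "dedicated_subnet": not outside and not_yours == 0,
    }


# Constructed sample: five assigned addresses and a gateway, as in the thread.
ASSIGNED = [f"203.0.113.{n}" for n in range(25, 30)]
GATEWAY = "203.0.113.30"

if __name__ == "__main__":
    # 255.255.255.248 is the /29 case; 255.255.252.0 is a /22 like the
    # cable-modem subnet mentioned in the message.
    for mask in ("255.255.255.248", "255.255.252.0"):
        print(mask, classify_allocation(ASSIGNED, GATEWAY, mask))
    print("smallest subnet for a two-router link: /%d" % smallest_prefix_for(2))
```
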




Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Nathan Eisenberg
> Every inter-router link must have at least two IP addresses, one for
> each router.  The smallest possible subnet in IPv4-over-ethernet that
> can contain two addresses is a /30.

Well, if you want to get technical, the minimum possible subnet in IPv4 over 
Ethernet is actually a /31.  $employer uses these religiously in PtP Ethernet 
links, and they work flawlessly.  Unfortunately, *BSD doesn't seem to implement 
RFC3021, which is really a pity, because it means all my firewalls use twice as 
many IPs as necessary on their uplinks.

http://tools.ietf.org/html/rfc3021

But IPv6 solves all that with its utterly inexhaustible address space.  Hurrah. 
 Oh, wait, we still have to do IPv4 for some time?  Guess we're stuck with 
RFC1918 addresses for PtP links once the runout is done.  Oh well, who needed 
functional inter-AS tracerouting anyways?

/podium

Nathan Eisenberg


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Adam Thompson
> Well, if you want to get technical, the minimum possible subnet in
> IPv4 over Ethernet is actually a /31.  $employer uses these
> religiously in PtP Ethernet links, and they work flawlessly.
> Unfortunately, *BSD doesn't seem to implement RFC3021, which is
> really a pity, because it means all my firewalls use twice as many
> IPs as necessary on their uplinks.
>
> http://tools.ietf.org/html/rfc3021
>
> But IPv6 solves all that with its utterly inexhaustible address
> space.  Hurrah.  Oh, wait, we still have to do IPv4 for some time?
> Guess we're stuck with RFC1918 addresses for PtP links once the
> runout is done.  Oh well, who needed functional inter-AS
> tracerouting anyways?
>
> /podium
>
> Nathan Eisenberg


I think the entire ISP operation I partly run has... three routers that 
support it, AFAIK.  So for all practical intents and purposes, that 
doesn't exist for me.

It would be nice, most definitely, if it were supported by more equipment, 
but it's just not (in my corner of the world, anyway).

So yes, for equipment that supports it, you're right - a /31 is the 
smallest IPv4-over-ethernet subnet.

(There's also a philosophical point of whether Ethernet can ever truly be 
a PtP media even when physically connected PtP...)

-Adam





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Nathan Eisenberg
> I think the entire ISP operation I partly run has... three routers that
> support it, AFAIK.  So for all practical intents and purposes, that
> doesn't exist for me.
>
> It would be nice, most definitely, if it were supported by more equipment,
> but it's just not (in my corner of the world, anyway).
>
> So yes, for equipment that supports it, you're right - a /31 is the smallest
> IPv4-over-ethernet subnet.
>
> (There's also a philosophical point of whether Ethernet can ever truly be a
> PtP media even when physically connected PtP...)

My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine (philosophy 
aside, it *works* over ethernet, even in a test case when 'PtP' really meant 
'these are the only two ports in the VLAN').  Anything I own with an ARM chip 
(Mikrotik, Ubiquiti, or general embedded hardware) in it, and my PFsense boxen, 
don't support it at all.  Very sad - some days, it almost makes me want to roll 
a bunch of iptables boxes and reclaim a ton of usable IP space.  Almost.  :)

Anyways, didn't mean to hijack the OP!   Interested to see if Comcast is 
actually handing him a /29, or just 5 IPs out of a bigger subnet, and if 
they'll route that /29 to him.

Nathan Eisenberg


[pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hello All,

I built a box dedicated to pfSense, 3 NICS. WAN, LAN, what I thought would be a 
DMZ for my hosting.

WAN works.

LAN works as I can plug directly into that card, get an IP and get out to
wherever.

I am having trouble with DMZ as I thought it would be as simple as going from 
DMZ -> SWITCH -> MY SERVERS WITH PUBLIC IP'S

I am trying to open up port 80 coming from WAN to a specific address 
(75.xx.xx.27) which is plugged in the switch.

Nothing. I cannot reach it. I plug the server into my cable modem directly 
(which is acting in pass through) and I can get to the server just fine.

So I am confused on setting up rules I think. 

Right Now I have a rule on WAN

source: any
port: any
Dest: 75.xx.xx.29
Start port: 80
End port: 80

Can anyone help me? I have tried creating rules the same from LAN and DMZ

Is there a setting I must set to allow me to see my public boxes on the DMZ 
from behind the LAN?

-Jason


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hi David,
> > I am having trouble with DMZ as I thought it would be as simple as going
> > from DMZ -> SWITCH -> MY SERVERS WITH PUBLIC IP'S
>
> Do you have advanced outbound NAT enabled? You will need it. It will
> auto-create rules for LAN and DMZ, just delete the ones for the DMZ to
> allow straight routing of the public IPs.

I do see that: 'Automatic outbound NAT rule generation' is indeed on.

-Jason




Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread David Burgess
On Wed, Feb 8, 2012 at 5:07 PM, Jason T. Slack-Moehrle
slackmoeh...@gmail.com wrote:


> I do see that: 'Automatic outbound NAT rule generation' is indeed on.



Right, so your public IPs are getting NATed on their way through
pfsense. Turn it off (ie, from automatic to advanced).

db


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hi David,

> > I do see that: 'Automatic outbound NAT rule generation' is indeed on.
>
> Right, so your public IPs are getting NATed on their way through
> pfsense. Turn it off (ie, from automatic to advanced).

Indeed I have tried that as well.

So then I would create a rule from WAN to a specific IP on the
DMZ for any 80? I have had that rule in place but I don't get the site
when I hit it.

-Jason


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread David Burgess
On Wed, Feb 8, 2012 at 5:13 PM, Jason T. Slack-Moehrle
slackmoeh...@gmail.com wrote:

> So then I would create a rule from WAN to a specific IP on the
> DMZ for any 80? I have had that rule in place but I don't get the site
> when I hit it.

I think you're still talking about inbound NAT (aka, port forwards),
which you don't need.

You need to turn on outbound NAT and then delete every rule that is
not sourced from your LAN. Then you need a firewall pass rule on the
DMZ to let out what you want out, and a pass rule on the WAN to let in
every source to dst port 80/TCP.

db


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Nathan Eisenberg
> am I missing something obvious? Would I need to possibly restart the
> server itself or any switches?

You're hitting the default deny rule on the DMZ interface.  Rules on all 
interfaces are processed as 'inbound' to that interface - so return traffic 
from an HTTP request would be sourced from :80 with a destination of * (random 
source port the client OS picked).  You have a rule which allows traffic from 
any port TO :80, so you're blocking your server's replies.

The easiest thing would be to create a rule which allows all traffic sourced 
from your DMZ subnet on the DMZ interface, since that's your outbound.  That 
gives you a typical default deny in, default allow out behavior.

Also - go to Status -> System Logs -> Firewall.  If you have 'log packets blocked 
by the default deny rule', you'll get useful feedback about what's getting 
blocked and why.  Alternatively, you can create a deny deny at the bottom of 
your interface's rules with the 'log' flag on, and get the blocked packets that 
way.

Nathan Eisenberg


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hi Nathan,

> > am I missing something obvious? Would I need to possibly restart the
> > server itself or any switches?
>
> You're hitting the default deny rule on the DMZ interface.  Rules on all
> interfaces are processed as 'inbound' to that interface - so return traffic
> from an HTTP request would be sourced from :80 with a destination of *
> (random source port the client OS picked).  You have a rule which allows
> traffic from any port TO :80, so you're blocking your server's replies.
>
> The easiest thing would be to create a rule which allows all traffic sourced
> from your DMZ subnet on the DMZ interface, since that's your outbound.  That
> gives you a typical default deny in, default allow out behavior.

I restarted the pfSense box and noticed that when it rebooted it had:

WAN (wan) -- em1 -- 75.xx.xx.28
LAN (lan) -- em3 -- 172.16.254.1
DMZ (opt1) -- em2 -- NONE

That is correct, right, since my servers in 75.xx.xx.xx are on the
DMZ? Do I have to do anything to tell pfSense it should answer for my
IP's? I recall when I ran untangle I had to tell it what IP's to
answer for.

Here is the only rule I have on DMZ,

http://6colors.net/dmz.png

but I still cannot reach the server on port 80 coming from LAN or even
if I RDC to the outside someplace and come in via a browser.

-Jason