Re: [pfSense] Open VPN configure ( Urgent)
Amit Saxena wrote on Sun, Mar 22 2015 at 12:40 pm:
> My pfsense has 2 nic
> Wan 192.168.1.4
> Lan 192.168.2.1
> Client machine Xp lan 192.168.2.4
> First I created server certificate

If your client PC is on the LAN, to what network are you VPNning on the pfSense router? (if your client PC is on a different network and you are trying to get to the LAN, you need a different subnet on the client end otherwise packets won't route)

Some pitfalls: wildcard certs don't work. Real certs don't seem to work, it wants to use one created on your pfSense box. Therefore you must export your pfSense's CA (cert. authority) certificate and import it as a Trusted Root Certificate on your machine (that's what Windows calls it anyway). The IPv4 Tunnel Network needs to be something not used on either end, such as 10.9.8.0/24. Add firewall rules to the OpenVPN interface on pfSense.

--
Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
[pfSense] ARP for CARP
I'm testing a setup inside our office that will eventually drop into a data center, so for now have our office router (also pfSense) set up with a virtual IP (64.79.96.145) and a gateway and static route to direct 64.79.96.144/29 to the new router's WAN IP of 64.79.96.149. That setup works from within my office, and I can ping 64.79.96.149 and 64.79.96.150 which I plan to use as the shared CARP IP.

However when I update the office router's gateway and hence route above to use the .150 CARP IP, the office router cannot find the .150 address, and pinging .150 yields Destination host unreachable since it doesn't think it has anywhere to send the routed traffic. I noticed our office router does not detect an ARP entry for the CARP IP. Is there a reason and/or a way to force that? Does it take more than a few minutes? It detects an ARP entry for 64.79.96.149 just fine. It also doesn't have an ARP entry for 64.79.96.148 which is the WAN IP of the second router.

--
Steve Yates
ITS, Inc.
Re: [pfSense] ARP for CARP
Steve Yates wrote on Wed, Mar 18 2015 at 7:02 pm:
> and pinging .150 yields Destination host unreachable since it doesn't think it has anywhere to send the routed traffic. I noticed our office router does not detect an ARP entry for the CARP IP.

Turns out there was a stray static route defined for that IP block that was already being handled by the IP alias I'd attached to the LAN interface. Works better now.
Re: [pfSense] Running as a VM, multiple WAN subnets
Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:
> Hopefully the provider can just route the additional subnet to your existing WAN IP. Then you don't need to do anything with CARP/HA except make sure primary and secondary are both set up to deal with the routed traffic.

I think sleep deprivation gets worse after 40...due to 1 year old in my case. After I straightened out some things in my head, the above is what we're pursuing with the DC. It will take a /29 block for the WAN (to get 3 IPs) plus a separate block for the LAN side. I'm also looking at using one of the unused IPs from the /29 to provide NAT to a separate network on private IPs.

--
Thanks all,
Steve Yates
ITS, Inc.
Re: [pfSense] CARP sync of skew results in blank Status on backup router, breaking failover
Steve Yates wrote on Wed, Mar 25 2015 at 1:22 pm:
> In my other thread, diagnosing why failback only moved back the WAN IPs, if the physical host had its network restarted underneath my router VM.

Sorry, had that backwards FWIW; it only moved back the LAN. Again, not a normal situation but I had added IPv6 settings and shortcutted a full restart, then chased this issue when I lost access to my testbed despite having two routers running.

--
Steve Yates
ITS, Inc.
Re: [pfSense] pfSense 2.2.1 HA setup does not sync states
Raimund Sacherer wrote on Fri, Mar 27 2015 at 4:33 am:
> Because I can't believe that what I see (State sync not applying, Gateways not correctly showing up in pftop/state diagnostic) is general in 2.2(.1). Others would have noticed in Beta/long before me.

States seem to be syncing just fine for me. Is your firewall log set to show packets logged by the default block rule?

--
Steve Yates
ITS, Inc.
Re: [pfSense] newbie question
Pol Hallen wrote on Mon, Mar 23 2015 at 5:09 am:
> adsl -- server1 -- WAN pfsense (2 NICs) LAN -- internal lan
> (I know that pfsense should be after adsl modem)
> does pfsense run correctly with this configuration?
> WAN to server1
> LAN1 to internal lan
> or I must add a third NIC and connect LAN1 to server1 and LAN2 to internal lan?

Is pfSense running on server1? Or is server1 supposed to be in a DMZ? If pfSense is separate from server1, then yes you will need another NIC. Otherwise all Internet traffic will go to server1 and not get to pfSense. Or, if server1 connects to the Internet directly, and pfSense connects to the Internet separately (so they are in parallel), and you have two WAN IP addresses, that will work.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Running as a VM, multiple WAN subnets
> Using CARP implies that you care about reliability during edge cases and partial failures. If so, then you need to do it right and use 3 IPs where you want 1 carp.

I hear you. I guess part of me just dislikes the possibility of wasting 12 or 18 IPs (6 per subnet) a few years down the road, and yet getting a block of 128 that might never get used is possible also... Just wanted to make sure I wasn't missing something.

Steve
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve Yates wrote on Mon, Mar 2 2015 at 1:05 am:
> the scenario is: no NAT, multiple public IPs in use on the LAN side from two different subnets, and pfSense acting as a firewall.

I received an email directly...to perhaps shorten my example, if we have two public subnets 1.1.1.0/28 and 2.2.2.0/28, I would like to use both of those subnets on different servers, use pfSense as the firewall, and use CARP. Is there a way to do that and minimize the number of IPs used? The easy/default way it seems to be would be to use 6 public IPs from each subnet, 3 for CARP on the WAN side, 3 for CARP on the LAN side, and duplicate that for the second subnet.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve Yates wrote on Mon, Mar 2 2015 at 9:09 am:
> I received an email directly...to perhaps shorten my example, if we have two public subnets 1.1.1.0/28 and 2.2.2.0/28, I would like to use both of those subnets on different servers, use pfSense as the firewall, and use CARP. Is there a way to do that and minimize the number of IPs used?

Having had more coffee...by "on different servers" let's assume 8 IPs in each subnet would be in use. I'm trying to plan for a couple years down the road when we need more IPs from the data center, to see if it's better to get a larger block now even though it won't all be used for a while.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve Yates wrote on Fri, Feb 27 2015 at 12:29 pm:
> Two WAN IP, two LAN IP, and two more for sync.

And reading this, I didn't write what I meant, so to just correct it all, 3 WAN, 3 LAN, and 2 for sync.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Running as a VM, multiple WAN subnets
Chris L wrote on Fri, Feb 27 2015 at 3:34 pm:
> On Feb 27, 2015, at 12:37 PM, Steve Yates wrote:
>> Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:
>>> Hopefully the provider can just route the additional subnet to your existing WAN IP. Then you don't need to do anything with CARP/HA except make sure primary and secondary are both set up to deal with the routed traffic.
>>
>> Would that require three LAN side public IPs for the two firewalls out of that second subnet also?
>
> It depends on what you want to do with them. If pfSense just routes them to another IP address, then no. You only need 3 IPs when you have to create a pfSense interface with HA.

It's been a long weekend and I'm missing something that's probably obvious...the scenario is: no NAT, multiple public IPs in use on the LAN side from two different subnets, and pfSense acting as a firewall. Subnet 1 would need a shared CARP IP and officially two others for WAN on both firewalls (but see below) and the same thing duplicated on the LAN side. The servers on subnet 1 would use the CARP LAN IP from subnet 1 as their gateway. If subnet 2 is routed by the data center to subnet 1's CARP IP, then the way I read the docs it will get to pfSense if I set up an Other virtual IP type, correct? Does pfSense then need to use a public IP Alias from subnet 2 on its LAN side CARP interface to be the gateway for subnet 2? Or if I read the IP Alias section a few more times, does it mean that it would still need the three public IPs for three LAN side aliases (aliases on the two interfaces plus a third alias for the CARP LAN interface)?

I found this forum thread which points out that, as you suggested in another message, using three public IPs on the WAN side (and hopefully the LAN side) is apparently not required in v2.2: https://forum.pfsense.org/index.php?topic=87546.0

However I found another post which says in part:

> Without valid IPs on both, the secondary will not be able to independently check for updates or install packages. There would also be no way to directly manage the secondary from a remote location. It couldn't do DNS resolution to a remote DNS server, or even sync its clock to a remote time server.

https://forum.pfsense.org/index.php?topic=73584.msg404834#msg404834

...So those are good points. However does that mean only the second firewall would need a WAN side public IP? (presumably the master would use the CARP WAN IP for its communication, while it is online.) Regarding remote management, my tentative plan was to VPN to the CARP IP to access the firewalls from the LAN side.

--
Steve Yates
ITS, Inc.
Re: [pfSense] CARP authentication requires user admin?
Steve Yates wrote on Wed, Mar 18 2015 at 4:49 pm:
> If I enable the HA sync setting for Synchronize Config to IP with the backup node's IP, and Remote System Username and Password for the backup, I get errors on the master like:
>
> [ An authentication failure occurred while trying to access https://10.20.1.102:443 (pfsense.host_firmware_version).]
>
> On the backup, I get a message in the system log that xmlrpc authentication failed for user admin but I disabled admin and the web GUI uses the username/password I entered as Remote System Username and Password on the master. Is it hard coded to use admin? Or is the error message hard coded to display admin?

Also, it appears to sync the states just fine.
Re: [pfSense] CARP authentication requires user admin?
Steve Yates wrote on Wed, Mar 18 2015 at 4:49 pm:
> Is it hard coded to use admin?

Never mind, I reread the docs again. Enter admin for the Remote System Username (other usernames will not work
Re: [pfSense] CARP failover works but it only fails back the LAN
I am not sure this is related but it is weird/bad...I got around to setting the skew back to 0 for all CARP IPs on router1. pfSense (2.2.1) syncs the change to router2 so those skews change from 101 to 100. However afterwards router1 shows all five as Status of Master, and router2 shows all five with a blank Status. I must edit each of the five, save (without making changes) and only once changes are Applied the Status shows as Backup. That sounds like a configuration sync bug? I did see this when setting the skew from 0 to 1 earlier today and passed it off as I was clicking around a lot, but it seems to be repeatable.

--
Steve

Steve Yates wrote on Mon, Mar 23 2015 at 2:50 pm:
> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM (Parallels Cloud/Virtuozzo), and I run service network restart on the host for that VM, pfSense fails over the WAN interface but does not fail over the LAN interface. At that point external communication is lost because one router is handling LAN and one WAN. It does not seem to recover afterwards until the host is restarted (we're also using VLANs on the host level for the pfSense VM to use for its interfaces, so that may be a factor in having the host restart).
>
> Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if net.inet.carp.preempt=1 then the CARP interfaces should fail over together. Running sysctl net.inet.carp on pfSense shows net.inet.carp.preempt=1.
>
> If I reload the CARP status page on router2 quickly, I can see that the WAN and LAN interfaces correctly fail over so router2 is Master, however it almost immediately reverts so router2 is Master for WAN but router2 is Backup for LAN, and router1 is Master for LAN. How can I ensure they fail back together? Note that when I simply boot the host for router1, pfSense does fail over and back correctly! So something is making it not fail back on the network restart?
>
> For what it's worth we have IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an IPv4 alias, and IPv6 CARP IP for LAN. I found an OpenBSD (which I know is different OS, but...) FAQ page on CARP that says "By default all carp(4) interfaces are added to the carp group." However if I run ifconfig -v on pfSense no groups are listed for em0 and em1, only lo0, enc0, and ovpns1. I created a pfSense interface group carpgroup for LAN and WAN, but had the same symptoms.
[pfSense] Requiring TLS 1.1 for OpenVPN
PCI scanning is now failing TLS 1.0 connections. Is it as simple as adding tls-version-min 1.1 (or 1.2) to the OpenVPN: Server/Advanced configuration/Advanced text box?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Pfsense + Cloudflare
Seth Mos wrote on Thu, Apr 30 2015 at 10:09 am:
> If you want any meaningful address information you need to look at the headers that the proxy service provides you.

I was going to point that out (CloudFlare sends the IP in HTTP request headers) but that won't help at the firewall/packet level. At that point (theoretically) I suppose CloudFlare would have to have functionality to act as a firewall? And pfSense configured to only allow traffic from it.

--
Steve Yates
ITS, Inc.
Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2
Ermal Luçi wrote on Wed, Jun 17 2015 at 10:22 am:
> On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates st...@teamits.com wrote:
>> OpenVPN requires a self-signed cert.
>
> Can you report the issue with OpenVPN on self-signed cert?

It's been a few months but if I recall correctly, on page Services/OpenVPN, while Server Certificate allows others to be chosen, Peer Certificate Authority (i.e., pfSense's CA) is a required field.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Suricata alert suppression
For posterity, I found references in the web forum that the stream rules basically don't work the way IDS is set up on pfSense so should be disabled. I believe the issue is that it looks at the traffic in parallel so packets might be processed out of order. Still not sure why it wasn't honoring the Suppress instruction.

--
Steve Yates
ITS, Inc.

Steve Yates wrote on Mon, Jul 13 2015 at 3:16 pm:
> I got Suricata installed and operating. I found, oddly, that the highest volume of packet errors alerted was to/from Symantec IPs. I added that subnet as trusted but apparently that doesn't take effect unless automatic blocking is also enabled. I have not had much luck having it actually suppress the alerts though... I edited the Suppress rules to use a subnet, which seems to be allowed, like so:
>
> #SURICATA STREAM Packet with invalid ack
> suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
>
> ...and then disabled and re-enabled Suricata on the WAN interface. However, IPs from within that /24 still show in the Alerts tab?
Re: [pfSense] CARP development testing within our network -- broadcast storm?
I'm not sure I follow...the 192.168.50.x subnet would use 192.168.50.1 as its gateway and 10.10.10.111 would be the NATted WAN IP. I don't see how that's a problem for other PCs in 10.10.10.x? Unless 10.10.10.111-113 are in use on it? This reads like you added the computer and server to the WAN side of pfSense, so they would not be using pfSense at all. You can't connect the networks through pfSense and around it at the same time...

--
Steve Yates
ITS, Inc.

Justin Edmands wrote on Mon, Jul 27 2015 at 3:53 pm:
> I have setup a dual gateway setup I have created to test a future project of adding another gateway to our production setup. I added two computers next to me connected to a switch and the WAN IPs are IPs from our regular subnet. The LAN is a subnet that we don't use normally.
>
> my computer - 10.10.10.58
> random server - 10.10.10.43
> devpfsense WAN CARP IP - 10.10.10.111
> devpfsense1 WAN - 10.10.10.112
> devpfsense2 WAN - 10.10.10.113
> devpfsense LAN CARP IP - 192.168.50.1
> devpfsense1 LAN - 192.168.50.10
> devpfsense2 LAN - 192.168.50.11
>
> I connect all of this up. CARP works just fine. I edit a few things and everything syncs over to the secondary gateway. The problem is that the WAN IPs being set are wreaking havoc on my regular network where the 10.10.10.XXX IPs reside. It is as if I am creating some form of a loop or broadcast storm. Am I supposed to enable something like HSRP or VRRP to tell my regular network that these two WAN IPs work together and form 10.10.10.111?
Re: [pfSense] CARP development testing within our network -- broadcast storm?
Justin Edmands wrote on Mon, Jul 27 2015 at 4:57 pm:
> These computers in the 10.10.10.XXX lose all access to the internet when I plug in the 10.10.10.112 and 10.10.10.113 pfsense boxes.

Can you explain the cabling? pfSense should just be another device on the network at that point, with the LAN computers behind it.

--
Steve Yates
ITS, Inc.
Re: [pfSense] bsd/pfsense equivalent to fail2ban
I think you're looking for Snort or Suricata. Presumably someone would have detections for asterisk by now?

--
Steve Yates
ITS, Inc.

mayak wrote on Sat, Jul 25 2015 at 7:31 am:
> hi all,
>
> i have a number of asterisk instances behind pfsense -- 5060 is open to the public, and of course, i have incessant attempts to make free calls.
>
> for the moment, i use an iptables rule:
>
> iptables --append local-external --protocol udp -m udp --sport 5060 \
>   -m string --string "SIP/2.0 403 Forbidden" --algo bm --to 66 \
>   -j LOG --log-ip-options --log-prefix "SIP ABUSE: 403: "
>
> which inspects udp packets to discern who is trying to hack. enough errors in the log, and the ip gets banned (digging into the packet is only way to correctly eliminate spoofing)
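The "enough errors in the log, and the ip gets banned" step of the iptables approach above, as an added example that is not the poster's script: it parses the kernel log lines the LOG rule produces and applies a fail2ban-style "maxretry within findtime" test. Because that rule matches the 403 reply Asterisk sends back (source port 5060), the remote party is the DST= field of each line, not SRC=; the log lines, the Asterisk address 192.168.10.20 and the remote addresses are constructed.

```python
"""Count SIP '403 Forbidden' log hits per remote address (fail2ban-style).

Added example, not the poster's script. Assumes the iptables LOG rule from the
post, so each hit is the 403 reply leaving Asterisk (SPT=5060) and the remote
party is the DST= field. All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Syslog line from the LOG target with --log-prefix "SIP ABUSE: 403: ".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SIP ABUSE: 403: .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"\bPROTO=UDP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
LOG_YEAR = 2015   # syslog timestamps carry no year; the sample is one day


def parse_hit(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, remote_ip) for a SIP ABUSE line, else None."""
    m = LOG_RE.search(line)
    if not m or m.group("spt") != "5060":
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("dst")


def offenders(lines: List[str], maxretry: int, findtime_s: int) -> Dict[str, int]:
    """Map remote IP -> total hits for every IP that produced at least
    maxretry hits inside some findtime_s-second window."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_hit(line)
        if parsed:
            hits[parsed[1]].append(parsed[0])
    window = timedelta(seconds=findtime_s)
    result: Dict[str, int] = {}
    for ip, stamps in hits.items():
        stamps.sort()
        # Slide a window of maxretry consecutive hits over the sorted times.
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                result[ip] = len(stamps)
                break
    return result


def _line(ts: str, dst: str, dpt: int) -> str:
    """Build one constructed log line; 192.168.10.20 plays the Asterisk host."""
    return (f"{ts} gw kernel: SIP ABUSE: 403: IN= OUT=eth0 SRC=192.168.10.20 "
            f"DST={dst} LEN=480 TTL=64 ID=0 DF PROTO=UDP SPT=5060 DPT={dpt} LEN=460")


# Constructed sample: 203.0.113.9 keeps getting 403s, 198.51.100.4 gets two an
# hour apart, and an unrelated kernel line must be ignored.
SAMPLE_LOG = [
    _line("Jul 25 07:31:02", "203.0.113.9", 5090),
    _line("Jul 25 07:31:03", "203.0.113.9", 5091),
    _line("Jul 25 07:31:05", "203.0.113.9", 5092),
    _line("Jul 25 07:31:06", "198.51.100.4", 5060),
    _line("Jul 25 07:31:09", "203.0.113.9", 5093),
    _line("Jul 25 07:31:10", "203.0.113.9", 5094),
    "Jul 25 07:31:11 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 "
    "DST=192.168.10.1 PROTO=TCP SPT=4444 DPT=22",
    _line("Jul 25 08:40:00", "198.51.100.4", 5060),
]

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG, maxretry=5, findtime_s=60).items():
        print(f"ban candidate {ip}: {count} x 403 Forbidden")
```

On pfSense the resulting list would feed a pf table referenced by a block rule rather than an iptables chain; the counting logic is the same.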
Re: [pfSense] Primer for AP/bridge setup? (based on Re: Access Point Recommendations?)
Kenward Vaughan wrote on Fri, Jul 24 2015 at 10:00 am:
> We have a laser printer down the hall to which I attached an old home wifi router (don't recall the brand) making it accessible to people. Thought it would be nice to have this also bridge to the LAN

Usually devices can be access points, wireless clients, or bridges, but not more than one. I would expect if you connect the printer to the LAN, then anyone using the printer would need to connect to the LAN's AP instead of directly to the printer.

--
Steve Yates
ITS, Inc.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:
> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. Second, it appears that ssh-server on pfsense is version 6.6

Is this an internal scan or external? Hopefully those aren't exposed externally. If internal, can access be limited to certain IPs?

This probably isn't the forum to discuss, but the TLS 1.0 one is a fun one...that will catch Remote Desktop Services, and Vista and below don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ enabled by default.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Primer for AP/bridge setup? (based on Re: Access Point Recommendations?)
Kenward Vaughan wrote on Fri, Jul 24 2015 at 11:00 am:
> I currently use the older router wired to the laserjet because I expected it to have more range, and honestly haven't tried setting up a printer's wifi connection before. So it is a standalone system right now. Would that printer work directly with the LANs AP as a bridge, getting its IP address, etc, from there? I don't want unlimited access to it.

If the printer has wireless you can connect the printer to any access point. That is the same as plugging in a cable so that wouldn't limit access. However bridging it to the network doesn't limit access either unless the bridge has some sort of security set up. I was just skimming this thread but I think to use pfSense you'd have to have the printer on a different subnet or in some way have pfSense do the routing so it could have firewall rules set up.

--
Steve Yates
ITS, Inc.
[pfSense] Suricata alert suppression
I got Suricata installed and operating. I found, oddly, that the highest volume of packet errors alerted was to/from Symantec IPs. I added that subnet as trusted but apparently that doesn't take effect unless automatic blocking is also enabled. I have not had much luck having it actually suppress the alerts though... I edited the Suppress rules to use a subnet, which seems to be allowed, like so:

#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24

...and then disabled and re-enabled Suricata on the WAN interface. However, IPs from within that /24 still show in the Alerts tab?

--
Steve Yates
ITS, Inc.
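The suppress line above (and the same one quoted in the follow-up in this thread), replayed against constructed alerts as an added example that is neither pfSense's nor Suricata's code: it models the documented meaning of track by_dst (only the destination address is compared), so alerts where a 143.127.136.0/24 host is the source, which is what "to/from" traffic produces, are not hidden by that rule alone. The alert fields gid/sid/src/dst and the addresses 192.0.2.10 and 198.51.100.7 are constructed.

```python
"""Evaluate Suricata threshold.config 'suppress' lines against alerts.

Added example, not pfSense's or Suricata's code: it parses the suppress line
from the post and replays constructed alerts through it to show which ones a
'track by_dst' rule hides and which it leaves in the Alerts tab.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]            # None: suppress the signature for every host
    net: Optional[ipaddress.IPv4Network]

    def hides(self, gid: int, sid: int, src: str, dst: str) -> bool:
        """True if this rule would keep the alert out of the Alerts tab."""
        if (gid, sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        # The rule inspects only one side of the packet: by_dst compares the
        # destination address, by_src the source address.
        side = dst if self.track == "by_dst" else src
        return ipaddress.ip_address(side) in self.net


def parse_threshold_config(text: str) -> List[Suppress]:
    """Parse suppress lines; '#' comments and blank lines are skipped.
    Anything else raises so a typo cannot silently disable a rule."""
    rules: List[Suppress] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unparsed threshold.config line: {line!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gid), int(sid), track, net))
    return rules


def visible_alerts(rules: List[Suppress], alerts: List[Dict]) -> List[Dict]:
    """Alerts that no rule suppresses, i.e. what the Alerts tab would list."""
    return [a for a in alerts
            if not any(r.hides(a["gid"], a["sid"], a["src"], a["dst"]) for r in rules)]


# The suppress entry exactly as written in the post.
RULES_FROM_POST = """\
#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
"""

# Constructed alerts: the same signature in both directions between a LAN host
# (192.0.2.10, documentation range) and a host inside the suppressed /24, plus
# one unrelated source that must never be suppressed.
SAMPLE_ALERTS = [
    {"gid": 1, "sid": 2210045, "src": "192.0.2.10", "dst": "143.127.136.5"},
    {"gid": 1, "sid": 2210045, "src": "143.127.136.5", "dst": "192.0.2.10"},
    {"gid": 1, "sid": 2210045, "src": "198.51.100.7", "dst": "192.0.2.10"},
]


def demo() -> List[Dict]:
    """With the by_dst rule alone, packets *from* the /24 still alert."""
    return visible_alerts(parse_threshold_config(RULES_FROM_POST), SAMPLE_ALERTS)


def demo_both_directions() -> List[Dict]:
    """Adding a by_src rule for the same /24 covers the other direction."""
    both = RULES_FROM_POST + \
        "suppress gen_id 1, sig_id 2210045, track by_src, ip 143.127.136.0/24\n"
    return visible_alerts(parse_threshold_config(both), SAMPLE_ALERTS)


if __name__ == "__main__":
    for a in demo():
        print("visible with by_dst only      :", a["src"], "->", a["dst"])
    for a in demo_both_directions():
        print("visible with by_dst and by_src:", a["src"], "->", a["dst"])
```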
Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE
> I don't have any trouble adding NAT
> rules that forward the .217 through to my internal network.

If that works, it sounds like .217 is your IP, and not your gateway as they documented. What is the gateway on your WAN connection?

--
Steve Yates
ITS, Inc.
[pfSense] 2.2.5 upgrade - failed to open openvpn-client-export-2.3.6.tgz
Upgraded two routers today from 2.2.1 to 2.2.5. Both showed this at the end of the upgrade (pasting from system log):

Nov 8 14:49:19 php: rc.bootup: Finished reinstalling all packages.
Nov 8 14:49:19 php: rc.bootup: Finished installing package OpenVPN Client Export Utility
Nov 8 14:49:19 php: rc.bootup: Successfully installed package: OpenVPN Client Export Utility.
Nov 8 14:49:19 check_reload_status: Syncing firewall
Nov 8 14:49:18 kernel: tar: Error opening archive: Failed to open '/usr/local/pkg/openvpn-client-export-2.3.6.tgz'
Nov 8 14:49:18 kernel: 100%
Nov 8 14:49:15 kernel: 90% 100%
...
Nov 8 14:48:17 php: rc.bootup: Beginning package installation for OpenVPN Client Export Utility .
Nov 8 14:48:16 php: rc.bootup: Reinstalling package OpenVPN Client Export Utility
Nov 8 14:48:16 php: rc.bootup: Finished uninstalling package OpenVPN Client Export Utility
...
Nov 8 14:47:48 php: rc.bootup: Uninstalling package OpenVPN Client Export Utility
...
Nov 8 14:47:48 php: rc.bootup: List of packages to reinstall: OpenVPN Client Export Utility

1) OpenVPN: Client Export Utility page displays fine? Install finished per the log above...can I ignore the error?

2) System/Packages shows v1.2.20 installed. Looking at its changelog page, it looks like 2.3.6 is the OpenVPN version?

--
Steve Yates
ITS, Inc.
Re: [pfSense] FTP issues on 1:1
ED Fochler wrote on Tue, Jul 7 2015 at 1:10 pm:
> FTP is a nasty beast. There's active, passive, and extended passive connections. You may need a client that does extended passive (epsv?) to work properly. Standard passive will hand back the server's IP data port over the control connection, so unless PFSense is altering the packets as they leave, or ProFTPd knows that it needs to respond to that IP range with a masqueraded IP, standard passive will get hung up.

http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html

Basically that should hand out the public IP for the passive connection, instead of the server's LAN IP. However (not tested) that may well break internal FTP, unless perhaps requests to the WAN IP are reflected back inside. I think I would even expect internal FTP users to have to connect via the WAN IP also.

--
Steve Yates
ITS, Inc.
Re: [pfSense] FTP issues on 1:1
Ryan Coleman wrote on Thu, Jul 9 2015 at 5:24 pm:
> I switched it to port 21 and it's still not working externally, either.

Not sure if you said what FTP client you're using. FileZilla has some debug logging modes that might help narrow down the issue.

--
Steve Yates
ITS, Inc.
Re: [pfSense] FTP issues on 1:1
Ryan Coleman wrote on Tue, Jul 7 2015 at 4:48 pm:
>> http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html
>
> Yep - I'm using that.
>
> Command: PORT 10,20,1,49,214,167

Pretty sure this would be IP 10.20.1.49, not the public one...is 10.20.1.x on your WAN?

--
Steve Yates
ITS, Inc.
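The decoding behind "this would be IP 10.20.1.49", as an added example that is not part of the thread: it decodes the PORT argument quoted above (h1,h2,h3,h4,p1,p2 gives the address and p1*256+p2), a server's 227 passive reply and the 229 extended-passive reply that EPSV uses, and flags an advertised address that does not match the peer of the control connection, which is the mismatch MasqueradeAddress exists to fix. The public peer address 203.0.113.25 is a constructed placeholder.

```python
"""Decode the address an FTP endpoint advertises for its data connection.

Added example, not from the thread. Assumes RFC 959 PORT/227 encoding and the
RFC 2428 229 reply; 203.0.113.25 is a made-up public peer address.
"""
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


class DataEndpoint(NamedTuple):
    kind: str               # "PORT", "PASV" or "EPSV"
    host: Optional[str]     # None for EPSV: the control connection's peer is reused
    port: int


def decode_hostport(text: str) -> Tuple[str, int]:
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"byte out of range in {text!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line: str) -> Optional[DataEndpoint]:
    """Recognise a client PORT command or a server 227/229 reply."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        host, port = decode_hostport(line)
        return DataEndpoint("PORT", host, port)
    if line.startswith("227 "):
        host, port = decode_hostport(line)
        return DataEndpoint("PASV", host, port)
    if line.startswith("229 "):
        m = EPSV_RE.search(line)
        if m:
            return DataEndpoint("EPSV", None, int(m.group(1)))
    return None


def nat_problem(ep: DataEndpoint, peer_ip: str) -> Optional[str]:
    """Why this endpoint cannot work as advertised, or None if it is fine.
    peer_ip is the address the control connection really comes from or goes to."""
    if ep.host is None:
        return None   # EPSV carries only a port, so NAT has nothing to mangle
    adv = ipaddress.ip_address(ep.host)
    if adv == ipaddress.ip_address(peer_ip):
        return None
    scope = "private" if adv.is_private else "unexpected"
    return (f"{ep.kind} advertises {scope} address {ep.host}:{ep.port} but the "
            f"control connection peer is {peer_ip}; the data connection will not "
            f"reach the advertised host")


def demo_port_from_post() -> Optional[str]:
    """The PORT line quoted above, as seen by a server whose peer is public."""
    return nat_problem(parse_control_line("PORT 10,20,1,49,214,167"), "203.0.113.25")


if __name__ == "__main__":
    print(demo_port_from_post())
    ok = parse_control_line("227 Entering Passive Mode (203,0,113,25,214,167).")
    print("masqueraded PASV:", ok, nat_problem(ok, "203.0.113.25"))
```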
Re: [pfSense] Unbound DNS Resolver doesn't listen on IP aliases even when selected in settings
Paul Mather wrote on Thu, Nov 12 2015 at 1:38 pm:
> Unfortunately, with this configuration, unbound does not listen on the
> IP aliases: it only listens on the primary IP addresses of LAN,
> INTERNAL, and localhost.

I don't have quite the same configuration, but with a CARP shared LAN IP, it listens on that alias. Did you check your firewall log/rules?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Strange timezone behavior and then full stop
Wade Blackwell wrote on Wed, Aug 26 2015 at 10:27 am:
> Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /etc/inc/globals.inc on line 64

This is a PHP warning that would show on each page load. Recent PHP versions (5.3+?) require the time zone to be set in php.ini or other PHP-read .ini files. It's just a warning so isn't an indicator of a problem in and of itself.

--
Steve Yates
ITS, Inc.
Re: [pfSense] pfSense + AD not resolving DNS
> 2.- The WAN network don't work. No access to Internet using or not,
> DNS service in pfSense box. ping, traceroute, dig directly from
> pfSense box not work.

If you can't ping/traceroute by IP address, it's not a DNS issue.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Shutdown Interface?
pfse...@douwifi.com wrote on Tue, Dec 8 2015 at 4:41 pm:
>> Doug what does that link have to do with Pfsense and how does it help
>> him configure pfsense.

It has advice and instructions for configuring pfSense to mitigate DDOS, with screenshots. :) Including rate limiting on firewall rules which the OP specifically asked about and I'll admit I didn't realize pfSense had. I couldn't find a "part 2" though...?

>> A quick Googling came up with this:
>>
>> http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/

--
Steve Yates
ITS, Inc.
Re: [pfSense] Lost limiter config after upgrade
Chris L wrote on Tue, Dec 15 2015 at 1:32 am:
> Yeah there's a difference between the upgrade fails and the upgraded system
> just doesn't work with limiters.
>
> It seems either traffic just doesn't flow or limiters don't limit.
>
> I am really looking forward to this being fixed. Until then, 2.1.5 rules the
> roost.

Per that bug report (https://redmine.pfsense.org/issues/4326), it sounds like it's only an issue if NAT is being used, correct? They work if NAT is not in use?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Multiple SSIDs
Steve Yates wrote on Tue, Nov 24 2015 at 9:28 am:
> We haven't used wireless with pfSense yet. The manuals for the
> hardware models don't seem to mention how to set up the optional
> wireless. The doc site suggests not using wireless in pfSense?
> (https://doc.pfsense.org/index.php/Should_I_use_pfSense_as_my_access_point)
> It also says that some cards can handle multiple SSIDs
> (https://doc.pfsense.org/index.php/Wireless_Interfaces). Does anyone
> know if pfSense's hardware models support multiple SSIDs?
>
> The scenario is a client would use pfSense for routing but has a "demo
> room" they would like to keep isolated. Can we set up a second SSID that
> would connect to that room's network? Or should we just get an access point
> for that room?

Or, for other/future reference, a "guest" SSID that would be isolated from the rest. I'd expect that to be possible as long as it supports multiple SSIDs, and just be a matter of the routing setup...

--
Steve Yates
ITS, Inc.
[pfSense] Suricata sync crashes WebConfigurator, and other issues
I've been working on implementing Suricata (package 2.1.9.1) on a CARP dual router setup, and Suricata is set to sync to router2 as well. I have several issues, the worst of which ends with me unable to connect to router2 via a browser (and of course sync fails).

1) Agonizingly slow page loads. I'm trying to enable only certain emerging-web_specific_apps.rules rules. I disabled all rules, and am going through and enabling certain ones that apply. There are several thousand rules in that category, so it is a big page*. If I enable a rule, sometimes the page reloads in a few seconds. Sometimes it takes several minutes. Sometimes I can enable 20 in a row, fast, and then it slows down again. I don't understand the discrepancy. It is so slow I can watch the table draw if I scroll to the bottom of what's loaded. While it's loading, other pages from the router load fine, e.g. the index.php page loads immediately and shows 0% CPU usage, 30% memory usage (it's a 4 CPU VM with 2 GB RAM, on a 100 Mbps connection). Other connections *through* this router are normal.

2) I have found that despite two Apply buttons on the "Suricata: Interface WAN - Rules:" page it syncs every change to router2 anyway, every time a rule is enabled. It seems slightly faster to turn off syncing but not several minutes faster (and then enable it at the end, which immediately syncs).

3) CARP syncs at every Suricata rule enable also, even though Suricata has its own sync. QUESTION: do I need the Suricata sync enabled if the CARP sync is enabled?

4) If I disable the CARP configuration sync (leaving state sync enabled) the super slow page loads go away for a while. However they come back, so it does not 100% fix the problem of the several-minute page loads.

5) Occasionally, clicking on the Enable icon sends me directly to the router's index.php page as if something crashed. I would say it is rare, but just now it happened 4 times inside of a few minutes. It can happen even if I wait a couple minutes after the page loads before clicking an Enable icon. What would cause this redirect? Shouldn't pfSense show an error page if an error is happening?

6) I started on pfSense 2.2.5 and upgraded both routers to 2.2.6 since it said it fixed some sync issues. On at least two occasions, with 2.2.6, I start getting "unread notice" alerts for sync errors, and can't connect to the web GUI on router2. Connecting to its console and choosing "Restart webConfigurator" (option 11) fixes both issues, as if the web browser crashed.

7) I don't know if this is relevant, but when each and every CARP sync happens, router2 logs the following. The 192.168.199.1 IP address is in the tunnel network for OpenVPN, which is not connected.

Jan 12 00:39:47 php-fpm[26893]: /rc.start_packages: Restarting/Starting all packages.
Jan 12 00:39:46 check_reload_status: Starting packages
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 192.168.199.1 - Restarting packages.
Jan 12 00:39:46 check_reload_status: Reloading filter
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: on (IP address: 192.168.199.1) (interface: []) (real interface: ovpns1).
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Jan 12 00:39:45 check_reload_status: rc.newwanip starting ovpns1
Jan 12 00:39:45 kernel: ovpns1: link state changed to UP
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 kernel: ovpns1: link state changed to DOWN
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: Resyncing OpenVPN instances.
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting IPv6 default route to [IPv6 WAN gateway]
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting default route to [IPv4 WAN gateway]
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 check_reload_status: Syncing firewall

* small JavaScript tip: define a function for document.getElementById like so and it will save a lot of repeated text on a page that big:

function x() { return document.getElementById(arguments[0]); }

--
Steve Yates
ITS, Inc.
Re: [pfSense] IPSec nat issue
Jumping in midway through, 193.168.1.0/24 belongs to Universite du Luxembourg. If that's not you then the other end could be routing packets there.

--
Steve Yates
ITS, Inc.

-Original Message-
> On Wed, May 25, 2016 at 8:54 PM, Lyle <l...@lcrcomputer.net> wrote:
>
>> The other end has a conflict with our LAN addressing (192.168.1.0/24).
>> So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24
>>
>> for the local Network. NAT/BINAT network of 192.168.85.0/24. Their
>> remote network is 192.168.75.0/24.
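The point of Steve's reply is that 193.168.1.0/24 is not RFC 1918 space at all: it is a routable prefix that belongs to someone else, so the far side's replies can leave for the real owner instead of coming back through the tunnel. The following added example (not code from the thread or from pfSense) runs the sanity checks a practitioner would want before committing a phase 2 with NAT/BINAT: equal prefix sizes for a 1:1 BINAT, no overlap with the remote network, and a translated network that is actually private. It uses the addresses Lyle posted; the function name `check_binat_plan` and the wording of the checks are this example's own.

```python
"""Sanity-check the subnets in an IPsec phase 2 that uses NAT/BINAT.

Added example, not code from the mailing list thread or from pfSense.
Inputs are the networks Lyle posted: real LAN 192.168.1.0/24, the
translated network as typed (193.168.1.0/24), and the remote side's
192.168.75.0/24. The checks and their wording are this example's own.
"""
import ipaddress


def check_binat_plan(local_lan, binat_net, remote_net):
    """Return a list of problems; an empty list means the plan looks sane.

    local_lan  -- the real LAN behind this firewall
    binat_net  -- the network the LAN is presented as inside the tunnel
    remote_net -- the far side's network as seen through the tunnel
    """
    lan = ipaddress.ip_network(local_lan, strict=True)
    binat = ipaddress.ip_network(binat_net, strict=True)
    remote = ipaddress.ip_network(remote_net, strict=True)
    problems = []

    # BINAT is a 1:1 mapping, so both prefixes must be the same size.
    if lan.prefixlen != binat.prefixlen:
        problems.append(
            f"BINAT needs equal-size prefixes: {lan} is /{lan.prefixlen}, "
            f"{binat} is /{binat.prefixlen}")

    # The whole reason for translating is to avoid a clash with the far side.
    if binat.overlaps(remote):
        problems.append(f"translated network {binat} overlaps remote {remote}")
    if lan.overlaps(remote):
        problems.append(
            f"real LAN {lan} overlaps remote {remote}; BINAT is required, "
            f"not optional")

    # A translated prefix that is globally routable belongs to someone else.
    # The remote side may send its replies toward the real owner of that
    # prefix instead of down the tunnel. This is the 193.168.x.x typo case.
    if not binat.is_private:
        problems.append(
            f"translated network {binat} is not private address space "
            f"and is probably a typo")

    return problems


if __name__ == "__main__":
    # As posted: the translated network was typed as 193.168.1.0/24.
    for issue in check_binat_plan("192.168.1.0/24", "193.168.1.0/24",
                                  "192.168.75.0/24"):
        print("PROBLEM:", issue)
    # Corrected plan using the 192.168.85.0/24 BINAT network from the post.
    print("corrected plan problems:",
          check_binat_plan("192.168.1.0/24", "192.168.85.0/24",
                           "192.168.75.0/24"))
```

Run it as-is and the typed plan is flagged only for the non-private translated network, while the corrected plan (LAN 192.168.1.0/24 presented as 192.168.85.0/24 toward 192.168.75.0/24) passes cleanly. The equal-prefix check matters because pfSense's BINAT is a one-to-one mapping; a /24 mapped onto a /25 silently leaves half the LAN unreachable.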
Re: [pfSense] Snort or Suricata
See if disabling the stream-events.rules ruleset helps. The web forum had some references about that being incompatible with the pfSense implementation. If memory serves, it's because Snort/Suricata see copies of packets, not the actual stream, so they are often processed out of order.

When I looked a while back it seemed like Snort and Suricata were similar, but Snort was single-threaded and Suricata could multi-thread.

https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
http://wiki.aanval.com/wiki/Snort_vs_Suricata

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Sunday, June 12, 2016 1:57 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Snort or Suricata

Hi there,

I installed Snort and let it run with Snort Community Rules and ET Rules. I get tons of false positive alerts.

Maybe Suricata is better? What are the differences?

It seems that only the ET rules have no or very few false positives.

Cheers

Daniel
Re: [pfSense] Snort or Suricata
When we first started experimenting with Suricata we had pfSense running on a very old PC... XP era probably, and I'd guess 10-15 years old. When running, Suricata did seem OK and not too CPU or RAM intensive, but Suricata did simply stop working now and again. That hasn't happened since using newer hardware with a faster CPU, though we've also upgraded pfSense since then. We haven't had any such issue elsewhere. I would expect that higher traffic would definitely benefit from multithreading, hence our choice of Suricata over Snort.

The one issue we had with Suricata is on a CARP setup, where the sync would fail and crash the web service and/or PHP on the second router. I had tried to disable a lot of rules (some of the rulesets have hundreds) that didn't apply, and that took forever since it tried to sync each time. Later I found all those rules were enabled again, and we haven't had the problem lately. My guess is the more individual rules one disables, the longer it takes to sync, and the larger the sync info is. Then at some point something crashed and reset the rules to not have any disabled, after which the sync is smaller.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Monday, June 13, 2016 2:12 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Snort or Suricata

With as many rules as an IDS/IPS would evaluate for each packet, it seems that a multi-threaded option would be an obvious choice, especially on modern multi-core quasi-embedded systems (e.g. Rangeley/Atom) with lower absolute clock speeds. Otherwise it seems you might become effectively CPU bound given modern uplinks and applications (e.g. captive portal, multi-LAN etc.), thus introducing jitter and reduced throughput. Is this consistent with anyone's real-world observation/testing?

On 6/13/2016 9:28 AM, Steve Yates wrote:
> See if disabling the stream-events.rules ruleset helps. The web forum had
> some references about that being incompatible with the pfSense
> implementation. If memory serves, it's because Snort/Suricata see copies of
> packets, not the actual stream, so they are often processed out of order.
>
> When I looked a while back it seemed like Snort and Suricata were similar, but
> Snort was single-threaded and Suricata could multi-thread.
>
> https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
> http://wiki.aanval.com/wiki/Snort_vs_Suricata
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
> Eschner
> Sent: Sunday, June 12, 2016 1:57 PM
> To: pfSense Support and Discussion Mailing List
> <list@lists.pfsense.org>
> Subject: [pfSense] Snort or Suricata
>
> Hi there,
>
> I installed Snort and let it run with Snort Community Rules and ET Rules.
> I get tons of false positive alerts.
>
> Maybe Suricata is better? What are the differences?
>
> It seems that only the ET rules have no or very few false positives.
>
> Cheers
>
> Daniel
Re: [pfSense] How to determine supported packages without installing
I suspect package compatibility is not maintained on a per-pfSense-version basis. Meaning, packages worked on 2.x up until the package changes on 2.3, and probably will work on into the future until the next breaking change.

https://doc.pfsense.org/index.php/Upgrade_Guide#pfSense_2.3_Upgrade_Guide has text:

See Package Port List for a list of packages currently available on 2.3.

Links to -> https://doc.pfsense.org/index.php/Package_Port_List

Also, from the blog entry on the 2.3.1 release: https://doc.pfsense.org/index.php/2.3_Removed_Packages

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bryan D.
Sent: Friday, June 17, 2016 5:18 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How to determine supported packages without installing

On 2016-Jun-17, at 2:35 PM, compdoc <comp...@hotrodpc.com> wrote:
> I think this is complete:
> <snip'd>

Thanks. Looks like I can proceed with an update to 2.3.

Regardless, I still think there should be a way to authoritatively determine this info via the pfSense web site -- ideally, for all releases, minimally for the current release. Perhaps the generation of such a page could be added to the build/release tools? Alternatively, porting pfSense's packages pages to run on the pfSense site could provide the current-release info.
Re: [pfSense] add Blocking in suricata just for some IPs
You should be able to go the other direction and set up a pass list that allows everything but these IPs. Remember to add the pass list to the interface though.

However, if you just enable the alerting and select to not automatically block the bad traffic, that may be easier.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Monday, June 20, 2016 1:28 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] add Blocking in suricata just for some IPs

Hi to everyone,

is it possible to add blocking mode just to some IPs from a /24 network? I want to run that in test mode to see how many false positives I will see ;)

Cheers

Daniel
Re: [pfSense] Lost limiter config after upgrade
Steve Yates wrote on Tue, Dec 15 2015 at 5:04 pm:
> Per that bug report (https://redmine.pfsense.org/issues/4326), it
> sounds like it's only an issue
> if NAT is being used, correct? They work if NAT is not in use?

To follow up, I set up a limiter on our data center router, for one IP doing an rsync backup to our office. No NAT. No issues yet after a week or two. I didn't use the wizard, though I started it a few times to try to see what it was doing. I just wanted the limiter. The time of day scheduling is great for long running rsyncs since I drop the bandwidth down during the day.

Ugo Bellavance wrote on Tue, Dec 15 2015 at 11:02 pm:
> I had one of 28 mbps and 3 children to set the weight. Before, it
> prevented traffic from going over 28 mbps. Now I had to lower the
> parent limiter to 26 because it looks like some traffic goes over the
> 26 mbps.

A couple ideas based on what I read about setting up limiters...

1) did you create two limiters, one for upload and one for download?

2) in the limiter settings, did you pick a Mask setting or leave it at None? Mask will create multiple pipes, one per IP address.

I haven't watched the traffic graph that closely to see if it ever goes over a little bit. If you're saying you set it to 28 and sometimes see 35 Mbps, I am not seeing that.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Slow speed on 100Base TX full duplex.
Muhammad Yousuf Khan wrote on Mon, Jan 11 2016 at 12:23 am:
> - iperf speed test for LAN, between is 50Mbps up and down
> - but iperf test on WAN showing 10Mbps down and 5Mbps up.
> - however my client is saying that assigned speed from colo is 100Mbps.

"Full duplex" means the card sends and receives at the same time, so you normally want that on.

You said the colo port speed is 100 Mbps. This is not necessarily the speed they have allowed for him, or the available bandwidth at the facility. If we imagine he is paying for a 50 Mbps connection, the Ethernet port speed is still going to be 100 because the only choices are 10, 100, 1000, or 10 Gbit. Likewise, if the colo has a lot of traffic, he may not get a 100 Mbps download speed when testing.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues
I don't like leaving things not fully stable so I bit the bullet and clicked "Remove Enable/Disable changes in the current Category" so it would at least sync. To my surprise it did not help, even after doing it on router2 as well. Then I noticed the CARP sync was also starting to fail. After thinking about it a bit I restarted router2 and syncing immediately worked again. That implies something was wrong with the XMLRPC sync that wasn't fixed by restarting webConfigurator and/or PHP-FPM. Notably there was a config sync fix included in pfSense 2.2.6...

I noticed another interesting tidbit. The first Suricata sync after the restart I used a hostname (to router2's LAN IP). The sync took 4 seconds. I then changed to an IP address. It succeeded but took just shy of 3 minutes. Back to the hostname... 1 second. Back to the IP... timeouts and "Code 2: Invalid return payload." At that point I had to restart router2 again. I can't imagine using a hostname makes any practical difference. I had started with an IP for the Suricata sync because the High Availability Sync page says to use an IP.

I did notice that the pfSense config sync triggers a route reload and down/up of the OpenVPN interface (which isn't connected), and the OpenVPN down/up logs, in order:

/rc.newwanip: rc.newwanip: Info: starting on ovpns1.
/rc.newwanip: rc.newwanip: on (IP address: 192.168.199.1) (interface: []) (real interface: ovpns1).
check_reload_status: Reloading filter
php-fpm[49144]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 192.168.199.1 - Restarting packages.
check_reload_status: Starting packages
/rc.start_packages: Restarting/Starting all packages.

...maybe "restarting packages" is interfering with the Suricata sync? Or possibly the default Suricata sync timeout of 150 seconds needs to be a *lot* higher?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues
Steve Yates wrote on Tue, Jan 12 2016 at 1:25 am:
> 6) I started on pfSense 2.2.5 and upgraded both routers to 2.2.6 since it
> said it fixed some sync issues. On at least two occasions, with 2.2.6, I start
> getting "unread notice" alerts for sync errors, and can't connect to the web GUI on
> router2. Connecting to its console and choosing "Restart webConfigurator"
> (option 11) fixes both issues, as if the web browser crashed.

It happened just now and the General log on router2 shows:

Jan 15 18:37:23 kernel: pid 17318 (lighttpd), uid 0: exited on signal 11 (core dumped)

...however that usually doesn't get logged, and I just see my restart ("lighttpd[33922]: (log.c.194) server started").

At this point, if I open the Suricata Sync tab and click Save, within a minute or so router2's web GUI crashes again. Interestingly, the last few times if I restart webConfigurator I still can't connect, but if I restart PHP-FPM I instantly get a 500 - Internal Server Error page. Does that imply a PHP problem? I am thinking it can't handle having most of the rules in emerging-web_specific_apps.rules disabled... too many things to update? A memory limit somewhere? (PHP's is 256 MB)

Does anyone know if "Enable all rules in the current Category" will reset the rule state back to default, or mark them all enabled (which won't help any, if my theory is correct)? Is there a way to set "Disable all rules in the current Category" back to the default but keep any changes? "Remove Enable/Disable changes in the current Category" sounds like it will undo all my changes. :-/

--
Steve Yates
ITS, Inc.
Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues
Chris Buechler wrote on Sat, Jan 16 2016 at 2:23 am:
> The fact you're hitting at least one lighttpd crash makes me think
> there's some other issue there, though no one else has seen any issues
> in 2.2.6, the issue in 2.2.5 wasn't replicable in most cases either.
> There's a reason nginx is now the web server in 2.3.
>
> That could be an issue in the Suricata package, given the web server
> only crashed once it appears. Since you end up in a situation where
> you're stuck until restarting php-fpm, that points to the issue being
> in PHP, though an issue in lighttpd could impact PHP.

If I step back and look at the big picture it kind of got worse over time. It started off that restarting webConfigurator seemed to fix it, at least letting me log in to the web GUI and syncing for a while afterwards. Then restarting webConfigurator had no effect and restarting PHP-FPM would immediately yield an HTTP error (usually 500). And then Friday night it seemed like I had to restart the entire router to get to the web GUI. Is it conceivable that a temporary problem would survive restarting webConfigurator and PHP-FPM? I don't understand how. I'd guess Suricata was left running but the log says "Restarting/Starting all packages" at every firewall sync.

I'd ask if someone with a couple of routers/VMs could install Suricata, enable some rule sets, disable all the rules in emerging-web_specific_apps.rules and try to duplicate it, but un-disabling them didn't fix the problem. Although I probably had not yet restarted our router2 at that point either, come to think of it. It's even weirder that a "successful" sync can be 1-4 seconds or 3 minutes. It does make me think the issue is with Suricata, but ideally whatever the issue is shouldn't block access to the web GUI. Luckily I can get to the router's console.

Is there a way to get lighttpd to log errors? I was poking around while logged into the console but its log was blank (as I recall now).

> Not sure offhand whether Suricata is even usable in 2.3, but that
> might be worth a shot.

Hmmm, we don't have a long history with packages. I was kind of assuming it would just work with new versions. :) Will have to test it out first. Usually I don't hurry to upgrade without a reason, but I've never had a problem upgrading 2.x versions. That said, I read the changelog-in-progress for 2.3 and it looks like a big overhaul.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues
> Not sure offhand whether Suricata is even usable in 2.3, but that
> might be worth a shot.

Given that we're using CARP, if we install it on our router2 to test, how long would you recommend running router2 on 2.3 and router1 on 2.2.6? Generally I've not waited more than a few minutes between upgrading, though we've usually upgraded our office router first and tested there.

Another question... for syncing Suricata, and/or the configuration sync, would you recommend using the pfSync interface, or the LAN interface? Or does it matter? I've tried both and it didn't help my issue...

Steve Yates
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Romain Lapoux wrote on Thu, Feb 11 2016 at 4:36 pm:
> I did some test and does not work

Since you're listing things, what are your firewall rules for traffic to/from the FTP server? If you create rules allowing all traffic to and from that IP address, do FTP connections work?

--
Steve Yates
ITS, Inc.
Re: [pfSense] FTP trouble.
J. Echter wrote on Thu, Feb 11 2016 at 1:25 pm:
> But, i cant use it as i get errors like 'no data', error 227 'entering
> passive mode' and so on.

So the FTP client is in your location and the FTP server is somewhere on the Internet? We've not had any issues with that under pfSense 2.x, and specifically 2.2.x for Kevin.

I looked at the link he posted and I'm guessing you are hitting this:

"Passive mode on the client will require access to random/high ports outbound, which could run afoul of a strict outbound ruleset. Environments with a security policy that requires strict outbound firewall rules likely would not be using FTP anyhow, as it transmits credentials without encryption."

In other words, if you are allowing port 21 outbound but blocking outbound ports over 1000, that would allow the initial connection and then fail on the data connection(s). The FTP server would tell the client what port to use for the data connection, but then the client is blocked by the firewall.

Try (in Status: System logs: Settings) setting your firewall log to "Log packets matched from the default block rules put in the ruleset" and see if that shows the block in your firewall log.

And just to over-clarify, it is the FTP server that tells the client what port to use, so you can't control that unless you control the FTP server.

--
Steve Yates
ITS, Inc.
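The failure Steve describes is easy to see if you parse the 227 reply the way an FTP client does and then run the resulting data port through the outbound ruleset. The following added example (not code from the thread or from pfSense) does exactly that: it decodes a `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` line into a host and a port, then evaluates a tiny first-match outbound ruleset for the control connection (port 21) and for the data connection. The 227 reply, the 203.0.113.10 server address and the two rule tables are constructed for the example; `parse_pasv_reply`, `outbound_allowed` and `check_passive_transfer` are this example's own names.

```python
"""Passive-mode FTP: which outbound port does the client actually need?

Added example, not code from the thread or from pfSense. It parses a 227
reply like an FTP client and then asks whether a strict outbound ruleset
(allow 21, block the ephemeral range) would let the data connection out.
The sample reply, server address and rule tables are constructed.
"""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -- the six numbers are the
# server's IPv4 address followed by the high and low byte of the data port.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (IPv4Address, port) from a 227 reply; ValueError if malformed."""
    m = PASV_RE.search(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError(f"port bytes out of range in {line!r}")
    host = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")  # validates octets
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError(f"data port 0 in {line!r}")
    return host, port


def outbound_allowed(rules, dst_port):
    """First-match evaluation of a tiny outbound TCP ruleset.

    rules is a list of (action, (low, high)) tuples with action 'pass' or
    'block'. Anything unmatched is blocked, like pfSense's default deny.
    """
    for action, (low, high) in rules:
        if low <= dst_port <= high:
            return action == "pass"
    return False


def check_passive_transfer(rules, pasv_reply):
    """Simulate the control and data connections of one passive transfer.

    Returns a dict saying whether each leg would pass the ruleset, so the
    caller can see the 'login works, LIST hangs' pattern directly.
    """
    host, port = parse_pasv_reply(pasv_reply)
    return {
        "control_ok": outbound_allowed(rules, 21),
        "data_host": str(host),
        "data_port": port,
        "data_ok": outbound_allowed(rules, port),
    }


# Constructed rulesets. STRICT is the 'allow 21, block high ports' policy
# from the thread; RELAXED lets the ephemeral range out as well.
STRICT = [("pass", (21, 21)), ("block", (1024, 65535))]
RELAXED = [("pass", (21, 21)), ("pass", (1024, 65535))]

# Constructed server reply: 195*256 + 80 = data port 50000.
SAMPLE_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"

if __name__ == "__main__":
    for name, rules in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, check_passive_transfer(rules, SAMPLE_REPLY))
```

With the strict table the control leg passes and the data leg to port 50000 is blocked, which is exactly the "logged in but no data" symptom; with the relaxed table both legs pass. Two caveats the code makes visible: the data port is whatever the server chooses, so a fixed outbound allow for one port is never enough, and a server behind NAT may advertise a private address in the 227 reply, which is why many clients ignore the host part and reuse the control connection's peer address instead.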
Re: [pfSense] pfblockerng
>>> "Finally, I think that this list, mentioned in the doc, should not be
>>> used: http://feeds.dshield.org/top10-2.txt. This one should:
>>> http://feeds.dshield.org/block.txt"
>>
>> The top10-2.txt file was last updated in July 2015 according to my
>> curl command and is not auto-documented.
>>
>> http://feeds.dshield.org/block.txt is updated frequently (as of now, its
>> most recent generation is 5 minutes ago), it is auto-documented.
>>
>> Also, https://www.dshield.org/xml.html states "We offer one blocklist,
>> and one blocklist only (http://www.dshield.org/block.txt)."
>
> Is anyone using pfblockerng with this list? Would someone want me to
> try to update the obsolete doc?

We do, though technically we're using a different method to get that list. Unfortunately, for a Google search for "dshield feed pfSense" it's the first result, and there are plenty of other pages referencing the other lists. I had found the top10-2 list is outdated, but I don't recall where now. I had realized the other method we use wasn't updating and thought it was me, but it was pulling old Bluetack lists from I-Blocklist, and those lists still exist online but also stopped updating a while back... apparently Bluetack closed or something.

Anyway, it's confusing for newbies if one never sees the list update, and bad if someone thinks they have a working list and aren't protected at all after it is months or years old. Why they wouldn't set up a redirect for http://feeds.dshield.org/top10-2.txt to http://feeds.dshield.org/block.txt, or take the old list down, is beyond me.

Also note the list is available at https://www.dshield.org/block.txt and https://secure.dshield.org/block.txt, either of which are probably better to use/list since they use HTTPS.

--
Steve Yates
ITS, Inc.
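The failure mode Steve describes, a list that still downloads fine but stopped updating months ago, is silent unless the consumer checks the feed's own timestamp. The following added example (not code from the thread or from pfBlockerNG) parses a DShield-style block list into CIDR networks and refuses to use it when the `updated:` header is older than a configurable maximum age. The feed layout (a `#` comment header carrying an `updated:` line, then tab-separated `Start`/`End`/`Netmask`/`Attacks`/... rows) is assumed from the published block.txt; the sample feed text is constructed with documentation addresses and is not a real download, and `parse_updated`, `parse_entries` and `load_blocklist` are this example's own names.

```python
"""Parse a DShield-style block list and refuse to trust a stale copy.

Added example, not code from the thread or from pfBlockerNG. The feed
layout is assumed from the published block.txt (comment header with an
"updated:" line, then tab-separated Start/End/Netmask/Attacks/... rows).
SAMPLE_FEED below is constructed for the example, not a real download.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

SAMPLE_FEED = """\
#
#   DShield.org Recommended Block List
#    updated: Mon Jun 27 12:00:03 2016 UTC
#
Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail
198.51.100.0\t198.51.100.255\t24\t1234\tEXAMPLE-NET\tXX\tabuse@example.invalid
203.0.113.0\t203.0.113.255\t24\t987\tDOC-NET\tXX\tabuse@example.invalid
"""

UPDATED_RE = re.compile(r"^#\s*updated:\s*(.+?)\s*UTC\s*$")


def parse_updated(feed_text):
    """Return the feed's 'updated:' stamp as an aware UTC datetime, or None."""
    for line in feed_text.splitlines():
        m = UPDATED_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            return stamp.replace(tzinfo=timezone.utc)
    return None


def parse_entries(feed_text):
    """Return (network, attacks, name) per data row, Start/Netmask as CIDR.

    Comment lines and the column header are skipped; a row with too few
    columns is skipped rather than aborting the whole update.
    """
    entries = []
    for line in feed_text.splitlines():
        if not line or line.startswith("#") or line.startswith("Start\t"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        start, _end, netmask, attacks = fields[:4]
        net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
        name = fields[4] if len(fields) > 4 else ""
        entries.append((net, int(attacks), name))
    return entries


def load_blocklist(feed_text, now, max_age=timedelta(days=2)):
    """Return the feed's networks, or raise ValueError if it is stale.

    Treating a stale feed as an error is the point: an abandoned list
    still downloads cleanly but protects against nothing.
    """
    updated = parse_updated(feed_text)
    if updated is None:
        raise ValueError("feed has no 'updated:' header; refusing to use it")
    age = now - updated
    if age > max_age:
        raise ValueError(
            f"feed is {age.days} days old (updated {updated:%Y-%m-%d}); "
            f"refusing to use it")
    return [net for net, _attacks, _name in parse_entries(feed_text)]


if __name__ == "__main__":
    fresh = datetime(2016, 6, 28, tzinfo=timezone.utc)
    print("networks:", [str(n) for n in load_blocklist(SAMPLE_FEED, fresh)])
    try:
        load_blocklist(SAMPLE_FEED, datetime.now(timezone.utc))
    except ValueError as err:
        print("rejected:", err)
```

Wire the age check into whatever fetches the list and the "months-old list nobody noticed" case becomes a logged error instead of a false sense of coverage. Fetch over the HTTPS URLs Steve mentions so the file cannot be swapped in transit; Python's `urllib.request.urlopen` verifies the server certificate by default.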
Re: [pfSense] Sync problem betweens 2 nodes
So the configuration is sync'd successfully, but the next time the sync happens the slave loses its rules? Is the slave also set to sync to the master? That should not be the case.

My initial problem was there is a field to type a username for syncing but that is ignored and pfSense is hardcoded to use "admin"... but it sounds like you get a successful sync so that can't be it.

Now I only have issues with the Suricata package sync occasionally causing the web GUI (I think PHP-FPM really, which prevents the GUI from working) on the slave to stop responding.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Raphaël RIGNIER
Sent: Friday, April 1, 2016 10:23 AM
To: List@lists.pfsense.org
Subject: [pfSense] Sync problem betweens 2 nodes

Hi community.

I'm trying to sync 2 SG-8860 nodes for high availability. Release 2.2.6-RELEASE.

I've read the doc on HA from portal.pfsense.org but I'm having an issue.

Configuration sync from master to slave is almost working. But SYNC interface's firewall rules are cleared on slave at each sync attempt. If I add a temp allow all rule on slave's SYNC interface, as described in the doc, it is cleared on the next sync event. Even if the allow rule is present on master.

I haven't seen anything interesting in log files.

Does someone have an idea?

Thank you.
Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!
The release blog post led me to the upgrade notes which have:

https://doc.pfsense.org/index.php/Upgrade_Guide#Package_System

"Packages require significant conversion for use on 2.3, currently only the most popular and supported packages are present on 2.3, so be aware that some packages are not available. See Package Port List for a list of packages currently available on 2.3."

https://doc.pfsense.org/index.php/Package_Port_List

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jeff H
Sent: Wednesday, April 13, 2016 2:08 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

On Wed, Apr 13, 2016 at 11:48 AM, Steve Yates <st...@teamits.com> wrote:
> The release notes don't mention specific package compatibility but a
> lot of that's third party. In System: Package Manager does the "platform:
> 2.2"
> mean the package is compatible with only 2.2? Or is that because I'm
> looking at a v2.2 installation? Is there a package compatibility list
> for 2.3.x?
>
> --
>
> Steve Yates
> ITS, Inc.

I'm not sure about the listing in Package Manager. For a list of removed packages in 2.3 see here:

https://doc.pfsense.org/index.php/2.3_Removed_Packages

Jeff
Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!
The release notes don't mention specific package compatibility but a lot of that's third party. In System: Package Manager does the "platform: 2.2" mean the package is compatible with only 2.2? Or is that because I'm looking at a v2.2 installation? Is there a package compatibility list for 2.3.x?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of mayak
Sent: Wednesday, April 13, 2016 5:17 AM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

hi all,

upgraded to 2.3 and found that the bind package is missing. my whole network depends on its presence ...

does anyone know when it might be available?

thanks

m

--
Markets can remain irrational longer than you can remain solvent. — John Maynard Keynes
Re: [pfSense] Soeckris Net5501 SSD
The Intel S37xx is their data center line right? We've had some weird stuff in Windows and Linux servers get fixed by drive firmware updates. There have been multiple updates since fall 2015. Weird as in the Intel software in Windows showed both drives in a RAID 1 failed, though Windows could still read and write to that drive letter. Based on the Linux errors I suspect the drives were temporarily dropping out and/or taking too long to access.

That said, I know you were asking for real world experience, but Intel does list reliability and drive write life specs for their SSDs if you open the PDFs on their site. They do list compressed read and write speeds for some drives so be careful what table you're reading.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Wednesday, May 18, 2016 1:18 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Soeckris Net5501 SSD

Ed, you said it well here: "wear leveling work is in SATA and DOM"

I think this is an important point, because if I understand correctly, there is nothing inherent to DOM or SATA to make it more or less suitable to the excellent implementations we've seen of over-provisioning, wear-leveling etc. in the other storage form factors. As you say though, that's where the work is taking place, so if you want it, DOM and SATA appear to be the devices to use. Funny how that works, but it appears to be market forces only, not technology which informs this detail.

Thanks too for the info on the Soekris 6501. I have one in the field, also with an mSATA module. I'm really glad I didn't try to upgrade that in place, or I might be talking Ethyl the 60-year-old office manager through router-resurrection. Fun. You just saved my bacon. Thanks for that.

In the realm of SSDs I have been using Intel S37xx's as ZFS intent log accelerators for as long as they've been available. Great devices. Some installs have seen many terabytes of writes per week for years without issue. For a pfSense install, it's an absurd amount of overkill. Still, as you say, 'pro grade' SSDs are a mere $50, so 'pro' SSDs start to become an economical choice. In particular, I see the Intel S35x0 ~80GB for $60. Do you know if the reliability is in the same league as the S3700 series? It would be an easy choice given the high cost of downtime in a remote install. Any experience with that series of devices in particular?

Thanks a lot Ed. Your input was exactly what I was looking for!

-Karl

On 5/18/2016 10:11 AM, ED Fochler wrote:
> Karl,
> There are numerous other similar answers to be found, but here's mine:
>
> Get away from CF if you can. The modern performance and wear leveling work is in SATA and DOM, those are better devices. Abandon the nano-BSD and just find the miscellaneous checkbox to put /tmp and /var in RAM. That's the bulk of the benefit without the separate distribution. Although that is seldom necessary any more either.
>
> My Soekris 6501 still doesn't like the upgrade to PFSense 2.3 on mSATA, but I'm running one from a SATA disk on 2.3 just fine. This problem seems Soekris specific, but my summary is still that SATA seems to be where the support is. And with SSD, I don't see any benefit to staying away from SATA even if you are allergic to spinning disks. Market forces have made 100GB SSDs available for less than $50, and that's some wild over-provisioning for an install that is happy in < 4GB. You can get a nice Intel or "pro" Samsung for a little more if you want more insurance against having to visit those devices. I'm generally a fan of the SSDs with metal cases for heat dissipation.
>
> ED.
>
>> On 2016, May 17, at 6:09 PM, Karl Fife <karlf...@gmail.com> wrote:
>>
>> I have about 15 Net5501's OR Lanner FW-7541D's in the field running embedded/Nano on CF cards. There's not enough space on a 1GB CF to upgrade to v2.3. Of course I can upgrade to larger CF cards, however the eventual phase-out of NanoBSD makes me wonder if it's better to install a SATA SSD (or SATA DOM) which would possibly eliminate the need to re-re-factor storage in the near future (e.g. with the release of v 2.4, and the phase-out of NanoBSD: https://doc.pfsense.org/index.php/Upgrade_Guide#Planning_for_the_Future )
>>
>> Question:
>> I'd like to ask what solid-state storage others are using on non-NanoBSD installs. If running the "full" version of pfSense, is it sufficient 'simply' to use a quality wear-leveling SATA DOM, or is it recommended to use something with even better write endurance? I wouldn't h
[pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch
We have an application with a Comcast-provided SMC router and two pfSense routers (Comcast <- building <- tenant). The building router (v2.3.0) gets an IPv6 address and can ping out. However in its DHCP logs I see:

dhcp6c invalid prefix length 64 + 4 + 64
dhcp6c XID mismatch (several of these)

Am I correct that "invalid prefix length" means the Comcast router isn't delegating a /60 properly? I have it set:

DHCPv6 Prefix Delegation size 60
Send IPv6 prefix hint checked

If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."

My second question was going to be about getting IPv6 to the PCs inside the tenant router but unless I'm mistaken I need a couple more /64 networks for that (what a waste of IPs...I know there's a lot but still...).

Thanks,

Steve Yates
ITS, Inc.
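An added illustration, not part of the thread, of how to read the dhcp6c line quoted above. It assumes (my reading of dhcp6c's prefix-delegation handling) that the three numbers are the prefix length the ISP actually delegated, the SLA length pfSense derives from its "Prefix Delegation size" (64 minus that size), and the 64-bit interface identifier; the /60 it enumerates is constructed from documentation address space.

```python
"""Read dhcp6c "invalid prefix length A + B + C" log lines.

Added example, not part of the mailing-list thread. Assumption (my reading of
dhcp6c's prefix-delegation handling): A is the prefix length the ISP actually
delegated, B is the SLA length pfSense configured from its "Prefix Delegation
size" (64 - size), and C is the interface-id length (64). dhcp6c refuses to
carve LAN /64s out of the delegation when A + B + C exceeds 128 bits.
"""
import ipaddress
import re

IFID_LEN = 64  # bits dhcp6c reserves for the interface identifier of each LAN

INVALID_RE = re.compile(r"invalid prefix length (\d+) \+ (\d+) \+ (\d+)")


def parse_invalid_prefix(line):
    """Return (delegated_len, sla_len, ifid_len), or None for any other line."""
    m = INVALID_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None


def explain(line):
    """Translate the log line into requested versus delegated prefix sizes."""
    parsed = parse_invalid_prefix(line)
    if parsed is None:
        return None
    delegated_len, sla_len, ifid_len = parsed
    requested_len = ifid_len - sla_len  # the PD size that was set in pfSense
    return {
        "requested_pd_len": requested_len,
        "delegated_len": delegated_len,
        # bits by which delegated + SLA + interface-id overshoots 128
        "overflow_bits": delegated_len + sla_len + ifid_len - 128,
        # how many /64 LANs the delegation actually contains
        "lan_subnets_in_delegation": 2 ** max(0, IFID_LEN - delegated_len),
    }


def pd_fits(delegated_len, requested_len):
    """True when a delegation of delegated_len satisfies a PD request of requested_len."""
    sla_len = IFID_LEN - requested_len
    return delegated_len + sla_len + IFID_LEN <= 128


def lan_subnets(delegated_prefix, requested_len):
    """List the /64 networks pfSense could assign to LAN interfaces, or [] on mismatch."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if not pd_fits(net.prefixlen, requested_len):
        return []
    return [str(s) for s in net.subnets(new_prefix=IFID_LEN)]


if __name__ == "__main__":
    # Constructed log lines shaped like the ones in the thread.
    for entry in ("dhcp6c invalid prefix length 64 + 4 + 64",
                  "dhcp6c invalid prefix length 64 + 8 + 64",
                  "dhcp6c XID mismatch"):
        print(entry, "->", explain(entry))
    # 2001:db8::/32 is documentation space; this /60 is a constructed sample.
    print(lan_subnets("2001:db8:0:10::/60", 60))
```

The "64 + 4 + 64" line therefore decodes as a /64 delivered against a /60 request, which leaves exactly one /64 and no room for the extra LAN networks the tenant router would need.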
Re: [pfSense] Limiter on WAN based on time?
The schedules are created under Firewall/Schedules and then can be applied to a limiter. On a limiter you'd need at least two Bandwidth entries, one for each schedule (day/night).

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Tuesday, May 24, 2016 10:00 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Limiter on WAN based on time?

So I've tried floating rules (blocks all traffic outside of schedule) and LAN rules (limits 24/7 or blocks outside of schedule). How do I throttle WAN from 9am to 10pm, say, and then open it up after hours?
Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch
I neglected to mention it but I did find and read many articles on Comcast modem support. As a whole the posts were rather conflicting and confused so it seemed that it may or may not work...older posts were more likely to say it wasn't working.

We do have a static IPv4 block. Sadly a few years ago when we tried to increase speeds we were down for a time because their other non-SMC modem couldn't handle static IPs reliably and they had to scrounge for an SMC box for us. I inferred the techs knew this but Comcast was switching modems anyway. So, I'm hesitant to ask for a different one. :-/ Maybe it is different now.

I don't see anything in the SMC interface about a firmware update. It's Comcast branded so I assume their firmware. Maybe we'd have to call. It has v 3.1.6.57 now.

The SMC does show an IPv6 address, LAN DHCPv6 enabled with a range, and has an "External Router Delegated Prefix" section that is empty. The building router gets its IP from that range. The SMC has a different WAN IPv6 address in 2001:558:...::/64. At the bottom of its Gateway Summary/Network tab I see:

LAN IPv6 Prefixs Delegations 2601:249::::/64

...with the LAN IP range. (yes, it is spelled "prefixs")

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Wednesday, May 18, 2016 10:10 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

On Wed, May 18, 2016 at 7:14 PM, Steve Yates <st...@teamits.com> wrote:
> We have an application with a Comcast-provided SMC router and two pfSense routers (Comcast <- building <- tenant). The building router (v2.3.0) gets an IPv6 address and can ping out. However in its DHCP logs I see:
>
> dhcp6c invalid prefix length 64 + 4 + 64
> dhcp6c XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router isn't delegating a /60 properly? I have it set:
>
> DHCPv6 Prefix Delegation size 60
> Send IPv6 prefix hint checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs inside the tenant router but unless I'm mistaken I need a couple more /64 networks for that (what a waste of IPs...I know there's a lot but still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>

Comcast's support documents claim that "Business IP Gateway" devices (a.k.a. your SMC modem/router) are allocated a /56. However, there seem to be indications on Comcast's forums and other networking forums that they aren't doing that properly on certain models with certain firmware. (One example is http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2 which is from over a year ago, but that could still be an issue now given the speed at which these companies release firmware updates.)

Can you check if there is a firmware update for the SMC box? Is there any way to check in the settings of the SMC box to see what it got from Comcast? None of my customers are using that model at the moment, so I can't tell you where to look.

If you do not have static IPs from Comcast, your best option is probably to replace the Comcast-provided router with a Motorola/Arris Surfboard modem and have the building pfSense talk directly to Comcast through that. However, for some reason that defies all logical explanation, Comcast will not let you BYOM if you use static IPs. Some people (also mentioned in the forum link above) have gotten prefix delegation to work by asking Comcast to switch their SMC router for a Netgear one.

--
Moshe Katz
--
mo...@ymkatz.net
--
+1(301)867-3732
Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch
Is there a way to force pfSense to do NAT for IPv6? If so then we could make it work. I understand that's not the point of IPv6 but...

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Thursday, May 19, 2016 2:13 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

I'm going to have to guess that you are out of luck for IPv6 then.

If you find anyone at Comcast who is 1) capable of understanding technical feedback, 2) receptive to such feedback, and 3) high enough up the chain of command to make things happen, I'd be happy to join a campaign to convince that person to get this fixed.

Moshe

P. S. Something tells me that we will have moved on to IPv6 or IPv8 (or maybe even abandoned IP entirely for something else) by the time anything happens to get this fixed. This is Comcast we're talking about after all, a multi-year winner and runner-up of Consumerist's "Golden Poo Award" for worst company in America.

--
Moshe Katz
--
mo...@ymkatz.net
--
+1(301)867-3732

On Thu, May 19, 2016 at 2:49 PM, Steve Yates <st...@teamits.com> wrote:
> I neglected to mention it but I did find and read many articles on Comcast modem support. As a whole the posts were rather conflicting and confused so it seemed that it may or may not work...older posts were more likely to say it wasn't working.
>
> We do have a static IPv4 block. Sadly a few years ago when we tried to increase speeds we were down for a time because their other non-SMC modem couldn't handle static IPs reliably and they had to scrounge for an SMC box for us. I inferred the techs knew this but Comcast was switching modems anyway. So, I'm hesitant to ask for a different one.
> :-/ Maybe it is different now.
>
> I don't see anything in the SMC interface about a firmware update. It's Comcast branded so I assume their firmware. Maybe we'd have to call. It has v 3.1.6.57 now.
>
> The SMC does show an IPv6 address, LAN DHCPv6 enabled with a range, and has an "External Router Delegated Prefix" section that is empty. The building router gets its IP from that range. The SMC has a different WAN IPv6 address in 2001:558:...::/64. At the bottom of its Gateway Summary/Network tab I see:
>
> LAN IPv6 Prefixs Delegations 2601:249::::/64
>
> ...with the LAN IP range. (yes, it is spelled "prefixs")
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> Sent: Wednesday, May 18, 2016 10:10 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch
>
> On Wed, May 18, 2016 at 7:14 PM, Steve Yates <st...@teamits.com> wrote:
>
> > We have an application with a Comcast-provided SMC router and two pfSense routers (Comcast <- building <- tenant). The building router (v2.3.0) gets an IPv6 address and can ping out. However in its DHCP logs I see:
> >
> > dhcp6c invalid prefix length 64 + 4 + 64
> > dhcp6c XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router isn't delegating a /60 properly? I have it set:
> >
> > DHCPv6 Prefix Delegation size 60
> > Send IPv6 prefix hint checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs inside the tenant router but unless I'm mistaken I need a couple more /64 networks for that (what a waste of IPs...I know there's a lot but still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
>
> Comcast's support documents claim that "Business IP Gateway" devices (a.k.a. your SMC modem/router) are allocated a /56. However, there seem to be indications on Comcast's forums and other networking forums that they aren't doing that properly on certain models with certain firmware. (One example is
> http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
> which is from over a year ago, but that could still be an issue now given the speed at which these companies release firmware updates.)
>
> Can you check if there is a firmwar
Re: [pfSense] Routing Issue
I'm a bit confused whether the /25 is your LAN subnet or another interface. The OpenVPN tunnel network has to be a subnet that is on no other interfaces including the remote PC's LAN. For example we have our data center using a /29 for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for OpenVPN. 192.168.199.0/24 is just used to route packets from the remote PC to behind the router.

You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and should be "/29" like the others.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Tuesday, May 10, 2016 2:32 PM
To: list@lists.pfsense.org
Subject: [pfSense] Routing Issue

Hi there,

I try to configure 2 pfSense firewalls as the following setup:

My ISP gave me a /29 as transfer network. I set up the IPs as the following:

x.x.x.131/29 PF1
x.x.x.132/29 PF2
x.x.x.130/130 CARP Interface (Redundant)

After that I added x.x.x.2/25 to another interface and also created a CARP interface with IP 1 (default gateway for clients).

Now I want to route the /25 through the .130 IP, for example so that OpenVPN has the IP from the /25 network.
When I establish a VPN connection it always shows me the IP .131.

Can it be changed, for example by changing Outbound NAT or so, that the .1 is shown in the interface?
All IPs are public IPs.

Hope you understand what I mean ;)

Cheers

Daniel
Re: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice
https://doc.pfsense.org/index.php/Upgrade_Guide#Upgrading_High_Availability_Deployments

"Generally the recommended path for upgrading a High Availability cluster is to first upgrade the secondary node."

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Mike Montgomery
Sent: Tuesday, May 10, 2016 3:55 PM
To: pfsense mail list <list@lists.pfsense.org>
Subject: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice

I have two servers, set up in high availability, that are currently running 2.2.6. I have been running 2.3 at home and on my test servers and am ready to upgrade the office to 2.3 as well. I have been reading several upgrade guides as to which one to upgrade first, but would like to see if anyone has upgraded a HA setup yet successfully?

What I am looking at doing is disable CARP, and upgrade the master after I make backups, and take a snapshot of the machines to roll back to if needed (they are VMs). Then once everything is upgraded on master, allow CARP to switch back, then upgrade secondary. Should this work?

Going from 2.2.6 to 2.3, if I do the master first, do I need to disable the sync from master until the secondary is upgraded as well? Have not seen much specified for 2.3, only 2.1 to 2.2 upgrades.

Thanks
Re: [pfSense] Routing Issue
You should not have to route anything manually. Your data center or ISP routes the /25 to 212.168.31.130. In essence, packets are sent there for you. pfSense then "knows" the LAN side is the /25 and sends them to the LAN.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Tuesday, May 10, 2016 3:13 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Routing Issue

Let me try to explain it completely ;)

I configured something like that in my first router. I think CARP etc. is not the problem here:

WAN (wan) -> igb0 -> v4: 212.168.31.131/29
FCSE_PUB (lan) -> igb1 -> v4: 212.168.31.2/25
HA_SYNC (opt1) -> igb3 -> v4: 10.0.0.1/24

The /29 network is just a transfer net for the /25 subnet. So I have to route the /25 through the /29. In my case it should be the .130 (CARP IP).

I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP IP). VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway. Connection etc. is working, but when I make connections through the VPN I will always see the IP from the WAN interface; but the /25 are public IPs, so I want to have the (.1 CARP IP) show on remote servers like google.com and so on.

In Linux I can just set up the next hop like:

ip r a 212.168.31.2/25 via 212.168.31.130 dev igb0

When I set the route with

route add 212.168.31.0/25 212.168.31.130

I am not able to reach anything. NAT is not needed I think because we use public IPs. So that's the reason why I am confused.

traceroute -i igb1 web.de
traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
 1  * * *
 2  * * *

On the router side of my ISP all traffic to the /25 is routed to the .130 on my side.

> On 10.05.2016 at 21:57, Steve Yates <st...@teamits.com> wrote:
>
> I'm a bit confused whether the /25 is your LAN subnet or another interface. The OpenVPN tunnel network has to be a subnet that is on no other interfaces including the remote PC's LAN. For example we have our data center using a /29 for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for OpenVPN. 192.168.199.0/24 is just used to route packets from the remote PC to behind the router.
>
> You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and should be "/29" like the others.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
> Sent: Tuesday, May 10, 2016 2:32 PM
> To: list@lists.pfsense.org
> Subject: [pfSense] Routing Issue
>
> Hi there,
>
> I try to configure 2 pfSense firewalls as the following setup:
>
> My ISP gave me a /29 as transfer network. I set up the IPs as the following:
>
> x.x.x.131/29 PF1
> x.x.x.132/29 PF2
> x.x.x.130/130 CARP Interface (Redundant)
>
> After that I added x.x.x.2/25 to another interface and also created a CARP interface with IP 1 (default gateway for clients).
>
> Now I want to route the /25 through the .130 IP, for example so that OpenVPN has the IP from the /25 network.
> When I establish a VPN connection it always shows me the IP .131.
>
> Can it be changed, for example by changing Outbound NAT or so, that the .1 is shown in the interface?
> All IPs are public IPs.
>
> Hope you understand what I mean ;)
>
> Cheers
>
> Daniel
[pfSense] Limiters on LAN, WAN
A question on where to set up a limiter...if it is set on a LAN rule and has in/out limiters set, will the limiter only apply to outbound traffic matching the rule (from __ to any)? Or would that match, say, the response to an outbound HTTP request? Up until now I've only had occasion to use a limiter on a LAN upload.

I did see the known issue that limiters don't currently work on NATted interfaces so don't have them set up on the WAN side.

Thanks,

Steve Yates
ITS, Inc.
Re: [pfSense] Limiters on LAN, WAN
To explain my need it's for limiting traffic for several tenants of an office building, so each gets up to "n" amount of bandwidth. Each has a static IP and their own router.

Maybe I was just overthinking it. Having a limiter on the WAN side would therefore limit the connection if a tenant was, let's say, hosting a web server and a remote user uploaded a file into the building.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Thursday, May 12, 2016 1:17 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiters on LAN, WAN

On Thu, May 12, 2016 at 1:11 PM, Steve Yates <st...@teamits.com> wrote:
> I have the limiters configured as you show. But are you saying you would normally set your limiter on rules on both the LAN and WAN? Basically, I should set it on LAN for now and when the bug is fixed set it on WAN also?
>
> --
>
> Steve Yates
> ITS, Inc.

No, I only set a limiter on LAN to match the host that I want to limit. I did not know if you were talking about matching outgoing traffic from all hosts. It would be a bit different I think.
Re: [pfSense] Limiters on LAN, WAN
No we're actually using NAT and private IPs inside the building. We use 1:1 NAT if a tenant needs a public IP.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Thursday, May 12, 2016 2:38 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiters on LAN, WAN

On Thu, May 12, 2016 at 1:42 PM, Steve Yates <st...@teamits.com> wrote:
> To explain my need it's for limiting traffic for several tenants of an office building, so each gets up to "n" amount of bandwidth. Each has a static IP and their own router.
>
> Maybe I was just overthinking it. Having a limiter on the WAN side would therefore limit the connection if a tenant was, let's say, hosting a web server and a remote user uploaded a file into the building.
>
> --
>
> Steve Yates
> ITS, Inc.
>

I understand what you are talking about. See I do not let any traffic in... Are you running the firewall transparent then?
Re: [pfSense] Limiters on LAN, WAN
I have the limiters configured as you show. But are you saying you would normally set your limiter on rules on both the LAN and WAN? Basically, I should set it on LAN for now and when the bug is fixed set it on WAN also?

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Thursday, May 12, 2016 12:47 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiters on LAN, WAN

On Thu, May 12, 2016 at 11:52 AM, Steve Yates <st...@teamits.com> wrote:
> A question on where to set up a limiter...if it is set on a LAN rule and has in/out limiters set, will the limiter only apply to outbound traffic matching the rule (from __ to any)? Or would that match, say, the response to an outbound HTTP request? Up until now I've only had occasion to use a limiter on a LAN upload.
>
> I did see the known issue that limiters don't currently work on NATted interfaces so don't have them set up on the WAN side.
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>

Normal firewall rules are only ingress; they can check source and dest from a packet coming in to the interface.

I limit both upload and download of clients.

Limiters:

UPLOAD: Some Limit Set
Mask: Source Address
Bits: 32 and 128

DOWNLOAD: Some Limit Set
Mask: Destination Address
Bits: 32 and 128

pfsense firewall rule:

Pass some source address
Advanced Settings:
In / Out pipe: UPLOAD FIRST, DOWNLOAD SECOND

It would take matched traffic from a firewall rule and put it in the limiter. I have not tried using egress rules but with the any directive all traffic to and from the system gets limited.
Re: [pfSense] firewall rules with fqdn-alias
Are you using dots in your FQDNs? Those aren't valid alias names... 'The name of the alias may only consist of the characters "a-z, A-Z, 0-9 and _".'

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Martin Fuchs
Sent: Tuesday, May 17, 2016 9:26 AM
To: list@lists.pfsense.org
Subject: [pfSense] firewall rules with fqdn-alias

Hi !

We're using pfSense 2.3_1 here in a CARP-cluster.

We are using rules with fqdn-aliases and those rules do not work.

When I look under diagnostics -> tables I see the tables filled with the correct IPs.

When I change the rule not to use the alias, but the IP instead, the rule works immediately.

It's really weird.

Does anyone have some idea for me ?

Regards,

martin !
Re: [pfSense] firewall rules with fqdn-alias
Is there a length limit for alias names? If it's an invalid alias I would think one of the logs should show something when the firewall rules are applied...I recall seeing errors in there before...

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Martin Fuchs
Sent: Wednesday, May 18, 2016 4:22 AM
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: Re: [pfSense] firewall rules with fqdn-alias

Hi !

Sounds reasonable, but there's no dot at the end ...

Regards,

martin

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WolfSec-Support
Sent: Wednesday, 18 May 2016 09:26
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] firewall rules with fqdn-alias

Hi Martin

Do you have a dot at the end of the fqdn like in bind configs ? pfSense doesn't like a dot at the end.

With e.g. host.domain.tld it works fine
With host.domain.tld. it does not work

So if you use a dot at the end please remove it

Br
Stephan

On 18.05.2016 00:12, "Martin Fuchs" <mar...@fuchs-kiel.de> wrote:
> Hi, Steve !
> No dots in the alias, but in the fqdn-address; the lookup works fine, so the resolved fqdn are visible in the tables, but it seems as if the rule is not applied.
> But there is no error...
> Any diagnostic hints ?
> Regards,
> Martin
>
> > Are you using dots in your FQDNs? Those aren't valid alias names... 'The name of the alias may only consist of the characters "a-z, A-Z, 0-9 and _".'
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -----Original Message-----
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Martin Fuchs
> > Sent: Tuesday, May 17, 2016 9:26 AM
> > To: list@lists.pfsense.org
> > Subject: [pfSense] firewall rules with fqdn-alias
> >
> > Hi !
> >
> > We're using pfSense 2.3_1 here in a CARP-cluster.
> >
> > We are using rules with fqdn-aliases and those rules do not work.
> >
> > When I look under diagnostics -> tables I see the tables filled with the correct IPs.
> >
> > When I change the rule not to use the alias, but the IP instead, the rule works immediately.
> >
> > It's really weird.
> >
> > Does anyone have some idea for me ?
> >
> > Regards,
> >
> > martin !
Re: [pfSense] 2.3-REL, HA, WAN CARP IPv6 MAC seen as active on both NICs
"IPv6 does not seem to get proper advertisements from peer and both think they're MASTER" Are you only syncing in one direction? fe80::250:56ff:febf:3ca5 is a link-local address which looks a bit strange in my skimming of the below. Overall, we have two IPv6 ranges for the routing: WAN CARP IP: 2607:ff50::12/125 WAN IP router 1: 2607:ff50::17/125 WAN IP router 2: 2607:ff50::16/125 LAN block: 2607:ff50:0:4c::0/64 2607:ff50:0:4c::0/64 is routed to 2607:ff50::12 by our data center. CARP syncs over IPv4 and we've not had a problem. We're on 2.2.6. "CARP is not permitted on their equipment" Is that even possible? How would they prevent that other than tying the IP address to a MAC address? -- Steve Yates ITS, Inc. -Original Message- From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia Sent: Wednesday, May 4, 2016 5:12 AM To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org> Subject: Re: [pfSense] 2.3-REL, HA, WAN CARP IPv6 MAC seen as active on both NICs > Le 3 mai 2016 à 11:17, Olivier Mascia <o...@integral.be> a écrit : > >> Le 3 mai 2016 à 09:49, Chris Buechler <c...@pfsense.com> a écrit : >> >>> Or would it be that my BACKUP (according to /status_carp.php) do also >>> advertise (which it shouldn't as BACKUP)? >> >> That's the problem. I'm seeing that in some cases and not others with >> IPv6 CARP in 2.3, with no apparent reason as to why. It seems like it >> continues to work fine in that circumstance for me, but that could >> definitely affect switch CAM tables and cause issues like packet loss >> in some environments. I need to look at it closer tomorrow. > > It's a relief to read your comment. :) > > As I clearly have a system where this happen, what would you need from me or > my system to maybe help you pinpoint what's the cause? > Could this possibly be a NIC drivers issue? > Those are vmware VMs using VMXNET3 (underlying physical NICs on the cluster > hosts are 10 Gbe). 
> Would it be worth trying to downgrade to E1000 and see if it helps? Or a
> probable pure loss of time?
>
> Also, from your comment, am I right assuming this is not known to happen with
> <2.3 releases?
> So that I could consider rebuilding those VMs using 2.2.6 for instance?
> And upgrade to 2.3.x later?
>
> Thanks!

I'm lost trying to get CARP / IPv6 working, including on 2.2.6 (I set up two new VMs using 2.2.6 to compare results with those I had with 2.3).

CARP works for IPv4 and IPv6 on my LAN side. On the WAN side, only IPv4 is OK. IPv6 does not seem to get proper advertisements from the peer and both think they're MASTER.

The ports on which my WAN interfaces are plugged in are managed by the hosting provider and I tend to think they might have something set up wrong on their side. By default, CARP is not permitted on their equipment and I have to trigger (once) a GUI command to "activate CARP" on each of my interfaces facing their equipment. To my understanding it probably allows the required multicast to flow between both ports. I fear their setup might not work for the ff02::12 traffic.

Capturing on IPv4, I see:

FW1:
11:54:38.719091 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, vrid 104, prio 0, authtype none, intvl 1s, length 36
...

and FW2:
11:54:38.723415 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, vrid 104, prio 0, authtype none, intvl 1s, length 36
...

That looks good and understandable to me. State MASTER or BACKUP switches properly from one box to the other when I shut down one or the other, and restores properly to FW1 MASTER and FW2 BACKUP when both are online. Therefore, the IPv4 CARP VIP works properly, which can be easily tested.

Capturing on IPv6, I see:

FW1:
11:59:13.379073 IP6 fe80::250:56ff:febf:3ca5 > ff02::12: ip-proto-112 36
...

and FW2:
11:59:13.202384 IP6 fe80::250:56ff:febf:37a3 > ff02::12: ip-proto-112 36
...

And both FW switch to MASTER. This same behavior with 2.3 and 2.2.6.

I'll talk again to my supplier, who has control of those ports, insisting on checking IPv6 multicast. But I feel sad not really knowing if I'm hit by a bug on their side or on my side at the pfSense level.

If someone has CARP on IPv6 working, would you be so kind as to check what you can capture about it (IPv6)? Does it differ from the scheme I'm seeing?

Thanks!!

--
Best regards, Kind regards, Best Regards,
Olivier Mascia, integral.be/om

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
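As an added illustration of the dual-MASTER symptom in the captures above (this is not code from the thread or from pfSense), the following Python parses tcpdump lines of the two shapes quoted in the thread and flags any address family in which more than one source address is sending advertisements. Only the MASTER should advertise, so two distinct sources in one family means two nodes believe they are MASTER, which is exactly what the two link-local sources in the IPv6 captures show. The FW1/FW2 labels and the idea of merging both boxes' captures are assumptions for the example; the sample lines are the ones quoted above.

```python
import re
from collections import defaultdict

# tcpdump decodes CARP (IP protocol 112 to 224.0.0.18) with its VRRPv2 printer
V4_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > 224\.0\.0\.18: VRRPv2, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+)"
)
# Over IPv6 there is no decoder, so only the protocol number and the ff02::12
# group address are visible in the line
V6_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-fA-F:]+) > ff02::12: ip-proto-112")


def parse_carp_line(line):
    """Return a dict for a CARP advertisement line, or None for any other line."""
    m = V4_RE.match(line)
    if m:
        return {"ts": m["ts"], "family": "IPv4", "src": m["src"],
                "vrid": int(m["vrid"]), "prio": int(m["prio"])}
    m = V6_RE.match(line)
    if m:
        return {"ts": m["ts"], "family": "IPv6", "src": m["src"],
                "vrid": None, "prio": None}
    return None


def advertisers(captures):
    """Map address family -> set of source addresses seen advertising.

    captures: {host_label: [tcpdump lines]}. Captures from every node are merged,
    because each node only sees what actually reaches its own WAN port.
    """
    seen = defaultdict(set)
    for lines in captures.values():
        for line in lines:
            adv = parse_carp_line(line)
            if adv is not None:
                seen[adv["family"]].add(adv["src"])
    return dict(seen)


def dual_master_families(captures):
    """Families in which more than one distinct source is advertising.

    Only the MASTER advertises, so two sources in the same family means two
    nodes think they are MASTER (the IPv6 symptom described in the thread).
    """
    return sorted(f for f, srcs in advertisers(captures).items() if len(srcs) > 1)


# Sample lines taken from the captures quoted in the thread (FW1/FW2 labels assumed)
SAMPLE = {
    "FW1": [
        "11:54:38.719091 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, vrid 104, prio 0, authtype none, intvl 1s, length 36",
        "11:59:13.379073 IP6 fe80::250:56ff:febf:3ca5 > ff02::12: ip-proto-112 36",
    ],
    "FW2": [
        "11:54:38.723415 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, vrid 104, prio 0, authtype none, intvl 1s, length 36",
        "11:59:13.202384 IP6 fe80::250:56ff:febf:37a3 > ff02::12: ip-proto-112 36",
    ],
}

if __name__ == "__main__":
    for fam in dual_master_families(SAMPLE):
        print(f"{fam}: more than one node is advertising, check multicast on that segment")
```

The IPv4 captures show a single source on both boxes, which is the healthy picture. The check says nothing about which node is at fault, only that advertisements are not reaching the peer in a way that lets it stay BACKUP; that is the concrete question to put to whoever controls the switch ports and the ff02::12 multicast.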
Re: [pfSense] pfSense on vmware ESXi 6.0
I don't have VMWare-specific insight. But, we're doing this on another platform, with CARP syncing between the pfSense VMs. I would consider using a VLAN to isolate the Internet traffic from the servers. Depending on the amount of traffic there are settings for the number of firewall states and such, but unless you're expecting a super high number of connections I would probably just turn it on and check the settings periodically.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
Sent: Thursday, April 14, 2016 4:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfSense on vmware ESXi 6.0

Hello,

I'm looking for advice and best practices when running pfSense (this time it will be 2.3) in a vmware VM. I'm offered to move some resources to a virtual datacenter made of dedicated hardware hosts in clusters, running ESXi 6.0 and vSphere. I have access to such an infrastructure for the next 3 weeks.

I have used pfSense in a number of devices and hosts, but never inside a VM, except for experimenting with configurations of pfSense itself. I could build up a pfSense 2.3 VM without real difficulties. Installing the integration tools was easy through the included package.

Now, what are the pitfalls I should look for? Any shared vmware experience from you will undoubtedly help fine-tune this.

For now the pfSense VM I configured has these resources: OS declared to vSphere is FreeBSD 10.3 64 bits, 1 socket, 2 cores, 2 GHz reserved, 2 GB RAM, 10 GB HD, 2 network adapters. I'm generally resource-conservative but I could allow much more if it makes sense.

For these adapters I have the choice between E1000, VMXNET 2, VMXNET 3. I have set them for VMXNET 3 but without background about this being the right thing to do or not. At least it seems to work but I still need to stress test the VM (traffic-wise) a little bit.

Are there tunings inside pfSense which you could recommend / not live without, based on your experience inside vmware virtual machines? Network interface settings? All are set to their default pfSense values, which means TCP segmentation offloading and large receive offloading are disabled. Would it make sense to enable those?

Thanks for any insight you might want to share.

--
Best regards, Kind regards, Best Regards,
Olivier Mascia, integral.be/om
Re: [pfSense] IPV6 WAN/LAN routing
To rule out any missing firewall rules, on Status: System logs: Settings, check "Log packets matched from the default block rules put in the ruleset" and see if it starts logging your pings from the LAN.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
Sent: Wednesday, April 20, 2016 11:39 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] IPV6 WAN/LAN routing

Dear all,

I must be tired or something but I have a strange thing with IPv6 on a new box I just set up.

I have an x:y:z:d800::/56 routed to me. WAN is static IPv6 on x:y:z:d800::1/64, gateway is x:y:z:d800::::: (not a nice one but that is what they gave me). LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for a LAN interface.

From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach the pf LAN interface on x:y:z:d801::1, I can also reach the pf WAN interface on x:y:z:d800::1, but I can't get a packet to go further. Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) from the WAN interface, but not from the LAN interface.

I would have thought "ok I miss a pass rule on the LAN interface", but there is one.

This by far is not my first pfSense box, and they all have various kinds of IPv6 links. Not that I couldn't be awfully wrong somewhere. So what obvious detail am I overlooking here? If you have any idea?

This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 2.2.x.

--
Best regards, Kind regards, Best Regards,
Olivier Mascia, integral.be/om
Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!
I should restate/clarify that I was looking at the https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes page, which mentions the package system changed but doesn't specifically mention the below, which is on the https://doc.pfsense.org/index.php/Upgrade_Guide#Package_System page that I mentioned in another message. The New Features and Changes page is what is linked from https://doc.pfsense.org/index.php/Category:Releases (on the doc Main Page: "pfSense Release Versions - Change logs and other information for past and present releases").

Also by "specific" I meant, say, the bind package the OP asked about, which was covered in other messages also.

Steve

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: Wednesday, April 13, 2016 5:02 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

On Wed, Apr 13, 2016 at 1:48 PM, Steve Yates <st...@teamits.com> wrote:
> The release notes don't mention specific package compatibility

Yes it does.

"Packages

The list of available packages in pfSense 2.3 has been significantly trimmed. We have removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable. A few have yet to be converted for Bootstrap and may return if converted. See the 2.3 Removed Packages list for details."
Re: [pfSense] DNS Forwarder # exception
I'm just brainstorming here, but for your specific example could you do something like delegate the wildcard record *.example.com to the public DNS servers? Or mail.example.com, etc.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Friday, July 22, 2016 3:41 PM
To: ESF - Electric Sheep Fencing pfSense Support <list@lists.pfsense.org>
Subject: [pfSense] DNS Forwarder # exception

DNS Forwarder had a domain override *exception* feature that I don't see in DNS Resolver. I'm looking for an equivalent/workaround.

Obviously, in both dnsmasq and unbound, I can create a domain override, e.g.

Domain       IP
example.com  10.243.0.1

However, I don't want the override to answer queries for certain hosts, e.g. mail.example.com, vpn.example.com, because queries to those domains will fail if 10.243.0.1 is not available (e.g. mail.example.com) or not available JUST YET (e.g. vpn.example.com).

With dnsmasq, I could create an exception with # so those queries would just fall through to the public DNS, e.g.

vpn.example.com   #
mail.example.com  #
sip.example.com   10.55.47.1

Certainly I can create a HOST override that resolves the host's public IP, but that breaks when the public IP changes.

What's the best way to accomplish these domain override exceptions these days (in unbound/DNSResolver)?

Thanks
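One way to get the same effect in unbound, as an added example that is neither part of the thread nor pfSense's own code: unbound picks the most specific forward-zone whose name matches the query, so a forward-zone for vpn.example.com that points at public resolvers wins over the example.com override. The Python below parses the dnsmasq-style lines from the post (constructed input, "#" meaning "fall through to public DNS"), shows which zone answers a given name under longest-suffix matching, and emits the equivalent forward-zone stanzas. The public resolver addresses are an assumption; any resolvers you already trust would do.

```python
import ipaddress

# Constructed input in the dnsmasq-style notation from the post:
# "<domain> <ip>" overrides the domain to that server, "<domain> #" means
# "do not override, let these names fall through to the public DNS".
SAMPLE_OVERRIDES = """
example.com      10.243.0.1
vpn.example.com  #
mail.example.com #
sip.example.com  10.55.47.1
"""

# Assumption: the public resolvers the excepted names should be forwarded to
PUBLIC_RESOLVERS = ("9.9.9.9", "149.112.112.112")


def parse_overrides(text):
    """Return [(zone, target)] where target is an IP address string or '#'."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"expected '<domain> <ip|#>': {raw!r}")
        zone, target = parts[0].lower().rstrip("."), parts[1]
        if target != "#":
            ipaddress.ip_address(target)  # raises ValueError on a bad address
        entries.append((zone, target))
    return entries


def zone_for(qname, entries):
    """The zone unbound would use for qname: the longest matching suffix, or None."""
    q = qname.lower().rstrip(".")
    best = None
    for zone, _ in entries:
        if q == zone or q.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def to_unbound(entries, public=PUBLIC_RESOLVERS):
    """Emit one forward-zone per entry; '#' entries forward to the public resolvers.

    Parents are listed before children only for readability; unbound matches by
    name length, not by order in the file.
    """
    out = []
    for zone, target in sorted(entries, key=lambda e: (e[0].count("."), e[0])):
        addrs = public if target == "#" else (target,)
        out.append("forward-zone:\n")
        out.append(f'    name: "{zone}"\n')
        out.extend(f"    forward-addr: {a}\n" for a in addrs)
    return "".join(out)


if __name__ == "__main__":
    print(to_unbound(parse_overrides(SAMPLE_OVERRIDES)))
```

The "#" exceptions are forwarded to the public resolvers rather than resolved recursively, which is close to what the dnsmasq exception did. Where the emitted stanzas go (the resolver's custom options, or one domain override per excepted host if the GUI is preferred) is an assumption here, not something the thread confirms.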
Re: [pfSense] looking for perfect pfsense box for home?
I'm being serious, but what is your rationale for not using pfSense's/NetGate's? https://www.pfsense.org/products/ The "cheap" part (< $299)? We tried a "build our own" approach and it's tough to get a small package. Any old PC will do just fine if one adds an SSD, but as someone pointed out that may use far more power in the long run.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, August 3, 2016 2:37 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] looking for perfect pfsense box for home?

Any ideas where to find a perfect pfsense box for home usage. Must be cheap and silent? netgate device? shuttle box?
Re: [pfSense] pfsync_undefer_state: unable to find deferred state
This may or may not be related, but after the upgrade to 2.3.1 I did find a continual stream of checksum error alerts in Suricata. As found online, disabling Hardware Checksum Offloading fixed it, even though this is on a virtual machine.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, July 8, 2016 4:30 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsync_undefer_state: unable to find deferred state

I found thread https://forum.pfsense.org/index.php?topic=87541.60 ...and posted there but it's old and references 2.1.x and 2.2.x versions.

After upgrading from 2.2.6 to 2.3.1_5 we get a long spew of this logged during a Limiter-limited rsync each night (it also shows on the console screen):

Jul 8 02:47:36 kernel defer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred state
Jul 8 02:47:36 kernel _undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_und efer_state: unable to find deferred statepf
Jul 8 02:47:36 kernel ync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_ undefer_state: unable to find deferred stat

It continues while traffic that triggers the limiter rule is in effect and ends immediately upon the traffic's end.

The Limiter setup is only using Firewall\Traffic Shaper\Limiters:

LimitBackupUpLAN 50Mbit/s Overnight [Mon - Sun / 0:00-6:45]
                 15Mbit/s Day
LimitBackupUpLAN 50Mbit/s Overnight
                 15Mbit/s Day

The limiter is on a rule on the LAN interface, with "In / Out pipe" set. It only matches to one IP. Neither checking "No pfSync" nor setting "State type" to None seems to have any effect. I think that's the equivalent of what they mentioned in the forum thread... 'uncheck the flag "State Type" to "NO pfsync".'

I can duplicate this at will...in this case an "rsync --dry-run" is plenty. It doesn't seem to have any effect on traffic since the copy works fine; it appears to just be a logging issue.

--
Steve Yates
ITS, Inc.
[pfSense] Xinetd error message repeating every 15 minutes
I noticed the issue described here: https://www.reddit.com/r/PFSENSE/comments/4lb287/xinetd_error_message_repeating_every_15_minutes/ ...after updating from 2.2.6 to 2.3.1 then immediately 2.3.1_5. To save you some reading, we get this logged every 15 minutes:

Jul 5 12:00:00 xinetd 16277 Reconfigured: new=0 old=1 dropped=0 (services)
Jul 5 12:00:00 xinetd 16277 readjusting service 6969-udp
Jul 5 12:00:00 xinetd 16277 Swapping defaults
Jul 5 12:00:00 xinetd 16277 Starting reconfiguration

It sounds like it's a known/expected issue from the cron job running /etc/rc.filter_configure_sync. My question is, is there an accepted way to hide that info? It fills up the System Logs/General page...

--
Steve Yates
ITS, Inc.
Re: [pfSense] add Blocking in suricata just for some IPs
pfBlockerNG blocks by country, which is what your image showed. One caveat to country blocking is that Microsoft has started using IPv4 blocks allocated to it in other countries for its Azure service, since they ran out.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Monday, June 20, 2016 4:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] add Blocking in suricata just for some IPs

pfblocker is a L7 IDS/IPS Protection?

> On 20.06.2016 at 22:26, Ducky BUNG <ducky.b...@gmail.com> wrote:
>
> Use pfblocker package for this.
>
>
>
> On 06/20/2016 08:27 PM, Daniel Eschner wrote:
>> Hi to everyone,
>>
>> is it possible to add blocking mode just to some IPs from a /24 Network?
>> I want to run that in test mode to see how many false positives I will see ;)
>>
>> Cheers
>>
>> Daniel
>>
>
> --
> Markets can remain irrational longer than you can remain solvent.
>
> John Maynard Keynes
Re: [pfSense] NAT from WAN to LAN
I'm not sure I follow your NAT rule. The WAN and LAN have to be different subnets. The NAT rule is normally a source address of * (to allow any IP to connect) or perhaps in your case 195.160.1.0/24 (that entire subnet). However 195.160.1.0/24 and 195.160.2.0/24 are in a public IP range allocated to Hewlett-Packard...? That might also be interfering with your routing.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Antonio
Sent: Sunday, August 14, 2016 3:55 AM
To: list@lists.pfsense.org
Subject: [pfSense] NAT from WAN to LAN

Hello, you'll have to forgive my newbie question, but that's where we all start at some point. I'm really keen to understand more about networking, hence my desire to learn through pfSense.

This is my setup: OpenWRT Router on the ADSL which has the 195.160.1.0 network on the LAN side and a pfSense linked to the 195.160.1.2 address on the router's LAN (so connected to the pfSense WAN side). On the LAN side of the pfSense, I have the 195.160.2.0 network with 195.160.2.1 on the LAN side.

I have a server on the LAN on pfSense which I want to isolate from all the wireless traffic that is going on the 195.160.1.0 (lots of guest accounts). But I also have a multimedia client on the 195.160.1.0 network that I want to allow access to the media server (195.160.2.2:8096) on the 195.160.2.0 network.

I've set up a NAT port forward rule on pfSense like this:

Interface  Protocol  Source Add.  Source Port  Dest Add.    Dest Port  NAT ip       NAT port
WAN        TCP       *            *            195.160.2.2  8096       195.160.2.2  8096

I allowed pfSense to create the firewall rule automatically so this should be fine?

Why do I not see traffic from the media client being logged (basically, the client does appear to be routed to the server between the two subnets) but I do see traffic from the media client on the 195.160.1.0 being logged to the whole 195.160.1.0 network (I see UDP traffic from 195.160.1.4 to 195.160.1.255 being logged for netbios on 138) as blocked traffic.

When I try to ping the pfSense WAN port on 195.160.1.2, it does get logged on pfSense, but when I try to ping the LAN side of the pfSense from the WAN side, nothing gets logged. Has this got to do with the default rules set up during setting up the WAN interface on pfSense:

a) Blocks traffic from IP addresses that are reserved for private networks per RFC 1918 (10/8, 172.16/12, 192.168/16) and unique local addresses per RFC 4193 (fc00::/7) as well as loopback addresses (127/8). This option should generally be turned on, unless this network interface resides in such a private address space, too.

b) Blocks traffic from reserved IP addresses (but not RFC 1918) or not yet assigned by IANA. Bogons are prefixes that should never appear in the Internet routing table, and so should not appear as the source address in any packets received. Note: The update frequency can be changed under System->Advanced Firewall/NAT settings.

I have them both ticked but I thought the NAT rule would take precedence?

Thanks
geotux
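As an added check (not from the thread and not pfSense's own code), the Python below classifies a source address against the ranges the two WAN options in the message describe: the RFC 1918, RFC 4193 and loopback ranges listed under a), and a small constructed stand-in for the bogon feed under b), whose real contents change over time. It assumes those two default block rules are evaluated before the rule the port forward created, so a private source never reaches the port forward at all; the sample addresses are the ones in the thread.

```python
import ipaddress

# The ranges the WAN "Block private networks" option describes (from the message)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8")]

# Constructed stand-in for the downloaded bogon list: a few well-known reserved
# ranges only, so the example runs offline. The real list is much longer.
BOGON_NETS_SAMPLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4")]


def matching_net(addr, nets):
    """Return the first network in nets containing addr, as a string, else None."""
    a = ipaddress.ip_address(addr)
    for net in nets:
        if a.version == net.version and a in net:
            return str(net)
    return None


def wan_default_verdict(src, block_private=True, block_bogons=True,
                        bogons=BOGON_NETS_SAMPLE):
    """Explain whether src is dropped by the WAN's default block rules.

    Assumption: both options sit ahead of user rules (including the rule a port
    forward creates) in the WAN ruleset, so a match here ends the evaluation.
    """
    if block_private:
        net = matching_net(src, PRIVATE_NETS)
        if net:
            return f"blocked: {src} is in private/loopback range {net}"
    if block_bogons:
        net = matching_net(src, bogons)
        if net:
            return f"blocked: {src} is in bogon range {net}"
    return "passes default blocks: user rules (e.g. the port forward) are evaluated"


if __name__ == "__main__":
    # 195.160.1.4 is the media client from the thread; the rest are constructed
    for ip in ("195.160.1.4", "192.168.1.4", "127.0.0.1", "fd00::1", "240.1.2.3"):
        print(ip, "->", wan_default_verdict(ip))
```

For the addresses in the thread the private-network rule is not the culprit: 195.160.1.0/24 is not in any of the listed ranges, which matches Steve's observation that it is public space.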
[pfSense] SG-1000 and VPN
We have a client who wants to set up one remote user (in a fixed location) with a hardware VPN connection back to the office. The office has about 5 active PCs at any given time. This would be the only VPN user.

Has anyone used one of the new micro SG-1000 units with a VPN yet? Either as a remote site or as a SOHO router + VPN host? Just wondering how the ARM CPU would stack up. The specs say 200k active (non-VPN) connections...

--
Steve Yates
ITS, Inc.
Re: [pfSense] SG-1000 and VPN
> It currently does 21mbps IPsec (aes-gcm-128), in a lab environment, because
> there is no driver for the crypto core (yet).
> OpenVPN is slightly slower (19 Mbps).

Thanks. That is probably sufficient for most applications since one or both ends is likely limited by Internet upload speed anyway.

--
Steve Yates
ITS, Inc.
Re: [pfSense] SG-1000 and VPN
That's what I'm trying to ask, if the SG-1000 would work for that.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan Rao
Sent: Tuesday, January 24, 2017 11:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] SG-1000 and VPN

Better, you can use a site-to-site VPN; it is the best solution.

On Wed, Jan 25, 2017 at 11:08 AM, WebDawg <webd...@gmail.com> wrote:
> On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates <st...@teamits.com> wrote:
>
>> We have a client who wants to set up one remote user (in a fixed
>> location) with a hardware VPN connection back to the office. The
>> office has about 5 active PCs at any given time. This would be the
>> only VPN user.
>>
>> Has anyone used one of the new micro SG-1000 units with a
>> VPN yet? Either as a remote site or as a SOHO router + VPN host?
>> Just wondering how the ARM CPU would stack up. The specs say 200k
>> active (non-VPN) connections...
>
Re: [pfSense] PFsense 2.3.2-P1 dies
That's interesting, we had a drive that kept dropping out and we couldn't figure out why as all tests passed. We replaced the drive and then found the "Hard disk standby time" setting was set. Turned that off and it's been fine. That setting has been my suspicion... At the time the console would show a stream of errors that pointed to the drive, don't recall them now of course.

--
Steve Yates
ITS, Inc.

-Original Message-

I had an issue at one point with hard disks dropping out because of the idle time set on my Western Digital drives. You say you just upgraded. From what version? I did not see it until v2.
Re: [pfSense] small problem with squid
If I'm following, you're using a public IP:port. Did you set up NAT Reflection? (System/Advanced/Firewall & NAT)

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Berg
Sent: Monday, February 13, 2017 3:45 PM
To: list@lists.pfsense.org
Subject: [pfSense] small problem with squid

Just set up a new pfsense box, my own hardware running the latest release, 2.3.2-RELEASE-p1. So far it's been pretty smooth but I just ran into one glitch I can't quite figure out.

I've got two NAT rules that redirect incoming ports 80xx and 80xy to two different web servers internal to my network. My external IP is resolved using DynDNS and everything works nicely from my iPad when I'm off the local network. But using the same hostname:port when I'm connected to the WiFi I get no response and the squid Real Time page shows a "TCP_DENIED/403" entry for one of the systems, and "TCP_MISS_ABORTED/000" for the other.

Using the local IP when on the WiFi works as expected and I see

13.02.2017 15:43:00 10.x.x.x TCP_MISS/200 http://10.x.x.x/path/to/webpage - 10.x.x.x

I'm fairly new to pfsense and squid so I've probably missed something simple but I'd appreciate a tip or pointer to where to go to fix this issue.
Re: [pfSense] pfsense really slow
I saw something similar once after an upgrade, installing packages, when pfSense's DNS wasn't running. Linux doesn't really do a round-robin or last-known-good DNS search, it just keeps trying the failing ones. I don't recall noticing it on the main screen though.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Robison, Dave
Sent: Friday, September 2, 2016 5:40 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfsense really slow

Figured it out. Had to enter a few hosts into the local DNS resolver, including a CNAME for one of our LDAP authentication servers. The delay was DNS waiting to time out/fail on the local DNS records before pointing off to our other, canonical, internal DNS servers.
Re: [pfSense] nat or routing?
In Status/System Logs/Settings check the "Log packets matched from the default block rules in the ruleset" option and see if the firewall log shows blocked packets. Are the interfaces set to block private networks, since you are using those on all interfaces?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pol Hallen
Sent: Friday, September 9, 2016 10:53 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; mo...@ymkatz.net
Subject: Re: [pfSense] nat or routing?

Hi Moshe, thanks for all your advice about security :-) Very kind!

> All you need to do is create rules on each LAN interface that allow
> incoming traffic from the other LAN.
>
> - Rule on LAN1 interface:
>   - Action: "Pass"
>   - Source: "LAN1 net"
>   - Destination: "LAN2 net"
> - Rule on LAN2 interface:
>   - Action: "Pass"
>   - Source: "LAN2 net"
>   - Destination: "LAN1 net"

Some problem: I can ping lan1 from lan2 (and vice-versa) but traceroute doesn't work and if I try to connect to the local webserver there is no reply.

Any idea to solve the problem?

thanks for help!

Pol
Re: [pfSense] pfSense Aliases / firewall rule with an FQDN and multiple entries
When editing an alias the Hint line shows, "FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used."

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WolfSec-Support
Sent: Friday, October 7, 2016 9:56 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfSense Aliases / firewall rule with an FQDN and multiple entries

Hello,

What does pfSense do with a rule which contains an alias? This alias is an FQDN, which for sure will be resolved by DNS. This A record has multiple entries, e.g. 1.1.1.1 and 2.2.2.2 and 3.3.3.3.

So, is pfSense applying this rule to ALL IPs in this record, or round robin?

Kind regards
Stephan
Re: [pfSense] bind DNS question
It will eventually be stored in the .db but not immediately.

http://serverfault.com/questions/560326/ddns-bind-and-leftover-jnl-files

Before you get worried about the question, read the comment: "...even if the change is only in the jnl file, it should always resolve correctly." Also, "Restarting named will flush updated data from .jnl files back to the zone file."

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Satish Patel
Sent: Thursday, September 22, 2016 1:55 PM
To: m...@fuckaround.org; pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] bind DNS question

Does that mean dynamic updates will be stored in the journal file, right? It won't be visible in the Zone.DB file.

On Thu, Sep 22, 2016 at 2:35 PM, Pol Hallen <pfsens...@fuckaround.org> wrote:
>> Does dynamic DNS stored in .jnl file?
>
> It's a journal file: The journal file is used not only for replaying
> updates not yet committed in the zone file, but also to provide the
> data for incremental zone transfers (IXFR).
>
> Pol
Re: [pfSense] bind domain specific forwarder
I don't know if you need forwarding for this. Can you just add an NS record to the example.com zone for site2.example.com pointing to 10.0.10.1 (well, a hostname that points to that IP)?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Satish Patel
Sent: Thursday, September 22, 2016 2:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] bind domain specific forwarder

I have two offices connected over VPN, and both sites have their own bind running in pfSense. Now site1 clients can resolve their DNS entries, but I want site1/2 both to be able to resolve each other's entries. In short I want to tell DNS: if you see site2.example.com then forward that query to the site2 DNS server.

I have tried a couple of things but they didn't work. I have disabled the DNS resolver / DNS forwarder services. I am only using the bind server; it has "enable DNS Forwarding", but if I do that my bind service didn't start.

site1 ---VPN--- site2

I want something like this in bind but don't know how do I add this?

zone "site2.example.com" IN {
    type forward;
    forwarders { 10.0.10.1; };
};
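Steve's delegation approach written out, as an added example that is not part of the thread. It assumes the site2 bind is authoritative for a site2.example.com zone and that the site1 bind allows recursion for its LAN clients; the names and the 10.0.10.1 address are taken from the post above:

```zone
; Added example: fragment of the example.com zone on the site1 bind server.
; Instead of a "type forward" zone, hand site2.example.com to the site2 server.
$ORIGIN example.com.
; Delegation: anything under site2.example.com is answered by ns1.site2.
site2          IN  NS  ns1.site2.example.com.
; Glue: the delegated name server lives inside the delegated zone,
; so the parent must carry its address (the site2 pfSense, 10.0.10.1).
ns1.site2      IN  A   10.0.10.1
```

With recursion off, site1's named only returns the referral and stub resolvers on the LAN will not follow it. Resolution in the other direction needs a matching delegation on the site2 server.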
Re: [pfSense] Pfsense lan config
If you want the pfSense to be between your laptop and the Internet your laptop would need to be on the LAN side of the pfSense.

Why are you using a public IP range on the LAN side of your router? That will also cause problems. Did you mean to write (or use) 172.16.30.10?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Alfredo Tapia Sabogal
Sent: Sunday, August 28, 2016 8:11 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Pfsense lan config

Hello everyone,

I'm using VirtualBox on my laptop, which is connected directly to my WAN router. When I installed the pfSense I chose my WAN IP address 192.168.0.33 and my LAN 176.16.30.10. The problem is that every time I type 176.16.30.10 in my Internet Explorer I can log in to pfSense but only for 10 seconds because it kicks me off, so I changed my LAN IP address to the same WAN IP range with no problem, and it is not supposed to be like that, or is it because my laptop has only one NIC card? I also configured two NIC cards on my VirtualBox, the first for my WAN as a gateway adapter, the LAN adapter as internal network, and that one doesn't work to configure my pfSense because I can't access it with my LAN IP from my laptop. Should I buy another router, or how should I resolve this issue? Please, I need help, or should I change my laptop IP address?
Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?
A package like pfBlockerNG will maintain such a list for you.

An alternative, maybe, is that one can set up a "firewall URL alias" that pulls its data from a URL. For instance pfBlockerNG sets them up on our router and then refers to them as "https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Africa_v4". So you could keep your list somewhere else on a web server.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of qmail
Sent: Friday, September 30, 2016 10:30 AM
To: list@lists.pfsense.org
Subject: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?

I'd like to blacklist all of mainland China, Russia, Korea, ... I could have done it by creating a DNS with just those entries. I don't see a way to add in BULK a list of bad boys of the internet.
Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?
Basically, but doing it directly would avoid dealing with the package. I guess it's just down to how often the chosen list is updated. And, if it's just via allocation, aren't they done allocating IPv4 blocks...

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
Sent: Friday, September 30, 2016 2:19 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?

On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle <supp...@drdos.info> wrote:
> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>
>> So you could keep your list somewhere else on a web server.
>
> This is what I do.
>
> And I grab the list from
>
> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>
> Once a month
>

Isn't this more or less what pfBlockerNG does for you automatically?
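If you host the list yourself as Steve and Doug describe, it is worth checking what you publish before a URL alias pulls it. The following is an added example, not code from the thread or from pfSense; the sample list is constructed and the private-range check is this example's own policy:

```python
"""Added example (not from the thread): check a self-hosted blocklist
before pointing a pfSense URL Table alias at it.

A URL Table alias expects one address or CIDR per line. This parses a
constructed sample in that style, drops entries that do not parse or
that would block the firewall's own private ranges, and merges
overlapping prefixes so the published table is minimal and auditable.
"""
import ipaddress
import re

# Constructed sample list, deliberately containing the usual mistakes.
SAMPLE_LIST = """\
# comment lines and blank lines are ignored
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21          ; trailing comment
1.0.1.128/25        # overlaps the first entry
5.6.7.8             # bare host becomes a /32

300.1.2.3/24        # invalid, must be skipped
10.0.0.0/8          # private: would blackhole your own LAN
fd00::/8            # IPv6 ULA, private as well
"""

COMMENT = re.compile(r"[#;].*$")


def parse_blocklist(text):
    """Split text into (ipv4_networks, ipv6_networks, rejected_entries)."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        entry = COMMENT.sub("", raw).strip()
        if not entry:
            continue
        try:
            # strict=False lets "1.0.1.1/24" through as 1.0.1.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        # Never publish ranges the firewall itself uses (or loopback /
        # link-local, which are not routable on the Internet anyway).
        if net.is_private or net.is_loopback or net.is_link_local:
            rejected.append(entry)
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, rejected


def aggregate(networks):
    """Merge overlapping and adjacent prefixes into the minimal CIDR set."""
    return list(ipaddress.collapse_addresses(networks))


def render_alias_file(text):
    """Exact file contents to publish for the URL Table alias."""
    v4, v6, _ = parse_blocklist(text)
    lines = [str(n) for n in aggregate(v4) + aggregate(v6)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_alias_file(SAMPLE_LIST), end="")
    for entry in parse_blocklist(SAMPLE_LIST)[2]:
        print("rejected:", entry)
```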
Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available
I'm curious if you removed all packages before upgrading? The instructions recommend that. We usually have done so and not had an issue. The packages we've used have a setting to keep settings, for instance Suricata's "Settings will not be removed during package deinstallation" and pfBlockerNG's "Keep settings."

I have run into an issue at one point where the DNS service on the pfSense wasn't working so DNS requests were failing or timing out, causing lots of issues during downloading. I didn't pay too much attention at the time, since it was solved quickly, but if DNS isn't working that could be an issue. In other words if DNS is running then 127.0.0.1 will always be the first DNS server used.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Friday, October 7, 2016 7:58 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

I found an older post to the list regarding the same issues with a different version; however, this solution worked for me on my test system just fine:

Run from the console (ssh or local console) Option 8 to go to the shell. Then enter the following commands:

pkg clean
pkg update
pkg upgrade
reboot

After that the system came up fine with the new release. I'll try that on some production systems this evening.

Regards
Holger

2016-10-07 14:51 GMT+02:00 Pete Boyd <petes-li...@thegoldenear.org>:
> Same for me, failure first time on a full install:
>
> Fetching pfSense-kernel-pfSense-2.3.2_1.txz: . done
> pkg: https://pkg.pfsense.org/pfSense_v2_3_2_i386-core/All/pfSense-kernel-pfSense-2.3.2_1.txz: Operation timed out
> >>> Locking package pfSense-kernel-pfSense... done.
> Failed
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org
Re: [pfSense] pfsync_undefer_state: unable to find deferred state
I thought I'd post again to see if anyone has an idea of how to fix "pfsync_undefer_state: unable to find deferred state"? I found an August blog post http://phil.lavin.me.uk/2016/08/solved-pfsense-pfsync_undefer_state-unable-to-find-deferred-state/ which says to turn off HA state syncing completely. I haven't gone that far but did check "No pfSync" on the firewall rule per the below, to no avail.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, July 8, 2016 4:30 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsync_undefer_state: unable to find deferred state

I found thread https://forum.pfsense.org/index.php?topic=87541.60 ...and posted there, but it's old and references 2.1.x and 2.2.x versions.

After upgrading from 2.2.6 to 2.3.1_5 we get a long spew of this logged during a Limiter-limited rsync each night (it also shows on the console screen):

Jul 8 02:47:36 kernel defer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred state
Jul 8 02:47:36 kernel _undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_und efer_state: unable to find deferred statepf
Jul 8 02:47:36 kernel ync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_ undefer_state: unable to find deferred stat

It continues while traffic that triggers the limiter rule is in effect and ends immediately upon the traffic's end.

The Limiter setup is only using Firewall\Traffic Shaper\Limiters:

LimitBackupUpLAN    50Mbit/s    Overnight [Mon - Sun / 0:00-6:45]
                    15Mbit/s    Day
LimitBackupUpLAN    50Mbit/s    Overnight
                    15Mbit/s    Day

The limiter is on a rule on the LAN interface, with "In / Out pipe" set. It only matches one IP. Neither checking "No pfSync" nor setting "State type" to None seems to have any effect. I think that's the equivalent of what they mentioned in the [forum.pfsense.org] thread... 'uncheck the flag "State Type" to "NO pfsync".'

I can duplicate this at will...in this case an "rsync --dry-run" is plenty. It doesn't seem to have any effect on traffic since the copy works fine; it appears to just be a logging issue.

--
Steve Yates
ITS, Inc.
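Because the kernel runs these messages together on one syslog line (and the console clips the first copy, as in "defer_state:" above), a line-based grep badly undercounts them and the spew hides any other kernel message logged in the same second. The script below is an added example, not from the thread or from pfSense; its sample lines are constructed in the same run-together shape as the post:

```python
"""Added example (not from the thread): tally and fold the
pfsync_undefer_state spew so that other kernel messages stay readable.

The count is done on the message text rather than on whole lines, so
clipped prefixes ("defer_state:", "ync_undefer_state:") and copies
split across two syslog lines ("...statepf" / "ync_...") still count.
"""
import re
from collections import Counter

MSG = "pfsync_undefer_state: unable to find deferred state"
MARKER = "unable to find deferred"   # survives prefix and suffix clipping

# Constructed sample: three spew lines plus one unrelated kernel message.
SAMPLE_LINES = [
    "Jul 8 02:47:36 kernel defer_state: unable to find deferred state" + MSG,
    "Jul 8 02:47:36 kernel _undefer_state: unable to find deferred state"
    + MSG * 4 + "pfsync_und efer_state: unable to find deferred statepf",
    "Jul 8 02:47:37 kernel ync_undefer_state: unable to find deferred state"
    + MSG * 2,
    "Jul 8 02:47:40 kernel em0: link state changed to UP",
]

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) kernel (.*)$")


def count_undefer(lines):
    """Number of pfsync_undefer_state messages per syslog timestamp."""
    per_ts = Counter()
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        n = m.group(2).count(MARKER)
        if n:
            per_ts[m.group(1)] += n
    return per_ts


def collapse(lines):
    """Rewrite the log with the spew folded into one summary line per
    second; every other line is passed through untouched."""
    per_ts, seen, out = count_undefer(lines), set(), []
    for line in lines:
        m = SYSLOG.match(line)
        if m and MARKER in m.group(2):
            ts = m.group(1)
            if ts not in seen:
                seen.add(ts)
                out.append(f"{ts} kernel {MSG} (x{per_ts[ts]})")
            continue
        out.append(line)
    return out


if __name__ == "__main__":
    # e.g. clog /var/log/system.log | python3 fold_undefer.py on pfSense
    print("\n".join(collapse(SAMPLE_LINES)))
```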
Re: [pfSense] rules cleanup and approval process
Not sure. Router restart?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 11:08 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] rules cleanup and approval process

hoo yeah .. sorry I didn't pay enough attention to that column...

So when do those numbers get reset? How can I manually reset those numbers?

--
 !
 ( o o )
--oOO(_)OOo--
Luc Paulin
email: paulinster(at)gmail.com
Skype: paulinster

2016-10-21 10:35 GMT-04:00 Steve Yates <st...@teamits.com>:
> The Rules page logs traffic for the rule, in bytes, in the
> States column. You can also set allow rules to log traffic but that
> will be a lot of log entries.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc
> Paulin
> Sent: Friday, October 21, 2016 9:27 AM
> To: pfSense Support and Discussion Mailing List
> <list@lists.pfsense.org>
> Subject: [pfSense] rules cleanup and approval process
>
> Hi,
> I am in the final stage to review pfsense and I was wondering if
> there's a way to do the following
>
> 1. Is there a way to enable an approval process? For example, let's say I
> added rule ABC; then in order that the rules can be applied, the change
> must be approved by someone else.
> 2. How can we know which rule is mostly used and which are unused? Is
> there some kind of way to create a report of the top 10 least used rules?
>
> Thanks for your help
>
> -Luc
Re: [pfSense] rules cleanup and approval process
The Rules page logs traffic for the rule, in bytes, in the States column. You can also set allow rules to log traffic but that will be a lot of log entries.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 9:27 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] rules cleanup and approval process

Hi,
I am in the final stage to review pfsense and I was wondering if there's a way to do the following

1. Is there a way to enable an approval process? For example, let's say I added rule ABC; then in order that the rules can be applied, the change must be approved by someone else.
2. How can we know which rule is mostly used and which are unused? Is there some kind of way to create a report of the top 10 least used rules?

Thanks for your help

-Luc
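The counters behind the States column are also printed by pfctl on the shell, which makes the "top 10 least used rules" report scriptable. This is an added example, not code from the thread or from pfSense; the pfctl output it parses is a constructed sample in the layout `pfctl -vsr` prints:

```python
"""Added example (not from the thread): list pfSense rules that have not
matched anything, from `pfctl -vsr` output.

Each rule is followed by "[ Evaluations: N  Packets: N  Bytes: N
States: N ]", and pfSense labels GUI rules "USER_RULE: <description>".
Counters belong to the loaded ruleset, so they restart from zero on every
filter reload (any rule edit triggers one): judge a zero against the time
of the last reload, not the router's uptime.
"""
import re
import sys

# Constructed sample in the layout pfctl -vsr prints on pfSense.
SAMPLE = """\
block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 90417     Packets: 1203      Bytes: 76992       States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
pass in quick on em1 inet from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
  [ Evaluations: 88214     Packets: 5512340   Bytes: 4129885123  States: 37    ]
  [ Inserted: uid 0 pid 12345 State Creations: 9120  ]
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to 10.0.0.5 port = 3389 flags S/SA keep state label "USER_RULE: RDP to old jump host"
  [ Evaluations: 3101      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
pass in quick on em0 inet proto tcp from any to 192.168.1.4 port = 22 flags S/SA keep state label "USER_RULE: SSH from WAN"
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
"""

RULE = re.compile(r'^(?P<rule>\S.*?)(?: label "(?P<label>[^"]*)")?$')
COUNTERS = re.compile(
    r"^\s*\[ Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)")


def parse_pfctl_rules(text):
    """Return one dict per rule: rule text, label and its four counters.
    The "[ Inserted: ... ]" lines carry nothing needed here and are skipped."""
    rules, current = [], None
    for line in text.splitlines():
        m = COUNTERS.match(line)
        if m and current is not None:
            current.update(evaluations=int(m[1]), packets=int(m[2]),
                           bytes=int(m[3]), states=int(m[4]))
            rules.append(current)
            current = None
        elif line and not line.startswith(" "):
            r = RULE.match(line)
            current = {"rule": r["rule"], "label": r["label"] or ""}
    return rules


def least_used(rules, n=10, only_user=True):
    """The n rules with the fewest packets (ties: fewest evaluations)."""
    picked = [r for r in rules
              if not only_user or r["label"].startswith("USER_RULE:")]
    return sorted(picked, key=lambda r: (r["packets"], r["evaluations"]))[:n]


def unused_rules(rules, only_user=True):
    """Rules that have matched no packets at all since the last reload."""
    return [r for r in least_used(rules, len(rules), only_user)
            if r["packets"] == 0]


if __name__ == "__main__":
    # usage: pfctl -vsr > rules.txt && python3 unused_rules.py rules.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for r in least_used(parse_pfctl_rules(text)):
        print(f'{r["packets"]:>10} pkts {r["evaluations"]:>8} evals  '
              f'{r["label"] or r["rule"]}')
```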
Re: [pfSense] pfsense + carp + ha
System/High Availability Sync page shows checkboxes for what to sync.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, November 16, 2016 1:05 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] pfsense + carp + ha

ok. does it also sync all settings like ipsec and openvpn keys?

Eero
Re: [pfSense] pfsense + carp + ha
Any hardware should work fine. They recommend a separate NIC/port for the sync traffic since if syncing states there can be a lot of traffic (if not syncing state there is probably very little). I don't think it needs to be identical hardware, but the rules would need to copy over so it would need the same ports.

One gotcha that caught me...under "System/High Availability Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a "Remote System Username" field. That field is ignored, and "admin" is always used.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, November 15, 2016 2:20 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense + carp + ha

Hi List,

What are the requirements for pfsense ha clustering? does any x86 hardware work with ha? does hardware need to be identical?
Re: [pfSense] pfsense in ha - sync interface rule disapear
Are your rules disappearing on the slave, the master, or both? Brainstorming, do both have the same name for the pfsync interface? Meaning the slave isn't named PFSYNC-SLAVE or something like that?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Thursday, October 13, 2016 9:10 AM
To: list@lists.pfsense.org
Subject: [pfSense] pfsense in ha - sync interface rule disappears

Hi Everyone,

I am new to pfsense and I have to say that I am very impressed to see all the features available out of the box. I am currently testing it to see how well it works and performs for our environment. We would like to replace our HA linux firewall running IPTables/fwbuilder scripts.

Currently trying to set up the HA but having a hard time making it work properly. I am following the wiki guide ( https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) ).

The issue that I have is that the rule I added on both firewalls to allow the SYNC interface to communicate keeps disappearing on the slave firewall once the connection gets established. So XMLRPC did copy rules from master to slave, but the PFSYNC interface rules disappear, and therefore this causes a communication issue afterwards (/rc.filter_synchronize: New alert found: A communications error occurred while attempting XMLRPC sync with username admin https://172.16.199.2:443.)