Re: [pfSense Support] Windows VPN client compatible L2TP/IPsec?

2008-02-06 Thread Matthew Grooms

Gabe Green wrote:
I just wanted to thank you for this.  I looked forever and ever for a 
free IPSEC client for Windows to no avail - and this works like a 
charm.  Awesome.




Gabe,

You're welcome. I'm glad it worked out for you. It still has some rough 
edges but development is progressing steadily. I hope to have full Vista 
support completed for the 2.1.0 release. Next comes signed drivers and 
an integrated stateful firewall targeted for the end of September.


http://www.shrew.net/?page=software

The Windows version tends to get more publicity but there is also an 
open source *nix port available which sports a QT GUI much like its 
Windows counterpart. It has been integrated into the FreeBSD ports 
collection and is available as an Ubuntu Hardy universe package. NetBSD 
is also a supported target but the pkgsrc folks never got back to me 
regarding my submission.


http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/ike/
http://packages.ubuntu.com/hardy/net/ike

There was talk at one point in adding a link to the "Utilities to be 
used with pfSense" page so folks didn't have to hunt around for it. I 
guess it never made it there.


Thanks,

-Matthew

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Windows VPN client compatible L2TP/IPsec?

2008-02-06 Thread Gabe Green
I just wanted to thank you for this.  I looked forever and ever for a 
free IPSEC client for Windows to no avail - and this works like a 
charm.  Awesome.


Gabe

Matthew Grooms wrote:

Gabe Green wrote:

Hey all,

Was wondering if Windows-VPN-client compatible L2TP/IPsec is planned 
for a future release. 

For those with VPN routers at home, we use roadwarrior IPSec and it 
works well, or TheGreenBow, but that costs money.

Thoughts?

Thanks again for pfSense...



Gabe,

Have you looked into this? It doesn't implement L2TP but uses 
standards based IPsec on Windows platforms and is Freeware. 
Unfortunately, pfsense doesn't exploit a wide range of new features ( 
such as user Xauth, auto client configuration, etc ) that are provided 
by both modern ipsec-tools and the client. Hopefully this will change 
in the future.


http://www.shrew.net/?page=software

Here is a post I made that contains some limited configuration 
information which may be useful.


http://www.mail-archive.com/support@pfsense.com/msg09745.html

Thanks,

-Matthew





[pfSense Support] Spanning tree support

2008-02-06 Thread Chris Bagnall
Greetings list,

Does anyone know if pfSense includes support for failover between two LAN 
interfaces?

For example, one can provide high availability using CARP to create a virtual 
router IP failing over between 2 pfSense boxes, but that's not going to solve 
the problem of a switch dying. It'd be useful to be able to connect 2 
interfaces from each box to the LAN (one to each switch), then configure them 
using spanning tree protocol (or one of the derivatives).

If it's not currently included, are there plans to do so, and/or what sort of 
financial incentive would encourage development on that front? :-)

Regards,

Chris
-- 
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons








RE: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Trave Harmon
Mine is on but it still doesn't work.

Is there a way to verify at the command prompt level if it is working?

-Original Message-
From: Dimitri Rodis [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 06, 2008 8:10 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Multiple servers behind NAT'd firewall

Maybe I'm off the mark by saying this, but I think NAT reflection should
be ON by default-- can't think of any security risks associated with it
really, since the machine you are trying to hit is presumably already
behind the same NAT as you are..

That would solve any future issues, anyway..

Dimitri Rodis
Integrita Systems LLC 

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 06, 2008 12:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple servers behind NAT'd firewall

On Feb 6, 2008 3:29 PM, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
>
> you have "internal NAT reflection" turned off?
>
> -Sean

Toggle System -> Advanced -> Disable Reflection

This question is coming up weekly now.  How can we (the developers)
make this situation more clear?

Scott

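Trave asks above whether reflection can be verified from a command prompt. The script below is an added example, not part of this thread and not pfSense's own tooling: it does programmatically what the manual telnet tests in this thread do, connecting to port 25 on the server's internal address and on its public address from inside the LAN, and classifying each result as a greeting received, a connection that opens but never greets (the "sits there, blank" symptom), or no connection at all. The fake local mail servers, the banner text and the addressing in the usage section are constructed so the check can be exercised offline; on a real network you would pass the internal and public addresses of the mail host instead.

```python
# Added example: classify what a TCP connection to port 25 returns, then compare
# the internal and public paths. Not from the thread or from pfSense.

import socket
import threading


def smtp_banner(host, port=25, timeout=5.0):
    """Connect to host:port and wait for the SMTP greeting.

    Returns (state, detail):
      ("banner", text)      a greeting (normally "220 ...") arrived
      ("silent", None)      the connection opened but nothing was sent
      ("unreachable", why)  the connection itself failed or timed out
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                return ("silent", None)
    except socket.timeout:
        return ("unreachable", "connect timed out")
    except OSError as exc:
        return ("unreachable", exc.strerror or str(exc))
    if not data:
        return ("silent", None)
    return ("banner", data.decode("ascii", "replace").strip())


def reflection_verdict(internal, public, timeout=5.0):
    """Probe the (host, port) pair for the internal address and for the public
    address, both from inside the LAN, and summarise the combination.

    Returns one of: "inside-broken", "working", "hairpin-silent",
    "hairpin-unreachable".
    """
    inside = smtp_banner(*internal, timeout=timeout)
    outside = smtp_banner(*public, timeout=timeout)
    if inside[0] != "banner":
        return "inside-broken"        # the server itself is not answering
    if outside[0] == "banner":
        return "working"              # public address reaches the same server
    if outside[0] == "silent":
        return "hairpin-silent"       # connects, but no greeting ever comes
    return "hairpin-unreachable"      # refused or timed out from inside


# --- constructed stand-ins so the probe can be run without a real network ---

def start_fake_smtp(send_banner=True):
    """Listen on an ephemeral localhost port and serve exactly one connection.
    With send_banner=False it accepts and closes without speaking, which is
    what the probe reports as "silent". Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if send_banner:
            conn.sendall(b"220 mail.example.test ESMTP (constructed banner)\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Reserve a localhost port, release it, and hand it back so a connect to
    it is refused. Used to exercise the "unreachable" branch."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Constructed demo: the "internal" server greets, the "public" one opens
    # the connection but never sends a banner.
    internal = ("127.0.0.1", start_fake_smtp(send_banner=True))
    public = ("127.0.0.1", start_fake_smtp(send_banner=False))
    print("internal:", smtp_banner(*internal, timeout=3.0))
    print("public:  ", smtp_banner(*public, timeout=3.0))
    print("verdict: ", reflection_verdict(internal, public, timeout=3.0))
```

The verdict only distinguishes the three outcomes the probe can observe; it does not tell you which pfSense setting is responsible. A "hairpin-silent" or "hairpin-unreachable" result with a healthy internal probe is the point at which to look at the reflection setting and the port-forward rules, and a "working" result after toggling them is the confirmation Trave was after.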



RE: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Dimitri Rodis
Maybe I'm off the mark by saying this, but I think NAT reflection should
be ON by default-- can't think of any security risks associated with it
really, since the machine you are trying to hit is presumably already
behind the same NAT as you are..

That would solve any future issues, anyway..

Dimitri Rodis
Integrita Systems LLC 

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 06, 2008 12:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple servers behind NAT'd firewall

On Feb 6, 2008 3:29 PM, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
>
> you have "internal NAT reflection" turned off?
>
> -Sean

Toggle System -> Advanced -> Disable Reflection

This question is coming up weekly now.  How can we (the developers)
make this situation more clear?

Scott




Re: [pfSense Support] router failover

2008-02-06 Thread Chris Flugstad

Paul M wrote:

Curtis LaMasters wrote:
  

I've been operating in this configuration for 6 months in two locations
without a problem.  The version upgrade went very nicely as well because
I could fail over to the 2nd firewall, do the upgrade and reboot without
taking down the network.  We are running on Dell 1750's w/ 2Gb ram, dual
proc, dual power supplies and 4 NIC's per server (1 wan, 1 lan, 1 sync,
1 future 2nd ISP).  Probably the cheapest and most robust solution on
the market.



 we too  - three sets of paired machine firewall clusters.

except we're using commodity Tyan 1U servers with core2duo motherboards
with 2GB RAM. the motherboards have dual Intel 1000baseT (em0) and a
single Intel 100baseT (fxp), the latter used for sync; some also have
twin-port 1000baseT pcix cards for DMZs. I use vlans for the internal
network into cisco 3560E's (wire speed gig switch).

when they're not fiddled with they "just work".

our only problem has been "split brain" at our colo site, we think
because the separate patching to the ISPs routers is filtering traffic
which is affecting CARP, we don't get this elsewhere.

we also use pfSense as a VPN termination server, core2quad for number
crunching.

so, we're happy. memo to self: look into making another donation.

Paul


  
This is a small office, but still it can't go down.  I'm using soekris 
5501 , 256 Ram 433mhz geode procs.  prolly not the fastest, but small, 
low power, and price is right ;)


I've used slower and had no problems, but am open to questions or concerns.

-chris/topher




Re: [pfSense Support] Windows VPN client compatible L2TP/IPsec?

2008-02-06 Thread Curtis LaMasters
For the client side, you may want to check out
http://m0n0.ch/wall/screencasts.php and look at TheGreenBow IPSEC VPN
client.  I personally would rather use OpenVPN.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


[pfSense Support] RE: [SPAM] - RE: [pfSense Support] Multiple servers behind NAT'd firewall - Email found in subject

2008-02-06 Thread Trave Harmon
On or off, it doesn't work. I tried CARP based IP, ARP based, 1:1, none
of them are working.

When I try to telnet 10.0.3.2 25 from 10.0.3.1 it works without a
problem, but if I telnet 66.77.33.12 25 from 10.0.3.1 on the inside it
just sits there, blank, and when I hit any key it goes to command prompt.

If I telnet 66.77.33.12 25 from outside of the network it presents me
with my mail host and is ready for commands.

you have "internal NAT reflection" turned off?

-Sean



Date: Wed, 6 Feb 2008 15:03:34 -0500
From: [EMAIL PROTECTED]
To: support@pfsense.com
Subject: [pfSense Support] Multiple servers behind NAT'd firewall

I am having a problem:

I have multiple virtual mail servers behind a pfsense firewall. Now on
each server, I have multiple domains. Now sending to the domain from
google or yahoo is perfect and out again is perfect but when I send a
message from one virtual server to another which is hosting the
destination domain, it errors out.

Now when I telnet the public IP that the 1st virtual is assigned, it
just sits there and times out. This is making it impossible to send
messages from domain to domain within the network.

Any ideas?




RE: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Trave Harmon
Doesn't work.




-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 06, 2008 3:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple servers behind NAT'd firewall

On Feb 6, 2008 3:29 PM, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
>
> you have "internal NAT reflection" turned off?
>
> -Sean

Toggle System -> Advanced -> Disable Reflection

This question is coming up weekly now.  How can we (the developers)
make this situation more clear?

Scott




Re: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Scott Ullrich
On Feb 6, 2008 3:29 PM, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
>
> you have "internal NAT reflection" turned off?
>
> -Sean

Toggle System -> Advanced -> Disable Reflection

This question is coming up weekly now.  How can we (the developers)
make this situation more clear?

Scott




[pfSense Support] RE: [SPAM] - Re: [pfSense Support] Multiple servers behind NAT'd firewall - Email found in subject

2008-02-06 Thread Trave Harmon
I would love to do that, but I host nearly 700 domains in about 30
different virtual mail servers.

Yes that way does work but it would require a lot of work to get it to
work that way all the time.


RE: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Sean Cavanaugh
you have "internal NAT reflection" turned off?

-Sean


Date: Wed, 6 Feb 2008 15:03:34 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [pfSense Support] Multiple servers behind NAT'd firewall

I am having a problem:

I have multiple virtual mail servers behind a pfsense firewall. Now on each 
server, I have multiple domains. Now sending to the domain from google or yahoo 
is perfect and out again is perfect but when I send a message from one virtual 
server to another which is hosting the destination domain, it errors out. 

Now when I telnet the public IP that the 1st virtual is assigned, it just sits 
there and times out. This is making it impossible to send messages from domain 
to domain within the network. 

Any ideas?


Re: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Vivek Khera


On Feb 6, 2008, at 3:03 PM, Trave Harmon wrote:

Now when I telnet the public IP that the 1st virtual is assigned, it  
just sits there and times out. This is making it impossible to send  
messages from domain to domain within the network.

configure your servers to bypass the default MX lookup business and  
route the traffic for the given domain directly to the internal IP  
address.  in postfix, this is trivial with a transport map.
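Vivek's suggestion above is a Postfix transport map that routes each hosted domain straight to the internal address of the server that owns it, and Trave's objection earlier in the thread is that keeping such a table correct by hand for about 700 domains across about 30 servers is a lot of work. The script below is an added example, not from the thread and not part of Postfix or pfSense: it generates the transport table from an inventory of server address to hosted domains, refuses to emit a table in which a domain is claimed by two servers, and can read a table back for checking. The inventory and domain names are constructed; the 10.0.3.x addressing follows the thread.

```python
# Added example: generate and parse a Postfix transport(5) table from a
# server -> domains inventory. Not from the thread, Postfix or pfSense.

# Constructed inventory: internal address of each virtual mail server and the
# domains it hosts. Real deployments would load this from wherever the
# virtual servers are provisioned.
INVENTORY = {
    "10.0.3.2": ["example.test", "mail.example.test"],
    "10.0.3.3": ["another.test"],
    "10.0.3.4": ["third.test", "Fourth.Test."],
}


def build_transport_map(inventory, port=25):
    """Return the lines of a Postfix transport table, one per hosted domain.

    Each line is "<domain>\tsmtp:[<ip>]:<port>". The square brackets tell
    Postfix to deliver to that host literally instead of looking up its MX
    record, which is what keeps the hop inside the LAN. Domains are
    normalised (lower case, trailing dot removed) so lookups match what
    Postfix sees in recipient addresses. A domain listed under two servers is
    ambiguous, so a ValueError is raised instead of emitting a table whose
    behaviour depends on line order.
    """
    owner = {}
    for ip, domains in inventory.items():
        for domain in domains:
            name = domain.strip().lower().rstrip(".")
            if not name:
                continue
            if name in owner and owner[name] != ip:
                raise ValueError(
                    f"{name} is listed under both {owner[name]} and {ip}")
            owner[name] = ip
    return [f"{name}\tsmtp:[{ip}]:{port}" for name, ip in sorted(owner.items())]


def parse_transport_map(lines):
    """Inverse of build_transport_map: map domain -> (ip, port).

    Blank lines and '#' comments are skipped so a hand-edited file can be
    read back and compared against the inventory. A next-hop without an
    explicit port is taken to be port 25 (the SMTP default).
    """
    table = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, nexthop = line.split(None, 1)
        _transport, _, dest = nexthop.partition(":")
        if dest.endswith("]"):
            host, port = dest, "25"
        else:
            host, _, port = dest.rpartition(":")
        table[domain] = (host.strip("[]"), int(port))
    return table


def diff_against_inventory(inventory, lines):
    """Return the set of domains whose routing in an existing table does not
    match the inventory, so a stale file can be spotted before postmap runs."""
    expected = parse_transport_map(build_transport_map(inventory))
    actual = parse_transport_map(lines)
    return {d for d in set(expected) | set(actual)
            if expected.get(d) != actual.get(d)}


if __name__ == "__main__":
    for line in build_transport_map(INVENTORY):
        print(line)
```

Writing the output to /etc/postfix/transport, running `postmap /etc/postfix/transport` and setting `transport_maps = hash:/etc/postfix/transport` in main.cf is the standard Postfix way to activate such a table; regenerating the file from the inventory whenever a domain is added is what makes this hold "all the time" without hand edits, and `diff_against_inventory` flags a table that has drifted. This works around the missing hairpin path for mail only; it does not change what the firewall does with connections to the public address.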




[pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Trave Harmon
I am having a problem:

I have multiple virtual mail servers behind a pfsense firewall. Now on
each server, I have multiple domains. Now sending to the domain from
google or yahoo is perfect and out again is perfect but when I send a
message from one virtual server to another which is hosting the
destination domain, it errors out.

Now when I telnet the public IP that the 1st virtual is assigned, it
just sits there and times out. This is making it impossible to send
messages from domain to domain within the network.

Any ideas?



[pfSense Support] Windows VPN client compatible L2TP/IPsec?

2008-02-06 Thread Gabe Green

Hey all,

Was wondering if Windows-VPN-client compatible L2TP/IPsec is planned for 
a future release.  Right now, for simplicity's sake, we use PPTP for our 
remote users (with strong passwords), but it would be nice to have this 
as well.


For those with VPN routers at home, we use roadwarrior IPSec and it 
works well, but everyone has the Windows client.


Thoughts?

Thanks again for pfSense...

Gabe




Re: [pfSense Support] router failover

2008-02-06 Thread Paul M
Curtis LaMasters wrote:
> I've been operating in this configuration for 6 months in two locations
> without a problem.  The version upgrade went very nicely as well because
> I could fail over to the 2nd firewall, do the upgrade and reboot without
> taking down the network.  We are running on Dell 1750's w/ 2Gb ram, dual
> proc, dual power supplies and 4 NIC's per server (1 wan, 1 lan, 1 sync,
> 1 future 2nd ISP).  Probably the cheapest and most robust solution on
> the market.

 we too  - three sets of paired machine firewall clusters.

except we're using commodity Tyan 1U servers with core2duo motherboards
with 2GB RAM. the motherboards have dual Intel 1000baseT (em0) and a
single Intel 100baseT (fxp), the latter used for sync; some also have
twin-port 1000baseT pcix cards for DMZs. I use vlans for the internal
network into cisco 3560E's (wire speed gig switch).

when they're not fiddled with they "just work".

our only problem has been "split brain" at our colo site, we think
because the separate patching to the ISPs routers is filtering traffic
which is affecting CARP, we don't get this elsewhere.

we also use pfSense as a VPN termination server, core2quad for number
crunching.

so, we're happy. memo to self: look into making another donation.

Paul
