Re: [pfSense Support] FreeRADIUS Package
On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:

Where would I go if I wanted to grab the source of the FreeRADIUS package and potentially add some features?

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/

I am looking to add some support for additional parameters to return to radius clients—for example, I am setting up a network for a couple of office buildings, and they purchased two HP 3500yl switches. I would like to be able to provision tenants for NATted internet access, or provision them for direct internet access based on the mac based authentication scheme that the hp switches have. It is possible to dynamically assign clients to a particular VLAN on those switches via a radius server based on the response from the radius server—so, since we are already using pfSense out there, I figure that maybe I can look into adding support for some of these additional radius user/client options in the FreeRADIUS package and contribute them back.

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.inc
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiusclients.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiussettings.xml

Looking forward to seeing your updates,
Scott

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] FreeRADIUS Package
Where would I go if I wanted to grab the source of the FreeRADIUS package and potentially add some features?

I am looking to add some support for additional parameters to return to radius clients-for example, I am setting up a network for a couple of office buildings, and they purchased two HP 3500yl switches. I would like to be able to provision tenants for NATted internet access, or provision them for direct internet access based on the mac based authentication scheme that the hp switches have. It is possible to dynamically assign clients to a particular VLAN on those switches via a radius server based on the response from the radius server-so, since we are already using pfSense out there, I figure that maybe I can look into adding support for some of these additional radius user/client options in the FreeRADIUS package and contribute them back.

Bill, I think you are the maintainer of that package?

Dimitri Rodis
Integrita Systems LLC
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
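An added example, not part of the original post and not code from the pfSense FreeRADIUS package: a sketch of the reply attributes a RADIUS server returns to place a MAC-authenticated client in a VLAN, assuming the switch honours the standard RFC 3580 tunnel attributes. The MAC addresses, VLAN IDs and function names are constructed for illustration.

```python
import struct

# Attribute and value codes from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

# Constructed policy table (hypothetical MACs and VLAN IDs).
MAC_TO_VLAN = {
    "001122334455": 10,   # tenant on the NATted VLAN
    "00aabbccddee": 20,   # tenant on the direct-access VLAN
}

def normalize_mac(mac):
    """Reduce common MAC notations to 12 lowercase hex digits, or raise."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits

def tagged_int_attr(attr_type, value, tag=0):
    """Type, length 6, one tag octet (0 = unused), 3-octet big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def vlan_reply_attrs(mac):
    """Encoded reply attributes for a known MAC; None means send a reject."""
    vlan = MAC_TO_VLAN.get(normalize_mac(mac))
    if vlan is None:
        return None                       # unknown device: fail closed
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range: %d" % vlan)
    group = str(vlan).encode("ascii")     # untagged string form of the ID
    return (tagged_int_attr(TUNNEL_TYPE, TT_VLAN)
            + tagged_int_attr(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group))
            + group)

def decode_attrs(blob):
    """Walk the type-length-value list, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "00-AA-BB-CC-DD-EE", "de:ad:be:ef:00:01"):
        attrs = vlan_reply_attrs(mac)
        print(mac, decode_attrs(attrs) if attrs else "reject")
```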
RE: [pfSense Support] FreeRADIUS Package
Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, February 11, 2008 2:38 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:

Where would I go if I wanted to grab the source of the FreeRADIUS package and potentially add some features?

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/

I am looking to add some support for additional parameters to return to radius clients-for example, I am setting up a network for a couple of office buildings, and they purchased two HP 3500yl switches. I would like to be able to provision tenants for NATted internet access, or provision them for direct internet access based on the mac based authentication scheme that the hp switches have. It is possible to dynamically assign clients to a particular VLAN on those switches via a radius server based on the response from the radius server-so, since we are already using pfSense out there, I figure that maybe I can look into adding support for some of these additional radius user/client options in the FreeRADIUS package and contribute them back.

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.inc
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiusclients.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiussettings.xml

Looking forward to seeing your updates,
Scott
Re: SV: [pfSense Support] I need a friend in the USA or Canada...
On Feb 11, 2008 9:25 AM, Holger Goetz [EMAIL PROTECTED] wrote:

Hi Anders, This is no recommendation, just a FYI, but: Did you come across this website: http://www.myus.com/ - I never tried, but it might be a way. I know there are US based mail order companies willing to ship to such an address.

Hmmm...time to figure out what addresses they give out so I can blacklist them in any future ebay auctions. Apologies in advance to all the people _legitimately_ using such companies.

--Bill
RE: [pfSense Support] FreeRADIUS Package
The FreeRadius log seems to be located at /var/log/radius.log. According to the current package, there is no logging set up in the package, so you basically have to ssh into pfSense to look at the log. What's involved in web enabling the FreeRADIUS log? (looked in the forums, didn't find much.) Does it take something more than just adding a reference to the location of the log in the .xml file somewhere?

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]
Sent: Monday, February 11, 2008 4:29 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

Yep, got it figured out. I just ssh'd into the pfSense install and ftp'd the files out, made the changes, and ftp'd them back into /usr/local/pkg... I just made what I think are the appropriate mods to the files, just need to test them with the switches and make sure everything works as expected. Once they do, I'll send them up. Thanks--

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED]
Sent: Monday, February 11, 2008 3:52 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] FreeRADIUS Package

Or just replace the changed files in your pfsense-install (using putty or WinSCP when using windows) The files are mostly placed under /usr/local/xxx (have a look there) Try your changes and fix all errors... then send your patches using diff-rub to [EMAIL PROTECTED] :-)

Martin

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 February 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:

Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott
Re: SV: [pfSense Support] I need a friend in the USA or Canada...
Hi Anders, This is no recommendation, just a FYI, but: Did you come across this website: http://www.myus.com/ - I never tried, but it might be a way. I know there are US based mail order companies willing to ship to such an address.

Holger

On Sun, 2008-02-10 at 10:18 +0100, Anders Dahl wrote:

Thanks RB Holger Bauer But neither mini-box.com or linitx.com is offering exactly these items. Fortunately a Danish guy living in San Francisco, has contacted me, and is willing to help.

Anders

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: 10 February 2008 01:28
To: support@pfsense.com
Subject: RE: [pfSense Support] I need a friend in the USA or Canada...

Also have a look at http://linitx.com/index.php . Linitx is also a recommended vendor and supporter of the pfSense project.

Holger

-Original Message-
From: RB [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 09, 2008 10:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] I need a friend in the USA or Canada...

Have you considered mini-box.com directly? They're the manufacturer of that PSU, but will also sell directly to the public. Looks like they ship internationally, but no specific mention of where or what the rates are, only that they are higher.

RB
Re: [pfSense Support] BGP status
Royce Mitchell III wrote:

Adam Armstrong wrote:

Carp is unnecessary when using BGP, as the provider sees routes into your network via the individual devices and both devices see routes out. You wouldn't want to run BGP from a CARP IP anyways, as it would result in BGP flapping when the CARP switched. adam.

Okay, please forgive my ignorance, but if you have two redundant routers servicing your BGP, how will they decide who is going to handle a packet without some sort of CARP/VRRP communication between them?

There are a number of mechanisms for doing this, generally you'll set the localpref high for prefixes coming from the peer you want to use, and set the MED low for prefixes being announced to that peer, that way your peer will send traffic to you on the correct link (lowest MED wins) and you'll send traffic out on the correct link (highest localpref wins).

However, if you're doing BGP solely to get redundant connectivity to the same ISP you should look again at CARP and ask what your ISP can do by way of HSRP/VRRP to present a single IP to you from two of their devices. VRRP/CARP/HSRP is generally a far better solution for that due to the slowness of BGP convergence.

adam.
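An added example, not part of the thread: a simplified model of the two selection rules described in the message above (highest localpref wins outbound, lowest MED wins inbound) for two redundant routers, including a link failure and the case where MED is skipped because the paths come from different neighbouring ASes. Router names, AS numbers and the `always_compare_med` parameter are hypothetical, and the remaining BGP tie-breakers are reduced to a name comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    router: str        # which of the two redundant routers carries the path
    neighbor_as: int   # AS the path was learned from
    localpref: int     # set by the receiver; highest wins
    med: int           # set by the announcer; lowest wins
    up: bool = True    # False once the BGP session on that link is down

def best_path(paths, always_compare_med=False):
    """Highest localpref, then lowest MED, then router name as a stand-in
    for the remaining tie-breakers (AS-path length, origin, router ID...)."""
    live = [p for p in paths if p.up]
    if not live:
        return None
    top = max(p.localpref for p in live)
    cands = [p for p in live if p.localpref == top]
    # By default MED is only compared between paths from the same
    # neighbouring AS; across different ASes it is skipped.
    same_as = len({p.neighbor_as for p in cands}) == 1
    if same_as or always_compare_med:
        low = min(p.med for p in cands)
        cands = [p for p in cands if p.med == low]
    return min(cands, key=lambda p: p.router)

def scenarios():
    """Constructed cases; 64512-64514 are private-use AS numbers."""
    outbound = [Path("rtr1", 64513, 200, 0), Path("rtr2", 64513, 100, 0)]
    inbound = [Path("rtr1", 64512, 100, 10), Path("rtr2", 64512, 100, 50)]
    link_down = [Path("rtr1", 64513, 200, 0, up=False), outbound[1]]
    two_isps = [Path("rtr1", 64513, 100, 50), Path("rtr2", 64514, 100, 10)]
    return {
        "outbound": best_path(outbound).router,
        "inbound": best_path(inbound).router,
        "link_down": best_path(link_down).router,
        "two_isps_default": best_path(two_isps).router,
        "two_isps_compare_med": best_path(two_isps, True).router,
    }

if __name__ == "__main__":
    for name, router in scenarios().items():
        print(name, "->", router)
```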
Re: [pfSense Support] FreeRADIUS Package
On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:

Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott
Re: [pfSense Support] BGP status
Adam Armstrong wrote:

Carp is unnecessary when using BGP, as the provider sees routes into your network via the individual devices and both devices see routes out. You wouldn't want to run BGP from a CARP IP anyways, as it would result in BGP flapping when the CARP switched. adam.

Okay, please forgive my ignorance, but if you have two redundant routers servicing your BGP, how will they decide who is going to handle a packet without some sort of CARP/VRRP communication between them?
Re: [pfSense Support] BGP status
Paul M wrote:

Royce Mitchell III wrote:

Is the BGP package for pfsense available, yet? Also, does it play nice with CARP, or is CARP even necessary when you have BGP?

I think CARP is a very different thing - BGP is a way of having multiple circuits to different ISPs to get resilience internet connectivity. CARP is a way of having two devices share an IP. Or am I missing some clever use of BGP and CARP?

Carp is unnecessary when using BGP, as the provider sees routes into your network via the individual devices and both devices see routes out. You wouldn't want to run BGP from a CARP IP anyways, as it would result in BGP flapping when the CARP switched.

adam.
[pfSense Support] Allow UDP scan of pfSense LAN from remote IPSEC tunnels?
I believe that is my PCAnywhere problem; I haven't allowed remote VPN tunnels to UDP scan the LAN for listening PCAW hosts. Any insight here? I am missing something trivial here. Thanks guys, Gabe
[pfSense Support] 1.2RC5 or release
Hi, given the number of minor bug fixes, we will be seeing a 1.2RC5 variant sometime, or is the next step a full release? thanks Paul
Re: [pfSense Support] BGP status
Royce Mitchell III wrote: Is the BGP package for pfsense available, yet? Also, does it play nice with CARP, or is CARP even necessary when you have BGP? I think CARP is a very different thing - BGP is a way of having multiple circuits to different ISPs to get resilience internet connectivity. CARP is a way of having two devices share an IP. Or am I missing some clever use of BGP and CARP?
RE: [pfSense Support] FreeRADIUS Package
Yep, got it figured out. I just ssh'd into the pfSense install and ftp'd the files out, made the changes, and ftp'd them back into /usr/local/pkg... I just made what I think are the appropriate mods to the files, just need to test them with the switches and make sure everything works as expected. Once they do, I'll send them up. Thanks--

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED]
Sent: Monday, February 11, 2008 3:52 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] FreeRADIUS Package

Or just replace the changed files in your pfsense-install (using putty or WinSCP when using windows) The files are mostly placed under /usr/local/xxx (have a look there) Try your changes and fix all errors... then send your patches using diff-rub to [EMAIL PROTECTED] :-)

Martin

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 February 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:

Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott
Re: [pfSense Support] BGP status
Adam Armstrong wrote:

Royce Mitchell III wrote:

Okay, please forgive my ignorance, but if you have two redundant routers servicing your BGP, how will they decide who is going to handle a packet without some sort of CARP/VRRP communication between them?

There are a number of mechanisms for doing this, generally you'll set the localpref high for prefixes coming from the peer you want to use, and set the MED low for prefixes being announced to that peer, that way your peer will send traffic to you on the correct link (lowest MED wins) and you'll send traffic out on the correct link (highest localpref wins).

However, if you're doing BGP solely to get redundant connectivity to the same ISP you should look again at CARP and ask what your ISP can do by way of HSRP/VRRP to present a single IP to you from two of their devices. VRRP/CARP/HSRP is generally a far better solution for that due to the slowness of BGP convergence.

adam.

This client has two ISP's, and wants to setup BGP so he can reroute a /24, but he wants redundant routers to service the BGP so that if one goes down he still has both ISPs. So, both routers will respond to both legs of the BGP route.
AW: [pfSense Support] FreeRADIUS Package
Or just replace the changed files in your pfsense-install (using putty or WinSCP when using windows) The files are mostly placed under /usr/local/xxx (have a look there) Try your changes and fix all errors... then send your patches using diff-rub to [EMAIL PROTECTED] :-)

Martin

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 February 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:

Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott
[pfSense Support] carp status page wish
Hi, would it be possible to have the carp status page also show the carp description field, as at the moment it's not very informative. AtDhVaAnNkCsE Paul
Re: [pfSense Support] BGP status
On Feb 11, 2008 8:12 AM, Royce Mitchell III [EMAIL PROTECTED] wrote:

Okay, please forgive my ignorance, but if you have two redundant routers servicing your BGP, how will they decide who is going to handle a packet without some sort of CARP/VRRP communication between them?

OpenBSD does play well with CARP + BGP but since we do not have CARPDEV yet, we will not have these features. Stuff like[1]:

-c Force bgpd to do carp(4) demotion at startup when the demote functionality is used. Normally, bgpd will only do demotion at startup when the demotion counter for the group in question is already greater than 0. bgpd will start handling demotion after all sessions with demotion configured for the given group have been successfully established. At system startup, rc(8) has the demotion counter for the group carp increased until after bgpd is started, so this option should not be used in rc.conf(8).

Will hopefully be available some time in the future. A patch is being tested on 7.X right now.

Scott

[1] http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html