[pfSense Support] Stateful shaping

2009-03-06 Thread Daniel Lloyd
Is it possible to do shaping based on connection properties, such as shaping
based on bytes transferred?  I am looking to drop http based file transfers
below normal web browsing, but am thinking this lies a little outside the
current state of the shaper.  If this already exists, or is planned to be
included in the future, I would love to hear about it.  Thanks
-Dan Lloyd


Re: [pfSense Support] Logging IGMP recognized as ESP

2009-03-06 Thread Chris Buechler
On Tue, Mar 3, 2009 at 5:17 AM, Simon Gerber wrote:
> Why are IGMP Packets recognized as ESP (Encapsulated Security Payload)
> in GUI?
>

Looks like a log decoding bug. I opened a ticket to see if I can
verify at some point.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] VPN into a network allowing access to two subnets?

2009-03-06 Thread Tim Nelson
Use OpenVPN and push some routes out to your users. 

Tim Nelson 
Systems/Network Support 
Rockbochs Inc. 
(218)727-4332 x105 

- "Chuck Mariotti" wrote:
> I have a similar situation it sounds like to Paul.
>
> Specifically, I would like to set up pfSense to allow access to a 10.10.10.1
> network to access other computers there. But I also need to allow the VPN users
> access to another subnet that hosts the telephone system (10.10.200.1).
>
> How can this be done? If so, how does one do this?
>
> Chuck
>
> From: Borowicz, Paul [mailto:pborow...@behaviorcorp.org]
> Sent: Friday, March 06, 2009 11:23 AM
> To: support@pfsense.com
> Subject: [pfSense Support] VPN routing
>
> I'm in the process of transitioning the subnet of my datacenter, I only have a
> dozen or so servers. Everything is currently on a nonstandard subnet
> (192.0.1.0/24) due to a previous network admin.
>
> I want to move everything to 10.97.0.0/24, but I have a lot of VPN's that
> terminate into the datacenter on my pfsense firewall. I know you can't route
> VPN's, if I use a second interface on my pfsense box can I bridge those two
> subnets? Can someone give me a quick example?
>
> If that's not possible, should I just create a second VPN for each site that
> points to the other subnet? Since both subnets will have a port on the pfsense
> box I should be able to point an ipsec VPN at either one, right?
>
> thanks,
>
> Paul F. Borowicz
> Network Administrator
> Behavior Corp
> (317) 587-0521
> pborow...@behaviorcorp.org




Re: [pfSense Support] VPN routing

2009-03-06 Thread Chris Buechler
On Fri, Mar 6, 2009 at 11:23 AM, Borowicz, Paul wrote:
> I'm in the process of transitioning the subnet of my datacenter, I only have
> a dozen or so servers.  Everything is currently on a nonstandard subnet
> (192.0.1.0/24) due to a previous network admin.
>
> I want to move everything to 10.97.0.0/24, but I have a lot of VPN's that
> terminate into the datacenter on my pfsense firewall.  I know you can't
> route VPN's, if I use a second interface on my pfsense box can I bridge
> those two subnets?
>

That's not how I would suggest approaching it. You can set up parallel
IPsec tunnels to use both subnets over VPN simultaneously, then when
you're finished migrating to the other subnet, remove the VPN for the
old subnet.

I suggest putting each subnet on a dedicated interface, though it's
possible to put them both on the same interface if you must.
http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf




[pfSense Support] VPN into a network allowing access to two subnets?

2009-03-06 Thread Chuck Mariotti
I have a similar situation it sounds like to Paul.

Specifically, I would like to set up pfSense to allow access to a 10.10.10.1 
network to access other computers there. But I also need to allow the VPN users 
access to another subnet that hosts the telephone system (10.10.200.1).

How can this be done? If so, how does one do this?

Chuck

From: Borowicz, Paul [mailto:pborow...@behaviorcorp.org]
Sent: Friday, March 06, 2009 11:23 AM
To: support@pfsense.com
Subject: [pfSense Support] VPN routing

I'm in the process of transitioning the subnet of my datacenter, I only have a 
dozen or so servers.  Everything is currently on a nonstandard subnet 
(192.0.1.0/24) due to a previous network admin.

I want to move everything to 10.97.0.0/24, but I have a lot of VPN's that 
terminate into the datacenter on my pfsense firewall.  I know you can't route 
VPN's, if I use a second interface on my pfsense box can I bridge those two 
subnets?  Can someone give me a quick example?

If that's not possible, should I just create a second VPN for each site that 
points to the other subnet?  Since both subnets will have a port on the pfsense 
box I should be able to point an ipsec VPN at either one, right?

thanks,

Paul F. Borowicz
Network Administrator
Behavior Corp
(317) 587-0521
pborow...@behaviorcorp.org



Re: [pfSense Support] LCDProc Package on Embedded

2009-03-06 Thread Scott Ullrich
On Fri, Mar 6, 2009 at 3:17 PM, Jeppe Øland wrote:
> Actually, LCDProc would be a pretty cool feature to have as standard in the
> embedded version of pfSense.
> If there are problems with the embedded boxes, it's virtually impossible to
> figure out what's going on.
> The LCD could display LAN/WAN IP addresses as well as temperature/load and
> so on.

LCD displays and FreeBSD are a royal mess.   99% of the LCD displays
that we have come across require custom kernel changes.   As long as
this package is in such bad shape there is no possible chance we will
add this to the base system until the problems are resolved in the
FreeBSD kernel (not having to patch for every device we encounter).

Scott




Re: [pfSense Support] LCDProc Package on Embedded

2009-03-06 Thread Jeppe Øland
Actually, LCDProc would be a pretty cool feature to have as standard in the
embedded version of pfSense. If there are problems with the embedded boxes,
it's virtually impossible to figure out what's going on.
The LCD could display LAN/WAN IP addresses as well as temperature/load and
so on.

Regards,
-Jeppe

On Fri, Mar 6, 2009 at 11:51 AM, Dimitri Rodis <
dimit...@integritasystems.com> wrote:

>  Just installed 1.2-RELEASE embedded on an old FireBox x500. I read in the
> forums that someone wrote an LCDProc package for this. Of course, you can't
> do packages on the embedded platform. I found this link in the forums
> http://forum.pfsense.org/index.php/topic,12995.0.html which tells you how
> to make pfsense think it's a full install, but my question is this: does
> anyone know if the LCDProc package really needs rw access once it's
> installed?
>
>
>
> In other words, can I reverse this safely after LCDProc installed? Or
> should I just leave it rw?
>
> echo "/dev/ufs/pfSense / ufs rw 1 1" > /etc/fstab; echo "/dev/ufs/pfSenseCfg /cf ufs rw 1 1" >> /etc/fstab
>
>
>
> Dimitri Rodis
>
> Integrita Systems LLC
>
> http://www.integritasystems.com
>


[pfSense Support] LCDProc Package on Embedded

2009-03-06 Thread Dimitri Rodis
Just installed 1.2-RELEASE embedded on an old FireBox x500. I read in the
forums that someone wrote an LCDProc package for this. Of course, you can't
do packages on the embedded platform. I found this link in the forums
http://forum.pfsense.org/index.php/topic,12995.0.html which tells you how to
make pfsense think it's a full install, but my question is this: does anyone
know if the LCDProc package really needs rw access once it's installed?

 

In other words, can I reverse this safely after LCDProc installed? Or should
I just leave it rw?

echo "/dev/ufs/pfSense / ufs rw 1 1" > /etc/fstab; echo "/dev/ufs/pfSenseCfg /cf ufs rw 1 1" >> /etc/fstab

 

Dimitri Rodis

Integrita Systems LLC 

http://www.integritasystems.com





[pfSense Support] VPN routing

2009-03-06 Thread Borowicz, Paul
I'm in the process of transitioning the subnet of my datacenter, I only
have a dozen or so servers.  Everything is currently on a nonstandard
subnet (192.0.1.0/24) due to a previous network admin.
 
I want to move everything to 10.97.0.0/24, but I have a lot of VPN's that
terminate into the datacenter on my pfsense firewall.  I know you can't
route VPN's, if I use a second interface on my pfsense box can I bridge
those two subnets?  Can someone give me a quick example?
 
If that's not possible, should I just create a second VPN for each site
that points to the other subnet?  Since both subnets will have a port on
the pfsense box I should be able to point an ipsec VPN at either one,
right?
 
thanks,
 
Paul F. Borowicz
Network Administrator
Behavior Corp
(317) 587-0521
pborow...@behaviorcorp.org
 


[pfSense Support] Errors in lighttpd.error.log

2009-03-06 Thread Atkins, Dwane P
We have been having to accomplish numerous reboots on a pfsense device
and we are trying to understand why.

 

I am looking at the lighttpd.error.log now and have discovered errors
that I am not sure where they are coming from.

 

(connections.c.290) SSL: 1 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

(connections.c.606) connection closed: write failed on fd 11

(connections.c.262) SSL: -1 5 54 Connection reset by peer

(mod_fastcgi.c.1768) connect failed: Connection refused on unix:/tmp/php-fastcgi.socket-0
(mod_fastcgi.c.2956) backend died; we'll disable it for 5 seconds and send the request to another backend instead: reconnects: 0 load: 193
(mod_fastcgi.c.3568) all handlers for  /index.php on .php are down.
(mod_fastcgi.c.2769) fcgi-server re-enabled: unix:/tmp/php-fastcgi.socket-0

(request.c.1153) request-size too long: 2147479552 -> 413

 

I am looking through the forum now but we would like to see if we can
take steps to prevent these errors from happening.  We get these errors
on both release 1.2.3 and 1.2.1 RC2.  

 

Thanks for your help

 

Dwane
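
Added example (not part of the original message, and not pfSense or lighttpd code): a small Python triage of the lighttpd error lines quoted in the message above, sorting them into rough categories and counting how often the PHP FastCGI backend went down and was re-enabled. The category names and patterns are assumptions of this example; error 1407609C "http request" is what OpenSSL reports when a plain-HTTP request arrives on a TLS port.

```python
import re
from collections import Counter

# Log lines from the message above, with mail-wrapped lines rejoined.
SAMPLE = """\
(connections.c.290) SSL: 1 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
(connections.c.606) connection closed: write failed on fd 11
(connections.c.262) SSL: -1 5 54 Connection reset by peer
(mod_fastcgi.c.1768) connect failed: Connection refused on unix:/tmp/php-fastcgi.socket-0
(mod_fastcgi.c.2956) backend died; we'll disable it for 5 seconds and send the request to another backend instead: reconnects: 0 load: 193
(mod_fastcgi.c.3568) all handlers for  /index.php on .php are down.
(mod_fastcgi.c.2769) fcgi-server re-enabled: unix:/tmp/php-fastcgi.socket-0
(request.c.1153) request-size too long: 2147479552 -> 413
"""

# "(file.c.LINE) message"; search() tolerates a timestamp prefix if one is present.
ENTRY = re.compile(r"\((?P<src>[\w.]+)\.(?P<line>\d+)\)\s+(?P<msg>.*)")

# Category names and patterns are this example's own reading of the messages.
RULES = [
    ("plain-http-on-https-port", re.compile(r"SSL23_GET_CLIENT_HELLO:http request")),
    ("connection-dropped", re.compile(r"Connection reset by peer|write failed on fd")),
    ("php-backend-down", re.compile(r"Connection refused on unix:|backend died|all handlers for .* are down")),
    ("php-backend-recovered", re.compile(r"fcgi-server re-enabled")),
    ("oversized-request", re.compile(r"request-size too long: \d+ -> 413")),
]

def classify(text):
    """Return (source_file, category, message) for every recognisable entry."""
    found = (ENTRY.search(raw) for raw in text.splitlines())
    return [(m["src"], next((n for n, rx in RULES if rx.search(m["msg"])), "other"), m["msg"])
            for m in found if m]

def summarize(text):
    """Count entries per category."""
    return Counter(cat for _src, cat, _msg in classify(text))

def backend_outages(text):
    """Count episodes where the FastCGI backend went down and was re-enabled."""
    episodes, down = 0, False
    for _src, cat, _msg in classify(text):
        if cat == "php-backend-down":
            down = True
        elif cat == "php-backend-recovered" and down:
            episodes, down = episodes + 1, False
    return episodes

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)), "outage episodes:", backend_outages(SAMPLE))
```

Run against the full lighttpd.error.log, the per-category counts separate client-side noise from the backend failures.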