Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
I have done a little experimenting with this over the past few hours (while dodging IT requests, I am sure most of you are familiar). I set up a VLAN interface that is off of the LAN interface to put the email server in a DMZ. I then created a rule that will look for my workstation as a source IP and the source PORT of 25 and forward them to the new VLAN subnet/machine on port 25.

Admittedly, I am a little confused by this, as I had always thought that the source PORT range would most likely not be the port I was trying to match, as most programs generate a higher port on the client side and then establish a connection to the server. Am I wrong?

What more information can I provide that would help me understand what is going on, and/or fix this issue?

-Joel Robison

On Mon, Feb 9, 2009 at 3:11 PM, Chris Buechler wrote:
> On Mon, Feb 9, 2009 at 5:43 PM, Tim Nelson wrote:
> > - "Bill Marquette" wrote:
> >>
> >> The MTA needs to not be on the same network as you are redirecting.
> >> i.e. You can't send LAN traffic back to LAN, it MUST go to a different
> >> interface (say a DMZ). There are ways around the issue Tim describes,
> >> but it's not really pertinent to your issue at the moment anyway.
> >> Bottom line, you can't port forward to an address on the same network
> >> as the traffic is sourced from.
> >
> > Care to share the ways around the issue? :-)
> >
>
> Specifying source IP/net in port forward rules, which isn't possible
> in pfSense 1.2 nor 2.0 at this time. It's on the feature request list
> already.
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
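As an added example (not from the thread, nor from pfSense), here are the two situations Bill describes written as pf rules with a syntax check: the redirect matches on the destination port 25 rather than the source port Joel's rule used, and the same-segment case shows the reflection-style NAT from the OpenBSD pf FAQ that forces the MTA's replies back through the firewall. Interface names, subnets and the DMZ address are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): pf rules for redirecting
# LAN clients' outbound SMTP to an internal MTA. Every name and address
# below is assumed for illustration.
LAN_IF="${LAN_IF:-em0}"              # assumed LAN interface
LAN_NET="${LAN_NET:-10.10.1.0/24}"   # assumed LAN subnet
DMZ_MTA="${DMZ_MTA:-10.10.2.25}"     # assumed MTA address on the separate DMZ VLAN
LAN_MTA="${LAN_MTA:-10.10.1.151}"    # the LAN-resident MTA address from the thread

# Case 1: MTA on another interface (the DMZ VLAN). A plain redirect is enough
# because the MTA's replies have to cross the firewall to reach the client.
# The match is on the DESTINATION port 25; the client's source port is
# ephemeral and is not something a redirect should key on.
dmz_rules() {
  cat <<EOF
rdr on $LAN_IF proto tcp from $LAN_NET to any port 25 -> $DMZ_MTA port 25
pass in quick on $LAN_IF proto tcp from $LAN_NET to $DMZ_MTA port 25 keep state
EOF
}

# Case 2: MTA on the same segment as the clients. With only the rdr, the MTA
# answers the client directly (same subnet, firewall not in the return path);
# the client gets a reply from an address it never sent to and the session
# fails. Translating the source to the firewall's own LAN address (the pf
# FAQ "reflection" pattern) forces the reply back through pf. The cost: the
# MTA logs the firewall, not the client, as the sender, which is a real loss
# for a DLP deployment and a reason to prefer the DMZ layout.
same_segment_rules() {
  cat <<EOF
rdr on $LAN_IF proto tcp from $LAN_NET to any port 25 -> $LAN_MTA port 25
no nat on $LAN_IF proto tcp from $LAN_IF to $LAN_NET
nat on $LAN_IF proto tcp from $LAN_NET to $LAN_MTA port 25 -> ($LAN_IF)
pass in quick on $LAN_IF proto tcp from $LAN_NET to $LAN_MTA port 25 keep state
EOF
}

# Parse-check a ruleset from stdin with pfctl when it exists (pf hosts only);
# elsewhere drain stdin, say so, and return 0 so the script stays runnable.
syntax_check() {
  if ! command -v pfctl >/dev/null 2>&1; then
    cat >/dev/null
    echo "pfctl not found; skipping syntax check" >&2
    return 0
  fi
  pfctl -nf -
}

# Number of rules on stdin that match on a client SOURCE port, which is the
# mistake the thread discusses; a correct redirect ruleset yields 0.
source_port_matches() {
  grep -c "from $LAN_NET port" || true
}

dmz_rules | syntax_check
same_segment_rules | syntax_check
```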
[pfSense Support] Redirecting Traffic Destined for outbound NAT
Hello All,

I was wondering if anyone here would be able to give me some pointers in the context of traffic redirection. What I am attempting (and failing at, I should add) to do is redirect all SMTP traffic from the LAN to another machine on the LAN interface for mail processing with a given set of rules I have created for the postfix instance (think DLP reasons). Essentially this should be no different than setting up a transparent proxy server with squid (redirecting all web traffic to another server before it egresses the firewall). I know that at some point I have used PFSense to do the latter, but as I mentioned before I am failing, as the rule I have added to the LAN tab never gets hits.

Here is the rule:

Proto     Source    Port  Destination   Port       Gateway  Schedule  Description
TCP/UDP   LAN net   *     10.10.1.151   25 (SMTP)  *

Any ideas what it is that I am NOT doing? Or that I am doing wrong?

-Joel
Re: [pfSense Support] bash in pfsense
If you log in to the box and then type pkg_add -r bash, that should pull down and install bash for you.

-Joel

On Oct 20, 2008, at 2:33 AM, Mikel Jimenez wrote:

> Hello
>
> Is it possible to install a bash interpreter in pfSense?
>
> --
> Mikel Jimenez
> Irontec, Internet and Systems on GNU/LinuX - http://www.irontec.com
> +34 94.404.81.82
Re: [pfSense Support] unexpected network throughput
Just a thought, you may want to try using '-c blowfish' on your scp/rsync transfer. It is a faster and lighter cipher. It may not help at all, but it would be interesting as a test.

-Joel

On Mar 22, 2008, at 5:22 PM, Eric Baenen wrote:

> Hello,
>
> I'm very new to pfSense, but I am very impressed. I've installed it in my environment and everything is working except I'm getting less network throughput than I would have expected and was just wondering if anyone might have some insight into why.
>
> My setup and use of pfSense is admittedly out of the ordinary but it does seem to be working fine. I have 8 laboratory facilities on a campus interconnected with a flat gigabit ethernet standalone backbone (i.e. no external access). Each of the laboratories is firewalled off from each other (pfSense firewalls) but maintains a permanent OpenVPN based VPN connection to a centralized 'core' of services (Zimbra for lab-to-lab email/webmail, OpenFire jabber IM server, Apache/TikiWiki web/collaboration, BackupPC centralized backup server, centralized file server, OSSIM security monitor, etc.). In the near future we will configure individual lab to lab VPN connections to facilitate collaboration, resource sharing, etc.
>
> Seven of the labs connected have the following setup:
>
> lab machines/servers - lab gigabit switch - pfSense firewall - backbone gigabit switch
>
> The pfSense firewalls are all Dell 2.6GHz GX270's with 512MB RAM, an on-board gigabit port, and a second Intel Pro 1000 gigabit NIC. Both ports in each of the firewalls appear to be running at 1000base full duplex.
>
> The 8th lab setup is a bit goofy - it's not currently connected and will be the subject of a follow up email to this list.
>
> The VPN connections from each lab to the core are OpenVPN, UDP, shared key, AES 128bit (for now), LZO compression enabled.
>
> Each lab network is on a unique IP space - for example:
>
> Lab 1: 192.168.10.0/24
> Lab 2: 192.168.15.0/24
> Lab 3: 192.168.20.0/24
> Lab 4: 192.168.25.0/24
> Lab 5: 192.168.30.0/24
> Lab 6: 192.168.35.0/24
> Lab 7: 192.168.40.0/24
> Core: 192.168.250.0/24
>
> I'm not sure if this is the right, best or most efficient way to set up the VPNs but based on the instructions on the pfSense site I set up a separate OpenVPN tunnel for each lab...
>
> Lab 1: port 1191 on the Core pfSense firewall (vpn subnet: 192.168.249.0/24)
> Lab 2: port 1192 on the Core pfSense firewall (vpn subnet: 192.168.248.0/24)
> Lab 3: port 1193 on the Core pfSense firewall (vpn subnet: 192.168.247.0/24)
> Lab 4: port 1194 on the Core pfSense firewall (vpn subnet: 192.168.246.0/24)
> Lab 5: port 1195 on the Core pfSense firewall (vpn subnet: 192.168.245.0/24)
> Lab 6: port 1196 on the Core pfSense firewall (vpn subnet: 192.168.244.0/24)
> Lab 7: port 1197 on the Core pfSense firewall (vpn subnet: 192.168.243.0/24)
>
> As I said before - all is working fine - except: when doing rsyncs over ssh/scp from the lab machines to the services core, I'm seeing a maximum sustained throughput of around 60Mbps. With gigabit end to end - even with the AES encryption overhead of the OpenVPN connection and the scp encryption overhead of the file transfer, I would have expected higher throughput than this. The sending machines and the receiving server are not showing high CPU load so I don't think the encryption is the issue.
>
> Any thoughts or ideas?
>
> Thank you,
> Eric
[pfSense Support] Load Balancer Question
Hi ALL!

I have a few questions about the load balancer function:

1. Can I round-robin UDP packets? For instance I would like to set up an internal (LAN side) VIP that will be in front of 2 DNS servers.
2. Will it allow me to load balance internally? i.e. not on the WAN side but on the LAN side.

I am assuming both of the above are "yes it will", but I was wondering if anyone had done this and would be able to offer me a few pointers or guide me through the process.

Something unrelated to the above questions, is there a FAQ about asterisk and pfsense?

-Joel Robison
Systems Administrator
Re: [pfSense Support] Support in 1.3 for nforce ethernet driver?
Hello,

I have had a bad experience with that chipset myself. The board doesn't perform very well even with the driver working correctly (I had to modify the driver to include the MCP51 ethernet device and recompile). If you have something else, preferably Intel, I would suggest using that instead. That's my 2 cents.

-Joel

On Nov 10, 2007, at 2:04 PM, Mike Myers wrote:

> Hi. I am redoing a bunch of servers to rack mount everything, and I figured it would be good to move my pfsense firewall to a more modern hardware config at the same time I stuffed it into a 2U rackmount case. Since the hardware compatibility list said nforce and my old nforce2 based system worked fine, I went with a new hardware config: an AMD CPU with an Nforce 430 based motherboard with integrated 6150 graphics.
>
> When I tried to load pfsense 1.3 RC3 on it, it failed to detect the onboard interface. Upon closer study, it looks like this interface is supported by the nfe driver, which doesn't appear to be part of pfsense 1.3. I found a reference to a freebsd 6 nve driver here: http://www.f.csce.kyushu-u.ac.jp/~shigeaki/software/freebsd-nfe.html . Is it possible to get this added to pfsense? These motherboards are quite popular for small firewalls because of the onboard video support.
>
> Thanks
> Mike
Re: SV: [pfSense Support] New Build
Wow, that is a really nice solution at http://www.kd85.com/liantec.html. The only problem that I would have with that in my scenario is that the NICs don't support checksum offloading via the if_em driver. Just something to be aware of. For home use this really isn't an issue, but I have found that for corporate use with multiple GigE connections and 100+ states, one can use all the help they can get from the hardware.

-Joel Robison

On Nov 5, 2007, at 11:11 PM, Craig Drown wrote:

> Hi, we've just installed a Liantec box from Wim Vandeputte at kd85.com in Belgium and it's fantastic. Has 4 x 1Gbps Intel NICs. His throughput graphs using pfsense are worth a look (375mbps!): http://www.kd85.com/liantec.html
>
> We're running a full install with a 2.5" hard drive but it has a CF slot too. Wim is very helpful.
>
> Cheers,
> Craig
>
> On Mon, 5 Nov 2007 13:33:40 -1000, Jeremy Bennett appears to have written:
>
> > Thanks everyone for the help. I'm going to start with an ALIX.2C3 from Netgate when they are available next week. As they are more affordable than the FX5620 I'll be able to stock spares, though I do look forward to finding a stateside vendor for a 6 lan port model.
> >
> > On Nov 5, 2007, at 12:12 PM, Chris Buechler wrote:
> >
> > > Jeremy Bennett wrote:
> > > > Anders,
> > > >
> > > > Thank you for your firsthand account. I was looking at this unit, but concerned about the realtek nics... I've had problems with those in the past, but if it works for you, then I'm interested. Are you able to use each of the 6 lan ports on this unit as a different interface/subnet in PFsense? If so, PFsense makes this a heavy duty little box.
> > >
> > > I stated it somewhere in a forum post recently I believe, the Realtek NICs in embedded hardware always seem to be very reliable (contrary to some of the wide array of PCI cards with Realtek chipsets that are out there). I have multiple embedded devices with Realtek NICs from vendors on our recommended vendors page, including a FX5620, and they're all rock solid.
> > >
> > > I use mine as a VLAN router at home, trunk on the gig interface with other network segments coming into other interfaces.
>
> --
> Sustainable Solutions
> Kathmandu, Nepal
> Auckland, New Zealand
> ph 977 1 5548021
> [EMAIL PROTECTED]
> http://www.sussol.net
Re: [pfSense Support] Multiple User Support
Awesome! Thank you very much.

-Joel Robison

On 10/17/07, Holger Bauer <[EMAIL PROTECTED]> wrote:
>
> What you are talking about is already worked on and will be available in
> a future version. Stay tuned, we are not there yet ;-)
>
> Holger
>
> > -Original Message-
> > From: Joel Robison [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, October 18, 2007 1:23 AM
> > To: support@pfsense.com
> > Subject: [pfSense Support] Multiple User Support
> >
> > Hello all,
> >
> > First off I would like to say that PFSense does an awesome job. I used to do most of these things with an OpenBSD box by hand before. I was reluctant to switch over all my rules initially in fear it would not be able to provide me with the complexity I needed, and I was wrong; it has really been a great experience. I have multiple locations with 2 PFSense machines using hot-failover (CARP) and each has been handling a 1 GBit link with 200k states without a problem! Awesome guys, keep up your great work!
> >
> > I only have one request:
> > I would love to have the ability to have multiple users/classes of users. As my current company grows I have realized it would be nice to provide different users access to different support tiers; for instance I would be able to give a guest user access to view the graphs and such for monitoring but the changes would be made by a more privileged account. Maybe even through a simple LDAP auth system?
> >
> > Does this sound reasonable?
> >
> > -Joel Robison
> > Very Happy Network Administrator
[pfSense Support] Multiple User Support
Hello all,

First off I would like to say that PFSense does an awesome job. I used to do most of these things with an OpenBSD box by hand before. I was reluctant to switch over all my rules initially in fear it would not be able to provide me with the complexity I needed, and I was wrong; it has really been a great experience. I have multiple locations with 2 PFSense machines using hot-failover (CARP) and each has been handling a 1 GBit link with 200k states without a problem! Awesome guys, keep up your great work!

I only have one request:
I would love to have the ability to have multiple users/classes of users. As my current company grows I have realized it would be nice to provide different users access to different support tiers; for instance I would be able to give a guest user access to view the graphs and such for monitoring but the changes would be made by a more privileged account. Maybe even through a simple LDAP auth system?

Does this sound reasonable?

-Joel Robison
Very Happy Network Administrator
[pfSense Support] PFSense with PPTP and external FreeRadius
Hello All,

I have recently tried to set up PFSense 1.2 B2 with pptp and Radius auth against an external radius server that uses an LDAP backend. I was just wondering if anyone on the list had done this already and would be able to give me a few pointers and share some gotchas (if any).

Thanks,
Joel Robison
Re: [pfSense Support] VMWare ESX : Unable to access WAN interface of pfSense
I have had some experience with ESX server; the only thing that comes to mind is that maybe setting a static MAC on that interface to match what VMware has configured would help? If not that, then at least we have that base covered.

-Joel Robison

On Jun 12, 2007, at 9:38 AM, Ted Eiles wrote:

> I forgot to say I did try to open up the WAN interfaces a bit, but maybe not correctly. I set up this Port Forward rule:
>
> NAT Rule - WAN  TCP  8088  192.168.30.200 (ext.: any)  80 (HTTP)
>
> ... and a WAN rule to let everything in:
>
> Firewall Rule > WAN Tab --- Pass  TCP  *  *  WAN address  *  *
>
> I ping the pfSense VM using the web tool "Diagnostics: Ping"; it can ping itself from the WAN Interface:
>
> PING 8.*.*.243 (8.*.*.243) from 8.*.*.243: 56 data bytes
> 64 bytes from 8.*.*.243: icmp_seq=0 ttl=64 time=0.713 ms
> 64 bytes from 8.*.*.243: icmp_seq=1 ttl=64 time=0.218 ms
> 64 bytes from 8.*.*.243: icmp_seq=2 ttl=64 time=0.225 ms
>
> --- 8.*.*.243 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
>
> I'm still unable to access the WAN interface from any external machine.
>
> --- Ted
>
> -Original Message-
> From: Chris Buechler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 12, 2007 12:21 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] VMWare ESX : Unable to access WAN interface of pfSense
>
> On Mon, 2007-06-11 at 20:29 -0400, Ted Eiles wrote:
> > Goal: Connect ESX/Dell to WAN port and use a pfSense VM as the firewall/vpn/etc.
> > Issue: Unable to access WAN Interface of pfSense vm (ping, http, https)
>
> By default nothing will pass the WAN. You need to put in firewall rules on the WAN permitting the traffic.
Re: [pfSense Support] Remote Traffic Monitoring
This can be accomplished using the netflow package and NTOP; this is how I use it at least and it works very well.

-Joel

On Jun 6, 2007, at 2:40 PM, Tim Nelson wrote:

> WOW amazing timing. I just posted about monitoring traffic as well. It appears you are looking to do actual packet capture, not just seeing how much data flows through your box. It sounds crude, but you could always throw a hub (not a switch...) on the interface you want to capture and run Wireshark directly...
>
> Tim Nelson
> Technical Consultant
> Rockbochs Inc.
>
> Anderson Carli wrote:
> > Hi all!
> >
> > I'm trying to monitor the traffic of my pfSense box. What I want is to dump all WAN traffic to a host in my LAN. Well, I achieve this using tcpdump, netcat and WireShark:
> >
> > 1. Capture all traffic with tcpdump and redirect to my host using netcat:
> >    tcpdump -n -i fxp1 -w- | nc 192.168.0.1 4321 &
> > 2. In the client host:
> >    nc -L -p 4321 > c:\fxp1.log
> > 3. Now I can open the fxp1.log file with WireShark and see all the WAN traffic.
> >
> > But I'm wondering if there is a better way to do the same thing without netcat (using rpcap for example)
> >
> > Cheers
> > Anderson
Re: [pfSense Support] NAT question
On the console you can view the NAT table by issuing 'pfctl -sn', or view all tables and states by using 'pfctl -sa'. Hope that helps.

-Joel Robison

On Jun 6, 2007, at 12:56 PM, David Strout wrote:

> If I were planning on migrating from "Automatic outbound NAT rule generation" to "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))", where could I look to see what NAT rules are already being generated so as to get a good overview of what has to be manually created to do this migration? Is there a CLI command to see the currently running NAT table?
>
> Thanks in advance!
>
> --
> David L. Strout
> Engineering Systems Plus, LLC
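An added example, not from the thread or from pfSense: a POSIX shell script that snapshots 'pfctl -sn' to a file before the switch to AON and reduces the nat lines to an interface/source/destination/port/translation table that can be recreated by hand in the manual rules. The sample output is constructed in the style pfctl prints on pfSense 1.2; its interface names and addresses are made up, and the snapshot path is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the outbound NAT rules pf
# has loaded before migrating to manual (AON) rules. SAMPLE is constructed
# output in the style of 'pfctl -sn'; interfaces and addresses are made up.
SAMPLE='nat on fxp0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.2 static-port
nat on fxp0 inet from 192.168.1.0/24 to any -> 203.0.113.2
nat on fxp0 inet from 127.0.0.0/8 to any -> 203.0.113.2
rdr on fxp1 inet proto tcp from any to any port = smtp -> 10.10.1.151 port 25'

# Reduce each "nat on ..." line on stdin to a tab-separated row:
# interface, source, destination, destination port, translation, static-port flag.
# rdr/binat lines are skipped: AON only replaces the outbound nat rules, so
# port forwards stay as they are and must not be recreated by hand.
summarize_nat() {
  awk '$1 == "nat" && $2 == "on" {
    iface = $3; src = "-"; dst = "-"; port = "-"; trans = "-"; flag = "-"
    for (i = 4; i <= NF; i++) {
      if ($i == "from") src = $(i + 1)
      else if ($i == "to") dst = $(i + 1)
      else if ($i == "port" && $(i + 1) == "=") port = $(i + 2)
      else if ($i == "->") trans = $(i + 1)
      else if ($i == "static-port") flag = "static-port"
    }
    printf "%s\t%s\t%s\t%s\t%s\t%s\n", iface, src, dst, port, trans, flag
  }'
}

# Number of outbound nat rules on stdin; compare it with the AON rule count
# after the migration to catch anything that was missed.
count_nat() {
  summarize_nat | awk 'END { print NR }'
}

# Save the live table to a timestamped file on a pf host; on any other system
# fall back to the constructed sample so the script still runs end to end.
# Prints the path written. The default directory is an assumption.
snapshot_nat() {
  out="${1:-/root/nat-before-aon.$(date +%Y%m%d%H%M%S).txt}"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -sn > "$out"
  else
    printf '%s\n' "$SAMPLE" > "$out"
  fi
  echo "$out"
}

printf '%s\n' "$SAMPLE" | summarize_nat
```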