RE: [pfSense Support] Static ARP

2011-09-01 Thread Tim Dickson
 I have a client who was using Linux as a proxy server it had this one LAN 
 interface and a WAN, LAN NIC in the virtual one he had, as follows: eth0: 1, 
 eth0: 2, eth0: 3, so he had:

We kind of already answered this one yesterday... but

What you want to do will not work like they had it on the linux box, and really 
is not a recommended way to setup a network.
It provides NO real security on your network - so what is the reason for 
segregating? 

If it is to provide security, then you may as well not bother because it would 
be trivial to hop networks at that point.
If it is for access restrictions after the firewall - you can do what you want 
with what was recommended yesterday.
Open up the network with a 192.168.0.0/22 
Put the DHCP Range on 192.168.3.1 -192.168.3.254
Put in STATIC DHCP for devices on 192.168.1.0 and 192.168.2.0
Then setup Rule restrictions for the ip ranges.

The only other option I can think of would be to setup 3 NICs for 3 LANs then 
plug them all into the same switch.
Turn DHCP on all of them, restricted 2 of them to STATIC MAC mappings.  
I have no idea how that would work, or if it would - but you are welcome to 
give it a shot.
Seems like it would be a broadcast nightmare - but if you want to try it 

-Tim
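An added example, not part of the original post: a Python sketch that validates the /22 plan described above and audits observed MAC/IP pairs for hosts that have put themselves into one of the static ranges, which is how range-based rules on a flat network get bypassed. The MAC addresses, mappings, observations and function names are constructed for illustration.

```python
import ipaddress

# Address plan from the post: one flat /22, dynamic pool in the top /24,
# static DHCP mappings in 192.168.1.0/24 and 192.168.2.0/24.
LAN = ipaddress.ip_network("192.168.0.0/22")
POOL_START = ipaddress.ip_address("192.168.3.1")
POOL_END = ipaddress.ip_address("192.168.3.254")
STATIC_RANGES = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
]

# Constructed static DHCP mappings (MAC -> IP); not from the original thread.
STATIC_MAP = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.2.20",
}

# Constructed (MAC, IP) pairs as they might be read from the firewall's ARP table.
OBSERVED = [
    ("00:11:22:33:44:01", "192.168.1.10"),  # matches its static mapping
    ("00:AA:BB:CC:DD:10", "192.168.3.57"),  # ordinary lease from the pool
    ("00:AA:BB:CC:DD:11", "192.168.2.77"),  # unmapped host inside a static range
    ("00:11:22:33:44:02", "192.168.3.9"),   # mapped host sitting on a pool address
]


def in_static_range(ip):
    return any(ip in net for net in STATIC_RANGES)


def validate_plan(static_map):
    """Return a list of problems with the static mappings themselves."""
    problems = []
    owner = {}  # IP -> MAC, to catch two MACs mapped to one address
    for mac, ip_text in static_map.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in LAN:
            problems.append(f"{mac}: {ip} is outside {LAN}")
        elif POOL_START <= ip <= POOL_END:
            problems.append(f"{mac}: {ip} collides with the dynamic pool")
        elif not in_static_range(ip):
            problems.append(f"{mac}: {ip} is not in a static range")
        if ip in owner:
            problems.append(f"{mac}: {ip} already mapped to {owner[ip]}")
        owner[ip] = mac
    return problems


def audit_neighbors(observed, static_map):
    """Return (mac, ip, reason) for every observed pair that bypasses the plan."""
    findings = []
    for mac, ip_text in observed:
        mac = mac.lower()
        ip = ipaddress.ip_address(ip_text)
        if ip not in LAN:
            findings.append((mac, ip_text, "address outside the LAN"))
        elif in_static_range(ip) and static_map.get(mac) != ip_text:
            findings.append((mac, ip_text, "self-assigned address in a static range"))
        elif mac in static_map and static_map[mac] != ip_text:
            findings.append((mac, ip_text, "mapped host using a different address"))
    return findings


if __name__ == "__main__":
    for problem in validate_plan(STATIC_MAP):
        print("plan:", problem)
    for finding in audit_neighbors(OBSERVED, STATIC_MAP):
        print("audit:", *finding)
```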


RE: [pfSense Support] Monitor IP in gateway, strange behavior

2011-08-17 Thread Tim Dickson
 Everything is working fine, with load balance between the links, redundancy 
 etc... the issue is only with the IP to test if the gateway is up or not

You have to have a SEPARATE IP for each monitor address... 
If you are going out through the same gateway, then traceroute out on the net 
somewhere and see if you can ping some local routers along the way.
Put their IP in as a monitor address.  Pick one with as few hops as you can 
find.





RE: [pfSense Support] Kingston SSD filesystem corruption

2011-08-09 Thread Tim Dickson
 About a year ago, I switched to running the full pfSense 2.0 (beta something 
 at the time) on a Kingston SS100S2/8G embedded SSD.

I installed the 30G version in 12 systems, all of which failed within 6 months. 
 I moved to Intel 320s and/or WD Greens (depending on budget of the site) so 
we'll see how they hold up.
I also had the 64G version running Untangle systems which failed as well... in 
short I would not recommend the Kingston SSDs at all... it's been a major pain 
having to swap them all out of live systems.


RE: [pfSense Support] Splitting a /24 into multiple subnets

2011-05-23 Thread Tim Dickson
 Now I'm trying to segment the /24 into 4 subnets with the pfSense interfaces 
 being:

It sounds easy enough - but may be because I'm not understanding exactly what 
you want.
But the simplest method I could come up with would be to setup your WAN to 
accept every IP your ISP routes to you, then do 1:1 to each internal network 
you need.
Create each internal network on a separate interface (either physical or VLAN)
Then set the RULES inbound on your WAN interface as needed.
That allows you to do any routing you want between interfaces / WAN and gives 
you granular control of everything.

-Tim


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense Support] fail update package on pfsense 1.2.3

2011-03-13 Thread Tim Dickson
 Has anyone experienced this or how can I have a fix to the problem.
 
Unable to reach that file from here either...  Looks like the packages 7.2 
folder was removed from the FTP server.
See here: ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/ 
-Tim
 




RE: [pfSense Support] Multiple WAN subnets

2011-03-01 Thread Tim Dickson

 I thought so, but that does not seem to work either.

Make sure you power cycle the router that is passing that subnet to your 
firewall.
I had this same issue when I set this up, and racked my head for hours before 
doing that. 

I opted for the separate interface approach when I did the install (which works 
great)
You will want to setup the Virtual IPs first, then power cycle the router.

It will then arp out when it boots and get the IPs routed correctly. 

-Tim




RE: [pfSense Support] Auto-update Check fails

2010-12-24 Thread Tim Dickson
 No 2.0 as Xmas present this year?

---

I don't see this happening really, a RC could be possible, but that's unlikely 
too.


Per Scott on Twitter (@sullrich)
Now is the time to speak up if you know of any issues in pfSense. Final push 
to RC1 begins today. Speak up now or forever hold your...

This was tweeted yesterday, so it looks like he is working for an Xmas present! 





RE: [pfSense Support] Assign custom Gateway

2010-11-05 Thread Tim Dickson

 Is there a way in PF to have dhcp assign a custom gateway in the static dhcp 
 setup.  

Why don't you whitelist the IPs you want to pass in the captive portal 
configuration.
They would all go through the captive portal, but those IPs assigned to bypass 
wouldn't be blocked.
-Tim




RE: [pfSense Support] Large Files ftp package?

2010-10-01 Thread Tim Dickson
 Does pfsense have a package which would allow me to send a link to a 
 big file sitting on my network that someone can either ftp or scp safely?


Take a look at  http://openupload.sf.net/
Not a package, but a nice web utility




RE: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Tim Dickson
  Contacting you off the board, as I have questions about the other firewall 
software you carry.  What do you think of Vyatta and Untangled?  I came from 
using m0n0wall so naturally recommend pfSense to my clients, but wanted to 
know if you think either of the others are better.  


I use both pfSense and Untangled on my sites.  I can't give up pfSense for the 
power it has as a multi-network router/firewall.  I really haven't come across 
anything that can come close. 
However, Untangle is a great platform as a UTM - it's dang simple to install, 
and the reporting is great to keep on file, and easily readable for HR etc..
I tried Vyatta for a week (and gave Endian a try too) and there were no 
features that I used that trumped pfSense. 




RE: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Tim Dickson
I don't know the IP addresses of the SSH servers on the Internet.

Then only allow to the SSH servers you know/want?  You can go either way... 
block all and allow only certain IPs
Or allow all, and block certain IPs
On 2.0 you can block by OS type too...



RE: [pfSense Support] multi-wan, multi-lan security

2010-08-10 Thread Tim Dickson


I disagree with this statement.  What makes you believe this?

Windows has had built-in, default firewalling for quite some time, as has 
almost every desktop distribution of linux.  SOHO firewalls that don't 
firewall IPv6 don't do so because they're generally not IPv6 capable (see 
PFSense for an example of default-deny IPv6 when $supported=0).  Most ISPs 
drop the most vulnerable Windows ports at their border and often even at the 
CPE, agnostic of addressing protocol.



This is again, assuming that security is in place... when looking at security 
at the perimeter, we must assume there is NO security in place. (and adjust for 
it)
Is it possible someone disabled the firewall on windows? Absolutely!  , linux? 
Yes again!  
We can go back and forth on these ifs, but assuming the worst, and preparing for 
it - is the best (and only) solution.




RE: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Tim Dickson
 I still don't follow.  NAT is not a security mechanism, and MAC addresses are 
 not privileged information.

True, but once you know the MAC you can find out the vendor quite easily, and 
then go about running exploits specific to that piece of hardware.   

 Adam - While that's certainly true, in my opinion, whether an IP is known or 
 unknown is irrelevant to that host's security.

Again true, but I would change "whether an IP is known or unknown IS 
irrelevant" to "whether an IP is known or unknown SHOULD BE irrelevant" - the 
truth is, it's not though...
For the most part we are talking mainstream people here... and while if a piece 
of hardware has been bullet tested (security wise) by a professional - a public 
address/mac shouldn't affect it, as the security measures are in place... to an 
untrained person with no or little security in place, every piece of 
information that is accessible is more fuel used to attack the host. 
You can fight either way, but the truth is, the more information you can keep 
secret - the better, this whole thread can be summed up with that...
-Tim




[pfSense Support] RE: Heli new intall

2010-07-22 Thread Tim Dickson
 Just installed pfsense on linux  locked myself out.

pfSense runs on FreeBSD - how'd you manage that!? ;)
If you have an SSH session there is a prompt to reset the webmin password - 
just hit that.

If you are on linux with a VM (maybe that's what you are talking about) - then 
use the VM console or re-install?




RE: [pfSense Support] 2 WAN IP's in the same net.

2010-07-13 Thread Tim Dickson
 Is it possible to make load balancing with 2 accounts of 30mbps from the same 
 ISP?
 
For the current release you have to put another device in front of one of the 
WANs so that it has a separate gateway.
-tim




RE: [pfSense Support] pfsense 1.2.3 Captive portal File Manager

2010-07-05 Thread Tim Dickson

Hi,
 
has anyone tried loading a .png file format to pfsense 1.2.3 captive portal 
File Manager since only .jpg file format is only allowed.
 
I'm having a .png file in which i would like to use since it displays on my 
login .html page perfectly, can anyone advise how could we allow other picture 
formats apart from .jpg file formats to be allowed in the File Manager in 
captive portal.
 
 
I'm using png files in a 1.2.3 install... just upload all files with 
captiveportal- prefix such as captiveportal-header.png
Then you can call the image in your html as a root file such as 
src=captiveportal-header.png
Just make sure you keep the total file size under the limit.
-Tim 
 
 
 




RE: [pfSense Support] 3 interface box with transparent bridge between 2 of them

2010-05-06 Thread Tim Dickson
... Any idea as to 1.x and not plugging a cable into WAN while bridging 2 OPTs?

Setup WAN to a VLAN - just to get it out of the way...




RE: [pfSense Support] 3 interface box with transparent bridge between 2 of them

2010-05-06 Thread Tim Dickson
 How would I go about not doing what I suggest above but instead setting WAN 
 to a VLAN as you suggest?

When setting up your NICS - choose YES to add VLANS.
Just add some extra VLANS even if you aren't using them.
OR you can set it up in the GUI after, by adding VLANS then assigning to the 
interface.





RE: [pfSense Support] VPN LAN TO LAN

2010-04-05 Thread Tim Dickson
 any help on how could i connect to the client PC's on my pfsense LAN 
 interface as current i set my LAN interface to DHCP pool address.
 
Take a look here:
http://doc.pfsense.org/index.php/OpenVPN_Bridging
I'm assuming that's what you are asking...





RE: [pfSense Support] VPN LAN TO LAN

2010-04-02 Thread Tim Dickson
➢ if you are saying PPTP not being the most secure means of VPN which VPN is 
the most secure to use ???
 

I’ll take this off list – as it’s been covered before – I’ll email you 
directly, Joseph. 
-tim



RE: [pfSense Support] VPN LAN TO LAN

2010-04-02 Thread Tim Dickson
Traditionally PPTP has been prone to more flaws than other technologies...   
and most industry managers frown on it.
With Vista and Win7 - Microsoft filled in a lot of holes and upped the 
encryption size - so should be sufficient, especially for personal use.
It doesn't use a dual authentication, like openVPN can (key + password), so is 
more susceptible to hacks via brute force.
But you can negate all that by adding source rules to your ports.
(if you know the IPs you will be dialing in from - add them to the SOURCE of 
the rule - and it will ONLY allow those IPs to connect to your PPTP server)

I have to say - it is by far the most convenient especially for your use.  
I'd say go for it - just wanted to make sure you were fully informed.
Let me know if you have any more questions.
-Tim

From: Joseph Rotan [mailto:joseph.ro...@gmail.com]
Sent: Friday, April 02, 2010 8:59 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN LAN TO LAN

Tim,

if you are saying PPTP not being the most secure means of VPN which VPN is 
the most secure to use ???

As currently I'm having PPTP just to login remotely to other sites and check 
for maintenance or other associates problems.

Any advice on having a secure VPN tunneling.


Cheers,

Joseph.


On Fri, Apr 2, 2010 at 10:54 AM, Tim Dickson 
tdick...@aubergeresorts.com wrote:
 well strange because i can access my box with the following 
 http://IP address:443 how is it possible as you you've said it 
 should be https://IP address:443
If you setup HTTP as port 443 I this would work - kind of goes against web 
standards - but it's your box :) - you probably just didn't tick HTTPS as the 
protocol

 So I can use any port numbers as you've said, this will guarantee my PPTP 
 tunneling secure ???

Yes - System | General Setup
As for PPTP - totally different thing, and you'll need to open those ports as 
well.
PPTP not being the most secure means of VPN - but probably sufficient for your 
needs.

As for purchasing the pfsense book is it possible to send money through wired 
transfer like western union money transfer then the book is sent to my postal 
address ???

Standard Amazon billing applies - not sure if they do wire transfers...
This may help? 
http://www.amazon.com/gp/help/customer/display.html/ref=help_search_1-1?ie=UTF8&nodeId=15399401&qid=1270158715&sr=1-1
Can you purchase a prepaid visa gift card at a local market?





RE: [pfSense Support] VPN LAN TO LAN

2010-04-02 Thread Tim Dickson
Errr After all that - forgot to change the TO: ... sorry list!


RE: [pfSense Support] VPN LAN TO LAN

2010-04-01 Thread Tim Dickson
If you left the HTTPS port in the config to 443 it would be https://IP
If you made it another port (say ), you'll want to open that port in your 
firewall and put https://IP:

It sounds like the pfsense book would be a good companion for you!
http://www.amazon.com/pfSense-Definitive-Christopher-M-Buechler/dp/0979034280/ref=sr_1_1?ie=UTF8&s=books&qid=1270137863&sr=8-1

Well worth the 30 bucks, and you'll come away understanding your network 
infinitely better.



From: Joseph Rotan [mailto:joseph.ro...@gmail.com] 
Sent: Wednesday, March 31, 2010 7:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN LAN TO LAN

OK, i've Enable HTTPS(443) on the WAN interface of my pfsense box; then how 
could I access my box remotely through internet is it https://ip address:443
 
Correct me if i'm wrong as looks like i could not access my box  using 
https(443) what went wrong that i could not access by pfsense box.
 
Joseph.
 


 
On Sat, Mar 27, 2010 at 5:18 AM, Tim Dickson tdick...@aubergeresorts.com 
wrote:
-- any hint on how to apply https over the INTERNET to my PFSENSE box ???
Enable HTTPS (443) on the WAN interface in your ruleset.
 
-- and how could i access my LAN (clients PC)
 
You were correct with VPN being the best way.  You could put port forwards in 
as well, and you could also enable SSH and use tunneling.
Totally depends on your needs - I'd check out OpenVPN. 






RE: [pfSense Support] VPN LAN TO LAN

2010-04-01 Thread Tim Dickson
 well strange because i can access my box with the following http://IP 
 address:443 how is it possible as you you've said it should be https://IP 
 address:443

If you setup HTTP as port 443 I this would work - kind of goes against web 
standards - but it's your box :) - you probably just didn't tick HTTPS as the 
protocol
 
 So I can use any port numbers as you've said, this will guarantee my PPTP 
 tunneling secure ???
 
Yes - System | General Setup
As for PPTP - totally different thing, and you'll need to open those ports as 
well.  
PPTP not being the most secure means of VPN - but probably sufficient for your 
needs.

As for purchasing the pfsense book is it possible to send money through wired 
transfer like western union money transfer then the book is sent to my postal 
address ???
 
Standard Amazon billing applies - not sure if they do wire transfers...
This may help? 
http://www.amazon.com/gp/help/customer/display.html/ref=help_search_1-1?ie=UTF8&nodeId=15399401&qid=1270158715&sr=1-1
Can you purchase a prepaid visa gift card at a local market?





RE: [pfSense Support] VPN LAN TO LAN

2010-03-26 Thread Tim Dickson
-- any hint on how to apply https over the INTERNET to my PFSENSE box ???
Enable HTTPS (443) on the WAN interface in your ruleset.
 
-- and how could i access my LAN (clients PC)
 
You were correct with VPN being the best way.  You could put port forwards in 
as well, and you could also enable SSH and use tunneling. 
Totally depends on your needs - I'd check out OpenVPN. 






RE: [pfSense Support] VLAN Setup

2010-01-10 Thread Tim Dickson

The 1.2.2 and 1.2.3 GUI interface section does indeed allow for
definition of multiple VLAN IDs -- but exactly one IPv4 address per
physical interface.

Define the VLAN and it becomes an interface in the GUI where you can define an 
IP/subnet. 
I currently have 5 VLANs (with separate IP and subnets) leaving a single 
physical NIC.

I think the key is to either use VLANS on a physical nic OR the physical 
interface.
IE if interface 1 is to be used for VLANS, don't assign it as a physical 
interface.
It can work that way - but I believe is a best practice to avoid. 

So step 1.  Assign VLANS, 
Step 2 go to interfaces tab, enable the interface, and set the IP/Subnet
Step 3 Configure VLANS on the switch port that is connected to the NIC.

-Tim




RE: [pfSense Support] WAN2 Setting Problem In Failover

2009-12-15 Thread Tim Dickson
and in the WAN2 interface,I set Type to static,IP address to 
192.168.1.254/32,Gateway to 192.168.1.1.


I believe you want it to be 192.168.1.254/24
Right now the gateway and static IP are in two different subnets.
-tim
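An added example, not part of the original post: a Python check for the mismatch described above, where the gateway must be an on-link host of the interface's subnet. It goes slightly beyond the post by also proposing the longest prefix (at most /30) under which both addresses are usable hosts; function names are hypothetical and the code is IPv4 only.

```python
import ipaddress


def usable_host(addr, net):
    """True if addr is an assignable host address inside net."""
    if addr not in net:
        return False
    if net.prefixlen >= 31:  # /31 and /32 reserve no network/broadcast address
        return True
    return addr not in (net.network_address, net.broadcast_address)


def smallest_shared_interface(ip, gateway):
    """Longest-prefix (at most /30) interface config where both are usable hosts."""
    # Number of leading bits the two addresses have in common.
    shared_bits = 32 - (int(ip) ^ int(gateway)).bit_length()
    for prefix in range(min(shared_bits, 30), -1, -1):
        candidate = ipaddress.ip_interface(f"{ip}/{prefix}")
        net = candidate.network
        if usable_host(ip, net) and usable_host(gateway, net):
            return candidate
    return None


def check_gateway(interface_cidr, gateway):
    """Report whether gateway is on-link for interface_cidr, with a suggested fix."""
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(gateway)
    if iface.version != 4 or gw.version != 4:
        raise ValueError("IPv4 only")
    if gw == iface.ip:
        return {"on_link": False, "suggested": None,
                "reason": "gateway is the interface's own address"}
    if usable_host(gw, iface.network):
        return {"on_link": True, "suggested": None,
                "reason": f"{gw} is a host in {iface.network}"}
    suggestion = smallest_shared_interface(iface.ip, gw)
    return {"on_link": False,
            "suggested": str(suggestion) if suggestion else None,
            "reason": f"{gw} is not a host in {iface.network}"}


if __name__ == "__main__":
    # The WAN2 settings quoted in the thread, then the corrected mask.
    for cidr in ("192.168.1.254/32", "192.168.1.254/24"):
        print(cidr, check_gateway(cidr, "192.168.1.1"))
```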




RE: [pfSense Support] Old Firebox question

2009-12-03 Thread Tim Dickson


-Original Message-
From: Sean Cavanaugh [mailto:millenia2...@hotmail.com] 
Sent: Thursday, December 03, 2009 9:18 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Old Firebox question



 Date: Thu, 3 Dec 2009 08:18:13 -0800
 From: tjdres...@gmail.com
 To: support@pfsense.com
 Subject: [pfSense Support] Old Firebox question

 Hi folks,

 In a former life I replaced an overworked Firebox with an IPCop
 installation (this was before I knew about pfSense, all my firewalls
 are pfSense now).

 Anyways... the only thing I miss about that Firebox was this cool
 little graphical traffic graph that updated in real time. On one side
 of the screen they had the external IP and port or protocol, and on
 the other was the internal IP and port/protocol. I've got the rate
 package installed which does a nice job of breaking down the traffic,
 but its not as pretty.

 Does anyone know what I'm talking about, and if so, does anyone know
 about a package out there that might replicate this completely
 frivolous non-security related eye-candy?

 With regards,



Personally I get most of that style info from the ntop package. There's also
an addon widget that adds IP information next to the traffic graph, forgot
what it's called   
-


If only NTOP was stable on more than 1% of installs... sigh
RATE is the package with that functionality... and it is a very welcome
addition to the package family!





RE: [pfSense Support] Port forward beyond local internal subnet.

2009-11-10 Thread Tim Dickson

From: Matt [mailto:mnaism...@gmail.com] 
Sent: Tuesday, November 10, 2009 5:05 PM
To: support@pfsense.com
Subject: [pfSense Support] Port forward beyond local internal
subnet.

Hi, 

I have a router behind pfsense with multiple internal subnets behind
that.  
Will a pfsense  port forward from the WAN to any of my internal
subnets work ? 
Assuming pfsense can route to the internal  subnets the port
forward should 
work fine right ?  

thanks. 

Matt. 


Most likely it will work – but is not recommended.  (Double NATing that is)
And this is assuming the secondary router is routing the packets correctly.
What is the purpose of pfSense in this case? Would using it in bridge mode
work better for you? 
Or is there a reason you need the multiple Routers…. How about removing the
secondary Router and programming pfsense for all the subnets?
-tim





RE: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Tim Dickson

On Thu, Oct 1, 2009 at 6:07 PM, Jim Pingle li...@pingle.org wrote:
 Chris Buechler wrote:
 On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters
 curtislamast...@gmail.com wrote:
 I've searched around and read about others with this issue.  Basically
 I have 5 different Vista laptops that cannot get a DHCP address unless
 I modify the registry and disable a broadcast setting.  Does anybody
 have a solution to this that would prevent me from having to touch
 each workstation?

 If you can find a solution for ISC dhcpd we'd implement it. I'm not
 sure exactly how that ends up set on some Vista systems but not
 others.

 My repair bench segment is also behind pfSense, and it has seen hundreds
 of different machines of all makes and models, many of them using Vista,
 and I've not had one yet that couldn't pull an IP address from DHCP on
 pfSense. It's always Just Worked(tm)

 Could this be induced by the switch, perhaps?


I've had it happen first hand... it's a pain in the *ss!!!
Sometimes an elevated CMD prompt - ipconfig /release /renew  works
But I'd say it's about a 45% success rate.
Next step is to disable/renew the adapter - that brings it to about a 65%
success rate.

This is after following the broadcast regedits - turning off IP6, etc on
this machine btw.

The good news is that it only happens about once a month, but when it does
- man it's annoying. 

I do run procurve switches on my network - my dhcp server is a windows 2003
server.  (pfSense being the gateway though)
If anyone else finds a permanent solution - shout it out - because I've yet
to find one.
(My only permanent solution so far - was to upgrade to the RTM of win7)
-Tim







RE: [pfSense Support] 192.0.2.112

2009-09-29 Thread Tim Dickson
-Original Message-
From: Curtis LaMasters [mailto:curtislamast...@gmail.com] 
Sent: Tuesday, September 29, 2009 5:50 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] 192.0.2.112

I'm not sure how the dynamic dns daemon works on pf, however I could
possibly understand this issue if the ISP was doing NAT with their
cable/dsl modem and passing off a private IP range to your WAN
interface.  What IP is assigned to the WAN?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com



On Tue, Sep 29, 2009 at 5:52 AM, Fuchs, Martin
martin.fu...@trendchiller.com wrote:
 Hi !



 A friend of mine has a strange problem: every time he reboots his pfsense his
 dyndns updates with 192.0.2.112



 He had this problem with 1.2.2 and now updated to 1.2.3 RC3 and it still
 exists.



 Anyone has the same issues ?



 Any ideas ?



 Regards,



 Martin

-



Yep, I've had a few modems that do this... they start with the private
subnet until assigned the IP from the ISP - then it switches.
I'm guessing it's for diagnosing the line - but is just a pain in the hind 
One of our sites opted for the $5 static IP... the other just waited for it
to update... not sure if there is another way around it.







RE: [pfSense Support] Fresh install can't access internet.

2009-08-19 Thread Tim Dickson

On Wed, Aug 19, 2009 at 3:55 PM, li...@mgreg.comli...@mgreg.com wrote:
 Hi All,

 I've decided to give pfSense a go. When I initially installed it about (20
 mins ago), everything seemed to work just fine. Now, however, I can ping and
 SSH to all machines behind the pfSense box, but I can't access the internet.

Looks like you have the LAN IP the same as your ISP Gateway...
Change that IP to something other than 192.168.1.1

-Tim







RE: [pfSense Support] Multiple WAN Interface and Specific Traffic to Each Interface

2009-07-17 Thread Tim Dickson
One way to do it is to setup a 1:1 NAT rule (you can do this in addition to
your standard port forward) then setup a rule on your LAN interface for the
10.10.10.10 IP and set its GW as the OPT1 IP. 
-Tim 



From: Ron Lemon [mailto:r...@maplewood.com] 
Sent: Friday, July 17, 2009 12:32 PM
To: 'support@pfsense.com'
Subject: [pfSense Support] Multiple WAN Interface and Specific Traffic to
Each Interface

I have a pfSense box with a WAN link that goes to the internet.  This is
where all the web surfing and e-mail comes and goes from.

I have a second WAN link (OPT1) that goes to a public semi-private network
and I need to route traffic for a couple of specific IPs to this interface.


I have the NAT rules setup so that when traffic comes from IP 1.2.3.4 on
port 25 it goes to 10.10.10.10 what do I need to do to ensure that traffic
destined from 1.2.3.4 goes back out via OPT1 and not WAN?

Thanks,

Ron






RE: [pfSense Support] Filtering streaming - peer to peer - instant messaging

2009-07-15 Thread Tim Dickson
And again... not to take away from pfsense.
But untangle has some filtering.  ( I actually use pfsense for our
firewall/vpn/routing etc... and untangle for web/protocol filtering)
As a firewall it is severely lacking, but is a half decent web/protocol
filter - at least for those that are free.
www.untangle.com

-Tim

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris
Buechler
Sent: Wednesday, July 15, 2009 11:44 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Filtering streaming - peer to peer - instant
messaging

On Wed, Jul 15, 2009 at 8:48 AM, bsdb...@todoo.biz wrote:
 Hello,

 I am about to answer a public tender and am looking for a reliable
 open-source filtering solution.
 I need to filter layer 3 and 4 of TCP/IP stack (TCP and Application layer)
 specially for stream such as Peer to Peer - IM - Streaming - Virus.


You have your layers wrong. L3 (IPs) and L4 (protocol, TCP, UDP, GRE,
ESP, etc.) are fully supported. I presume you mean higher layers,
identifying what traffic is based on the actual payload rather than
L3/4 header.

2.0 does have some application intelligence but that's not an option
for immediate use. There aren't any similar open source options that
do have that kind of functionality unless you build it yourself.




RE: [pfSense Support] Captive Portal and Wifi network

2009-06-29 Thread Tim Dickson
- Lunix1618 [mailto:lunix1...@gmail.com] 
Hello everybody,

I am in study phase to do a Wireless network and requirement is need to 
force users authenticate first. I figured out that can be done with 
Captive Portal feature of pfsense. However, I want to know if anybody 
did a Wifi network with 1 main access point connect directly to pfsense 
box and expand the wireless signal with some kind of Wifi extender ?

TIA,
-



Yes, absolutely - if your Access Points support it - but you will be chopping 
bandwidth in half at every relay point.
Two hops is probably OK, but I'd reconsider your setup for multiple hops.
-Tim







RE: [pfSense Support] Does it matter which interface I specify for static routes?

2009-06-02 Thread Tim Dickson
Thinking out loud here.

But the static routes are only for those subnets which are not directly
routable to the interface.  I'm assuming your vpn concentrator takes care of
that already?

I think you'd be better off setting up the LAN3 as a gateway and routing
your packets with rules? ( any with dest 10.0.19.0 out gw LAN3)

 

From: Steve Harman [mailto:steve.har...@envisional.com] 
Sent: Tuesday, June 02, 2009 2:55 AM
To: support@pfsense.com
Subject: [pfSense Support] Does it matter which interface I specify for
static routes?

 

Hi!

 

We have four internal NICs on our pfSense box; LAN , LAN2, LAN3 and
LAN4.  

 

I need to setup a static route for a remotely hosted network at our parent
company's office so any traffic destined for that network is directed
towards our site-to-site VPN concentrator / gateway box sitting on LAN3.

 

My question is this; when creating static routes for a remote network, say
10.0.19.0 in System  Static Routes I'm asked to specify the Interface
from a pulldown menu.  If I specify LAN as my Interface does that mean the
static route is only in effect for traffic on the LAN interface?  (and not
LAN2, LAN3 and LAN4).

 

After adding my 10.0.19.0 route I've tried adding additional static routes
to 10.0.19.0 and selecting LAN2 but the system tells me A route to this
destination network already exists (which of course it does!)

 

Thanks in advance,

 

Steve



RE: [pfSense Support] bridging 2 networks with pfsense+openvpn

2009-04-22 Thread Tim Dickson
Just looking at this quickly... looks like you are trying to route two networks 
without having two networks.
What I mean is you have the same subnet for both of your networks, so the 
pfsense boxes don't know whether to route internally or push to the other 
pfsense box.
You need a separate subnet for each physical network so that routing can occur.
I may be reading your setup wrong - but that's what it looks like to me.
-Tim

-Original Message-
From: Brian Josefsen [mailto:josef...@sjovedyr.dk] 
Sent: Wednesday, April 22, 2009 3:22 PM
To: support@pfsense.com
Subject: [pfSense Support] bridging 2 networks with pfsense+openvpn

Hi

I have 2 pfsense boxes, one embedded on each side of the atlantic
ocean. They connect fine, but i can't contact any of the other side,
both side have the pfsense as a primary gw.

network 192.168.1.0/24
Box local is 192.168.1.241
Box remote is 192.168.1.242

I can only reach the other box with a ssh login to one of the boxes
and use ssh to the other box's ipaddress on the tun adapter.

Do I need fw rules, or am I missing some commands?

-- 
Med venlig hilsen / Best regards
Brian Josefsen




RE: [pfSense Support] bridging 2 networks with pfsense+openvpn

2009-04-22 Thread Tim Dickson
Yes, you'll push the two networks across. It's how I've set it up... maybe 
someone else has more ideas here.
You may be able to do some custom routing the other way - but two subnets will 
work.

-Original Message-
From: Brian Josefsen [mailto:josef...@sjovedyr.dk] 
Sent: Wednesday, April 22, 2009 4:32 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] bridging 2 networks with pfsense+openvpn

2009/4/23 Tim Dickson tdick...@calistogaranch.com:
 Just looking at this quickly... looks like you are trying to route two 
 networks without having two networks.
 What I mean is you have the same subnet for both of your networks, so the 
 pfsense boxes don't know whether to route internally or push to the other 
 pfsense box.
 You need a separate subnet for each physical network so that routing can 
 occur.
 I may be reading your setup wrong - but that's what it looks like to me.
 -Tim



I thought I could bridge the two networks together this way.

But what you're saying, if I change one of the networks, I can route
in between them and connect from lan client to another lan client?


-- 
Med venlig hilsen / Best regards
Brian Josefsen




RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website brows

2009-04-15 Thread Tim Dickson
Sorry for the delay...
Go to your rules for your LAN and add a new rule at the top of your ruleset
(rules process top down)
with the source IP you cited below, and set it to block.

And yes, your machine should handle the amount of machines you require. 

Last, looking at the image you sent - depending on that amount of time since
uptime - it doesn't look like you are getting hammered too much.
What is your state table? 

-Original Message-
From: Juan Rivera [mailto:jriv...@americancableco.com] 
Sent: Tuesday, April 14, 2009 6:25 AM
To: support@pfsense.com
Subject: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] RE:
[pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense
Support] RE: [SPAM] Re: [pfSense Support] website browsing

Now how can I block that IP address? It's not showing on our DNS and I'm
not too familiar with the pfSense firewall, please help!!!

-Original Message-
From: Ryan [mailto:radiote...@aaremail.com] 
Sent: Tuesday, April 14, 2009 9:23 AM
To: support@pfsense.com
Subject: [SPAM] RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support]
RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE:
[SPAM] Re: [pfSense Support] website browsing

 Block the IP and wait to see who complains that they are disconnected.



Ryan Rodrigue


  
Office: (985) 876-4096
Fax: (985) 853-0134


-Original Message-
From: Juan Rivera [mailto:jriv...@americancableco.com] 
Sent: Tuesday, April 14, 2009 6:55 AM
To: support@pfsense.com
Subject: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM]
RE:
[pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re:
[pfSense
Support] website browsing

Now as you see in the picture there is IP 192.168.1.147. That IP address
can't be located with a computer name. How can I locate who is using that IP
address? I have used Advanced IP Scanner but it's saying that the IP address is
dead, and I also looked at our DNS records and nothing, no computer with that IP
address. Do you think it is a computer infected with malware, and can you help me
on how to locate it?

-Original Message-
From: Tim Dickson [mailto:tdick...@calistogaranch.com]
Sent: Monday, April 13, 2009 4:19 PM
To: support@pfsense.com
Subject: [SPAM] RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support]
RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support]
website
browsing

It all depends on throughput levels - but yes, I can pretty much
guarantee
it can handle it. (1990's hardware can handle 70 users with modest
throughput), but if you are curious - what are your specs?
I was more wondering if you had a couple machines with malware that may
be
pegging out your connections state table, or some P2P users. 
Check your state table and make sure it isn't maxing out.  And make sure
if
you have P2P users, that they aren't maxing out your bandwidth. 

Blank MTU in your config is fine - that means it will be at 1500 - which
is
the standard on most connections (at least in the US).

You didn't answer if all was well when bypassing the pfSense box.  If it
is,
then start segregating things.  Try it with JUST your machine - pfSense
-
Modem, and see how that works... this is granting your box is malware
free
:) - if in doubt, grab an Ubuntu LiveCD (or variant) and boot it up on
your
machine to test.

Good luck!
-Tim


-Original Message-
From: Juan Rivera [mailto:jriv...@americancableco.com]
Sent: Monday, April 13, 2009 12:57 PM
To: support@pfsense.com
Subject: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM]
Re:
[pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing

Yeah just called my ISP they are checking on the modem to see if there
is
something wrong with it  as the MTU was blank before I made any changes
to
it, now it got me thinking I have more than 70 computers connecting to
my
free BSD you think it can't handle that many ?

-Original Message-
From: Tim Dickson [mailto:tdick...@calistogaranch.com]
Sent: Monday, April 13, 2009 2:54 PM
To: support@pfsense.com
Subject: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support]
RE: [SPAM] Re: [pfSense Support] website browsing

Sounds like you are pulling at straws here - but try and find out what
the
root of your problem is.  If your packets are fragmented, then yes this
will
slow things down - but it could be totally irrelevant to your issue. 
If you bypass pfSense is everything fine? 
How do your traffic graphs look? (how many connections are you doing -
check
the state table)

If it is in fact your MTU - check with your ISP on what your MTU should
be,
you'll want to leave it matching theirs as changing MTU will just cause
MORE
packet fragmentation where it isn't necessary, or causing more packets
with
less data. And if your MTU is correct, your traffic is minimal, and you
are
still having latency issues start a trace and find the routers your
traffic
is passing through.  Then test the MTU levels to each router to find out
which router is causing

RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing

2009-04-13 Thread Tim Dickson
Sounds like you are pulling at straws here - but try and find out what the
root of your problem is.  If your packets are fragmented, then yes this will
slow things down - but it could be totally irrelevant to your issue. 
If you bypass pfSense is everything fine? 
How do your traffic graphs look? (how many connections are you doing - check
the state table)

If it is in fact your MTU - check with your ISP on what your MTU should be,
you'll want to leave it matching theirs as changing MTU will just cause MORE
packet fragmentation where it isn't necessary, or causing more packets with
less data. And if your MTU is correct, your traffic is minimal, and you are
still having latency issues start a trace and find the routers your traffic
is passing through.  Then test the MTU levels to each router to find out
which router is causing your fragmentation.  You should then point your ISP
to that router. 

The random MTU guess isn't going to get you anywhere.  Just my 2cents
though...
-Tim

-Original Message-
From: Juan Rivera [mailto:jriv...@americancableco.com] 
Sent: Monday, April 13, 2009 11:12 AM
To: support@pfsense.com
Subject: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re:
[pfSense Support] website browsing

ok I've done that but still the internet slow the MTU is not at 1400 but
internet slow is there anything else that could be the problem 

-Original Message-
From: Gary Buckmaster [mailto:g...@centipedenetworks.com] 
Sent: Monday, April 13, 2009 1:28 PM
To: support@pfsense.com
Subject: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support]
website browsing

This is not the way to do this as the configuration will not survive 
reboots.  You can set the MTU on the interface configuration page for 
your WAN interface in the webGUI.  I would encourage you to check that 
out. 

Mikel Jimenez Fernandez wrote:
 Hi

 You have to reduce the MTU of interfaces

 ifconfig interface mtu 1380  for example

 Do it in LAN and WAN and tell me results

 Thanks

 Juan Rivera wrote:
 How did you reduce the MTU files? What is happening on my end is that
 when I download files it works perfectly fine but when I browse the
 internet it takes a while to show the page and sometimes we get PAGE CAN
 NOT BE DISPLAY. It's getting annoying now and getting a lot of complaints
 from users. Can you tell me how to reduce the MTU files? Thank you

 -Original Message-
 From: Mikel Jimenez Fernandez [mailto:mi...@irontec.com] Sent: 
 Monday, April 13, 2009 11:31 AM
 To: support@pfsense.com
 Subject: [SPAM] Re: [pfSense Support] website browsing

 Hello

 I have this issue and I solve it reducing the MTU values.

 Thanks

 Juan Rivera wrote:
  
 Hi I'm having trouble trying to browse some websites it loads really

 slow is there anything that can help us improve that?

 





RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing

2009-04-13 Thread Tim Dickson
It all depends on throughput levels - but yes, I can pretty much guarantee
it can handle it. (1990's hardware can handle 70 users with modest
throughput), but if you are curious - what are your specs?
I was more wondering if you had a couple machines with malware that may be
pegging out your connections state table, or some P2P users. 
Check your state table and make sure it isn't maxing out.  And make sure if
you have P2P users, that they aren't maxing out your bandwidth. 

Blank MTU in your config is fine - that means it will be at 1500 - which is
the standard on most connections (at least in the US).

You didn't answer if all was well when bypassing the pfSense box.  If it is,
then start segregating things.  Try it with JUST your machine - pfSense -
Modem, and see how that works... this is granting your box is malware free
:) - if in doubt, grab an Ubuntu LiveCD (or variant) and boot it up on your
machine to test.

Good luck!
-Tim


-Original Message-
From: Juan Rivera [mailto:jriv...@americancableco.com] 
Sent: Monday, April 13, 2009 12:57 PM
To: support@pfsense.com
Subject: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re:
[pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing

Yeah just called my ISP they are checking on the modem to see if there
is something wrong with it  as the MTU was blank before I made any
changes to it, now it got me thinking I have more than 70 computers
connecting to my free BSD you think it can't handle that many ?

-Original Message-
From: Tim Dickson [mailto:tdick...@calistogaranch.com] 
Sent: Monday, April 13, 2009 2:54 PM
To: support@pfsense.com
Subject: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support]
RE: [SPAM] Re: [pfSense Support] website browsing

Sounds like you are pulling at straws here - but try and find out what
the
root of your problem is.  If your packets are fragmented, then yes this
will
slow things down - but it could be totally irrelevant to your issue. 
If you bypass pfSense is everything fine? 
How do your traffic graphs look? (how many connections are you doing -
check
the state table)

If it is in fact your MTU - check with your ISP on what your MTU should
be,
you'll want to leave it matching theirs as changing MTU will just cause
MORE
packet fragmentation where it isn't necessary, or causing more packets
with
less data. And if your MTU is correct, your traffic is minimal, and you
are
still having latency issues start a trace and find the routers your
traffic
is passing through.  Then test the MTU levels to each router to find out
which router is causing your fragmentation.  You should then point your
ISP
to that router. 

The random MTU guess isn't going to get you anywhere.  Just my 2cents
though...
-Tim

-Original Message-
From: Juan Rivera [mailto:jriv...@americancableco.com] 
Sent: Monday, April 13, 2009 11:12 AM
To: support@pfsense.com
Subject: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM]
Re:
[pfSense Support] website browsing

ok I've done that but still the internet slow the MTU is not at 1400 but
internet slow is there anything else that could be the problem 

-Original Message-
From: Gary Buckmaster [mailto:g...@centipedenetworks.com] 
Sent: Monday, April 13, 2009 1:28 PM
To: support@pfsense.com
Subject: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support]
website browsing

This is not the way to do this as the configuration will not survive 
reboots.  You can set the MTU on the interface configuration page for 
your WAN interface in the webGUI.  I would encourage you to check that 
out. 

Mikel Jimenez Fernandez wrote:
 Hi

 You have to reduce the MTU of interfaces

 ifconfig interface mtu 1380  for example

 Do it in LAN and WAN and tell me results

 Thanks

 Juan Rivera wrote:
 How did you reduce the MTU files? What is happening on my end is that
 when I download files it works perfectly fine but when I browse the
 internet it takes a while to show the page and sometimes we get PAGE CAN
 NOT BE DISPLAY. It's getting annoying now and getting a lot of complaints
 from users. Can you tell me how to reduce the MTU files? Thank you

 -Original Message-
 From: Mikel Jimenez Fernandez [mailto:mi...@irontec.com] Sent: 
 Monday, April 13, 2009 11:31 AM
 To: support@pfsense.com
 Subject: [SPAM] Re: [pfSense Support] website browsing

 Hello

 I have this issue and I solve it reducing the MTU values.

 Thanks

 Juan Rivera wrote:
  
 Hi I'm having trouble trying to browse some websites it loads really

 slow is there anything that can help us improve that?

 



RE: [pfSense Support] Block LAN ip from communicating

2009-03-02 Thread Tim Dickson
Remember rules are top down... so make sure you don't have an allow rule
ahead of it.
-Tim



From: Abdulrehman [mailto:arvagabo...@gmail.com] 
Sent: Saturday, February 28, 2009 2:12 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Block LAN ip from communicating

Which version of pfSense are you using currently...? I have used 1.2.1 and
1.2.2. It's really simple and it worked fine for me

Regards
Abdulrehman
On Fri, Feb 27, 2009 at 11:43 PM, Chris Flugstad ch...@cascadelink.com
wrote:

This should be simple.  I tried adding firewall rules to block traffic from
that IP, but it didn't work.  Any help?
Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com 
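
The "rules are top down" advice in this thread, as an added example (not part of the original messages): a first-match evaluator plus a check that reports a block rule made useless by an allow rule above it. The Rule class, the function names and the 192.168.1.0/24 LAN are assumptions for illustration, and matching is on source address only, which is simpler than a real pfSense rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified rule: real rules also match protocol, destination and port."""
    action: str        # "pass" or "block"
    source: str        # single address, CIDR, or "any"
    description: str = ""

    @property
    def network(self):
        cidr = "0.0.0.0/0" if self.source == "any" else self.source
        return ipaddress.ip_network(cidr, strict=False)


def first_match(rules, src_ip, default="block"):
    """Walk the list top down and stop at the first rule whose source matches.

    Returns (action, index of the deciding rule), or (default, None) when
    nothing matches.
    """
    addr = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(rules):
        if addr in rule.network:
            return rule.action, index
    return default, None


def shadowed_rules(rules):
    """Find rules that can never decide a packet.

    A rule is shadowed when an earlier rule with the opposite action already
    covers its entire source range. Returns (shadowed_index, earlier_index) pairs.
    """
    findings = []
    for i, rule in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if earlier.action != rule.action and rule.network.subnet_of(earlier.network):
                findings.append((i, j))
                break
    return findings


# Constructed rulesets for a LAN tab; the host address is a sample value.
BLOCK_BELOW_ALLOW = [
    Rule("pass", "192.168.1.0/24", "Default allow LAN to any"),
    Rule("block", "192.168.1.147", "Block one LAN host"),
]
BLOCK_ON_TOP = [
    Rule("block", "192.168.1.147", "Block one LAN host"),
    Rule("pass", "192.168.1.0/24", "Default allow LAN to any"),
]

if __name__ == "__main__":
    for name, rules in (("block below allow", BLOCK_BELOW_ALLOW),
                        ("block on top", BLOCK_ON_TOP)):
        action, index = first_match(rules, "192.168.1.147")
        print(f"{name}: 192.168.1.147 -> {action} (rule {index}), "
              f"shadowed={shadowed_rules(rules)}")
```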






RE: [pfSense Support] Skype relaying

2008-12-02 Thread Tim Dickson
I'm assuming they mean to enable UPnP...
Not sure of all the security risks, but it does allow programs to designate
ports for their use.
Others on the list probably know more details about UPnP, you can always
reference:
http://en.wikipedia.org/wiki/UPnP

-Tim

-Original Message-
From: Joe Laffey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 02, 2008 5:11 PM
To: support@pfsense.com
Subject: [pfSense Support] Skype relaying

Is there a way to prevent Skype from relay connections using pfsense. The 
Skype tech page doesn't go into much detail... just that you want a p2p 
friendly firewall...


http://support.skype.com/index.php?_a=knowledgebase_j=questiondetails_i=127

If this can be permitted what are the security implications?


Thanks,
--
Joe Laffey|   Visual Effects for Film and Video
LAFFEY Computer Imaging   | -
St. Louis, MO |   Show Reel http://LAFFEY.tv/?e13010
USA   | -
. |-*- Digital Fusion Plugins -*-
--




RE: [pfSense Support] Can't connect to subaru.com on port 80

2008-10-01 Thread Tim Dickson
I had this same issue with fedex.com a while back
Adjusted mtu, did a fresh install, never could find a solution... one day it 
started working again.
(weird thing was half our clients could connect and half could not.)
-Tim

-Original Message-
From: Tim Nelson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 01, 2008 3:46 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Can't connect to subaru.com on port 80

It may be helpful to see your rulesets on your LAN and WAN interfaces... or 
paste the pertinent XML from your config file..

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105

- BSD Wiz [EMAIL PROTECTED] wrote:

 i'm connected via cable modem, mtu is set to 1500.
 
 thanks
 
 -phil
 
 
 
 On Oct 1, 2008, at 5:23 PM, Chris Buechler wrote:
 
  On Wed, Oct 1, 2008 at 6:18 PM, BSD Wiz [EMAIL PROTECTED] wrote:
 
  pfSense 1.2.1 RC1
 
  only add-on package installed is iperf.
 
  I have rules to allow allow traffic out on port 80 and 443. I have 
 
  also(just
  to be sure) allowed *ALL* traffic out from my static ip on my  
  macbook.
  Problem is I can't get to the site subaru.com.
  I don't see anything in the logs and I've never had a problem  
  getting to any
  other site.  If I telnet from the pfsense firewall to subaru.com  
  on port 80
  it get's connected. If i try that from my machine(laptop macbook) 
 
  it times
  out.
 
  am i missing something or what?
 
 
  We don't like Subaru.  ;)  kidding
 
  sounds like a MTU issue, try lowering your MTU on WAN if you have  
  PPPoE.
 
 



RE: [pfSense Support] ntop still not installing

2008-09-26 Thread Tim Dickson
Just my 2cents, but ntop is VERY unstable right now (and not maintained as
you can see)
I would avoid putting it on your box... instead run it on a separate box if
you want to use it.

I've never had it crash my pfSense box, but keeping it(ntop) running is a
whole nother story... you'll be lucky if you can keep it up for more than a
few minutes at a time.
-Tim

-Original Message-
From: JJB [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 26, 2008 1:15 PM
To: support@pfsense.com
Subject: [pfSense Support] ntop still not installing

There does not seem to be any stuck processes. Also, as I understand it 
the install process seems to use the local web browser to do the 
download and install, if you navigate away from the page the install 
will not complete. Other packages install just fine. Could there be a 
problem with wherever pfsense is downloading the package from? If the 
other packages complete the download and this one doesn't, I would 
imagine it might be related to the site it is being downloaded from. 
Anyone know where that is, and who to contact? On the packages page it 
says: Maintainer: Nobody. Apply mailto:[EMAIL PROTECTED] for it! 
Does that affect where it is hosted and who makes sure the download 
server is working?

Thanks

Joel




RE: [pfSense Support] PPTP server

2008-07-28 Thread Tim Dickson
Multiple incoming should already work… the issue is connecting multiple
internal devices to the same external pptp server.

1.2.1 is supposed to have addressed that issue too, so if that’s what you
meant then try it out. As written, it should already be working.
-Tim



From: Samer Chaer [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 8:13 AM
To: support@pfsense.com
Subject: [pfSense Support] PPTP server

Hi,
 
I am using pfSense 1.2 as a PPTP server. Do you suggest an upgrade to the 1.2.1
latest snapshot so multiple simultaneous PPTP incoming connections can
work?
 
thanks,
Sam.





RE: [pfSense Support] Re: PPTP and NAT

2008-07-22 Thread Tim Dickson
Yes ;)

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Ugo Bellavance
Sent: Tuesday, July 22, 2008 3:50 AM
To: support@pfsense.com
Subject: [pfSense Support] Re: PPTP and NAT

Chris Buechler wrote:
 Ugo Bellavance wrote:
 Hi,

 Is there a way to make it possible to have computers behind a 
 Natting pfsense to connect to a PPTP server on the net?  More than one 
 concurrent PPTP connection?
 

http://www.pfsense.org/index.php?option=com_contenttask=viewid=40Itemid=43
 
 PPTP and GRE Limitation - The state tracking code in pf for the GRE 
 protocol can only track a single session per public IP per external 
 server. This means if you use PPTP VPN connections, only one internal 
 machine can connect simultaneously to a PPTP server on the Internet. A 
 thousand machines can connect simultaneously to a thousand different 
 PPTP servers, but only one simultaneously to a single server. The only 
 available work around is to use multiple public IPs on your firewall, 
 one per client, or to use multiple public IPs on the external PPTP 
 server. This is not a problem with other types of VPN connections. A 
 solution for this is currently under development. 

Ok, will a 1-to-1 NAT work?

Regards,
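
The GRE limitation quoted in this message, as an added example (not part of the original thread and not pf's code): a small model of a NAT state table in which TCP states are keyed with ports but GRE states are keyed only by public IP and server IP. The NatGateway class and all addresses are constructed assumptions; it shows the second client behind a shared public IP losing its GRE state, and a per-client 1-to-1 NAT mapping avoiding the collision.

```python
import itertools


class NatGateway:
    """Simplified model of the behaviour described in the quoted limitation."""

    def __init__(self, default_public_ip, one_to_one=None):
        self.default_public_ip = default_public_ip
        self.one_to_one = dict(one_to_one or {})   # internal IP -> dedicated public IP
        self.states = {}                           # state key -> owning internal IP
        self._ports = itertools.count(50000)       # translated TCP source ports (model only)

    def public_ip_for(self, internal_ip):
        return self.one_to_one.get(internal_ip, self.default_public_ip)

    def _add_state(self, key, internal_ip):
        owner = self.states.get(key)
        if owner is not None and owner != internal_ip:
            return False           # key already belongs to another internal host
        self.states[key] = internal_ip
        return True

    def connect_pptp(self, internal_ip, server_ip):
        """Open the TCP/1723 control channel and the GRE data channel of one PPTP session."""
        public_ip = self.public_ip_for(internal_ip)
        # TCP carries ports, so every client gets a distinct state key.
        control_key = ("tcp", public_ip, next(self._ports), server_ip, 1723)
        # GRE has no ports: one key per (public IP, external server).
        gre_key = ("gre", public_ip, server_ip)
        control_ok = self._add_state(control_key, internal_ip)
        gre_ok = self._add_state(gre_key, internal_ip)
        return {"public_ip": public_ip, "control": control_ok,
                "gre": gre_ok, "usable": control_ok and gre_ok}


# Constructed addresses (documentation ranges for the public side).
CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"
SERVER_1, SERVER_2 = "198.51.100.1", "198.51.100.2"


def shared_public_ip():
    """Both clients are NATed to the same public IP."""
    gw = NatGateway("203.0.113.1")
    return [gw.connect_pptp(CLIENT_A, SERVER_1),
            gw.connect_pptp(CLIENT_B, SERVER_1),   # same server: GRE key collides
            gw.connect_pptp(CLIENT_B, SERVER_2)]   # different server: works


def one_public_ip_per_client():
    """The workaround from the quoted text: one public IP per client (1-to-1 NAT)."""
    gw = NatGateway("203.0.113.1", one_to_one={CLIENT_B: "203.0.113.2"})
    return [gw.connect_pptp(CLIENT_A, SERVER_1),
            gw.connect_pptp(CLIENT_B, SERVER_1)]


if __name__ == "__main__":
    for label, results in (("shared public IP", shared_public_ip()),
                           ("1-to-1 NAT for client B", one_public_ip_per_client())):
        print(label)
        for r in results:
            print("  ", r)
```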





RE: [pfSense Support] DNS cache poisoning

2008-07-21 Thread Tim Dickson
Tested using those tests, out of curiosity - and we passed with flying
colors.
Could it be your ISPs DNS that is bad? (that pfSense is relaying?) and not
pfSense directly?
-Tim

-Original Message-
From: Beat Siegenthaler [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 1:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] DNS cache poisoning

Chris Buechler wrote:

 No, pf has randomized source ports on all NATed TCP and UDP traffic for 
 8 years. I was surprised to find out that's the exception rather than 
 the norm. Cisco, Checkpoint, amongst numerous others apparently do not 
 randomize source ports on NATed traffic.
 

I am not enthusiastic about this:

Same Server behind pfSense and dd-wrt does differ slightly:
The server runs patched [EMAIL PROTECTED]


pfSense:

[EMAIL PROTECTED]:~] # dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
IP is POOR: 26 queries in 4.7 seconds from 26 ports with std dev 8.47

dd-wrt:

[EMAIL PROTECTED]:~] # dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
IP is GOOD: 26 queries in 4.6 seconds from 26 ports with std dev 17271.44

Source: https://www.dns-oarc.net/

Also the web-based test is very interesting:

pfsense:
source-port randomness=poor   (deviation 17)
transaction id randomness=great   (deviation 19030)

dd-wrt:
source-port randomness=great   (deviation 21110)
transaction id randomness=great   (deviation 17122)


Other Test @ www.doxpara.com :

Your name server, at x.y.z.y, may be safe, but the NAT/Firewall in front 
of it appears to be interfering with its port selection policy. The 
difference between largest port and smallest port was only 5.

Please talk to your firewall or gateway vendor -- all are working on 
patches, mitigations, and workarounds.
Requests seen for e85e29497dea.toorrr.com:
x.y.z.y:11970 TXID=47044
x.y.z.y:11971 TXID=62299
x.y.z.y:11972 TXID=65287
x.y.z.y:11973 TXID=13892
x.y.z.y:11975 TXID=50242


Not really a problem for me, but some may have ;-)
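
The port-spread reasoning behind the test results quoted above, as an added example (not part of the original thread): it parses the five doxpara.com lines from this message and measures how predictable the source ports and transaction IDs are. The function names, the "small step" test and the 1000 cut-off are assumptions made for this illustration, not the thresholds the test sites use.

```python
import statistics

# Copied from the doxpara.com output quoted in this message; the resolver
# address is already masked as x.y.z.y in the original.
SAMPLE_LINES = """\
x.y.z.y:11970 TXID=47044
x.y.z.y:11971 TXID=62299
x.y.z.y:11972 TXID=65287
x.y.z.y:11973 TXID=13892
x.y.z.y:11975 TXID=50242
"""

MIN_STDDEV = 1000.0   # assumed cut-off for this illustration only
SMALL_STEP = 16       # assumed: a delta of 1..16 counts as "next port in sequence"


def parse_queries(text):
    """Return [(source_port, txid), ...] from 'addr:port TXID=n' lines."""
    queries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        endpoint, sep, txid = line.partition(" TXID=")
        if not sep:
            raise ValueError(f"unrecognised line: {line!r}")
        port = endpoint.rpartition(":")[2]
        queries.append((int(port), int(txid)))
    return queries


def assess(values, min_stddev=MIN_STDDEV, small_step=SMALL_STEP):
    """Summarise how guessable a sequence of 16-bit values is.

    spread      -- largest minus smallest value seen
    stddev      -- population standard deviation
    incremental -- share of consecutive steps that are small and positive,
                   which is what a counter-style allocator produces
    """
    if not values:
        raise ValueError("no values to assess")
    deltas = [b - a for a, b in zip(values, values[1:])]
    incremental = (sum(1 for d in deltas if 0 < d <= small_step) / len(deltas)
                   if deltas else 0.0)
    stddev = statistics.pstdev(values)
    predictable = stddev < min_stddev or incremental >= 0.8
    return {"spread": max(values) - min(values),
            "stddev": stddev,
            "incremental": incremental,
            "verdict": "predictable" if predictable else "ok"}


def assess_sample(text=SAMPLE_LINES):
    """Assess source ports and transaction IDs separately."""
    queries = parse_queries(text)
    return {"source_port": assess([port for port, _ in queries]),
            "txid": assess([txid for _, txid in queries])}


if __name__ == "__main__":
    for field, result in assess_sample().items():
        print(f"{field:12s} spread={result['spread']:6d} "
              f"stddev={result['stddev']:10.2f} "
              f"incremental={result['incremental']:.2f} -> {result['verdict']}")
```

On the quoted sample the source ports span only 5 values and climb in order, while the transaction IDs are spread widely, which matches the "poor" source-port and "great" transaction-ID ratings reported in the message.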





RE: [pfSense Support] Re: PPTP and NAT

2008-07-21 Thread Tim Dickson
Find another method, or set up an outside IP for every client.
-Tim

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Ugo Bellavance
Sent: Monday, July 21, 2008 3:43 PM
To: support@pfsense.com
Subject: [pfSense Support] Re: PPTP and NAT

Ugo Bellavance wrote:
 Hi,
 
 Is there a way to make it possible to have computers behind a 
 Natting pfsense to connect to a PPTP server on the net?  More than one 
 concurrent PPTP connection?

I forgot to add that we're using PPTP to connect remotely.  We could 
probably find another way to connect if we would need to make outgoing 
PPTP work.

Regards,

Ugo





RE: [pfSense Support] Tracking a specific user

2008-07-14 Thread Tim Dickson
 Ntop can be useful.

If you can keep it running ;)... I recommend throwing it on another machine
though
I've had a world of trouble keeping the service up in pfSense
-Tim


-Original Message-
From: Richard Sperry [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 14, 2008 2:06 PM
To: support@pfsense.com
Cc: [EMAIL PROTECTED]
Subject: RE: [pfSense Support] Tracking a specific user

Ntop can be useful.


Richard Sperry
Director of Operations
WrinkleBrain, Inc.




-Original Message-
From: Joshua Galvez [mailto:[EMAIL PROTECTED]
Sent: Monday, July 14, 2008 10:03 AM
To: support@pfsense.com
Subject: [pfSense Support] Tracking a specific user

I'm managing a firewall on DSL connection, and every so often I see
something like this where I'm almost certain one user is downloading and
maxing out the connection, this happens sometimes with downloads, and
sometimes with uploads.

How can I go about identifying what this traffic is, and who is the source?
reference the RRD graph below.

-Josh






RE: [pfSense Support] Trying to rebrand pfsense

2008-07-09 Thread Tim Dickson
Are you just trying to change the “look” of pfsense?
If so you can do this in the current build with themes.
You’ll want to SFTP over to the server and browse to
/usr/local/www/themes
(your SFTP login is root - your password is the password you set in the
GUI )

Just download one of the existing themes and then upload your changes under
a new folder.
You can switch the theme in your SYSTEM – GENERAL SETUP

You can then Brand it for the property you are working for.  I may be
totally off on what you were looking for, but thought I'd pass the info on
anyways - maybe someone else here would need it ;)

-Tim

--
From: Ahmed Abdallah [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 09, 2008 12:54 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Trying to rebrand pfsense

Ok guys, thanks so much for your help so far. And I'm doing that for the
company I work in now, but anyway, Why don't you guys start talking about
having authorized partners and resellers if so, I guess my company can be
your first reseller :)  
On Wed, Jul 9, 2008 at 6:32 PM, Chris Buechler [EMAIL PROTECTED] wrote:

I would be extremely surprised if you had access to git. 
Yeah, unless you're an existing committer, you have no access to git just
yet. It's firewalled off from the world until it's less of a test case and
more production ready.


Not so shockingly, there also won't be many too keen on providing free help
with the creation of something you're going to sell (a rebranded version)
unless you've contributed extensively in the past, so I wouldn't expect much
aside from the basic guidance you've gotten to date. If you need in depth
build support, contact Scott ([EMAIL PROTECTED]) and you can get it, for a
fee.






-- 
Ahmed Abdalla



RE: [pfSense Support] portforward

2008-05-30 Thread Tim Dickson
A drawing would make things easier:

But if you set your portforward up, you'll also have to setup rules. 
I'm assuming that when you say on DMZ that your apache server is on a
separate interface called DMZ? 

If so you'll want to add rules in your LAN interface to allow it access to
your DMZ 
WAN rules will automatically be created if you leave the check mark checked
when you create the port forward, but be sure your LAN rules are set as well
:)
-Tim



-

From: Peter Todorov [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 30, 2008 9:31 AM
To: support@pfsense.com
Subject: [pfSense Support] portforward

Hello can somebody help me with port forward with pfsense. I enable port
forward for wan and computers from internet (external) can access my apache
server on DMZ, but I cannot access my apache server from LAN. 

-- 
Honesty is not a vice





RE: [pfSense Support] CP Issue

2008-04-29 Thread Tim Dickson
Well I don't have squid running on the interface in question.
Squid is running on LAN and I want CP on LAN2.. does that make a difference?

Quick Drawing

WAN   DSL   DSL2
 |     |     |
    PFSENSE
 |           |
Squid        CP
 |           |
LAN         LAN2
 |           |
Default     Load Balancing?

-Tim

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 28, 2008 6:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Mon, Apr 28, 2008 at 12:48 PM, Tim Dickson
[EMAIL PROTECTED] wrote:
 I did state Squid was in there ;)
  ... I have squid setup with defaults (non transparent) on LAN ONLY I
  have lightsquid installed for reporting

  So, anything else to try? I'm willing to help the cause if you have any
  ideas...


Squid can only use the primary WAN at this time (services on localhost
strictly obey the system routing table), so it won't load balance
regardless. Though route-to rules should bypass Squid and let you load
balance, they also bypass CP. Aside from manually hacking the pf and
ipfw rules to figure out what's really going on with ipfw and pf
route-to rules, I don't have any suggestions at this point. It is
something I'm going to look into eventually.




RE: [pfSense Support] CP Issue

2008-04-29 Thread Tim Dickson
Thanks Chris and Team


-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 29, 2008 4:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Tue, Apr 29, 2008 at 7:04 PM, Tim Dickson
[EMAIL PROTECTED] wrote:
 Well I don't have squid running on the interface in question.
  Squid is running on LAN and I want CP on LAN2.. does that make a difference?

No, Squid really isn't relevant here, it's the route-to rules and
their interaction (or lack thereof) with ipfw.




RE: [pfSense Support] CP Issue

2008-04-28 Thread Tim Dickson
I did state Squid was in there ;) 
... I have squid setup with defaults (non transparent) on LAN ONLY I
have lightsquid installed for reporting

So, anything else to try? I'm willing to help the cause if you have any
ideas...  

-Tim

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 27, 2008 1:47 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Sat, Apr 26, 2008 at 3:51 AM, Tim Dickson
[EMAIL PROTECTED] wrote:
 Setting up the Rule to put traffic to the interface address out the default
  gateway did not work

  Setting the gateway to JUST the second WAN (non-loadbalance) failed

  Setting the gateway to DEFAULT worked...  (With Squid running)
[snip]

Squid is not compatible with CP.  This would have been helpful if you
told this up front :)

Scott




RE: [pfSense Support] CP Issue

2008-04-25 Thread Tim Dickson
Setting up the Rule to put traffic to the interface address out the default
gateway did not work

Setting the gateway to JUST the second WAN (non-loadbalance) failed

Setting the gateway to DEFAULT worked...  (With Squid running)

Any more ideas? I'd love to keep Load-Balancing!
(or is this another area where local services must always use the default
route?)
Thanks!
-Tim

PS... sorry about the html, the thread was plaintext until I responded to
your email which was html so it carried over, and I forgot to reset :(

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 24, 2008 10:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On 4/24/08, Tim Dickson [EMAIL PROTECTED] wrote:




 (I'll be back on site tomorrow and will test)

 So it would be on the GUEST LAN:

 Proto: TCP
 Source: GuestLan
 Destination: Interface Address ports 8000 and 8001
 Gateway: Default

 Or are you saying SOURCE should be the Interface address and port?

 I'll test this tomorrow and post back
 thanks!

Set the source to any, the interface would be the captive portal
interface.   Gateway default.   Looks good.

Scott
PS: please do not send html emails to public lists.




RE: [pfSense Support] CP Issue

2008-04-24 Thread Tim Dickson
Ah, so I was wondering about that 
So do I have to send it out default?
Or can I pick, say - DSL2?



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris
Buechler
Sent: Wednesday, April 23, 2008 6:09 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Wed, Apr 23, 2008 at 8:24 PM, Tim Dickson
[EMAIL PROTECTED] wrote:
 Finally deploying captive portal at one of our new sites. But am coming
  across a redirect issue I'm hoping you can shed some light on.

  BACKGROUND:
  I have 3 Wans setup - WAN, DSL, DSL2
  I have 3 Lans setup - LAN, GUEST, PHONE

  I have load balancing setup with DSL + DSL2 for the GUEST WAN
  I have Failover setup with WAN - DSL - DSL2 for the LAN

  I have squid setup with defaults (non transparent) on LAN ONLY
  I have lightsquid installed for reporting

  ISSUE:

  Clients accessing on the GUEST interface are bypassing the Captive Portal
  for the redirect ports.  PORT 80,443
  They are not able to access non-redirect ports (such as 25 etc) because of
  course they have not authenticated.


Multi-WAN and CP have interoperability issues because any rule
specifying a load balancing/failover pool or gateway will bypass CP.
There may be a work around, there is a ticket open but I haven't had
time to look into it yet.




RE: [pfSense Support] CP Issue

2008-04-24 Thread Tim Dickson
(I'll be back on site tomorrow and will test)

So it would be on the GUEST LAN:

Proto: TCP
Source: GuestLan
Destination: Interface Address ports 8000 and 8001
Gateway: Default

Or are you saying SOURCE should be the Interface address and port?

I'll test this tomorrow and post back
thanks!

-Tim

 

From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 24, 2008 9:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

 

 

On 4/24/08, Tim Dickson [EMAIL PROTECTED] wrote:

Ah, so I was wondering about that
So do I have to send it out default?
Or can I pick, say - DSL2?

You can add a rule forcing CP only out the default gateway prior to any load
balancing rules which might fix this.  Please try this and if it works we'll
add these behind the scenes.

I believe the ports used for CP are 8000 and 8001.

Scott


 



[pfSense Support] CP Issue

2008-04-23 Thread Tim Dickson
Finally deploying captive portal at one of our new sites. But am coming
across a redirect issue I'm hoping you can shed some light on.

BACKGROUND:
I have 3 Wans setup - WAN, DSL, DSL2
I have 3 Lans setup - LAN, GUEST, PHONE

I have load balancing setup with DSL + DSL2 for the GUEST WAN
I have Failover setup with WAN - DSL - DSL2 for the LAN

I have squid setup with defaults (non transparent) on LAN ONLY
I have lightsquid installed for reporting

ISSUE:

Clients accessing on the GUEST interface are bypassing the Captive Portal
for the redirect ports.  PORT 80,443
They are not able to access non-redirect ports (such as 25 etc) because of
course they have not authenticated.

Now if I manually go to the interface address for the GUEST LAN on port 80 -
I can get the login page, and if I authenticate all is enabled correctly.
(they can access 25 etc)

Where do I go from here to find out why it's not redirecting correctly? I'm
stumped :(

I read transparent proxy doesn't work, so I've disabled that.  (plus Squid
is set to only run on LAN)
Am I just SOL with having squid and CP?  People on the forums seem to have
gotten it working by turning off transparent mode, but I can't seem to
figure it out.

-Tim





RE: [pfSense Support] Multimple WAN ftp server thing.

2008-04-11 Thread Tim Dickson
Personally I have number 4 setup...
It took several days of playing, and to be honest I'm not sure what all was
the reason it finally worked.

But I have this setup:
WAN: Disable the userland FTP-Proxy application CHECKED
WAN2: Disable the userland FTP-Proxy application CHECKED
WAN3: Disable the userland FTP-Proxy application CHECKED
LAN: Disable the userland FTP-Proxy application UNCHECKED
LAN2: Disable the userland FTP-Proxy application UNCHECKED

I also have a loopback rule set on the LAN and LAN2 (read it somewhere on
the forum... and it actually worked)

LAN(s) RULE - 
PROTO:TCP 
SOURCE:ANY 
PORT:ANY 
DESTINATION:127.0.0.1/31 
PORT: 8000-8030 
GATEWAY:DEFAULT

Good luck! And hopefully it works for you!


-Original Message-
From: David Cavanaugh [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 11, 2008 10:06 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Multimple WAN ftp server thing.


O I C.

So, I read what I could find, and I could use some clearing up:

Choose one of the following:
1) FTP incoming or outgoing is impossible with Multi-WAN on either WAN
interface
2) FTP is impossible on Multi-WAN incoming, but possible outgoing only
through WAN1
3) FTP is impossible on Multi-WAN incoming, but possible outgoing through
either WAN (the lb gateway)
4) FTP is possible on Multi-WAN incoming and outgoing only through WAN1
5) FTP is possible on Multi-WAN incoming only through WAN1 and outgoing
through either WAN (the lb gateway)

Thanks,

Dave

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 10, 2008 5:09 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multimple WAN ftp server thing.

On 4/10/08, David Cavanaugh [EMAIL PROTECTED] wrote:
 Hello all and greetings:

  We've recently switched to pfsense to, among other things, take advantage of
  the multiple WAN feature.

  So, we have two interfaces defined thusly:

  <wan>
     <if>em0</if>
     <mtu/>
     <blockpriv/>
     <media/>
     <mediaopt/>
     <bandwidth>100</bandwidth>
     <bandwidthtype>Mb</bandwidthtype>
     <spoofmac/>
     <disableftpproxy/>
     <ipaddr>74.x.x.4</ipaddr>
     <subnet>29</subnet>
     <gateway>74.x.x.3</gateway>
  </wan>
  <opt1>
     <if>sis0</if>
     <descr>WAN2</descr>
     <bridge/>
     <enable/>
     <ipaddr>170.x.x.2</ipaddr>
     <subnet>30</subnet>
     <gateway>170.x.x.1</gateway>
     <spoofmac/>
     <mtu/>
  </opt1>

  WAN(WAN) is a T1. OPT1(WAN2) is a DSL.

  We created a LoadBalance Gateway with WAN and WAN2, as follows:
  <lbpool>
     <type>gateway</type>
     <behaviour>failover</behaviour>
     <monitorip/>
     <name>LANLoadBalance</name>
     <desc>Load Balance LAN</desc>
     <port/>
     <servers>wan|208.67.217.132</servers>
     <servers>opt1|208.67.217.132</servers>
     <monitor/>
  </lbpool>

  We have users in the field trying to access an FTP server on the LAN via the
  OPT1(WAN2) IP address. Without me going any further, is such a thing
  feasible?

  Thanks,

  Dave





FTP is not supported on multi-wan.  This question comes up every
couple months.  Search the archives / forum for more information.

Scott




RE: [pfSense Support] ICMP not Replying on Virtual IPs

2008-03-31 Thread Tim Dickson
What kind of NAT are you using?

If it is port forward you'll have to forward the packets as well as adding
the rule to your Wan ruleset

If it is 1:1 it should work for you as long as they respond correctly within
your network

-tim

 

From: Ron Lemon [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2008 12:06 PM
To: support@pfsense.com
Subject: [pfSense Support] ICMP not Replying on Virtual IPs

 

 

I have setup a rule to allow all ICMP types from any source any port to any
destination on any port via any gateway. 

If I ping my WAN IP it responds correctly. 

 

My WAN link also has 6 Virtual Ips of type other configured.  I can access
the resources via NAT that are on these virtual Ips but when I ping one of
them I never get a response.  What else do I need to do to get the virtual
Ips to respond to ICMP requests.

 

Thanks 

Ron. 



RE: [pfSense Support] DMZ

2008-03-04 Thread Tim Dickson
They are all the firewall itself, yes.

But they are all different interfaces - keep that in mind when you get to
your rules.

 

Pfsense processes rules as they enter the interface, so once you are in
you can go anywhere

-Tim

 

From: Anil Garg [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 04, 2008 4:37 PM
To: support@pfsense.com
Subject: [pfSense Support] DMZ

 

Progressing to DMZ with pfsense.

Say we have a WAN with 203.xxx.xxx.201 (IP provided by the IS)
Gateway is 203.xxx.xxx.001
DNS1 is 203.xxx.xxx.002
DNS2 is 203.xxx.xxx.003


LAN is 192.168.1.1/24  with NO DHCP
Not bridged to any interface

One server is configured as 192.168.1.10/32 
Gateway 192.168.1.1
DNS 192.168.1.1

DMZ is 192.168.100.1/24  with NO DHCP
Not bridged to any interface

One DMZ server is configured as 192.168.100.10/32 
Gateway 192.168.100.1  ===  Is this correct?
DNS 192.168.100.1  ===  Is this correct?

Am I right in assuming that after the firewall rules are applied

203.xxx.xxx.201   and
192.168.1.1  and
192.168.100.1   
are all same address of the firewall itself

Sorry if this is stupid question.

Best
Anil Garg



RE: [pfSense Support] Basic question

2008-02-04 Thread Tim Dickson
As a general rule you want to block all and then allow the services you
want.
This way you aren't left with any "oops forgot to block that one" mistakes.
But really, it's your firewall and you can manage it how you see fit!
-Tim

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Ugo Bellavance
Sent: Saturday, February 02, 2008 7:41 PM
To: support@pfsense.com
Subject: [pfSense Support] Basic question

Hi,

I was wondering if that is possible.  I have 6 zones on my pfsense. 
One WAN, 4 'LANs' and PPTP.  Is it possible, with just one rule, to say 
'this zone can only access the internet'?  Or should I do one rule 
allowing everything, and a set of rules denying all traffic to/from the 
other subnets?

Regards,

Ugo Bellavance
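The two approaches discussed in this message, one allow rule over a default deny versus allow-everything plus a block rule per subnet, can be compared in a small model of first-match rules on the zone's interface. This is an added example, not pfSense code or anything posted in the thread; the zone subnets, the private-address list used as the negated destination, and all names are constructed assumptions.

```python
"""First-match rule evaluation on one interface, with an implicit default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the internal zones (not taken from the thread).
ZONES = {
    "LAN1": ip_network("192.168.10.0/24"),
    "LAN2": ip_network("192.168.20.0/24"),
    "LAN3": ip_network("192.168.30.0/24"),
    "LAN4": ip_network("192.168.40.0/24"),
    "PPTP": ip_network("192.168.50.0/24"),
}
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
ANYWHERE = (ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    dst: tuple             # destination networks
    negate: bool = False   # True: match destinations outside every network in dst

    def matches(self, dst_ip):
        inside = any(dst_ip in net for net in self.dst)
        return inside != self.negate


def evaluate(rules, dst):
    """Return the action of the first matching rule; no match means block."""
    dst_ip = ip_address(dst)
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action
    return "block"


def allow_internet_only():
    """One pass rule: any destination that is not private address space."""
    return [Rule("pass", RFC1918, negate=True)]


def block_listed_then_allow(zones, own_zone, forgotten=()):
    """Block each other zone by name, then pass everything else."""
    rules = [Rule("block", (net,)) for name, net in zones.items()
             if name != own_zone and name not in forgotten]
    rules.append(Rule("pass", ANYWHERE))
    return rules


def reachable_zones(rules, zones, own_zone):
    """Other zones a client behind these rules can still open connections to."""
    return sorted(name for name, net in zones.items()
                  if name != own_zone
                  and evaluate(rules, net.network_address + 10) == "pass")


if __name__ == "__main__":
    later = dict(ZONES, DMZ=ip_network("10.9.0.0/24"))  # zone added after the rules
    cases = {
        "allow-list": allow_internet_only(),
        "block-list, complete": block_listed_then_allow(ZONES, "LAN4"),
        "block-list, PPTP forgotten": block_listed_then_allow(ZONES, "LAN4", ("PPTP",)),
    }
    for label, rules in cases.items():
        print(label, "| internet:", evaluate(rules, "203.0.113.10"),
              "| reachable now:", reachable_zones(rules, ZONES, "LAN4"),
              "| after DMZ added:", reachable_zones(rules, later, "LAN4"))
```

The block-list only stays correct while every subnet is listed; a forgotten zone or one added later is passed by the final allow rule, while the single allow rule keeps denying it.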





RE: [pfSense Support] user interface bug with minimum font size set

2008-01-04 Thread Tim Dickson
Why don't you guys use a different theme? Or customize your own?
Just curious...
I find the pfsense theme to be the easiest to jump around in - so I
customize that one with company logos...
But at any rate for those with small screens pfsense will definitely help you
out.
-Tim

-Original Message-
From: Robert Goley [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 2:04 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] user interface bug with minimum font size set

I have had this issue also.  The quickest fix is to use the CTRL + or CTRL -
keys to change the font temporarily.  This way you don't have to deal with a
smaller size font all the time.

Robert

On Friday 04 January 2008 11:01, Chris Buechler wrote:
 Paul M wrote:
  is this a known feature/bug?
 
  using firefox on linux and setting minimum font size to 13, and the
  metallic theme on pfsense 1.2RC3, I find that the diagnostics tab
  wraps off the end and appears under the system tab, and then you can't
  access anything under the system tab any more.
 
  this confused me greatly until I stumbled across the reason just now -
  my laptop (whose small hires display) first exhibited the problem and I
  didn't realise the connection between my installing extra fonts and
  tweaking the minimum size.

 That's been known for a while. IIRC there isn't any easy fix, or at
 least it hasn't been a priority, so the stock reply is "don't do that." :)

 If you know of a fix, patches are welcome.





RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Tim Dickson
What are the rules you are using on the WAN for traffic.

Keep in mind when you are defining the destination address it should be the
PRIVATE IP not the PUBLIC one

If you are getting the correct address on whatismyip then the NAT mapping is
fine. it is firewall rules that are messing you up.

-Tim

 

From: Ryan Rodrigue [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 10:27 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

 

I have it setup as Proxy ARP

 

I went to 1:1 NAT and firewall rules and specified the 73 and 72 as two
separate entries using the /32 subnet mask

 

on the WAN interface it is setup as x.x.x.74  /29

 

I setup a wan rule to allow anything with the destination 192.168.1.10 and
same for 192.168.1.100

 

I can still not get anything to work.  I am getting the correct IP address
if I go to whatismyip.com, but when I try to hit the webserver IP from my
phone (separate network altogether)  it doesn't work.  I thought this was
going to be fairly simple. lol

-Original Message-
From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:00 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to use
1:1 NAT, go ahead and do so for that specific IP address, then under the
firewall rules add in a rule to match the traffic you would like to permit.
It should be that simple.  Additionally, the IP's 73 and 72 are within your
given range correct?  Are you using the correct subnet mask? 

Curtis 



RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Tim Dickson
And in your firewall logs do you have show blocked by default rule?

If so check the logs and see if you can find anything stopping it.

 

Also check out your states you can watch active connections by throwing
192.168.1.10 in your filter.

If you see connections coming through on those states it may be a
misconfiguration on the server itself.

-Tim

 

From: Ryan Rodrigue [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 11:05 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

 

Sorry.  I forgot to let you know.  I do have the correct IP address assigned
by my isp.  To answer your other question,  the 

wan rule is pass protocol:any port:any source:any  destination:192.168.1.10
gateway:default

this rule is at the top of the list. (first processed)

I figured I'd go for simple and then block what I don't need after.

-Original Message-
From: Tim Dickson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:19 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

What are the rules you are using on the WAN for traffic.

Keep in mind when you are defining the destination address it should be the
PRIVATE IP not the PUBLIC one

If you are getting the correct address on whatismyip then the NAT mapping is
fine. it is firewall rules that are messing you up.

-Tim

 

From: Ryan Rodrigue [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 10:27 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

 

I have it setup as Proxy ARP

 

I went to 1:1 NAT and firewall rules and specified the 73 and 72 as two
separate entries using the /32 subnet mask

 

on the WAN interface it is setup as x.x.x.74  /29

 

I setup a wan rule to allow anything with the destination 192.168.1.10 and
same for 192.168.1.100

 

I can still not get anything to work.  I am getting the correct IP address
if I go to whatismyip.com, but when I try to hit the webserver IP from my
phone (separate network altogether)  it doesn't work.  I thought this was
going to be fairly simple. lol

-Original Message-
From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:00 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to use
1:1 NAT, go ahead and do so for that specific IP address, then under the
firewall rules add in a rule to match the traffic you would like to permit.
It should be that simple.  Additionally, the IP's 73 and 72 are within your
given range correct?  Are you using the correct subnet mask? 

Curtis 






RE: [pfSense Support] Setting up on Soekris NET5501-70 with all features

2007-12-19 Thread Tim Dickson
Embedded images running on compact flash are not designed for the kinds of page 
writes that would be involved with most packages.
This is to make the system as stable as possible.
Once SSD becomes a standard I'm sure they'll take a look at that, but for now - 
the stability wouldn't be there.

As for your install get it up and running on another machine (doesn't matter 
about the interfaces - just get the LAN setup so you can turn on the console)
Then when you swap the drive over it will detect the new interfaces upon boot 
and you can reassign them.
I've done this several times - and it isn't as difficult as you seem to be 
thinking it is.
-Tim

-Original Message-
From: Chris Bagnall [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 19, 2007 12:14 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
features

 the embedded install image has a disk image for putting it on compact flash, 
 but
 that won't let you install any packages once up and running.

Perhaps the answer might be to modify that behaviour so that packages can be 
installed onto systems built using the embedded images? Surely that'd resolve 
the issue the OP was trying to work around?

Regards,

Chris
-- 
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons







RE: [pfSense Support] Setting up on Soekris NET5501-70 with all features

2007-12-19 Thread Tim Dickson
Yes that would be fine.
All you need is to setup the LAN with an IP so you can get in and turn on the 
console.
Then when you pull it up via serial on the new device choose assign interfaces 
and set it up with the new interfaces.
Btw... "- and it isn't as difficult as you seem to be thinking it is" was 
supposed to be encouraging, re-reading it I can see it coming off as a bash - 
so sorry if it did come across that way.
-Tim

-Original Message-
From: Christopher Iarocci [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 19, 2007 12:34 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
features

Tim,

I'm not thinking it's difficult.  I'm used to m0n0wall where you must have 2 
interfaces.  Also, the drive I am using is a SATA drive.  The only machine I 
have with a SATA interface is a laptop.  Could I use a laptop to set this up 
with a single interface?  If the answer is yes, then I can do it simply enough. 
 If the answer is no, then I'm stuck with not having the hardware to do it in 
the manner suggested.

Chris

-Original Message-
From: Tim Dickson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 19, 2007 3:28 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
features

Embedded images running on compact flash are not designed for the kinds of page 
writes that would be involved with most packages.
This is to make the system as stable as possible.
Once SSD becomes a standard I'm sure they'll take a look at that, but for now - 
the stability wouldn't be there.

As for your install get it up and running on another machine (doesn't matter 
about the interfaces - just get the LAN setup so you can turn on the console) 
Then when you swap the drive over it will detect the new interfaces upon boot 
and you can reassign them.
I've done this several times - and it isn't as difficult as you seem to be 
thinking it is.
-Tim



-Original Message-
From: Chris Bagnall [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 19, 2007 12:14 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
features

 the embedded install image has a disk image for putting it on compact 
 flash, but that won't let you install any packages once up and running.

Perhaps the answer might be to modify that behaviour so that packages can be 
installed onto systems built using the embedded images? Surely that'd resolve 
the issue the OP was trying to work around?

Regards,

Chris
--
C.M. Bagnall, Director, Minotaur I.T. Limited For full contact details visit 
http://www.minotaur.it This email is made from 100% recycled electrons







RE: [pfSense Support] Setting up on Soekris NET5501-70 with all features

2007-12-19 Thread Tim Dickson
It's been about 6 months since I did it last... but did you try and add vlans 
for the WAN?

-Original Message-
From: Christopher Iarocci [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 19, 2007 4:57 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
features

Tim,

I appreciate the help.  I didn't think you were bashing.

Anyway, I ran the liveCD on my laptop, and as I suspected it complains that I 
do not have 2 working interfaces and will not go any further (it also doesn't 
recognize my NIC card in the machine).  So, I'm stuck needing an image with the 
serial port on, or needing instructions on how to do it myself (I do not have 
the hardware needed to install it, configure it, and then move the hard drive). 
 Can anyone help me???  I really want to use pfsense for this project, but 
right now I'm stuck without some guidance.  

The live CD does allow for shell access.  I'm wondering if I can somehow do it 
through there or if I need to decompress the ISO and modify the loader.  The 
other question I have is, once I know how to modify the files needed, what 
exactly do I put in them, and where?

Thanks.

Chris

P.S. Couldn't an image be made for this purpose?  I didn't think I was doing 
anything out of the ordinary putting a hard disk in a Net5501.  It is quite a 
robust little machine and certainly can handle the full version.

  support@pfsense.com wrote:

 Yes that would be fine.
 All you need is to setup the LAN with an IP so you can get in and turn on the 
 console.
 Then when you pull it up via serial on the new device choose assign 
 interfaces and set it up with the new interfaces.
 Btw... "- and it isn't as difficult as you seem to be thinking it is" was 
 supposed to be encouraging, re-reading it I can see it coming off as a bash - 
 so sorry if it did come across that way.
 -Tim
 
 -Original Message-
 From: Christopher Iarocci [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, December 19, 2007 12:34 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
 features
 
 Tim,
 
 I'm not thinking it's difficult.  I'm used to m0n0wall where you must have 2 
 interfaces.  Also, the drive I am using is a SATA drive.  The only machine I 
 have with a SATA interface is a laptop.  Could I use a laptop to set this up 
 with a single interface?  If the answer is yes, then I can do it simply 
 enough.  If the answer is no, then I'm stuck with not having the hardware to 
 do it in the manner suggested.
 
 Chris
 
 -Original Message-
 From: Tim Dickson [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, December 19, 2007 3:28 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
 features
 
 Embedded images running on compact flash are not designed for the kinds of 
 page writes that would be involved with most packages.
 This is to make the system as stable as possible.
 Once SSD becomes a standard I'm sure they'll take a look at that, but for now 
 - the stability wouldn't be there.
 
 As for your install get it up and running on another machine (doesn't matter 
 about the interfaces - just get the LAN setup so you can turn on the console) 
 Then when you swap the drive over it will detect the new interfaces upon boot 
 and you can reassign them.
 I've done this several times - and it isn't as difficult as you seem to be 
 thinking it is.
 -Tim
 
 
 
 -Original Message-
 From: Chris Bagnall [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 19, 2007 12:14 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all 
 features
 
  the embedded install image has a disk image for putting it on compact 
  flash, but that wont let you install any packages once up and running.
 
 Perhaps the answer might be to modify that behaviour so that packages can be 
 installed onto systems built using the embedded images? Surely that'd resolve 
 the issue the OP was trying to work around?
 
 Regards,
 
 Chris
 --
 C.M. Bagnall, Director, Minotaur I.T. Limited For full contact details visit 
 http://www.minotaur.it This email is made from 100% recycled electrons
 
 
 
 



RE: [pfSense Support] VIPs + NAT??

2007-11-08 Thread Tim Dickson
The easiest way to do this is via DNS.

Enable a DNS on the inside that will translate your external IP's to
your internal IP's.

 

Although below would be ideal - I've never gotten it to work on PFSense,
and this works just fine.

-Tim

 

From: Justin Refice [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 08, 2007 12:38 PM
To: support@pfsense.com
Subject: [pfSense Support] VIPs + NAT??

 

I've got what appears to be simple question, but for the life of me I
can't figure this one out.

I've got a pfsense firewall setup between a local subnet (192.168/16)
and my internet provider.  The provider has given me two subnets
11.22.33.192/29 and 11.22.44.16/28.

The WAN IP is in the larger subnet:  11.22.44.17/28

For any given IP in the above subnets, 1 or more IP's exist in the
private domain.  Eg: 

11.22.33.194 port 25 = 192.168.0.2 port 25
11.22.33.194 port 80 = 192.168.0.3 port 80
11.22.44.17 port 25 = 192.168.0.4 port 25

This is all working fine (yay!).  The problem is that the private subnet
can't access IP's on the public subnet.  So, for example, 192.168.0.2
can connect to www.google.com just fine.  192.168.0.2 can NOT connect to
11.22.33.194 though...  the packet just gets dropped somewhere.

I've got the VIP's setup using Proxy ARP, because there are two subnets
(And apparently CARP requires that the IP exist in the same subnet as
the WAN IP). 

Just as a test, I setup a CARP for 11.22.44.18, and the same problem
exists.

Basically, it seems like I need to tell the firewall the right rules on
the LAN interface to clear this up... but like I said, I can't figure it
out. 

Thanks for any help,  

Justin
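
The split-DNS approach suggested in the reply, applied to the three forwards listed in the question. This is an added example, not part of the original thread: it builds the internal DNS overrides and flags the case where one public IP forwards to different internal hosts by port, which a single override cannot cover. The hostnames are hypothetical.

```python
"""Split-DNS overrides derived from a port-forward table (added example)."""
from collections import defaultdict

# Port forwards exactly as listed in the question: (public IP, port, internal IP).
PORT_FORWARDS = [
    ("11.22.33.194", 25, "192.168.0.2"),
    ("11.22.33.194", 80, "192.168.0.3"),
    ("11.22.44.17", 25, "192.168.0.4"),
]

# Hypothetical public DNS records: name -> (public IP, port the name is used for).
# The names are assumptions made for this example; the thread gives none.
# port=None means the name is used for more than one service.
PUBLIC_RECORDS = {
    "mail.example.com": ("11.22.33.194", 25),
    "www.example.com": ("11.22.33.194", 80),
    "mail2.example.com": ("11.22.44.17", 25),
    "example.com": ("11.22.33.194", None),
}


def internal_targets(forwards):
    """Map each public IP to {port: internal IP}."""
    table = defaultdict(dict)
    for public_ip, port, internal_ip in forwards:
        table[public_ip][port] = internal_ip
    return table


def build_overrides(records, forwards):
    """Return (overrides, conflicts).

    overrides: name -> internal IP that the inside DNS should hand to LAN clients.
    conflicts: name -> sorted internal IPs, for names that cannot be overridden
               with one address because the public IP fans out to several
               internal hosts and the name is not tied to a single port.
    """
    table = internal_targets(forwards)
    overrides, conflicts = {}, {}
    for name, (public_ip, port) in sorted(records.items()):
        by_port = table.get(public_ip, {})
        if port is not None:
            if port in by_port:
                overrides[name] = by_port[port]
            continue
        hosts = sorted(set(by_port.values()))
        if len(hosts) == 1:
            overrides[name] = hosts[0]
        elif hosts:
            conflicts[name] = hosts
    return overrides, conflicts


def hosts_file_lines(overrides):
    """Render the overrides in hosts-file form (address, then name)."""
    return [f"{ip}\t{name}" for name, ip in sorted(overrides.items())]


if __name__ == "__main__":
    ov, bad = build_overrides(PUBLIC_RECORDS, PORT_FORWARDS)
    print("\n".join(hosts_file_lines(ov)))
    for name, hosts in bad.items():
        print(f"# {name}: needs per-service names, forwards to {', '.join(hosts)}")
```

A name that LAN clients use for both mail and web on 11.22.33.194 has to be split into per-service names before an internal override can work, because DNS answers do not depend on the destination port.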



RE: [pfSense Support] Watchguard X series platform

2007-10-29 Thread Tim Dickson
I’m a couple months off from trying this…
http://www.abmx.com/1u-12inch-deep-mini-server-p-287.html

I’m debating on whether to throw a 4 NIC intel in the PCI slot or try the 3
NIC card they can add (that doesn’t use up the PCI slot either)
It’ll use the re driver (it’s a Realtek RTL8110S) - and in the past I've
stayed away from realtek
-Tim



---
From: Charles Alvis [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 29, 2007 11:47 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Watchguard X series platform

I am in kind of the same boat.  If you can get the Watchguard appliance to
work with pfsense that would be pretty cool, but I bet it will drive up the
cost of the units on Ebay :)    I have been looking at the machines on
hacom.net as well.  They have some pretty good candidate machines for
installing pfsense on.
 
Keep us informed of your efforts.
 
 
On 10/29/07, Andrew Cotter [EMAIL PROTECTED]  wrote: 

 -Original Message-
 From: Andrew Cotter [mailto: [EMAIL PROTECTED]
 Sent: Tuesday, October 16, 2007 3:12 PM
 To: support@pfsense.com 
 Subject: [pfSense Support] Watchguard X series platform 

 Hello,

 I have seen a number of posts both here and on the M0n0wall
 list about the older Watchguard Firebox I/II series boxes and 
 the ability to use them.
 Does anyone have any experience on the Watchguard Core 
 X500/X700/X1000 series boxes?

 I am looking for a platform that is a little more powerful
 than the WRAP/ALIX or Soekris 5501 systems, but would prefer 
 to stay away from full blown servers. 

 Thanks for any input!

 Andrew



Well I got no response so I went out and picked a Watchguard X500 up off of
ebay.  I am happy to report that once you crack the thing open there is a 
nice little onboard slot for a CF.  Mine had a 64MB card in it which I
quickly swapped out with a freshly imaged M0n0wall CF.  I powered it up,
consoled into it, and it saw all 6 adapters.  Have not tried pfsense yet, 
but I will be trying that out sometime over the next week or so.

For those of you out there that prefer certain cards, the 6 ports are
Realtek chips which may be a drawback.  Needless to say, I am happy at the 
gamble I took and will probably be putting this box into full time service
fairly soon.

Andrew

 






RE: [pfSense Support] Poor DNS performances and websurfing...

2007-09-27 Thread Tim Dickson
And just for the sake of trying... give opendns.com a shot.
-Tim

-Original Message-
From: Rainer Duffner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 27, 2007 3:18 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Poor DNS performances and websurfing...


On 27.09.2007 at 23:17, tester wrote:

 Hello,
 In the last week I noticed poor DNS performances and
 obviously web surfing suffers, too.
 This is the output from a PC configured to use the IP
 address of the main pfSense machine:



What DNS-servers did the pfsense get from the ISP?
Do they work?
Could it be that one of them is dead?
Try with [EMAIL PROTECTED] www.somedomainyouvenotcheckedbefore.com
and
[EMAIL PROTECTED] www.someotherdomain.com




cheers,
Rainer
-- 
Rainer Duffner
CISSP, LPI, MCSE
[EMAIL PROTECTED]






[pfSense Support] Strange issues with Fedex.com

2007-08-01 Thread Tim Dickson
I am having a weird issue accessing fedex.com and I'm wondering if you can
help me determine if it is firewall related (or what it is).

Now almost all of our machines (except servers) are nat'ed to the same
external IP. (servers are 1:1 to their own public IP)

Half of our workstations can access fedex.com the others cannot
(although every once in a while the machines can access it). And half of our
servers can and half cannot.

DNS resolves correctly and I can take the IP from a machine that works
and paste it into iexplorer and it won't resolve.

I tried Mozilla firefox thinking it might be an IE messup... didn't work
there either.

I've reset all states in the firewall and resolved it from the firewall.
(I've also checked all rules, which I don't have any outgoing rules for our
network besides pass all rule for the subnet)

And when I found a machine that worked I swapped IP's with a machine
that didn't work.  The machine still wouldn't work (in case it happened
to be a rule in the firewall I missed).

I am totally lost at what this could be... here is what I've concluded:

DNS issue - Nope, able to resolve correctly (using nslookup)
IP conflict - Nope, changed IP's and no dice
Firewall issue - all machines use the same external IP so I don't think
fedex would be blocking our IP,  logs show nothing.
Tracert - passes well past our gateway.

If I turn on logging I can see the packet hit the firewall so I don't think
it is anything internal.

Aug 1 10:07:20 LAN 192.168.5.18:3574 199.81.218.50:80 TCP

I've changed the Optimization Options as well. is this a firewall issue? I'm
stuck! If you guys can think of anything I skipped let me know.

RE: [pfSense Support] Strange issues with Fedex.com

2007-08-01 Thread Tim Dickson
Plain Text noted(thanks, just wanted to get the pass image in the rule
:) )

Recommended MTU is 1504, so 1500 should be fine ( I switched to 1400 just for
kicks to no avail)

FYI, this is ONLY for fedex.com too...  Am I right to assume it isn't the
firewall?
-Tim

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 01, 2007 11:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Strange issues with Fedex.com

On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:




 I am having a weird issue accessing fedex.com and I'm wondering if you can
help me determine if it is firewall related (or what it is).



 Now almost all of our machines (except servers) are nat'ed to the same

 external IP. (servers are 1:1 to their own public IP)



 Half of our workstations can access fedex.com the others cannot

 (although every once in a while the machines can access it). And half of
our servers can and half cannot.



 DNS resolves correctly and I can take the IP from a machine that works

 and paste it into iexplorer and it won't resolve.



 I tried Mozilla firefox thinking it might be an IE messup... didn't work

 there either.



 I've reset all states in the firewall and resolved it from the firewall.

 (I've also checked all rules, which I don't have any outgoing rules for
our network besides pass all rule for the subnet)



 And when I found a machine that worked I swapped IP's with a machine

 that didn't work.  The machine still wouldn't work (incase it happened

 to be a rule in the firewall I missed).



 I am totally lost at what this could be... here is what I've concluded:





 DNS issue - Nope, able to resolve correctly (using nslookup)

 IP conflict - Nope, changed IP's and no dice

 Firewall issue - all machines use the same external IP so I don't think

 fedex would be blocking our IP,  logs show nothing.

 Tracert - passes well past our gateway.



 If I turn on logging I can see the packet hit the firewall so I don't
think it is anything internal.



 Aug 1 10:07:20 LAN 192.168.5.18:3574 199.81.218.50:80 TCP



 I've changed the Optimization Options as well. is this a firewall issue?
I'm stuck! If you guys can think of anything I skipped let me know.




Is the MTU on wan correct to what the ISP expects?  Maybe phone your
ISP and ask if 1500 is okay for your connection.  If you are using
PPPoE you might want to lower your MTU to 1400 or so and see if it
helps.

Scott
PS: please send plain text emails to public mailing lists.  Sending
HTML is considered to be bad manners.




RE: [pfSense Support] Strange issues with Fedex.com

2007-08-01 Thread Tim Dickson
I am on 1.01 release, I was holding off till final releases since this is in
production.
I can upgrade later today and try.  
Occasionally it will work from a machine that doesn't work. If it ends up
working it will continue to work pretty consistently until it doesn't work
then it won't work for a while.
I'll keep you posted...
Thanks for the help.
-Tim

-Original Message-
From: Rainer Duffner [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 01, 2007 12:13 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Strange issues with Fedex.com


On 01.08.2007 at 20:53, Scott Ullrich wrote:

 On 8/1/07, Tim Dickson [EMAIL PROTECTED] wrote:
 Plain Text noted(thanks, just wanted to get the pass image in  
 the rule
 :) )

 Recommened MTU is 1504, so 1500 should be fine ( I switched to  
 1400 just for
 kicks to no avail)

 FYI, this is ONLY for fedex.com too...  Am I right to assume it  
 isn't the
 firewall?
 -Tim

 Hrm, I wouldn't be so sure as of yet.   What version are you on?  If
 you are not on a recent snapshot can you please try?  We fixed a bug
 in PF w/ modulate state but I doubt that would help but it's worth a
 try.

 The only other thing that I can think of would be to try 1300 as a
 MTU.  I have seen this problem when MTU issues are on the WAN link.



I have such a MTU problem (going to eBay.com, for example, usually  
doesn't work, or cgiX.ebay.com etc.) - but it requires setting the  
MTU to 1452.
Values less than 1452 don't work so well, either.

The half of your workstations that can access the site - are they  
always the same half?

What you can do is run a tcpdump on the WAN-interface (or tcpdump on  
a host behind the WAN-interface, via a hub) so see what pfsense is  
doing and what  fedex is sending (if at all).



cheers,
Rainer
-- 
Rainer Duffner
CISSP, LPI, MCSE
[EMAIL PROTECTED]
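
The MTU values tried in this thread (1500, 1452, 1400, 1300) can be replaced by a measurement. The following is an added example, not code from the thread: it binary-searches the largest packet that crosses a path with the don't-fragment bit set and derives the matching TCP MSS. The Linux `ping` flags and the simulated path used for checking are assumptions of the example.

```python
"""Find the path MTU with don't-fragment probes (added example)."""
import subprocess
import sys

IP_HEADER = 20      # bytes, IPv4 header without options
ICMP_HEADER = 8     # bytes, ICMP echo header
TCP_HEADER = 20     # bytes, TCP header without options


def ping_df_linux(host, payload):
    """Send one echo with DF set and `payload` data bytes; True if answered.

    Assumption: Linux iputils ping (-M do sets DF, -s sets the payload size).
    FreeBSD ping uses -D for DF and Windows ping uses -f with -l for the size.
    """
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest IP packet size that passes with DF set.

    probe(payload) -> bool sends one echo carrying `payload` data bytes.
    Returns the path MTU in bytes, or None if even `low` does not pass.
    """
    def passes(mtu):
        return probe(mtu - IP_HEADER - ICMP_HEADER)

    if not passes(low):
        return None
    if passes(high):
        return high
    # Invariant from here on: `low` passes and `high` fails.
    while high - low > 1:
        mid = (low + high) // 2
        if passes(mid):
            low = mid
        else:
            high = mid
    return low


def tcp_mss(mtu):
    """Largest TCP segment that fits in one unfragmented packet of size `mtu`."""
    return mtu - IP_HEADER - TCP_HEADER


def simulated_path(path_mtu):
    """Constructed stand-in for a real link: drops DF packets above path_mtu."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: pmtu.py <host>")
    target = sys.argv[1]
    mtu = find_path_mtu(lambda size: ping_df_linux(target, size))
    if mtu is None:
        print("no reply even at 576 bytes; ICMP echo may be filtered")
    else:
        print(f"path MTU {mtu}, largest DF ping payload "
              f"{mtu - IP_HEADER - ICMP_HEADER}, TCP MSS {tcp_mss(mtu)}")
```

If the measured value is below the WAN interface MTU, small requests still get through while full-size replies do not, which matches a site that loads from some machines or at some times only.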






RE: [pfSense Support] Multiple IPs

2007-07-04 Thread Tim Dickson
Good to hear you got it going Dave,

Jai, 
you will want to set them up with a /32
if proxy arp isn't working you can also try carp. 
I suppose it COULD be a faulty NIC, but give the above a shot.
and do power down the router/or modem (whichever the case) between each shot.

-Tim

-Original Message-
From: jai lamerton [mailto:[EMAIL PROTECTED]
Sent: Tue 7/3/2007 9:24 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple IPs
 
Hi Tim,

Thanks for the info... I have tried what you mentioned to no avail,  
I'm not sure my failure is due to an arp cache problem with the  
router (although i did suspect that) because connecting a laptop to  
the subnet and changing it's IP address has no problems, and there is  
no delay while arp timeouts. Same is true if I change the WAN IP  
address to any of the other IP's in the subnet.

I wonder if I'm configuring the virtual IP wrong. I've been entering  
the IP address as Single addresses, ie /32 bit mask. Could it be  
the hardware?

Jai

On 04/07/2007, at 11:26 AM, Tim Dickson wrote:

 The IP's are in the same subnet right?
 If you can use the ip's bypassing pfSense, then pfSense can use the
 IP's.

 Add them to the Virtual IP's list, apply your settings and then reboot
 the router (not pfSense, fyi...maybe that is where you have been  
 stuck)

 What this does is pfSense now answers for the IP's you've added to the
 list. If they are usuable, then pfSense will respond to them.  IF you
 are still having trouble, power down your router for a longer  
 period of
 time.  It is necessary for it to clear it's cache and resend it's arp
 requests so pfSense can respond.

 I guarantee it is not an issue with pfSense I have it working on every
 install I've done (that needed multiple IP's that is)
 -Tim

 -Original Message-
 From: Dave Cabot [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 03, 2007 6:10 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Multiple IPs

 Didn't work.  What can we do to collect info in order to determine  
 what
 the
 actual problem is?  If it's the kernel, we need to know so a patch may
 be
 done.

 Dave

 -Original Message-
 From: Tim Dickson [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 03, 2007 4:40 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Multiple IPs

 And be sure to reboot your router!  Sometimes the cache time is
 realy
 long -tim

 -Original Message-
 From: Dave Cabot [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 03, 2007 3:16 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Multiple IPs

 I did try that and as you said, it doesn't work.  I'm going to try to
 switch
 interfaces and see if it'll work on the vr0 device.  (currently  
 using a
 rl0).

 Thanks,
 Dave

 -Original Message-
 From: jai lamerton [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 03, 2007 12:37 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Multiple IPs

 Dave, its under firewall-Virtual IP's

 It's interesting but as I mentioned before I tried to get proxy ARP to
 work
 but couldn't get pfsense to respond to who has arp requests for  
 any IP
 other than the WAN.

 Does anyone know if some network cards are just so shitty (rl0) that
 they
 will now work with proxy ARP?
 I would assume it has to do with the kernel and not the network card.

 On 03/07/2007, at 1:41 PM, Dave Cabot wrote:

 How do I do that exactly?  I thought ARP was self-discovery.

 Dave

 -Original Message-
 From: Tim Dickson [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 02, 2007 8:13 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Multiple IPs

 You will need to set arp up because your firewall needs to say hey
 I'm here... send these packets to me
 After you do that you may need to power cycle your router to clear
 it's arp cache.
 It works great... use it on all my sites.
 -Tim

 -Original Message-
 From: jai lamerton [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 02, 2007 5:22 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Multiple IPs

 I was unsuccessful in achieving this type of setup, which is strange
 as it seems it should be very possible.
 According to that link I don't need to add the IP addresses as proxy
 ARP, It should just work with 1:1 NAT. I might have another go with
 just the NAT.

 I would be interested to know how you went.

 Cheers.

 On 03/07/2007, at 2:29 AM, sai wrote:

 On 7/2/07, Dave Cabot [EMAIL PROTECTED] wrote:
 How does pfS handle multiple IPs on the WAN interface?  Would it
 just be filter rules or the port fowarding?

 My ISPs gateway will be x.x.x.145.  I've got x.x.x.146-x.x.x.150
 (netmask
 255.255.255.248)  I'll set the WAN port to x.x.x.150, but I need it
 to receive the packets for all 5 IPs.  I need to be able to forward
 based off of IP and port to whatever server inside the LAN.  Is  
 this

 doable?



 Its doable. See http://doc.m0n0.ch/handbook/examples.html#id2603650

 pfSense is based on m0n0

RE: [pfSense Support] Multiple IPs

2007-07-03 Thread Tim Dickson
And be sure to reboot your router!  Sometimes the cache time is really
long
-tim

-Original Message-
From: Dave Cabot [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 03, 2007 3:16 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Multiple IPs

I did try that and as you said, it doesn't work.  I'm going to try to switch
interfaces and see if it'll work on the vr0 device.  (currently using a
rl0).

Thanks,
Dave 

-Original Message-
From: jai lamerton [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 03, 2007 12:37 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple IPs

Dave, its under firewall-Virtual IP's

It's interesting but as I mentioned before I tried to get proxy ARP to work
but couldn't get pfsense to respond to who has arp requests for any IP
other than the WAN.

Does anyone know if some network cards are just so shitty (rl0) that they
will now work with proxy ARP?
I would assume it has to do with the kernel and not the network card.

On 03/07/2007, at 1:41 PM, Dave Cabot wrote:

 How do I do that exactly?  I thought ARP was self-discovery.

 Dave

 -Original Message-
 From: Tim Dickson [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 02, 2007 8:13 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Multiple IPs

 You will need to set arp up because your firewall needs to say hey 
 I'm here... send these packets to me
 After you do that you may need to power cycle your router to clear 
 it's arp cache.
 It works great... use it on all my sites.
 -Tim

 -Original Message-
 From: jai lamerton [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 02, 2007 5:22 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Multiple IPs

 I was unsuccessful in achieving this type of setup, which is strange 
 as it seems it should be very possible.
 According to that link I don't need to add the IP addresses as proxy 
 ARP, It should just work with 1:1 NAT. I might have another go with 
 just the NAT.

 I would be interested to know how you went.

 Cheers.

 On 03/07/2007, at 2:29 AM, sai wrote:

 On 7/2/07, Dave Cabot [EMAIL PROTECTED] wrote:
 How does pfS handle multiple IPs on the WAN interface?  Would it 
 just be filter rules or the port fowarding?

 My ISPs gateway will be x.x.x.145.  I've got x.x.x.146-x.x.x.150 
 (netmask
 255.255.255.248)  I'll set the WAN port to x.x.x.150, but I need it 
 to receive the packets for all 5 IPs.  I need to be able to forward 
 based off of IP and port to whatever server inside the LAN.  Is this 
 doable?



 Its doable. See http://doc.m0n0.ch/handbook/examples.html#id2603650

 pfSense is based on m0n0 and this should help you get started.




RE: [pfSense Support] Multiple IPs

2007-07-03 Thread Tim Dickson
The IP's are in the same subnet right? 
If you can use the ip's bypassing pfSense, then pfSense can use the
IP's.

Add them to the Virtual IP's list, apply your settings and then reboot
the router (not pfSense, fyi...maybe that is where you have been stuck)

What this does is pfSense now answers for the IP's you've added to the
list. If they are usable, then pfSense will respond to them.  If you
are still having trouble, power down your router for a longer period of
time.  It is necessary for it to clear its cache and resend its arp
requests so pfSense can respond.

I guarantee it is not an issue with pfSense I have it working on every
install I've done (that needed multiple IP's that is)
-Tim

-Original Message-
From: Dave Cabot [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 03, 2007 6:10 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Multiple IPs

Didn't work.  What can we do to collect info in order to determine what
the
actual problem is?  If it's the kernel, we need to know so a patch may
be
done.

Dave 

-Original Message-
From: Tim Dickson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 03, 2007 4:40 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Multiple IPs

And be sure to reboot your router!  Sometimes the cache time is
realy
long -tim

-Original Message-
From: Dave Cabot [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 03, 2007 3:16 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Multiple IPs

I did try that and as you said, it doesn't work.  I'm going to try to
switch
interfaces and see if it'll work on the vr0 device.  (currently using a
rl0).

Thanks,
Dave 

-Original Message-
From: jai lamerton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 03, 2007 12:37 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple IPs

Dave, its under firewall-Virtual IP's

It's interesting but as I mentioned before I tried to get proxy ARP to
work
but couldn't get pfsense to respond to who has arp requests for any IP
other than the WAN.

Does anyone know if some network cards are just so shitty (rl0) that
they
will now work with proxy ARP?
I would assume it has to do with the kernel and not the network card.

On 03/07/2007, at 1:41 PM, Dave Cabot wrote:

 How do I do that exactly?  I thought ARP was self-discovery.

 Dave

 -Original Message-
 From: Tim Dickson [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 02, 2007 8:13 PM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Multiple IPs

 You will need to set arp up because your firewall needs to say hey 
 I'm here... send these packets to me
 After you do that you may need to power cycle your router to clear 
 it's arp cache.
 It works great... use it on all my sites.
 -Tim

 -Original Message-
 From: jai lamerton [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 02, 2007 5:22 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Multiple IPs

 I was unsuccessful in achieving this type of setup, which is strange 
 as it seems it should be very possible.
 According to that link I don't need to add the IP addresses as proxy 
 ARP, It should just work with 1:1 NAT. I might have another go with 
 just the NAT.

 I would be interested to know how you went.

 Cheers.

 On 03/07/2007, at 2:29 AM, sai wrote:

 On 7/2/07, Dave Cabot [EMAIL PROTECTED] wrote:
 How does pfS handle multiple IPs on the WAN interface?  Would it 
 just be filter rules or the port fowarding?

 My ISPs gateway will be x.x.x.145.  I've got x.x.x.146-x.x.x.150 
 (netmask
 255.255.255.248)  I'll set the WAN port to x.x.x.150, but I need it 
 to receive the packets for all 5 IPs.  I need to be able to forward 
 based off of IP and port to whatever server inside the LAN.  Is this

 doable?



 Its doable. See http://doc.m0n0.ch/handbook/examples.html#id2603650

 pfSense is based on m0n0 and this should help you get started.
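
One way to collect the evidence asked for in this thread, as an added example that is not part of the original messages: capture ARP on the WAN side (for instance with `tcpdump -n -i <wan-interface> arp`) and check, per virtual IP, whether the upstream router asked for it and who answered. The addresses, MAC addresses and capture lines below are constructed; the final octets follow the .145 gateway and .146 to .150 range from the question.

```python
"""Check which virtual IPs get ARP answers on the WAN (added example)."""
import re
from collections import defaultdict

IPV4 = r"\d+\.\d+\.\d+\.\d+"
REQUEST = re.compile(rf"who-has ({IPV4}) tell ({IPV4})")
REPLY = re.compile(rf"({IPV4}) is-at ((?:[0-9a-f]{{2}}:){{5}}[0-9a-f]{{2}})", re.I)

# Constructed values for the example (documentation address range).
GATEWAY = "203.0.113.145"             # ISP router
FIREWALL_MAC = "00:0d:b9:aa:bb:01"    # WAN NIC of the firewall
VIPS = ["203.0.113.146", "203.0.113.147", "203.0.113.148", "203.0.113.149"]

# Constructed capture in tcpdump's text format.
CAPTURE = """\
10:07:20.100 ARP, Request who-has 203.0.113.146 tell 203.0.113.145, length 46
10:07:20.101 ARP, Reply 203.0.113.146 is-at 00:0d:b9:aa:bb:01, length 28
10:07:21.300 ARP, Request who-has 203.0.113.147 tell 203.0.113.145, length 46
10:07:22.300 ARP, Request who-has 203.0.113.147 tell 203.0.113.145, length 46
10:07:23.500 ARP, Request who-has 203.0.113.148 tell 203.0.113.145, length 46
10:07:23.501 ARP, Reply 203.0.113.148 is-at 00:16:3e:12:34:56, length 28
"""


def classify(capture, vips, gateway, firewall_mac):
    """Return {vip: status} from a text ARP capture.

    answered-by-firewall   the firewall's MAC (and only it) claimed the address
    answered-by-other-mac  some other device claimed it (conflict or stale host)
    unanswered             the gateway asked, nobody replied: the VIP is not
                           being answered for on the firewall
    never-requested        the gateway never asked during the capture; it may
                           still hold a cached entry, or no traffic arrived
    """
    asked = defaultdict(int)
    answered = defaultdict(set)
    for line in capture.splitlines():
        req = REQUEST.search(line)
        if req:
            if req.group(2) == gateway:
                asked[req.group(1)] += 1
            continue
        rep = REPLY.search(line)
        if rep:
            answered[rep.group(1)].add(rep.group(2).lower())

    result = {}
    for vip in vips:
        macs = answered.get(vip, set())
        if macs == {firewall_mac.lower()}:
            result[vip] = "answered-by-firewall"
        elif macs:
            result[vip] = "answered-by-other-mac"
        elif asked.get(vip):
            result[vip] = "unanswered"
        else:
            result[vip] = "never-requested"
    return result


if __name__ == "__main__":
    for vip, status in classify(CAPTURE, VIPS, GATEWAY, FIREWALL_MAC).items():
        print(f"{vip:16} {status}")
```

A `never-requested` result while traffic to that address is being sent is the case where power cycling the upstream router, as advised above, is the next step.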


RE: [pfSense Support] Multiple IPs

2007-07-02 Thread Tim Dickson
You will need to set arp up because your firewall needs to say hey I'm
here... send these packets to me
After you do that you may need to power cycle your router to clear it's arp
cache.
It works great... use it on all my sites.
-Tim

-Original Message-
From: jai lamerton [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 02, 2007 5:22 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple IPs

I was unsuccessful in achieving this type of setup, which is strange  
as it seems it should be very possible.
According to that link I don't need to add the IP addresses as proxy  
ARP, It should just work with 1:1 NAT. I might have another go with  
just the NAT.

I would be interested to know how you went.

Cheers.

On 03/07/2007, at 2:29 AM, sai wrote:

 On 7/2/07, Dave Cabot [EMAIL PROTECTED] wrote:
 How does pfS handle multiple IPs on the WAN interface?  Would it  
 just be
 filter rules or the port fowarding?

 My ISPs gateway will be x.x.x.145.  I've got x.x.x.146-x.x.x.150  
 (netmask
 255.255.255.248)  I'll set the WAN port to x.x.x.150, but I need  
 it to
 receive the packets for all 5 IPs.  I need to be able to forward  
 based off
 of IP and port to whatever server inside the LAN.  Is this doable?



 Its doable. See http://doc.m0n0.ch/handbook/examples.html#id2603650

 pfSense is based on m0n0 and this should help you get started.




RE: [pfSense Support] VPN question

2007-06-25 Thread Tim Dickson
I'll throw in my 2 cents...
I've used PPTP and OpenVPN.
I like the ease of use of OpenVPN to the end user (via the openvpn GUI)
The manuals on pfSense.com walk you through it step by step... so setup
is easy for you as well.
Just click and go! is all the user has to do, and if their connection
drops for whatever reason, it will automatically reconnect for them.  I
also like the way it adds the interface rather than tunneling all
traffic. This saves our precious bandwidth on site and lets all the
downloading at home go out their own gateway.

PPTP is nice for the devices that can't support openvpn (such as
pocketpc's), so I use both protocols
-Tim





-Original Message-
From: Steven Hodgen [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 25, 2007 4:45 PM
To: support@pfsense.com
Subject: [pfSense Support] VPN question

Ok, so I hope you will all forgive my inexcusable use of this list for 
questions that aren't 100% specific to pfSense.

Nevertheless, I want to use pfSense to let me create a road-warrior for 
our internal Windows domain. So, at some level there are questions 
specific to pfSense.  Actually, what this message is really about is my 
ignorance, and lack of ability to ferret out cogent answers on Google 
and searching this list.

Information:
* We have a server running Windows 2003 Standard Edition.
* Another machine running pfSense 1.2 Beta-1
* A Comcast Business WAN with a static IP.
* An internal LAN subnet 192.168.1.0/24
* Another subnet on a different ethernet port 192.168.2.0/24 
used for isolating our internal wireless traffic (we're a school and 
kids all use wireless and are not on domain).
* So, we're using three of four available ethernet ports on the firewall
machine.
* I have roaming profiles configured and lots of Group Policy rules.

Questions:
1. What is the best way to configure pfSense so that a road-warrior can 
access our LAN domain as if he/she was here (except for speed, of
course).
2. Related to 1: what is the best (balance easy with secure) of the four
choices: IPsec, OpenVPN, PPPoE, PPTP, way to achieve this.  Pros/Cons.

Ok, so now I'm going to thank you in advance for putting up with my 
questions.  Truthfully, I know just about  enough about networking and 
TCP/IP, etc. to be dangerous.  But I learn quickly, and really 
appreciate your help.

I hope I gave you all enough information.  If there's a specific log or 
config file that would help you, please let me know.

--Steven





RE: [pfSense Support] Four port intel PCI-e?

2007-06-01 Thread Tim Dickson
If you are jammed for interfaces, and can spare the bandwidth... you can
try v-lans... that will give you a few more interfaces without adding
physical interfaces. Just a suggestion ;)
-Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 01, 2007 12:44 PM
To: support@pfsense.com
Subject: [pfSense Support] Four port intel PCI-e?

Are there any PCI-e cards supported by pfsense that will give me four
gigabit copper ports? I'd much prefer intel, and see they have a couple
of models, but don't know how well FreeBSD supports them.

- Ron.




RE: [pfSense Support] help to config dmz

2007-05-25 Thread Tim Dickson
I would add a fourth interface and make it a part of that new subnet.
Then you can bridge that interface to your DMZ.
That will allow pfSense to do the routing.
In your rules just make sure to make the gateway the second wan
interface.
(that's how I have it setup... and it works)
-Tim

PS... I opted for 1:1 rather than bridging.  This gives the servers
public addresses, but also allows me to expand in ways not possible with
bridging.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob
Terhaar
Sent: Friday, May 25, 2007 9:37 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] help to config dmz

On 5/25/07, Christos Pelekis [EMAIL PROTECTED] wrote:
 Hi,
 thanks. But also now i have and one more problem.
 The WAN is PPPoE and i want to add in WAN one more subnet with 16 ips.
 You know how i can do this?
 Regards

setup an additional router? :)




RE: [pfSense Support] pfSense DHCP-relay

2007-05-23 Thread Tim Dickson
Wouldn't you want to bridge the two interfaces together? Just thinking
out loud here.

You could also set the interface DHCP on WLAN to hand a certain range of
address in the same subnet as your LAN, and then set rules accordingly.

Lastly... would it not work to open up the DHCP server in the Rules to
the LAN and then let the request flow to it? I'm not sure broadcasts
will flow through interfaces... but theoretically I guess it could work.

 

Sorry I don't have any definite answers... someone else on here might.

-Tim

 

PS... is there a reason in particular you want that specific server to
serve up your DHCP requests?

 

From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 23, 2007 3:05 AM
To: support@pfsense.com
Subject: [pfSense Support] pfSense DHCP-relay

 

Hi, all DHCP-relay gurus ;-)

I need to relay DHCP-requests from my WLAN Interface ath0 to my LAN
internal DHCP-server.

Now i had a look at the DHCP-relay and am a bit confused about this...

I'm running the latest snapshot

I chose the enable the server. I do NOT want to relay DHCP to WAN, but
to LAN... but i cannot check this, correct ? Would that not make sense
to relay to LAN, too ? or to let the user choose ?

When I add the server IP in the destination-server field and hit save it
tells me that the destination server is required... so I cannot get it
working at all... :-(

 

Regards,

 

Martin



RE: [pfSense Support] helo there

2007-04-20 Thread Tim Dickson
Also, keep your PPTP addresses in the same subnet as your file server.
If you don't, you'll have to go into some advanced routing...
-Tim

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 20, 2007 7:33 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] helo there

Arthur Mitchell wrote:
 Hi my name is Arthur and i have a problem setting up my pfsense pptp 
 server i get it working but i want clients to access my network and I've 
 been struggling for three weeks so how do i forward my server's add to
 a local lan add to open a windows file server?

Do you have an allow rule on the PPTP interface?





RE: [pfSense Support] Acess pfsense from WAN

2007-03-12 Thread Tim Dickson
Yes, just enable the port you want used to the local interface. ( a non
standard port is recommended)

-Tim

 

From: Anil garg [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 12, 2007 2:04 PM
To: support@pfsense.com
Subject: [pfSense Support] Acess pfsense from WAN

 

Is there a way to access and configure pfsense from outside / WAN using
HTTPS or something like that?



RE: [pfSense Support] VLAN'S on pfSense

2007-03-01 Thread Tim Dickson
Well what part are you stuck on... you'll have a lot better luck asking
specifics than something so time consuming and general... there are a
million different combinations you could be looking for.

Work your way through, ask questions when you get stuck, and write the
docs as you go.

In the end you will have a working configuration, a lot of knowledge of
how things work, and a document you can share with the community.

After all... that's what opensource is all about!

-Tim

 


From: Sloan Miller [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 01, 2007 11:10 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] VLAN'S on pfSense

 

I will be happy to write it.  The problem is I am one of those people
who is coming over from the cheaper SOHO gear and can't get this working
on my test LAN.  So I need someone to show me how.  I have posted
requests for help 2x on the forums to no avail. 
Once I have the steps I will write it up and post it.


Sloan

On 3/1/07, Bill Marquette [EMAIL PROTECTED]  wrote:

On 2/28/07, Sloan Miller [EMAIL PROTECTED]  wrote:
 Users of Small Office and Home Office networks are quickly finding the
 need for more advanced features such as VLAN's
 These people are graduating from the basic Netgear and Linksys gear, and
 needing the features of pfSense. pf docs are not clear in the VLAN area.

 We can make the Docs better.

 would anyone like to work on a tutorial about setting up pfSense and
 creating VLAN's. 

Thanks for volunteering.  Let us know when it's done and we'll get it
posted on the site.

--Bill


 



RE: [pfSense Support] supported Hardware?

2007-02-20 Thread Tim Dickson
Unless I've missed an update along the way... 64bit is not supported.

-Tim

 


From: Abdul Aziz [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 19, 2007 10:47 PM
To: support@pfsense.com
Subject: [pfSense Support] supported Hardware?

 

Dear Sir,

i'm trying to install pfSense-1.0.1-LIVE-CD on hard disk(ata3-master
SATA150) with ASUS AM2 [M2V-TVM]- VIA(r) K8M890 + VIA(r) VT8237R Plus
Chipset (64 bit)
but can't install default setup after that try safeMode successfully
installed but after reboot the system  
error 128 lba 42173327
 invalid format

 again reboot

ad6: TIMEOUT-READ_DMA retrying (1 retry left) LBA=4781234

then continuously reboot

which problem? plz define me

Regards: 
aaziz





RE: [pfSense Support] CDROM ISO boot using input/output from COM1 (Serial)?

2007-02-01 Thread Tim Dickson
Probably a misconfiguration in the bios then... it boots up fine in
the other machine?
 
Check the bios first...
Then you can pull all cards and peripherals and see if it boots.
If it boots put the cards and peripherals back in one by one till you
find the conflict.
-Tim

-Original Message-
From: Kyle Mott [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 3:25 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CDROM ISO boot using input/output from
COM1 (Serial)?

That doesn't work either. When I put the drive back in the server, it 
always says DISK BOOT FAILURE. Ahh well, win some, lose some.


-Kyle

Sean Cavanaugh wrote:
 just do like what was stated earlier and install pfsense onto the HDD 
 while its attached to a different computer and move it over later.
 
 - Original Message -
 From: Chris Buechler [EMAIL PROTECTED]
 To: support@pfsense.com
 Sent: Wednesday, January 31, 2007 3:05 PM
 Subject: Re: [pfSense Support] CDROM ISO boot using input/output from 
 COM1 (Serial)?
 
 Kyle Mott wrote:
 Ok, I got it to (sort of) boot by getting a video card installed. 
 However, when I boot from the USB CDROM, I get Unable to load 
 kernel and it dumps me to the boot loader prompt.

 USB CD-ROM's don't work for FreeBSD nor pfsense installs 
 unfortunately. there's a lot of info on the FreeBSD lists about it, 
 part of which you found, and it doesn't seem to be important enough to 
 anyone with the skills to fix it for it to get resolved.





RE: [pfSense Support] CDROM ISO boot using input/output from COM1 (Serial)?

2007-01-31 Thread Tim Dickson
It will work... just means you missed something somewhere.

You also could setup everything on the harddrive on another machine and
then swap it over.
-tim

-Original Message-
From: Kyle Mott [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 31, 2007 9:22 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CDROM ISO boot using input/output from
COM1 (Serial)?

That didn't work. Any other ideas?


-Kyle

Holger Bauer wrote:
 Create a config.xml on a different system with enabled serial console.
 Then move it to a dos formatted usbstick as /conf/config.xml and bootup
 the livecd with the stick attached. It should come up with serial
 console enabled.
 
 Holger 
 
 -Original Message-
 From: Kyle Mott [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, January 31, 2007 5:03 PM
 To: support@pfsense.com
 Subject: [pfSense Support] CDROM ISO boot using input/output 
 from COM1 (Serial)?

 Hi,

 Is there any way to get one of the snapshots to boot from a 
 CDROM, using
 COM1 (serial) for the input/output? I've got a box that has 
 10 x gigabit Intel NIC's, and I'm trying to get pfSense on it 
 but it has no video port. :


 -Kyle




RE: [pfSense Support] Dual WAN, but only 1 default route...

2007-01-19 Thread Tim Dickson
Apologies, should have been less vague in my descriptions...
I'm also using DHCP on my OPTX interface:
Rules look like...

*LAN net *   *   *   GATEWAY LAN - WAN2

I had a hard time getting it to work at first and resetting the
modem/router/or switch in front of the firewall fixed it.  It was
holding on to the old MAC before the firewall was plugged in.
So to be safe... shutdown all your equip and unplug (be sure power is
drained completely) then power everything back on and you shouldn't have
a problem!
-Tim


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 19, 2007 11:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Dual WAN, but only 1 default route...

This is partially incorrect.  There is no need to make the cable modem
the primary provider.   It should work with DHCP on the OPTX
interfaces as well.  I am running a Cable modem at my work now on OPT4
and it works fine.

But remember, the key is the gateway option in each firewall rule.
This is how you utilize multi-wan routing.

On 1/19/07, Robert Goley [EMAIL PROTECTED] wrote:
 I had a setup similar to this for a while.  Our cable company offers static
 IPs now.  You will need to setup the Cable connection as your WAN connection.
 If I remember correctly, this is the only interface you can setup using DHCP.
 You will add your DSL as OPT1 and use your NAT rules to define what traffic
 goes out over each connection based on your needs.  You will handle this with
 rules on the LAN interface for outgoing connections.  Because one of the
 connections is DHCP you will have to use this as a policy based dual wan
 setup as it is labeled in the docs.

 Robert

 On Friday 19 January 2007 12:17, Tim Dickson wrote:
  Not quite sure what you are asking... but if I got it right:
 
  Setup everything like the DUAL WAN Manual shows
  Then set everything as the default gateway in your rules except for the
  IP you want to go out the cable... set that to the cable IP
  -Tim
 
  -Original Message-
  From: Jaye Mathisen [mailto:[EMAIL PROTECTED]
  Sent: Friday, January 19, 2007 12:47 AM
  To: support@pfsense.com
  Subject: [pfSense Support] Dual WAN, but only 1 default route...
 
 
 
  I have a DSL connection with 32 static IP's, and a cable connection.
 
  I have one very specific use for the cable connection and everything
  else goes over the DSL.
 
  The Cable uses DHCP to assign IP's, and static is not an option for
  them.
 
  My office subnet is NAT'd behind one of the 32 static IP's.  I want to
  continue NAT'ing 99% of the traffic out that interface, and out the cable
  interface, for the 1 connection to the 1 resource, I want it to be NAT'd,
  but use the cable for outbound traffic.
 
  The catch is, I don't want the cable DHCP info to over-write the default
  route info that I have configured...
 
  Can I do this?  Or am I perhaps not asking the question clearly?
  Probably the latter.
 
 
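The policy-routing setup discussed in the thread above (everything out the DSL link, one destination out the cable link, chosen by the gateway set on the LAN rule), written as a raw pf ruleset. This is an added illustration, not pfSense-generated output and not something posted to the list: interface names, addresses and macro names are constructed placeholders, and it assumes the per-rule gateway corresponds to pf's route-to option.

```pf
# Constructed placeholders: substitute real interface names and addresses.
lan_if    = "em0"
lan_net   = "192.168.1.0/24"
dsl_if    = "em1"              # primary WAN, static addressing
dsl_gw    = "198.51.100.1"
cable_if  = "em2"              # second WAN, address assigned by DHCP
cable_gw  = "203.0.113.1"      # next hop taken from the current DHCP lease
cable_dst = "192.0.2.10"       # the one resource that must use the cable link

# Translation: NAT on whichever WAN the packet finally leaves through.
# ($if) in parentheses makes pf follow the interface's current address,
# which matters on the DHCP-assigned cable side.
nat on $dsl_if   from $lan_net to any -> ($dsl_if)
nat on $cable_if from $lan_net to any -> ($cable_if)

# Filtering: default deny on the LAN side; "quick" on the pass rules below
# ends evaluation at the first rule that matches.
block in log on $lan_if all

# Exception first: traffic for the one destination is forced out the cable
# link, independent of the system default route.
pass in quick on $lan_if route-to ($cable_if $cable_gw) \
    from $lan_net to $cable_dst keep state

# Everything else from the LAN is pinned to the DSL gateway explicitly, so a
# default route rewritten by the cable DHCP client cannot redirect it.
pass in quick on $lan_if route-to ($dsl_if $dsl_gw) \
    from $lan_net to any keep state
```

Rule order is the point: the narrow cable rule has to sit above the catch-all, and any rule left without an explicit gateway falls back to whatever the default route currently is.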



RE: [pfSense Support] PFSense Administrators

2007-01-05 Thread Tim Dickson
I'm not certain about the BSD users... (although it seems logical that
it would work)
I do know that a multiuser environment is being developed and tested and
eventually this will be a feature in PFSense.  What release depends on
what bugs arise I'm sure :)
-Tim

-Original Message-
From: Joseph Favia Jr. [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 05, 2007 7:58 AM
To: support@pfsense.com
Subject: [pfSense Support] PFSense Administrators

Hi,

Is there only one administrator user in pfsense?  As far as I can see, 
there is only a single user for the webgui, but how about the BSD users?

I would like to setup two different administrators for the firewall, and
each user should have his own password. This cannot be accomplished 
through the PFSENSE web interface, but how about if I use SSH for 
administration purposes? Do I have to rule out the possibility of using 
a centralized authentication server (RADIUS,etc.) for my administrators?

Thanks

Joe






RE: [pfSense Support] Squid transparent proxy

2007-01-04 Thread Tim Dickson
And how can you expect help if you don't give any information to work
from!!!
As extremely brilliant as the developers are... they cannot read your
mind (or your problems, which seem abundant)
If you want help... be willing to work a bit, or be gone!
-Tim

-Original Message-
From: SDamron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 03, 2007 6:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Squid transparent proxy

You have just earned your 15 minutes of fame, now everyone on the
entire internet can google search your name and come up with the
profound statement you just made...congratulations.

On 1/3/07, Tim Martin [EMAIL PROTECTED] wrote:
 Yea, fuck you too, asshole! lol

 Bill Marquette wrote:
  On 1/3/07, Tim Martin [EMAIL PROTECTED] wrote:
  Excuse me for saying anything at all!
 
  You're excused.
 
  --Bill
 
 
 
 





-- 
---
A fight to the death between zombies has a few inherent problems.




RE: [pfSense Support] 3 LAN + 3 WAN (balanced) accessing to external FTP

2006-11-22 Thread Tim Dickson
Not sure about the first half... but if you are looking for a way to
reload the web interface remotely... (not even sure if that's what
you're asking) try PuTTY
http://www.chiark.greenend.org.uk/~sgtatham/putty/
it gives you a remote console where you can reboot the machine, web, or
whatever you would normally do at the console.
-Tim

-Original Message-
From: Robert Goley [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 22, 2006 7:48 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] 3 LAN + 3 WAN (balanced) accessing to
external FTP

Has anyone found the cause or a fix for the following error besides
rebooting?
I am using a NFORCE2 based athlon system with 4 3com 905B NICS using the
livecd version and config file on a floppy.  I am unable to access firewall
via the webface after I get this error.  I keep getting this error.  I
usually get it after viewing or trying to view the firewall settings
screen.  SIDE QUESTION: Is it possible to edit the config.xml file by hand
and issue a command to perform the same type of reload the webinterface
does?

Robert

Fatal error: Unknown function: parse_config() in /etc/inc/config.inc on line 198




RE: [pfSense Support] ntop blank page

2006-11-09 Thread Tim Dickson
Same thing happens to me once I switched to https on the webconfigurator.
just use http://yourfirewall:3000
you'll get in just fine :)
-Tim

-Original Message- 
From: Bestul, Kurt [mailto:[EMAIL PROTECTED] 
Sent: Thu 11/9/2006 12:16 PM 
To: support@pfsense.com 
Cc: 
Subject: [pfSense Support] ntop blank page



Installed ntop package.  Initially it would not start, but setting the
password resolved that.  After I did so, it starts and stops upon request.
However, when I attempt to view the ntop page (diagnostics -> ntop), I get a
completely blank page on the browser with the root address of my pfsense
server.  Should I have been challenged for my recently set password when I
requested the page (I wasn't)?  If I look at the page source, that is
completely blank too.  Seems like the underlying configuration must be
incomplete, but I can't find any documentation or prior mail list entries
that provide solutions to this problem.  Advice? P.S., I am viewing the
webConfigurator using firefox 2.0.


RE: [pfSense Support] dns forwarder and PPTP VPN clients

2006-11-06 Thread Tim Dickson
Actually I am struggling with this too.  I never had an issue before,
but I noticed after going to 1.0 that public DNS is used. 
I have turned DNS forwarder off, on, set the DNS servers on the General
tab to local DNS servers instead of public, and any other combination I
can think of... and the only way to resolve hostnames at this point is
to set the WINS server manually on the PPTP connection on the client
machine. 
Any help here would be appreciated!
-Tim

-Original Message-
From: Lee J. Imber [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 06, 2006 9:22 AM
To: support@pfsense.com
Subject: [pfSense Support] dns forwarder and PPTP VPN clients

I am trying to get PPTP clients that connect to the pfsense box to
resolve local clients IP addresses.
But when I get connected and try to ping an internal host I get the
public IP not the internal.
I have the DNS forwarder on and entries for the local hosts. I also
confirm that the entries have been made in the hosts file on the
pfsense box. I specifically tell the XP client to use pfsense's LAN
IP for its PPTP DNS server. But when I run nslookups
on the XP box after I connect it still uses the local DNS not the
PPTP DNS server.

What gives? Is there some setting to tell XP to only use the PPTP DNS
servers when an active VPN connection is made?


Thanks,

Lee






RE: [pfSense Support] DHCP Question

2006-10-31 Thread Tim Dickson
Well I have the default lease time set for 60 minutes and the maximum at
1 day.

The server still won't release those IPs back to the pool until it goes
through the whole subnet.

Generally we only have about 40 users a day, which would be fine but
occasionally we get around 80 - 90 with meetings and this would go beyond
our 1:1 mappings.

If we never went over 59 users I'd set the range from 194-253 and call it
done (and this works fine as soon as it goes through the subnet it starts
back with the released IPs)

But again, it feels the need to finish the subnet before going back to the
retired IPs.

Was just wondering if there was a way to turn up the aggressiveness of the
server so that it will use the Retired IPs as soon as they are, well
retired.

If this can't be done it's not really that big of deal, most users don't
have trouble with NAT, it's just a few here and there.

Thanks guys,

-Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Terhaar
Sent: Monday, October 30, 2006 6:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] DHCP Question

On 10/30/06, Tim Dickson [EMAIL PROTECTED] wrote:

 I have a DHCP range setup up on one of my interfaces of
 192.168.1.100 - 253

 I have 1:1 mappings on 192.168.1.194 - 253.

 I would like it to use those in the 1:1 range before going below. We are
 a hotel and so have a high turn around time for DHCP. I have it setup for
 a days release, but it still seems to go through the list before
 reassigning those IP's that have expired. Is there a way to turn up the
 aggressiveness of DHCP?

 I want to leave the range rather large in case we have a full house, but
 would like to stick with the 1:1's because It helps alleviate a lot of
 VPN and general connectivity issues for our guests.

 Any comments welcome.

 -Tim

I'm not sure how to set it in Pfsense, but the key phrase that you're
looking for here is lease time

If you're generally getting hundreds of clients on the same subnet you
should consider adding additional subnets to your network.

[pfSense Support] NTOP Port

2006-10-30 Thread Tim Dickson
I changed my webGUI to HTTPS and moved the port to 8081

Now when I try to access NTOP I have to type it in manually; it tries to
access it at 8081 for some reason.

If I force it to 3000 it works beautifully. Is there a way to change that
link in the files somewhere even if through winSCP?

I'm going to try a reinstall of the package, but just thought I'd pass it
along in case it is a bug.

-Tim


RE: [pfSense Support] NTOP Port

2006-10-30 Thread Tim Dickson
Uninstalled and Reinstalled the Package
but it still tries to open http:192.168.1.1:8081 instead of 192.168.1.1:3000

-Tim

From: Tim Dickson 
Sent: Monday, October 30, 2006 8:42 AM
To: support@pfsense.com
Subject: [pfSense Support] NTOP Port

I changed my webGUI to HTTPS and moved the port to 8081

Now when I try to access NTOP I have to type it in manually; it tries to
access it at 8081 for some reason.

If I force it to 3000 it works beautifully. Is there a way to change that
link in the files somewhere even if through winSCP?

I'm going to try a reinstall of the package, but just thought I'd pass it
along in case it is a bug.

-Tim


RE: [pfSense Support] pfsense using 4 nics?

2006-10-24 Thread Tim Dickson
Been running 4 NICS for 8 months now... I am up to the 1.0 release
I am using the xl driver.
(there is actually a fifth that is not in use right now)
Might I recommend turning off everything you are not using in the BIOS
and then reinstalling.  
-Tim

-Original Message-
From: Randy B [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 24, 2006 6:20 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfsense using 4 nics?

I've run with as many as 7 interfaces - one SIS, one dual fxp, and one
quad fxp; no issues there.  However, I've not done that on 1.0

On 10/24/06, Rudi Potgieter [EMAIL PROTECTED] wrote:


 Hi All

 Does pfsense have a problem using 4 nics?  Whenever I install a fourth
in
 the machine, one of the nics (usually opt1 or opt2) conflict
 with the LAN interface.  When starting up pfsense, there is an
asterisk next
 to LAN* and OPT1(OPT1)* ?  And if LAN interface is up, then
 OPT1 interface is up as well even though no cable plugged in.  When
the pc
 starts up each network controller is using its own irq.

 Any help.

 Thanx

 Rudi




RE: [pfSense Support] Load balancer problem

2006-09-19 Thread Tim Dickson
You guys crack me up! :)
Honestly, I'm surprised you have as much patience as you do! 
-Tim

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 19, 2006 9:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer problem

On 9/19/06, Bill Marquette [EMAIL PROTECTED] wrote:
 Hmm, there is a README in the same directory that explains quite a bit.

README?!  What's that!?  Shouldn't I just be asking questions and not
READING!?



