Re: [pfSense Support] What happens if the soekris hardware is defective upon arrival? The Cortex Systems way.

2006-06-26 Thread Jonathan Gonzalez

Hi all,

first of all thanks for your comments and ideas. I wrote because i
wanted to know if i'm wrong or not and to let others know how some
companies operate.

I work in technology, i work in the world we move in, and i am usually
in charge of handling situations like that, and what i can tell all of
you is that, if the system is faulty upon reception, the only
common practice is to open an RMA with the provider and send back the
unit at the provider's cost.

I think, as somebody pointed out in one of the lists i wrote to (related to
soekris technology), that the buying process didn't finish yet because
i didn't receive what i bought. And my point of view seems to be
different in some cases: my money or the money of my company is good,
in my account and in the provider's account, so the gear i got should
work fine, it is a contract for both sides, not only for me.

No problem at all, i will send tomorrow (i'm out of office today) the
unit back to Cortex Systems and i will put clearly on the box "faulty"
with some documents as the technical and sales consultant pointed out to me.
I've got an invoice and a UPS delivery note so no fear at all.

Thanks for all.
Best regards,

Jonathan GF

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] What happens if the soekris hardware is defective upon arrival? The Cortex Systems way.

2006-06-26 Thread Jonathan Gonzalez

Hi all,

first of all thanks for your comments and ideas. I wrote because i
wanted to know if i'm wrong or not and to let others know how some companies
operate.

I work in technology, i work in the world we move in and i am usually in
charge of handling situations like that and what i can tell all of you
is that if the system is faulty upon reception the only common
practice is to open an RMA with the provider and send back the unit at
the provider's cost.

I think, as somebody pointed out in one of the lists i wrote to (related to
soekris technology), that the buying process didn't finish because i
didn't receive what i bought. And my point of view seems to be
different in some cases: my money or the money of my company is good,
in my account and in the provider's account, so the gear should work
fine, it is a contract for both sides, not only for one.

No problem at all, i will send tomorrow (i'm out of office today) the
unit back to Cortex and i will put clearly on the box "faulty" with
some documents as the technical and sales consultant pointed out to me. I've
got an invoice and a UPS delivery note so no fear at all.

Thanks for all.
Best regards,

Jonathan GF

On 6/24/06, Frederick Page <[EMAIL PROTECTED]> wrote:

Hi Eric,

Eric Masson wrote on Fri, Jun 23 2006:

>>Might I be the first to recommend https://kd85.com/soekris.html for
>>all of your Soekris needs, am just a satisfied customer

>Wim is clearly a really serious soekris reseller for Europe, never heard
>any complaint about kd85, one of my friends has around 100 boxes all
>shipped by kd85 without any problem.

I only dealt with him two times but can second all positive
experiences.

Best regards  Frederick







--
si secretum tibi sit, tege illud, vel revela




[pfSense Support] What happens if the soekris hardware is defective upon arrival? The Cortex Systems way.

2006-06-23 Thread Jonathan Gonzalez
Hi group,

just writing this short note to let you know how Cortex Systems - "your
soekris provider" operates.

I did a bank transfer for a soekris net4801-60 (256MB RAM) and other
elements. When it arrived the hardware only recognizes 128MB of RAM.

I got in touch with the support team and a technical & sales consultant
(i will avoid personal references) told me that i should pay the
expenses of sending back the box to Denmark.

I told him/her that when i paid i used money in good standing and i wait
to have exactly the same behavior with the product i'm buying.

The answer was "That's the way it works when you buy via the internet,
this is standard practice."

I told him/her that it was funny that the standard practice was to make a
client pay twice for a product/service.

So friends, think twice if you're going to buy in Cortex Systems your
soekris hardware for Firewall/Router/Misc. because if you have a problem
you will have to pay for a service badly offered.

Best regards to all,

Jonathan GF










signature.asc
Description: OpenPGP digital signature


Re: [pfSense Support] Beta 3 on CF images

2006-04-24 Thread Jonathan Gonzalez
Thanks a lot for the information, Bao ;)
Regards,

Jonathan

On 4/23/06, Bao C. Ha <[EMAIL PROTECTED]> wrote:
> Hi Jonathan,
>
> The image for the ad0 is for anybody who wants to run CF on a regular
> PC, with a CF-to-IDE adapter. We don't have any products that use
> these images.
>
> The USB flash drive image, for the da0, is just for testing. Any
> PC that can boot from a USB drive should be able to use these images,
> including ours. We build flash drives that have Ipcop, pfSense
> and M0n0wall on the same drive, for testing of our boxes.
>
> The only images that we do use are for the ad2 drive, secondary
> IDE drive. These are also useful for people who have the Lex
> Light systems.
>
> We build these images using the Grub boot loader, instead of
> the FreeBSD boot loader. In our experience, grub is more stable
> and reliable for booting from compact flash.
>
> As far as benchmarking, I am not sure what you are looking for.
>
> As for questions on operations, I do think one class of our
> products, the 1U racks can support 24x7 remote operations. It
> does not have a fail-over second power supply, though. The
> "bricks" won't support these remote operations because they
> are designed for office environments. Many of them are fanless,
> which may suffer from overheating if placed to field operations.
>
> On another note, we are more of a Linux shop, than FreeBSD. If
> you note carefully on our web site, we only support m0n0wall
> on some of our products, not pfSense.
>
> Sincerely.
> Bao
>
> On Sat, Apr 22, 2006 at 07:17:36PM +0200, jonathan gonzalez wrote:
> > Hi Bao,
> >
> > if i understand fine your post i see you are telling the group you sell
> > specialized "bricks" and you're posting the images for them.
> >
> > I think they are awesome but you don't have available a comparison
> > between and also no refer to benchmarking.
> >
> > Why i tell this. Let me explain: i have 8 boxes running in parallel and
> > i need to be sure that they support to be up and running in a 24x7x365
> > basis because some of them are 500 km far from my city and they are
> > giving support to an ISP. Do you think your boxes are prepared to
> > support this hard life?
> >
> > Thanks a lot.
> > Regards,
> >
> > Jonathan
> >
> > Bao C. Ha wrote:
> > >Hello,
> > >
> > >I have put pfSense images on CF for from the pc hardware with
> > >a CF-IDE adapter, our Hacom/Lex hardware or the USB flash drive,
> > >using grub as the boot loader.
> > >
> > >These images in the past can be upgraded with the "embedded"
> > >updates.  However, for Beta 3, there is no embedded update
> > >image for "embedded" platform, of which these hardware are
> > >pretend to be.
> > >
> > >1. IBM PC-compatible hardware (CF-IDE primary master). They
> > >should be used if you put the compactflash on the CF-IDE
> > >adapter on the primary IDE master. I have just built but not
> > >tested these, since I don't have the hardware here.
> > >
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-128-ad0.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-256-ad0.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-512-ad0.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-1gb-ad0.img.gz
> > >
> > >2. For Hacom/Lex hardware which boot the CF from the secondary master
> > >drive.
> > >
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-128-ad2.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-256-ad2.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-512-ad2.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-1gb-ad2.img.gz
> > >
> > >3. For USB flash drive,
> > >
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-128-da0.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-256-da0.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-512-da0.img.gz
> > >http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-1gb-da0.img.gz
> > >
> > >To install them, just do
> > >zcat pfSense-1.0-BETA3-256-ad0.img.gz | dd of=/dev/da0 bs=16k
> > >
> > >Just let me know if there are problems.
> > >
> > >Thanks.
> > >Bao
>
>
>
> --
> Best Regards.
> Bao C. Ha
> Hacom OpenBrick Distributor USA http://www.hacom.net
> voice: (714) 530-8817 fax: (714) 530-8818
> 8D66 6672 7A9B 6879 85CD 42E0 9F6C 7908 ED95 6B38
>
>
>


--
si secretum tibi sit, tege illud, vel revela




Re: [pfSense Support] Beta 3 on CF images

2006-04-22 Thread jonathan gonzalez

Hi Bao,

if i understand fine your post i see you are telling the group you sell 
specialized "bricks" and you're posting the images for them.


I think they are awesome but you don't have available a comparison
between and also no refer to benchmarking.


Why i tell this. Let me explain: i have 8 boxes running in parallel and 
i need to be sure that they support to be up and running in a 24x7x365 
basis because some of them are 500 km far from my city and they are 
giving support to an ISP. Do you think your boxes are prepared to 
support this hard life?


Thanks a lot.
Regards,

Jonathan

Bao C. Ha wrote:

Hello,

I have put pfSense images on CF for from the pc hardware with
a CF-IDE adapter, our Hacom/Lex hardware or the USB flash drive,
using grub as the boot loader.

These images in the past can be upgraded with the "embedded"
updates.  However, for Beta 3, there is no embedded update
image for "embedded" platform, of which these hardware are
pretend to be.


1. IBM PC-compatible hardware (CF-IDE primary master). They
should be used if you put the compactflash on the CF-IDE
adapter on the primary IDE master. I have just built but not
tested these, since I don't have the hardware here.

http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-128-ad0.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-256-ad0.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-512-ad0.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-1gb-ad0.img.gz

2. For Hacom/Lex hardware which boot the CF from the secondary master
drive.

http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-128-ad2.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-256-ad2.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-512-ad2.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-1gb-ad2.img.gz

3. For USB flash drive,

http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-128-da0.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-256-da0.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-512-da0.img.gz
http://shopping.hacom.net/catalog/pub/pfsense/pfSense-1.0-BETA3-1gb-da0.img.gz

To install them, just do
zcat pfSense-1.0-BETA3-256-ad0.img.gz | dd of=/dev/da0 bs=16k

Just let me know if there are problems.

Thanks.
Bao




Re: [pfSense Support] openvpn certificate creation

2006-03-25 Thread jonathan gonzalez

Peter,

i did it before posting here. The scripts and commands referred to in the
openvpn site didn't help me populate the boxes in the pfsense's openvpn
tab.


Can you be a bit more explicit?
TIA.

jonathan

Peter Curran wrote:

Refer to the instructions at www.openvpn.org

/peter

On Saturday 25 March 2006 03:14, jonathan gonzalez wrote:


hi,

can anybody point me how to create the certificates for the openvpn
package that is already enabled in beta 1?

thanks in advance,

jonathan







[pfSense Support] openvpn certificate creation

2006-03-24 Thread jonathan gonzalez

hi,

can anybody point me how to create the certificates for the openvpn 
package that is already enabled in beta 1?


thanks in advance,

jonathan




Re: [pfSense Support] HTTPS Captive Portal

2006-01-31 Thread jonathan gonzalez

hi Stéphane,

what you have to do is simply copy the certificates from the https mode
of the administration to the boxes in the captive portal configuration
place. Just this ;)


regards,

jonathan



HOFMAN Stéphane wrote:

Hi,

Can someone explain how to configure an HTTPS Captive Portal with PFSENSE ?
My captive portal is OK with HTTP (and RADIUS authentication), but I don't
understand with HTTPS.

Thanks a lot

Stephane HOFMAN











Re: [pfSense Support] Support for custom tables

2005-11-28 Thread Jonathan Gonzalez
An example of how the scripts works would be useful in terms to
imagine a gui behaviour for configuration, don't you think?

On 11/28/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> Touché ;-)
>
> I will meditate upon this and see if I can come up with anything useful.
>
>
>
> Scott Ullrich wrote:
> > Well, I was thinking more how the GUI's would work and operate.  Any
> > suggestions?
> >
> > The coding part is easy, but getting a solid idea of how everything
> > works/interacts is a different story :P
> >
> > On 11/27/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> >
> >> I wonder if there might be a PHP class out there that will deal with PF
> >> interaction.  That seems to be a reasonable approach.
> >>
> >> Though, I must concede that I'm not much of a programmer.
> >>
> >> If PFSense could allow tables to be created, say, in different files -
> >> it could load them into a web-based config.   Might need some utility to
> >> sync that content with anything that changes in memory (ie: live editing
> >> of the tables via pfctl).
> >>
> >> Anyone else have some useful suggestions?
> >>
> >> Thanks.
> >>
> >>
> >>
> >>
> >> Scott Ullrich wrote:
> >>
> >>> That is true.  Can you give some suggestions of easily adding custom
> >>> table support that would work within the parameters of your scripts?
> >>> On 11/27/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> >>>
> >>>
>  I have some scripts that need to interact with PF (pfctl) directly to
>  interact with the tables... I presume this method is available only via
>  manual entry through the GUI.
> 
> 
> 
>  Scott Ullrich wrote:
> 
> 
> > Well, our aliases do something similar now.   You can add an alias
> > then add multiple ip's, ports or network cidr entries.
> >
> > Is this what you have in mind?
> >
> > On 11/27/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> >> Do you not think support for custom tables would be useful?
> >>
> >> I think it would - especially in the enterprise where you want to
> >> selectively block and or do things that require (or benefit from) table
> >> based entries.
> >>
> >>
> >>
> >>
> >> Scott Ullrich wrote:
> >>
> >>
> >>
> >>> We have ALIASES which give somewhat the same functionality.   I have a
> >>> alias import wizard in 1.01.   With that said, there are no plans for
> >>> custom tables in 1.0.
> >>>
> >>> Scott
> >>>
> >>> On 11/27/05, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
> >>>
> >>>
> >>>
> >>>
>  Will there be support for custom tables in PFSense... sometime?
> 
> 
>  Thanks.



Re: [pfSense Support] captive portal - Is this possible?

2005-11-11 Thread jonathan gonzalez

spoofed ip/arp ;) ??

Szasz Revai Endre wrote:

Hello,

Today I noticed a user time out using the captive portal:
Oct 30 10:20:18 logportalauth[56054]: TIMEOUT: shimon, 
00:07:95:d3:d2:97, 192.168.11.100 

It is using an ip from the class of the lan.
The problem is, that I assign ip addresses to all the users of the LAN, 
with static arp entries.
This user is not in the list (not the ip, nor mac address). How is that 
possible that he logged on from that ip?
He shouldn't even be seeing the pfsense gateway if I have static arp 
entries, right?


Any wild guesses?
Thank you.





Re: [pfSense Support] webGUI modification

2005-10-30 Thread Jonathan Gonzalez
Hi Scott,

i think this feature, along with profiles to get access to the webGUI,
would be interesting from many points of view: operative, because you
can give read access to the system in production environments to other
users/groups; functional, being easy to sell to the chief/manager,
etc...

Maybe this can enter the roadmap ;)

Regards,

jonathan



On 10/30/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> At this time you'll have to modify fbegin.inc and remove the items
> that you do not want to be presented.   Depending on how popular this
> "feature" is we can consider it down the road.
>
> Scott
>
>
> On 10/30/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
> > Hi group,
> >
> > i think this has been discussed briefly before but i couldn't find it on
> > the archives, so, what i would like to know is if i want to modify the
> > webGUI menu to show only some parts for a pre-production environment,
> > can i get rid of such parts from a config file and then upload the new
> > config xml to achieve this?
> >
> > I look forward to hearing from you.
> > Thanks in advance.
> >
> > jonathan
> >
> >



[pfSense Support] webGUI modification

2005-10-30 Thread jonathan gonzalez

Hi group,

i think this has been discussed briefly before but i couldn't find it on 
the archives, so, what i would like to know is if i want to modify the 
webGUI menu to show only some parts for a pre-production environment, 
can i get rid of such parts from a config file and then upload the new
config xml to achieve this?


I look forward to hearing from you.
Thanks in advance.

jonathan





Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread jonathan gonzalez

Jason,

what you say is interesting, i mean, weigh up between open ports or use 
active connections...hum... i'll think about it!


Thnx!

jonathan



Jason J. Ellingson wrote:

I had to use a passive port range (I chose 5000-5099) on the FTP server
software and then open a firewall rule for those ports to that server.  I
don't like it, but at least it works for me for now.  I see the FTP
helper/proxy correctly changing the PORT commands, but the firewall states
aren't allowing the connection through.

Jason J Ellingson

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]

-Original Message-
From: jonathan gonzalez [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 24, 2005 4:18 PM

To: support@pfsense.com
Subject: Re: [pfSense Support] passive ftp (strike 2)

Scott,

i put a rule as you told me but this doesn't seem to work. The only way
to enable ftp (active) is de-activating the ftp-helper.


This is a snippet of the ftp window in my workstation:


220-Local time is now 23:05. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.

[...]

ftp> ls
200 PORT command successful
150 Connecting to port 3378

[...]

ftp> passive
Passive mode on.
ftp> ls -l
227 Entering Passive Mode (192,168,1,11,237,181)
ftp: connect: No route to host
ftp>
ftp>
ftp> passive
Passive mode off.
ftp> ls -l
200 PORT command successful
150 Connecting to port 3380

[...]

226-Options: -l
226 4 matches total



As you can see active connections work but passive don't. The
negotiated port within the connection is 60853 ((256*237) + 181). My ftp
server (pure-ftpd) is allowing passive ports from 49000 to 65000 (49000
that is the first port that pfSense understands as available for passive
transfers as i saw in the internal code) so it shows the passive ftp is
not yet working :(


Any ideas?
Hope this helps.
Regards,


jonathan




Scott Ullrich wrote:


Do you have a rule permitting traffic from the WAN interface to
127.0.0.1?   If not, try this.

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:



Scott,

0.89.2
built on Sat Oct 22 22:16:29 UTC 2005


jonathan



Scott Ullrich wrote:



What version?

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:




Hi group,

i keep on having trouble while accessing my ftp server on one of my lan's
from internet.




Active ftp works fine, but, even if we have discussed this in the past
and a ticket in the cvs was opened to solve somehow this issue
something seems to be present yet around this theme.

I tried, as i said, to ftp from internet to my ftp server but i'm
unable. If i disable ftp-helper it works in active mode but passive ftp
won't (of course there's no ftp-helper running).

Also i think (i should test it more times) that the pftpx command does not
update the ip address in the '-b' flag (the public ip) when the wan
interface is dynamic, so in some cases the pftpx command is running in
the pfSense box with an ip address for the '-b' flag that is not the
configured in the WAN interface.

I think you should take this into consideration for future releases.

I look forward someone to help me telling me if someone else is having
the same behaviour in their boxes.

Thanks in advance.

jonathan









Re: [pfSense Support] feature request

2005-10-24 Thread jonathan gonzalez

Hi Scott,

in fact is what i did once i realized that both webGUI and captive 
portal were sharing the same certificate.


I only stated the possibility to do this automatically but it's 100%
understandable your PoV.


Thanks ;)

jonathan

PS: i'm writing a FAQ proposal as Bill told me about how to do it
manually ;)





Scott Ullrich wrote:

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi,

i would like to request the following feature (i'll do it on the cvstrac
if it's clearly accepted here in order to not stain the cvstrac).

HTTPS web interface and HTTPS captive portal share the same certificate
and private key for the SSL layer.

These certificates are generated from the web interface thru the menu
System -> Advanced functions -> webGUI SSL certificate/key.

Being the same certificate the two pair of boxes (certificate and key)
would be nice to be auto-completed automatically once the certificate is
generated in the Advanced functions.

Why do it so?

The certificate and its private key can be generated using 'System ->
Advanced functions -> webGUI SSL certificate/key'. The admin can decide
to put the webGUI in SSL or not, but if (s)he wants to enable Captive
Portal over SSL the certificate will be present and being populated in
the boxes.

Why maintain the boxes so?

If an admin (his/her company) is paying for SSL signing services with
verisign, thawte or other company (s)he can decide use a real
certificate in i.e. the captive portal boxes and a self-signed
certificate in the webGUI of pfSense.

I think these changes can help so much the implementation of Captive
Portal because will enable the user/admin to only select how (s)he wants
the portal to be running (SSL or not) using a simple click. If (s)he has
bigger needs then (s)he can populate the certificate and key boxes with
real worldwide accepted certificates for the captive portal (and of
course for the webGUI interface).

I look forward to hearing from you about this theme.
Regards,



Have you tried copy and pasting the key from the advanced screen to
the captive portal configuration screen?  I know this is not what you're
looking for but it should work.  At this point since we are syncing
against m0n0wall I would rather not change the captive portal code
unless we submit changes upstream to be included.

Scott




Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread jonathan gonzalez

Scott,

i put a rule as you told me but this doesn't seem to work. The only way
to enable ftp (active) is de-activating the ftp-helper.


This is a snippet of the ftp window in my workstation:


220-Local time is now 23:05. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.

[...]

ftp> ls
200 PORT command successful
150 Connecting to port 3378

[...]

ftp> passive
Passive mode on.
ftp> ls -l
227 Entering Passive Mode (192,168,1,11,237,181)
ftp: connect: No route to host
ftp>
ftp>
ftp> passive
Passive mode off.
ftp> ls -l
200 PORT command successful
150 Connecting to port 3380

[...]

226-Options: -l
226 4 matches total



As you can see active connections work but passive don't. The
negotiated port within the connection is 60853 ((256*237) + 181). My ftp
server (pure-ftpd) is allowing passive ports from 49000 to 65000 (49000
that is the first port that pfSense understands as available for passive
transfers as i saw in the internal code) so it shows the passive ftp is
not yet working :(


Any ideas?
Hope this helps.
Regards,


jonathan




Scott Ullrich wrote:

Do you have a rule permitting traffic from the WAN interface to
127.0.0.1?   If not, try this.

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Scott,

0.89.2
built on Sat Oct 22 22:16:29 UTC 2005


jonathan



Scott Ullrich wrote:


What version?

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:



Hi group,

i keep on having trouble while accessing my ftp server on one of my lan's
from internet.



Active ftp works fine, but, even if we have discussed this in the past
and a ticket in the cvs was opened to solve somehow this issue
something seems to be present yet around this theme.

I tried, as i said, to ftp from internet to my ftp server but i'm
unable. If i disable ftp-helper it works in active mode but passive ftp
won't (of course there's no ftp-helper running).

Also i think (i should test it more times) that the pftpx command does not
update the ip address in the '-b' flag (the public ip) when the wan
interface is dynamic, so in some cases the pftpx command is running in
the pfSense box with an ip address for the '-b' flag that is not the
configured in the WAN interface.

I think you should take this into consideration for future releases.

I look forward someone to help me telling me if someone else is having
the same behaviour in their boxes.

Thanks in advance.

jonathan
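
Added example, not part of the original thread: a Python check that decodes the 227 reply quoted in the message above and flags what a firewall admin would look at first, namely a private (RFC 1918) address advertised to a client outside the LAN and a data port outside the range opened for passive transfers. The function names and the `client_is_external` parameter are hypothetical; the sample lines are copied from the post, and the client is assumed to be on the internet side as the post describes.

```python
import ipaddress
import re

# The six comma-separated numbers of a "227 Entering Passive Mode" reply:
# four address octets followed by the high and low byte of the data port.
PASV_RE = re.compile(
    r"^227[ -].*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (host, port) for a 227 reply line, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in 227 reply: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose(line, pasv_range, client_is_external=True):
    """Decode one reply and list what would stop the data connection.

    pasv_range is the (low, high) port range permitted through the firewall.
    client_is_external is an assumption supplied by the caller: True when the
    FTP client sits outside the LAN.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return None
    host, port = parsed
    findings = []
    # A private address in the reply means the client was told to connect
    # to the server's LAN address, which it cannot reach from outside.
    if client_is_external and ipaddress.ip_address(host).is_private:
        findings.append("private-address-advertised")
    low, high = pasv_range
    if not low <= port <= high:
        findings.append("port-outside-passive-range")
    return {"host": host, "port": port, "findings": findings}


def scan_transcript(lines, pasv_range, client_is_external=True):
    """Run diagnose() over a client transcript, keeping only the 227 replies."""
    results = (diagnose(l, pasv_range, client_is_external) for l in lines)
    return [r for r in results if r is not None]


# Lines copied from the ftp session quoted in the post above.
TRANSCRIPT = [
    "200 PORT command successful",
    "150 Connecting to port 3378",
    "227 Entering Passive Mode (192,168,1,11,237,181)",
    "ftp: connect: No route to host",
]

if __name__ == "__main__":
    # 49000-65000 is the pure-ftpd passive range stated in the post.
    for result in scan_transcript(TRANSCRIPT, (49000, 65000)):
        print(result)
```
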









[pfSense Support] feature request

2005-10-24 Thread jonathan gonzalez

Hi,

i would like to request the following feature (i'll do it on the cvstrac
if it's clearly accepted here in order to not stain the cvstrac).

HTTPS web interface and HTTPS captive portal share the same certificate
and private key for the SSL layer.

These certificates are generated from the web interface thru the menu
System -> Advanced functions -> webGUI SSL certificate/key.

Being the same certificate the two pair of boxes (certificate and key)
would be nice to be auto-completed automatically once the certificate is
generated in the Advanced functions.

Why do it so?

The certificate and its private key can be generated using 'System ->
Advanced functions -> webGUI SSL certificate/key'. The admin can decide
to put the webGUI in SSL or not, but if (s)he wants to enable Captive
Portal over SSL the certificate will be present and being populated in
the boxes.

Why maintain the boxes so?

If an admin (his/her company) is paying for SSL signing services with
verisign, thawte or other company (s)he can decide use a real
certificate in i.e. the captive portal boxes and a self-signed
certificate in the webGUI of pfSense.

I think these changes can help so much the implementation of Captive
Portal because will enable the user/admin to only select how (s)he wants
the portal to be running (SSL or not) using a simple click. If (s)he has
bigger needs then (s)he can populate the certificate and key boxes with
real worldwide accepted certificates for the captive portal (and of
course for the webGUI interface).

I look forward to hearing from you about this theme.
Regards,

jonathan






Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread jonathan gonzalez

Scott,

0.89.2
built on Sat Oct 22 22:16:29 UTC 2005


jonathan



Scott Ullrich wrote:

What version?

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi group,

I keep on having trouble while accessing my ftp server on one of my LANs
from the internet.

Active ftp works fine, but, even though we have discussed this in the past
and a ticket in the cvs was opened to solve this issue somehow,
something still seems to be present around this theme.

I tried, as I said, to ftp from the internet to my ftp server but I'm
unable. If I disable ftp-helper it works in active mode but passive ftp
won't (of course there's no ftp-helper running).

Also I think (I should test it more times) that the pftpx command does not
update the ip address in the '-b' flag (the public ip) when the wan
interface is dynamic, so in some cases the pftpx command is running in
the pfSense box with an ip address for the '-b' flag that is not the
one configured in the WAN interface.

I think you should take this into consideration for future releases.

I look forward to someone helping me by telling me if someone else is
having the same behaviour in their boxes.

Thanks in advance.

jonathan









Re: [pfSense Support] pfSense web certificate creation error (openssl related)

2005-10-24 Thread jonathan gonzalez

Bill,

pfSense - Ticket #635

It's done ;)

jonathan



Bill Marquette wrote:

If you haven't already, please file this as a bug in cvstrac (I'd like
to have something to track for the fix and the MFC).  Thanks

--Bill

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi group,

I have detected an error in the generation of the web certificate for
pfSense.

This error is something internal that only applies to the fields that
openssl processes to generate a PEM file (certificate + private key),
the file (certificate) that is used to access via SSL pfSense and for
the captive portal while running with HTTPS enabled.

A normal certificate like this includes the following fields:

CN, OU, O, L, ST, C

In this case the certificate that is generated using pfSense has a
duplicate entry for the country field ( C ).

An example of mine:

C = US
CN = pfsense
OU = security
O = surestorm.com
L = gijon
ST = asturias
C = es

As you can see, the first 'C' entry and its value shouldn't be there.

You can check your certificates by taking a close look at the Issuer,
Subject and Authority Key Identifier fields of the certificate properties.

I hope this can be fixed in future releases.




[pfSense Support] passive ftp (strike 2)

2005-10-24 Thread jonathan gonzalez

Hi group,

I keep on having trouble while accessing my ftp server on one of my LANs
from the internet.


Active ftp works fine, but, even though we have discussed this in the past
and a ticket in the cvs was opened to solve this issue somehow,
something still seems to be present around this theme.


I tried, as I said, to ftp from the internet to my ftp server but I'm
unable. If I disable ftp-helper it works in active mode but passive ftp
won't (of course there's no ftp-helper running).


Also I think (I should test it more times) that the pftpx command does not
update the ip address in the '-b' flag (the public ip) when the wan
interface is dynamic, so in some cases the pftpx command is running in
the pfSense box with an ip address for the '-b' flag that is not the
one configured in the WAN interface.


I think you should take this into consideration for future releases.

I look forward to someone helping me by telling me if someone else is
having the same behaviour in their boxes.


Thanks in advance.

jonathan









[pfSense Support] pfSense web certificate creation error (openssl related)

2005-10-24 Thread jonathan gonzalez

Hi group,

I have detected an error in the generation of the web certificate for
pfSense.


This error is something internal that only applies to the fields that 
openssl processes to generate a PEM file (certificate + private key), 
the file (certificate) that is used to access via SSL pfSense and for 
the captive portal while running with HTTPS enabled.


A normal certificate like this includes the following fields:

CN, OU, O, L, ST, C

In this case the certificate that is generated using pfSense has a 
duplicate entry for the country field ( C ).


An example of mine:

C = US
CN = pfsense
OU = security
O = surestorm.com
L = gijon
ST = asturias
C = es

As you can see, the first 'C' entry and its value shouldn't be there.

You can check your certificates by taking a close look at the Issuer,
Subject and Authority Key Identifier fields of the certificate properties.


I hope this can be fixed in future releases.
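
The check described in this report can be automated. The following is an added example, not part of the original post or of pfSense: it parses the subject and issuer lines printed by `openssl x509 -noout -subject -issuer` and reports attribute types that appear more than once. The sample lines are constructed from the values quoted above, and the set of "expected once" types is an assumption of the example.

```python
import re
from collections import Counter

# Attribute types this example expects once per name (an assumption of the
# example; OU and DC may legitimately repeat, so they are not listed).
EXPECT_ONCE = {"C", "ST", "L", "O", "CN"}

FIELD = re.compile(r"\s*(subject|issuer)\s*=\s*(.*)", re.IGNORECASE)


def parse_dn(line):
    """Parse a distinguished name into an ordered list of (type, value).

    Accepts 'subject=...' / 'issuer=...' lines in both OpenSSL text styles
    ('/C=US/CN=x' and 'C = US, CN = x') or a bare name without the prefix.
    """
    match = FIELD.match(line)
    dn = (match.group(2) if match else line).strip()
    separator = "/" if dn.startswith("/") else ","
    pairs = []
    # Split on the separator unless it is backslash-escaped inside a value.
    for part in re.split(r"(?<!\\)" + re.escape(separator), dn):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not an attribute=value pair: {part!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def duplicated_attributes(pairs, expect_once=EXPECT_ONCE):
    """Return {type: [values...]} for expect-once types that occur repeatedly."""
    counts = Counter(key for key, _ in pairs)
    return {
        key: [value for k, value in pairs if k == key]
        for key, count in counts.items()
        if count > 1 and key in expect_once
    }


def audit(openssl_text):
    """Check every subject/issuer line and return {field: duplicates}."""
    findings = {}
    for line in openssl_text.splitlines():
        match = FIELD.match(line)
        if match:
            duplicates = duplicated_attributes(parse_dn(line))
            if duplicates:
                findings[match.group(1).lower()] = duplicates
    return findings


# Constructed sample output built from the field values quoted in the post.
# The two lines deliberately use the two OpenSSL text styles; a self-signed
# certificate carries the same name as subject and issuer.
BROKEN = (
    "subject=C = US, CN = pfsense, OU = security, O = surestorm.com, "
    "L = gijon, ST = asturias, C = es\n"
    "issuer= /C=US/CN=pfsense/OU=security/O=surestorm.com"
    "/L=gijon/ST=asturias/C=es\n"
)
# The same name without the stray leading country entry.
FIXED = (
    "subject=CN = pfsense, OU = security, O = surestorm.com, "
    "L = gijon, ST = asturias, C = es\n"
)

if __name__ == "__main__":
    print("broken:", audit(BROKEN))
    print("fixed: ", audit(FIXED))
```
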




Re: [pfSense Support] 0.89.2

2005-10-24 Thread Jonathan Gonzalez

Hi

I have recently added a post in the FAQ indicating a URL that can be
used to grab old packages, ISOs, and so forth from the project page
(thanks to Scott for the reference).

In order to get old versions please visit -> http://www.pfsense.com/old/

Hope this helps ;)

jonathan



On 10/24/05, Kevin Wolf <[EMAIL PROTECTED]> wrote:
> Bill Marquette wrote:
>
> >On 10/23/05, Kevin Wolf <[EMAIL PROTECTED]> wrote:
> >
> >
> >>You can tell the port that I'm getting all the traffic on is not 7700.
> >>This means that the port that I'm sending on through the WAN is not 7700
> >>like it should be according to the rule I made.  I even doublechecked
> >>that my IP was typed correctly and the settings in my game were right.
> >>I can only get this game working in 0.89.2 if I use 1:1.  I got the game
> >>working with advanced outbound NAT in 0.86.4.  The same exact setup in
> >>0.89.2 is not working for me.
> >>
> >>
> >
> >Hmmm, I fixed a bug with advanced outbound NAT after 0.86.4.  Can you
> >send me /tmp/rules.debug from a working 0.86.4 and one from a broken
> >0.89.2 so I can compare and see why it's now not working.
> >
> >--Bill
> >
> >
> >
> >
> >
> I can't find my 0.86.4 cd, and it's not on the mirrors :(  Does anyone
> have a link where I can download it at?
>
> Here's what cat /tmp/rules.debug | grep 700 looks like from my 0.89.2 setup:
> # cat /tmp/rules.debug | grep 700
> nat on xl1 from 192.168.1.200/32 to any port 7700  -> (xl1) port 7700
> rdr on xl1 proto udp from any to 68.7.144.105 port { 7700 } ->
> 192.168.1.200 port 7700
> pass in quick on $wan proto udp from any to {  192.168.1.200 } port =
> 7700 keep state  label "USER_RULE: NAT wolfk-desk gunz"
>



[pfSense Support] https in the captive portal -> solved!

2005-10-23 Thread jonathan gonzalez

Hi group,

I have been talking about this theme with Scott Ullrich and in the end
it worked: the captive portal works fine with https.


In order to achieve this, what I have done is to take a look, using the
shell, at the file /var/etc/cert.pem


A PEM file is a type of file that includes certificate + key. Knowing
this, it was natural to think that if the captive portal requires a key
and a certificate in the web frontend, I can use the information included
in the aforementioned file.


So I did. I pasted the portion of code labeled as "-----BEGIN
CERTIFICATE-----" into the certificate box in the web frontend and the
code labeled as "-----BEGIN RSA PRIVATE KEY-----" into the key box in
the web frontend.


Then I marked the HTTP login (avoiding the comments saying that the use
of this feature is only for Radius authentication) and now my box opens
the 8001 port and validates the captive portal against pfSense using an
SSL tunnel, preventing eavesdroppers from gathering information on-the-fly.


Hope this helps others.
Kind regards,

jonathan
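
The manual copy-and-paste described above can be scripted. This is an added example, not part of the original post or of pfSense: it splits a combined PEM file into the certificate block and the private key block, and rejects truncated, damaged or passphrase-protected input. The sample file content is constructed and is not a real certificate or key; the function names are hypothetical.

```python
import base64
import re

# One PEM block: BEGIN line, body, and the END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def split_pem(text):
    """Return (certificate_blocks, key_blocks) found in a combined PEM file."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if body.lstrip().startswith("Proc-Type:"):
            # Traditional encrypted key: a server started without a
            # passphrase prompt cannot load it.
            raise ValueError(f"{label} block is passphrase-protected")
        try:
            # Strict decoding catches a paste that lost or gained characters.
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"corrupt base64 in {label} block") from exc
        block = match.group(0).replace("\r\n", "\n") + "\n"
        if label in CERT_LABELS:
            certs.append(block)
        elif label in KEY_LABELS:
            keys.append(block)
    return certs, keys


def portal_fields(text):
    """Return the text for the certificate box and for the key box."""
    certs, keys = split_pem(text)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    return {"certificate": "".join(certs), "key": keys[0]}


def fake_block(label, payload):
    """Build a syntactically valid PEM block around constructed bytes."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-in for a combined file such as /var/etc/cert.pem.
# The payloads are placeholder bytes, not real DER.
SAMPLE = (
    fake_block("CERTIFICATE", b"constructed certificate bytes " * 4)
    + fake_block("RSA PRIVATE KEY", b"constructed key bytes " * 4)
)

if __name__ == "__main__":
    fields = portal_fields(SAMPLE)
    print(fields["certificate"])
    # Print only the key's first line: the key itself should stay off screens
    # and out of logs.
    print(fields["key"].splitlines()[0])
```
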




Re: [pfSense Support] http - https and captive portal

2005-10-23 Thread jonathan gonzalez

Hi Scott,

I sniffed the session while using the captive portal, and definitely a
non-HTTPS session is used.


I would like to know where I can modify the global variable
"$PORTAL_ACTION$" to use https://

Thanks in advance.

jonathan




Scott Ullrich wrote:

There is no way for me to see this code correctly.  Make sure your
form is posting to https://$IPOFpfSENSE  ...  If for some reason the
form doesn't post then you know it's not running on HTTPS.

Scott
PS: please do not send html mail to public lists.

On 10/22/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


This is the exim of the command you tell:

root  511  0.0  0.4  2552  2004  ??  Ss   12:26PM   0:02.77
/usr/local/sbin/mini_httpd -S -E /var/etc/cert.pem -c **.php|**.cgi -u
root -maxproc 16 -i /var/run/mi
root  567  0.0  0.3  2512  1608  ??  Ss   12:26PM   0:00.01
/usr/local/sbin/mini_httpd -a -M 0 -u root -maxproc 72 -p 8000 -i
/var/run/mini_httpd.cp.pid
root  570  0.0  0.1  1180   712  ??  Ss   12:26PM   0:00.20
/usr/local/bin/minicron 60 /var/run/minicron.pid /etc/rc.prunecaptiveportal



I can see something related to a PEM file. Should I think mini_httpd is
running with SSL support? My tests show me that it doesn't :(

About the "lock icon", which auth page do you refer to?

I have already attached my home-made captive portal page, using the form
code pfsense provides from the web admin panel, for your evaluation. Am I
doing something wrong or incomplete?

Wait for your thoughts!
Regards,


jonathan






Scott Ullrich wrote:


Please run a ps awux | grep mini and show the results from a shell.

Also, do you not see a lock icon in the browser when visiting the auth page?


On 10/22/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:



Hi,

I have a reasonable doubt (I think): if I set up web admin access using
SSL, why is the captive portal running (and processing authentication)
on standard http?

I look forward to get your thoughts.
Regards,

jonathan











SURESTORM.COM CAPTIVE PORTAL

In order to get in/out of the LAN you'll need to authenticate to the central 
AAA server.
  Provide your username and password below and check your access rights.



Username:

Password:




If you have further trouble get in touch via email to [EMAIL PROTECTED]
  Kind regards  
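
The check suggested in this thread, that the login form posts to an https:// address, can be run against a portal page without a sniffer. This is an added example, not part of the original messages or of pfSense: it substitutes a value for `$PORTAL_ACTION$`, finds every form that contains a password field, and reports whether its resolved action uses HTTPS. The page markup, field names and the 192.168.1.1 address are constructed; ports 8000 and 8001 are the ones mentioned in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Record every <form>: its action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": attrs.get("action") or "",
                               "password": False})
        elif tag == "input" and self.in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.forms[-1]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def credential_targets(page_html, page_url, portal_action):
    """Return [(resolved_action_url, uses_https)] for each password form.

    page_url is the address the page was served from; portal_action is the
    value substituted for the $PORTAL_ACTION$ placeholder.
    """
    scanner = FormScanner()
    scanner.feed(page_html.replace("$PORTAL_ACTION$", portal_action))
    scanner.close()
    targets = []
    for form in scanner.forms:
        if form["password"]:
            # An empty or relative action resolves against the page URL, so
            # a page served over http:// posts its credentials over http://.
            url = urljoin(page_url, form["action"])
            targets.append((url, urlsplit(url).scheme == "https"))
    return targets


# Constructed portal page; the field names are placeholders for this example.
PAGE = """<html><body>
<h1>SURESTORM.COM CAPTIVE PORTAL</h1>
<form method="post" action="$PORTAL_ACTION$">
  Username: <input name="username" type="text">
  Password: <input name="password" type="password">
  <input name="accept" type="submit" value="Continue">
</form>
</body></html>"""

if __name__ == "__main__":
    for page_url, action in [
        ("http://192.168.1.1:8000/", "http://192.168.1.1:8000/"),
        ("https://192.168.1.1:8001/", "https://192.168.1.1:8001/"),
    ]:
        for url, encrypted in credential_targets(PAGE, page_url, action):
            print(url, "encrypted" if encrypted else "CLEARTEXT")
```
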





Re: [pfSense Support] nat & firewall logs

2005-10-23 Thread jonathan gonzalez

Bill,

Your options are quite valid, but anyway, exporting to netflow, a rule
number in the log line will help so much.


Would it be possible to achieve this in a "low cost of time" fashion? Do the
developers find this interesting for 'your' product?


TIA,

jonathan




Bill Marquette wrote:

On 10/23/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi,

this post is more likely to be a request than a support post.

I think that the firewall logs should be complemented with nat logs and
a very important column (on both logs) in order to review a lot of logs:
rule number.

I think this would be important in high production environments where
an admin must review a lot of logs.

Also an option to recover the whole list of lines in the whole logs
should be important in order to do some 'forensic analysis'.



I'd recommend using pfflowd to log the passed traffic (you did say
forensic analysis) and syslog to send the logs to another machine.
Right now our syslog only does UDP, but if someone was willing to
create a syslog-ng package and modify the system to make syslog
changing dynamic (we're not moving away from clog for the base system)
then you can syslog considerably more securely.

--Bill




[pfSense Support] nat & firewall logs

2005-10-23 Thread jonathan gonzalez

Hi,

this post is more likely to be a request than a support post.

I think that the firewall logs should be complemented with nat logs and
a very important column (on both logs) in order to review a lot of logs:
rule number.


I think this would be important in high production environments where
an admin must review a lot of logs.


Also an option to recover the whole list of lines in the whole logs
should be important in order to do some 'forensic analysis'.


Hope this helps.
Wait for your thoughts!
Regards,


jonathan




Re: [pfSense Support] http - https and captive portal

2005-10-22 Thread jonathan gonzalez

This is the exim of the command you tell:

root  511  0.0  0.4  2552  2004  ??  Ss   12:26PM   0:02.77 
/usr/local/sbin/mini_httpd -S -E /var/etc/cert.pem -c **.php|**.cgi -u 
root -maxproc 16 -i /var/run/mi
root  567  0.0  0.3  2512  1608  ??  Ss   12:26PM   0:00.01 
/usr/local/sbin/mini_httpd -a -M 0 -u root -maxproc 72 -p 8000 -i 
/var/run/mini_httpd.cp.pid
root  570  0.0  0.1  1180   712  ??  Ss   12:26PM   0:00.20 
/usr/local/bin/minicron 60 /var/run/minicron.pid /etc/rc.prunecaptiveportal




I can see something related to a PEM file. Should I think mini_httpd is
running with SSL support? My tests show me that it doesn't :(


About the "lock icon", which auth page do you refer to?

I have already attached my home-made captive portal page, using the form
code pfsense provides from the web admin panel, for your evaluation. Am I
doing something wrong or incomplete?


Wait for your thoughts!
Regards,


jonathan





Scott Ullrich wrote:

Please run a ps awux | grep mini and show the results from a shell.

Also, do you not see a lock icon in the browser when visiting the auth page?


On 10/22/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi,

I have a reasonable doubt (I think): if I set up web admin access using
SSL, why is the captive portal running (and processing authentication)
on standard http?

I look forward to get your thoughts.
Regards,

jonathan




Title: SURESTORM.COM Captive Portal

SURESTORM.COM CAPTIVE PORTAL

In order to get in/out of the LAN you'll need to authenticate to the central AAA server.
Provide your username and password below and check your access rights.

Username:

Password:

If you have further trouble get in touch via email to [EMAIL PROTECTED]
Kind regards





[pfSense Support] system logs icons and behaviour

2005-10-22 Thread jonathan gonzalez

Hi

In the ruleset I have defined a rule with a reject behaviour (yellow
cross icon) but in the system logs -> firewall, a red cross icon
appears in the act column.


I understand this is a minor bug related to presentation.

Hope this will be solved in next versions :)

Regards,


jonathan





[pfSense Support] http - https and captive portal

2005-10-22 Thread jonathan gonzalez

Hi,

I have a reasonable doubt (I think): if I set up web admin access using
SSL, why is the captive portal running (and processing authentication)
on standard http?


I look forward to get your thoughts.
Regards,

jonathan





Re: [pfSense Support] ipsec

2005-10-22 Thread jonathan gonzalez

I'm also working on the openvpn implementation in my box, so if either
of us obtains good results it would be good to post the good news on
the list, don't you think? ;)


Regards,

jonathan



alan walters wrote:

Yep I use an email address as the cn.
Open vpn would be great but this seems to still not be available.
Even a gre tunnel would do what I require but again not built into pfsense.

So I persevere this way. The only security concern that I can see is the vpn hub. This is a concern but pfsense seems to be reasonably well locked down.


The whole point of the hub is to be able to get a central public block to a
large number of remote sites that I cannot route blocks to.

I might take your advice though and try with openvpn if I can get the devel
options to work and enable it.



-----Original Message-----
From: jonathan gonzalez [mailto:[EMAIL PROTECTED]
Sent: 22 October 2005 17:57
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec

Hi guys,

I know that this question may seem to be silly but, if what you want is
to establish an ipsec tunnel in a roadwarrior-fashion, why don't you use
any other type of CN?

I mean, use a dyndns name, an email address, etc...

In the contrary case you can use OpenVPN, which is not ipsec but will
enable you to easily achieve what I think you need.

Just to finish, 0.0.0.0 is not a good idea because you use ipsec to
set up a net-to-net tunnel... Using 0.0.0.0 you would likely be a vpn hub,
which is something 'weird' from the security point of view.

That's my 0.02€ ;)

Regards,

jonathan





alan walters wrote:


This must have got overwritten when we sync'd to m0n0wall for their
certificate support.  Do a update_file.sh
/usr/local/www/vpn_ipsec_edit.php and all should be well again (I
hope).

Scott



[alan walters]

I copied that file from the releng branch of the cvs but still the same.
The box is isolated from the internet so no way to update it apart from
manually. This still produced the same error. Remote subnet bits cannot
be zero.




On 10/21/05, alan walters <[EMAIL PROTECTED]> wrote:




I know some time ago we looked at ipsec tunnels with 0.0.0.0/0 subnets. I
upgraded to 0.86.4 and again to 0.88.0

Neither seem to support the following configuration in gui any more.

This will not work:

Localnet 192.168.1.1/24   remotegateway: public address
Remotenet 0.0.0.0/0

But this works :

Localnet 0.0.0.0/0   remotegateway: public address
Remotenet 192.168.1.1/24

Regards.

Hope you can help me with this.





Re: [pfSense Support] ipsec

2005-10-22 Thread jonathan gonzalez

Hi guys,

I know that this question may seem to be silly but, if what you want is
to establish an ipsec tunnel in a roadwarrior-fashion, why don't you use
any other type of CN?


I mean, use a dyndns name, an email address, etc...

In the contrary case you can use OpenVPN, which is not ipsec but will
enable you to easily achieve what I think you need.


Just to finish, 0.0.0.0 is not a good idea because you use ipsec to
set up a net-to-net tunnel... Using 0.0.0.0 you would likely be a vpn hub,
which is something 'weird' from the security point of view.


That's my 0.02€ ;)

Regards,

jonathan





alan walters wrote:

This must have got overwritten when we sync'd to m0n0wall for their
certificate support.  Do a update_file.sh
/usr/local/www/vpn_ipsec_edit.php and all should be well again (I
hope).

Scott



[alan walters] 


I copied that file from the releng branch of the cvs but still the same.
The box is isolated from the internet so no way to update it apart from
manually. This still produced the same error. Remote subnet bits cannot
be zero.




On 10/21/05, alan walters <[EMAIL PROTECTED]> wrote:




I know some time ago we looked at ipsec tunnels with 0.0.0.0/0 subnets. I
upgraded to 0.86.4 and again to 0.88.0

Neither seem to support the following configuration in gui any more.

This will not work:

Localnet 192.168.1.1/24   remotegateway: public address
Remotenet 0.0.0.0/0

But this works :

Localnet 0.0.0.0/0   remotegateway: public address
Remotenet 192.168.1.1/24

Regards.

Hope you can help me with this.





Re: [pfSense Support] Traffic shaping dropdown unit option not working

2005-10-20 Thread jonathan gonzalez

Bill,

If future versions of pfSense can include support for the nveX driver
(NVIDIA nForce MCP2 Networking Adapter) that would be fantastic ;)


Regards :)

jonathan


Bill Marquette wrote:

On 10/20/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi group,

in the menu option Interfaces -> WAN the third entry (Bandwidth
Management (Traffic Shaping)) has a bug.

If I introduce my dsl value and select the appropriate unit, in this case
Kilobit/s, after pushing the 'save' button the dropdown turns the unit to
bit/s, and it shouldn't.

I don't know if this affects the traffic shaping engine because I
couldn't test this feature yet (one of my NICs is not supported by
ALTQ).



Yeah, I seem to recall leaving that in place but that it no longer
means much (or shouldn't).  What type of NIC is it that altq doesn't
support (I know that there are a number, just curious as to which one
you have - what driver it's using)?

--Bill




Re: [pfSense Support] Traffic shaping dropdown unit option not working

2005-10-20 Thread jonathan gonzalez

Hi Bill,

The interface that seems not to support ALTQ is the onboard nic.
This is a cut of my `dmesg`:


nve0:  port 0xe000-0xe007 mem 
0xee083000-0xee083fff irq 20 at device 4.0 on pci0

nve0: Ethernet address 00:00:00:XX:XX:XX

Regards ;)

jonathan



Bill Marquette wrote:

On 10/20/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi group,

in the menu option Interfaces -> WAN the third entry (Bandwidth
Management (Traffic Shaping)) has a bug.

If I introduce my dsl value and select the appropriate unit, in this case
Kilobit/s, after pushing the 'save' button the dropdown turns the unit to
bit/s, and it shouldn't.

I don't know if this affects the traffic shaping engine because I
couldn't test this feature yet (one of my NICs is not supported by
ALTQ).



Yeah, I seem to recall leaving that in place but that it no longer
means much (or shouldn't).  What type of NIC is it that altq doesn't
support (I know that there are a number, just curious as to which one
you have - what driver it's using)?

--Bill




[pfSense Support] Traffic shaping dropdown unit option not working

2005-10-20 Thread jonathan gonzalez

Hi group,

in the menu option Interfaces -> WAN the third entry (Bandwidth 
Management (Traffic Shaping)) has a bug.


If I introduce my dsl value and select the appropriate unit, in this case
Kilobit/s, after pushing the 'save' button the dropdown turns the unit to
bit/s, and it shouldn't.


I don't know if this affects the traffic shaping engine because I
couldn't test this feature yet (one of my NICs is not supported by
ALTQ).


Just writing to inform others who can check this issue.
Regards,


jonathan





Re: [pfSense Support] after upgrading to 0.88...

2005-10-20 Thread jonathan gonzalez

Scott,

I attach the last-minute logs. The rest of the system logs show exactly the
same behavior:




Oct 20 23:15:42 mpd: [pppoe] device is now in state OPENING
Oct 20 23:15:42 mpd: [pppoe] device: OPEN event in state DOWN
Oct 20 23:15:41 mpd: [pppoe] device is now in state DOWN
Oct 20 23:15:41 mpd: [pppoe] pausing 1 seconds before open
Oct 20 23:15:41 mpd: [pppoe] device: OPEN event in state DOWN
Oct 20 23:15:37 mpd: [pppoe] device is now in state DOWN
Oct 20 23:15:37 mpd: [pppoe] pausing 4 seconds before open
Oct 20 23:15:37 mpd: [pppoe] device: OPEN event in state DOWN
Oct 20 23:15:37 mpd: [pppoe] LCP: Down event
Oct 20 23:15:37 mpd: [pppoe] link: DOWN event
Oct 20 23:15:37 mpd: [pppoe] device is now in state DOWN
Oct 20 23:15:37 mpd: [pppoe] device: DOWN event in state OPENING
Oct 20 23:15:37 mpd: [pppoe] PPPoE connection timeout after 9 seconds
Oct 20 23:15:28 mpd: [pppoe] device is now in state OPENING
Oct 20 23:15:28 mpd: [pppoe] device: OPEN event in state DOWN
Oct 20 23:15:22 mpd: [pppoe] device is now in state DOWN
Oct 20 23:15:22 mpd: [pppoe] pausing 6 seconds before open
Oct 20 23:15:22 mpd: [pppoe] device: OPEN event in state DOWN
Oct 20 23:15:22 mpd: [pppoe] LCP: Down event
Oct 20 23:15:22 mpd: [pppoe] link: DOWN event
Oct 20 23:15:22 mpd: [pppoe] device is now in state DOWN
Oct 20 23:15:22 mpd: [pppoe] device: DOWN event in state OPENING
Oct 20 23:15:22 mpd: [pppoe] PPPoE connection timeout after 9 seconds
Oct 20 23:15:13 mpd: [pppoe] device is now in state OPENING
Oct 20 23:15:13 mpd: [pppoe] device: OPEN event in state DOWN
Oct 20 23:15:07 mpd: [pppoe] device is now in state DOWN
Oct 20 23:15:07 mpd: [pppoe] pausing 6 seconds before open
Oct 20 23:15:07 mpd: [pppoe] device: OPEN event in state DOWN
Oct 20 23:15:07 mpd: [pppoe] LCP: Down event
Oct 20 23:15:07 mpd: [pppoe] link: DOWN event
Oct 20 23:15:07 mpd: [pppoe] device is now in state DOWN
Oct 20 23:15:07 mpd: [pppoe] device: DOWN event in state OPENING
Oct 20 23:15:07 mpd: [pppoe] PPPoE connection timeout after 9 seconds


jonathan






Scott Ullrich wrote:

Anything in the system logs?

On 10/20/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Sorry Scott, I forgot to include such information in the previous post

1.) PPPoE Connection
2.) No DynDNS client running
3.) xl0 driver/nic type

Anything else that you can find interesting?

Rgds,

jonathan


Scott Ullrich wrote:


First I have heard of this.  It would be rather helpful if you told us
how the WAN is configured.

On 10/20/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:



... my wan interface stopped working and I cannot connect to the internet.
Is anything known about this?

TIA,

jonathan





Re: [pfSense Support] after upgrading to 0.88...

2005-10-20 Thread jonathan gonzalez

Sorry Scott, I forgot to include such information in the previous post

1.) PPPoE Connection
2.) No DynDNS client running
3.) xl0 driver/nic type

Anything else that you can find interesting?

Rgds,

jonathan


Scott Ullrich wrote:

First I have heard of this.  It would be rather helpful if you told us
how the WAN is configured.

On 10/20/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


... my wan interface stopped working and I cannot connect to the internet.
Is anything known about this?

TIA,

jonathan





[pfSense Support] after upgrading to 0.88...

2005-10-20 Thread jonathan gonzalez

... my wan interface stopped working and I cannot connect to the internet.
Is anything known about this?


TIA,

jonathan





Re: [pfSense Support] dual/quad nic support

2005-10-19 Thread jonathan gonzalez

ok, thanks a lot!

jonathan



Bill Marquette wrote:

On 10/19/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi group,

I would like to know if the dual/quad NICs are valid for pfsense,
especially thinking of the traffic shaping feature (of course I know that
it depends on the nic driver/module).



I assume you mean the Intel nics?  These should work just fine.



Any experiences from people that are using/testing pfSense with such
types of NICs will be welcome.



At least one person on this list is using the dual cards with pfSense.
  I've got a stack of quads at work, but haven't had a chance to put
pfSense on a box with one yet.

--Bill




[pfSense Support] dual/quad nic support

2005-10-19 Thread jonathan gonzalez

Hi group,

I would like to know if the dual/quad NICs are valid for pfsense,
especially thinking of the traffic shaping feature (of course I know that
it depends on the nic driver/module).


Any experiences from people that are using/testing pfSense with such
types of NICs will be welcome.


Thanks in advance.
Regards,

jonathan





[pfSense Support] console access

2005-10-19 Thread Jonathan Gonzalez

Hi group,

I have tried in my barebone to connect to the comX port once activated
through the web environment but I was unable. Anyway I'm not sure if this
is a problem of the operating system or a problem of the barebone.

In any case what I would like to know is if it's possible to configure
the boot/kernel permanently to send the vga through the console
port by default, whether a cable is plugged in or not.

If so, I would appreciate it if you could describe the process in
order to accomplish this.

Thanks in advance.
Rgds,

jonathan




Re: [pfSense Support] No Internet Traffic after 1 Day

2005-10-18 Thread jonathan gonzalez

It isn't necessary, today it stopped working. I experienced it myself. What I
don't know is why it didn't happen to me before now ¿?


Rgds,

jonathan



Damien Dupertuis wrote:

After exactly one day, the wan-side stops working...

You turn the dyndns client off, restart pfsense and...
it works again...

If you want to know more, look at the archives...

regards...

Damien

--- Jonathan Gonzalez <[EMAIL PROTECTED]> wrote:

What is exactly the problem? Does the system hang
or what happens?

jonathan

On 10/18/05, Damien Dupertuis <[EMAIL PROTECTED]> wrote:

Great... but remember, you'll have to wait one day so
see the bug...

I wish you could find it... because it bothers me ...

Regards...

Damien

--- Bill Marquette <[EMAIL PROTECTED]> wrote:

On 10/18/05, Damien Dupertuis <[EMAIL PROTECTED]> wrote:

:-( It didn't work for me :-(

I've been running it without the dyndns client for 8
days without a glitch...

Maybe I should re-enable dyndns and see what
happens...

regards...

I'm on 86.4 on the only box I have that does pppoe,
I can try setting
up dyndns tonight and see if things break.

--Bill



[pfSense Support] FreeRadius state

2005-10-18 Thread jonathan gonzalez

Hi group,

i would like to know more about the state of the FreeRadius package that 
actually appears as "broken" in the package list:


   freeradius   Security   BROKEN   1.0.4

Thanks in advance,
Rgds,

jonathan




Re: [pfSense Support] No Internet Traffic after 1 Day

2005-10-18 Thread Jonathan Gonzalez
What is exactly the problem? Does the system hang or what happens?

jonathan


On 10/18/05, Damien Dupertuis <[EMAIL PROTECTED]> wrote:
> Great... but remember, you'll have to wait one day so
> see the bug...
>
> I wish you could find it... because it bothers me ...
>
> Regards...
>
> Damien
>
> --- Bill Marquette <[EMAIL PROTECTED]> wrote:
>
> > On 10/18/05, Damien Dupertuis <[EMAIL PROTECTED]>
> > wrote:
> > > :-( It didn't work for me :-(
> > >
> > > I've been running it without the dyndns client for 8
> > > days without a glitch...
> > >
> > > Maybe I should re-enable dyndns and see what
> > > happens...
> > >
> > > regards...
> >
> > I'm on 86.4 on the only box I have that does pppoe,
> > I can try setting
> > up dyndns tonight and see if things break.
> >
> > --Bill



Re: [pfSense Support] No Internet Traffic after 1 Day

2005-10-18 Thread jonathan gonzalez

yes, i setup the built-in client. My version is 0.86.4

jonathan



Damien Dupertuis wrote:

Is your dyndns client on your pfsense box???

--- jonathan gonzalez <[EMAIL PROTECTED]> wrote:

hi,

i'm using PPPoE and dyndns client and i think it
doesn't affect me :(

Rgds,

jonathan

Damien Dupertuis wrote:

Hello,

Are you using pppoe and dyndns client???

If so, this is why your pfsense hangs.

Disable the dyndns client, reboot and everything
should work... This is a long-story bug I hope the
developers will solve...

regards..

Damien

--- Carsten Clementschitsch <[EMAIL PROTECTED]> wrote:

Hi,

I tested the last 3 versions, every time the same
problem, After using a fresh install it works for
about a day, then no traffic to the internet is
possible, although the internet connection is up.
Only a complete reset can fix the problem for
another day.

the attached file is the state in which the router
doesn't work any more.

thanx
Carsten



Re: [pfSense Support] openvpn certs creation

2005-10-12 Thread jonathan gonzalez

oook ;) perfect... i'll try the new packages.

Thanks a lot!

jonathan


Scott Ullrich wrote:
I will sync the latest OpenVPN from Peter (m0n0wall commiter) today.  
Should have a version for you to play with in a bit.


Scott


On 10/12/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


I realized that the tun interface was not present and also in the Rules
menu appeared a new tab named OPT1.

In my case i only have 2 NICS so i don't have an optional third interface.

I'm not sure if the vpn hung

- because there was not rules that explicitly allows such traffic
- because the tun driver was not present
- maybe the silliest: there's not openvpn config file in the firewall :)

I'm checking the openvpn configuration options on their website and
comparing the environment with pfsense.

The openvpn client logs don't say much information reason because i
don't post it. Anyway if you want to see the exit i will do.

Any thoughts will be welcomed ;)
Regards,

jonathan


Scott Ullrich wrote:


device  tun # Packet tunnel.

We have tun in the kernel.  What exactly is the problem?

On 10/12/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:



Hi,

i created a openvpn client (client3) using pkcs12 scripts so i can get
of the box a p12 file closed by password to send a client to access the
vpn.

I put this p12 file in my pc and tried to establish a connection to the
pfsense box.

The first part of the negotiation went fine, because the openvpn client
i'm using requested me the p12 passkey to open the p12 file.

Then the connection hangs with the firewall. I didn't look at the
openvpn server configuration yet but i think something is wrong with the
interface TUN because i can see it on the ifconfig -a listing.

If somebody have an idea, please tell ;)
Regards,

jonathan





Re: [pfSense Support] openvpn certs creation

2005-10-12 Thread jonathan gonzalez
I realized that the tun interface was not present and also in the Rules 
menu appeared a new tab named OPT1.


In my case i only have 2 NICS so i don't have an optional third interface.

I'm not sure if the vpn hung

- because there was not rules that explicitly allows such traffic
- because the tun driver was not present
- maybe the silliest: there's not openvpn config file in the firewall :)

I'm checking the openvpn configuration options on their website and 
comparing the environment with pfsense.


The openvpn client logs don't say much information reason because i 
don't post it. Anyway if you want to see the exit i will do.


Any thoughts will be welcomed ;)
Regards,

jonathan


Scott Ullrich wrote:

device  tun # Packet tunnel.

We have tun in the kernel.  What exactly is the problem?

On 10/12/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi,

i created a openvpn client (client3) using pkcs12 scripts so i can get
of the box a p12 file closed by password to send a client to access the
vpn.

I put this p12 file in my pc and tried to establish a connection to the
pfsense box.

The first part of the negotiation went fine, because the openvpn client
i'm using requested me the p12 passkey to open the p12 file.

Then the connection hangs with the firewall. I didn't look at the
openvpn server configuration yet but i think something is wrong with the
interface TUN because i can see it on the ifconfig -a listing.

If somebody have an idea, please tell ;)
Regards,

jonathan





Re: [pfSense Support] openvpn certs creation

2005-10-12 Thread jonathan gonzalez

Hi,

i created a openvpn client (client3) using pkcs12 scripts so i can get 
of the box a p12 file closed by password to send a client to access the 
vpn.


I put this p12 file in my pc and tried to establish a connection to the 
pfsense box.


The first part of the negotiation went fine, because the openvpn client 
i'm using requested me the p12 passkey to open the p12 file.


Then the connection hangs with the firewall. I didn't look at the 
openvpn server configuration yet but i think something is wrong with the 
interface TUN because i can see it on the ifconfig -a listing.


If somebody have an idea, please tell ;)
Regards,

jonathan





Re: [pfSense Support] openvpn certs creation

2005-10-12 Thread jonathan gonzalez

Hi all

about the client web interface, when you click to add a new user two 
things happens that i understand it shouldn't:


a) the web interface is lost (no present skin)
b) again is necessary to provide the CA certificate. Why? Is defined in 
the global server and client certificates are generated with this CA. 
They have inherit the parameters that refer to such CA.


Then after the creation of the user certificate this appears in the web 
page (without skin)


Warning: Invalid argument supplied for foreach() in /etc/inc/openvpn.inc on line 445
Warning: Invalid argument supplied for foreach() in /etc/inc/openvpn.inc on line 729
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/openvpn.inc:445) in /usr/local/www/vpn_openvpn_cli_edit.php on line 175



Comments?
Regards,

jonathan




Re: [pfSense Support] openvpn certs creation

2005-10-12 Thread jonathan gonzalez

Hi all,

i have downloaded the openvpn package from the openvpn site, modified 
some of the easy-rsa scripts, added bash to pfsense and executed all 
steps necessary to have certificates for the server and client, keys for 
server and clients, the DH parameters and so forth.


Then i went to the web environment and after fill all the required boxes 
with the information required and applied the SAVE button i get on the 
web environment this warning:


Warning: Missing argument 1 for ovpn_config_server() in /etc/inc/openvpn.inc on line 127
Warning: Invalid argument supplied for foreach() in /etc/inc/openvpn.inc on line 130



These lines refer to this portion of the code:


125 /* Configure the server */
126 function ovpn_config_server($reconfigure) {
127     global $config, $g;
128
129     foreach ($config['ovpn']['server']['tunnel'] as $id => $server) {
130         /* get tunnel interface */
131         $tun = $server['tun_iface'];
132

Is something missing related to the TUN interface. Should it be defined 
always on the box so in case to enable OpenVPN this would be present on 
the system?


I look forward to receive your comments and suggestions.
Regards,

jonathan





Re: [pfSense Support] openvpn certs creation

2005-10-12 Thread jonathan gonzalez

Hi Scott,

i did what you told. Now i have a bash running (not as default) in the 
firewall (accessible thru menu option 8)


The installation included the following packages:

bash.tbz
libiconv-1.9.2_1.tbz
gettext-0.14.5.tbz

I continue with the process describing all steps as much as possible :)

Thanks a lot!

jonathan



Scott Ullrich wrote:
For the sake of getting this working now (and if you need bash), try the 
following:


From a shell:

pkg_add -r bash
rehash
bash

Scott


On 10/11/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi group,

i tried to achieve this today but i couldn't get good news.

I downloaded the last package from openvpn site, got the easy-rsa
scripts, put it on the pfsense box in /etc/openvpn (everything as
recommended) but i was unable to get it work yet.

First i had some trouble due to the inexistence of the built-in 'export'
command, so variables must be populated either manually on the CLI (with
the 'set' command), or calling a script with the 'source' command.

Then all the scripts are designed to be run on a normal bash so a lot of
modifications should be necessary i think.

I'm doing checks/tasks by my own. If i get something stable in
reasonable amount of time keep for sure i will write the list to
inform.

Regards to all ;)

jonathan




Scott Ullrich wrote:
 > Please refer to the m0n0wall documentation concerning OpenVPN.
 >
 > This may be helpful:
 >
 > http://m0n0.ch/wall/list/showmsg.php?id=103/47
 >
 > Scott
 >
 >
 > On 10/9/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
 >
 >>hi,
 >>
 >>i've activated developer menu options to get access to openvpn. i'd need
 >>to create the certs, dh-params and keys. I would like to know if i can
 >>do this thru the interface (i suppose that not), and else i'd like to
 >>know if sb can provide me a script or code to do it on console, or in
 >>any other place but with the distro tools (sorry but i'm starting
 >>knowing the system and i don't know all the ins and outs yet).
 >>
 >>thanks in advance,
 >>regards,
 >>
 >>jonathan



Re: [pfSense Support] openvpn certs creation

2005-10-11 Thread jonathan gonzalez

Hi group,

i tried to achieve this today but i couldn't get good news.

I downloaded the last package from openvpn site, got the easy-rsa 
scripts, put it on the pfsense box in /etc/openvpn (everything as 
recommended) but i was unable to get it work yet.


First i had some trouble due to the inexistence of the built-in 'export' 
command, so variables must be populated either manually on the CLI (with 
the 'set' command), or calling a script with the 'source' command.


Then all the scripts are designed to be run on a normal bash so a lot of 
modifications should be necessary i think.


I'm doing checks/tasks by my own. If i get something stable in 
reasonable amount of time keep for sure i will write the list to inform.


Regards to all ;)

jonathan




Scott Ullrich wrote:

Please refer to the m0n0wall documentation concerning OpenVPN.

This may be helpful:

http://m0n0.ch/wall/list/showmsg.php?id=103/47

Scott


On 10/9/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


hi,

i've activated developer menu options to get access to openvpn. i'd need
to create the certs, dh-params and keys. I would like to know if i can
do this thru the interface (i suppose that not), and else i'd like to
know if sb can provide me a script or code to do it on console, or in
any other place but with the distro tools (sorry but i'm starting
knowing the system and i don't know all the ins and outs yet).

thanks in advance,
regards,

jonathan




Re: [pfSense Support] openvpn certs creation

2005-10-10 Thread jonathan gonzalez

Hi Scott,

i will try to do it tomorrow. Are you (the group) interested in have in 
the wiki a page describing the process, so there's no need to refer to 
m0n0wall, and will be available from pfsense site?


Should you be interested please let me know. I will take note of the 
process to document it.


Cheers,

jonathan

Scott Ullrich wrote:

Please refer to the m0n0wall documentation concerning OpenVPN.

This may be helpful:

http://m0n0.ch/wall/list/showmsg.php?id=103/47

Scott


On 10/9/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


hi,

i've activated developer menu options to get access to openvpn. i'd need
to create the certs, dh-params and keys. I would like to know if i can
do this thru the interface (i suppose that not), and else i'd like to
know if sb can provide me a script or code to do it on console, or in
any other place but with the distro tools (sorry but i'm starting
knowing the system and i don't know all the ins and outs yet).

thanks in advance,
regards,

jonathan




Re: [pfSense Support] passive ftp

2005-10-10 Thread Jonathan Gonzalez
Hi Dave [hi all],

when i said passive ftp i was thinking in allow passive ftp to work
from external clients to my server, which is hosted behind pfsense.

I understand that your comment only applies to internal to external
connections, isn't it?

TIA,
Rgds,

jonathan



On 10/10/05, Dave <[EMAIL PROTECTED]> wrote:
> Hi,
> I've got passive ftp going, here's the relevant rules. I'm trying to get
> active working and that is not.
> Thanks.
> Dave.
>
> rules
> ext_if = "rl0"
> int_if = "xl0"
> int_net="$int_if:network"
> tcp_state="flags S/SA modulate state"
> # translate lan client addresses to that of the external interface
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> # Redirect lan client FTP requests (to an FTP server's control port 21)
> # to the ftp-proxy running on the firewall host (via inetd on port 8021)
> rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
>
> # block by default
> block log all
>
> # pass all loopback traffic
> pass quick on lo0 all
>
> # Allow remote FTP servers (on data port 20) to respond to the proxy's
> # active FTP requests by contacting it on the port range specified in inetd.conf
> pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state
>
> # Allow ftp-proxy packets destined to port 20 to exit $ext_if
> # in order to maintain communications with the ftp server
> pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state
>
> # Allow firewall to contact ftp server on behalf of passive ftp client
> pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state
>
> # allow ftp connections from lan to proxy
> pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
> pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state



Re: [pfSense Support] upgrade from 86.2 to 86.4 - howto

2005-10-10 Thread Jonathan Gonzalez
Thanks a lot Holger ;)

jonathan



On 10/10/05, Holger Bauer <[EMAIL PROTECTED]> wrote:
> 1. Download the latest full upgradefile from a mirror near you (like 
> ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates/pfSense-Full-Update-0.86.4.tgz
>  ). You find the mirrors selection at our page under Downloads/Upgrades.
>
> 2. Go in your WebGui to general>firmware and go to tab "manual upgrade"
>
> 3. Hit enable Firmwareupload
>
> 4. Search for the file you downloaded and click upload
>
> 5. wait for your firewall to do the upgrade. It'll  reboot after it's done 
> and will be up after that with your last configuration.
>
> Holger
>
> -Original Message-
> From: Jonathan Gonzalez [mailto:[EMAIL PROTECTED]
> Sent: Monday, 10 October 2005 13:16
> To: support@pfsense.com
> Subject: [pfSense Support] upgrade from 86.2 to 86.4 - howto
>
>
> Hi,
>
> i think the information on the web do not reflect my inquiry but of
> course i may be wrong. I would like to know how to upgrade my platform
> from 0.86.2 to 0.86.4.
>
> I would appreciate a link or a quick how-to.
>
> TIA,
> Rgds,
>
> jonathan
>



[pfSense Support] upgrade from 86.2 to 86.4 - howto

2005-10-10 Thread Jonathan Gonzalez
Hi,

i think the information on the web do not reflect my inquiry but of
course i may be wrong. I would like to know how to upgrade my platform
from 0.86.2 to 0.86.4.

I would appreciate a link or a quick how-to.

TIA,
Rgds,

jonathan




[pfSense Support] passive ftp

2005-10-10 Thread Jonathan Gonzalez
hi,

i would like to know how to enable passive ftp transfers thru pfsense
because opening 21/tcp and 20/tcp|20/udp seems not to be enough (what
about the dynamically open ports to allow such type of connection?)

TIA,
Rgds,

jonathan




[pfSense Support] openvpn certs creation

2005-10-09 Thread jonathan gonzalez

hi,

i've activated developer menu options to get access to openvpn. i'd need 
to create the certs, dh-params and keys. I would like to know if i can 
do this thru the interface (i suppose that not), and else i'd like to 
know if sb can provide me a script or code to do it on console, or in 
any other place but with the distro tools (sorry but i'm starting 
knowing the system and i don't know all the ins and outs yet).


thanks in advance,
regards,

jonathan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
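
The console procedure asked for in the message above, covering the pieces named in the later posts on this page (CA, server and client certificates, DH parameters, and the password-protected client3 p12 bundle), as an added example that is not part of the original posts and is not the easy-rsa scripts. It calls openssl directly from POSIX sh and uses neither bash nor `export`; it assumes an `openssl` binary on the PATH, and the directory, the CA name and the `server` certificate name are sample values.

```shell
#!/bin/sh
# Added example, not from the thread: a small OpenVPN-style PKI built with
# plain openssl. Directory and certificate names are sample values.
PKI_DIR="${PKI_DIR:-./pki-demo}"
KEY_BITS="${KEY_BITS:-2048}"
DAYS="${DAYS:-365}"

# Minimal config so that every certificate's extensions are explicit.
write_cnf() {
    umask 077                       # keys and bundles readable by the owner only
    mkdir -p "$PKI_DIR" || return 1
    cat > "$PKI_DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = replaced-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_ca() {
    openssl req -x509 -new -newkey "rsa:$KEY_BITS" -nodes -sha256 -days "$DAYS" \
        -config "$PKI_DIR/openssl.cnf" -extensions v3_ca -subj "/CN=Example VPN CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# $1 = common name, $2 = extension section (server or client)
issue_cert() {
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes -sha256 \
        -config "$PKI_DIR/openssl.cnf" -subj "/CN=$1" \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$PKI_DIR/$1.csr" -sha256 -days "$DAYS" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/openssl.cnf" -extensions "$2" \
        -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# $1 = common name, $2 = file whose first line is the export password
# (read from a file so the password never appears in the process list)
make_p12() {
    openssl pkcs12 -export -name "$1" -inkey "$PKI_DIR/$1.key" \
        -in "$PKI_DIR/$1.crt" -certfile "$PKI_DIR/ca.crt" \
        -passout "file:$2" -out "$PKI_DIR/$1.p12"
}

# Slow step, kept separate: Diffie-Hellman parameters for the server.
make_dh() { openssl dhparam -out "$PKI_DIR/dh.pem" "${DH_BITS:-2048}" 2>/dev/null; }

# True only if cert $1 chains to the CA and is valid for purpose $2 (sslserver|sslclient).
cert_ok() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" -purpose "$2" \
        "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# True only if the bundle's integrity check passes with the password in file $2.
p12_ok() {
    openssl pkcs12 -in "$PKI_DIR/$1.p12" -passin "file:$2" -noout >/dev/null 2>&1
}

# $1 = password file for the client3 bundle
build_pki() {
    write_cnf && make_ca &&
    issue_cert server server && issue_cert client3 client &&
    make_p12 client3 "$1"
}

# Stand-alone use: sh pki.sh all /path/to/password-file
if [ "${1:-}" = "all" ]; then
    build_pki "$2" && make_dh && cert_ok server sslserver && cert_ok client3 sslclient
fi
```

The keys are written unencrypted so the server can start unattended; once client3.p12 has been handed over, delete client3.key from the box and keep ca.key off the firewall.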



Re: [pfSense Support] Re: Unable to login to webconfigurator (0.86.2)

2005-10-09 Thread jonathan gonzalez

Hi,

i'm new to the list and, since a few, new to the distro as well, but what 
i can say is that i realized the system after a reboot loses the web 
admin password.


Exactly, i can access the SSH daemon with *my* defined password, and the 
web interface is only available with username admin and no password.


I suppose this would be a bug, but being new to the environment i'm not 
sure. Can anyone confirm?


TIA,
Rgds,

jonathan

Scott Ullrich wrote:

I left the ISO so people could test out the new installer.   I will be
releasing a new version soon.

Scott


On 10/9/05, HenryNettles <[EMAIL PROTECTED]> wrote:


On Sat, 8 Oct 2005 17:44:13 -0400, Scott Ullrich wrote:



Sounds like it.   I will pull the update and do some tests.

Scott


On 10/8/05, Jeroen Geusebroek <[EMAIL PROTECTED]> wrote:


Hi,

I just upgraded to 0.86.2, but i can't seem to logon to the web configurator.
I can SSH into the box without any problem.

If i reset the password i can login until i reboot. Then after the
boot it fails again.

Known bug?

--
Jeroen


Scott, it looks like you pulled the update for 86.2, but not the iso image.
Sort of confusing for those not reading this newsgroup (mailing list).

