[pfSense Support] Heli new intall
Hi,

Just installed pfSense on Linux & locked myself out. I still have the SSH session I used to install, but basic Linux commands are not working... How do I shut pfSense down?

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
[pfSense Support] RE: Heli new intall
> Just installed pfsense on linux & locked myself out.

pfSense runs on FreeBSD - how'd you manage that!? ;)
If you have an SSH session there is a prompt to reset the webmin password - just hit that.

If you are on Linux with a VM (maybe that's what you are talking about) - then use the VM console or re-install?
Re: [pfSense Support] RE: Heli new intall
There's a zcat dd command to install on Linux in the wiki.

On Jul 22, 2010, at 4:13 PM, "Tim Dickson" wrote:
>> Just installed pfsense on linux & locked myself out.
>
> pfSense runs on FreeBSD - how'd you manage that!? ;)
> If you have an SSH session there is a prompt to reset the webmin password -
> just hit that.
>
> If you are on linux with a VM (maybe that's what you are talking about) -
> then use the VM console or re-install?
Re: [pfSense Support] RE: Heli new intall
On Thu, Jul 22, 2010 at 4:22 PM, Ujjval Karihaloo wrote:
> There a zcat dd command to install on linux In the wiki

Was your target device also your Linux boot device? Or was it another, such as a spare hard drive or compact flash card?

db
Re: [pfSense Support] RE: Heli new intall
No Linux commands are working, like ls, etc... only pwd & cd.

pfctl -d to shut it down is also not working... I am at the console now to check this bad boy out.

On Jul 22, 2010, at 4:13 PM, "Tim Dickson" wrote:
>> Just installed pfsense on linux & locked myself out.
>
> pfSense runs on FreeBSD - how'd you manage that!? ;)
> If you have an SSH session there is a prompt to reset the webmin password -
> just hit that.
>
> If you are on linux with a VM (maybe that's what you are talking about) -
> then use the VM console or re-install?
Re: [pfSense Support] RE: Heli new intall
On Thu, Jul 22, 2010 at 4:24 PM, Ujjval Karihaloo wrote:
> No linux commands are working like ls, etc...only pwd& cd
>
> pfctl -d to shut it down is also not working... I am at the console now to
> chk this bad boy out

pfSense is designed to be operated from the web UI. Try connecting a browser to the LAN interface and go from there. It's not recommended to use the console shell unless you know what you want to accomplish, that you can't accomplish it from the web UI, and have a fair knowledge of FreeBSD CLI. Some specific guidance on the thing you're trying to do is also good.

db
Re: [pfSense Support] RE: Heli new intall
- "Ujjval Karihaloo" wrote:
> No linux commands are working like ls, etc...only pwd& cd
>
> pfctl -d to shut it down is also not working... I am at the console
> now to chk this bad boy out

Uh oh... I think I see where this is headed...

Did you blindly follow the wiki instructions and write the pfSense image to /dev/sda? If your system's internal drive is /dev/sda, you just overwrote the beginning sectors of your hard drive (the actual amount depending on the image size you downloaded). This would explain the problems you're experiencing.

Plus, 'pfctl -d' will only work from *INSIDE* the running pfSense system, not on your Linux system used to flash the pfSense image.

Can you clarify what steps you took exactly to get where you are now? Maybe send us the output of 'uname' and 'dmesg' from your system so we can see your environment?

--Tim
RE: [pfSense Support] RE: Heli new intall
Thx for the help.. I guess you are right...

I followed the instructions here: http://doc.pfsense.org/index.php/HOWTO_Install_pfSense#Linux

And overwrote, like you said, my CentOS install... Now the console is showing a kernel panic after I rebooted it..

Any way to boot off my old install and not from the img I installed using:

zcat pfsense-embedded.img.gz | dd of=/dev/sd[a] bs=16k

-Original Message-
From: Tim Nelson [mailto:tnel...@rockbochs.com]
Sent: Thursday, July 22, 2010 4:37 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] RE: Heli new intall

- "Ujjval Karihaloo" wrote:
> No linux commands are working like ls, etc...only pwd& cd
>
> pfctl -d to shut it down is also not working... I am at the console
> now to chk this bad boy out

Uh oh... I think I see where this is headed...

Did you blindly follow the wiki instructions and write the pfSense image to /dev/sda? If your system's internal drive is /dev/sda, you just overwrote the beginning sectors of your hard drive (the actual amount depending on the image size you downloaded). This would explain the problems you're experiencing.

Plus, 'pfctl -d' will only work from *INSIDE* the running pfSense system, not on your Linux system used to flash the pfSense image.

Can you clarify what steps you took exactly to get where you are now? Maybe send us the output of 'uname' and 'dmesg' from your system so we can see your environment?

--Tim
RE: [pfSense Support] RE: Heli new intall
At this point it looks like I need to just reinstall the OS... CentOS, that is...

Rescuing from the CentOS CD did not find any installed Linux OS's.

-Original Message-
From: Ujjval Karihaloo [mailto:ujj...@simplesignal.com]
Sent: Thursday, July 22, 2010 4:40 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] RE: Heli new intall

Thx for the help.. I guess you are right...

I followed instructions here http://doc.pfsense.org/index.php/HOWTO_Install_pfSense#Linux

And overwrote like you said my CentOS install... Now Console is showing kernel panic after I rebooted it..

Any way to boot off my old install and not from the img I installed using:

zcat pfsense-embedded.img.gz | dd of=/dev/sd[a] bs=16k
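Added example, not part of any message in this thread: a shell wrapper around the `zcat ... | dd` command quoted above that refuses a target disk carrying a mounted filesystem or active swap. It assumes a Linux host with `lsblk` from util-linux; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): guard an image write such as
#   zcat pfsense-embedded.img.gz | dd of=/dev/sdX bs=16k
# by refusing any target disk that carries a mounted filesystem or active swap.

# Constructed `lsblk -nrpo NAME,MOUNTPOINT` listings for illustration.
SAMPLE_SYSTEM_DISK='/dev/sda
/dev/sda1 /boot
/dev/sda2
/dev/mapper/VolGroup00-LogVol00 /
/dev/mapper/VolGroup00-LogVol01 [SWAP]'
SAMPLE_SPARE_CARD='/dev/sdb
/dev/sdb1'

# in_use: read an lsblk listing on stdin and print every node that has a
# mountpoint. LVM volumes are listed under their parent disk by lsblk, so a
# root filesystem on a logical volume is caught too.
in_use() {
    awk 'NF >= 2 { print $1 " is mounted at " $2 }'
}

# target_is_free LISTING: succeed only if nothing in the listing is in use.
target_is_free() {
    [ -z "$(printf '%s\n' "$1" | in_use)" ]
}

# write_image IMAGE.gz DISK: check the live system first, then write.
write_image() {
    img=$1 disk=$2
    [ -b "$disk" ] || { echo "$disk is not a block device" >&2; return 1; }
    listing=$(lsblk -nrpo NAME,MOUNTPOINT "$disk") || return 1
    if ! target_is_free "$listing"; then
        echo "refusing to overwrite $disk:" >&2
        printf '%s\n' "$listing" | in_use >&2
        return 1
    fi
    zcat "$img" | dd of="$disk" bs=16k
}

# Run as: sh guard.sh pfsense-embedded.img.gz /dev/sdX
if [ $# -eq 2 ]; then write_image "$1" "$2"; fi
```

The check only sees filesystems that are mounted and swap that is active; an unmounted data disk still passes, so confirm the device name in the `lsblk` output before writing.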
RE: [pfSense Support] pfSense 1.2.3 - Squid authentication
Dominic,

This is probably best done on another machine rather than on the pfSense box itself. Squid with NTLM and AD integration (through samba/winbind) can be quite demanding on system resources so I would recommend keeping this off your firewall. In any case I don't believe the functionality for this is built into the pfSense squid package (some people have expressed their interest in it though).

While squid is good for blocking known bad sites etc. it is really quite limited in how it can control access. For this reason I would recommend looking into using something such as DansGuardian. DG uses numerous rules to identify offending content and can do a lot; it also now has built-in NTLM authentication support so you can control access based on the user without having to 're-authenticate' the user.

I have been running a proxy built with DansGuardian (Content Filter), Squid (Caching proxy and NTLM authentication proxy), ClamAV (Virus Scanning) and Samba (Winbind for domain auth) for a long time now with very few issues on a medium sized domain (Note: You can do away with using squid as the NTLM auth proxy as DG has NTLM support built in now). This setup does for us what we were paying in excess of $7,000 per year for a dedicated appliance to do.

Go to dansguardian.org for more info.

Regards,
Daniel Davis

-Original Message-
From: Dominic [mailto:dominic@gmail.com]
Sent: Wednesday, 21 July 2010 10:43 PM
To: support@pfsense.com
Subject: [pfSense Support] pfSense 1.2.3 - Squid authentication

Hi,

I have been using pfSense for a while and it's been great, but now the need has come in to enforce stricter user access through the squid proxy.

Is there a way I can do authentication through a Windows 2003 Domain Controller and be able to block certain users from using the proxy based on their login and possibly also deny certain sites for certain users? For example allow all managers to access Facebook but deny all users? (Yes I know it's a cruel world).

I know I can block by IP but this doesn't help as many users work through Citrix, I need to be able to deny by username.

Please advise. Thank you in advance.

Dominic.
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
I will update this for others in case they run across this. Had some time to look at this again. The IP was showing correctly in the logs on the dynamic side at home. Didn't think to compare the logs from the office side. I looked at the logs on the pfSense in the office and noticed a different IP in the logs. I did a ping in pfSense from the office and it was going to the wrong IP address. Even though the dyndns account had the correct IP updated to it, the pfSense in the office still had the old IP address cached in the DNS and didn't refresh correctly. A DNSMASQ restart corrected the issue and tunnels came right up. Hopefully this helps someone in the future.

Paul

On Sat, Jul 17, 2010 at 9:55 AM, Paul Peziol wrote:
> I do have a dynamic ip but have set the tunnels with dyndns. Verified the
> ip thats in the logs to make sure it matches the current ip.
>
> On Sat, Jul 17, 2010 at 9:43 AM, Jesse Vollmar wrote:
>
>> On Sat, Jul 17, 2010 at 10:09 AM, Paul Peziol wrote:
>>
>>> Have a site-site tunnel between home and work. Had issues getting the
>>> tunnels to work initially. Once they were up they were stable for a few
>>> weeks. Rebooted the home router this morning and the tunnel does not come
>>> back up. Went into IPSEC and re-saved the tunnels and still does not come
>>> up. Get this error
>>>
>>> ERROR: phase2 negotiation failed due to time up waiting for phase1
>>>
>>> Jul 17 09:01:11 racoon: *[]*: INFO: initiate new phase 1 negotiation: HOME WAN[500]<=>OFFICE WAN[500]
>>> Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
>>> Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
>>> Jul 17 09:01:44 racoon: *[]*: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]->HOME WAN[0]
>>> Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
>>> Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up. dd42e11e42fc3dcb:
>>>
>>> Puzzled why it would work until a reboot. IPSEC status shows *No IPsec
>>> security associations.*
>>> I tried to delete the tunnels under SPD, resave the ipsec settings. The
>>> spd gets recreated but still no tunnel and the above messages.
>>
>> You say between home and work. Is it possible that you have a dynamic IP
>> at home and a reboot of your modem pulled down a new IP address? This could
>> potentially have disrupted the IPSec tunnel.
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
On Fri, Jul 23, 2010 at 1:51 AM, Paul Peziol wrote:
> I will update this for others incase they run across this. Had some time to
> look at this again. The ip was showing correctly in the logs on the dynamic
> side at home.Didnt think to compare the logs from the office side. I looked
> at the logs on the pfsense in the office and noticed a different ip in the
> logs. I did a ping in pfsense from the office and it was going to the wrong
> ip address. Even though the dyndns account had the correct ip updated to it,
> the pfsense in the office still had the old ip address cached in the dns and
> didnt refresh correctly. A DNSMASQ restart corrected the issue and tunnels
> came right up. Hopefully this helps someone in the future.

Check the TTL on your dyndns account, that indicates it's much longer than it should be. Normally it's a 30-60 second TTL, which means it'll pick it up within 1 minute or less. It won't cache anything past TTL.
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
TTL is set to 60 sec, the default they have. The IP/domain was correct on the home side, where it refreshed, probably with the reboot. On the office side, which I did not reboot as I try not to reboot unless I have to, it was incorrect. At least I know to look at logs from both sides in the future and it will alleviate some madness in troubleshooting.

On Fri, Jul 23, 2010 at 1:01 AM, Chris Buechler wrote:
> On Fri, Jul 23, 2010 at 1:51 AM, Paul Peziol wrote:
>
>> I will update this for others incase they run across this. Had some time
>> to look at this again. The ip was showing correctly in the logs on the
>> dynamic side at home.Didnt think to compare the logs from the office side. I
>> looked at the logs on the pfsense in the office and noticed a different ip
>> in the logs. I did a ping in pfsense from the office and it was going to the
>> wrong ip address. Even though the dyndns account had the correct ip updated
>> to it, the pfsense in the office still had the old ip address cached in the
>> dns and didnt refresh correctly. A DNSMASQ restart corrected the issue and
>> tunnels came right up. Hopefully this helps someone in the future.
>
> Check the TTL on your dyndns account, that indicates it's much longer than
> it should be. Normally it's a 30-60 second TTL, which means it'll pick it up
> within 1 minute or less. It won't cache anything past TTL.