[pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-11 Thread Marco
Hello,

we use pfSense since quite a while with success and are very happy overall.

Recently we set up OpenVPN and are facing a DNS issue. Hosts in the LAN can be
addressed using the hostname (thanks to “Register DHCP leases in the DNS
Resolver”) which is working perfectly fine. Hosts on the OpenVPN network can
also resolve hosts in the LAN. However, from the LAN the OpenVPN-connected
hosts cannot be reached (only via IP address, not via hostname). Research
shows¹ that VPN-connected clients don't register their hostnames in the DNS
which is unfortunate and would probably solve the issue we face. The answer
seems to be¹:

> Would have to statically assign them via client overrides and manually add
> to DNS forwarder for them to resolve.

This would work for static hosts that are always on the VPN, but this wouldn't
work for mobile hosts (e.g. employee's laptops) which have a different IP
address, depending on whether they are connected to the LAN or connected via
OpenVPN.

How to access the mobile hosts via the same hostname regardless if
they are connected to the LAN or VPN?

Marco

¹ http://serverfault.com/a/361103/102215
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] 2.2.5 squidGuard fails to start

2015-11-11 Thread Volker Kuhlmann
After squid and squidguard updates it is necessary to re-download the
blacklist before attempting to restart squid/guard. Done.

When applying the squidguard config
https://xxx/pkg_edit.php?xml=squidguard.xml=0

An error results and squid isn't running.
No change after several iterations of squid and squidguard config
saving, followed by a reboot.

cache.log contains
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default

This is a long-standing bug of an incorrect squidguard config being
generated.

Attempting to start squid succeeds.
Saving the squidguard config (which recreates SG config and restarts
squid) fails.
Attempting to start squid succeeds.

Saving the squidguard config fails.
Starting squidguard fails.
Starting squid succeeds.

Not really good :-((

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] [Bulk] Re: darkstat

2015-11-11 Thread Josh Karli
Apparently my package installations were corrupted during the upgrade 
from 2.2.4 amd64 to 2.2.5 amd64. It had the reinstalling packages 
warning for hours after the install, then i had to unlock them and 
manually reinstall them. For some reason darkstat went away after I 
uninstalled and then later reappeared in the installed packages list. I 
just uninstalled and reinstalled and all is well.


-- Original Message --
From: "PiBa" 
To: "pfSense Support and Discussion Mailing List" 
; "Josh Karli" 

Sent: 11/8/2015 13:35:31
Subject: Re: [Bulk] Re: [pfSense] darkstat

Package still seems to exist available for installation on my 2.2.5 
box.
If it's already installed it's no longer listed between the available 
packages.. Maybe looking in the wrong place?


On 8-11-2015 at 16:36 Ryan Coleman wrote:

 From October 16 (Subject: "Bandwidth graph"):

Was it darkstat?  https://unix4lyfe.org/darkstat/ 



Packages are maintained by independent coders.




On Nov 7, 2015, at 8:11 PM, Josh Karli  wrote:

Hello all!

Anyone know what happened to the darkstat package? Had it installed 
on pfsense 2.2.4 x64, upgraded to 2.2.5 and it's gone. If it's no 
longer supported, anyone have any suggestions on another pfsense 
package that also lets you drill down to see traffic types by IP 
address?



Cheers!
Josh Karli

Re: [pfSense] Latency issues with 2.2.25 Release

2015-11-11 Thread Jon Gerdes
On Wed, 2015-11-11 at 07:47 -0800, Wade Blackwell wrote:
> Good morning list,
> I recently upgraded to *2.2.5-RELEASE * (amd64) on a VMware
> stack
> and noticed that my Wan latency shot up by about 100ms rtt. Nothing
> else on
> the box had changed. I reverted to a pre-upgrade snapshot and the
> latency
> went back down to 10-12 ms rtt. Anyone seen anything like this with
> the
> update to 2.2.5?
> 
> -W
> 
> Wade Blackwell

Wade

I have several 2.2.5 upgrades from earlier versions.  Here's one:

[2.2.5-RELEASE][r...@pf1.blueloop.net]/root: ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=54 time=8.658 ms

The above is in a VMware 5.5 (current patch level) ESXi host on a four
node cluster.  The ESXis are a bit variable in power but it makes no
difference to the RTT.

So, are you absolutely sure nothing else changed?  Same host, exactly
the same network path at your end, no funny workloads at the same time
as your upgrade?  No other changes?  Did you leave a VM snapshot
running?  Backups? etc etc.

Have a look at your rrd graphs on the reverted system and see if there
is a pattern that matches the time you did the upgrade.

Incidentally, what version did you back rev to?  Also how are you
measuring WAN RTT time?  What is your WAN anyway?

There are a lot of questions to answer before you can diagnose a fault
in an OS upgrade ...

If you have a spare WAN IP, clone the pfSense VM, give it a WAN IP and a
separate VLAN to play with.  You can detach the vNICs and use the
console to avoid address conflicts.  

Put a test client VM on the test VLAN.  Upgrade the pfSense box and see
how you go.  You can torture the clone to your heart's content until you
get to the bottom of the problem.  If you don't have a spare external
IP you can always put the clone "behind" the live one - ie put its WAN
on your LAN.  Remove NAT on the clone and add a static route on the
real one for your test VLAN via the clone.

If you have a virty setup - use it!

Cheers
Jon


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-11 Thread Espen Johansen
I think you have to set up a radius server and assign ip based on the user.
That way they will be "static" and then add DNS entries to that static IP.

My 2cents,
-lsf

On Wed, 11 Nov 2015, 15:47 Marco wrote:

> Hello,
>
> we use pfSense since quite a while with success and are very happy overall.
>
> Recently we set up OpenVPN and are facing a DNS issue. Hosts in the LAN
> can be
> addressed using the hostname (thanks to “Register DHCP leases in the DNS
> Resolver”) which is working perfectly fine. Hosts on the OpenVPN network
> can
> also resolve hosts in the LAN. However, from the LAN the OpenVPN-connected
> hosts cannot be reached (only via IP address, not via hostname). Research
> shows¹ that VPN-connected clients don't register their hostnames in the DNS
> which is unfortunate and would probably solve the issue we face. The answer
> seems to be¹:
>
> > Would have to statically assign them via client overrides and manually
> add
> > to DNS forwarder for them to resolve.
>
> This would work for static hosts that are always on the VPN, but this
> wouldn't
> work for mobile hosts (e.g. employee's laptops) which have a different IP
> address, depending on whether they are connected to the LAN or connected
> via
> OpenVPN.
>
> How to access the mobile hosts via the same hostname regardless if
> they are connected to the LAN or VPN?
>
> Marco
>
> ¹ http://serverfault.com/a/361103/102215

[pfSense] Latency issues with 2.2.25 Release

2015-11-11 Thread Wade Blackwell
Good morning list,
   I recently upgraded to *2.2.5-RELEASE * (amd64) on a VMware stack
and noticed that my Wan latency shot up by about 100ms rtt. Nothing else on
the box had changed. I reverted to a pre-upgrade snapshot and the latency
went back down to 10-12 ms rtt. Anyone seen anything like this with the
update to 2.2.5?

-W

Wade Blackwell
Solutions Architect
(D) 805.457.8825
(C) 805.400.8485
(S) coc.wadeblackwell


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-11 Thread Vick Khera
On Wed, Nov 11, 2015 at 2:46 AM, Marco  wrote:

> How to access the mobile hosts via the same hostname regardless if
> they are connected to the LAN or VPN?
>

Via some form of dynamic DNS perhaps? It seems it should be possible to
have the openvpn client run some script that will register its current IP
into a BIND server via RFC2136 update. Setting up BIND 9 to manage a
dynamic zone is not very difficult.
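Vick's RFC 2136 suggestion worked through as an added example (not code from the thread, from pfSense or from OpenVPN): a client-side OpenVPN "--up" script that pushes the tunnel address into a BIND dynamic zone with nsupdate, so a laptop keeps one hostname whether it is on the LAN or the VPN. The zone name, BIND address, TSIG key path and TTL are assumed placeholder values; OpenVPN really does export script_type and ifconfig_local to --up scripts.

```shell
#!/bin/sh
# Added example: OpenVPN client "--up" script registering the tunnel address
# under the laptop's short hostname via an RFC 2136 update (nsupdate + TSIG).
# Zone, server, key file and TTL below are assumed values, not from the thread.
ZONE="${DDNS_ZONE:-vpn.example.internal}"        # assumed dynamic zone in BIND
SERVER="${DDNS_SERVER:-192.0.2.53}"              # assumed BIND address (RFC 5737 range)
KEYFILE="${DDNS_KEYFILE:-/etc/openvpn/ddns.key}" # assumed TSIG key file for nsupdate -k
TTL="${DDNS_TTL:-60}"                            # short TTL: LAN/VPN moves show up quickly

# Emit the nsupdate batch that replaces every existing A record for the host
# with the current address. Delete-then-add keeps exactly one A record per
# host, so a laptop that moved from LAN to VPN never answers with a stale IP.
build_nsupdate_batch() {
    host="$1"; ip="$2"; zone="$3"; server="$4"; ttl="$5"
    printf 'server %s\nzone %s\nupdate delete %s.%s. A\nupdate add %s.%s. %s A %s\nsend\n' \
        "$server" "$zone" "$host" "$zone" "$host" "$zone" "$ttl" "$ip"
}

# Accept only a plain dotted quad: the value comes from the environment and
# is written into an update batch, so anything else is refused outright.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the batch for this machine and hand it to nsupdate signed with the key.
register_vpn_address() {
    ip="$1"
    host="$(hostname -s)"
    valid_ipv4 "$ip" || { echo "refusing to register '$ip'" >&2; return 1; }
    build_nsupdate_batch "$host" "$ip" "$ZONE" "$SERVER" "$TTL" | nsupdate -k "$KEYFILE"
}

# Only act when OpenVPN runs us as an --up script (it exports script_type and
# ifconfig_local); sourcing the file for its functions does nothing.
if [ "${script_type:-}" = "up" ] && [ -n "${ifconfig_local:-}" ]; then
    register_vpn_address "$ifconfig_local"
fi
```

On the BIND side, give the zone an update-policy that lets each client's key change only its own name rather than a blanket allow-update, so one lost laptop cannot rewrite the rest of the zone. A matching "--down" script that deletes the record, or simply the short TTL, keeps the LAN DHCP registration from racing a leftover VPN address.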