Re: [pfSense] Layer7 container rule halts all traffic

2012-02-03 Thread mayak-cq



 From what I read on this forum many people are complaining that L7
 blocks nothing.
 
 On my system all traffic (not vpn though) is blocked. 
 
 I added an all pass Lan rule (tcp/udp) and selected the container
 under advanced options. The container is set to block torrent traffic.
 The moment I add this rule all is blocked.
 
 Many other posts report this to work so I'm suspecting something wrong
 on my side.
 
 I'm running pf 2.01
 
 It'd be great if I could get this working.

morning all,

I've got the exact same issue --

if the LAN rule is applied to all, all traffic is blocked. I've applied the
rule to a single LAN test host, and only it is blocked.

can someone suggest how to diagnose this further? no entries in the
firewall log for the host's blocked packets.

thanks

m
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] OpenVPN clients affected by upgrade from 1.2 to 2.0?

2012-02-03 Thread Jim Pingle
On 2/3/2012 3:16 AM, Chris Buechler wrote:
 On Fri, Feb 3, 2012 at 2:04 AM, Pete Boyd petes-li...@thegoldenear.org 
 wrote:
 I have pfSense 1.2.3 setup to use its OpenVPN server. I use TinyCA to
 create CA and client certificates and keys on a separate computer,
 giving the CA cert to pfSense and the client certs & keys to users.

 If I upgrade pfSense 1.2.3 to 2.0.1, the OpenVPN will migrate fine, but
 will OpenVPN clients continue to be able to VPN into the pfSense OpenVPN
 server despite them not being in the User Manager, or do I have to
 additionally, manually, create accounts and paste in certs & keys using
 the User Manager?

 
 It'll stay exactly as it is. You won't be able to use the OpenVPN
 Client Export without importing the user keys, but what you already
 have will work just the same.

^ That, with a couple exceptions. There were some bugs in the upgrade
code for OpenVPN that I fixed post-2.0.1

https://github.com/bsdperimeter/pfsense/commit/0d2156e5fa7a6504c7a7ceef24bc51dfe402c6ea
https://github.com/bsdperimeter/pfsense/commit/d87d2f6767707193cde5fab59bf954db51ae430b
https://github.com/bsdperimeter/pfsense/commit/4724f8b8bb6d3495c5c41296e25f64e05b113502
https://github.com/bsdperimeter/pfsense/commit/3ef4cae6048c1763b2666aa991bc2b58683932bf

Most people didn't hit those, but still worth being on the lookout for.

Jim



Re: [pfSense] squid over ipsec dial-in

2012-02-03 Thread Fuchs, Martin
Hi !

I'll have to wait now until Wednesday when our ISP will establish the IPSec 
tunnel and then we'll try further ;-)

Thanks so far,

Martin

-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
behalf of Jim Pingle
Sent: Thursday, 2 February 2012 17:12
To: pfSense support and discussion
Subject: Re: [pfSense] squid over ipsec dial-in

On 2/2/2012 10:32 AM, Fuchs, Martin wrote:
 For OpenVPN you mean assign the OpenVPN as a interface under interfaces - 
 assign ?
 Sounds reasonable...

Yep. When it's assigned there you can do NAT (inbound or out) and even listen 
on the interface.

 But how would I do such a port forward inbound ?
 I tried to setup a NAT rule from IPSec to any dst tcp 80 forward to 
 127.0.0.1:3128 but it seemed it did not work (but perhaps I missed sth...) 
 But that would be the right way, correct ?

Sounds about right. I've never tried that so I didn't know if it would work, 
but I suspected it wouldn't given the history of IPsec+NAT.

Jim


Re: [pfSense] Dual wan issues

2012-02-03 Thread Ugo Bellavance

On 2012-02-03 11:56, - Dickie Bradford - wrote:


On 1/1/2012 8:11 PM, - Dickie Bradford - wrote:


On 12/28/2011 1:55 AM, bruno.deb...@cyberoso.com wrote:

On Tue, 27 Dec 2011 22:53:15 -0500,
- Dickie Bradford -dbradf...@never-enuff.net wrote:


I am currently running dual WANs to help with traffic load. I have
sticky connections and allow default gateway switching checked, my
WANs are both set up as tier 1 in gateway groups and my rules allow
outbound traffic out via that group. This has been working pretty
well except for a handful of websites that just behave oddly (one
off hand: Vonage). When I log in and then go to check my voicemail
online, it makes me log in again; it seems like it loses its
session. I have made a workaround rule for the few particular
sites I know of: I just send all their traffic out a single gateway
and this works fine and normally, but it may get to be a pain if I have to
do it on my other dual WAN systems. Is there anything else I could
look for or do to remedy this?

Thnx

Dickie


I did have the same problem. On https sites, authentication randomly
goes away.
As a workaround, I had to force one box as the gateway for https
traffic (which is almost only for these sites in my case anyway).
Seems sticky connections do not work on https?


Maybe a limitation of the built-in package responsible for server load 
balancing (relayd). The haproxy package may be an alternative.




Re: [pfSense] Dual wan issues

2012-02-03 Thread Chris Bagnall

On 3/2/12 4:56 pm, - Dickie Bradford - wrote:

Does anyone know why sticky connections do not work on https ?


Is it possible that although the URL is the same, the IP address behind 
it fluctuates? As I understand things, the 'sticky connections' option 
is by IP (i.e. layer 3) rather than by URL (layer 7).


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Orange 3G+ USB Dongle

2012-02-03 Thread Mehma Sarja

On 2/3/12 6:56 AM, Seth Mos wrote:
Try this, connect the 3g dongle, then reboot the device and try to 
access it again. I have a ZTE modem that does not release the cdrom 
device until after it is rebooted or I press save on the 3G wan 
interface again. So it doesn't work on cold boot, but it does work 
after a warm reboot.



Since there is mild interest on the list, I'll share our findings:

UPON CONNECTING the modem, Huawei mobile model number EC 122, we see 
this in /var/log/system.log:
feb 3 07:11:02 firewall kernel: da0: HUAWEI SD storage 2.31 removable 
direct access SCSI-2 device
feb 3 07:11:02 firewall kernel: da0: attempt to query device size 
failed: NOT READY, media not present


and we see nothing having to do with USB or Huawei in /var/log/system.log.

The modem light remains a flashing blue as if it is working. I'll try 
the warm boot, heck even I work well after a warm bath.


I am thinking of going over to Safaricom to tide us over.

Mehma


[pfSense] OpenVPN as default gateway

2012-02-03 Thread Richard Connon

Hi, I've got two pfSense machines connected using OpenVPN.
Does anyone know if it's possible to set the client machine to use the 
OpenVPN tunnel for its default gateway?
