Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Stefan Baur

On 25.07.2012 18:36, RB wrote:


However, repeatedly firing off

fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address: \(.*\)<\/body>.*$/\1/'
within the same minute doesn't error out, so it doesn't look like a limit
that's enforced by dyndns.


My only guess is that they're enforcing by trend rather than burst.
Regardless, I'll be interested to know your outcome.


Still no luck. :-( Old IP shows up as red after the nightly IP change.

You mentioned a cron job for updating; are you hijacking pfSense 
built-in functions for that or did you roll your own script that needs 
to be passed login credentials for the DynDNS provider?


-Stefan

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Using pfSense to route inbound traffic via Domain Name instead of IP

2012-07-26 Thread Adam Stasiak
Not sure if this is helpful to you at all, but I've looked at a possible
workaround for SSL and a lack of public IPs.

Host a virtualized pfSense box with a service provider (I'm using ARP
Networks).
Get a /29 (or more as needed).
Set up a tunnel between the virtualized box and your local pfSense.
Route traffic from the addresses on the /29 to different local IPs on your
internal network (or NAT to different ports on one local IP).

Full disclosure, I haven't yet gotten this working, have asked a couple
times on forums and this list, and people have seemed to think it's
feasible, but have gotten bored before being able to help me through the
nitty gritty. And I'm not knowledgeable enough about the intricacies of
routing to figure out what the problem is myself. I'm thinking about just
getting a support subscription and seeing if that will get it functioning.
Assuming I'm not chasing a pipe dream, this could be something that would
work for you, and I'd be happy to let you know/write up a how-to for the
wiki/etc. if I am ever successful.

There's obviously an extra cost for this, but it's not too bad, and our
only option for an ISP (short of getting a T1) won't give out more than a
/29 (and I've already used up all the available IPs, so have none left over
for extra SSL sites).

On Thu, Jul 26, 2012 at 2:53 AM, Seth Mos seth@dds.nl wrote:

 On 26-7-2012 5:01, Moshe Katz wrote:

 On Wed, Jul 25, 2012 at 10:24 PM, Joseph Hardeman
 jharde...@cirracore.com wrote:


  There isn't really any built-in way to do this.  What you really want is
 a reverse-proxy server (which could or could not be running on the
 pfSense box).  However, your Reverse Proxy would either have to support
 SNI or have a single certificate with all of the domains on it.  Your
 reverse-proxy would then route by domain name.


 Indeed, you need a full on proxy server like HAproxy or Varnish depending
 on your tastes to do this.

 Not sure which one does the man in the middle for SSL, the proxy will need
 to terminate the SSL connection and can speak http or https to the backend.

  Two parenthetical notes about SNI:

   * IIS 8 (release next month or so, RC currently available) does
 support SNI.
   * Windows XP does not support SNI.  (Firefox on XP does, as well as
 Chrome > 6 do).


 As Moshe makes clear here there is no other feature you can use except SNI
 for SSL name based virtual hosting. Otherwise you need one IP per SSL
 certificate, proxy or not.

 Regards,

 Seth


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread RB
On Thu, Jul 26, 2012 at 1:09 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
 Still no luck. :-( Old IP shows up as red after the nightly IP change.

Crud, sorry to hear but unsurprised.

 You mentioned a cron job for updating; are you hijacking pfSense built-in
 functions for that or did you roll your own script that needs to be passed
 login credentials for the DynDNS provider?

I've switched to another package (ddclient) running on another
internal system for consistency's sake.


Re: [pfSense] Using pfSense to route inbound traffic via Domain Name instead of IP

2012-07-26 Thread Joseph Hardeman
Hey Seth and Moshe,

I know that Varnish will be able to do most and HAProxy can definitely handle 
the hostname to IP issue, but HAProxy, as far as I know, won't do SSL; you have to 
have stunnel set up in front of it, and it still requires the IPs set.

I was hoping that it could be done and I may still keep playing when I get 
time. 

Thanks for everything

Joe

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Seth Mos
Sent: Thursday, July 26, 2012 2:54 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Using pfSense to route inbound traffic via Domain Name 
instead of IP

On 26-7-2012 5:01, Moshe Katz wrote:
 On Wed, Jul 25, 2012 at 10:24 PM, Joseph Hardeman 
 jharde...@cirracore.com mailto:jharde...@cirracore.com wrote:

 There isn't really any built-in way to do this.  What you really want 
 is a reverse-proxy server (which could or could not be running on the 
 pfSense box).  However, your Reverse Proxy would either have to 
 support SNI or have a single certificate with all of the domains on 
 it.  Your reverse-proxy would then route by domain name.

Indeed, you need a full on proxy server like HAproxy or Varnish depending on 
your tastes to do this.

Not sure which one does the man in the middle for SSL, the proxy will need to 
terminate the SSL connection and can speak http or https to the backend.

 Two parenthetical notes about SNI:

   * IIS 8 (release next month or so, RC currently available) does
 support SNI.
   * Windows XP does not support SNI.  (Firefox on XP does, as well as
 Chrome > 6 do).

As Moshe makes clear here there is no other feature you can use except SNI for 
SSL name based virtual hosting. Otherwise you need one IP per SSL certificate, 
proxy or not.

Regards,

Seth


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Frank

Hi Stefan,

On Thu, Jul 26, 2012 at 09:09:35AM +0200, Stefan Baur wrote:
 On 25.07.2012 18:36, RB wrote:

 However, repeatedly firing off

 fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address: \(.*\)<\/body>.*$/\1/'
 within the same minute doesn't error out, so it doesn't look like a limit
 that's enforced by dyndns.

Just some thoughts:

- what does your log say about dyndns?
- are there messages about cron errors in the logs
  (maybe an invisible special character, ..)
- if you *update* dyndns manually (curl, fetch, wget, whatever) every
  10m - does /that/ work?
  ... because just using checkip does not give any information
  about whether or not the *update* works when periodically executed
- does it still work if you call /etc/rc.dyndns.update manually?
- do some brute-force debugging :)
  - replace /etc/rc.dyndns.update with your own script. See if it's called
  - tcpdump the connection with the dyndns server, analyze the dump


-- 
Regards, Frank
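Frank's checklist asks for the periodic *update* itself to be verified and logged, not just the checkip call. As an added example (not code from the thread or from pfSense), a small POSIX sh helper that does that: it parses checkip's reply, validates the address, sends a DynDNS2 update only when the IP has changed, and logs the provider's response code so a silent failure shows up in the log. `fetch` is FreeBSD's fetch(1) as used in the thread; DDNS_USER, DDNS_PASS, DDNS_HOST and the cache/log paths are assumed placeholders, and members.dyndns.org/nic/update is the provider's DynDNS2 endpoint.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: a cron-friendly
# DynDNS update helper that only sends an update when the public IP has
# changed and logs every decision, so a silently failing update shows up.
# Placeholders assumed: DDNS_USER/DDNS_PASS/DDNS_HOST, cache and log paths.
CACHE_FILE="${CACHE_FILE:-/tmp/dyndns-last-ip}"
LOG_FILE="${LOG_FILE:-/tmp/dyndns-update.log}"
DDNS_HOST="${DDNS_HOST:-myhost.example.dyndns.org}"   # placeholder name

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"; }

# Pull the address out of checkip's HTML: the thread's sed, with the </body>
# tag that the list archive's HTML stripping removed.
extract_ip() {
    sed 's/^.*Current IP Address: \(.*\)<\/body>.*$/\1/'
}

# Refuse to act on anything that is not a dotted quad (an error page, say).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Compare with the last address we pushed; prints "update" or "skip".
needs_update() {   # $1 = current ip, $2 = cache file
    if [ -f "$2" ] && [ "$(cat "$2")" = "$1" ]; then
        echo skip
    else
        echo update
    fi
}

# Map a DynDNS2 reply to an outcome: good/nochg succeed; badauth and abuse
# mean stop retrying until someone looks, since retries make abuse worse.
classify_response() {
    case "$1" in
        good*|nochg*) echo ok ;;
        badauth*)     echo auth-failure ;;
        abuse*)       echo blocked ;;
        *)            echo error ;;
    esac
}

main() {
    ip=$(fetch -q -o - http://checkip.dyndns.org | extract_ip)
    if ! is_ipv4 "$ip"; then
        log "checkip returned no usable address: $ip"; exit 1
    fi
    if [ "$(needs_update "$ip" "$CACHE_FILE")" = skip ]; then
        log "ip $ip unchanged, no update sent"; exit 0
    fi
    reply=$(fetch -q -o - \
        "https://$DDNS_USER:$DDNS_PASS@members.dyndns.org/nic/update?hostname=$DDNS_HOST&myip=$ip")
    result=$(classify_response "$reply")
    log "update $DDNS_HOST -> $ip: $reply ($result)"
    if [ "$result" = ok ]; then printf '%s\n' "$ip" >"$CACHE_FILE"; fi
}

# Touch the network only when asked, e.g. from cron:  sh ddns-update.sh run
case "${1:-}" in run) main ;; esac
```

Tailing the log file then shows one line per cron run, which is exactly the evidence Frank's list asks for.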


Re: [pfSense] Using pfSense to route inbound traffic via Domain Name instead of IP

2012-07-26 Thread Adam Stasiak
Unfortunately the proxy route really wouldn't be an option. SNI support
isn't universal enough for that to work for us, and we can't mix different
clients' sites on one certificate for business reasons. If either of those
were an option there would be no problem as we could just have a single
public IP serve all the sites. Multi-wan is unappetizing because of the
added complexity, and having yet another point of failure. Plus we have a
warm-failover site, so a second provider would need to be at each site as
well, whereas the redirection I'm trying to set up could just be pointed to
a different site upon failure. And I really wish that a larger block was
possible, but we've bumped it up the chain and they just are not set up for
it apparently.

On Thu, Jul 26, 2012 at 4:46 PM, Joseph Hardeman jharde...@cirracore.com wrote:

  Hey Adam,

 I see what you're trying to do, basically use IP space on another provider
 and tunnel through to your local machines.  So this is feasible and should
 be able to be done; how, though, I would have to play with it myself and see.

 I could tell them to simply go the multi-wan approach or get a larger
 block of IP's.  Or do what Seth and Moshe recommended and setup a proxy.
 Something to discuss with them about.

 Thanks for the advice.

 Joe

 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Stasiak
 Sent: Thursday, July 26, 2012 9:48 AM
 To: pfSense support and discussion
 Subject: Re: [pfSense] Using pfSense to route inbound traffic via Domain Name instead of IP

 Not sure if this is helpful to you at all, but I've looked at a possible
 workaround for SSL and a lack of public IPs.


 Host a virtualized pfSense box with a service provider (I'm using ARP
 Networks).
 Get a /29 (or more as needed).
 Set up a tunnel between the virtualized box and your local pfSense.
 Route traffic from the addresses on the /29 to different local IPs on your
 internal network (or NAT to different ports on one local IP).

 Full disclosure, I haven't yet gotten this working, have asked a couple
 times on forums and this list, and people have seemed to think it's
 feasible, but have gotten bored before being able to help me through the
 nitty gritty. And I'm not knowledgeable enough about the intricacies of
 routing to figure out what the problem is myself. I'm thinking about just
 getting a support subscription and seeing if that will get it functioning.
 Assuming I'm not chasing a pipe dream, this could be something that would
 work for you, and I'd be happy to let you know/write up a how-to for the
 wiki/etc. if I am ever successful.

 There's obviously an extra cost for this, but it's not too bad, and our
 only option for an ISP (short of getting a T1) won't give out more than a
 /29 (and I've already used up all the available IPs, so have none left over
 for extra SSL sites). 

  On Thu, Jul 26, 2012 at 2:53 AM, Seth Mos seth@dds.nl wrote:

 On 26-7-2012 5:01, Moshe Katz wrote:

 On Wed, Jul 25, 2012 at 10:24 PM, Joseph Hardeman
 jharde...@cirracore.com wrote:

 There isn't really any built-in way to do this.  What you really want is
 a reverse-proxy server (which could or could not be running on the
 pfSense box).  However, your Reverse Proxy would either have to support
 SNI or have a single certificate with all of the domains on it.  Your
 reverse-proxy would then route by domain name.

 Indeed, you need a full on proxy server like HAproxy or Varnish depending
 on your tastes to do this.

 Not sure which one does the man in the middle for SSL, the proxy will need
 to terminate the SSL connection and can speak http or https to the backend.

 Two parenthetical notes about SNI:

   * IIS 8 (release next month or so, RC currently available) does
 support SNI.
   * Windows XP does not support SNI.  (Firefox on XP does, as well as
 Chrome > 6 do).

 As Moshe makes clear here there is no other feature you can use except SNI
 for SSL name based virtual hosting. Otherwise you need one IP per SSL
 certificate, proxy or not.

 Regards,

 Seth




Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Nishant Sharma
On Fri, Jul 27, 2012 at 2:44 AM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
 On 26.07.2012 22:45, Frank wrote:

 I'm not getting what you're trying to prove or disprove with that.  Care to
 explain?  Fact is, triggering the update by refreshing the DynDNS page in
 the WebGUI works.

Are you running a dual WAN setup with gateway failover by any chance? I
am running such a setup and at times dyndns entries are not updated because
it tries before the system could replace the default route with the
gateway of the active link.

Both the links of mine are PPPoE.

-Nishant


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Stefan Baur

On 26.07.2012 23:53, Nishant Sharma wrote:


Are you running dual WAN setup with gateway failover by any chance?


Nope, single WAN, but in private IP space, as there is another router 
above it.


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Stefan Baur

On 27.07.2012 01:16, Jeppe Øland wrote:

On Thu, Jul 26, 2012 at 2:14 PM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:

- what does your log say about dyndns?


Nothing that would look helpful:
 check_reload_status: Updating all dyndns
is the only message containing the string dyn, and it only appears once
during startup.


There's got to be more in the log than just that!


Nope, there isn't... but...


Maybe (or not) this bugreport is related to your problem.
The bug is marked as resolved, but I am not sure that's actually true:
 http://redmine.pfsense.org/issues/943


Exactly from there:

This is gonna sound really stupid but:

Do me a favor and see if you maybe by accident checked the disable checkbox 
at the top of the dyndns account settings (I did this once and it took me three days 
to notice this...)


And GH, it seems that I hit that disable checkbox some time when I 
wasn't paying attention.  Will wait for the next upstream IP change to 
confirm, but I guess that was the solution.  Fsck.


Is there a particular reason why this is check to disable and not 
check to enable?


-Stefan


[pfSense] pfsense behind a router question

2012-07-26 Thread Marcos Luna
Hello

I have 2.0.1-RELEASE (amd64) installed in a server that is behind a
Cisco RV082 V03 router. I was asked to use OpenVPN to allow many VPN users
from a single remote site. The problem is how I should configure
OpenVPN behind a router if all the documentation I have found uses
OpenVPN as the front machine/router of the private network.

Any suggestions are welcome

Regards

Marcos Luna


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Jeppe Øland
On Thu, Jul 26, 2012 at 4:25 PM, Stefan Baur
newsgroups.ma...@stefanbaur.de wrote:
 There's got to be more in the log than just that!
 Nope, there isn't... but...
 Exactly from there:
 Do me a favor and see if you maybe by accident checked the disable
 And GH, it seems that I hit that disable checkbox some time when I

Haha - that's classic. :-P

Regards,
-Jeppe


Re: [pfSense] pfsense behind a router question

2012-07-26 Thread Adam Stasiak
My guess would be you need to forward whatever port you choose for OpenVPN
through the cisco to the pfSense box, and choose the appropriate public IP
when configuring the other end of the tunnel. (I'm assuming you're talking
about setting up a tunnel from one site to another, from your description).

On Thu, Jul 26, 2012 at 8:25 PM, Marcos Luna marcos.l...@gmail.com wrote:

 Hello

 I have 2.0.1-RELEASE (amd64) installed in a server that is behind a
 Cisco RV082 V03 router. I was asked to use OpenVPN to allow many VPN users
 from a single remote site. The problem is how I should configure
 OpenVPN behind a router if all the documentation I have found uses
 OpenVPN as the front machine/router of the private network.

 Any suggestions are welcome

 Regards

 Marcos Luna





Re: [pfSense] pfsense behind a router question

2012-07-26 Thread Marcos Luna
Hello,


yes, I'm forwarding all TCP traffic from ports 1190-1199 (OpenVPN uses 1194)
to the internal WAN IP of OpenVPN, but it is not reaching the pfSense box
and I don't know why


Marcos Luna




On Thu, Jul 26, 2012 at 7:25 PM, Adam Stasiak pales...@gmail.com wrote:

 My guess would be you need to forward whatever port you choose for OpenVPN
 through the cisco to the pfSense box, and choose the appropriate public IP
 when configuring the other end of the tunnel. (I'm assuming you're talking
 about setting up a tunnel from one site to another, from your description).

 On Thu, Jul 26, 2012 at 8:25 PM, Marcos Luna marcos.l...@gmail.com wrote:

 Hello

 I have 2.0.1-RELEASE (amd64) installed in a server that is behind a
 Cisco RV082 V03 router. I was asked to use OpenVPN to allow many VPN users
 from a single remote site. The problem is how I should configure
 OpenVPN behind a router if all the documentation I have found uses
 OpenVPN as the front machine/router of the private network.

 Any suggestions are welcome

 Regards

 Marcos Luna





Re: [pfSense] pfsense behind a router question

2012-07-26 Thread Chris Buechler
On Thu, Jul 26, 2012 at 9:46 PM, Marcos Luna marcos.l...@gmail.com wrote:
 Hello,


 yes, I'm forwarding all TCP traffic from ports 1190-1199 (OpenVPN uses 1194)

OpenVPN generally uses UDP not TCP.


Re: [pfSense] Odd log entries 2.0.1 Release

2012-07-26 Thread Chris Buechler
On Thu, Jul 26, 2012 at 11:51 AM, Peder Rovelstad
provels...@comcast.net wrote:
 Just happened to see this today in my system logs.  Does it mean something?
 This is a home network with only about 6 active devices. The DHCP range is
 only 192.168.100 - .110


Means your scope used to be bigger/different and there are old leases
in the leases file that are outside of the current range. They'll go
away eventually, and it's not anything to be concerned with.