Re: [pfSense] pfSense Routing - VPN's
It's very simple! First you have to configure a main site-to-site VPN server at your main branch, then you can easily configure A, B, C, etc. with a shared key and tunnel network.

On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall a...@cyberprog.net wrote:

> Hi All,
>
> I currently have a number of sites which have VPNs between them, with each site having a VPN to one another. This is becoming harder to manage; we currently have 5 sites (6 if you include my home), and it would make sense to me to adopt more of a star architecture with a central site. However, I can't work out how to configure this!
>
> Each site has its own /24 of private addresses, and I have a central branch. How can I configure things so that if branch B needs to get to branch C, it knows that it must go via branch A? Branch A has the best connectivity (bonded FTTCs), so it would make sense, as well as it being our "hub" branch for the stock control system also.
>
> Any advice would be appreciated!
>
> --
> Alex Threlfall
> Cyberprog New Media
> www.cyberprog.net

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense Routing - VPN's
This is exactly what we do. We make the hub the OpenVPN server and the spokes the clients, because the hub IP is static and we can manage all of the OpenVPN listeners on one instance.

If your whole network is a /16 and each spoke is a /24, all you need is a route directive on each of the spokes for the entire /16. In OpenVPN Advanced:

    route 192.168.0.0 255.255.0.0;

You don't need any routing directives on the 'hub' because the addition of each connection will take care of that.

With respect to rules: we find it best to make the first rule on the hub's OpenVPN interface this: any source/port NOT destined for THIS hub subnet is allowed to pass. That way each branch can manage their ingress policy privately, because the hub will just route anything not destined for its subnet.

We also find it best to set up DNS forwarders to the spoke networks, i.e. Hub: mybranch.mycompany.com DNS dips are at 192.168.11.1. Spokes can dip the hub if so configured, which can in turn dip OTHER spokes if so configured. Inverse lookups work too. For example, add a DNS forwarder of 10.168.192.in-addr.arpa to allow inverse lookups in the spoke in the subnet 192.168.10.0/24.

It's been rock-solid for many years now! Good luck.

On 5/16/2014 1:16 AM, A Mohan Rao wrote:

> It's very simple! First you have to configure a main site-to-site VPN server at your main branch, then you can easily configure A, B, C, etc. with a shared key and tunnel network.
>
> On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall a...@cyberprog.net wrote:
>
>> Hi All,
>>
>> I currently have a number of sites which have VPNs between them, with each site having a VPN to one another. This is becoming harder to manage; we currently have 5 sites (6 if you include my home), and it would make sense to me to adopt more of a star architecture with a central site. However, I can't work out how to configure this!
>>
>> Each site has its own /24 of private addresses, and I have a central branch. How can I configure things so that if branch B needs to get to branch C, it knows that it must go via branch A? Branch A has the best connectivity (bonded FTTCs), so it would make sense, as well as it being our hub branch for the stock control system also.
>>
>> Any advice would be appreciated!
>>
>> --
>> Alex Threlfall
>> Cyberprog New Media
>> www.cyberprog.net
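A small planning helper for the hub-and-spoke design Karl describes above, written as an added example for this thread (it is not Karl's or the pfSense project's code). It takes the /16 summary, the hub /24 and the spoke /24s, checks the address plan for the overlaps that silently black-hole a branch, and emits the spoke-side `route` directive, the `in-addr.arpa` zone for each spoke's reverse-lookup forwarder, and a model of the hub's first OpenVPN rule (pass anything not destined for the hub subnet). The per-client `iroute` lines are what OpenVPN needs on the hub for each connection; pfSense generates them from each Client Specific Override, which is why Karl needs no manual hub routes. The branch names and 192.168.1.0/24 hub subnet are constructed.

```python
import ipaddress

def summary_route_directive(summary):
    """Spoke-side OpenVPN Advanced directive for the whole /16 (Karl's example)."""
    net = ipaddress.ip_network(summary)
    return f"route {net.network_address} {net.netmask}"

def reverse_zone(cidr):
    """in-addr.arpa zone to forward for a /24, e.g. 192.168.10.0/24 -> 10.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen != 24:
        raise ValueError("this example only builds reverse zones for /24 spokes")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"

def hub_first_rule_passes(hub, dst_ip):
    """Karl's first rule on the hub's OpenVPN interface: anything NOT destined
    for the hub subnet is passed, so each branch keeps its own ingress policy."""
    return ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(hub)

def plan(summary, hub, spokes):
    """Validate the address plan and return the pieces of configuration.

    spokes maps a branch name (constructed) to its /24. Raises ValueError if a
    spoke lies outside the summary or overlaps the hub or another spoke.
    """
    summ = ipaddress.ip_network(summary)
    seen = [ipaddress.ip_network(hub)]
    iroutes, zones = [], {}
    for name, cidr in spokes.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(summ):
            raise ValueError(f"{name}: {net} is outside the summary {summ}")
        for other in seen:
            if net.overlaps(other):
                raise ValueError(f"{name}: {net} overlaps {other}")
        seen.append(net)
        # Hub side: pfSense emits this iroute from the client's Client Specific Override.
        iroutes.append(f"{name}: iroute {net.network_address} {net.netmask}")
        zones[name] = reverse_zone(cidr)
    return {"spoke_route": summary_route_directive(summary),
            "hub_iroutes": iroutes, "reverse_zones": zones}

if __name__ == "__main__":
    p = plan("192.168.0.0/16", "192.168.1.0/24",
             {"branchB": "192.168.10.0/24", "branchC": "192.168.11.0/24"})
    print(p["spoke_route"])
    print("\n".join(p["hub_iroutes"]))
    print(p["reverse_zones"])
```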
Re: [pfSense] Status of pfSense 2.2 regarding 802.11n
On 16/05/14 00:36, Victor Padro wrote:

> On Thu, May 15, 2014 at 3:29 PM, Matthias May matth...@may.nu wrote:
>
>> On 15.05.2014 20:49, Jim Pingle wrote:
>>
>>> On 5/15/2014 1:03 PM, b...@todoo.biz wrote:
>>>
>>>> I wanted to know what was the status of 2.2 regarding WLAN (802.11n) support / implementation? I am mainly interested in Atheros driver support since most of our HW is based on this chipset.
>>>
>>> The drivers are there, and the GUI options should pick up on the supported protocols automatically. I don't have an 802.11n capable card in anything running pfSense at the moment to try it, but it should be there.
>>>
>>> Jim
>>
>> I'm using 2.2 with some Atheros based cards. Works pretty well. One thing I'm missing is the ability to configure the specific n features, e.g. the GUI settings for the antenna are specifically for non-n cards. Not sure what these settings will actually do (I guess nothing). By default just everything you usually want is enabled.
>>
>> Matthias
>
> Will it be able to support 300 Mbps? I have an Atheros card which only supports 54-150 Mbps so far.
>
> --
> Everything that irritates us about others can lead us to an understanding of ourselves

Here are results of some tests I did:
https://forum.pfsense.org/index.php?topic=74672.msg411023#msg411023

This setup was running at 3x3 (450 Mbit).

A table to understand what MCS22/23 and short/long guard interval (SGI) mean regarding bandwidth:
http://mcsindex.com/
Re: [pfSense] pfSense Routing - VPN's
I have the same issue. We manage firewalls for a growing business, and currently everything links to their 'corp' office. But their corp office connection is overloaded with all the traffic going between offices.

When I ran plain Linux boxes with Shorewall installed, I wrote a tool called 'openmesher' that would automatically generate all the link combinations and create DEB packages to install the SITE-to-SITE.conf file in /etc/openvpn/ along with shared keys. Then my boss decided he wanted a GUI to manage the firewalls, so we switched to pfSense. Unfortunately there is no API or easy way to automate the configuration (XML, ugh!) ...but I'm working on modifying openmesher to generate the XML snippet for OpenVPN configs. You still have to copy/paste in to your config file, but it'll still save a bunch of clicking.

I love pfSense, but I *hate* XML and the lack of an API. The power of *nix comes from the tools to rapidly edit simple text files and interop through simple APIs.

*wonders about funding the next pfSense hackathon with an eye towards an API*

-A

On Thu, May 15, 2014 at 11:55 PM, Karl Fife karlf...@gmail.com wrote:

> This is exactly what we do. We make the hub the OpenVPN server and the spokes the clients, because the hub IP is static and we can manage all of the OpenVPN listeners on one instance.
>
> If your whole network is a /16 and each spoke is a /24, all you need is a route directive on each of the spokes for the entire /16. In OpenVPN Advanced:
>
>     route 192.168.0.0 255.255.0.0;
>
> You don't need any routing directives on the 'hub' because the addition of each connection will take care of that.
>
> With respect to rules: we find it best to make the first rule on the hub's OpenVPN interface this: any source/port NOT destined for THIS hub subnet is allowed to pass. That way each branch can manage their ingress policy privately, because the hub will just route anything not destined for its subnet.
>
> We also find it best to set up DNS forwarders to the spoke networks, i.e. Hub: mybranch.mycompany.com DNS dips are at 192.168.11.1. Spokes can dip the hub if so configured, which can in turn dip OTHER spokes if so configured. Inverse lookups work too. For example, add a DNS forwarder of 10.168.192.in-addr.arpa to allow inverse lookups in the spoke in the subnet 192.168.10.0/24.
>
> It's been rock-solid for many years now! Good luck.
>
> On 5/16/2014 1:16 AM, A Mohan Rao wrote:
>
>> It's very simple! First you have to configure a main site-to-site VPN server at your main branch, then you can easily configure A, B, C, etc. with a shared key and tunnel network.
>>
>> On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall a...@cyberprog.net wrote:
>>
>>> Hi All,
>>>
>>> I currently have a number of sites which have VPNs between them, with each site having a VPN to one another. This is becoming harder to manage; we currently have 5 sites (6 if you include my home), and it would make sense to me to adopt more of a star architecture with a central site. However, I can't work out how to configure this!
>>>
>>> Each site has its own /24 of private addresses, and I have a central branch. How can I configure things so that if branch B needs to get to branch C, it knows that it must go via branch A? Branch A has the best connectivity (bonded FTTCs), so it would make sense, as well as it being our "hub" branch for the stock control system also.
>>>
>>> Any advice would be appreciated!
>>>
>>> --
>>> Alex Threlfall
>>> Cyberprog New Media
>>> www.cyberprog.net
Re: [pfSense] Gateway on a gateway...
When I try to do this, pfSense gives me an error that the firewall is not local to my subnet, which is 172.16.1.16 on subnet 255.255.248.0. The branch router is on 172.16.11.0/24, which connects to the firewall subnet via the MPLS provider router, i.e. 10.152.8.117/30. So what to do?

Regards

- Reply message -
From: dragonator dragona...@sleepydragon.net
To: faisal.gill...@akesp.org, list@lists.pfsense.org
Subject: [pfSense] Gateway on a gateway...
Date: Sat, May 17, 2014 12:51 AM

> Change the route on the site 2 gateway to route all traffic to that firewall.
>
> Original message
> From: faisal.gill...@akesp.org
> Date: 05/15/2014 19:39 (GMT-05:00)
> To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
> Subject: [pfSense] Gateway on a gateway...
>
>> I have two networks connected together with an MPLS network; all the clients on both networks can access each other. Site 1 (172.16.0.0/21) has a packet-filtering multi-WAN firewall (172.16.1.16) on its local subnet, which local clients connect to for internet access. Site 2 (172.16.11.0/24) clients connect to a local router (172.16.11.17), which routes all site 1 destined traffic to the site 1 router (172.16.0.17). All site 2 clients have the IP of the site 2 router (172.16.11.17) as their default gateway. Now I want clients on site 2 to use my packet-filtering firewall (172.16.1.16) for their internet needs, so how do I define this without breaking the existing communication? Can anyone guide me in this?
Re: [pfSense] Gateway on a gateway...
On the pfSense firewall? Nothing. You need to change your routers.

Ideally, your MPLS routers are using BGP. Then on the site 1 router, under the BGP section, you can tell it to advertise the 0.0.0.0 route by adding network 0.0.0.0, and make sure you have a static route on that router for 0.0.0.0 to the firewall. Site 2 should then use the MPLS router as their default gateway instead of the firewall.

As an added bonus you can have site 2 fail over to their local internet when the MPLS is down by adding a lower metric (255) default route that will kick in when the BGP advertised route disappears when the MPLS goes down.

- Reply message -
From: faisal.gill...@akesp.org
To: dragonator dragona...@sleepydragon.net, list@lists.pfsense.org
Subject: [pfSense] Gateway on a gateway...
Date: Fri, May 16, 2014 11:27 PM

> When I try to do this, pfSense gives me an error that the firewall is not local to my subnet, which is 172.16.1.16 on subnet 255.255.248.0. The branch router is on 172.16.11.0/24, which connects to the firewall subnet via the MPLS provider router, i.e. 10.152.8.117/30. So what to do?
>
> Regards
>
> - Reply message -
> From: dragonator dragona...@sleepydragon.net
> To: faisal.gill...@akesp.org, list@lists.pfsense.org
> Subject: [pfSense] Gateway on a gateway...
> Date: Sat, May 17, 2014 12:51 AM
>
>> Change the route on the site 2 gateway to route all traffic to that firewall.
>>
>> Original message
>> From: faisal.gill...@akesp.org
>> Date: 05/15/2014 19:39 (GMT-05:00)
>> To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
>> Subject: [pfSense] Gateway on a gateway...
>>
>>> I have two networks connected together with an MPLS network; all the clients on both networks can access each other. Site 1 (172.16.0.0/21) has a packet-filtering multi-WAN firewall (172.16.1.16) on its local subnet, which local clients connect to for internet access. Site 2 (172.16.11.0/24) clients connect to a local router (172.16.11.17), which routes all site 1 destined traffic to the site 1 router (172.16.0.17). All site 2 clients have the IP of the site 2 router (172.16.11.17) as their default gateway. Now I want clients on site 2 to use my packet-filtering firewall (172.16.1.16) for their internet needs, so how do I define this without breaking the existing communication? Can anyone guide me in this?