Re: [pfSense] OpenVPN users no access to LAN - HA pfSense Setup

2017-05-12 Thread Mark Wiater

On 5/12/2017 12:49 PM, Steve Yates wrote:

-----Original Message-----

Hey guys, last night I did my first HA installation of 2 XG-2758
appliances. It worked great, my only issue is with OpenVPN Remote Access.
At first it wasn't working on the WAN VIP because I had OpenVPN listening
on the interfaces instead of on the VIP, so changed it to listen on the VIP.

I have many such installations deployed.

Now I'm stuck where the local subnet route is added to the remote users
just fine, for example on a laptop I see a route of 192.168.0.0/24 over the
VPN interface.
But nothing actually reaches the destination.

On pfSense nothing shows up in the firewall logs to help. The OpenVPN
interface has a rule to allow all traffic, added by the OpenVPN wizard.

Can you do tcpdump on the openvpn interface of the master? If nothing is
showing up there, perhaps look at the client firewall rules?



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] uncomplete update to 2.3.4, no route to host

2017-05-12 Thread Jim Pingle
On 05/12/2017 12:47 PM, Steve Yates wrote:
>They're missing the DNS record for pkg.pfsense.org.  Per the SOA 
>ad...@netgate.com is the contact; I've bcc'd this there.

pkg does not use A/AAAA records, it uses SRV records, which are present
and work fine:


$ host -t srv _https._tcp.pkg.pfsense.org
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.

OP's problem is not related to DNS. "No route to host" indicates they
have a problem with their connectivity, for example they may have broken
or half-configured IPv6 that is present but not usable for routing.

Jim P.
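
The distinction drawn in this reply, as an added example that is not part of the original thread: a NOERROR response with zero answers means the name exists but has no record of the queried type, while the SRV lookup supplies the real download targets. The function names and result labels are hypothetical; the sample inputs are copied from the dig and host output posted in this thread.

```python
import re

# Inputs copied from this thread: the dig header from the original report
# and the `host -t srv` answer quoted in the reply.
DIG_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
HOST_SRV = """\
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.
"""

SRV_LINE = re.compile(r"^\S+ has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")


def classify_dig(text):
    """Return 'ANSWER', 'NODATA', 'NXDOMAIN' or 'ERROR:<rcode>' for dig output."""
    status = re.search(r"status: (\w+)", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    if not status or not answers:
        raise ValueError("no dig header found")
    rcode = status.group(1)
    if rcode == "NXDOMAIN":
        return "NXDOMAIN"          # the name itself does not exist
    if rcode != "NOERROR":
        return "ERROR:" + rcode    # SERVFAIL, REFUSED, ...
    # NOERROR with an empty answer section: name exists, no record of this type
    return "ANSWER" if int(answers.group(1)) > 0 else "NODATA"


def parse_srv(text):
    """Parse `host -t srv` lines into (priority, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            prio, weight, port = (int(m.group(i)) for i in (1, 2, 3))
            records.append((prio, weight, port, m.group(4)))
    # Lowest priority value is tried first; higher weight is preferred within it.
    return sorted(records, key=lambda r: (r[0], -r[1]))


def diagnose(dig_text, srv_text):
    """Hypothetical helper: does DNS explain a failed repository fetch?"""
    targets = [(t, port) for _, _, port, t in parse_srv(srv_text)]
    if targets:
        return "dns-ok", targets   # look at routing to these hosts instead
    if classify_dig(dig_text) == "NXDOMAIN":
        return "name-missing", []
    return "no-srv-records", []
```

With the thread's inputs, `diagnose(DIG_A, HOST_SRV)` reports DNS as fine and lists the two SRV targets on port 443, which are the hosts whose reachability over IPv4 and IPv6 is worth checking next.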


Re: [pfSense] OpenVPN users no access to LAN - HA pfSense Setup

2017-05-12 Thread Arthur Wiebe
Yeah unique subnet on both ends. And the VPN is going to whatever the
master is because the user is connected to the WAN VIP, and I confirmed
that the connection is active on the master pfsense unit.
The problem was reproduced on multiple laptops that connect remotely.

On Fri, May 12, 2017 at 12:49 PM Steve Yates  wrote:

> Wandering on by...we have OpenVPN set up on the WAN interfaces so that
> should work.  Haven't gotten around to moving it to the CARP VIP.  However
> I've found if you have HA and try to OpenVPN in directly to router2 while
> router1 is the Master, that doesn't work.
>
> Is OpenVPN using a unique subnet at both ends (you and pfSense)?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Arthur
> Wiebe
> Sent: Friday, May 12, 2017 10:22 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] OpenVPN users no access to LAN - HA pfSense Setup
>
> Hey guys, last night I did my first HA installation of 2 XG-2758
> appliances. It worked great, my only issue is with OpenVPN Remote Access.
> At first it wasn't working on the WAN VIP because I had OpenVPN listening
> on the interfaces instead of on the VIP, so changed it to listen on the VIP.
>
> Now I'm stuck where the local subnet route is added to the remote users
> just fine, for example on a laptop I see a route of 192.168.0.0/24 over the
> VPN interface.
> But nothing actually reaches the destination.
>
> On pfSense nothing shows up in the firewall logs to help. The OpenVPN
> interface has a rule to allow all traffic, added by the OpenVPN wizard.
>
> I've searched the forums and can't find anything that works.
>
> For now because we needed something running for the morning, we are using
> an OpenVPN Access Server virtual machine and it's working fine.
> --
> Arthur Wiebe | +1 519-670-5255
-- 
Arthur Wiebe | +1 519-670-5255


Re: [pfSense] uncomplete update to 2.3.4, no route to host

2017-05-12 Thread Steve Yates
They're missing the DNS record for pkg.pfsense.org.  Per the SOA 
ad...@netgate.com is the contact; I've bcc'd this there.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Stefan Fuhrmann
Sent: Thursday, May 11, 2017 11:18 AM
To: list@lists.pfsense.org
Subject: [pfSense] uncomplete update to 2.3.4, no route to host

Hello all,

I did an update via console and there are some packages open:

Enter an option: 13

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/meta.txz: No route to host
repository pfSense-core has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/packagesite.txz: No route to host
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/meta.txz: No route to host
repository pfSense has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/packagesite.txz: No route to host
Unable to update repository pfSense
Error updating repositories!
*** Welcome to pfSense 2.3.4-RELEASE (i386 full-install) on border ***

a dig shows:

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pkg.pfsense.org.   IN  A

;; AUTHORITY SECTION:
pfsense.org.            300     IN      SOA     ns1.netgate.com. admin.netgate.com. 201608310 3600 7200 1209600 3600

;; Query time: 193 msec
;; SERVER: 10.100.100.10#53(10.100.100.10)
;; WHEN: Thu May 11 18:09:16 CEST 2017
;; MSG SIZE  rcvd: 101



there is no such host pkg.pfsense.org and I can not find any
pfSense-core.sqlite on the system.

Can someone help?

Tia Stefan



Re: [pfSense] smartctl supporting mSATA controller

2017-05-12 Thread WebDawg
On Fri, Apr 28, 2017 at 5:04 PM, Karl Fife  wrote:

> Can anyone recommend a good mSATA drive (i.e. controller chip) that
> supports a full suite of smartctl commands, such as an ATA (hdparm) secure
> erase, and self-test?  Many have partial support, and it's really hard to
> find out what support exists short of bench testing.
>


No one gave you a recommendation?  Most of the SSD type devices support all
this stuff now.  I wish I could help more.  I thought there was a spec now,
at least I know there is a space for SAS devices.

I wonder if you search for OPAL disks if you will come up with better
results:  https://en.wikipedia.org/wiki/Opal_Storage_Specification

https://wiki.hackspherelabs.com/index.php?title=SED_Hard_Drives


Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set

2017-05-12 Thread Julian Heisz
Looks like it might be that I was using a custom Check IP service. Trying
on a new installation of pfSense without a custom one it worked fine.

On Fri, May 12, 2017 at 8:47 AM Vick Khera  wrote:

> On Thu, May 11, 2017 at 3:40 PM, Julian Heisz 
> wrote:
>
> > Are you using the default public IP finder (forget the specific term
> > pfSense uses and not in a position to check at the moment) or do you have a
> > custom one set up? I have a custom one set up, which works for other DDNS
> > but may for some reason not work here.
> >
>
> All I did was fill out the form on the RFC2136 client page and check the
> "use public IP" box. This has been working for me for a couple of years in
> this configuration.


[pfSense] OpenVPN users no access to LAN - HA pfSense Setup

2017-05-12 Thread Arthur Wiebe
Hey guys, last night I did my first HA installation of 2 XG-2758
appliances. It worked great, my only issue is with OpenVPN Remote Access.
At first it wasn't working on the WAN VIP because I had OpenVPN listening
on the interfaces instead of on the VIP, so changed it to listen on the VIP.

Now I'm stuck where the local subnet route is added to the remote users
just fine, for example on a laptop I see a route of 192.168.0.0/24 over the
VPN interface.
But nothing actually reaches the destination.

On pfSense nothing shows up in the firewall logs to help. The OpenVPN
interface has a rule to allow all traffic, added by the OpenVPN wizard.

I've searched the forums and can't find anything that works.

For now because we needed something running for the morning, we are using
an OpenVPN Access Server virtual machine and it's working fine.
-- 
Arthur Wiebe | +1 519-670-5255


Re: [pfSense] Wifi

2017-05-12 Thread Alfredo Tapia Sabogal
Vick
Thank you so much!!!

Regards

Alfredo

On May 11, 2017 1:55 PM, "Vick Khera" wrote:

> 1. Assign a static IP for the device to control via the DHCP server. Force
> the device to re-fetch its IP so it can get this new dedicated address.
> 2. create a schedule entry in the Firewall -> Schedules configuration. For
> example, 4pm - 8pm Sunday through Thursday (I call this "school
> afternoons").
> 3. Create a "block" rule on the LAN. open the "advanced" options and select
> your schedule from the menu for schedules.
> 4. save and apply the rules.
>
> On Thu, May 11, 2017 at 12:22 PM, Alfredo Tapia Sabogal <
> alfred.ta...@gmail.com> wrote:
>
> > Hello everyone, hope some of you have any step by step how to control the
> > wifi access with  time restriction for internet access.
> >
> > Thank you so much!!!

Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set

2017-05-12 Thread Vick Khera
On Thu, May 11, 2017 at 3:40 PM, Julian Heisz 
wrote:

> Are you using the default public IP finder (forget the specific term
> pfSense uses and not in a position to check at the moment) or do you have a
> custom one set up? I have a custom one set up, which works for other DDNS
> but may for some reason not work here.
>

All I did was fill out the form on the RFC2136 client page and check the
"use public IP" box. This has been working for me for a couple of years in
this configuration.


Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-12 Thread Volker Kuhlmann
On Tue 09 May 2017 23:14:37 NZST +1200, José Gregorio Díaz Unda wrote:

> It looks like I should use PFS only as a firewall and DNS resolver, and
> setup independently DHCP and Squid.

The DHCP server in pfsense is very good. With squid and squidguard I am
less than impressed. It is more secure to run a web proxy on a different
host than the firewall. If you want MITM filtering, pfsense is probably
the easiest to set up because theoretically it's only a few clicks. I
think there was a package for getting letsencrypt certs, if you trust
them, you don't then need to import certs into all your clients. 

> May be Squid/Squidguard in a "solo-mode" are less complex to setup to
> filter SSL. Or I should find a different alternative for Proxy/SSLFiltering.

The best choice depends on what you want. The pfsense squidguard
interface is not a time saver, some short strategic scripts in your own
setup will probably be way faster in the long run.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.