Re: [pfSense] OpenVPN users no access to LAN - HA pfSense Setup
On 5/12/2017 12:49 PM, Steve Yates wrote:
> -Original Message-
> Hey guys, last night I did my first HA installation of 2 XG-2758 appliances. It worked great, my only issue is with OpenVPN Remote Access.
> At first it wasn't working on the WAN VIP because I had OpenVPN listening on the interfaces instead of on the VIP, so changed it to listen on the VIP.

I have many such installations deployed.

> Now I'm stuck where the local subnet route is added to the remote users just fine, for example on a laptop I see a route of 192.168.0.0/24 over the VPN interface.
> But nothing actually reaches the destination.
>
> On pfSense nothing shows up in the firewall logs to help. The OpenVPN interface has a rule to allow all traffic, added by the OpenVPN wizard.

Can you do tcpdump on the openvpn interface of the master? If nothing is showing up there, perhaps look at the client firewall rules?

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] uncomplete update to 2.3.4, no route to host
On 05/12/2017 12:47 PM, Steve Yates wrote:
> They're missing the DNS record for pkg.pfsense.org. Per the SOA
> ad...@netgate.com is the contact; I've bcc'd this there.

pkg does not use A/ records, it uses SRV records, which are present and work fine:

$ host -t srv _https._tcp.pkg.pfsense.org
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.

OP's problem is not related to DNS. "No route to host" indicates they have a problem with their connectivity, for example they may have broken or half-configured IPv6 that is present but not usable for routing.

Jim P.
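The distinction drawn in the reply above, as an added example that is not part of the original thread or of pfSense's own code: the dig reply quoted in this thread is NOERROR with zero answers (the name exists but has no A record), which is not the same as NXDOMAIN, and the package servers are found through the SRV records. The sample inputs are abridged from the output quoted in the thread; the function names are hypothetical.

```python
import re

# Sample inputs abridged from the dig and host output quoted in this thread.
DIG_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;pkg.pfsense.org. IN A
;; AUTHORITY SECTION:
pfsense.org. 300 IN SOA ns1.netgate.com. admin.netgate.com. 201608310 3600 7200 1209600 3600
"""
HOST_SRV = """\
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.
"""


def classify_dig(text):
    """Classify a dig reply header: NODATA, ANSWER, or the non-NOERROR rcode."""
    status = re.search(r"status: (\w+)", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    if not status or not answers:
        raise ValueError("no dig header found")
    if status.group(1) != "NOERROR":
        return status.group(1)      # e.g. NXDOMAIN: the name does not exist
    # NOERROR with zero answers: the name exists, but not with this record type.
    return "ANSWER" if int(answers.group(1)) else "NODATA"


def parse_srv(text):
    """Return (priority, weight, port, target) tuples from `host -t srv` output."""
    records = []
    for line in text.splitlines():
        m = re.search(r"has SRV record (\d+) (\d+) (\d+) (\S+)", line)
        if m:
            prio, weight, port = (int(m.group(i)) for i in (1, 2, 3))
            records.append((prio, weight, port, m.group(4).rstrip(".")))
    return sorted(records)          # lowest priority value is tried first


if __name__ == "__main__":
    print("A lookup for pkg.pfsense.org:", classify_dig(DIG_A))
    for prio, weight, port, target in parse_srv(HOST_SRV):
        print(f"SRV target {target}:{port} (priority {prio}, weight {weight})")
```
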
Re: [pfSense] OpenVPN users no access to LAN - HA pfSense Setup
Yeah unique subnet on both ends. And the VPN is going to whatever the master is because the user is connected to the WAN VIP, and I confirmed that the connection is active on the master pfsense unit.

The problem was reproduced on multiple laptops that connect remotely.

On Fri, May 12, 2017 at 12:49 PM Steve Yates wrote:

> Wandering on by...we have OpenVPN set up on the WAN interfaces so that
> should work. Haven't gotten around to moving it to the CARP VIP. However
> I've found if you have HA and try to OpenVPN in directly to router2 while
> router1 is the Master, that doesn't work.
>
> Is OpenVPN using a unique subnet at both ends (you and pfSense)?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Arthur Wiebe
> Sent: Friday, May 12, 2017 10:22 AM
> To: pfSense Support and Discussion Mailing List
> Subject: [pfSense] OpenVPN users no access to LAN - HA pfSense Setup
>
> Hey guys, last night I did my first HA installation of 2 XG-2758
> appliances. It worked great, my only issue is with OpenVPN Remote Access.
> At first it wasn't working on the WAN VIP because I had OpenVPN listening
> on the interfaces instead of on the VIP, so changed it to listen on the
> VIP.
>
> Now I'm stuck where the local subnet route is added to the remote users
> just fine, for example on a laptop I see a route of 192.168.0.0/24 over
> the VPN interface.
> But nothing actually reaches the destination.
>
> On pfSense nothing shows up in the firewall logs to help. The OpenVPN
> interface has a rule to allow all traffic, added by the OpenVPN wizard.
>
> I've searched the forums and can't find anything that works.
>
> For now because we needed something running for the morning, we are using
> an OpenVPN Access Server virtual machine and it's working fine.
>
> --
> Arthur Wiebe | +1 519-670-5255

--
Arthur Wiebe | +1 519-670-5255
Re: [pfSense] uncomplete update to 2.3.4, no route to host
They're missing the DNS record for pkg.pfsense.org. Per the SOA ad...@netgate.com is the contact; I've bcc'd this there.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Stefan Fuhrmann
Sent: Thursday, May 11, 2017 11:18 AM
To: list@lists.pfsense.org
Subject: [pfSense] uncomplete update to 2.3.4, no route to host

Hello all,

I did an update via console and there are some packages open:

Enter an option: 13

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/meta.txz: No route to host
repository pfSense-core has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/packagesite.txz: No route to host
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/meta.txz: No route to host
repository pfSense has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/packagesite.txz: No route to host
Unable to update repository pfSense
Error updating repositories!

*** Welcome to pfSense 2.3.4-RELEASE (i386 full-install) on border ***

a dig shows:

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pkg.pfsense.org. IN A

;; AUTHORITY SECTION:
pfsense.org. 300 IN SOA ns1.netgate.com. admin.netgate.com. 201608310 3600 7200 1209600 3600

;; Query time: 193 msec
;; SERVER: 10.100.100.10#53(10.100.100.10)
;; WHEN: Thu May 11 18:09:16 CEST 2017
;; MSG SIZE rcvd: 101

there is no such host pkg.pfsense.org and I can not find any pfSense-core.sqlite on the system.

Can someone help?

Tia
Stefan
Re: [pfSense] smartctl supporting mSATA controller
On Fri, Apr 28, 2017 at 5:04 PM, Karl Fife wrote:

> Can anyone recommend a good mSATA drive (i.e. controller chip) that
> supports a full suite of smartctl commands, such as an ATA (hdparm) secure
> erase, and self-test? Many have partial support, and it's really hard to
> find out what support exists short of bench testing.

No one gave you a recommendation? Most of the SSD type devices support all this stuff now. I wish I could help more. I thought there was a spec now, at least I know there is a space for SAS devices.

I wonder if you search for OPAL disks if you will come up with better results:

https://en.wikipedia.org/wiki/Opal_Storage_Specification
https://wiki.hackspherelabs.com/index.php?title=SED_Hard_Drives
Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set
Looks like it might be that I was using a custom Check IP service. Trying on a new installation of pfSense without a custom one it worked fine.

On Fri, May 12, 2017 at 8:47 AM Vick Khera wrote:

> On Thu, May 11, 2017 at 3:40 PM, Julian Heisz wrote:
>
> > Are you using the default public IP finder (forget the specific term
> > pfSense uses and not in a position to check at the moment) or do you have a
> > custom one set up? I have a custom one set up, which works for other DDNS
> > but may for some reason not work here.
>
> All I did was fill out the form on the RFC2136 client page and check the
> "use public IP" box. This has been working for me for a couple of years in
> this configuration.
[pfSense] OpenVPN users no access to LAN - HA pfSense Setup
Hey guys, last night I did my first HA installation of 2 XG-2758 appliances. It worked great, my only issue is with OpenVPN Remote Access.
At first it wasn't working on the WAN VIP because I had OpenVPN listening on the interfaces instead of on the VIP, so changed it to listen on the VIP.

Now I'm stuck where the local subnet route is added to the remote users just fine, for example on a laptop I see a route of 192.168.0.0/24 over the VPN interface.
But nothing actually reaches the destination.

On pfSense nothing shows up in the firewall logs to help. The OpenVPN interface has a rule to allow all traffic, added by the OpenVPN wizard.

I've searched the forums and can't find anything that works.

For now because we needed something running for the morning, we are using an OpenVPN Access Server virtual machine and it's working fine.

--
Arthur Wiebe | +1 519-670-5255
Re: [pfSense] Wifi
Vick

Thank you so much!!!

Regards

Alfredo

On May 11, 2017 1:55 PM, "Vick Khera" wrote:

> 1. Assign a static IP for the device to control via the DHCP server. Force
>    the device to re-fetch its IP so it can get this new dedicated address.
> 2. create a schedule entry in the Firewall -> Schedules configuration. For
>    example, 4pm - 8pm Sunday through Thursday (I call this "school
>    afternoons").
> 3. Create a "block" rule on the LAN. open the "advanced" options and select
>    your schedule from the menu for schedules.
> 4. save and apply the rules.
>
> On Thu, May 11, 2017 at 12:22 PM, Alfredo Tapia Sabogal <alfred.ta...@gmail.com> wrote:
>
> > Hello everyone, hope some of you have any step by step how to control the
> > wifi access with time restriction for internet access.
> >
> > Thank you so much!!!
Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set
On Thu, May 11, 2017 at 3:40 PM, Julian Heisz wrote:

> Are you using the default public IP finder (forget the specific term
> pfSense uses and not in a position to check at the moment) or do you have a
> custom one set up? I have a custom one set up, which works for other DDNS
> but may for some reason not work here.

All I did was fill out the form on the RFC2136 client page and check the "use public IP" box. This has been working for me for a couple of years in this configuration.
Re: [pfSense] About SSL Filtering: Squid and Squidguard.
On Tue 09 May 2017 23:14:37 NZST +1200, José Gregorio Díaz Unda wrote:

> It looks like I should use PFS only as a firewall and DNS resolver, and
> setup independently DHCP and Squid.

The DHCP server in pfsense is very good. With squid and squidguard I am less than impressed. It is more secure to run a web proxy on a different host than the firewall. If you want MITM filtering, pfsense is probably the easiest to set up because theoretically it's only a few clicks. I think there was a package for getting letsencrypt certs, if you trust them, you don't then need to import certs into all your clients.

> May be Squid/Squidguard in a "solo-mode" are less complex to setup to
> filter SSL. Or I should find a different alternative for Proxy/SSLFiltering.

The best choice depends on what you want. The pfsense squidguard interface is not a time saver, some short strategic scripts in your own setup will probably be way faster in the long run.

Volker

--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.