Re: [pfSense] IPSec tunnels on AT&T U-Verse

2017-05-13 Thread Laz C. Peterson
We’ll try that, thanks for the suggestion.

I don’t recall us using that anywhere else … Would be great if it works!

I’ll let you know.  Thanks Jim.

~ Laz Peterson
Paravis, LLC

> On May 13, 2017, at 3:57 PM, Jim Thompson wrote:
> 
> 
> Maybe NAT traversal?
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal
> 
>> On May 13, 2017, at 5:30 PM, Laz C. Peterson wrote:
>> 
>> Hello everyone,
>> 
>> We’re having a pretty interesting problem here …
>> 
>> To give you the quick summary, we have AT&T U-Verse “Business Fiber” (which 
>> is a fancy way of saying it’s actual fiber, but the budget kind …) and have 
>> very serious issues establishing any TLS or SSL encrypted connections 
>> through IPSec tunnels.
>> 
>> If we plug a SonicWALL device in, same tunnel settings, we have no issues at 
>> all.  But our pfSense device (it is a SG-2440) struggles very hard and we 
>> cannot do simple encrypted services over this tunnel — including downloading 
>> email, synchronizing AD domain servers, or even rsync over SSH.
>> 
>> It’s been very troubling.  When plugging in the SonicWALL, all of these 
>> services work completely flawlessly.  The second we use the pfSense, none of 
>> the encrypted protocols through the tunnel work.
>> 
>> I’ve been thinking about MSS and MTU, but I really don’t know where to 
>> begin.  The SonicWALL seems to be able to figure these things out on its own 
>> (if that’s even the issue).  But I’m at a total loss.
>> 
>> Any suggestions?
>> 
>> ~ Laz Peterson
>> Paravis, LLC
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold


[pfSense] solved: Re: uncomplete update to 2.3.4, no route to host

2017-05-13 Thread Stefan Fuhrmann
Ahoy Jim,

On Friday, 12 May 2017, 13:25:25 CEST, Jim Pingle wrote:
> pkg does not use A/ records, it uses SRV records, which are present
> and work fine:
ah, okay!
 
> 
> $ host -t srv _https._tcp.pkg.pfsense.org
> _https._tcp.pkg.pfsense.org has SRV record 10 10 443 files00.netgate.com.
> _https._tcp.pkg.pfsense.org has SRV record 10 10 443 files01.netgate.com.
> 
> OPs problem is not related to DNS. "No route to host" indicates they
> have a problem with their connectivity, for example they may have broken
> or half-configured IPv6 that is present but not usable for routing.

Thanks for clearing this up!
I just tried it and it works now.

Stefan
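As an added illustration of the SRV mechanism Jim describes (this is not code from the thread, from pkg or from pfSense): a client-side ordering of SRV targets per RFC 2782, run over the two records quoted above as constructed input. Once a client has this list, a "No route to host" on connect is a connectivity failure, not a DNS one.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer set, transcribed from the `host -t srv` output
# quoted in the thread; nothing here performs a live lookup.
PKG_SRV = [
    SrvRecord(10, 10, 443, "files00.netgate.com."),
    SrvRecord(10, 10, 443, "files01.netgate.com."),
]


def _pick_weighted(pool: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """Remove and return one record from a single-priority pool (RFC 2782)."""
    # Zero-weight targets sort first so they are selected only rarely.
    pool.sort(key=lambda r: r.weight != 0)
    threshold = rng.randint(0, sum(r.weight for r in pool))
    running = 0
    for rec in pool:
        running += rec.weight
        if running >= threshold:
            pool.remove(rec)
            return rec
    return pool.pop()  # not reached: the last record always meets the threshold


def order_srv(records: List[SrvRecord], seed=None) -> List[Tuple[str, int]]:
    """(target, port) pairs in the order a client should try them:
    lowest priority value first, weighted-random order within a priority."""
    rng = random.Random(seed)
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            rec = _pick_weighted(pool, rng)
            if rec.target == ".":  # RFC 2782: service explicitly not offered
                continue
            ordered.append((rec.target.rstrip("."), rec.port))
    return ordered
```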


Re: [pfSense] IPSec tunnels on AT&T U-Verse

2017-05-13 Thread Jim Thompson

Maybe NAT traversal?

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

> On May 13, 2017, at 5:30 PM, Laz C. Peterson wrote:
> 
> Hello everyone,
> 
> We’re having a pretty interesting problem here …
> 
> To give you the quick summary, we have AT&T U-Verse “Business Fiber” (which 
> is a fancy way of saying it’s actual fiber, but the budget kind …) and have 
> very serious issues establishing any TLS or SSL encrypted connections through 
> IPSec tunnels.
> 
> If we plug a SonicWALL device in, same tunnel settings, we have no issues at 
> all.  But our pfSense device (it is a SG-2440) struggles very hard and we 
> cannot do simple encrypted services over this tunnel — including downloading 
> email, synchronizing AD domain servers, or even rsync over SSH.
> 
> It’s been very troubling.  When plugging in the SonicWALL, all of these 
> services work completely flawlessly.  The second we use the pfSense, none of 
> the encrypted protocols through the tunnel work.
> 
> I’ve been thinking about MSS and MTU, but I really don’t know where to begin. 
>  The SonicWALL seems to be able to figure these things out on its own (if 
> that’s even the issue).  But I’m at a total loss.
> 
> Any suggestions?
> 
> ~ Laz Peterson
> Paravis, LLC

[pfSense] IPSec tunnels on AT&T U-Verse

2017-05-13 Thread Laz C. Peterson
Hello everyone,

We’re having a pretty interesting problem here …

To give you the quick summary, we have AT&T U-Verse “Business Fiber” (which is 
a fancy way of saying it’s actual fiber, but the budget kind …) and have very 
serious issues establishing any TLS or SSL encrypted connections through IPSec 
tunnels.

If we plug a SonicWALL device in, same tunnel settings, we have no issues at 
all.  But our pfSense device (it is a SG-2440) struggles very hard and we 
cannot do simple encrypted services over this tunnel — including downloading 
email, synchronizing AD domain servers, or even rsync over SSH.

It’s been very troubling.  When plugging in the SonicWALL, all of these 
services work completely flawlessly.  The second we use the pfSense, none of 
the encrypted protocols through the tunnel work.

I’ve been thinking about MSS and MTU, but I really don’t know where to begin.  
The SonicWALL seems to be able to figure these things out on its own (if that’s 
even the issue).  But I’m at a total loss.

Any suggestions?

~ Laz Peterson
Paravis, LLC
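A way to put numbers on the MSS/MTU hypothesis raised in this post, added here as an illustration (not code from the thread, pfSense or SonicWALL): it computes the largest inner TCP MSS that lets a tunnel-mode ESP packet fit in one outer packet, with and without NAT-T UDP encapsulation, and tests whether a given clamp value is safe. ESP framing follows RFC 4303; the two cipher profiles, the 1500-byte path MTU and the 1400 clamp being checked are assumptions for the example.

```python
from dataclasses import dataclass

IPV4_HDR, TCP_HDR, UDP_NATT = 20, 20, 8
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1), inside the encrypted part


@dataclass(frozen=True)
class EspProfile:
    """Cipher-dependent ESP framing: IV bytes, padding granularity, ICV bytes."""
    name: str
    iv_len: int
    pad_block: int
    icv_len: int


# Assumed profiles; the figures are the standard framing for each algorithm.
AES_CBC_SHA256 = EspProfile("AES-CBC + HMAC-SHA-256-128", 16, 16, 16)
AES_GCM_128 = EspProfile("AES-GCM-128 (16-byte ICV)", 8, 4, 16)


def esp_wire_size(inner_len: int, prof: EspProfile, nat_t: bool) -> int:
    """Outer packet size for tunnel-mode ESP carrying an inner IPv4 packet."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // prof.pad_block) * prof.pad_block  # round up
    size = IPV4_HDR + ESP_HDR + prof.iv_len + padded + prof.icv_len
    return size + UDP_NATT if nat_t else size  # NAT-T adds a UDP/4500 header


def max_inner_mss(path_mtu: int, prof: EspProfile, nat_t: bool) -> int:
    """Largest TCP MSS whose full-size inner segment still fits in path_mtu."""
    mss = path_mtu - IPV4_HDR - TCP_HDR  # bare-link value, then shrink to fit
    while mss > 0 and esp_wire_size(IPV4_HDR + TCP_HDR + mss, prof, nat_t) > path_mtu:
        mss -= 1
    return mss


def clamp_is_safe(clamp: int, path_mtu: int, prof: EspProfile, nat_t: bool) -> bool:
    """True when clamping inner TCP MSS to `clamp` prevents outer fragmentation."""
    return clamp <= max_inner_mss(path_mtu, prof, nat_t)


if __name__ == "__main__":
    for prof in (AES_CBC_SHA256, AES_GCM_128):
        for nat_t in (False, True):
            limit = max_inner_mss(1500, prof, nat_t)
            print(f"{prof.name:28} NAT-T={str(nat_t):5} max inner MSS={limit} "
                  f"1400 clamp safe={clamp_is_safe(1400, 1500, prof, nat_t)}")
```

Switching on NAT-T costs 8 bytes of UDP header per packet, which is enough to push a clamp that just fits without it over the edge; that is the kind of difference worth checking when one vendor's box works and another's does not.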

[pfSense] Host Overrides in Services/DNS Forwarder not working until manual restart of DNS Forwarder Service

2017-05-13 Thread Stefan Baur
Hi,

I'm seeing this on 2.3.3-RELEASE and 2.3.4-RELEASE, not sure if older
versions are affected as well.

I have multiple entries in the Services/DNS Forwarder/Host Overrides
section, all looking similar to this one:

|wpad|office.local|192.168.2.3|Microsoft Proxy Autoconfiguration|

When I attach a Client computer to any of the downstream interfaces of
this pfSense installation (it has two), I get:

nslookup wpad.office.local
Server: 192.168.134.1
Address:192.168.134.1#53

** server can't find wpad.office.local: NXDOMAIN

(192.168.134.1 is the pfSense IP on that network)

As soon as I log in to the pfSense WebGUI, go to Services/DNS Forwarder,
and hit the "circle arrow" that says "Restart Service", DNS lookups from
the clients start to work.

Upstream DNS resolving is not affected, though - trying

nslookup www.google.com

will give the correct result from the start.

This somehow doesn't look right.

Any insights? Bug in pfSense or misconfiguration on my side?

Kind Regards,
Stefan Baur