Re: [pfSense] IPSec tunnels on AT&T U-Verse
Try enabling and reading the debug logs first to scavenge some output from both tunnel ends. I found a lot of my brokenness by enabling them and reading the docs listed in PFSense's debug log listing wiki page for IPSec, linked in my previous mails. It saves a lot of time over going in blind if you can catch some more specific issues from those logs.

Matthew Hall

> On May 15, 2017, at 8:57 PM, Jim Thompson wrote:
>
>> On May 15, 2017, at 10:02 PM, Laz C. Peterson wrote:
>>
>> Is Openswan what is used for IPSec?
>
> Strongswan.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] How To install MySQL on Pfsense 2.4
pfSense is a purpose-built router distribution, not a general-purpose OS. While it may be possible to do what you propose, you *should not* do this. Instead, if you require a database server, host it on a separate machine.

On Mon, May 15, 2017 at 11:27 PM, mohsen Abbaspour wrote:
> Hello everyone
> English is not my first language, excuse me for mistakes.
>
> I know that this is a repetitive question: "How to install MySQL on pfSense?"
>
> But I searched almost every topic about that, and finally I don't understand what the correct solution is. Maybe install MySQL on pfSense 2.4? If the answer is yes, how do I do that? If the answer is no, what is the alternative solution?
>
> Integration of FreeRADIUS and MySQL is my reason for the MySQL installation; I want to group my internet users and have separate groups.
> So tnx
>
> --
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/RqFEqH
[pfSense] How To install MySQL on Pfsense 2.4
Hello everyone

English is not my first language, excuse me for mistakes.

I know that this is a repetitive question: "How to install MySQL on pfSense?"

But I searched almost every topic about that, and finally I don't understand what the correct solution is. Maybe install MySQL on pfSense 2.4? If the answer is yes, how do I do that? If the answer is no, what is the alternative solution?

Integration of FreeRADIUS and MySQL is my reason for the MySQL installation; I want to group my internet users and have separate groups.

So tnx

--
Check out my professional profile and connect with me on LinkedIn.
http://lnkd.in/RqFEqH
Re: [pfSense] IPSec tunnels on AT&T U-Verse
> On May 15, 2017, at 10:02 PM, Laz C. Peterson wrote:
>
> Is Openswan what is used for IPSec?

Strongswan.
Re: [pfSense] IPSec tunnels on AT&T U-Verse
Matthew and Jim,

We didn't get a chance to test anything today. It turned out to be "one of those Mondays" … But there's something really weird going on. I know nothing about the subject compared to Matthew — and he claims he knows nothing about it... Ha ha …

Is Openswan what is used for IPSec? Maybe there's information specific to Openswan that someone else has run into (that wouldn't turn up on a "pfSense" search). I haven't had a chance to check yet.

Hoping to study and learn about what you all have discussed here. Maybe I will get a chance to test by the end of the week.

Thanks so much.

~ Laz Peterson
Paravis, LLC

> On May 15, 2017, at 11:54 AM, Matthew Hall wrote:
>
> Hi Jim,
>
>> On May 14, 2017, at 6:38 PM, Jim Thompson wrote:
>>> 3. Create one or more P2s to make selectors for traffic inclusion and exclusion. Note there's a bug in PFSense, where if you do IPSec from not-LAN interfaces, the traffic to the firewall's IP gets stolen unless you manually hack the PHP file that generates the IPSec traffic selector configuration, to whitelist more interfaces. This prevents being able to do Ping, DNS, NTP, etc. all other services against the firewall on non-LAN if IPSec is on. Bad times right there.
>>
>> Additional details would be great here. Even better would be to open a bug on redmine.pfsense.org with these additional details.
>
> I did discuss this problem previously in the mailing list and forum. I was seeking some views on the topic before I went forward with filing a defect, as IPSec traffic selectors are an area I don't profess to understand incredibly well, and I wasn't 100% sure I didn't miss something in my analysis, and didn't want to generate a bogus bug if so.
>
> I found this when creating a restricted LAN on the OPT1 port that was allowed to use IPSec when the LAN connected to the LAN port was not supposed to use IPSec. Basically, it's a DMZ network inside a house, walled off from the normal network, with a separate wireless SSID and separate Ethernet ports, which is then IPSec connected to a colo facility, w/ the PFSense IPSec on both ends.
>
> The issue happens here:
>
> https://github.com/pfsense/pfsense/blob/e470f72139ed54972465e653e27536687ce58b23/src/etc/inc/vpn.inc#L807
>
> If you look at this code, it doesn't exempt all of the firewall's own IPs or at least internal IPs from getting captured by the IPSec selectors for any tunnels. So management / admin traffic / other helpers to and from the firewall, like Ping, DNS, NTP, DHCP / SLAAC, etc. don't get through or don't get replies, because only the LAN IP gets exempted when the UI checkbox for bypass is checked and not all of the other interfaces (or specifically chosen interfaces... it only has a checkbox for LAN and not for any others). Also it's only exempting IPv4, so IPv6 will get broken even more than IPv4 will, if you're doing IKEv2 w/ IPv6 tunnels on top, which I use heavily in my case.
>
> I "fixed it" by hand-editing this file that generates the VPN setup to make more bypass exemptions, and promptly watching the issues stop happening after I added this hack.
>
>> Don't know what you mean by "broad", but it's all (multiple) /24s here.
>
> It took quite some time, for example, to get ::/0 in IPv6 routing across my tunnel w/o malfunctions. And the same would apply using 0.0.0.0/0, and it was very critical to read and follow this document, and the logical equivalent behavior for IPv6, to the letter for it to work.
>
> Regarding when the issues hit exactly... it can happen if you aren't really careful to make sure that the selectors grabbing big swaths of IP space on one tunnel end are carefully restricted to a narrow range of IP space on the other tunnel end. It's not saying PFSense did something wrong, but more that with the IPSec stuff, you have to be extremely judicious with the setup of the selectors, to prevent them from stealing unexpected traffic and sending it in the tunnel. If you make typos here or mess up, you can make your firewall unreachable (especially w/ the bypass issues I wrote about above), and have to come in from the console to roll things back if they aren't set up 100% perfectly.
>
>>> 10. Instead of the MOBIKE and DPD crap, keep the tunnel up by using valid IPs on PFSense on the other end of the tunnel in the P2 auto-ping host entry. This will keep the IPSec up all the time and keep it from getting foobarred, unless the link itself has a gnarly outage, in which case you're down regardless.
>>>
>>> 11. On both the P1 and P2, lock down the list of KEX, Enc, and Auth algorithms to a single solid algorithm. If the negotiation screws up, it causes weird connection problems which you will damage your brain trying to debug.
>>
>> All of this is of
Re: [pfSense] speed problems with SG-1000
Based on the product page, the max throughput as you described would seem to be 200Mbps.

https://www.netgate.com/products/sg-1000.html

See the notes at the bottom of the page.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of John DeSoi
Sent: Monday, May 15, 2017 6:42 PM
To: list@lists.pfsense.org
Subject: [pfSense] speed problems with SG-1000

I just purchased an SG-1000 for use with my Google Fiber installation. I did minimal configuration of the SG-1000, only changing the LAN address to 192.168.200.X (GF is 192.168.100.X). I hooked the WAN port to one of the GF ethernet ports and then my laptop to the LAN port on the SG-1000. Using the GF performance test, the upload/download speed is only about 10% of what I get compared to plugging my laptop directly into the GF ethernet port (1000 Mbps versus 100 Mbps using the SG-1000). The SG-1000 shows both ethernet connections are 1000baseT. Shouldn't this device be able to do basic routing at the full speed of the WAN connection?

I did the same setup with a consumer router (ASUS) and it has no problem with upload/download over 900 Mbps.

John DeSoi, Ph.D.
Re: [pfSense] speed problems with SG-1000
Did you do the firmware upgrades?

On Mon, May 15, 2017 at 6:41 PM, John DeSoi wrote:
> I just purchased an SG-1000 for use with my Google Fiber installation. I did minimal configuration of the SG-1000, only changing the LAN address to 192.168.200.X (GF is 192.168.100.X). I hooked the WAN port to one of the GF ethernet ports and then my laptop to the LAN port on the SG-1000. Using the GF performance test, the upload/download speed is only about 10% of what I get compared to plugging my laptop directly into the GF ethernet port (1000 Mbps versus 100 Mbps using the SG-1000). The SG-1000 shows both ethernet connections are 1000baseT. Shouldn't this device be able to do basic routing at the full speed of the WAN connection?
>
> I did the same setup with a consumer router (ASUS) and it has no problem with upload/download over 900 Mbps.
>
> John DeSoi, Ph.D.
Re: [pfSense] Found a Bug?
On Mon, May 15, 2017 at 3:24 PM, Daniel wrote:
> Hi there,
>
> it seems I found a bug. 2 times I ran into the same problem.
> The hard disk in my pfSense went to 100% disk usage (suricata logs).
> After booting in rescue mode and deleting 100GB of logs, the pfSense lost the whole configuration and I needed to reinstall the whole server and restore a backup.
>
> This happened 2 times with the same behavior. Disk went full – configuration got lost.
>
> Cheers
>
> Daniel

Did you look at the log to see what is filling up the log space?
[pfSense] Found a Bug?
Hi there,

it seems I found a bug. 2 times I ran into the same problem.
The hard disk in my pfSense went to 100% disk usage (suricata logs).
After booting in rescue mode and deleting 100GB of logs, the pfSense lost the whole configuration and I needed to reinstall the whole server and restore a backup.

This happened 2 times with the same behavior. Disk went full – configuration got lost.

Cheers

Daniel
[pfSense] speed problems with SG-1000
I just purchased an SG-1000 for use with my Google Fiber installation. I did minimal configuration of the SG-1000, only changing the LAN address to 192.168.200.X (GF is 192.168.100.X). I hooked the WAN port to one of the GF ethernet ports and then my laptop to the LAN port on the SG-1000. Using the GF performance test, the upload/download speed is only about 10% of what I get compared to plugging my laptop directly into the GF ethernet port (1000 Mbps versus 100 Mbps using the SG-1000). The SG-1000 shows both ethernet connections are 1000baseT. Shouldn't this device be able to do basic routing at the full speed of the WAN connection?

I did the same setup with a consumer router (ASUS) and it has no problem with upload/download over 900 Mbps.

John DeSoi, Ph.D.
Re: [pfSense] IPSec tunnels on AT&T U-Verse
Hi Jim,

> On May 14, 2017, at 6:38 PM, Jim Thompson wrote:
>> 3. Create one or more P2s to make selectors for traffic inclusion and exclusion. Note there's a bug in PFSense, where if you do IPSec from not-LAN interfaces, the traffic to the firewall's IP gets stolen unless you manually hack the PHP file that generates the IPSec traffic selector configuration, to whitelist more interfaces. This prevents being able to do Ping, DNS, NTP, etc. all other services against the firewall on non-LAN if IPSec is on. Bad times right there.
>
> Additional details would be great here. Even better would be to open a bug on redmine.pfsense.org with these additional details.

I did discuss this problem previously in the mailing list and forum. I was seeking some views on the topic before I went forward with filing a defect, as IPSec traffic selectors are an area I don't profess to understand incredibly well, and I wasn't 100% sure I didn't miss something in my analysis, and didn't want to generate a bogus bug if so.

I found this when creating a restricted LAN on the OPT1 port that was allowed to use IPSec when the LAN connected to the LAN port was not supposed to use IPSec. Basically, it's a DMZ network inside a house, walled off from the normal network, with a separate wireless SSID and separate Ethernet ports, which is then IPSec connected to a colo facility, w/ the PFSense IPSec on both ends.

The issue happens here:

https://github.com/pfsense/pfsense/blob/e470f72139ed54972465e653e27536687ce58b23/src/etc/inc/vpn.inc#L807

If you look at this code, it doesn't exempt all of the firewall's own IPs or at least internal IPs from getting captured by the IPSec selectors for any tunnels. So management / admin traffic / other helpers to and from the firewall, like Ping, DNS, NTP, DHCP / SLAAC, etc. don't get through or don't get replies, because only the LAN IP gets exempted when the UI checkbox for bypass is checked and not all of the other interfaces (or specifically chosen interfaces... it only has a checkbox for LAN and not for any others). Also it's only exempting IPv4, so IPv6 will get broken even more than IPv4 will, if you're doing IKEv2 w/ IPv6 tunnels on top, which I use heavily in my case.

I "fixed it" by hand-editing this file that generates the VPN setup to make more bypass exemptions, and promptly watching the issues stop happening after I added this hack.

> Don't know what you mean by "broad", but it's all (multiple) /24s here.

It took quite some time, for example, to get ::/0 in IPv6 routing across my tunnel w/o malfunctions. And the same would apply using 0.0.0.0/0, and it was very critical to read and follow this document, and the logical equivalent behavior for IPv6, to the letter for it to work.

Regarding when the issues hit exactly... it can happen if you aren't really careful to make sure that the selectors grabbing big swaths of IP space on one tunnel end are carefully restricted to a narrow range of IP space on the other tunnel end. It's not saying PFSense did something wrong, but more that with the IPSec stuff, you have to be extremely judicious with the setup of the selectors, to prevent them from stealing unexpected traffic and sending it in the tunnel. If you make typos here or mess up, you can make your firewall unreachable (especially w/ the bypass issues I wrote about above), and have to come in from the console to roll things back if they aren't set up 100% perfectly.

>> 10. Instead of the MOBIKE and DPD crap, keep the tunnel up by using valid IPs on PFSense on the other end of the tunnel in the P2 auto-ping host entry. This will keep the IPSec up all the time and keep it from getting foobarred, unless the link itself has a gnarly outage, in which case you're down regardless.
>>
>> 11. On both the P1 and P2, lock down the list of KEX, Enc, and Auth algorithms to a single solid algorithm. If the negotiation screws up, it causes weird connection problems which you will damage your brain trying to debug.
>
> All of this is of interest, and deeply appreciated, but I've got an IPsec connection between home and work that has been stable since … a couple years ago.

I have very reliably working connections now as well, but only after hacking on vpn.inc as described above, and only when MOBIKE, DPD, and Rekey are all disabled. Otherwise, in my case, when the tunnel times out due to rekey, MOBIKE, or DPD detecting drops or relocation of anything, the renegotiation that gets triggered seems to get stuck, and all the traffic going through the tunnel gets blocked. It's surely possible the UVerse router was causing the brokenness. I can play with the settings some more on the cleaner Comcast connection to see if I can reproduce it again.

I forgot to mention another item, in the last go-around, which seemed to prevent me from getting as many IPSec tunnels stuck,
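The selector-capture problem Matthew describes in the message above (a firewall address on a non-LAN interface sitting inside a P2's local selector while a broad remote selector such as 0.0.0.0/0 or ::/0 swallows the hosts that talk to it, with pfSense's bypass checkbox exempting only the LAN IPv4 network) can be checked before a tunnel config is committed. The Python below is an added example, not pfSense, strongSwan or list-member code: it takes the firewall's own interface addresses and the P2 selectors, flags each interface whose address lies inside a local selector while its attached network overlaps the matching remote selector, and renders a strongSwan passthrough conn per affected interface for both address families. The interface names, addresses and selectors are constructed sample data; the conn layout (leftsubnet = rightsubnet = the interface network, authby = never, type = passthrough, auto = route) is modelled on how I understand the bypasslan conn pfSense generates, and is stated here as an assumption rather than as pfSense's exact output.

```python
"""Added example (not pfSense/strongSwan code): find firewall interfaces whose
own address IPsec phase-2 selectors would capture, and emit passthrough conns.

Sample interfaces/selectors below are constructed. The conn layout mirrors
the 'bypasslan' conn pfSense writes for its LAN bypass (assumption)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Selector = Tuple[str, str]  # (local traffic selector, remote traffic selector), CIDR strings


def captured_interfaces(own_interfaces: Dict[str, str],
                        p2_selectors: Iterable[Selector]) -> Dict[str, List[Selector]]:
    """Return {interface: [selectors]} for every interface whose own address is
    inside a P2's local selector while the network attached to it overlaps the
    P2's remote selector.

    A host on such an interface talking to the firewall then matches the tunnel
    policy: the firewall's replies (src = own address in local_ts, dst = host in
    remote_ts) are steered into the tunnel, and the host's cleartext requests
    match the inbound "must arrive via IPsec" policy. Narrow remote selectors
    that do not overlap the interface network are not reported."""
    hits: Dict[str, List[Selector]] = {}
    for name, cidr in own_interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        for local_ts, remote_ts in p2_selectors:
            lts = ipaddress.ip_network(local_ts)
            rts = ipaddress.ip_network(remote_ts)
            # ipaddress refuses v4/v6 comparisons; a mixed family pair is irrelevant here
            if not (lts.version == rts.version == iface.version):
                continue
            if iface.ip in lts and iface.network.overlaps(rts):
                hits.setdefault(name, []).append((local_ts, remote_ts))
    return hits


def passthrough_conns(own_interfaces: Dict[str, str],
                      hits: Dict[str, List[Selector]]) -> str:
    """Render one ipsec.conf passthrough conn per affected interface.

    left == right == the interface's own network, so traffic between that
    network and itself (the firewall's address included) bypasses IPsec, the
    way pfSense's LAN-only bypass conn does for the LAN."""
    blocks = []
    for name in sorted(hits):
        net = ipaddress.ip_interface(own_interfaces[name]).network
        blocks.append(
            f"conn bypass_{name.lower()}\n"
            f"\tleftsubnet = {net}\n"
            f"\trightsubnet = {net}\n"
            "\tauthby = never\n"
            "\ttype = passthrough\n"
            "\tauto = route\n"
        )
    return "\n".join(blocks)


# Constructed sample: a DMZ on OPT1 (v4 + v6) tunnelled to a colo; LAN stays out of IPsec.
OWN_INTERFACES = {
    "LAN": "192.168.1.1/24",
    "OPT1": "192.168.10.1/24",
    "OPT1_V6": "2001:db8:10::1/64",
}
NARROW_P2S = [("192.168.10.0/24", "10.50.0.0/24")]   # only the colo /24 goes through the tunnel
BROAD_P2S = [("192.168.10.0/24", "0.0.0.0/0"),       # default routes through the tunnel
             ("2001:db8:10::/64", "::/0")]

if __name__ == "__main__":
    for label, p2s in (("narrow", NARROW_P2S), ("broad", BROAD_P2S)):
        found = captured_interfaces(OWN_INTERFACES, p2s)
        print(f"{label} selectors: captured interfaces = {sorted(found) or 'none'}")
        if found:
            print(passthrough_conns(OWN_INTERFACES, found))
```

With the narrow colo-only P2 nothing is flagged; with the 0.0.0.0/0 and ::/0 P2s both OPT1 address families are flagged and get a passthrough conn, while the LAN (not in any selector) stays untouched. Whatever generates the real config should still be the one to write these conns; this check only tells you which interfaces need them.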
Re: [pfSense] About SSL Filtering: Squid and Squidguard.
Hi Volker, and thanks for your guidance.

I'm trying to avoid "MITM filtering" and transparent mode. I've read there are problems with MITM when clients access bank sites. As you said, keeping the proxy and firewall separated is a better choice. These services must be 100% controlled, and sometimes these web interfaces hide processes.

Thanks again!

José G.

On Fri, May 12, 2017 at 3:05 AM, Volker Kuhlmann wrote:
> On Tue 09 May 2017 23:14:37 NZST +1200, José Gregorio Díaz Unda wrote:
>
>> It looks like I should use PFS only as a firewall and DNS resolver, and
>> setup independently DHCP and Squid.
>
> The DHCP server in pfsense is very good. With squid and squidguard I am less than impressed. It is more secure to run a web proxy on a different host than the firewall. If you want MITM filtering, pfsense is probably the easiest to set up because theoretically it's only a few clicks. I think there was a package for getting letsencrypt certs; if you trust them, you don't then need to import certs into all your clients.
>
>> May be Squid/Squidguard in a "solo-mode" are less complex to setup to
>> filter SSL. Or I should find a different alternative for Proxy/SSLFiltering.
>
> The best choice depends on what you want. The pfsense squidguard interface is not a time saver; some short strategic scripts in your own setup will probably be way faster in the long run.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/ Please do not CC list postings to me.
[pfSense] Detect suspicious traffic from OpenVPN clients
Hello everyone,

I have installed pfSense successfully as a firewall / gateway, with snort. I have some alerts working, for instance when I start a port scan from an internal server to an external IP address.

I also have OpenVPN working nicely, using a tunnel setup.

Now, I would like to know how to configure snort to detect malicious traffic from machines connected through the VPN. These machines would not be 100% under my control, so I would like to receive an alert as soon as there is suspicious traffic, in two cases:
- From a VPN client to an internal server
- From a VPN client to an external server

The VPN is configured to force the traffic to its gateway, and this is working nicely as well.

--
pfSense details:
2.3.4-RELEASE (amd64)
built on Wed May 03 15:13:29 CDT 2017
FreeBSD 10.3-RELEASE-p19
--

Thanks for your advice.

André
Re: [pfSense] Host Overrides in Services/DNS Forwarder not working until manual restart of DNS Forwarder Service
On 15.05.2017 at 03:29, Chris L wrote:
> Maybe this:
> "Do not use 'local' as a domain name. It will cause local hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS."

Nope, sorry, it's not that easy. It fails *all* entries made in that list, even if they're used to override valid external DNS names (e.g. when I want somehost.example.com to resolve to a 192.168.x.x internally).

Judging from the logs, it seems that during startup, dnsmasq believes /etc/hosts is empty - it states that it read 0 hosts from there.

I now have an ugly two-step workaround:
1) Install the ShellCmd package.
2) Add a shellcmd entry 'pfSsh.php playback svc restart dnsmasq'.

After that, the log file states the correct number of hosts in /etc/hosts.

Could this be some kind of weird race condition, maybe? 'dnsmasq' starting before the hosts from the XML are added to /etc/hosts?

Hmm - even weirder - first it reports the correct number, then it's down to 0, then it reports the correct number again twice (the 07:43:45 entries are triggered by the workaround listed above):

May 15 07:43:43 cora dnsmasq[17417]: started, version 2.76 cachesize 1
May 15 07:43:43 cora dnsmasq[17417]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
May 15 07:43:43 cora dnsmasq[17417]: reading /etc/resolv.conf
May 15 07:43:43 cora dnsmasq[17417]: ignoring nameserver 127.0.0.1 - local interface
May 15 07:43:43 cora dnsmasq[17417]: using nameserver 192.168.0.1#53
May 15 07:43:43 cora dnsmasq[17417]: read /etc/hosts - 7 addresses
May 15 07:43:44 cora dnsmasq[17417]: read /etc/hosts - 0 addresses
May 15 07:43:44 cora dnsmasq[17417]: exiting on receipt of SIGTERM
May 15 07:43:45 cora dnsmasq[32840]: started, version 2.76 cachesize 1
May 15 07:43:45 cora dnsmasq[32840]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
May 15 07:43:45 cora dnsmasq[32840]: reading /etc/resolv.conf
May 15 07:43:45 cora dnsmasq[32840]: ignoring nameserver 127.0.0.1 - local interface
May 15 07:43:45 cora dnsmasq[32840]: using nameserver 192.168.0.1#53
May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses
May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses

Kind Regards,
Stefan Baur
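Stefan's log above shows the sequence that leaves the forwarder without its host overrides: the first dnsmasq instance reads 7 addresses, re-reads 0, and only the instance started by the ShellCmd workaround ends up at 7 again. The Python below is an added example, not pfSense or dnsmasq code: it parses dnsmasq's own log lines (the ones posted above, embedded as sample input), tracks the /etc/hosts address count per pid together with whether that pid has since exited, and reports any instance still running whose last read found 0 addresses, which is the condition the blind restart workaround papers over. The log parsing and the detection rule are this example's own; nothing here is shipped by pfSense.

```python
"""Added example (not pfSense or dnsmasq code): detect a running dnsmasq whose
most recent /etc/hosts read reported 0 addresses, from dnsmasq's own log.

POSTED_LOG is the log excerpt from the mailing-list post; the parsing and the
"last read was empty" rule are this example's own."""
import re
from typing import Dict, Iterable, List, TypedDict

# syslog-style prefix as written by pfSense: "May 15 07:43:43 cora dnsmasq[17417]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
HOSTS_RE = re.compile(r"^read /etc/hosts - (?P<n>\d+) addresses$")


class PidState(TypedDict):
    counts: List[int]   # every "read /etc/hosts - N addresses" seen, in order
    running: bool       # False once the pid logged its exit


def hosts_reads_by_pid(lines: Iterable[str]) -> Dict[int, PidState]:
    """Per dnsmasq pid, collect each reported /etc/hosts address count and
    note whether the pid has exited. Non-dnsmasq lines are ignored."""
    state: Dict[int, PidState] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid = int(m.group("pid"))
        entry = state.setdefault(pid, {"counts": [], "running": True})
        msg = m.group("msg")
        h = HOSTS_RE.match(msg)
        if h:
            entry["counts"].append(int(h.group("n")))
        elif msg.startswith("exiting on receipt of"):
            entry["running"] = False
    return state


def pids_with_empty_hosts(lines: Iterable[str]) -> List[int]:
    """pids still running whose most recent /etc/hosts read found 0 addresses,
    i.e. forwarders currently serving none of the configured host overrides."""
    return sorted(
        pid for pid, e in hosts_reads_by_pid(lines).items()
        if e["running"] and e["counts"] and e["counts"][-1] == 0
    )


# Log lines as posted above; the 07:43:45 pid is the one started by the restart workaround.
POSTED_LOG = [
    "May 15 07:43:43 cora dnsmasq[17417]: started, version 2.76 cachesize 1",
    "May 15 07:43:43 cora dnsmasq[17417]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify",
    "May 15 07:43:43 cora dnsmasq[17417]: reading /etc/resolv.conf",
    "May 15 07:43:43 cora dnsmasq[17417]: ignoring nameserver 127.0.0.1 - local interface",
    "May 15 07:43:43 cora dnsmasq[17417]: using nameserver 192.168.0.1#53",
    "May 15 07:43:43 cora dnsmasq[17417]: read /etc/hosts - 7 addresses",
    "May 15 07:43:44 cora dnsmasq[17417]: read /etc/hosts - 0 addresses",
    "May 15 07:43:44 cora dnsmasq[17417]: exiting on receipt of SIGTERM",
    "May 15 07:43:45 cora dnsmasq[32840]: started, version 2.76 cachesize 1",
    "May 15 07:43:45 cora dnsmasq[32840]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify",
    "May 15 07:43:45 cora dnsmasq[32840]: reading /etc/resolv.conf",
    "May 15 07:43:45 cora dnsmasq[32840]: ignoring nameserver 127.0.0.1 - local interface",
    "May 15 07:43:45 cora dnsmasq[32840]: using nameserver 192.168.0.1#53",
    "May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses",
    "May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses",
]

if __name__ == "__main__":
    # Up to the "0 addresses" line pid 17417 is alive and empty; after the workaround nothing is.
    print("needs restart (before workaround):", pids_with_empty_hosts(POSTED_LOG[:7]))
    print("needs restart (full log):         ", pids_with_empty_hosts(POSTED_LOG))
```

Run against the log up to the "0 addresses" line it names pid 17417; run against the full excerpt it names nothing, because 17417 has exited and 32840's last read was 7. A restart triggered by this condition rather than unconditionally at boot would fire only when the race actually bit.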