Re: [pfSense] Force CA certificate installation as trusted root CA on WiFi clients

2018-01-30 Thread Chris Bagnall
On 30/1/18 5:22 pm, Izaac wrote: Q: How can I automatically undermine the basis of the SSL PKI by forcing my CA (which, by design, generates certificates for arbitrary sites and thereby man-in-the-middles all communications) onto third parties that happen to be traversing my network? A: You can

Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-04 Thread Chris Bagnall
On 4/11/17 11:41 pm, Jon Gerdes wrote: We all need to have a deep think about what https *really* *really* means. * The aim of SSL/TLS is to ensure confidentiality from one point to another If I put up a website and I want to guarantee that the connection between my website and the end user is

Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-11 Thread Chris Bagnall
On 11 Oct 2017, at 21:05, Adam Cage wrote: > Dear Chris, I need the Squid proxy to filter traffic working with > Squidguard. The guest cell phones will be authenticated to my WiFi, and > after that they can go to HTTP/HTTPS web sites with zero configuration > because I can't

Re: [pfSense] Old pfSense versions

2016-07-31 Thread Chris Bagnall
On 1 Aug 2016, at 02:24, Larry Rosenman wrote: > earlier this week: > On 07/13/2016 05:06 AM, Herwig Unterrichter wrote: > I am having troubles finding a certain older pfsense release, in particular > 2.2.4, the memstick am64 image. > Is there some kind of archive server where i

[pfSense] Old pfSense versions

2016-07-31 Thread Chris Bagnall
Greetings list, Until fairly recently, there used to be a comprehensive set of old versions/builds available at: http://files.pfsense.org/mirror/downloads/old/ However, that url is now returning 404. Has the archive been moved? I ask because 2.0.3 is the last version that runs reliably (i.e.

Re: [pfSense] Removing obsolete packages

2016-07-27 Thread Chris Bagnall
On 27/7/16 2:46 pm, Jim Pingle wrote: At the moment there is no automated way to do that, but you can edit them out of your config.xml. Either by editing in-place using "viconfig" if you're daring, familiar with vi, and don't mind the potential for danger. Or the safer route is to download a

[pfSense] Removing obsolete packages

2016-07-26 Thread Chris Bagnall
Greetings list, Is there a procedure for removing obsolete packages from installs? Many moons ago, I upgraded a production install from 2.2.x to 2.3. The install in question had apcupsd on it to control, unsurprisingly, an APC UPS, but I believe apcupsd ceased to be maintained, and that

Re: [pfSense] USB3 to ethernet adaptor

2016-05-03 Thread Chris Bagnall
I’m a little late to the discussion, but herewith my two penneth... > Echoing what others have said, most of the USB network cards I have used > have not been so reliable. Broadly speaking, I’d concur with that sentiment. I have had moderate success with this one:

Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-15 Thread Chris Bagnall
On 14 Nov 2015, at 20:19, C. R. Oldham wrote: > My ISP provides access over PPPoE and has given me 2 static IPs via the > following configuration (public IPs sanitized) > Usable IP addresses:xxx.yyy.149.218 > Gateway address:xxx.yyy.149.217 > Subnet mask:

Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-13 Thread Chris Bagnall
On 13 Nov 2015, at 15:09, David White wrote: > I have a unique scenario: > The higher ups require a multi-wan high availability setup, but assuming > both ISPs are working, some traffic is required to use 1 ISP and some > traffic is required to use the other. > I've read in

Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-08 Thread Chris Bagnall
On 8/9/15 1:04 pm, Vick Khera wrote: You'd have to ask Dyn if they can make host names within your own domain dynamic. I believe they can. I have dyn.mydomain.com delegated to Dyn for precisely this purpose (but mydomain.com is managed outside dyn). I can then create

Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-07 Thread Chris Bagnall
On 8/9/15 2:24 am, Ryan Coleman wrote: How do you get this to function with Dyn.com (formerly DynDNS.com )? I have the paid domain and I’ve gotten CenturyLink DSL modems to negotiate the IP without issue before but I cannot seem to figure out the configuration for pfSense.

Re: [pfSense] Got an alert after updating to 2.2.4

2015-07-30 Thread Chris Bagnall
On 30/7/15 11:34 pm, Rainer Duffner wrote: php: rc.bootup: New alert found: pfSense requires at least 128 MB of RAM. Expect unusual performance. This platform is not supported. So, is the Alix deprecated? I suspect it's more a warning about only 128MB RAM. From my experience (several dozen

Re: [pfSense] Access Point Recommendations?

2015-07-17 Thread Chris Bagnall
On 17 Jul 2015, at 15:50, Jim Spaloss jspal...@gmail.com wrote: Ubiquiti Unifi. +1 would recommend - with caveats. The AC model is… flaky - or at least, it was when I tried it at the end of 2014. Only about 50% of client devices would connect at a time - seemingly random - restart the AP and

[pfSense] WebGUI IPv6 Gateways bug?

2015-07-03 Thread Chris Bagnall
Greetings list, Wondering if someone who's using v6 with a static gateway address (i.e. not dynamically assigned by DHCP6/SLAAC) would mind checking something for me: - go to System - Gateways - edit an IPv6 gateway - change something trivial (even just the description) - hit save Do

[pfSense] Improving OpenVPN performance

2015-07-01 Thread Chris Bagnall
Greetings list, I'm trying to improve OpenVPN performance on a site-to-site link I have between 2 pfSense boxes. - upstream at each site is provided by a VDSL connection delivering ~18Mbps - both pfSenses are PCEngines APU w/ 4GB RAM I am currently only getting around 7Mbps each way

Re: [pfSense] Improving OpenVPN performance

2015-07-01 Thread Chris Bagnall
On 1/7/15 3:37 pm, Seth Mos wrote: You mean 18Mbps downstream? Not upstream? No, I mean 18Mbps upstream. Downstream is way higher - around 75Mbps at each site. On 1/7/15 3:40 pm, Jon Gerdes wrote: If your ~18Mbps is a real measured figure then consider: UDP vs TCP, MTU, TUN vs TAP. You

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-29 Thread Chris Bagnall
On 29/6/15 4:41 pm, Ryan Coleman wrote: I don’t know why I cannot access ANY of it from my other network, though… I have to be outside the building to see it. System - Advanced - NAT Reflection perhaps? Might be worth playing with some of the options in there... (but personally, I'd just

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Chris Bagnall
On 28 Jun 2015, at 02:38, Ryan Coleman ryan.cole...@cwis.biz wrote: which is the preferred mind you because it would give me all three additional IPs (gateway, network address and broadcast) as addressable… No it won’t. Your network is 18.25.125.16/29. You still have to follow the normal

Re: [pfSense] Using on Fiber

2015-06-05 Thread Chris Bagnall
On 5/6/15 3:37 pm, Ryan Coleman wrote: And those of you with VMware experience… if I run the virtual firewall I would need to have at least a VMware Essentials license to come close to the throughput, right? Since the IOps are capped at something like 10MB/sec in the free version. I can't

Re: [pfSense] Bundling multiple OVPN client connection into one fat pipe...

2015-04-01 Thread Chris Bagnall
On 30/3/15 6:58 pm, WebDawg wrote: I have done this, there is overhead involved, and bonding tap connections. I tried this with very latent and slow connections, and I did not have good luck with it I've tried this on even relatively fast (80/20 FTTC) connections, and performance is still a

Re: [pfSense] blocking torrents and web based https proxies

2015-03-27 Thread Chris Bagnall
On 27/3/15 3:56 am, WebDawg wrote: May I ask why you would like to block it all? +1. It looks like the OP is looking for a technical solution to a social/political problem. I can understand it if your users are primary school children, but surely once your users are university age, you

Re: [pfSense] Pretend to be google's DNS

2015-03-05 Thread Chris Bagnall
On 5/3/15 7:02 pm, Vick Khera wrote: It seems like you should figure out why your client VPN software is broken, and fix that. This. Out of interest, is there a particular reason why you need to use Google's public DNS at all - especially now that pfSense 2.2 has a 'proper' DNS resolver

Re: [pfSense] serial port sadness

2015-02-23 Thread Chris Bagnall
On 24/2/15 12:08 am, Jeremy Bennett wrote: I've got a USB to serial adapter (which has worked in the past), a Windows 7 computer and Teraterm, but whenever I connect everything up I just get the cursor blinking at me. Agree with others that the most likely culprit here is the USB to serial

Re: [pfSense] Dual Port NIC ports

2015-02-21 Thread Chris Bagnall
On 21/2/15 11:33 pm, Tiernan OToole wrote: biggest disadvantage I can think is if you lose one card, you lose both ports +1. If you have multiple physical cards at your disposal you might as well use ports on different cards - at least that way if something dies it'll be easy to diagnose

Re: [pfSense] Bulk Editing settings on the PFSense dashboard

2015-02-21 Thread Chris Bagnall
On 21/2/15 10:54 pm, Tiernan OToole wrote: Meh…. Sounds like a bit of a pain… is there no command line options? The pfSense config file is pretty standard XML, so you could always knock something together in your scripting language of choice to batch add the config sections you need. I've

[pfSense] OpenVPN on Multi WANs (v1.2)

2015-02-14 Thread Chris Bagnall
Greetings list, I have a scenario where I need to make pfsense's OpenVPN server available on both WANs in a multi-WAN environment. Read the Wiki I hear you cry: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN :-) Alas, it's not quite that easy - the site in question's pfSense unit is

Re: [pfSense] Multi-WAN port forwarding

2015-02-12 Thread Chris Bagnall
On 12 Feb 2015, at 20:33, Tiernan OToole tier...@tiernanotoole.ie wrote: The steps I took was: Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both *, dest = 5060, nat IP (internal ip of the voip box), nat ports 5060 Did this for each WAN connection and again for other

Re: [pfSense] Installation question

2015-01-09 Thread Chris Bagnall
On 10 Jan 2015, at 03:09, k_o_l k_...@hotmail.com wrote: I’ve installed a second hard drive in my firewall the primary is running 2.1.5 and the secondary 2.2RC. How do I setup the firewall to allow me to choose between the two at boot? This is normally a function of the BIOS. If you go into

Re: [pfSense] Enforcing policy routing gateway

2015-01-09 Thread Chris Bagnall
On 10 Jan 2015, at 03:30, Tim Eggleston tim.li...@eggleston.ca wrote: I use policy routing (Gateway under Advanced Features) to send traffic from certain hosts down a VPN which is originated on the pfsense machine. This works great. However I noticed today that when the VPN fails, the

Re: [pfSense] More ports

2014-12-13 Thread Chris Bagnall
On 14/12/14 2:09 am, Stefan Baur wrote: Plus the app broadcasts the admin password for the switch in plaintext on the entire network. So in-place reconfiguring is a really bad idea. Oh dear gods, how on earth did that one get through QA? :-) Kind regards, Chris -- This email is made from

Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-10 Thread Chris Bagnall
On 10/12/14 6:36 am, Chris L wrote: That’s actually your fault for using 10/8, not Comcast's. Even if they were to use something like 10.58.223.0/24 they’d still conflict with your 10/8. There are so many different brands and models of consumer router on the market these days in the 10/8 and

Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-10 Thread Chris Bagnall
On 10/12/14 3:30 pm, Giles Coochey wrote: http://tools.ietf.org/html/rfc6598 Unfortunately, there are people who stick their networks (erroneously) on 100.64/10 as well - including at least one government department in the UK - who shall remain nameless for the avoidance of ridicule :-) I

Re: [pfSense] Aliases are auto-deleted

2014-12-09 Thread Chris Bagnall
On 9/12/14 12:24 pm, Volker Kuhlmann wrote: I found the problem. My ISP changed the WAN gateway to be mostly non-responsive to pings. But only mostly, so pfsense plays yoyo with it. Funny you should mention that. I've seen similar on a few of our pfSense deployments of late, with several

Re: [pfSense] Revisiting PCIe LTE/4G modems

2014-10-28 Thread Chris Bagnall
So I'm hoping to get a possible alternative solution made that would employ APU1 boards and adding a wifi and an LTE/4G device (I see from my board here in front of me there's a SIM slot below the SDXC slot)… What success have the users here had with PCIe LTE/4G radios in their devices?

Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris Bagnall
I'm suffering in my efforts to install 2.1.5 onto my box, so can I change the box? A proven hardware platform, available in the UK with at least 6 physical network ports, I can probably justify buying. Suggestions anyone? We’ve used these:

Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris Bagnall
I'm trying to use a http://www.mini-itx.com/store/~FX5624 which I think is the same box as your first link, if you can install onto here easily and frequently then it must be me doing something wrong, aaagh Certainly looks like the same unit. Are you trying to install onto a CF card (those

Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris Bagnall
I thought there was a very large restriction in packages using CF compared to HDD, is that not the case (I'm coming from 1.2.3 so this might have changed) That may well be true - I must confess I’m of the school of thought that a firewall/router should do firewalling and routing, and not a

Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Chris Bagnall
On 9/10/14 12:05 pm, Mikey van der Worp wrote: Today I have come to you with the question on how to block users from spamming with smtp/25, behind NAT and the IP of PfSense ( NAT). We do not wish/want to block the entire SMTP traffic in the private range to the world, because there are

Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Chris Bagnall
On 9/10/14 12:21 pm, Rizul khanna wrote: Hello, please let me know the process for unsubscribing from all the mailing lists of pfsense. Follow the link at the bottom of every list email. Kind regards, Chris -- This email is made from 100% recycled electrons

Re: [pfSense] bogon networks

2014-09-28 Thread Chris Bagnall
On 28 Sep 2014, at 12:19, Andrew Mitchell andrew.k.mitch...@att.net wrote: My apologies. 192.40.140.0/23 I'm not sure what pfSense uses as its Bogons source, but my reference has usually been: http://www.team-cymru.org/Services/Bogons/http.html Your IP block isn't in there, from what I can

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall
On 26/9/14 11:43 am, Hannes Werner wrote: I wonder what the reason for not getting https://redmine.pfsense.org/issues/1629 fixed? Many gave up waiting for this, but it seems there must be a proper reason for it. May I ask what the problem is not being able to use pfSense with Asterisk? Worth

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall
On 26/9/14 12:06 pm, Giles Coochey wrote: I can think of many reasons, why running a service such as Asterisk, on an IP address that you have a temporary lease for (thus only have a passing relationship with, before it is passed to someone else), would be pretty bad practice. I think Giles

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall
On 26/9/14 12:42 pm, Hannes Werner wrote: are you saying that people with dynamic IP shouldn't use pfSense behind an Asterisk service? Firstly - it's not my place to say anything of the sort - I have no connection to the pfSense team (apart from as a satisfied user). I suspect one of the

Re: [pfSense] Https blocking

2014-09-24 Thread Chris Bagnall
On 24/9/14 6:21 pm, A Mohan Rao wrote: If u really a expert so then pls resolve my problem. I have do all the things but still people can access blocked website in pfsense. Sites like Facebook have thousands of servers across the world, split across numerous netblocks and content delivery

Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread Chris Bagnall
On 23/9/14 6:46 pm, RB wrote: I'd suggest at least a managed switch that can do LACP. This. Given how small the price difference often is between unmanaged and semi-managed (aka 'smart') switches these days, it just doesn't make sense to buy unmanaged any more. You never know when things

Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread Chris Bagnall
On 23/9/14 7:44 pm, Espen Johansen wrote: A netgear pro switch Be careful which model you get. Some of the newer/cheaper ones that have been sold as 'managed' recently don't have a web interface. They have some horrible management application that uses Adobe Air, only works on Windows, only

Re: [pfSense] [SOT] apu1c4/apu1d4 stability

2014-09-22 Thread Chris Bagnall
On 22/9/14 5:10 pm, mayak wrote: in an earlier thread, i recounted issues that i had with the apu1c4 unit silently dying -- this was the only thread that i saw here, so i assume that i just got a bad unit. I cannot give you a sample of 20 - they're too new for that - but I can say of the

Re: [pfSense] No logout in 2.1.5 i386

2014-09-19 Thread Chris Bagnall
On 19/9/14 4:41 pm, Ryan Coleman wrote: Also what browser is that? Looks like Firefox to me... Disabled your add-ons (I see there are a few of them - could be an issue)? This is definitely worth a try. As an aside, one of the first things I do with a fresh pfSense install is to revert

Re: [pfSense] VIP,MAC Arp

2014-09-18 Thread Chris Bagnall
On 18/9/14 8:13 pm, Nick Upson wrote: We have a new /27 range to go with this new installation and here is the problem, external ping/connectivity to the new IPs doesn't work except one the .225 address, it seems the firebrick requires ARP in order to route them. I have setup several different

Re: [pfSense] questions about carp/xmlrpc

2014-09-09 Thread Chris Bagnall
On 9 Sep 2014, at 14:01, Albert Dengg alb...@fsfe.org wrote: the second question is also related to virtual ip's: is there a way to configure a failover for the second wan interface, if there is only one ip assigned to me by the isp? My understanding (and this isn’t limited to pfSense - I’ve

Re: [pfSense] questions about carp/xmlrpc

2014-09-09 Thread Chris Bagnall
On 9 Sep 2014, at 14:46, Albert Dengg alb...@fsfe.org wrote: that however still leaves with the problem of the interface mixups for my internal networks, where the sync tries to assign the virtual ip's to the wrong interfaces…. Is your hardware (and interface names) identical across both your

Re: [pfSense] Triple WAN

2014-09-08 Thread Chris Bagnall
On 8 Sep 2014, at 18:07, Joe Laffey j...@laffey.tv wrote: Anyone using Load Balancing for a triple WAN setup? This work OK in pfSense? What about older 1.2.3 systems? I have a triple WAN setup at home, which worked fine in 2.0 and likewise now in 2.1. There are limitations in 1.2.3 that

Re: [pfSense] Difference between APU4 and APU1C4

2014-07-27 Thread Chris Bagnall
On 27/7/14 7:06 pm, Matthias May wrote: With intel cards on the same board you can get up to 650 Mbit/s, but i expect it to be lower with additional rules. Have you tried it with Intel cards (I assume you're talking mPCIe cards?) - and if so, what chassis did you use? The ability to install

Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Chris Bagnall
On 22/7/14 11:17 pm, Nickolai Leschov wrote: I didn't notice this page. So it looks like it's some kind of thermal paste allows for adequate thermal conductivity between the CPU/south bridge and the aluminum heat spreader, but the heat spreader is in dry contact with the case? The one I've

Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Chris Bagnall
On 23/7/14 2:10 am, Jim Thompson wrote: Very little if this thread is related to pfSense. Please stay on topic. Respectfully, I disagree. Given the APU is - as the de facto successor to the ALIX - likely to be a piece of hardware used in a lot of new pfSense installs, discussion about its

Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Chris Bagnall
On 23/7/14 4:11 am, Ryan Coleman wrote: I may have fired off the message in a fit of frustration but you made it a public statement - if you wanted to be the “mom” and handle it you should have sent it privately instead of publicly. I can't work out if the above is directed at me or Jim. (I

Re: [pfSense] 802.11ac Mini PCI Express adapter for pfSense

2014-07-21 Thread Chris Bagnall
On 21/7/14 4:27 pm, Kevin Tollison wrote: I have used internal card in the past and they typically work well. We have found that an external AP gives a lot more flexibility to an install. +1 for external APs. Your environments may be different, but during installs we often find the best place

Re: [pfSense] Squid Problem and DNS?

2014-07-16 Thread Chris Bagnall
On 16/7/14 3:25 pm, Brian Caouette wrote: #1. Initial page lookups are really slow. When I enter a website it will pause for 6-8 seconds then the page is instantly there. I have Googles DNS set in general and currently have stock DNS Forwarder active. It's set to use system defaults. As a

[pfSense] Squid in a Multi-WAN environment

2014-07-10 Thread Chris Bagnall
Greetings list, I'm trying to persuade the Squid 3 package to use a load balancing gateway group, unfortunately without much success. I'm afraid my google-fu is failing me: - this link from the official docs seems to relate to 1.2:

Re: [pfSense] Squid3 with https filtering

2014-06-17 Thread Chris Bagnall
On 17/6/14 10:32 am, A Mohan Rao wrote: actually i need to block https sites like https facebook or https youtube etc with transparent proxy. So in order to block Facebook and Youtube, you're going to put all your users at risk of SSL MITM attacks on every secure website they visit? You

Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Chris Bagnall
On 12/6/14 11:06 pm, Jon Gerdes wrote: As far as I can tell, the only downside is I lose another address to act as the gateway. Can anyone spot any flaws with this method or is it a general practice? Certainly assigning the first IP in a /29 to the PPPoE client is fairly standard practice in

Re: [pfSense] Monitoring

2014-06-03 Thread Chris Bagnall
On 3/6/14 7:21 pm, Brian Caouette wrote: I just installed the NRPE package to pfSense. How its it used? Is there a docs page to make this work with pf? The first thing you'll need is a working install of Nagios somewhere - do you already have that in hand? As an aside, another option to

Re: [pfSense] Setup advice

2014-05-28 Thread Chris Bagnall
Brian Caouette wrote: How much space should be allocated for pfsense and squid? In the office here I have 30GB allocated for squid to use as a cache. In this case where the chaps in the workshop are often downloading things like Windows Updates, software packages, etc., the size was chosen

Re: [pfSense] Poweredge 2850

2014-05-20 Thread Chris Bagnall
I concur with Ryan's readings with the 2950s - we use them as KVM host machines in a datacentre environment and they average around 250W under moderate load. That's with 4x SSDs in each. Also worth mentioning that pfSense will barely use a gig of disk space; the 6x 73GB SAS units specced by

Re: [pfSense] Poweredge 2850

2014-05-20 Thread Chris Bagnall
On 20 May 2014, at 18:45, Brian Caouette bri...@dlois.com wrote: What software is available to do virtual machines? We use KVM. Kind regards, Chris -- This email is made from 100% recycled electrons

Re: [pfSense] Poweredge 2850

2014-05-20 Thread Chris Bagnall
On 20 May 2014, at 21:37, Harlan Stenn har...@everett.org wrote: Where are you that you get electricity for .05/kWh? Here in Oregon we have pretty great rates, and I think we're paying .10-.12/kWh. I don't know where the OP hails from, but here in the UK (Scotland, specifically, at the

Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

2014-05-09 Thread Chris Bagnall
On 9 May 2014, at 23:25, Dave Warren da...@hireahit.com wrote: I'm looking on eBay as well, it's worth the gamble vs buying new. Not pfSense-specific, but I've used quite a few from eBay (both dual and quad port cards) in generic FreeBSD installs and not had a problem with them. As others have

Re: [pfSense] Upgrading Alix 2d13

2014-04-29 Thread Chris Bagnall
On 29/4/14 7:40 pm, Vick Khera wrote: I've now upgraded 3 separate ALIX boards to 2.1.2 (one from 2.1.0, the other two from 2.0.1) with zero failures. Perhaps try upgrade from the console menu. Just make sure that the upgrade URL is configured correctly for the i386 version of pfsense. Also

Re: [pfSense] Upgrading Alix 2d13

2014-04-29 Thread Chris Bagnall
On 30/4/14 12:31 am, Ryan Coleman wrote: 4GB CF cards are pretty cheap these days - I would just buy one in the store ($20) or online ($10 or so) and image that, pop it in the firewall and import your config. Agreed, if the devices are suitably close to you. A bit more of a problem if

Re: [pfSense] HP DL160 for pfSense in a datacenter

2014-04-23 Thread Chris Bagnall
On 23/4/14 4:46 pm, Vick Khera wrote: I reconfigured them to use geom mirror instead, and everything has been much better since. The FreeBSD kernel does a fine job managing the mirror all by itself. We have some DL160s with the same B110i controller running as Linux KVM host machines, and

Re: [pfSense] pfSense Book (Buechler / Pingle)

2014-04-13 Thread Chris Bagnall
On 13/4/14 4:25 pm, Adam Thompson wrote: As to the liberated comment, let us know when you've figured out how to make a completely open eReader that doesn't sell for $1000. Nexus 7 + fbreader (freely available)? Opens all the usual suspects (pub, mobi, pdf, etc.) If you don't mind one of the

Re: [pfSense] successor to ALIX is here

2014-04-02 Thread Chris Bagnall
On 2/4/14 9:17 pm, Thinker Rix wrote: Unfortunately again only 3 NICs... and Realteks with bad performance. I would love to see such a board one day with at least 4-8 NICs. On that subject, we've recently been experimenting with these:

Re: [pfSense] RDP port forward based on destination name.

2014-03-28 Thread Chris Bagnall
On 28/3/14 4:03 pm, Walter Parker wrote: I'd love it if there was simple solution, but I don't see one that would compatible with today's internet. Much of the original design of the internet was for a 1 to 1 mapping of IP addresses, rather than a 1 to many mapping (which is why there is usually

Re: [pfSense] RDP port forward based on destination name.

2014-03-27 Thread Chris Bagnall
On 27/3/14 8:17 pm, Walter Parker wrote: That's what I would recommend. The VPN can serve as a second gateway to protect the RDP from the outside world, so you could pitch this solution as higher security method of network access. This. There seem to be lots of dictionary attacks against RDP

Re: [pfSense] Android apps block

2014-03-24 Thread Chris Bagnall
On 24 Mar 2014, at 19:19, A Mohan Rao mohanra...@gmail.com wrote: I need to block whatsapp facebook etc android apps of pfsense users. Given that you seem to want to block everything under the sun (though I still don't understand why), how about doing it the other way round? Why not decide

Re: [pfSense] Proxy filter

2014-03-21 Thread Chris Bagnall
On 20/3/14 8:42 pm, Rafael Akchurin wrote: May be this will be of any help - http://sichent.wordpress.com/2014/02/22/filtering-https-traffic-with-squid-on-pfsense-2-1/ That approach does require that your users 'trust' the proxy and allow the necessary certificates. It's all well and good

Re: [pfSense] Proxy filter

2014-03-20 Thread Chris Bagnall
On 20/3/14 7:14 pm, A Mohan Rao wrote: I m using squid squid guard and light squid for user access websites reporting with live but there is pfsense not read or show ftp server access logs. I also try as pfsense firewall client and to to any other ftp sites then download files but in proxy

Re: [pfSense] Proxy filter

2014-03-20 Thread Chris Bagnall
On 20/3/14 7:19 pm, A Mohan Rao wrote: Ok thanks but if i need how i maintain ftp traffic logs. Not really relevant to the question, I appreciate, but I can't think of a good reason why you'd want to do that, unless of course you're running the FTP server, in which case your FTP server

Re: [pfSense] Proxy filter

2014-03-20 Thread Chris Bagnall
On 20/3/14 7:22 pm, A Mohan Rao wrote: Also i struggling to block https social networking sites like facebook etc from last 1to 1.5 years. I used for block that domain through DNS FORWARDER. But when user use open dns its working pls any idea its very helpful for me. You might find it easier

Re: [pfSense] Gateway Group / Failover WAN setup question

2014-03-11 Thread Chris Bagnall
On 11/3/14 6:48 pm, Justin Edmands wrote: The current rules all read * for the Gateway. Do all of my current LAN, OpenVPN, and IPSec rules need to be altered to include the Gateway as the new Failover1 rule? Those that rely on the WANs, yes. Rules to allow traffic to pass between your VPNs

Re: [pfSense] Blocking based on MAC

2014-03-01 Thread Chris Bagnall
On 1/3/14 2:37 am, Ryan Coleman wrote: I just checked google and the “best” solution from a few versions ago is to reserve the MAC IP to something out of range. I’d like to find a “simple” way to do that for my customer. Is there a better way to block a MAC? At the risk of thinking outside

[pfSense] Overzealous Multi-WAN state flushing

2014-02-17 Thread Chris Bagnall
Greetings list, A few days ago I finally found time to upgrade my ageing pfSense 2.1-RC0 at home to 2.1 final. Since that upgrade I've noticed that pfSense doesn't seem to be handling state killing on failed gateways very well. A bit of background: I live in a rural location with poor

Re: [pfSense] Unbound

2014-02-15 Thread Chris Bagnall
On 15/2/14 6:22 pm, Brian Caouette wrote: I've been trying to use unbound with poor results. Currently it resolves very very slowly. About 4 times longer than the default dns forwarder. Once the site is found and loaded however browsing the site is incredibly fast. Curious what might be the

Re: [pfSense] Firewall Aliases: DNS resolving of domains broken

2014-02-14 Thread Chris Bagnall
On 14/2/14 3:37 pm, Thinker Rix wrote: I have had entered some domain names there in the past, which always worked flawlessly. Recently I changed ISP and since then the domain names are not resolved anymore to IPs, so that the traffic using those aliases gets blocked by the firewall. When

Re: [pfSense] Firewall Aliases: DNS resolving of domains broken

2014-02-14 Thread Chris Bagnall
On 14/2/14 4:48 pm, Thinker Rix wrote: Any ideas what could be the problem? Have you tried entering the DNS servers your ISP supplies via PPP or DHCP (look on the Status - Interfaces page, they should be listed on there) manually on the General settings page, then disabling DNS via

Re: [pfSense] Setting PPPoE MTU

2014-01-29 Thread Chris Bagnall
On 29/1/14 10:57 am, Brian Candler wrote: My uplink is using PPPoE into a DSL router in bridged mode. The connectivity is fine, but the MTU is 1492 and I would like to bump this up to 1500 (assuming the router will take ethernet frames which are 1508 bytes). I looked at this about a year ago

[pfSense] Squid version for pfSense 2.1

2014-01-28 Thread Chris Bagnall
Greetings list, I've recently been working on a project in which Squid would be beneficial. So I thought a good starting point would be to try installing one of the pfSense Squid packages on my home pfSense, play around with the config, etc. before setting it up for the project in question. I

Re: [pfSense] Squid version for pfSense 2.1

2014-01-28 Thread Chris Bagnall
On 28/1/14 4:41 pm, Brian Caouette wrote: I'm running the 3.x over here with no problems. I haven't really noticed much of a performance gain however. I've been reading up on tweaking the settings but so far our hit rate has only been 1-2%. Thanks - I'll give that a try. In this context, it's

Re: [pfSense] MultiWAN with SSH

2013-12-13 Thread Chris Bagnall
On 13/12/13 5:48 am, Walter Parker wrote: What do I need to do to get the firewall to use the COMCASTGW for responses to packets sent to the COMCAST interface? Unless you're using advanced outbound NAT, this should happen automatically. You said: I have a rule on the Comcast interface the

Re: [pfSense] MultiWAN with SSH

2013-12-13 Thread Chris Bagnall
On 13/12/13 1:12 pm, Jim Pingle wrote: * Don't use interface groups or multi-interface floating rules for WAN rule I stand corrected. You learn something new every day :-) As an aside, is there any way to 'fix' this? On a system with 4 or 5 WANs, the ability to define inbound rules that

Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-07 Thread Chris Bagnall
We recently relocated and are waiting to get our primary connection installed, so in the meantime we're on a 3Mb/0.75Mb DSL line. However, pfSense often shows 6Mb/s coming out of the LAN during a download. Same problem here. I am not seeing incorrect traffic graphs in 2.1, and I am using

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall
On 6/11/13 7:11 am, Thinker Rix wrote: Unfortunately the motherboards I plan to buy supports only the above-mentioned CPUs. - Pentium - 4th generation core i3 - Xeon E3-1200 v3 If your board supports a Core i3, it is *very* unlikely that it won't also support the i5 of the same generation

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall
On 6/11/13 12:30 pm, Eugen Leitl wrote: Anyone running pfSense on a HP Microserver G8? I have - in the past - had it running on a G5 and a G6 if that's any help. One of our clients is using it on a G7. lspci on both mine show: Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev

Re: [pfSense] Question on FW log entries

2013-11-03 Thread Chris Bagnall
On 3/11/13 3:27 pm, Peder Rovelstad wrote: Just a quick question for anyone who cares to reply, something I can't figure out. I have the default LAN - Any rule active on the LAN interface, but I often see block entries such as those attached, in this case from my kid's iPad to Google. Other

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall
On 24/10/13 5:30 pm, Thinker Rix wrote: I want to have: - full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x Gigabit at max) Would have thought you'd be fine here. - full 450Mbps between the WLAN and pfsense Even with 450Mbps *radios* I'd be amazed if you get more than

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall
On 25/10/13 12:02 am, Thinker Rix wrote: Ok, I see. Does this change with a router that has a Gigabit-NIC to connect with pfSense, or isn't that the bottleneck? I've never encountered even a 100Mbps NIC being a wireless bottleneck at 2.4GHz. The limitation is effective throughput through the

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall
On 24/10/13 7:31 pm, Adam Thompson wrote: If I upgraded to a better-quality unit, or switched to licensed spectrum, I could probably eliminate the variability and increase speed simultaneously. Indeed, we have Ubiquiti kit running point to point links in the 5GHz unlicensed spectrum (band C)

Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Chris Bagnall
On 11/10/13 2:37 pm, Seth Mos wrote: And which country would that be? I mean the British MI4? tapped the Belgian telecom network for over a year to listen into the EU politicians... Who is this MI4 of whom you speak? :-) In very broad terms, UK to USA equivalents would be as follows: GCHQ =

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

2013-10-10 Thread Chris Bagnall
I've deliberately stayed out of the political discussion, but interested in this more technical discussion… On 10 Oct 2013, at 14:50, Giles Coochey gi...@coochey.net wrote: 2. Cipher Selection - we're not all cryptoanalysts, so statements like 'trust the math' don't always mean much to us,
