Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

2018-05-23 Thread Chuck Mariotti
This is certainly possible, but the RRD GUI has a choice to display stats for 
WAN (Default) and LAN... selecting LAN essentially swaps the In/Out columns +/- 
a few gigs... 

We are running ntopng but it only has data for the last 12 days... the one 
webserver that is likely causing a lot of usage is reporting ~300GB used via 
ntopng... I assume that's total in/out.

-Original Message-
From: List  On Behalf Of Melvin Backus
Sent: May 23, 2018 7:47 PM
To: 'pfSense Support and Discussion Mailing List' 
Subject: Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center 
Provider...

Is it possible these numbers are for both interfaces on the pfSense box? If so, 
do they include both inbound and outbound traffic for both? That would 
effectively double the true data transfer if traffic isn't being routed between 
other subnets / interfaces on the firewall.  I don't have RRD loaded so this is 
strictly speculation on a possible cause.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck Mariotti
Sent: Wednesday, May 23, 2018 1:57 PM
To: list@lists.pfsense.org
Subject: [pfSense] Bandwidth Mismatch between pfSense and Data Center 
Provider...

We've run into a data overage situation at a datacenter... We get charged a 
premium per GB over 500GB (yes I know, stupid). Their reporting system seems to 
indicate significantly less data usage vs pfSense's RRD reporting...
their billing system seems to be indicating overage similar to their 
reporting... Uploads seem to be growing significantly. Any idea why the pfSense 
box seems to be counting differently than the datacenter's metrics?
We need to track down where this usage is happening, but I know users have only 
grown ~5% over that same period of time.

Here are stats for each month:

Month           Datacenter (Upload/Download)   pfSense RRD (Upload/Download)
January         618.95GB/76.01GB               1372.41GiB/148.91GiB
February        365.25GB/47.15GB               1388.65GiB/149.60GiB
March           799.92GB/79.81GB               1697.71GiB/152.24GiB
April           801.67GB/105.01GB              1706.53GiB/200.86GiB
May (to 23rd)   581.57GB/76.26GB               1177.95GiB/139.55GiB


Any suggestions how or why there is a mismatch?

Regards,

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


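As an added example (my own code, not something from this thread or from the pfSense project), the script below takes the monthly figures Chuck posted, converts the RRD values from binary GiB to the decimal GB the provider bills in, and checks each month against Melvin's suggestion that the RRD total is summing both interfaces of the box, which would count every forwarded byte twice. The interface_sum model and the 0.2 tolerance around the expected factor of 2 are my own assumptions.

```python
# Added example, not part of the mailing-list thread: normalise the monthly
# figures Chuck posted into one unit and test them against the hypothesis
# raised in the thread (the RRD "total" summing both interfaces of the box).
# The provider bills in decimal GB; pfSense RRD graphs report binary GiB.
from __future__ import annotations

from dataclasses import dataclass

GB_PER_GIB = 1024 ** 3 / 1000 ** 3  # 1 GiB = 1.073741824 GB


@dataclass(frozen=True)
class MonthUsage:
    month: str
    dc_up_gb: float       # provider's upload figure, decimal GB
    dc_down_gb: float     # provider's download figure, decimal GB
    rrd_up_gib: float     # pfSense RRD upload figure, binary GiB
    rrd_down_gib: float   # pfSense RRD download figure, binary GiB


# Values copied from the thread (January to 23 May 2018).
USAGE = [
    MonthUsage("January",       618.95,  76.01, 1372.41, 148.91),
    MonthUsage("February",      365.25,  47.15, 1388.65, 149.60),
    MonthUsage("March",         799.92,  79.81, 1697.71, 152.24),
    MonthUsage("April",         801.67, 105.01, 1706.53, 200.86),
    MonthUsage("May (to 23rd)", 581.57,  76.26, 1177.95, 139.55),
]


def gib_to_gb(gib: float) -> float:
    """Convert binary gibibytes to the decimal gigabytes a provider bills in."""
    return gib * GB_PER_GIB


def ratios(m: MonthUsage) -> tuple[float, float]:
    """(upload, download) ratio of the RRD figure, converted to GB, over the
    provider's figure. A ratio of 1.0 would mean the two counters agree."""
    return (gib_to_gb(m.rrd_up_gib) / m.dc_up_gb,
            gib_to_gb(m.rrd_down_gib) / m.dc_down_gb)


def interface_sum(wan_in_gb: float, wan_out_gb: float, lan_only_gb: float = 0.0) -> float:
    """Model (my assumption) of the double-counting hypothesis on a two-interface
    firewall: every byte forwarded WAN->LAN is 'in' on WAN and 'out' on LAN, and
    vice versa, so adding up all interface counters counts forwarded traffic
    twice. Traffic routed only between internal segments (lan_only_gb) shows up
    on LAN in both directions and never reaches the provider's meter."""
    wan_total = wan_in_gb + wan_out_gb
    lan_total = wan_in_gb + wan_out_gb + 2 * lan_only_gb
    return wan_total + lan_total


def consistent_with_double_counting(ratio: float, tolerance: float = 0.2) -> bool:
    """True when a ratio sits within tolerance of the factor 2 the interface-sum
    model predicts; anything further from 2 needs another explanation."""
    return abs(ratio - 2.0) <= tolerance


def report() -> list[str]:
    """One line per month with both ratios and whether each looks like a plain 2x."""
    lines = []
    for m in USAGE:
        up, down = ratios(m)
        up_tag = "~2x" if consistent_with_double_counting(up) else "not ~2x"
        down_tag = "~2x" if consistent_with_double_counting(down) else "not ~2x"
        lines.append(f"{m.month:<14} up x{up:.2f} ({up_tag})  down x{down:.2f} ({down_tag})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as-is it prints one line per month. After the unit conversion the download ratios land near 2 in four of the five months, which is what a double count would produce; the upload ratios are consistently higher, so units plus interface counting alone do not account for the upload figures, and a per-host view such as the ntopng data Chuck mentions is the next thing to compare.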


[pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

2018-05-23 Thread Chuck Mariotti
We've run into a data overage situation at a datacenter... We get charged a 
premium per GB over 500GB (yes I know, stupid). Their reporting system seems to 
indicate significantly less data usage vs pfSense's RRD reporting... their 
billing system seems to be indicating overage similar to their reporting... 
Uploads seem to be growing significantly. Any idea why the pfSense box seems to 
be counting differently than the datacenter's metrics? We need to track down 
where this usage is happening, but I know users have only grown ~5% over that 
same period of time.

Here are stats for each month:

Month           Datacenter (Upload/Download)   pfSense RRD (Upload/Download)
January         618.95GB/76.01GB               1372.41GiB/148.91GiB
February        365.25GB/47.15GB               1388.65GiB/149.60GiB
March           799.92GB/79.81GB               1697.71GiB/152.24GiB
April           801.67GB/105.01GB              1706.53GiB/200.86GiB
May (to 23rd)   581.57GB/76.26GB               1177.95GiB/139.55GiB


Any suggestions how or why there is a mismatch?

Regards,

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

2015-08-17 Thread Chuck Mariotti
Okay, so I can create an offsite pfSense instance, import the file and run that 
command and likely see if it points to specific errors.
Will try that.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Seb
Sent: August-17-15 12:25 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

When I ran that command, I got an error. It pointed me to an alias that it 
thought was a host list alias and that needed changing to a port list alias.
I do not know why 2.2.x treated it differently to 2.1.x though.

Kind regards, 

Seb 


 

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A 
> Mohan Rao mohanrao83-at-gmail.com |pfSense/Allow + Forward to Syntec|
> Sent: 17 August 2015 16:18
> To: ; pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...
> 
> Pls try with AMD64 Pfsense it works good at my pfSense server only 
> filter http not https...
> 
> Thanks
> 
> Mohan
> On Aug 17, 2015 6:26 PM, "Chuck Mariotti"  wrote:
> 
> > Thanks, I had rebooted the server a few times trying to resolve. Is that 
> > the same? On the reload with error, did it point to something specific?
> > I ask because I'm not sure how to debug this without taking everything 
> > down all over again.
> >
> > Chuck
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Seb
> > Sent: August-17-15 6:40 AM
> > To: list@lists.pfsense.org
> > Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...
> >
> > Maybe you had the same problem as me.
> >
> > Log in on ssh shell and then try running:
> > pfctl -f /tmp/rules.debug
> > This should reload the rules, but might throw an error..
> >
> > Kind regards,
> >
> > Seb
> >
> > > -Original Message-
> > > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck 
> > > Mariotti cmariotti-at-xunity.com
> > > Sent: 15 August 2015 22:26
> > > To: pfSense Support and Discussion Mailing List
> > > Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...
> > >
> > > I should point out that at one point there was a "DNS Rebind" 
> > > message in the best browser for one of the sites internally (not sure 
> > > if that's related).
> > >
> > > -Original Message-
> > > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck 
> > > Mariotti
> > > Sent: August-15-15 1:16 PM
> > > To: pfSense Support and Discussion Mailing List 
> > > Subject: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...
> > >
> > > I had a need to update to the latest pfSense. I had a replacement 
> > > machine with the latest 2.2.4. Took the config file from 2.1.5 and 
> > > restored it...
> > >
> > > It got stuck on the restoring packages and I eventually unlocked and 
> > > just left it as-is.
> > >
> > > Swapped over the connection to the replacement and some internal 
> > > websites (https) stopped being available to the public... internally 
> > > no problems.
> > >
> > > I looked quickly but could not find what was happening with a simple 
> > > update. So I switched it back to the original.
> > >
> > > I reinstalled 2.1.5 on the replacement machine... restored the 
> > > config... switched it over and all worked perfectly.
> > >
> > > I ran the in-place update and it completed without issues (including 
> > > packages)... but again, many internal sites not available to the 
> > > public side.
> > >
> > > Did I miss something in the upgrade method? There is a patch that was 
> > > previously applied but I don't think it was related and it didn't say 
> > > it was enabled.
> > >
> > > Fix SHA1 certs
> > >
> > > http://github.com/pfsense/pfsense/commit/fd750cd064a46f364a7e06c9fe27d46ce11cd09a.patch
> > >
> > > Unfortunately, I did not have much time to debug since there was an 
> > > unrelated hardware failure which extended the approx downtime from 
> > > 5-10mins to about 3 hours. So I was mostly interested in restoring 
> > > things back to normal.
> > >
> > > To be honest, I don't know if it was both http(s) or ju

Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

2015-08-17 Thread Chuck Mariotti
Thanks, I had rebooted the server a few times trying to resolve. Is that the 
same? On the reload with error, did it point to something specific?
I ask because I'm not sure how to debug this without taking everything down all 
over again.

Chuck

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Seb
Sent: August-17-15 6:40 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

Maybe you had the same problem as me.

Log in on ssh shell and then try running:
pfctl -f /tmp/rules.debug
This should reload the rules, but might throw an error..

Kind regards, 

Seb


 

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck 
> Mariotti cmariotti-at-xunity.com
> Sent: 15 August 2015 22:26
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...
> 
> I should point out that at one point there was a "DNS Rebind" 
> message in the best browser for one of the sites internally (not sure 
> if that's related).
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck 
> Mariotti
> Sent: August-15-15 1:16 PM
> To: pfSense Support and Discussion Mailing List 
> 
> Subject: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...
> 
> I had a need to update to the latest pfSense. I had a replacement 
> machine with the latest 2.2.4. Took the config file from 2.1.5 and 
> restored it...
> 
> It got stuck on the restoring packages and I eventually unlocked and 
> just left it as-is.
> 
> Swapped over the connection to the replacement and some internal 
> websites (https) stopped being available to the public... internally 
> no problems.
> 
> I looked quickly but could not find what was happening with a simple 
> update. So I switched it back to the original.
> 
> I reinstalled 2.1.5 on the replacement machine... restored the 
> config... switched it over and all worked perfectly.
> 
> I ran the in-place update and it completed without issues (including 
> packages)... but again, many internal sites not available to the 
> public side.
> 
> Did I miss something in the upgrade method? There is a patch that was 
> previously applied but I don't think it was related and it didn't say 
> it was enabled.
> 
> Fix SHA1 certs
> 
> http://github.com/pfsense/pfsense/commit/fd750cd064a46f364a7e0
> 6c9fe27d46ce11cd09a.patch
> 
> Unfortunately, I did not have much time to debug since there was an 
> unrelated hardware failure which extended the approx downtime from 
> 5-10mins to about 3 hours. So I was mostly interested in restoring 
> things back to normal.
> 
> To be honest, I don't know if it was both http(s) or just https only 
> that was not accessible... I think it was https but it's too late to 
> test it again. There is an NLBS serving up some of those sites if that 
> matters.
> 
> I would be grateful for any suggestions.
> 
> Regards,
> 
> Chuck
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold 
> 

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

2015-08-15 Thread Chuck Mariotti
I should point out that at one point there was a "DNS Rebind" message in the 
best browser for one of the sites internally (not sure if that's related).

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck Mariotti
Sent: August-15-15 1:16 PM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

I had a need to update to the latest pfSense. I had a replacement machine with 
the latest 2.2.4. Took the config file from 2.1.5 and restored it...

It got stuck on the restoring packages and I eventually unlocked and just left 
it as-is.

Swapped over the connection to the replacement and some internal websites 
(https) stopped being available to the public... internally no problems.

I looked quickly but could not find what was happening with a simple update. So 
I switched it back to the original.

I reinstalled 2.1.5 on the replacement machine... restored the config... 
switched it over and all worked perfectly.

I ran the in-place update and it completed without issues (including 
packages)... but again, many internal sites not available to the public side.

Did I miss something in the upgrade method? There is a patch that was 
previously applied but I don't think it was related and it didn't say it was 
enabled.

Fix SHA1 certs

http://github.com/pfsense/pfsense/commit/fd750cd064a46f364a7e06c9fe27d46ce11cd09a.patch

Unfortunately, I did not have much time to debug since there was an unrelated 
hardware failure which extended the approx downtime from 5-10mins to about 3 
hours. So I was mostly interested in restoring things back to normal.

To be honest, I don't know if it was both http(s) or just https only that was 
not accessible... I think it was https but it's too late to test it again. 
There is an NLBS serving up some of those sites if that matters.

I would be grateful for any suggestions.

Regards,

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] pfSense 2.1.5 to 2.2.4 update problems...

2015-08-15 Thread Chuck Mariotti
I had a need to update to the latest pfSense. I had a replacement machine with 
the latest 2.2.4. Took the config file from 2.1.5 and restored it...

It got stuck on the restoring packages and I eventually unlocked and just left 
it as-is.

Swapped over the connection to the replacement and some internal websites 
(https) stopped being available to the public... internally no problems.

I looked quickly but could not find what was happening with a simple update. So 
I switched it back to the original.

I reinstalled 2.1.5 on the replacement machine... restored the config... 
switched it over and all worked perfectly.

I ran the in-place update and it completed without issues (including 
packages)... but again, many internal sites not available to the public side.

Did I miss something in the upgrade method? There is a patch that was 
previously applied but I don't think it was related and it didn't say it was 
enabled.

Fix SHA1 certs

http://github.com/pfsense/pfsense/commit/fd750cd064a46f364a7e06c9fe27d46ce11cd09a.patch

Unfortunately, I did not have much time to debug since there was an unrelated 
hardware failure which extended the approx downtime from 5-10mins to about 3 
hours. So I was mostly interested in restoring things back to normal.

To be honest, I don't know if it was both http(s) or just https only that was 
not accessible... I think it was https but it's too late to test it again. 
There is an NLBS serving up some of those sites if that matters.

I would be grateful for any suggestions.

Regards,

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Chuck Mariotti
If I can add to this question... are support incidents hardware specific? 
Meaning, if I purchase some hardware with 2 incidents... can I use those on 
other devices? 

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Thompson
Sent: July-20-15 7:09 PM
To: pfSense support and discussion 
Subject: [pfSense] SG-4860 vs. support pricing question

I see the redundant SG-4860 bundle with shelf is now available on the pfSense 
store, and I also see that the 2440 and 4860 appear to be shipping now.  This 
is great! 


(I’m probably still waiting for the 2220, though, since it’s hard to justify 
anything else when I can’t get anything faster than DSL or Cable in this 
building.)


But I do have one issue/question/comment about the pricing of that bundle: 
there are still only 2 support incidents bundled.

It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I’d 
wind up paying almost the same amount (maybe $75 more if I had to buy a new 
shelf) but would get 4 support incidents included with my purchase.


Also, the price for a 2-incident support pack is $399, but I can buy a SG-2220 
for only $299 and get the same # of support incidents.




Have I missed something?  Is this intentional?




-- 
-Adam Thompson
 athom...@athompso.net
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Access Point Recommendations?

2015-07-17 Thread Chuck Mariotti
I guess I should mention, the internet connections are usually 150Mbit+ ... so 
would need something in the n or a/c range preferably.
Lots of devices, laptops (hooked up to Ethernet but still wifi active when 
walking around).

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Paul Galati
Sent: July-17-15 10:50 AM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] Access Point Recommendations?

Probably get flamed for this but my experience has been positive.  Purchase a 
router that is capable of running Tomato, preferably Toastman or Shibby.  I 
still use a $15 ebay Linksys WRT54GL that is rock solid and with Tomato it 
includes built in OpenVPN software to connect to pfsense at the office.

Paul

On Jul 17, 2015, at 10:45 AM, Chuck Mariotti  wrote:

> We are having a number of issues with Engenius Access Points... they seem to 
> have the features we need but for some reason, connectivity is not reliable 
> (seems Mac related). As much time as I would like to spend debugging it, it 
> would be cheaper to replace.
> 
> Does anyone have any recommendations for small office access points?

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Access Point Recommendations?

2015-07-17 Thread Chuck Mariotti
We are having a number of issues with Engenius Access Points... they seem to 
have the features we need but for some reason, connectivity is not reliable 
(seems Mac related). As much time as I would like to spend debugging it, it 
would be cheaper to replace.

Does anyone have any recommendations for small office access points?

Regards,

Chuck

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Gateway failures, how to access everything behind it still so that I can debug?

2015-06-19 Thread Chuck Mariotti
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: June-18-15 4:25 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Gateway failures, how to access everything behind it 
still so that I can debug?

Chuck Mariotti wrote on Thu, Jun 18 2015 at 3:15 pm:

>   Are you asking how to connect into your rack from outside the data 
> center? pfSense does have a CARP feature where a second firewall can be set 
> up for failover.  It needs a few things like three WAN IPs for the routers 
> (1, 2, and shared), and three LAN IPs (same), and they recommend a separate 
> interface on each for syncing.
>
>   If you're asking how to get to the servers, we plug a patch cable into 
> the switch in our rack...


Oddly, I am asking so that I can avoid this exact configuration...
CARP seems complicated... I am certain I can set it up, but it would require a 
lot of training for the other techs to be able to manage in a failure situation.
Also, I am trying to avoid this because the intention is that they would also 
be running as VMs... adding another layer of complication...
Combine that with VLANs and it isn't something I want to put in the hands of a 
simple tech at 4am...

My thoughts were to set up a simple VM of pfSense... give it physical port 
access, etc... set it up like a regular firewall.
Then, have it cloned nightly to another VM on another box... but not have it 
running... only in waiting to be powered up.
This other box would be physically hooked up to the same simple ports on the 
switch as the primary firewall.

If the firewall fails... then it should be a matter of making sure the problem 
firewall is powered down and powering up the clone.

The problem I had was, how do I get into the network behind the firewall so 
that I can power down the bad and power up the good clone?

Or is there a better/easier solution?

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Gateway failures, how to access everything behind it still so that I can debug?

2015-06-18 Thread Chuck Mariotti
So a USB dongle into a Windows Laptop? Running what? Since I need to assume the 
firewall is down, the USB dongle into the firewall wouldn't work.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Josh Reynolds
Sent: June-18-15 4:19 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Gateway failures, how to access everything behind it 
still so that I can debug?

1 - 2nd provider is the preferred method
2 - straighttalk Sim / USB dongle
3 - good ole dialup modem terminal server -> serial

On Jun 18, 2015 12:15 PM, Chuck Mariotti  wrote:
>
> I have a datacenter, with a reliable connection. 
>
> If there is a gateway failure, how are people getting into their networks to 
> admin stuff still? I was thinking a basic laptop with Teamviewer and maybe a 
> 4G/LTE stick... but is that the correct way to go? 
>
>
>
> ___ 
> pfSense mailing list 
> https://lists.pfsense.org/mailman/listinfo/list 
> Support the project with Gold! https://pfsense.org/gold 
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Gateway failures, how to access everything behind it still so that I can debug?

2015-06-18 Thread Chuck Mariotti
I have a datacenter, with a reliable connection.

If there is a gateway failure, how are people getting into their networks to 
admin stuff still? I was thinking a basic laptop with Teamviewer and maybe a 
4G/LTE stick... but is that the correct way to go?



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Running as a VM, multiple WAN subnets

2015-02-27 Thread Chuck Mariotti
I am starting this weekend to set up the same situation... So a simple failover 
situation requires that we have TWO public IP addresses then?
I am starting to second guess if it's smart to use a VLAN on a shared switch. 
If it fails, then I have more problems at multiple levels vs. a simple dumb 
switch.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-19 Thread Chuck Mariotti
>You could try TCP for the OpenVPN if the phones will support it.  The vast 
>majority of your traffic will be UDP so you wont get the joy of TCP in TCP 
>exponential standoffs.
>
>Cheers
>Jon

The phones do support TCP (an option on a per line basis offers UDP/TCP).
Could you clarify what you mean by this exactly? A little bit confused...

It seems the OpenVPN connections are up/down... so you are suggesting to 
switch the OpenVPN connection to TCP instead of UDP?
Keep the phone UDP?

The standoffs you suggest, are they the OpenVPN or the Phone data screwing up? 
Or both?

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-19 Thread Chuck Mariotti
Ya, I am testing that in lab now with an Asus rt-ac68u I have. Going to see 
what behavior is for disconnects, etc... Will also have to figure out how to 
remote into the phones and the rules, etc...

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Odhiambo 
Washington
Sent: February-19-15 8:04 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues



On 19 February 2015 at 14:51, Chuck Mariotti <cmario...@xunity.com> wrote:
>That's definitely the cable modem's NAT getting confused. If you can get the 
>phones to randomize their source ports on their OpenVPN traffic, that might 
>resolve. I'm not sure if that's possible on those phones. In stock OpenVPN, 
>specifying "lport 0" in the config will make it choose a random port. I'm not 
>sure if that's configurable for the Yealink phones though. We disable that 
>automatically in our OpenVPN client export for Yealink because they didn't 
>support it at least up until recently.

>If you can change the modem to bridge mode to pass through the public IP to a 
>router of some sort that will properly handle that circumstance, it'll resolve 
>that. That might be hit or miss with consumer-grade routers. A completely 
>default pfSense config will work fine in that circumstance, as it'll 
>randomize the source ports on its own so the phones don't have to.

I'm not sure installing a pfSense box is an option at the moment... will a 
consumer grade (Asus RT-AC68U as an example) be useful? Unless there is a "just 
as good / same price" pfSense with wifi AC.
I have one ASUS pulled from an installation... I guess another approach could 
be to use the consumer router to build the OpenVPN tunnel instead of the 
phones. Not sure if that's better or worse... will have to think that 
through... it's nice to see the phones popup on pfSense.


I would build the tunnel using other devices and just let the phones 
communicate. It's a lot easier that way.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-19 Thread Chuck Mariotti
>That's definitely the cable modem's NAT getting confused. If you can get the 
>phones to randomize their source ports on their OpenVPN traffic, that might 
>resolve. I'm not sure if that's possible on those phones. In stock OpenVPN, 
>specifying "lport 0" in the config will make it choose a random port. I'm not 
>sure if that's configurable for the Yealink phones though. We disable that 
>automatically in our OpenVPN client export for Yealink because they didn't 
>support it at least up until recently.

>If you can change the modem to bridge mode to pass through the public IP to a 
>router of some sort that will properly handle that circumstance, it'll resolve 
>that. That might be hit or miss with consumer-grade routers. A completely 
>default pfSense config will work fine in that circumstance, as it'll 
>randomize the source ports on its own so the phones don't have to.

I'm not sure installing a pfSense box is an option at the moment... will a 
consumer grade (Asus RT-AC68U as an example) be useful? Unless there is a "just 
as good / same price" pfSense with wifi AC.
I have one ASUS pulled from an installation... I guess another approach could 
be to use the consumer router to build the OpenVPN tunnel instead of the 
phones. Not sure if that's better or worse... will have to think that 
through... it's nice to see the phones popup on pfSense.

Regards,

Chuck


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
>That's definitely the cable modem's NAT getting confused. If you can get the 
>phones to randomize their source ports on their OpenVPN traffic, that might 
>resolve. I'm not sure if that's possible on those phones. In stock OpenVPN, 
>specifying "lport 0" in the config will make it choose a random port. I'm not 
>sure if that's configurable for the Yealink phones though. We disable that 
>automatically in our OpenVPN client export for Yealink because they didn't 
>support it at least up until recently.

>If you can change the modem to bridge mode to pass through the public IP to a 
>router of some sort that will properly handle that circumstance, it'll resolve 
>that. That might be hit or miss with consumer-grade routers. A completely 
>default pfSense config will work fine in that circumstance, as it'll 
>randomize the source ports on its own so the phones don't have to.


Thanks Chris, I've emailed Yealink support but it seems they are "off" until 
mid-next week (Chinese New Year).
Not sure what to do, purchase a 3rd party router to see if it solves the problem 
or if I should wait to see what Yealink's answer is first.

Reading up on the modem seems like bridge mode is a little problematic... maybe 
a call to the cable provider first to see options.

Thanks Again,

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
>Think you forgot the logs. That should be enough of a summary to have a good 
>idea though.

>What's the firewall/router/NAT device on the network where the 3 phones 
>reside? That sounds like what could happen with a NAT device that doesn't 
>handle UDP well. Some consumer-grade routers and some NAT implementations 
>built into DSL/cable modems can have problems handling long-lived UDP 
>connections especially where multiple devices are being NATed out to a single 
>destination IP and port.

And here is the log below... argh.
The devices are behind a 256Mbit cable modem... Any suggestions on how to 
resolve if that is the case? 3rd party router?

Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, IPv6=(Not enabled)
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 send_push_reply(): safe_cap=940
Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:31 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:27 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:20 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:15 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:09 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:01 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:57 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:55 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:50 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 16:35:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
send_push_reply(): safe_cap=940
Feb 17 16:35:42 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.18, 
IPv6=(Not enabled)
Feb 
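The log above shows two phones behind one public address (172.172.172.66) whose packets keep landing on each other's session, which OpenVPN rejects as a CN change, a key desync or an HMAC failure. As an added example (not from the thread, not pfSense code), here is a small parser that groups those error signatures by client IP and flags addresses where more than one certificate collides; the sample lines are constructed to mirror the log.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pfSense OpenVPN log in the thread (not the original lines).
SAMPLE_LOG = """\
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:31 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 16:35:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 16:35:42 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 16:35:42 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
Feb 17 16:30:00 openvpn[78847]: Phone-Ext213/198.51.100.7:40000 send_push_reply(): safe_cap=940
"""

# One syslog-style OpenVPN line: timestamp, optional "CN/" prefix, peer ip:port, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn\[\d+\]: "
    r"(?:(?P<cn>[\w.-]+)/)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$"
)

# The three error signatures that appear in the thread's log.
SIGNATURES = {
    "cn_change": re.compile(r"TLS object CN attempted to change from '([^']+)' to '([^']+)'"),
    "keys_out_of_sync": re.compile(r"TLS keys are out of sync"),
    "hmac_fail": re.compile(r"packet HMAC authentication failed"),
}


def parse_line(line):
    """Return a dict for a per-peer line, or None for lines without a peer (e.g. MULTI_sva)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "other"
    for label, pat in SIGNATURES.items():
        hit = pat.search(rec["msg"])
        if hit:
            rec["kind"] = label
            if label == "cn_change":
                rec["cn_from"], rec["cn_to"] = hit.group(1), hit.group(2)
            break
    return rec


def analyze(log_text):
    """Group events by the client's public IP; flag an IP when CN-change rejections
    show that more than one certificate is arriving from that single address."""
    per_ip = defaultdict(lambda: {"cns": set(), "ports": set(), "counts": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["ports"].add(int(rec["port"]))
        if rec["cn"]:
            entry["cns"].add(rec["cn"])
        entry["counts"][rec["kind"]] += 1
        if rec["kind"] == "cn_change":
            entry["cns"].update((rec["cn_from"], rec["cn_to"]))
    report = {}
    for ip, e in per_ip.items():
        c = e["counts"]
        report[ip] = {
            "cns": sorted(e["cns"]),
            "ports": sorted(e["ports"]),
            "cn_change": c["cn_change"],
            "keys_out_of_sync": c["keys_out_of_sync"],
            "hmac_fail": c["hmac_fail"],
            "flagged": c["cn_change"] > 0 and len(e["cns"]) > 1,
        }
    return report


def explain(report):
    """Human-readable findings, one line per client address."""
    lines = []
    for ip, r in sorted(report.items()):
        if r["flagged"]:
            lines.append(
                f"{ip}: certificates {r['cns']} collide on ports {r['ports']} "
                f"({r['cn_change']} CN-change rejections, {r['keys_out_of_sync']} key-sync errors, "
                f"{r['hmac_fail']} HMAC failures). Packets from one client are reaching another "
                "client's session: check for a shared certificate or a NAT device remapping UDP ports.")
        else:
            lines.append(f"{ip}: no CN collisions ({r['cn_change']} CN changes, "
                         f"{r['keys_out_of_sync']} key-sync errors).")
    return lines


if __name__ == "__main__":
    for line in explain(analyze(SAMPLE_LOG)):
        print(line)
```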

[pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
I have 4 Yealink T46G phones, 3 on one network (problematic), 1 on a separate 
network... all phones are OpenVPNing into pfSense box at datacenter... then 
using a phone system through the OpenVPN connection.

The problematic location keeps having issues with phones not receiving calls or 
making calls... as well as call quality issues. Rebooting the phones solves the 
problems.

The OpenVPN logs contain a number of TLS Errors (TLS keys are out of sync)... 
as well as Auth/Decrypt errors (packet HMAC authentication failed). Logs are 
below. Can anyone shed some light on what might be happening here?

Regards,

Chuck

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-05 Thread Chuck Mariotti
Thanks… I am leaning that way I think… just trying to wrap my head around whether 
it is worth trying to buy more RAM + more storage (HW RAID) to make them ESXi 
worthy to run VMs, or if I should just keep it basic… ESXi is tempting 
since I can at least make the secondary server do other stuff instead of just 
waiting for a failure on the primary. Trying to think of useful virtual machines 
to run that are not mission critical if a machine dies (since not RAID); don’t 
have a license to real-time replicate it on the VMware side, but that might be 
useful for the datacenter...



From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason Whitt
Sent: February-05-15 3:23 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...

I would add that for "data center" workloads the apu's may not be the best 
choice ... Those 8 core atoms are plenty for multi 1gig feeds and the nic's are 
solid.


Sent from my iPhone

On Feb 5, 2015, at 12:38 PM, Jeremy Bennett <jbenn...@hikitechnology.com> wrote:
Jason is correct. Those Supermicro boxes are awesome. Be careful when ordering 
though... they want ECC memory.

The APUs from Netgate are nice too–the year of bundled support has already 
saved my bacon a number of times. Well worth the cost.

On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt <jason.wh...@gmail.com> wrote:
I've run them as VMs using vmxnet3s as well as physical on these 
http://m.newegg.com/Product/index?itemnumber=16-101-837

Both are viable options.

Jason

Sent from my iPhone

On Feb 5, 2015, at 11:11 AM, Walter Parker <walt...@gmail.com> wrote:
I've used pfSense in a VM on my ESXi application server. This is mostly to 
firewall the Windows VMs from the Internet.

If you want fail-over, I'd suggest getting one of the new Netgate 
(http://store.netgate.com/NetgateAPU2.aspx or 
http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense 
(https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an SSD. 
Then you can run a full install that supports package installs with a power 
budget of ~10-15 Watts for the APU units. Then you have a choice of getting a 
second HW unit for an additional $400 to $1000, or setting up pfSense in a VM 
(not on a separate VMware server, on an existing VM server).

The higher end HW systems on those pages are 8 core Atom systems built to run 
pfSense (of course, the power requirements will be in the 100W range). With an 
SSD, these systems should last for a long time with no issues.

How much firewall horsepower do you need? What are your constraints (time, 
money, space)?

P.S. You can run packages on embedded in 2.2, you just want to be careful not 
to run packages that would trash the SD card with too many writes.


Walter

On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti <cmario...@xunity.com> wrote:
Have been using pfSense for years at our datacenter, very happy with it running 
on old dedicated hardware with failover. The hardware is overdue to be retired 
and I’m wondering what people are doing/recommending for a datacenter setup. We 
want to use OpenVPN Server, IDS, dBandwidth, etc… so need to keep our option 
open for the ability to run packages... behind it we are running multiple 
servers and vCenter/ESXI servers.

What’s the go-to setup for a datacenter these days?

Do we stick with two dedicated boxes?
Since we pay for power, nice to have lower power… So do we go as low as using 
embedded hardware? It used to not be recommended for packages… still the case I 
assume?
So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core, or 8 
core!!??! etc…).

But then I see so many people running pfSense in VMWare and I wonder if we 
should consider this. Then I think about the hardware needs and VMWare 
Licensing (would like to avoid)… and what else can I run on the hardware along 
side without hurting pfSense from running properly, etc…

If pfSense is setup to failover, that means the hardware can be cheap…. No RAID 
needed.
If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages… can I 
run it off of USB stick then or do I still need HDD/SSD?

If setting up new hardware so can run pfSense as Virtual Machines… I would need 
two VM Hosts running pfSense as VM’s so would have the failover... What should 
we consider for the hardware in this case… should I go with RAID w/HDD/SSD on 
ESXI? If pfSense is setup for failover, do I really need RAID? But I assume I 
would need something reliable if I’m going to run other non-pfsense VMs on the 
same hardware… so I would need RAID w/HDD/SSD and it would need to be larger… 
what are other people running in datacenter setups along side the pfSense? I 
don’t want to put it onto our existing vCenter infrastructure, licensing/costs 
and isolation needed. Do I setup one hardware as basic, no RAID running ESXI 
and pfSense, and the other 

[pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-05 Thread Chuck Mariotti
Have been using pfSense for years at our datacenter, very happy with it running 
on old dedicated hardware with failover. The hardware is overdue to be retired 
and I'm wondering what people are doing/recommending for a datacenter setup. We 
want to use OpenVPN Server, IDS, dBandwidth, etc... so need to keep our option 
open for the ability to run packages... behind it we are running multiple 
servers and vCenter/ESXI servers.

What's the go-to setup for a datacenter these days?

Do we stick with two dedicated boxes?
Since we pay for power, nice to have lower power... So do we go as low as using 
embedded hardware? It used to not be recommended for packages... still the case 
I assume?
So I'm leaning towards some of the newer SuperMicro Atom boxes (quad core, or 8 
core!!??! etc...).

But then I see so many people running pfSense in VMWare and I wonder if we 
should consider this. Then I think about the hardware needs and VMWare 
Licensing (would like to avoid)... and what else can I run on the hardware 
along side without hurting pfSense from running properly, etc...

If pfSense is setup to failover, that means the hardware can be cheap... No 
RAID needed.
If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages... can 
I run it off of USB stick then or do I still need HDD/SSD?

If setting up new hardware so can run pfSense as Virtual Machines... I would 
need two VM Hosts running pfSense as VM's so would have the failover... What 
should we consider for the hardware in this case... should I go with RAID 
w/HDD/SSD on ESXI? If pfSense is setup for failover, do I really need RAID? But 
I assume I would need something reliable if I'm going to run other non-pfsense 
VMs on the same hardware... so I would need RAID w/HDD/SSD and it would need to 
be larger... what are other people running in datacenter setups along side the 
pfSense? I don't want to put it onto our existing vCenter infrastructure, 
licensing/costs and isolation needed. Do I setup one hardware as basic, no RAID 
running ESXI and pfSense, and the other more robust setup (RAID, more memory).

I'm really interested in what people are using in production 
environments/datacenters.

Regards,

Chuck

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] HP DL160 for pfSense in a datacenter

2014-04-23 Thread Chuck Mariotti
THIS:
> Also has the advantage that in the event of hardware failure, you 
> can move the drives to any other system and still access the data - something 
> that's not always an option if you're relying on a proprietary RAID layout.

Applies to a great many system builds... if you have the option of having spare 
parts and idle servers waiting to be swapped in at a moment's notice, go nuts 
with higher level RAID...  but mirror is simply easiest to recover should the 
controller or hardware die, with your data sitting on the drives.


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Network Traffic Monitoring w/o Webgui

2014-04-07 Thread Chuck Mariotti
It's been a few years, but a simple windows version...

http://oss.oetiker.ch/mrtg/


From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Walter Parker
Sent: April-07-14 2:06 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Network Traffic Monitoring w/o Webgui

Sorry,

FOSS = Free/Open Source Software (what MRTG, Linux, FreeBSD, pfSense are, as 
different from what Microsoft or HP sell)

Cacti is a web based system, from http://www.cacti.net/, that uses the 
technology that powers MRTG to build a nice web based system that monitors 
network equipment. Unlike MRTG, which has to be configured by hand, Cacti 
allows you to add hosts through the web interface (like how pfSense does all 
the pf stuff through the web rather than requiring you to edit config files). 
It is pretty simple to setup, assuming you have a FreeBSD or Linux systems and 
can install the package or port.

I've used it on networks to monitor all of the traffic on the routers, on the 
servers and even on the switch ports (that requires a switch with SNMP 
counters, usually known as a "managed switch").

There are also commercial systems that do the same thing, but they quickly 
become expensive (1000's to 10,000's dollars) as the size of your network grows.


Walter



On Mon, Apr 7, 2014 at 10:47 AM, Brian Caouette <bri...@dlois.com> wrote:
What is Cacti? FOSS?


On 4/7/2014 1:42 PM, Walter Parker wrote:
I'd expect that you should be able to enable SNMP, set a non default password 
(please don't use public) and add a firewall rule to allow UDP on port 161 
to/from your mrtg server. I'd recommend using Cacti as your mrtg server (if you 
want a FOSS solution).


Walter

On Mon, Apr 7, 2014 at 10:23 AM, Brian Caouette <bri...@dlois.com> wrote:
What about using mrtg to graph the various interfaces? Does PF support this?


On 4/7/2014 12:54 PM, Jim Pingle wrote:
On 4/7/2014 12:29 PM, James Caldwell wrote:
Happy Monday list...

Does anyone have a preferred way of monitoring over all traffic throughput for 
various interfaces via shell/putty instead of having to remain logged in to the 
webgui?  I have several alix based appliances that have had their ISP 
connections upgraded and I am trying to remain outside the web interface as 
much as possible due to the load that it puts on the system.

Any thoughts or experience is appreciated.
The "iftop" package is great for this.

Install it from the GUI and then from the shell run it like so:

iftop -nNpPi vr0

(Serving suggestion, salt to taste)

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list




--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, 
well-meaning but without understanding.   -- Justice Louis D. Brandeis



Re: [pfSense] Yealink OpenVPN to asterisk

2014-03-18 Thread Chuck Mariotti
Thanks Jim,

I have removed the WAN2 VLAN... this busted stuff until I uninstalled the 
previous QoS Wizard Settings... it is still posting a Notice:
[ There were error(s) loading the rules: /tmp/rules.debug:50: syntax error - 
The line in question reads [50]: altq on hfsc bandwidth 9.5Mb queue { qInternet 
} ]
 
I then switched all existing Proxy ARP items to be Alias IP.

I setup an IP Alias for IPs from our SIP Trunk Provider.

Then re-ran the Traffic Shaping Wizard (Single WAN/Multi Lan). Chose a single 
LAN... went through the wizard.
I setup 28% for SIP Traffic...

At the screen for setting priority on various protocols, I did not see any 
option for OpenVPN... only IPSec/PPTP. I pretty much set everything to low... 
left http as normal.

So I got to step 3 but did not see an OpenVPN option.

On step 4, I went into Floating rules and I did not see any "OpenVPN" rules.

Any ideas?

Chuck



-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Jim Pingle
Sent: March-11-14 1:57 PM
To: pfSense support and discussion
Subject: Re: [pfSense] Yealink OpenVPN to asterisk

On 3/11/2014 12:09 AM, Chuck Mariotti wrote:
> The data center has a single Internet connection but with two separate 
> subnets (ran out of Ip addresses). This has been setup as WAN and WAN2.
> I set up qos on pfsense but not sure if right. The single connection is 
> 10Mbit... but I set up WAN1 AND WAN2 as 10Mbit... which I assume is wrong. 
> How do I set that correctly?

Don't use two interfaces for that. Add the second subnet to WAN using an IP 
Alias VIP if you need to use it that way. In addition to being a simpler config 
for the same result, it also eliminates any guessing about the QoS config.

> I am also a little lost... since the voice traffic is OpenVPN, how to I make 
> certain that it is the highest priority across the board?

You need to shape both things: SIP to your upstream trunk and OpenVPN.

1. Use PRIQ for the shaper type on WAN/LAN when using the wizard.
2. Activate the VoIP screen, use your upstream SIP trunk for prioritization, or 
maybe even an alias containing the SIP trunk and your PBX.
3. Raise the priority of OpenVPN on the wizard screen to Raise/Lower Other 
Protocols.
4. Adjust the resulting floating rules for OpenVPN to match all of your OpenVPN 
server port(s)

Jim
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Yealink OpenVPN to asterisk

2014-03-10 Thread Chuck Mariotti
I have an asterisk box at a data center that has some high traffic websites. I 
also have an asterisk box there with a few Yealink T46G phones OpenVPNed into 
the presence box at the data center. I have a few asterisk boxes but this is 
the first client connection via openvpn.


I think the call quality takes a major hit when the websites get heavy traffic. 
I say this kind because I cannot pinpoint if that is the cause.

The data center has a single Internet connection but with two separate subnets 
(ran out of Ip addresses). This has been setup as WAN and WAN2.
I set up qos on pfsense but not sure if right. The single connection is 
10Mbit... but I set up WAN1 AND WAN2 as 10Mbit... which I assume is wrong. How 
do I set that correctly?

I am also a little lost... since the voice traffic is OpenVPN, how to I make 
certain that it is the highest priority across the board?


Chuck

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] VPN group restrictions

2014-02-14 Thread Chuck Mariotti
OpenVPN allows you to push routes to the client side… not sure if those routes 
can be bypassed (in other words, if it’s just a rule sent to the client only, 
or if the firewall actually enforces that rule as well).
I’m not sure about the grouping component. But you could define each user with 
specific routes.

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of jungleboogie0
Sent: February-13-14 5:55 PM
To: list@lists.pfsense.org
Subject: [pfSense] VPN group restrictions

Hi All,

Curious to know if pfsense supports the ability to setup groups of VPN accounts 
and then set restrictions on the groups.

Example:
groups 1, 2, 3 each with 5 people in the group.

Those in group 1 can access servers a-c
those in group 2 can access servers d-g
etc

I know my explanation and terminology may barely be understandable so please 
let me know if you need further explanation.

Thanks,
jungle



--
---
inum: 883510009902611
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Easy way to Prioritize to a handful of WAN IPs?

2014-02-09 Thread Chuck Mariotti
Configuration of a single datacenter connection, with 2 x WANs defined (two 
separate public IP sets/subnets). Both equally important... just ran out of IPs.

We are experiencing an influx of traffic for a few servers that are starting to 
introduce some problems in some VOIP traffic at times... rather than purchasing 
more bandwidth (did this last previously), I think it's time to actually fix 
the issue at hand.

Simply put, there are a handful of public IP addresses (not ours) at a few VOIP 
providers that I want to have the highest priority over all other traffic 
in/out of the datacenter. What is the easiest way to do this?

In a related question, we have some phones connecting to the datacenter via 
OpenVPN connections. Do we have to worry about prioritizing that traffic as 
well or is OpenVPN traffic higher priority already... this doesn't seem to be a 
problem at the moment, but may as well ask now.

Regards,

Chuck
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Traffic tracking...

2013-06-28 Thread Chuck Mariotti
We host a number of websites at our datacenter and it has gotten to a point 
where we have a few high traffic sites that are doubling traffic every 2 to 3 
months... Part of the agreement for hosting is that the owner would handle any 
additional traffic costs beyond a point... that point has passed I am sure, but 
I am not sure on how to reliably track this traffic.

We have dedicated servers with dedicated IP addresses in most cases.

However, there are a few that share a single IP address but have multiple 
host-names... so www.xyz.com and www.abc.com are on the same IP address.

Is there a way in pfSense that would allow me to report on traffic like this on 
a monthly basis?

Regards,

Chuck Mariotti

13 Seymour Ave.
Toronto, Ontario
M4J 3T3
Office: 416-469-5008 x 222
Fax: 416-469-5009
cmario...@xunity.com
www.xunity.com

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Legit HTTP Requests, lots... IP Spoof? Any way to shut it down?

2013-03-19 Thread Chuck Mariotti
>sounds like the scanning app or browser runs to the end of its life in 
>background on the mobiles
>and the urls getting updated in a regular cycle.
>either triggered by accessing new QR's or by accessing other webpages.

>any time scheme/pattern visible? means: only to specific times and than in a 
>bunch?
>if it's an automated spoofing or something else malware related there will 
>mostly be a 24/7 pattern.
>if ppl. are working only daytime patterns should be visible. this can give you 
>a hint whats going on.

It doesn't appear to be a timeline pattern. We are sitting at about 5500+ urls 
over a 12 hour period.

That was my thought as well on the re-triggering of previous scans, etc... but 
it's too odd that it just started all of the sudden. We should be able to see a 
pattern.

Unrelated, but I recall a number of complaints with Apple's Podcast system, 
which they updated and it resulted in podcasts being downloaded multiple times 
from the podcaster's site (resulting in significant uptick in data usage). It 
almost feels like that. My other concern is that these people are likely 
mobile... if they are hitting a site, over and over again, it's hitting their 
data plan each time.

Chuck
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Legit HTTP Requests, lots... IP Spoof? Any way to shut it down?

2013-03-19 Thread Chuck Mariotti
< It's effectively impossible to blind spoof TCP, so since you're completing 
the TCP session you can be assured the traffic is really coming from where it 
claims to be.
<
< Is it a high rate from a smallish number of IPs, or a low rate from a large 
number? What specifically do the HTTP requests look like?
< Getting full packet captures and examining the REFERER and other parts of the 
HTTP request may at least lead you to an explanation of why it's happening and 
a better understanding of what's happening, at which point you can implement 
mitigation if necessary or feasible.
< This doesn't sound like a deliberate attack, rather that someone did 
something to whatever you're hosting to cause this to happen, which is where 
the REFERER may lead you directly to the answer.


Thanks Chris... I am watching this happening still and we are still slack jawed 
on a resolution... 

The referrer when we capture it from the browser user agent via webserver log 
is blank... this is what we expect usually since the URL is in a print 
publication encoded in a QR Code... What happens is that someone scans the QR 
Code, hits the page (updating the stats) and then is redirected to the final 
content elsewhere on another website. I am unable to see any referrer in 
wireshark packets on that web server, but I am by no means an expert using 
wireshark, it is possible I'm missing them. If correct, this implies that 
someone is either going straight to the URL manually (typing it in) or is 
scanning it in.

I agree with you that it seems like it is something that is not deliberate 
because the IP's are mostly all local, the browser agent is all iPhone with 
varying OS versions and Webkit versions...  (HTTP_USER_AGENT:Mozilla/5.0 
(iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like 
Gecko) Mobile/10B146) (I have lots more info if needed, just can't post 
public), so either it is phone specific OR the browser agents are forged... But 
as you said, impossible(?) to fake the IP address, so unsure why they would 
bother faking agents of the same general type (other than making it harder to 
block, but that was the purpose they should have mixed it up considerably with 
Android, etc...)

An example is that a "user" scans 13 unique codes within a matter of a couple 
of minutes (which is pretty aggressive... time between scans is below 40 
seconds). They seem to switch up the sessionID every ~8 attempts...
I should also point out that these are valid requests (they are not random 
generated URLs or guessing)... they are valid codes. So they are either really 
scanning paper OR they have a valid list of URLs they hit.

My feeling is that it's something wrong with handling the redirects in QR Code 
Scanning process which is somehow locking onto the URLs and hitting them over 
and over again... specifically on iPhone... I have installed a handful of 
scanners but am getting expected results... the developer disagrees that it is 
not deliberate... 

He feels it is a deliberate attack since it started several hours after the 
last website update (which was minor I am told), it is hitting valid codes only 
(with the exception of a deleted code that was used for testing only)... he 
implies that this deleted code would have NEVER been seen by the public or 
appear in print. He feels that the code was likely displayed on an 
administrator's page while creating the QR Codes (displaying a list of all 
encoded URLs) on a compromised machine... the machine then captured these 
URLs from local cache and passed those codes to a central server and it 
instructed bots to start hitting them with traffic...

Any further ideas? I don't mind paying someone to help debug the situation, but 
I think the pfSense commercial support is limited to the firewall specifically, 
not the traffic that passes through it (I assume it would be a combo of pfSense 
captures and IIS Log Analysis).

Chuck


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
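The behaviour Chuck describes above (one address hitting a dozen valid QR-code URLs under 40 seconds apart, the session ID rotating every ~8 requests, all iPhone user agents) can be pulled out of the IIS logs he mentions without touching the firewall. This is an added example, not from the thread; it parses W3C-format IIS lines that are constructed here, and the thresholds (10 distinct codes in 5 minutes, median gap of 40 s) are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import parse_qs

# Assumed thresholds: a "reader" scanning >= 10 distinct codes inside 5 minutes,
# with a median gap under 40 s between scans, is faster than a person with a phone.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_CODES = 10
MAX_MEDIAN_GAP_S = 40


def parse_iis(text):
    """Parse W3C extended log lines; the #Fields directive names the columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        # IIS writes "-" for an empty query; parse_qs simply yields nothing for it.
        row["sid"] = parse_qs(row.get("cs-uri-query", "-")).get("sid", ["-"])[0]
        rows.append(row)
    return rows


def find_bursts(rows, prefix="/qr/"):
    """Per client IP, slide a time window over redirect hits and keep the densest
    run of distinct codes that was scanned faster than the assumed human pace."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["cs-uri-stem"].startswith(prefix):
            by_ip[r["c-ip"]].append(r)
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > WINDOW:
                start += 1
            window = hits[start:end + 1]
            codes = {r["cs-uri-stem"] for r in window}
            if len(codes) < MIN_DISTINCT_CODES:
                continue
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(window, window[1:])]
            med = median(gaps)
            if med <= MAX_MEDIAN_GAP_S and (best is None or len(codes) > best["distinct_codes"]):
                best = {
                    "distinct_codes": len(codes),
                    "median_gap_s": med,
                    "session_ids": len({r["sid"] for r in window}),
                    "user_agents": sorted({r["cs(User-Agent)"] for r in window}),
                    "first": window[0]["ts"],
                    "last": window[-1]["ts"],
                }
        if best:
            findings[ip] = best
    return findings


# --- Constructed sample log (not real traffic) ---------------------------------
IPHONE_UA = ("Mozilla/5.0+(iPhone;+CPU+iPhone+OS+6_1_2+like+Mac+OS+X)"
             "+AppleWebKit/536.26+(KHTML,+like+Gecko)+Mobile/10B146")
_T0 = datetime(2013, 3, 19, 9, 12, 0)


def _line(ts, ip, code, sid, ua):
    return f"{ts:%Y-%m-%d %H:%M:%S} {ip} GET /qr/{code} sid={sid} 302 {ua}"


_lines = ["#Software: Microsoft Internet Information Services 7.5",
          "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)"]
# 13 distinct codes from one address, 25 s apart, session id rotating every 8 requests.
for i in range(13):
    _lines.append(_line(_T0 + timedelta(seconds=25 * i), "203.0.113.10",
                        f"C{i:03d}", 1000 + i // 8, IPHONE_UA))
# A plausible reader: two codes ten minutes apart.
_lines.append(_line(_T0, "203.0.113.20", "C001", 2000, IPHONE_UA))
_lines.append(_line(_T0 + timedelta(minutes=10), "203.0.113.20", "C007", 2000, IPHONE_UA))
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for ip, f in find_bursts(parse_iis(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_codes']} codes from {f['first']:%H:%M:%S} to "
              f"{f['last']:%H:%M:%S}, median gap {f['median_gap_s']:.0f}s, "
              f"{f['session_ids']} session ids, UA: {f['user_agents']}")
```

The flagged addresses and their time span are what you would hand to the developer when deciding whether this is a scanner app misbehaving or a coordinated set of clients.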


[pfSense] Legit HTTP Requests, lots... IP Spoof? Any way to shut it down?

2013-03-18 Thread Chuck Mariotti
We are seeing a lot of http requests to legitimate URLs on our web server... 
the URLs are pages that do auto redirects to other content pages. The redirects 
are collecting site stats and the high number of requests are knocking the 
tracking stats way out of whack compared to the norm. Essentially someone 
is pretending to browse our content, over and over again... throwing our stats 
into a mess.

The problem is that the 'culprit' appears to be from multiple IP addresses, 
mostly in our own city proximity and using slightly different host headers... 
so they are trying hard to look like legitimate traffic...  it is next to 
impossible to differentiate between what is legit and what is fake (the only 
give away is the frequency of the pages visited and that the stats have jumped 
significantly). The IP addresses keep changing as well.

My knowledge of current spoof techniques is limited, but I am under the 
impression that it's pretty hard to spoof an IP address for an http request. We 
are definitely serving up the pages and redirecting, so they are getting 
responses which implies that they are real computers doing this work.

At first look I see no way to stop this type of situation (still trying to 
figure this out).

Does anyone have any advice on how to handle something of this nature either on 
the webserver side or pfSense side? All suggestions are welcome.

Chuck
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] openVPN Bug?

2012-09-11 Thread Chuck Mariotti
>If you use the same certificate on two clients, it will do that.
>Or if you connect two clients to a shared key instance, it will do that.
>
>In the first case, you can check "Duplicate Connections" to allow multiple 
>people to connect from the same certificate, but that is highly discouraged.
>
>Use SSL/TLS and give each client their own certificate and you'll be much 
>better off.

Is there any complete walk-thru tutorial on how to properly set this up? I 
have an office of about 50 sales staff that eventually want to get VPN 
operational... I was looking at OpenVPN... the OpenVPN windows client seems to 
need to run as administrator which isn't an option in our case (maybe I'm 
missing something). I'm looking for the path of least resistance and best way 
to set this up.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] VLAN

2012-08-16 Thread Chuck Mariotti
>-Original Message-
>From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] 
>On Behalf Of Drew Lehman
>Sent: August-14-12 11:50 PM
>To: list@lists.pfsense.org
>Subject: [pfSense] VLAN
>
>I'm trying to do a guest wireless using a VLAN.  I have pfsense 2.01 and a HP 
>switch 2910AL.  I setup the VLAN on my LAN (192.168.10.x) port and have it set 
>to offer DHCP (192.168.11.x).  I thought I was off that
>192.168.11.1 was an offered start address for the DHCP.  I set
>192.168.11.1 as the gateway address for the VLAN.  I setup a VLAN on the 
>switch with the same VLAN number and the WAP has a guest SSID using the same 
>VLAN number.  Did I set this up correctly on the pfsense side?
>___
>List mailing list
>List@lists.pfsense.org
>http://lists.pfsense.org/mailman/listinfo/list

Try setting a wireless client with a manual static IP address to verify if you 
can see the pfSense box and/or get outside... to rule out DHCP alone being 
the issue.


Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12" depth

2012-05-14 Thread Chuck Mariotti
Thanks Vick,

The unit I'm using has two NICs built into the motherboard. One for WAN, One 
for LAN... IPKVM is shared on one of the ports. I've tried swapping the WAN/LAN 
IPKVM mapping, still no luck.

So maybe as you said, if I add physical NIC (3rd), then leave the IPKVM NIC 
free (just hooked up to the network), it would work. I will try to schedule a 
time to try this.

Chuck

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Vick Khera
Sent: May-14-12 9:24 AM
To: pfSense support and discussion
Subject: Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12" depth

On Thu, May 3, 2012 at 4:29 PM, Chuck Mariotti  wrote:
> Specifically... if I VPN into the firewall (PPTP), I can't seem to be able to 
> access the IP-KVM.
> If I remote into a machine behind the firewall... then try to access the IP-KVM 
> from that machine... it works fine.
>
> I posted this issue to the group but I've never been able to solve it. 
> Possibly something dumb I am doing but I haven't figured out what is wrong.

I've never been able to access the KVM IP address (on a Supermicro
motherboard) from the machine on which it is when they are sharing the NIC. If 
it has a dedicated KVM NIC then it is accessible.  But that uses up a switch 
port, so I don't do that.


Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12" depth

2012-05-03 Thread Chuck Mariotti
I have used one of these (Supermicro SYS-5015A-EHF-D525); the only issue I have 
run into with the one I have is that the IP KVM for some reason isn't working as 
expected.

Specifically... if I VPN into the firewall (PPTP), I can't seem to be able to 
access the IP-KVM.
If I remote into a machine behind the firewall... then try to access the IP-KVM 
from that machine... it works fine.

I posted this issue to the group but I've never been able to solve it. Possibly 
something dumb I am doing but I haven't figured out what is wrong.

Chuck

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Daniel Lloyd
Sent: May-02-12 7:37 PM
To: pfSense support and discussion
Subject: Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12" depth

I have 2x 
http://www.supermicro.com/products/system/1U/5015/SYS-5015A-EHF-D525.cfm.
Should fit your depth limitation, I have yet to hit performance problems with 
it and know that others on the list use this system as well.

On Wed, May 2, 2012 at 4:08 PM, Ugo Bellavance  wrote:
> Hi,
>
> I'm looking for hardware to replace an ASA unit that only allows 5 
> concurrent VPN connections for road warriors with a pfSense unit.  
> However, I need to have a proxy on the server to have reports or logs 
> on who does what on the internet, so I need a hard drive.  Also, the 
> physical space that I have for this unit is 1U and about 12" of depth.
>
> I thought about Soekris units, but does anyone else have another idea?  The 
> other needs are quite simple: not that many internal users, no other VPN 
> tunnels.
>
> Thanks,
>
> Ugo
>


Re: [pfSense] Any suggestions on how filter in pfSense for SQL Injections?

2011-12-06 Thread Chuck Mariotti
Thanks Seth,

Yep, validation is the key in this case. Knock on wood, we should be good. We 
are also filtering with URLScan on the web servers to stop this attack, 
but it would be nice to be able to quickly blanket the network, if that's an 
option, should something similar (copycats) arise in the future.

Regards,

Chuck


From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Seth Mos
Sent: December-07-11 1:42 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Any suggestions on how filter in pfSense for SQL 
Injections?

Hi,

On 7 Dec 2011, at 00:26, Chuck Mariotti wrote:

> At our datacenter we managed to not get hit. However, I guess I would like to ask 
> for suggestions on how to stop this type of attack at the pfSense firewall and 
> what/how to implement something that would allow us to manage such attacks.

There is no magic button that filters out SQL injection attacks; without it, 
tools like phpMyAdmin would also instantly fail to work. These send SQL queries 
via the web too, in plain text, since that's what they're supposed to do.

This is an application issue where people forgot, or just never considered, input 
validation.

The Snort approach is not guaranteed to prevent this, since people can be very 
crafty. It's hard to get right. Just make sure that your web apps are kept up to 
date. Ask your vendors about SQL injection attacks, demand this in writing 
with penalties attached, and install the next update they release shortly afterwards.

And if you have a datacenter, you had better have a really good box to make 
sure that none of your HTTP traffic takes a hit from being processed through 
Snort.

Some other IDSes note the event, then block, which can still leave you with a 
broken database if they succeed on the first shot. It also just blocks an IP, 
which is easily circumventable.

One can wish for the world.

Regards,
Seth
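To make Seth's point concrete, here is an added example (not from the thread, from pfSense or from any of the products named) in Python against an in-memory SQLite database with constructed rows: the same lookup written by string concatenation and as a parameterized query, plus the allow-list input check the application should apply before the query ever runs. The `users` table, its columns and the sample rows are assumptions made for the illustration.

```python
"""String-built query beside its parameterized replacement (added example).

Not code from the thread or from pfSense. Uses Python's bundled sqlite3 with
constructed sample rows, so it runs offline. The point matches the reply above:
the firewall cannot tell a legitimate query-carrying request from a hostile
one, but the application can refuse to let input become part of the SQL text.
"""
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the input into the SQL text, so the input can change the query's
    shape. This is the pattern the mass injections abused; kept here only as the
    'before' side of the comparison."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the driver passes the value separately from the query text,
    so whatever the input contains it is only ever compared as a string."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username):
    """Allow-list validation, applied before any query: letters, digits and
    underscore, 1 to 32 characters. Anything else is rejected outright."""
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()


if __name__ == "__main__":
    conn = make_db()
    normal = "bob"
    hostile = "bob' OR '1'='1"  # constructed input that closes the quote and widens the WHERE clause
    print("vulnerable, normal input :", lookup_vulnerable(conn, normal))
    print("vulnerable, hostile input:", lookup_vulnerable(conn, hostile))  # every row leaks
    print("safe, hostile input      :", lookup_safe(conn, hostile))        # no such user
    print("validation accepts hostile input?", is_valid_username(hostile))
```

The two defences are complementary: the allow-list check stops malformed input at the edge of the application, and the parameterized query makes the lookup correct even for fields where a strict allow-list is not possible (free-text comments, names with apostrophes). Neither depends on the firewall recognising the attack, which is why a Snort rule can only ever be a supplement.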



[pfSense] Any suggestions on how filter in pfSense for SQL Injections?

2011-12-06 Thread Chuck Mariotti
I have some clients that have been hit twice with the recent SQL injections that 
seem to be ramping up.
See:
http://www.scmagazineus.com/new-mass-sql-injection-attack-could-be-forming/article/218069/
http://news.hitb.org/content/new-mass-sql-injection-attack-could-be-forming


At our datacenter we managed to not get hit. However, I guess I would like to ask 
for suggestions on how to stop this type of attack at the pfSense firewall and 
what/how to implement something that would allow us to manage such attacks.


Regards,

Chuck M




[pfSense] Q: pfSense 2.0 SMTP problems / relay and how to report utilization per desktop

2011-11-14 Thread Chuck Mariotti
After converting a network of computers to use a fairly popular 3rd party email 
service (not my decision unfortunately), users are experiencing very odd issues 
with email (POP and SMTP based). The 3rd party says we should try different 
ports, increase timeouts, etc...  and they sometimes take days to admit they 
themselves have an issue (after we have jumped through their hoops).

One of the issues is email taking a while to be sent out of the network to the 
3rd party SMTP servers... in many cases, items sit in Outlook... with 
recipients complaining that they received multiple copies of the same email.

Anyone have any advice on how to solve this problem?

My thoughts are:

1. Is there an SMTP server that can run on pfSense 2.0? I would like to 
be able to monitor the queue, etc... My hope is that the client computers 
would stop failing/timing out/making multiple deliveries and that pfSense would just 
act as the active sending SMTP server. But I need to be able to manage it 
easily. Does anything exist?

2. How can I monitor, in real time and after the fact on specific 
dates/times, which of the end-user desktop computers is using the most 
traffic? Basically, I want to see if someone is downloading a large file, 
sending a huge attachment, streaming music, etc...

I do not have traffic shaping enabled... the reasoning is that the connection 
has bursting and the burst speeds seem unpredictable, so I would prefer 
not to limit the connection just to throttle it (unless of course I'm not thinking 
this through correctly).

Any advice or suggestions?


Regards,

Chuck



Re: [pfSense] OpenVPN road warrior how to for 2.0

2011-10-04 Thread Chuck Mariotti
It's not a "how to" but a quick video of setting it up. Not sure if it's "the 
right way" to do it, but it worked for me.
http://www.youtube.com/watch?v=odjviG-KDq8

Now if only I could find out how to set up OpenVPN via pfSense to work with Snom 
phones.

Chuck

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Nenhum_de_Nos
Sent: October-04-11 12:15 AM
To: list@lists.pfsense.org
Subject: [pfSense] OpenVPN road warrior how to for 2.0

hail,

is there any?

I looked for it, but nothing :(

for 1.2.3 it works great, but I always get a cert problem in 2.0 :(

if anyone knows any ;)

matheus

-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style