Re: [pfSense] SSH Bruteforce

2017-12-20 Thread Daniel
I mean not on the pfsense itself.

I mean my network behind my pfsense which is not connected via NAT


On 20.12.17, 13:27, "List on behalf of Maikel van Leeuwen" 
<list-boun...@lists.pfsense.org on behalf of maikel.van.leeu...@sentia.com> wrote:


https://www.reddit.com/r/PFSENSE/comments/2xguy2/fail2ban_like_package/?st=jbf195y7=d11a08b6



*Maikel van Leeuwen*
Continuity Engineer
E-mail: maikel.van.leeu...@sentia.com <mailto:maikel.van.leeu...@sentia.com>
Tel.: +31 (0)88 4242 206
Preferred communication by e-mail

*Sentia* / Einsteinbaan 4 - 3439 NJ Nieuwegein / MediArena 7 - 1114 BC 
Amsterdam / Nederland
*https://www.sentia.nl*


On 12/20/2017 01:25 PM, WebDawg wrote:
> Also make sure to use private key and public key
>
> On Dec 20, 2017 5:53 AM, "Daniel" <dan...@linux-nerd.de> wrote:
>
>> Hi there,
>>
>> Does anyone know how to prevent SSH brute-force attacks in my network?
>>
>> I wanted to have a firewall which counts SSH connections from the same IP
>> and, when it reaches the defined limit, the IP will be blocked.
>>
>> I know I can change the SSH port, but I also want to know if there is an
>> option to limit this kind of attack.
>>
>> Cheers
>>
>> Daniel
>>
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>>


[pfSense] SSH Bruteforce

2017-12-20 Thread Daniel
Hi there,

Does anyone know how to prevent SSH brute-force attacks in my network?

I wanted to have a firewall which counts SSH connections from the same IP and, 
when it reaches the defined limit, the IP will be blocked.

I know I can change the SSH port, but I also want to know if there is an option 
to limit this kind of attack.

Cheers

Daniel
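
Added example, not part of the original post or of pfSense: a Python model of the behaviour asked for above, counting new SSH connections per source and blocking the source once it exceeds a limit within a time window. pf, the packet filter under pfSense, provides this natively through the `max-src-conn-rate` and `overload` state options. The class name, thresholds, the per-/64 grouping of IPv6 sources and the constructed events are assumptions of this example.

```python
"""Per-source SSH connection-rate limiting, modelled in Python (added example)."""
import ipaddress
from collections import defaultdict, deque

SSH_PORT = 22


def source_key(addr):
    """Track IPv4 hosts individually and IPv6 sources per /64 prefix.

    A single IPv6 customer usually controls a whole /64, so counting per
    address would let one source spread its attempts over many addresses.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


class SshRateLimiter:
    """Block a source that opens more than `limit` connections in `window` seconds."""

    def __init__(self, limit=5, window=60, block_for=3600):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)  # source -> timestamps of new connections
        self.blocked_until = {}           # source -> time at which the block expires

    def observe(self, ts, src, dport):
        """Return 'pass', 'overload' (limit just exceeded) or 'block' (already listed)."""
        if dport != SSH_PORT:
            return "pass"
        key = source_key(src)
        expiry = self.blocked_until.get(key)
        if expiry is not None:
            if ts < expiry:
                return "block"
            del self.blocked_until[key]   # block has expired, start counting again
        times = self.recent[key]
        while times and ts - times[0] >= self.window:
            times.popleft()               # forget connections outside the window
        times.append(ts)
        if len(times) > self.limit:
            self.blocked_until[key] = ts + self.block_for
            times.clear()
            return "overload"
        return "pass"


def replay(events, **settings):
    """Feed (timestamp, source, destination port) events through a fresh limiter."""
    limiter = SshRateLimiter(**settings)
    return [(ts, src, limiter.observe(ts, src, dport))
            for ts, src, dport in sorted(events)]


# Constructed events (documentation address ranges), timestamps in seconds.
EVENTS = (
    [(t, "203.0.113.7", 22) for t in range(0, 35, 5)]           # 7 attempts in 30 s
    + [(t, "198.51.100.20", 22) for t in (0, 100, 200)]         # occasional admin logins
    + [(i, f"2001:db8:1:2::{i:x}", 22) for i in range(1, 7)]    # 6 hosts in one /64
    + [(12, "203.0.113.7", 443)]                                # not SSH, never counted
    + [(3700, "203.0.113.7", 22)]                               # after the block expired
)

if __name__ == "__main__":
    for ts, src, verdict in replay(EVENTS, limit=5, window=60, block_for=3600):
        if verdict != "pass":
            print(f"t={ts:>4}s {src:<18} {verdict}")
```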



[pfSense] FRR and IPv6 Bug

2017-12-17 Thread Daniel
Hi there,

it seems I found a bug when using FRR with IPv6.

I enabled and configured an IPv6 BGP peer but it seems that the GUI makes a wrong 
IPv6 BGP peering config.

In sh ip bgp sum I can see that IPv6 peers are configured but in sh ipv6 bgp 
sum (where it has to be) is shown: No IPv6 Unicast neighbor is configured

This happened because the FRR config puts all IPv6 related stuff in the IPv4 
stack configuration.

Is there any way to do it correctly with the GUI or should I use raw config 
instead?

Cheers

Daniel



[pfSense] haproxy Update

2017-12-04 Thread Daniel
Hi there,

I updated HAProxy from version 1.7.9 to 1.8 via GUI.

After the upgrade haproxy seems not to be redirecting anymore.

Are there known issues with upgrading to version 1.8?

Cheers

Daniel



[pfSense] FRR restart prevention

2017-11-30 Thread Daniel
Hi there,

does anyone know how to prevent FRR from restarting every time the config has changed?

Problems can be dampening, for example, or network unreachability.

Just as an idea, use only something like this:

vtysh -e "sh ip bgp sum"

vtysh -e "clear ip bgp *"

And so on.

In this case you can also configure the BGP/OSPF daemon without any hard 
restarts being needed. It’s just a hint to make it better.

Cheers

Daniel


[pfSense] FRR restart prevention

2017-11-30 Thread Daniel
Hi there,

is there any way to prevent the whole restart of FRR when the config has changed?

The problem is that during a restart the connectivity gets lost, and when you do this a 
couple of times it could be that your network is flapping and maybe some 
providers use damping.

Cheers

Daniel



[pfSense] Monitor BGP Sessions

2017-11-29 Thread Daniel
Hi there,

I run FRR on my pfSense boxes and I wanted to monitor all my BGP sessions. As I 
see it there are a lot of tools for SNMP, but it seems I need to get some MIBs which I 
need to download.

Is there any way to load a large list of all MIBs to pfSense?

Cheers

Daniel



Re: [pfSense] BGP and NAT

2017-11-29 Thread Daniel
Hi,

The problem was found by myself.
I just added the Outbound NAT rules to all interfaces which are doing BGP.


On 29.11.17, 13:48, "List on behalf of Daniel" 
<list-boun...@lists.pfsense.org on behalf of dan...@linux-nerd.de> wrote:

Hi there,

I have a small problem. Actually I am migrating to BGP upstreams.

How does it work with NAT rules?

Before, when it was static, all was fine:

Interface: WAN
Protocol: ANY
Source Network: 10.10.5.0/24
DEST: Any

Translation Address: IP-Address (some public IP from another Interface name)

When I start BGP, all public IPs are working, but all NAT IPs are not able to 
reach the Internet anymore.

I think I need to change the NAT rules, but which interface do I need to change 
it to?

Only WAN is not correct because it can come from 2 different upstreams. 
Maybe I have to choose the public interface where all my public networks are 
located?

Cheers

Daniel



[pfSense] BGP and NAT

2017-11-29 Thread Daniel
Hi there,

I have a small problem. Actually I am migrating to BGP upstreams.

How does it work with NAT rules?

Before, when it was static, all was fine:

Interface: WAN
Protocol: ANY
Source Network: 10.10.5.0/24
DEST: Any

Translation Address: IP-Address (some public IP from another Interface name)

When I start BGP, all public IPs are working, but all NAT IPs are not able to reach 
the Internet anymore.

I think I need to change the NAT rules, but which interface do I need to change it 
to?

Only WAN is not correct because it can come from 2 different upstreams. Maybe I 
have to choose the public interface where all my public networks are located?

Cheers

Daniel


Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-26 Thread Daniel
I updated 3 firewalls, all without any problems.



On 26.11.17, 13:04, "List on behalf of Eero Volotinen" wrote:

just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
known issues?

it's not so complex setup, but running as our hq main firewall. so, some
ipsec and openvpn connections are running against it.



Eero


Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Daniel
You also need to enable it in the settings: tick the IPv6 box.

On 21.11.17, 19:38, "List on behalf of Steve Yates" wrote:

Starting at the top level, do you have a firewall rule allowing ICMP for 
IPv6?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero 
Volotinen
Sent: Monday, November 20, 2017 1:01 PM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] pfsense ipv6 not working

Hi List,

Running ipv6 with dhcpv6 from isp and it works on my laptop without pfsense,
but on pfsense shell, I cannot even ping other network addresses than gw:

ping6 fe80::208:20ff:fe4e:1c1b
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms

and when trying to ping google:

ping6 2a00:1450:4001:820::200e
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
^C
--- 2a00:1450:4001:820::200e ping6 statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss

Wan configuration is using DHCPv6

--
Eero


Re: [pfSense] quagga/bgp

2017-11-19 Thread Daniel
In this case, FRR has a text box.
I will configure FRR via CLI and post the config later to the GUI in the text 
box. This is how I will do this.
I tried it via GUI but this is weird to configure and a lot of “clicking” (

Cheers

Daniel


On 19.11.17, 05:34, "List on behalf of WebDawg" 
<list-boun...@lists.pfsense.org on behalf of webd...@gmail.com> wrote:

That is one of the things I wish they would add, a configuration
interface that has all the pfsense txt for each config file so you can
mod it manually if needed.

On Fri, Nov 17, 2017 at 9:05 AM, Daniel <dan...@linux-nerd.de> wrote:
> Ahhh that sounds cool.
> But I don't want to configure FRR via web interface. I want to do it via CLI.
> Should this also be possible?
>
> Cheers
>
> Daniel
>
> On 17.11.17, 15:58, "Jim Pingle" <li...@pingle.org> wrote:
>
> On 11/17/2017 08:29 AM, Daniel wrote:
> > I don’t want to use openBGPd and I also don’t want to use FRR
> > because I am completely new in FRR.
>
> If you know quagga, you know FRR. FRR is a fork of quagga and they work
> nearly the same. Most people probably won't know the difference, except
> that FRR will probably work better.
>
> Jim P.
>

[pfSense] quagga/bgp

2017-11-17 Thread Daniel
Here this,

is anyone using quagga with bgpd as a self-installed package on pfsense?

I don’t want to use openBGPd and I also don’t want to use FRR because I am 
completely new to FRR.

My idea is to use quagga with the bgpd daemon on pfsense.

Are there any problems?

Cheers

Daniel


[pfSense] IPv6 nat

2017-11-16 Thread Daniel
Hi there,

I added a private IPv6 LAN on my pfsense which has to do NAT like on IPv4.

But it seems that NAT with IPv6 is not possible. Is there any way or is it not 
possible to NAT IPv6 connections?

root@web1:~# traceroute6 heise.de
traceroute to heise.de (2a02:2e0:3fe:1001:302::), 30 hops max, 80 byte packets
 1  fd12:38ce:2472:a35e::3 (fd12:38ce:2472:a35e::3)  0.071 ms  0.098 ms  0.087 ms
 2  * * *
 3  * * *

I am not interested in using public IPv6 addresses in my LAN

Cheers

Daniel



[pfSense] Packetloss

2017-11-16 Thread Daniel
Hi there,

as some of you guys know I had a lot of packet loss. It is/was because the WAN 
interface runs full of traffic.

Normal behaviour is that no packets get dropped. They get queued, as I understand, 
and the ping RTT increases extremely.

It seems I need to increase the TCP buffer size.

Is there any way in pfSense to increase the buffer size?

Cheers

Daniel



[pfSense] CARP Interface does not sync

2017-10-30 Thread Daniel
Hi there,

I run 2 pfSense boxes which are connected directly on the Sync interface.

Pf1 version is 2.4.1 and pf2 version is 2.4.0

I have now created CARP interfaces which are not synced to pf1 automatically. I get 
some XML errors (Syntax Error in XML)

Is there any way to start the sync process manually to check logs or so?

Cheers

Daniel



Re: [pfSense] Strange packetloss

2017-10-21 Thread Daniel
Yes, both machines are completely the same.
I disabled actually everything. Packet loss starts when traffic (20-30mbit) 
passes the interface.

I am pretty sure there is something misconfigured on the pfSense side.



On 21.10.17, 00:09, "list-boun...@lists.pfsense.org on behalf of 
mad.scientist.at.la...@tutanota.com" <list-boun...@lists.pfsense.org on behalf 
of mad.scientist.at.la...@tutanota.com> wrote:

are the 2 machines you have setup to firewall identical machines with 
identical ethernet interfaces set up the same way (i.e. offloading some packet 
processing to the card on one machine but not the other?  Could it be that one 
machine just can't keep up.  I assume you've reinstalled pfsense on the problem 
machine?  Is the slow machine clean?  as i'm sure you know many machines will 
reduce the clock speed if the cpu is getting too hot, the slow machine may just 
need a good cleaning.

mad.scientist.at.large (a good madscientist)
--
I find it ironic that at a time when Americans are concerned about violence 
and  Bullying in schools  and elsewhere that we would elect a Grand Poohbah 
who's a violent bully and hates everyone, including himself, as demonstrated by 
speech and action.  I've known 2 year olds that behaved more appropriately.  
Besides, there can be no rule of law when those in charge are contemptuous of 
the whole frame work on which our country is based .


20. Oct 2017 10:00 by dan...@linux-nerd.de:


> Hi Everyone,
>
> Actually I have an any/any rule applied on all my interfaces. This I did
> actually only for debugging issues.
>
> But I can see that packets still get blocked:
>
> Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64553,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64554,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,55,37998,0,DF,6,tcp,52,109.44.1.50,212.168.31.112,34675,443,0,FA,1545664688,2414488008,40,,nop;nop;TS
> Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64555,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:36 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64556,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:38 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64557,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:42 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64558,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
> Why? Normally all traffic can pass the interfaces.
>
> The main problem is that I have 1% packet loss when it passes the Internet
> connection to my upstream. I have a second firewall configured identically and
> here is no packet loss.
>
> I changed all cables and so… I am absolutely without any clue what can
> cause such a problem.
>
> Could it be a problem that I have several different networks applied on
> one interface without VLANs?
>
> I really don’t know what I can do. This issue is very hard and all things
> I already tested do not help to fix the issue.
>
> Kernel messages and logs also look OK to me.
>
> Maybe someone can help me out and give me some ideas
>
> Cheers
>
> Daniel
>

Re: [pfSense] Strange packetloss

2017-10-20 Thread Daniel
Nope it is not active on any interface.


On 20.10.17, 18:39, "List on behalf of Ivo Tonev" 
<list-boun...@lists.pfsense.org on behalf of i...@tonev.pro.br> wrote:

On each interface you have "Block bogon networks".

Is that option active ?

On Fri, Oct 20, 2017 at 2:00 PM, Daniel <dan...@linux-nerd.de> wrote:

> Hi Everyone,
>
> Actually I have an any/any rule applied on all my interfaces. This I did
> actually only for debugging issues.
>
> But I can see that packets still get blocked:
>
> Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64553,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64554,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,55,37998,0,DF,6,tcp,52,109.44.1.50,212.168.31.112,34675,443,0,FA,1545664688,2414488008,40,,nop;nop;TS
> Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64555,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:36 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64556,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:38 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64557,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
> Oct 20 17:48:42 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64558,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
>
> Why? Normally all traffic can pass the interfaces.
>
> The main problem is that I have 1% packet loss when it passes the Internet
> connection to my upstream. I have a second firewall configured identically
> and here is no packet loss.
>
> I changed all cables and so… I am absolutely without any clue what can
> cause such a problem.
>
> Could it be a problem that I have several different networks applied on one
> interface without VLANs?
>
> I really don’t know what I can do. This issue is very hard and all things I
> already tested do not help to fix the issue.
>
> Kernel messages and logs also look OK to me.
>
> Maybe someone can help me out and give me some ideas
>
> Cheers
>
> Daniel
>




-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br

[pfSense] Strange packetloss

2017-10-20 Thread Daniel
Hi Everyone,

Actually I have an any/any rule applied on all my interfaces. This I did 
actually only for debugging issues.

But I can see that packets still get blocked:

Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64553,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64554,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,55,37998,0,DF,6,tcp,52,109.44.1.50,212.168.31.112,34675,443,0,FA,1545664688,2414488008,40,,nop;nop;TS
Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64555,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
Oct 20 17:48:36 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64556,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
Oct 20 17:48:38 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64557,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS
Oct 20 17:48:42 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64558,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS

Why? Normally all traffic can pass the interfaces.

The main problem is that I have 1% packet loss when it passes the Internet connection 
to my upstream. I have a second firewall configured identically and here is no 
packet loss.

I changed all cables and so… I am absolutely without any clue what can cause 
such a problem.

Could it be a problem that I have several different networks applied on one 
interface without VLANs?

I really don’t know what I can do. This issue is very hard and all things I 
already tested do not help to fix the issue.

Kernel messages and logs also look OK to me.

Maybe someone can help me out and give me some ideas

Cheers

Daniel
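
Added example, not part of the original post: a Python decoder for the filterlog lines quoted above, following pfSense's raw filter log field order for IPv4/TCP, which shows that the blocked packets are repeated FIN+ACK segments rather than connection attempts. The field names are labels chosen here, and the sample lines are the ones from the post, rejoined onto single lines.

```python
"""Decode pfSense filterlog entries for IPv4/TCP (added example)."""
import re
from collections import Counter

# Field order of the raw filter log for IPv4 + TCP; names are labels chosen here.
COMMON = ["rule", "sub_rule", "anchor", "tracker", "iface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ip_flags",
        "proto_id", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "data_len", "tcp_flags", "seq",
       "ack", "window", "urg", "tcp_options"]
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "W": "CWR"}
PREFIX = re.compile(r"filterlog(?:\[\d+\])?: ")

# The seven lines quoted in the post, rejoined onto single lines.
SAMPLE = [
    "Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64553,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    "Oct 20 17:48:34 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64554,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    "Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,55,37998,0,DF,6,tcp,52,109.44.1.50,212.168.31.112,34675,443,0,FA,1545664688,2414488008,40,,nop;nop;TS",
    "Oct 20 17:48:35 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64555,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    "Oct 20 17:48:36 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64556,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    "Oct 20 17:48:38 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64557,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
    "Oct 20 17:48:42 gw02 filterlog: 5,,,100103,igb0,match,block,in,4,0x0,,56,64558,0,DF,6,tcp,52,93.220.211.99,212.168.31.112,52498,80,0,FA,3467799626,3453635053,347,,nop;nop;TS",
]


def parse_filterlog(line):
    """Return a dict for an IPv4/TCP filterlog entry, or None for anything else."""
    match = PREFIX.search(line)
    if not match:
        return None
    fields = line[match.end():].strip().split(",")
    names = COMMON + IPV4 + TCP
    if len(fields) < len(names):
        return None                      # UDP, ICMP or truncated entry
    rec = dict(zip(names, fields))
    if rec["ip_version"] != "4" or rec["proto"] != "tcp":
        return None
    rec["flag_names"] = [FLAG_NAMES.get(c, c) for c in rec["tcp_flags"]]
    # pf creates state for a pass rule on the opening SYN (default "flags S/SA");
    # every other segment has to match a state that already exists.
    rec["opens_connection"] = "S" in rec["tcp_flags"] and "A" not in rec["tcp_flags"]
    return rec


def summarise_blocks(lines):
    """Count blocked TCP segments per (flow, flags, sequence number, opens_connection).

    The same flow, flags and sequence number seen several times is one segment
    being retransmitted by the sender.
    """
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue
        flow = f'{rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]}'
        key = (flow, "+".join(rec["flag_names"]), rec["seq"], rec["opens_connection"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (flow, flags, seq, opens), n in summarise_blocks(SAMPLE).items():
        kind = "connection attempt" if opens else "segment without matching state"
        print(f"{n}x {flow} [{flags}] seq={seq}: {kind}")
```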


Re: [pfSense] ICMP Rate Limit

2017-10-17 Thread Daniel
Hi,

not sure. The problem is: I have packet loss in my network and we started to change 
everything.
Cabling, switches and so on. The one thing we didn’t change was the 
firewalls.

So I installed Smokeping on a server which is behind the firewall. I configured it 
to monitor the WAN and LAN interfaces with ICMP and here I see some loss.
All other internal hosts have no loss, just both firewalls. Traffic which is 
routed through the firewall is just a few Mbits – so not overloaded or so.

I think, or my opinion is, that pfSense has some ICMP limitations which show me 
loss, but this is just a case of some limitations.
But more funny is – I see the same loss on both firewalls.


On 17.10.17, 14:25, "List on behalf of ibrahim uçar" 
<list-boun...@lists.pfsense.org on behalf of ucribra...@gmail.com> wrote:

Hi Daniel,

I hope that I did understand you :). You should go to System > Advanced >
Firewall & NAT > at the bottom of this tab, you will see state timeouts.
There is ICMP timeout. If it's not that you're talking about, let me know.




--

*İbrahim UÇAR*

Blogger |  https://lifeoverlinux.com <http://lifeoverlinux.com>

On Tue, Oct 17, 2017 at 3:22 PM, Daniel <dan...@linux-nerd.de> wrote:

> Hi there again,
>
>
>
> just wanted to know if pfSense has per default any ICMP rate Limitations
> installed?
>
> Problem is I see some small loss in WAN/LAN interface but actually I have
> a any/any rules.
>
> I see this on both firewalls I have installed.
>
>
>
> Cheers
>
>
>
> Daniel
>
>
>

[pfSense] Clear interface stats

2017-10-13 Thread Daniel
Hi there,

is there any way to clear the interface counters?

I had same errors on my LAG interface (in/out 0/10283), something like this.

I just wanted to clear the counters so that it is 0/0 again.

I read something about netstat -iz?

Cheers

Daniel


[pfSense] pfSense virtualisation

2017-10-10 Thread Daniel
Hi there,

I am thinking about removing my 2 hardware firewalls and virtualizing them with KVM on 
different host servers.

Does anyone have experience with that, and does it make sense to be more flexible?

Or do you think I am absolutely crazy? Or maybe just one hardware and one 
virtual?

Cheers

Daniel



Re: [pfSense] Interface Errors

2017-10-10 Thread Daniel
One other question regarding LAG:

None
This protocol is intended to do nothing: it disables any traffic without 
disabling the lagg interface itself.

This means it will not allow any traffic. So in clear: Interface is not 
reachable anymore?

Cheers

Daniel 




[pfSense] Interface Errors

2017-10-10 Thread Daniel
Hi there,

I have a LAG interface which has actually only one NIC included.

I was looking at the interface stats and I see a lot of errors:

In/Out Error: 0/131935

Is there any way to debug these errors and reset the counters?

Cheers

Daniel



Re: [pfSense] bandwithd

2017-09-01 Thread Daniel
After rebooting the firewall it should work.
Don't know why ;)


-- 
Regards
 
Daniel

On 31.08.17, 22:47, "List on behalf of Steve Yates" 
<list-boun...@lists.pfsense.org on behalf of st...@teamits.com> wrote:

For what it's worth we installed this package yesterday and had no issues.  
All we did was Enable BandwidthD, and set "Subnet(s) for Statistics Collection" 
to LAN.

I noticed the package installation does have a warning at the end that no 
one is maintaining bandwidthd (the FreeBSD package, I think) anymore.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Tuesday, August 22, 2017 5:15 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] bandwithd

Hi there,

I installed BandwidthD through the Package Manager. After setting up BandwidthD I 
got an error when I try to access BandwidthD:

Fatal error: Call to undefined function read_package_configurationfile() in 
/usr/local/www/guiconfig.inc on line 1053 Call Stack: 0. 226984 1. {main}() 
/usr/local/www/diag_bandwidthd.php:0 0.0243 3592344 2. add_package_tabs() 
/usr/local/www/diag_bandwidthd.php:29 PHP ERROR: Type: 1, File: 
/usr/local/www/guiconfig.inc, Line: 1053, Message: Call to undefined function 
read_package_configurationfile()

Is there any known issue? I am looking for an issue to Count traffic for 
each IP.

--
Regards

Daniel

[pfSense] bandwithd

2017-08-22 Thread Daniel
Hi there,

I installed BandwidthD through the Package Manager. After setting up BandwidthD I got 
an error when I try to access BandwidthD:

Fatal error: Call to undefined function read_package_configurationfile() in 
/usr/local/www/guiconfig.inc on line 1053 Call Stack: 0. 226984 1. {main}() 
/usr/local/www/diag_bandwidthd.php:0 0.0243 3592344 2. add_package_tabs() 
/usr/local/www/diag_bandwidthd.php:29 PHP ERROR: Type: 1, File: 
/usr/local/www/guiconfig.inc, Line: 1053, Message: Call to undefined function 
read_package_configurationfile()

Is there any known issue? I am looking for an issue to Count traffic for each 
IP.

--
Regards

Daniel

Re: [pfSense] massive CARP Failover

2017-06-08 Thread Daniel
https://www.dropbox.com/s/pq953p0wbsfseu7/Screenshot%202017-06-08%2011.19.07.png?dl=0

Yes I am sure ;)


-- 
Regards
 
Daniel

On 08.06.17, 01:12, "List on behalf of Espen Johansen" 
<list-boun...@lists.pfsense.org on behalf of pfse...@gmail.com> wrote:

Are you sure you disabled IGMP completely?

On Wed, Jun 7, 2017, 16:44 Mark Wiater <mark.wia...@greybeam.com> wrote:

>
>
> On 6/7/2017 10:10 AM, Daniel wrote:
> > Hi,
> >
> > the Sync interface is connected directly without a Switch.
> > But Carp is running WAN/LAB for example.
>
> Let's go back to your original email, this behavior can be duplicated
> with different software, it's not a pfSense issue. Is that right? Both
> Sophos UTM and something on Linux both exhibit something similar?
>
> CARP sends broadcast traffic to 224.0.0.18. The device that you
> configured as the primary will send a packet every second by default,
> for each carp ip address, on the relevant interface.
>
> If the secondary does not receive these packets, it starts sending its
> own, with a higher priority and assumes ownership of the CARP addresses.
>
> When the primary device is again available, it starts sending higher
> priority CARP packets. The secondary receives those, stops sending its
> CARP packets and reverts to a backup role, because it knows that the
> primary is back up and functional.
>
> All that said, if your devices keep flipping back and forth, I'd guess
> that you don't see these carp packets at the backup device.
>
> tcpdump -ni wan|lan CARP
>
> on the backup device will tell a lot.
>
> Any chance you've got the wan and lan of the primary firewall going to
> the opposite switches as the secondary?
>

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Daniel
Hi,

the Sync interface is connected directly without a switch.
But CARP is running WAN/LAB for example.


-- 
Regards
 
Daniel

On 07.06.17, 16:04, "List on behalf of Espen Johansen" 
<list-boun...@lists.pfsense.org on behalf of pfse...@gmail.com> wrote:

I assume you did a pfsync (HA) interface on each firewall? If so did you
connect this directly without going thru the switch? A direct connection is
preferred for the sync interface. Also make sure that if you do direct
connection then use a 6ft cable first to connect them. Some interfaces have
issues if the cable is too short.

Ivo Tonev: When you build redundant firewalls you also want redundant
switches. This is the normal approach.


On Wed, Jun 7, 2017, 15:52 Ivo Tonev <i...@tonev.pro.br> wrote:

> Can you send a network diagram? Why 2 switches? How are they connected?
>
> Is there any feature like Cisco's ARP inspection?
>
> On 7 Jun 2017 10:45, "Daniel" <dan...@linux-nerd.de> wrote:
>
> > Both are Physical.
> >
> > --
> > Regards
> >
> > Daniel
> >
> > On 07.06.17, 14:34, "List on behalf of Ivo Tonev" <
> > list-boun...@lists.pfsense.org on behalf of i...@tonev.pro.br> wrote:
> >
> > Firewalls are virtual or physical servers?
> >
> > On Wed, Jun 7, 2017 at 9:12 AM, Daniel <dan...@linux-nerd.de> wrote:
> >
> > > Hi,
> > >
> > > Firewall on the Switch is the latest installed.
> > > The Switch is just simple installed. No VLANS actually just IGMP disabled.
> > > Carp has for sure 3 IPs. 2 Dedicated for each Server and one CARP (Virtual
> > > Failover per Subnet)
> > >
> > > --
> > > Regards
> > >
> > > Daniel
> > >
> > > On 06.06.17, 00:04, "List on behalf of Ugo Bellavance" <
> > > list-boun...@lists.pfsense.org on behalf of u...@lubik.ca> wrote:
> > >
> > > On 2017-06-02 08:13 AM, Daniel wrote:
> > > > Hi there,
> > > >
> > > > I run 2 pfSense Firewalls. I tried to use CARP but it will turn over
> > > > every 1-2-3 hours.
> > > > Sometimes it is so fast the pf1 is master and pf2 has the routes. In
> > > > this case I need to reboot both Servers.
> > > >
> > > > After I tried a lot I didn't find any solutions. I took a different
> > > > brand (Sophos UTM) and here is the same behavior.
> > > > So I think this could be a network problem.
> > > >
> > > > Are there any important things which must be enabled or disabled in
> > > > the Switch?
> > > > Or does the Switch need some special configuration?
> > > >
> > > > When I use Linux with Bonding it also switches the NICs very often.
> > > >
> > > > We use 2 Switches from Netgear JGS524Ev2
> > > >
> > > > Maybe someone has some experience with it?
> > >
> > > Can you give us more information? You do have 3 IP addresses per
> > > interface? How is your switch configured? Any tagged vLANs involved? Is
> > > the switch's firmware up to date?
> >
> > --
> > Ivo R. Tonev
> > +55 61 98409-2642
> > i...@tonev.com.br

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Daniel
Both are Physical.

-- 
Regards
 
Daniel

On 07.06.17, 14:34, "List on behalf of Ivo Tonev" 
<list-boun...@lists.pfsense.org on behalf of i...@tonev.pro.br> wrote:

Firewalls are virtual or physical servers?

On Wed, Jun 7, 2017 at 9:12 AM, Daniel <dan...@linux-nerd.de> wrote:

> Hi,
>
> Firewall on the Switch is the latest installed.
> The Switch is just simple installed. No VLANS actually just IGMP disabled.
> Carp has for sure 3 IPs. 2 Dedicated for each Server and one CARP (Virtual
> Failover per Subnet)
>
> --
> Regards
>
> Daniel
>
> On 06.06.17, 00:04, "List on behalf of Ugo Bellavance" <
> list-boun...@lists.pfsense.org on behalf of u...@lubik.ca> wrote:
>
> On 2017-06-02 08:13 AM, Daniel wrote:
> > Hi there,
> >
> > I run 2 pfSense Firewalls. I tried to use CARP but it will turn over
> > every 1-2-3 hours.
> > Sometimes it is so fast the pf1 is master and pf2 has the routes. In
> > this case I need to reboot both Servers.
> >
> > After I tried a lot I didn't find any solutions. I took a different
> > brand (Sophos UTM) and here is the same behavior.
> > So I think this could be a network problem.
> >
> > Are there any important things which must be enabled or disabled in
> > the Switch?
> > Or does the Switch need some special configuration?
> >
> > When I use Linux with Bonding it also switches the NICs very often.
> >
> > We use 2 Switches from Netgear JGS524Ev2
> >
> > Maybe someone has some experience with it?
>
> Can you give us more information? You do have 3 IP addresses per
> interface? How is your switch configured? Any tagged vLANs involved? Is
> the switch's firmware up to date?




-- 
Ivo R. Tonev
+55 61 98409-2642
i...@tonev.com.br

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Daniel
Hi,

Firewall on the Switch is the latest installed.
The Switch is just simple installed. No VLANS actually just IGMP disabled.
Carp has for sure 3 IPs. 2 Dedicated for each Server and one CARP (Virtual 
Failover per Subnet)


-- 
Regards
 
Daniel

On 06.06.17, 00:04, "List on behalf of Ugo Bellavance" 
<list-boun...@lists.pfsense.org on behalf of u...@lubik.ca> wrote:

On 2017-06-02 08:13 AM, Daniel wrote:
> Hi there,
> 
> I run 2 pfSense Firewalls. I tried to use CARP but it will turn over 
> every 1-2-3 hours.
> Sometimes it is so fast the pf1 is master and pf2 has the routes. In this 
> case I need to reboot both Servers.
> 
> After I tried a lot I didn't find any solutions. I took a different brand 
> (Sophos UTM) and here is the same behavior.
> So I think this could be a network problem.
> 
> Are there any important things which must be enabled or disabled in the 
> Switch?
> Or does the Switch need some special configuration?
> 
> When I use Linux with Bonding it also switches the NICs very often.
> 
> We use 2 Switches from Netgear JGS524Ev2
> 
> Maybe someone has some experience with it?

Can you give us more information? You do have 3 IP addresses per 
interface? How is your switch configured? Any tagged vLANs involved? Is 
the switch's firmware up to date?


[pfSense] massive CARP Failover

2017-06-02 Thread Daniel
Hi there,

I run 2 pfSense Firewalls. I tried to use CARP but it will turn over every 
1-2-3 hours.
Sometimes it is so fast the pf1 is master and pf2 has the routes. In this case 
I need to reboot both Servers.

After I tried a lot I didn't find any solutions. I took a different brand (Sophos 
UTM) and here is the same behavior.
So I think this could be a network problem.

Are there any important things which must be enabled or disabled in the Switch?
Or does the Switch need some special configuration?

When I use Linux with Bonding it also switches the NICs very often.

We use 2 Switches from Netgear JGS524Ev2

Maybe someone has some experience with it?

--
Regards

Daniel

Re: [pfSense] Found a Bug?

2017-05-20 Thread Daniel
Hi,

No, I think not. When I wanted to add a route by hand it says that it already 
exists.
So I am absolutely confused why this can happen.

-- 
Regards
 
Daniel

On 18.05.17, 15:12, "List on behalf of WebDawg" 
<list-boun...@lists.pfsense.org on behalf of webd...@gmail.com> wrote:

Ahh.  I missed that part.  Sorry about that.

I wonder why it loses config?  Does it delete and rewrite on shutdown?

On Tue, May 16, 2017 at 4:43 AM, Daniel <dan...@linux-nerd.de> wrote:

> Hi,
>
> as I already wrote – Suricata Logs. The Problem is not that the disc is
> filling up – the problem is that the config disappears
>
> --
> Regards
>
> Daniel
>
> On 16.05.17, 01:59, "List on behalf of WebDawg" <
> list-boun...@lists.pfsense.org on behalf of webd...@gmail.com> wrote:
>
> On Mon, May 15, 2017 at 3:24 PM, Daniel <dan...@linux-nerd.de> wrote:
>
> > Hi there,
> >
> > It seems I found a bug. 2 times I ran into the same Problem.
> > Harddisk in my pfSense went to 100% Disk usage. (suricata logs)
> > After booting in rescue mode and deleting 100GB of Logs, the pfSense
> > loses the whole configuration and I needed to reinstall the whole
> > Server and restore a backup.
> >
> > This happened 2 times with the same behavior. Disk went full –
> > configuration got lost.
> >
> > Cheers
> >
> > Daniel
>
> Did you look at the log to see what is filling up the log space?

Re: [pfSense] Found a Bug?

2017-05-18 Thread Daniel
Hi,

yes, as I said it was from Suricata.


-- 
Regards
 
Daniel

On 16.05.17, 20:27, "List on behalf of Ryan Coleman" 
<list-boun...@lists.pfsense.org on behalf of ryan.cole...@cwis.biz> wrote:

Did you check the logs to see what was filling them? Sounds like a bad 
configuration of something, probably Squid.


> On May 15, 2017, at 3:53 AM, Daniel <dan...@linux-nerd.de> wrote:
> 
> Hi there,
> 
> It seems I found a bug. 2 times I ran into the same Problem.
> Harddisk in my pfSense went to 100% Disk usage. (suricata logs)
> After booting in rescue mode and deleting 100GB of Logs, the pfSense loses 
> the whole configuration and I needed to reinstall the whole Server and 
> restore a backup.
> 
> This happened 2 times with the same behavior. Disk went full – 
> configuration got lost.
> 
> Cheers
> 
> Daniel


Re: [pfSense] Found a Bug?

2017-05-17 Thread Daniel
Hi,

as I already wrote – Suricata Logs. The Problem is not that the disc is filling 
up – the problem is that the config disappears 


-- 
Regards
 
Daniel

On 16.05.17, 01:59, "List on behalf of WebDawg" 
<list-boun...@lists.pfsense.org on behalf of webd...@gmail.com> wrote:

On Mon, May 15, 2017 at 3:24 PM, Daniel <dan...@linux-nerd.de> wrote:

> Hi there,
>
> It seems I found a bug. 2 times I ran into the same Problem.
> Harddisk in my pfSense went to 100% Disk usage. (suricata logs)
> After booting in rescue mode and deleting 100GB of Logs, the pfSense loses
> the whole configuration and I needed to reinstall the whole Server and
> restore a backup.
>
> This happened 2 times with the same behavior. Disk went full –
> configuration got lost.
>
> Cheers
>
> Daniel
>
Did you look at the log to see what is filling up the log space?

[pfSense] Found a Bug?

2017-05-15 Thread Daniel
Hi there,

It seems I found a bug. 2 times I ran into the same Problem.
Harddisk in my pfSense went to 100% Disk usage. (suricata logs)
After booting in rescue mode and deleting 100GB of Logs, the pfSense loses the 
whole configuration and I needed to reinstall the whole Server and restore a backup.

This happened 2 times with the same behavior. Disk went full – 
configuration got lost.

Cheers

Daniel


Re: [pfSense] HAproxy URL Redirect

2017-05-05 Thread Daniel
Hi,

These ACLs are what I want.
Could you provide me some examples of how to do it?

http://foobar.com needs to be redirected to https://bar.com


-- 
Regards
 
Daniel

On 05.05.17, 23:53, "List on behalf of PiBa" 
<list-boun...@lists.pfsense.org on behalf of pba_...@yahoo.com> wrote:

Hi Daniel,
For https it's not possible without serving a valid certificate for the 
requested domain or requiring the user to click through warnings..
Setup acme package for all your domains together with haproxy and get 
the certs for free (assuming publicly reachable sites) .?.

Other than that you can use acl's to match foo/foobar hostnames and then 
perform an action to redirect..

Regards,
PiBa-NL

On 5-5-2017 at 21:48, Daniel wrote:
> Hi there,
>
> I have hopefully a quick question ;)
>
> I have several Domains and just one SSL Certificate. I bought a 
> Certificate for bar.com
>
> Now I have foo.com and foobar.com on the same Loadbalancer (HAProxy on 
> pfSense)
> I just wanted to Redirect all URLs to bar.com. How can I set up this rule?
>
> --
> Regards
>
> Daniel



[pfSense] HAproxy URL Redirect

2017-05-05 Thread Daniel
Hi there,

I have hopefully a quick question ;)

I have several Domains and just one SSL Certificate. I bought a Certificate for 
bar.com

Now I have foo.com and foobar.com on the same Loadbalancer (HAProxy on pfSense)
I just wanted to Redirect all URLs to bar.com. How can I set up this rule?

--
Regards

Daniel

[pfSense] Daily Mail from pfSense

2017-02-17 Thread Daniel
Hi,

there is a package which is called Mail Report.
Is it possible to generate a daily mail with Graphs? As I understand it, it seems 
that I am only able to send log files.

Cheers

Daniel


Re: [pfSense] Documentation about acme

2017-02-16 Thread Daniel
Hey,

HA found a way to do it in pfSense Webgui. Not very comfortable but it should 
work:

Create Domain -> User DNS manual -> Run issue -Y it will show you want to put 
in your DNS (Record and TXT entry)
Update DNS and renew ;)

Voila:

[Thu Feb 16 19:57:06 CET 2017] Verifying:cluster.dus.fcse.io
[Thu Feb 16 19:57:10 CET 2017] Success
[Thu Feb 16 19:57:10 CET 2017] Verify finished, start to sign.
[Thu Feb 16 19:57:11 CET 2017] Cert success.

And the main Goal is - It's an internal IP ;)

But now it seems that the acme GUI stores all certs in /tmp/
Now I need to know how I can import these Certs into pfSense :-(
I thought it's doing that automatically 

Cheers

daniel


> On 16.02.2017 at 19:48, Arthur Wiebe <arthur.wi...@nerdsonsite.com> wrote:
> 
> OK yeah I am using the DNS method on a load balancer as well but using this 
> https://github.com/lukas2511/dehydrated instead which could be used on 
> pfsense as well, you'd just have to configure it all from the CLI manually.
> 
> On Thu, Feb 16, 2017 at 1:33 PM Daniel <dan...@linux-nerd.de> wrote:
> Hi,
> 
> sounds cool but did not fit my needs.
> I run domain www.blabla.de on my firewall on a public 
> IP which points to haproxy.
> So I can't redirect port in this case.
> 
> It seems the best and easiest way for me is to use DNS. 
> I can choose PowerDNS which we are using. But it seems that it is the 
> commercial Service from PowerDNS.
> But in any case DNS seems to be the correct solution for me but I never used 
> it before.
> 
> Cheers
> 
> Daniel 
> 
> 
>> On 16.02.2017 at 19:14, Arthur Wiebe <arthur.wi...@nerdsonsite.com> wrote:
>> 
>> Hey Daniel, I did write this 
>> https://blog.artooro.com/2017/02/16/quick-easy-lets-encrypt-setup-on-pfsense-using-acme/
>> let me know if that works for you or if you have any feedback.
>> 
>> On Thu, Feb 16, 2017 at 12:56 PM Daniel <dan...@linux-nerd.de> wrote:
>> Hi there,
>> 
>> is there any Documentation and configuration Examples for acme to manage it 
>> via the GUI?
>> 
>> For Example local DocRoot or DNS Setup or whatever. I use PowerDNS but I 
>> didn't know what kind of information it wants to have to update the zones.
>> 
>> Cheers
>> 
>> Daniel
>> -- 
>> Arthur Wiebe | +1 519-670-5255
> 
> -- 
> Arthur Wiebe | +1 519-670-5255



[pfSense] Documentation about acme

2017-02-16 Thread Daniel
Hi there,

is there any Documentation and configuration Examples for acme to manage it via 
the GUI?

For Example local DocRoot or DNS Setup or whatever. I use PowerDNS but I didn't 
know what kind of information it wants to have to update the zones.

Cheers

Daniel


Re: [pfSense] BandwithD

2017-02-16 Thread Daniel
Ok so I can also use bandwithD on a separate Server and push data with softflowd 
from pfsense ;)

 
> On 16.02.2017 at 15:41, Ivo Tonev <i...@tonev.pro.br> wrote:
> 
> It was removed. You can use netflow with a netflow collector on another server.
> 
> On 16 Feb 2017 12:20, "Daniel" <dan...@linux-nerd.de> wrote:
> 
>> Hi there,
>> 
>> is it possible that bandwithD is removed from the Packages?
>> I wanted to install it and I can't see it anymore.
>> 
>> Is there any other way to track Traffic per IP?
>> 
>> Cheers
>> 
>> Daniel



[pfSense] BandwithD

2017-02-16 Thread Daniel
Hi there,

is it possible that bandwithD is removed from the Packages?
I wanted to install it and I can't see it anymore.

Is there any other way to track Traffic per IP?

Cheers

Daniel


[pfSense] Inbound HAProxy or Load Balancer

2017-02-07 Thread Daniel
Hi there,

I try to get an internal load balancer running.
I set up HAProxy with a public IP: 123.123.123.123 and I have 2 webservers: 
10.0.3.99 and 10.0.3.98.
When I connect from outside of 10.0.3.0/24 it works as expected but when I try 
to make a connection from the internal LAN 10.0.3.0/24 I get no response.

I read something about NAT reflection but I didn't understand how to configure 
it correctly.

Could someone give me an example of how to configure inbound load balancing with 
HAProxy or load balancer?

Cheers

Daniel


Re: [pfSense] CARP random Failover

2017-02-04 Thread Daniel
Nope,

Both Servers are dedicated Hardware Firewalls. I think it can be a network 
problem or a Switch Problem.
I will plan a new network Setup and will prepare some NIC bondings.


> On 04.02.2017 at 22:32, Matt . <yamakasi@gmail.com> wrote:
> 
> Are they virtual machines? If so, is MAC spoofing enabled?
> 
> 2017-02-04 20:23 GMT+01:00 Daniel <dan...@linux-nerd.de>:
>> Hi There,
>> 
>> can anyone help me to debug my CARP problem?
>> My Problem is that my CARP interfaces randomly toggle from Master to Backup 
>> and several seconds later it toggles back to Master.
>> Sometimes it's so faulty that the IP is after some switches not reachable 
>> anymore.
>> 
>> Maybe there is a command how I can proof the connections or something like 
>> that.
>> 
>> Cheers
>> 
>> Daniel



[pfSense] CARP random Failover

2017-02-04 Thread Daniel
Hi There,

can anyone help me to debug my CARP problem?
My Problem is that my CARP interfaces randomly toggle from Master to Backup and 
several seconds later it toggles back to Master.
Sometimes it's so faulty that the IP is after some switches not reachable 
anymore.

Maybe there is a command how I can proof the connections or something like that.

Cheers

Daniel


Re: [pfSense] Acme SSL Certificates

2017-02-04 Thread Daniel
I found something here:

Fatal error: Uncaught exception 'RuntimeException' with message 'Couldn't create directory to expose challenge: ' in /usr/local/pkg/acme/acme.inc on line 523

But I am absolutely without any clue how to fix it.

Any suggestions?

Cheers



> On 04.02.2017 at 14:45, Daniel <dan...@linux-nerd.de> wrote:
> 
> Hi there,
> 
> yesterday I saw the new package ACME on pfSense. So I installed it and wanted 
> to try it.
> I have a Domain which is handled with haproxy.
> 
> But it seems that I am not able to generate certificates. Can anyone explain 
> to me what I need to do in the GUI or is there a good howto on how to use it?
> 
> Cheers
> 
> Daniel



[pfSense] Acme SSL Certificates

2017-02-04 Thread Daniel
Hi there,

yesterday I saw the new package ACME on pfSense. So I installed it and wanted 
to try it.
I have a Domain which is handled with haproxy.

But it seems that I am not able to generate certificates. Can anyone explain to me 
what I need to do in the GUI or is there a good howto on how to use it?

Cheers

Daniel


[pfSense] Strange Blocking

2016-10-09 Thread Daniel
Hi there,

I have a strange problem.
I have some Virtual Servers with IPs, one is external and one is internal.

After I added the internal IP it gets blocked by pfSense but I have no clue why:


Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12726,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,5998,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12729,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,1021,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12727,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,8180,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12734,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,2190,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12732,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,1503,53487,0,RA,0,2253571189,0,,

On the LAN Device I have an ANY/ANY Rule. On WAN/DMZ Rule I have a Source Any - 
Dest 10.0.3.0/24 allow Rule (for debugging)

Does anyone have an idea?

Cheers

Daniel

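A decoder for the filterlog entries quoted in the post above, as an added Python example that is not part of the original thread: it splits each entry into named fields and groups the blocked TCP packets by flow and flags. The field names follow the pfSense raw filter log layout for IPv4 as I understand it and are an assumption; the sample input is the five lines from the post, each joined onto one line.

```python
import re
from collections import defaultdict

SYSLOG_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) filterlog: (?P<csv>.+)$"
)

# Assumed field order of a filterlog record (IPv4 only in this example).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id",
        "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["sport", "dport", "datalen"]
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "W": "CWR"}

# The five log entries from the post.
PAGE_LOG = """\
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12726,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,5998,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12729,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,1021,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12727,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,8180,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12734,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,2190,53487,0,RA,0,2253571189,0,,
Oct  9 22:56:52 gw01 filterlog: 5,16777216,,100103,igb2,match,block,in,4,0x0,,64,12732,0,DF,6,tcp,40,10.0.3.63,10.0.3.254,1503,53487,0,RA,0,2253571189,0,,
"""


def parse_filterlog(line):
    """Turn one syslog line from filterlog into a dict of named fields."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m["csv"].split(",")
    rec = {"when": m["when"], "host": m["host"]}
    rec.update(zip(COMMON, fields))
    if rec.get("ipversion") != "4":
        return rec  # IPv6 uses a different layout, not decoded here
    rec.update(zip(IPV4, fields[len(COMMON):]))
    rest = fields[len(COMMON) + len(IPV4):]
    if rec.get("proto") == "tcp":
        rec.update(zip(TCP, rest))
        rec["tcpflag_names"] = [FLAG_NAMES.get(c, c) for c in rec["tcpflags"]]
    elif rec.get("proto") == "udp":
        rec.update(zip(UDP, rest))
    return rec


def summarize_blocks(log):
    """Group blocked TCP packets by interface, endpoints, dest port and flags."""
    groups = defaultdict(list)
    for line in log.splitlines():
        rec = parse_filterlog(line)
        if rec and rec.get("action") == "block" and rec.get("proto") == "tcp":
            key = (rec["iface"], rec["src"], rec["dst"], rec["dport"], rec["tcpflags"])
            groups[key].append(int(rec["sport"]))
    summary = []
    for (iface, src, dst, dport, flags), sports in groups.items():
        summary.append({
            "iface": iface, "src": src, "dst": dst, "dport": int(dport),
            "flags": [FLAG_NAMES.get(c, c) for c in flags],
            "source_ports": sorted(sports),
            # Only a SYN without ACK can open a connection and create state.
            # Anything else passes a stateful rule only via an existing state.
            "starts_connection": "S" in flags and "A" not in flags,
        })
    return summary


if __name__ == "__main__":
    for g in summarize_blocks(PAGE_LOG):
        print(g)
```

For the entries in the post this yields one group: RST+ACK packets from 10.0.3.63 to port 53487 on 10.0.3.254, none of which starts a connection.
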

[pfSense] Freeradius after upgrade hangs

2016-07-03 Thread Daniel Eschner
Hi there,

I installed a brand new pfSense and loaded an old Backup File.
Everything works fine but Freeradius hangs:

It still displays: 

[8/8] Installing pfSense-pkg-freeradius2-1.7.3_1...
[8/8] Extracting pfSense-pkg-freeradius2-1.7.3_1: .. done
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()…

For 2 hours now. Is that normal?

Cheers

Daniel

Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread Daniel Eschner
that was just an example of what I can see in Kibana with Suricata,
I see a lot more things in my dashboard ;) for example compromised websites 
and so on.


> On 21.06.2016 at 00:17, Steve Yates <st...@teamits.com> wrote:
> 
> pfBlockerNG blocks by country, which is what your image showed.
> 
> One caveat to country blocking is Microsoft has started using IPv4 blocks 
> allocated to it in other countries for its Azure service, since they ran out.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
> Sent: Monday, June 20, 2016 4:41 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] add Blocking in suricata just for some IPs
> 
> pfblocker is a L7 IDS/IPS Protection?
> 
> 
> 
>> On 20.06.2016 at 22:26, Ducky BUNG <ducky.b...@gmail.com> wrote:
>> 
>> Use pfblocker package for this.
>> 
>> 
>> 
>> On 06/20/2016 08:27 PM, Daniel Eschner wrote:
>>> Hi to everyone,
>>> 
>>> is it possible to add blocking mode just to some IPs from a /24 Network?
>>> I want to run that in test mode to see how many false positives I will see ;)
>>> 
>>> Cheers
>>> 
>>> Daniel
>>> 
>>> 
>> 
>> -- 
>> Markets can remain irrational longer than you can remain solvent.
>> 
>>  John Maynard Keynes



Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread Daniel Eschner
pfblocker is a L7 IDS/IPS Protection?



> On 20.06.2016 at 22:26, Ducky BUNG <ducky.b...@gmail.com> wrote:
> 
> Use pfblocker package for this.
> 
> 
> 
> On 06/20/2016 08:27 PM, Daniel Eschner wrote:
>> Hi to everyone,
>> 
>> is it possible to add blocking mode just to some IPs from a /24 Network?
>> I want to run that in test mode to see how many false positives I will see ;)
>> 
>> Cheers
>> 
>> Daniel
>> 
>> 
> 
> -- 
> Markets can remain irrational longer than you can remain solvent.
> 
>  John Maynard Keynes



Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread Daniel Eschner
And this way shouldn't work because I want the source to get blocked.
Pass-Lists are only for Source IPs.
So I wouldn't like to block my own network ;)

Let's say that Suricata checks the traffic just for several IPs from a 
network.
I am sure I saw such kind of configuration.



> On 20.06.2016 at 20:31, Steve Yates <st...@teamits.com> wrote:
> 
>   You should be able to go the other direction and set up a  pass list 
> that allows everything but these IPs.  Remember to add the pass list to the 
> interface though.
> 
>   However if you just enable the alerting and select to not automatically 
> block the bad traffic that may be easier.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
> Sent: Monday, June 20, 2016 1:28 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] add Blocking in suricata just for some IPs
> 
> Hi to everyone,
> 
> is it possible to add blocking mode just to some IPs from a /24 Network?
> I want to run that in test mode to see how many false positives I will see ;)
> 
> Cheers
> 
> Daniel
> 
> 



Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread Daniel Eschner
Just alerting is enabled,

but I'm not sure if it works like I wish ;)
I built myself a dashboard in Kibana:
https://www.dropbox.com/s/ty6rfrd6y5z3gqd/Screenshot%202016-06-20%2020.37.26.png?dl=0
But I don't see what is getting blocked ;)

It's just for information ;)


> On 20.06.2016 at 20:31, Steve Yates <st...@teamits.com> wrote:
> 
>   You should be able to go the other direction and set up a  pass list 
> that allows everything but these IPs.  Remember to add the pass list to the 
> interface though.
> 
>   However if you just enable the alerting and select to not automatically 
> block the bad traffic that may be easier.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
> Sent: Monday, June 20, 2016 1:28 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] add Blocking in suricata just for some IPs
> 
> Hi to everyone,
> 
> Is it possible to add blocking mode just to some IPs from a /24 network?
> I want to run that in test mode to see how many false positives I will see ;)
> 
> Cheers
> 
> Daniel
> 
> 


[pfSense] PFSense and Kibana

2016-06-18 Thread Daniel Eschner
Hi there,

I run Suricata on a pfSense. I am trying to build some dashboards. At first
everything seems to be running, but it seems I have problems with domains like
linux-nerd.de.
In the dashboard it's shown as linux.
All domains or attacks or whatever with a - in the word get broken.
In Geo I have the same problem. United-States becomes United and States ;)

Is it a Kibana bug or is it more a dashboard thing?
Does anyone have the same issues with the current Kibana/Logstash/Filebeat?
As you can see in the pictures, it's normally autodiscover.marmor-otto.de
and not 2 different domains ;) Same with
user agents and so on.



[pfSense] CARP

2016-06-15 Thread Daniel Eschner
Hi there,

I have a lot of CARP switches a day, mostly 1-2 times a day.
Is there any way to debug that problem? Because it causes my Network.
The CARP interface mostly didn't come up correctly, so that some parts of my
networks are not reachable.
Maybe there is a way to configure CARP so that it is not so sensitive?

Cheers

Daniel


Re: [pfSense] Snort or Suricata

2016-06-13 Thread Daniel Eschner
> 
> 
> How do you have Snort configured to differentiate between incoming and
> outgoing traffic?

Mhh, I didn't configure anything. I just put the rules on my WAN interface. Maybe I
have to spend more time and read more documentation on it.



Re: [pfSense] Kibana ELK Stack logging

2016-05-31 Thread Daniel Eschner
I fixed everything by myself ;)

It's working now ;)



> On 31.05.2016 at 16:23, Koray AGAYA <hackinde...@gmail.com> wrote:
> 
> Hi daniel
> 
> How can I help yours for ELK
> On 30 May 2016 at 23:27, "Daniel Eschner" <dan...@linux-nerd.de> wrote:
> 
>> Hi all,
>> 
>> Is anyone here using Kibana with the ELK Stack in current versions?
>> I can't get it running and maybe someone can help me out ;)
>> 
>> Cheers
>> 
>> Daniel
>> 

[pfSense] Kibana ELK Stack logging

2016-05-30 Thread Daniel Eschner
Hi all,

Is anyone here using Kibana with the ELK Stack in current versions?
I can't get it running and maybe someone can help me out ;)

Cheers

Daniel



Re: [pfSense] problems captive portal after upgrade from 2.2.6 to 2.3

2016-05-19 Thread Daniel Soto
Hi,

Regrettably, after the update to 2.3.1 we continue to have the same issue. The
captive portal doesn't redirect to the web page after authenticating.

- Original message -

From: "NABEEL HASAN" <nab...@hotmail.com>
To: list@lists.pfsense.org
Sent: Monday, 2 May 2016 20:47:35
Subject: Re: [pfSense] problems captive portal after upgrade from 2.2.6 to 2.3

Same problem with me, even refreshing on mobile devices does not do any good. I 
revert back to 2.2.6 

 
From: List <list-boun...@lists.pfsense.org> on behalf of daniel soto 
<daxo...@gmail.com> 
Sent: Monday, April 18, 2016 4:21 PM 
To: list@lists.pfsense.org 
Subject: [pfSense] problems captive portal after upgrade from 2.2.6 to 2.3 

I have updated to 2.3 (a fantastic job), but in my case, when I log in to the
captive portal, the browser does not redirect to the web page; I need to refresh (F5) the
web browser and then I have access to the web page.

I have tried with iexplore, firefox, opera, chrome, and with all the web
browsers the result is the same.


thanks 



-- 







Daniel Soto 

Dep. Comunicaciones U.A.X 


[pfSense] Routing Question

2016-05-10 Thread Daniel Eschner
Hi there,

Can anyone tell me how it is possible to route a public network through a
transfer network?
When I create a (gateway rule) I get errors :-(

I don't want to use NAT or something like that.


Re: [pfSense] Routing Issue

2016-05-10 Thread Daniel Eschner
When I delete the route everything works fine, but the /25 is handled as a
private network:

 traceroute -i igb1 web.de
traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
 1  lee.de (212.168.31.129)  0.442 ms  0.366 ms  0.324 ms
 2  r1ffm.de.vianw.net (212.168.1.221)  4.573 ms  4.814 ms  4.766 ms
 3  xe-5-3-2-0.fra-006-score-1-re0.interoute.net (89.202.134.177)  7.794 ms  5.978 ms  10.017 ms



> On 10.05.2016 at 22:12, Daniel Eschner <dan...@linux-nerd.de> wrote:
> 
> Let me try to explain it completely ;)
> 
> I configured something like this on my first router.
> I think CARP etc. is not the problem here:
> 
> 
> WAN (wan)   -> igb0   -> v4: 212.168.31.131/29
> FCSE_PUB (lan)  -> igb1   -> v4: 212.168.31.2/25
> HA_SYNC (opt1)  -> igb3   -> v4: 10.0.0.1/24
> 
> The /29 network is just a transfer net for the /25 subnet.
> So I have to route the /25 through the /29. In my case it should be the .130
> (CARP IP).
> 
> I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP
> IP).
> VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway.
> 
> The connection etc. is working, but when I make connections through the VPN I
> always see the IP from the WAN interface. But the /25 are public IPs, so I want to
> have the (.1 CARP IP) shown on remote servers like google.com and so on.
> In Linux I can just set up the next hop like:
> 
> ip r a 212.168.31.2/25 via 212.168.31.130 dev igb0
> 
> When I set the route with route add 212.168.31.0/25 212.168.31.130
> I am not able to reach anything.
> 
> NAT is not needed, I think, because we use public IPs. So that's the reason why
> I am confused.
> 
> traceroute -i igb1 web.de
> traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
> traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
> 1  * * *
> 2  * * *
> 
> 
> On the router side of my ISP, all traffic to the /25 is routed to the .130
> on my site.
> 
> 
> 
>> On 10.05.2016 at 21:57, Steve Yates <st...@teamits.com> wrote:
>> 
>> I'm a bit confused whether the /25 is your LAN subnet or another interface.  
>> The OpenVPN tunnel network has to be a subnet that is on no other interfaces 
>> including the remote PC's LAN.  For example we have our data center using a 
>> /29 for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 
>> for OpenVPN.  192.168.199.0/24 is just used to route packets from the remote 
>> PC to behind the router.
>> 
>> You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and 
>> should be "/29" like the others.
>> 
>> --
>> 
>> Steve Yates
>> ITS, Inc.
>> 
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel 
>> Eschner
>> Sent: Tuesday, May 10, 2016 2:32 PM
>> To: list@lists.pfsense.org
>> Subject: [pfSense] Routing Issue
>> 
>> Hi there,
>> 
>> I am trying to configure 2 pfSense firewalls with the following setup:
>> 
>> My ISP gave me a /29 as a transfer network. I set up the IPs as follows:
>> 
>> x.x.x.131/29 PF1
>> x.x.x.132/29 PF2
>> x.x.x.130/130 CARP Interface (Redundant)
>> 
>> After that I added x.x.x.2/25 to another interface and also created a
>> CARP interface with IP 1 (default gateway for clients).
>> 
>> Now I want to route the /25 through the .130 IP, for example so that OpenVPN
>> has the IP from the /25 network.
>> When I establish a VPN connection it always shows me the IP .131.
>> 
>> Can it be changed, for example by changing Outbound NAT or so, so that the .1 is shown
>> in the interface?
>> All IPs are public IPs.
>> 
>> Hope you understand what i mean ;)
>> 
>> Cheers
>> 
>> Daniel


Re: [pfSense] Routing Issue

2016-05-10 Thread Daniel Eschner
Let me try to explain it completely ;)

I configured something like this on my first router.
I think CARP etc. is not the problem here:


WAN (wan)   -> igb0   -> v4: 212.168.31.131/29
FCSE_PUB (lan)  -> igb1   -> v4: 212.168.31.2/25
HA_SYNC (opt1)  -> igb3   -> v4: 10.0.0.1/24

The /29 network is just a transfer net for the /25 subnet.
So I have to route the /25 through the /29. In my case it should be the .130
(CARP IP).

I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP
IP).
VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway.

The connection etc. is working, but when I make connections through the VPN I
always see the IP from the WAN interface. But the /25 are public IPs, so I want to
have the (.1 CARP IP) shown on remote servers like google.com and so on.
In Linux I can just set up the next hop like:

ip r a 212.168.31.2/25 via 212.168.31.130 dev igb0

When I set the route with route add 212.168.31.0/25 212.168.31.130
I am not able to reach anything.

NAT is not needed, I think, because we use public IPs. So that's the reason why I
am confused.

traceroute -i igb1 web.de
traceroute: Warning: web.de has multiple addresses; using 82.165.229.138
traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
 1  * * *
 2  * * *


On the router side of my ISP, all traffic to the /25 is routed to the .130 on
my site.



> On 10.05.2016 at 21:57, Steve Yates <st...@teamits.com> wrote:
> 
> I'm a bit confused whether the /25 is your LAN subnet or another interface.  
> The OpenVPN tunnel network has to be a subnet that is on no other interfaces 
> including the remote PC's LAN.  For example we have our data center using a 
> /29 for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for 
> OpenVPN.  192.168.199.0/24 is just used to route packets from the remote PC 
> to behind the router.
> 
> You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and 
> should be "/29" like the others.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
> Sent: Tuesday, May 10, 2016 2:32 PM
> To: list@lists.pfsense.org
> Subject: [pfSense] Routing Issue
> 
> Hi there,
> 
> I am trying to configure 2 pfSense firewalls with the following setup:
> 
> My ISP gave me a /29 as a transfer network. I set up the IPs as follows:
> 
> x.x.x.131/29 PF1
> x.x.x.132/29 PF2
> x.x.x.130/130 CARP Interface (Redundant)
> 
> After that I added x.x.x.2/25 to another interface and also created a
> CARP interface with IP 1 (default gateway for clients).
> 
> Now I want to route the /25 through the .130 IP, for example so that OpenVPN has
> the IP from the /25 network.
> When I establish a VPN connection it always shows me the IP .131.
> 
> Can it be changed, for example by changing Outbound NAT or so, so that the .1 is shown
> in the interface?
> All IPs are public IPs.
> 
> Hope you understand what i mean ;)
> 
> Cheers
> 
> Daniel
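A sanity check for the static route tried in the message above, as an added example that is not part of the original thread or of pfSense. The interface table is taken from the message; the /29 mask on the .130 CARP address and the function name `check_static_route` are assumptions made for this example.

```python
import ipaddress

# Interface addresses as given in the message above. The two CARP VIPs are
# listed too, because the firewall owns them while it is CARP master. The /29
# mask on the .130 VIP is an assumption (the thread suggests it, the poster
# never confirms it).
INTERFACES = {
    "igb0": ["212.168.31.131/29", "212.168.31.130/29"],  # WAN, WAN CARP VIP
    "igb1": ["212.168.31.2/25", "212.168.31.1/25"],      # FCSE_PUB, its CARP VIP
    "igb3": ["10.0.0.1/24"],                             # HA_SYNC
}


def check_static_route(destination, gateway, interfaces=INTERFACES):
    """Return a sorted list of (code, detail) findings for a proposed route."""
    # strict=False accepts the Linux-style "212.168.31.2/25" with host bits set.
    dest = ipaddress.ip_network(destination, strict=False)
    gw = ipaddress.ip_address(gateway)
    findings = set()
    gateway_on_link = False

    for ifname, addresses in interfaces.items():
        for text in addresses:
            local = ipaddress.ip_interface(text)
            if gw == local.ip:
                # The next hop is one of this firewall's own addresses.
                findings.add(("gateway-is-local",
                              f"{gw} is configured on {ifname}"))
            if gw in local.network:
                gateway_on_link = True
            if dest.subnet_of(local.network):
                # The route is as specific as (or more specific than) a
                # directly attached network, so it competes with it.
                findings.add(("shadows-connected",
                              f"{dest} lies inside {local.network} on {ifname}"))

    if not gateway_on_link:
        findings.add(("gateway-unreachable",
                      f"{gw} is on no attached network"))
    return sorted(findings)


if __name__ == "__main__":
    # The route from the message: the firewall's own LAN, via its own CARP VIP.
    for code, detail in check_static_route("212.168.31.0/25", "212.168.31.130"):
        print(f"{code}: {detail}")
```

For the route in the message the check reports both `gateway-is-local` and `shadows-connected`; a default route via 212.168.31.129 (the first hop in the working traceroute) reports nothing.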


[pfSense] Routing Issue

2016-05-10 Thread Daniel Eschner
Hi there,

I am trying to configure 2 pfSense firewalls with the following setup:

My ISP gave me a /29 as a transfer network. I set up the IPs as follows:

x.x.x.131/29 PF1
x.x.x.132/29 PF2
x.x.x.130/130 CARP Interface (Redundant)

After that I added x.x.x.2/25 to another interface and also created a CARP
interface with IP 1 (default gateway for clients).

Now I want to route the /25 through the .130 IP, for example so that OpenVPN has
the IP from the /25 network.
When I establish a VPN connection it always shows me the IP .131.

Can it be changed, for example by changing Outbound NAT or so, so that the .1 is shown in
the interface?
All IPs are public IPs.

Hope you understand what i mean ;)

Cheers

Daniel


[pfSense] problems captive portal after upgrade from 2.2.6 to 2.3

2016-04-18 Thread daniel soto
I have updated to 2.3 (a fantastic job), but in my case, when I log in to the
captive portal, the browser does not redirect to the web page; I need to refresh (F5) the
web browser and then I have access to the web page.

I have tried with iexplore, firefox, opera, chrome, and with all the web
browsers the result is the same.


thanks


[pfSense] pfSense + OpenLDAP + OpenVPN + OTP (RADIUS?)

2016-02-17 Thread Daniel Lopes de Carvalho

Hello All!

I'm trying to implement a solution to replace my current VPN server and 
would like your help. I don't have much knowledge about pfSense.


Today I have a virtualized Linux server with OpenVPN, where the 
authentication of external users is done by SSL certificates and OTP 
library (http://motp.sourceforge.net/). The database for these users is 
controlled by a TXT file, which stores the username, secret, PIN, etc. I 
also have another Linux server with OpenLDAP + Kerberos for 
authentication of internal network users.


I would like to know if it is possible to configure pfSense to authenticate
VPN users via LDAP using OTP.


I could set up a VPN service in pfSense using LDAP as backend. I also 
could use RADIUS + OTP as VPN backend. But I'm unsure of how to put it 
all together.


If it is possible, must I use a RADIUS schema for LDAP? Is RADIUS the only way
of using OTP in pfSense?



Thanks and best regards

Daniel

--
Daniel Lopes de Carvalho
http://www.unisim.cepetro.unicamp.br
dan...@cepetro.unicamp.br
19 3521-1221



Re: [pfSense] pfSense IP stack crashing.

2015-10-16 Thread Daniel Soto
Do you have limiters configured?

https://redmine.pfsense.org/issues/4310


- Original message -

From: "Bryant Zimmerman"
To: "pfSense Support and Discussion Mailing List"
Sent: Thursday, 15 October 2015 20:04:51
Subject: Re: [pfSense] pfSense IP stack crashing.

WebDawg 

I am using an industrial 4GB USB DOM. It is less than 3 years old so I am 
surprised that it could be the issue, but hey it's technology so I should not 
be surprised. 

Thanks 

Bryant 


 
From: "WebDawg"  
Sent: Thursday, October 15, 2015 1:55 PM 
To: "pfSense Support and Discussion Mailing List"  
Subject: Re: [pfSense] pfSense IP stack crashing. 
On Thu, Oct 15, 2015 at 7:45 AM,  wrote:
> Hmh,
>
> 3 things you could try come up to my mind.
>
> 1. I'd try another SD-Card (if you are using nanoBSD, my guess is, that
> you use an SD-Card?). Put the Master in permanent maintenance mode and shut
> it down, take out the SD-Card and check for errors. Even if there are none,
> copy the card and use the new one.
> 2. Freezing normally could mean bad memory. Did you try a live CD and a
> mem stress test for at least 24 hours? If not, do that too.
> 3. Unusual and also very unlikely but maybe your box got hacked somehow?
> Turn on the remote logging feature and log your messages to another
> syslogd-Server and see what you get when the system gets unresponsive.
>
> HTH,
>
> Jens Simmoleit
> Senior Linux Systems Administrator
>
> infoscore Profile Tracking GmbH
> part of arvato Financial Solutions
> Kaistrasse 7
> 40211 Düsseldorf
>
> Phone: +49 211 50 66 51- 88
> Fax: +49 211 50 66 51- 93
> Mobile: +49 160 97 80 46 94
>

Better yet, can you post the specs/detailed hardware of the system? Is it SD or
CF media?


Re: [pfSense] upgrading

2015-09-10 Thread Daniel Rauer
‎This should answer your questions: 
https://doc.pfsense.org/index.php/Upgrade_Guide

 

 
 
 
 
From: Curtis Maurand
Sent: Thursday, 10 September 2015 17:30
To: pfSense Support and Discussion Mailing List
Subject: [pfSense] upgrading



This has probably been covered, but I'm about to do an upgrade from 
1.2.3 to the current release.  Would it be better for me to do a full 
install, then restore the various configs that I need?  NAT, PPTP, 
Rules, etc?

Thanks for any advice you can give me before I start.

--Curtis

-- 
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com


[pfSense] Fwd: captive portal doesn´t work after upgrade to 2.2

2015-04-16 Thread daniel soto
Hi.
First of all, thanks for the fabulous work of the pfSense team.


My problem is this: after upgrading to version 2.2 from 2.1.5,
access to the captive portal does not work.

My configuration is as follows.

The captive portal runs on a dedicated interface with a CARP virtual IP,
which users use as their gateway.

I have seen that the CARP virtual IP is not added to the ipfw rules that
facilitate access to the login page.

These are the ipfw rules that I can currently see:

65310 allow ip from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 }
in
65311 allow ip from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any
out
65312 allow icmp from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to
any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7
} in icmptypes 8

The first IP, 10.128.0.7, should be 10.128.0.2, which is the CARP virtual IP.

10.128.0.2 --- CARP virtual IP

10.128.0.7 --- physical interface IP

I tried adding the rules manually and it works perfectly, but of course
this process should be automatic.


also I have seen that:



before in version 2.1.5

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0
mtu 1500
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM
ether xx:xx:xx:xx:xx:xx
inet 10.128.0.7 netmask 0x broadcast 10.128.0.255
media: Ethernet autoselect (1000baseT full-duplex)
status: active

lan_vip15: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500
inet 10.128.0.2 netmask 0x
carp: MASTER vhid 15 advbase 1 advskew 200


now in version 2.2

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0
mtu 1500
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM
ether xx:xx:xx:xx:xx:xx
inet 10.128.0.7 netmask 0xff00 broadcast 10.128.0.255
inet 10.128.0.2 netmask 0xff00 broadcast 10.128.0.255 vhid 15
nd6 options=21PERFORMNUD,AUTO_LINKLOCAL
media: Ethernet autoselect (1000baseT full-duplex)
status: active
carp: BACKUP vhid 15 advbase 1 advskew 0


this is a possible cause of this issue.

before in ipfw_context

captive: em3,lan_vip15,


now in ipfw zone list

captive: em3,


any comment would be fantastic.


[pfSense] captive portal doesn´t work after upgrade to 2.2

2015-03-24 Thread daniel soto
Hi.
First of all, thanks for the fabulous work of the pfSense team.


My problem is this: after upgrading to version 2.2 from 2.1.5,
access to the captive portal does not work.

My configuration is as follows.

The captive portal runs on a dedicated interface with a CARP virtual IP,
which users use as their gateway.

I have seen that the CARP virtual IP is not added to the ipfw rules that
facilitate access to the login page.

These are the ipfw rules that I can currently see:

65310 allow ip from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 }
in
65311 allow ip from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any
out
65312 allow icmp from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to
any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7
} in icmptypes 8

The first IP, 10.128.0.7, should be 10.128.0.2, which is the CARP virtual IP.

10.128.0.2 --- CARP virtual IP

10.128.0.7 --- physical interface IP

I tried adding the rules manually and it works perfectly, but of course
this process should be automatic.


also I have seen that:



before in version 2.1.5

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0
mtu 1500
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM
ether xx:xx:xx:xx:xx:xx
inet 10.128.0.7 netmask 0x broadcast 10.128.0.255
media: Ethernet autoselect (1000baseT full-duplex)
status: active

lan_vip15: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500
inet 10.128.0.2 netmask 0x
carp: MASTER vhid 15 advbase 1 advskew 200


now in version 2.2

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0
mtu 1500
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM
ether xx:xx:xx:xx:xx:xx
inet 10.128.0.7 netmask 0xff00 broadcast 10.128.0.255
inet 10.128.0.2 netmask 0xff00 broadcast 10.128.0.255 vhid 15
nd6 options=21PERFORMNUD,AUTO_LINKLOCAL
media: Ethernet autoselect (1000baseT full-duplex)
status: active
carp: BACKUP vhid 15 advbase 1 advskew 0


this is a possible cause of this issue.

before in ipfw_context

captive: em3,lan_vip15,


now in ipfw zone list

captive: em3,


any comment would be fantastic.

[pfSense] captive portal doesn´t work after upgrade to 2.2

2015-02-15 Thread Daniel Soto


- Forwarded message -



Good morning.
First of all, thanks for the fabulous work of the pfSense team.


My problem is this: after upgrading to version 2.2 from 2.1.5,
access to the captive portal does not work.

My configuration is as follows.

The captive portal runs on a dedicated interface with a CARP virtual IP, which
users use as their gateway.

I have seen that the CARP virtual IP is not added to the ipfw rules that facilitate
access to the login page.

These are the ipfw rules that I can currently see:

65310 allow ip from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } in 
65311 allow ip from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any out 
65312 allow icmp from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any 
out icmptypes 0 
65313 allow icmp from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } in 
icmptypes 8 

The first IP, 10.128.0.7, should be 10.128.0.2, which is the CARP virtual IP.

10.128.0.2 --- CARP virtual IP

10.128.0.7 --- physical interface IP

I tried adding the rules manually and it works perfectly, but of course this
process should be automatic.


also I have seen that: 



before in version 2.1.5 

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 
1500 
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM 
ether xx:xx:xx:xx:xx:xx 
inet 10.128.0.7 netmask 0x broadcast 10.128.0.255 
media: Ethernet autoselect (1000baseT full-duplex) 
status: active 

lan_vip15: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 
inet 10.128.0.2 netmask 0x 
carp: MASTER vhid 15 advbase 1 advskew 200 


now in version 2.2 

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 
1500 
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM 
ether xx:xx:xx:xx:xx:xx 
inet 10.128.0.7 netmask 0xff00 broadcast 10.128.0.255 
inet 10.128.0.2 netmask 0xff00 broadcast 10.128.0.255 vhid 15 
nd6 options=21PERFORMNUD,AUTO_LINKLOCAL 
media: Ethernet autoselect (1000baseT full-duplex) 
status: active 
carp: BACKUP vhid 15 advbase 1 advskew 0 


this is a possible cause of this issue. 

before in ipfw_context 

captive: em3,lan_vip15, 


now in ipfw zone list 

captive: em3, 


any comment would be fantastic. 


[pfSense] captive portal doesn´t work after upgrade to 2.2

2015-02-09 Thread Daniel Soto
Good morning.
First of all, thanks for the fabulous work of the pfSense team.


My problem is this: after upgrading to version 2.2 from 2.1.5,
access to the captive portal does not work.

My configuration is as follows.

The captive portal runs on a dedicated interface with a CARP virtual IP, which
users use as their gateway.

I have seen that the CARP virtual IP is not added to the ipfw rules that facilitate
access to the login page.

These are the ipfw rules that I can currently see:

65310 allow ip from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } in 
65311 allow ip from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any out 
65312 allow icmp from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any 
out icmptypes 0 
65313 allow icmp from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } in 
icmptypes 8 

The first IP, 10.128.0.7, should be 10.128.0.2, which is the CARP virtual IP.

10.128.0.2 --- CARP virtual IP

10.128.0.7 --- physical interface IP

I tried adding the rules manually and it works perfectly, but of course this
process should be automatic.


also I have seen that: 



before in version 2.1.5 

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 
1500 
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM 
ether xx:xx:xx:xx:xx:xx 
inet 10.128.0.7 netmask 0x broadcast 10.128.0.255 
media: Ethernet autoselect (1000baseT full-duplex) 
status: active 

lan_vip15: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 
inet 10.128.0.2 netmask 0x 
carp: MASTER vhid 15 advbase 1 advskew 200 


now in version 2.2 

em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 
1500 
options=9bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM 
ether xx:xx:xx:xx:xx:xx 
inet 10.128.0.7 netmask 0xff00 broadcast 10.128.0.255 
inet 10.128.0.2 netmask 0xff00 broadcast 10.128.0.255 vhid 15 
nd6 options=21PERFORMNUD,AUTO_LINKLOCAL 
media: Ethernet autoselect (1000baseT full-duplex) 
status: active 
carp: BACKUP vhid 15 advbase 1 advskew 0 


this is a possible cause of this issue. 

before in ipfw_context 

captive: em3,lan_vip15, 


now in ipfw zone list 

captive: em3, 


any comment would be fantastic. 
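The comparison made by hand in the message above (addresses on the portal interface against the addresses allowed in the captive portal's ipfw rules), as an added example that is not part of the original post or of pfSense. The sample input reproduces the 2.2 output pasted in the message, mail line wrapping included; the function names are made up for this example.

```python
import re

# Sample input: the pfSense 2.2 output pasted in the message above, trimmed to
# the relevant lines and kept with the line wrapping the mail client added.
IFCONFIG_EM3 = """\
em3: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 1500
inet 10.128.0.7 netmask 0xff00 broadcast 10.128.0.255
inet 10.128.0.2 netmask 0xff00 broadcast 10.128.0.255 vhid 15
carp: BACKUP vhid 15 advbase 1 advskew 0
"""

IPFW_RULES = """\
65310 allow ip from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 }
in
65311 allow ip from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to any
out
65312 allow icmp from { 255.255.255.255 or 10.128.0.7 or 10.128.0.7 } to
any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 10.128.0.7 or 10.128.0.7
} in icmptypes 8
"""


def interface_addresses(ifconfig_text):
    """Map each IPv4 address on the interface to its CARP vhid (None if plain)."""
    addresses = {}
    for line in ifconfig_text.splitlines():
        inet = re.match(r"\s*inet\s+(\d+(?:\.\d+){3})", line)
        if inet:
            vhid = re.search(r"\bvhid\s+(\d+)", line)
            addresses[inet.group(1)] = int(vhid.group(1)) if vhid else None
    return addresses


def unwrap_rules(ipfw_text):
    """Re-join rules that were wrapped; a new rule starts with a 5-digit number."""
    rules = []
    for line in ipfw_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"\d{5}\s+\w", line):
            rules.append(line)
        elif rules:
            rules[-1] += " " + line
    return rules


def rule_address_sets(ipfw_text):
    """Map rule number to the set of addresses inside its { a or b or c } block."""
    sets = {}
    for rule in unwrap_rules(ipfw_text):
        block = re.search(r"\{([^}]*)\}", rule)
        if block:
            number = int(rule.split()[0])
            sets[number] = {a.strip() for a in block.group(1).split(" or ")}
    return sets


def missing_from_rules(ifconfig_text, ipfw_text):
    """Return {rule number: [interface addresses the rule does not allow]}."""
    addresses = interface_addresses(ifconfig_text)
    report = {}
    for number, allowed in sorted(rule_address_sets(ipfw_text).items()):
        missing = [a for a in addresses if a not in allowed]
        if missing:
            report[number] = missing
    return report


if __name__ == "__main__":
    vhids = interface_addresses(IFCONFIG_EM3)
    for number, missing in missing_from_rules(IFCONFIG_EM3, IPFW_RULES).items():
        for addr in missing:
            kind = f"CARP VIP, vhid {vhids[addr]}" if vhids[addr] else "interface IP"
            print(f"rule {number}: {addr} ({kind}) is not allowed")
```

Run against the pasted output, every one of the four rules lacks 10.128.0.2, the address the portal clients use as their gateway.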

Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12 depth

2012-05-02 Thread Daniel Lloyd
I have 2x 
http://www.supermicro.com/products/system/1U/5015/SYS-5015A-EHF-D525.cfm.
Should fit your depth limitation, I have yet to hit performance
problems with it and know that others on the list use this system as
well.

On Wed, May 2, 2012 at 4:08 PM, Ugo Bellavance u...@lubik.ca wrote:
> Hi,
>
> I'm looking for hardware to replace an ASA unit that only allows 5
> concurrent VPN connections for road warrior by a pfsense unit.  However, I
> need to have a proxy on the server to have reports or logs on who does what
> on the internet, so I need a hard drive.  Also, the physical space that I
> have for this unit is 1U and about 12 of depth.
>
> I thought about soekris units, but anyone else has another idea?  The other
> needs are quite simple, not that many internal users, no other VPN tunnels.
>
> Thanks,
>
> Ugo



Re: [pfSense] 802.1X VLAN function and switch support

2011-12-15 Thread Daniel Davis
Sorry, it is in the wiki on the FreeRadius site.

Regards,

Daniel Davis

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of bsd
Sent: Thursday, 15 December 2011 7:10 PM
To: pfSense support and discussion
Subject: Re: [pfSense] 802.1X VLAN function and switch support


On 15 Dec 2011 at 01:20, Daniel Davis wrote:

 This is generally supported on nearly all reasonable managed switches these 
 days (not always on the el-cheapo 'web-managed' switches). The switch really 
 doesn't do much other than forward authentication requests and then act on 
 the authorisation response. As long as the authentication server (NAC) can 
 return the correct IETF attributes such as Tunnel-Type, Tunnel-Medium-Type 
 and Tunnel-Private-Group-Id it will generally work.

Ok, I guess I'll have to give It a try with the switch I am using.

 This is all supported by FreeRadius and well documented in the wiki with 
 example configs for numerous different switch manufacturers.

I am sorry but I can not find any link about this specific topic in the 
doc.pfsense.org section or in the dev section - can you be more specific ? 

Which wiki are you refering to ? 


Thanks for your reply. 

 
 Regards,
 
 Daniel Davis
 
 
 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] 
 On Behalf Of bsd
 Sent: Thursday, 15 December 2011 7:47 AM
 To: pfSense support and discussion
 Subject: [pfSense] 802.1X VLAN function and switch support
 
 Hi, 
 
 I am a bit off topic for the pfSense list, but since I want to be compliant 
 with the FreeRadius package deployed on the pfSense system, I guess it is OK 
 to ask that question here.
 
 
 I want FreeRadius to provide distinct VLANs to each of my clients based on 
 the parameters defined in the FreeRadius settings. I am not certain that a 
 lot of switches are compatible with this function, most of them provide 
 802.1X authentication, but can they automatically set the VLAN once the 
 client has authenticated ? 
 
 Can they provide a default VLAN for failed auth? 
 
 
 As stated on the package, the switch should understand the following 
 parameters : 
 
 Tunnel-Type = VLAN
 Tunnel-Medium-Type = IEEE-802
 Tunnel-Private-Group-ID = My_ID
 
 
 Any feedback on implementing this VLAN attribution feature with FreeRadius 
 and xxx switch will be welcome.
 
 Switch brands supporting this feature are also of interest.
 
 
 Thanks. 
 
 
 --
 - Grégory Bernard Director -
 --- www.osnet.eu ---
 -- Your provider of OpenSource appliances --
 --
 OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO
 
 
 
 --
 This message has been scanned for viruses and dangerous content by 
 mail.lasseters.com.au, and no infections were found.


--
- Grégory Bernard Director -
--- www.osnet.eu ---
-- Your provider of OpenSource appliances --
--
OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO



Re: [pfSense] 802.1X VLAN function and switch support

2011-12-14 Thread Daniel Davis
This is generally supported on nearly all reasonable managed switches these 
days (not always on the el-cheapo 'web-managed' switches). The switch really 
doesn't do much other than forward authentication requests and then act on the 
authorisation response. As long as the authentication server (NAC) can return 
the correct IETF attributes such as Tunnel-Type, Tunnel-Medium-Type and 
Tunnel-Private-Group-Id it will generally work. This is all supported by 
FreeRadius and well documented in the wiki with example configs for numerous 
different switch manufacturers.

Regards,

Daniel Davis


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of bsd
Sent: Thursday, 15 December 2011 7:47 AM
To: pfSense support and discussion
Subject: [pfSense] 802.1X VLAN function and switch support

Hi, 

I am a bit off topic for the pfSense list, but since I want to be compliant with 
the FreeRadius package deployed on the pfSense system, I guess it is OK to ask 
that question here.


I want FreeRadius to provide distinct VLANs to each of my clients based on the 
parameters defined in the FreeRadius settings. I am not certain that a lot of 
switches are compatible with this function, most of them provide 802.1X 
authentication, but can they automatically set the VLAN once the client has 
authenticated ? 

Can they provide a default VLAN for failed auth? 


As stated on the package, the switch should understand the following parameters 
: 

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = My_ID


Any feedback on implementing this VLAN attribution feature with FreeRadius and 
xxx switch will be welcome.

Switch brands supporting this feature are also of interest.


Thanks. 


--
- Grégory Bernard Director -
--- www.osnet.eu ---
-- Your provider of OpenSource appliances --
--
OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
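
The three attributes named in this thread, as an added illustration that is not code from the posters or from the FreeRADIUS or pfSense projects: the sketch below encodes them the way they travel in an Access-Accept (RFC 2868 tagged attributes, RFC 3580 values) and shows the check a switch has to make before moving a port. Assumptions: the group ID is a numeric VLAN ID (the thread's "My_ID" is a placeholder), a first octet of 0x1F or less in Tunnel-Private-Group-ID is treated as a tag, and `fallback_vlan` is a hypothetical parameter for the VLAN used when no usable assignment is present.

```python
# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TT_VLAN = 13        # Tunnel-Type = VLAN
TMT_IEEE_802 = 6    # Tunnel-Medium-Type = IEEE-802


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes as they appear in an Access-Accept."""
    def tagged_int(attr, value):
        # type, length (always 6), tag octet, 24-bit value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    # The tag octet on the string attribute is optional; emit it only if set.
    body = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TT_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body)


def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value-bytes) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def assigned_vlan(data, fallback_vlan=None):
    """Return the VLAN to apply, or fallback_vlan if the triple is unusable."""
    seen = {}
    for atype, value in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[atype] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # Assumption: a first octet <= 0x1F is a tag, else string data.
            text = value[1:] if value[0] <= 0x1F else value
            seen[atype] = text.decode("ascii", "replace")
    if (seen.get(TUNNEL_TYPE) != TT_VLAN
            or seen.get(TUNNEL_MEDIUM_TYPE) != TMT_IEEE_802):
        return fallback_vlan
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return fallback_vlan
    return int(group)


if __name__ == "__main__":
    accept = encode_vlan_attrs(10)  # constructed sample, not a capture
    print(accept.hex(), "->", assigned_vlan(accept, fallback_vlan=99))
```

Some switches also accept a VLAN name in Tunnel-Private-Group-ID; the numeric-only check here is a simplification.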


Re: [pfSense] 3G USB Modem installation on PFSENSE

2011-12-06 Thread Daniel Llewellyn
On Tue, Dec 6, 2011 at 17:35, Nabeel Hasan nab...@hotmail.com wrote:
 After it I just use ICS on USB Modem connection and
 select interface of newly created interface from VMware network editor. In
 Pfsense I just used that interface as wan2 and select DHCP option which got
 its IP from ICS. Now it is working fine for me.

I may be entirely missing the point here, but isn't a prime reason for
using pfSense to avoid having Windows hosts and other
non-security-enhanced operating systems from facing the Internet
unprotected? I completely fail to understand the reason for having
Windows+ICS in addition to pfSense, especially when pfSense is
_behind_ the Windows box and therefore not firewalling the WAN link.

-- 
Regards,
    The Honeymonster aka Daniel Llewellyn


Re: [pfSense] Multiple IPSEC Mutual PSK + Xauth Tunnels

2011-11-23 Thread Daniel Davis
Bump... any ideas?

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Daniel Davis
Sent: Wednesday, 2 November 2011 3:09 PM
To: 'pfSense support and discussion'
Subject: [pfSense] Multiple IPSEC Mutual PSK + Xauth Tunnels

We have a situation where all our iOS users connect via IPSEC VPN for remote 
access. This works great and is very stable. What we want to achieve however is 
for certain clients to have access only to certain networks (different sets of 
firewall rules and phase 2 tunnels for different groups of users). I believe 
that to do this we would need to be able to have multiple Phase 1 tunnel 
definitions with Mutual PSK + Xauth as the authentication method, however this 
is not available as an option if I manually add another Phase 1 tunnel. Is this 
possible to achieve with PfSense 2?

Thanks,

Daniel



Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense

2011-11-23 Thread Daniel Davis
 but once it is working it works well, NAT reflection works fine and 
see the wiki for automated backups 
(http://doc.pfsense.org/index.php/Remote_Config_Backup). The VPN options are 
excellent so I don't think you'll have any issues there. IPv6 is still not 
supported but this was not an issue in our case.

As you will find out, the free support provided on the mailing list is often 
better than the help you get from most CCSP's.

Good luck.

Regards,

Daniel

 


Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Daniel Davis
David,

Whilst this is not as secure as a real VPN, you could possibly use something 
like OpenVPN ALS (Previously Adito). It is a remote access over SSL solution 
that allows your users to somewhat securely connect to work resources without 
needing to install a VPN client or open insecure ports on your firewall. Your 
users will log in to the OpenVPN ALS page and authenticate using their 
credentials (it can authenticate against LDAP, AD etc.), they will then get a 
portal page which will show the resources you have given them access to (This 
can be RDP, VNC etc). When they open a resource it will launch a Java client 
and tunnel the connection over SSL.

One thing to note, though, is that the project is dead and the last released 
version has some significant known security flaws; however, it will still be 
vastly more secure than just forwarding VNC traffic through your firewall.

Regards,

Daniel Davis


 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org] On Behalf Of David Brown
 Sent: Tuesday, 25 October 2011 12:14 AM
 To: pfSense support and discussion
 Subject: Re: [pfSense] Forwarding an external port according to user
 
 On 24/10/2011 15:53, Vassilis V. wrote:
 
 
  David Brown wrote on 10/24/2011 02:34 PM:
 
  Using a VPN is certainly a possibility - our road warriors who use a
  laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
  home machine regularly to access everything in the network here. Where
  VPNs are the right solution, they are what we use.
 
  But I see two disadvantages of VPNs. They give too much access.
  Obviously firewall rules can be added to limit access in some ways, but
  it is somewhere between difficult and impossible to get the right
  balance between security and functionality here. How do I set up
  firewalls that let the user access company files on a server from their
  home machine without also opening these files to whatever malware
  they've installed? I can proscribe rules and regulations for computers
  on the company network, I can monitor them for suspicious behaviour, and
  do regular checks. But I can't do that for people's home computers. I
  can do so on a limited basis for a few users, especially for those with
  company laptops that they use from home or outside, but it is not
  scalable in general.
 
  I can't agree that VPNs give too much access. The way the VPN in pfsense
  is configured, it gives exactly the amount of access that you allow.
  Having a VPN connection that allows only to connect to port 5900 on a
  certain PC is a piece of cake. If you want to offer samba to your users,
  you shouldn't really port forward the ports to WAN. Even if you limit the
  source IP it feels somehow wrong to do it :) But it's more of a general
  question if you want to give them access to samba or not, the tool you
  want to use (port forward or VPN) doesn't matter.
 
 
 I agree that samba over WAN feels wrong - it's only an option I'm
 vaguely considering, and just mentioning here as another example.  An
 alternative example, as well as VNC, would be RDP for Windows remote
 desktop protocol (though I prefer VNC as it is more cross-platform).
 
 I understand that you can specify exactly the rules you want in pfSense
 for VPN access.  But it can only restrict traffic based on the IP
 address and other such criteria - my point about having too much access
 is there is no way to restrict it by the type of originating program.
 Perhaps you are one of the lucky few who only has to deal with *nix type
 systems, but I have to assume that employees home machines and home
 networks are full of malware (except for the few that I've checked, and
 know that they are kept reasonably secure).  So if a home machine has
 access over a VPN to files on a company server, then so does all the
 malware they have installed.  With VNC only, I avoid that (although
 keyloggers are still a potential issue).
 
 Of course, if I do try out samba over the WAN, the same thing applies
 there as with VPN access.
 
 
 
  The other disadvantage of a VPN is that we use a lot of specialised
  software - people can't easily install it on their home machines. They
  may also need different sorts of access to different machines - trying
  to get routing and firewalling rules that allow this over a VPN without
  being too permissive is hard.
 
  I didn't clearly describe the solution I proposed, they would still use
  VNC to work on their work PC. They would just tunnel it through the VPN
  and have only access to port 5900 on their PC.
 
 
 Ah, okay.  That's one way to handle it that I'm already considering.
 
 Of course, this also means that users would need to install and
 configure OpenVPN on their home machines.  It's not hard, but it is an
 extra step.
 
 With pure VNC, I can also look at using the VNC java client - if I put
 that on a server somewhere, then it makes it possible for people

Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN

2011-10-13 Thread Daniel Llewellyn
On Thu, Oct 13, 2011 at 16:03, Tim Nelson tnel...@rockbochs.com wrote:
 I would expect it to work this way also. However, I've removed the OPT 
 interfaces corresponding to the OpenVPN servers. Next, I've added one rule to 
 'Allow all traffic, any protocol, any source, any destination, etc' the 
 OpenVPN tab in the firewall rules page. This should allow all traffic from 
 all clients. However, even after saving, then clearing the state table, I'm 
 not able to pass traffic over any of the OpenVPN links.

 I should mention, this system was upgraded from 1.2.1 to 2.0-RELEASE. Also, I 
 did *not* uninstall any packages prior to the upgrade (read the upgrade notes 
 afterwards... :/ ). Does this have any relevance? Should I reinstall this 
 system from scratch, then recreate each VPN server/interface? Maybe just 
 delete all the VPN servers, and start fresh?

which direction are you trying the connectivity?

the rules on the openvpn tab are for connections coming from the
remote system to the pfSense box. If you want to connect out from
local boxes to the remote system over the vpn then you need
appropriate rules on the relevant interface (such as lan) to allow the
traffic.

-- 
Regards,
    The Honeymonster aka Daniel Llewellyn


[pfSense] Traffic shaping query

2011-10-13 Thread Daniel Davis
Hi all.

I am in the process of replacing a Fortinet firewall with a nice shiny pfSense 
virtual appliance and am trying to plan our traffic shaping/qos but I'm having 
trouble getting my head around it.

We currently have 11 LAN segments and a single WAN. We are not really 
interested in shaping/prioritising the inter-LAN traffic, just inbound and 
outbound WAN traffic. My idea so far is to simply use limiters for inbound 
traffic (as we cannot influence the order that packets arrive from the ISP so 
HFSC does not seem any better for this purpose, just more complicated) and use 
HFSC to prioritize and shape outbound traffic. This configuration means I only 
need to create one set of limiters for inbound traffic (as opposed to a set of 
queues for each interface with HFSC) and one set of HFSC queues on the WAN 
interface for outbound traffic. We have a 10Mb/10Mb connection which is shared 
between users internet access, web/dns/mail hosting and guest internet access, 
so I really want to get my QoS right to make the most of this connection.

The configuration I am thinking of implementing is:

Inbound traffic (Downloads)
    3Mbit Limiter (For all data requested by the outside world, i.e. served by us)
        Priority traffic (e.g. VoIP traffic & DNS requests) highest weighting
        Standard traffic (e.g. FTP, HTTP requests) medium weighting
        Low Priority traffic (e.g. SMTP, POP3 & IMAP connections) lowest weighting
    7Mbit Limiter (For all data served by external systems, i.e. requested by us)
        Priority traffic (e.g. VoIP traffic, DNS requests) highest weighting
        Standard traffic (e.g. VPN, Remote Desktop, FTP, HTTP) medium weighting
        Low Priority traffic (e.g. SMTP, POP3, IMAP etc.) low weighting
        Penalty traffic (everything else not classified above) lowest weighting

Outbound traffic (Uploads)
    9700Kbit Root Class (97% of Max WAN upload)
        Ack Traffic - Priority 7, Bandwidth 15%, Qlimit 500, Realtime 10%
        DNS Traffic - Priority 6, Bandwidth 5%, Realtime 5%
        Served Traffic (e.g. traffic sent by our servers) - Priority 6, Bandwidth 50%, Upperlimit 80%, Realtime 50%
            VoIP - Priority 6, Bandwidth 10%, Upperlimit (35% 30ms 10%), Realtime 10%
            RDP/VNC - Priority 5, Bandwidth 20%, Upperlimit (50%, 200, 10%), Realtime 15%
            HTTP/HTTPS/FTP - Priority 4, Bandwidth 50%, Realtime (75%, 1, 40%)
            Mail - Priority 3, Bandwidth 20%, Realtime 10%
        Client Traffic (e.g. Client uploads, VoIP traffic, VPN traffic etc.) - Priority 5, Bandwidth 20%, Upperlimit 50%, Realtime 25%
            VoIP - Priority 6, Bandwidth 10%, Upperlimit (35% 30ms 10%), Realtime 20%
            RDP/VNC - Priority 5, Bandwidth 30%, Upperlimit (50%, 200, 10%), Realtime 15%
            HTTP/HTTPS/FTP - Priority 4, Bandwidth 50%, Realtime (75%, 1, 40%)
            Mail - Priority 3, Bandwidth 10%, Realtime 10%
        Unclassified Traffic (Anything that wasn't caught by the above rules) - Priority 3, Bandwidth 10%, Upperlimit 30%, Realtime 10%

Does anyone see any problems with this configuration? Feel free to shoot me 
down in flames if this won't work for any reason, I want to get this right.

Cheers,

Daniel





Re: [pfSense] cannot access gui

2011-10-04 Thread Daniel Davis
Nelson,

If you can get to the console you can choose option 11 - Restart 
webConfigurator, this will restart the web interface services without affecting 
other services.

Cheers,

Daniel
 
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Nelson Serafica
Sent: Wednesday, 5 October 2011 11:41 AM
To: list@lists.pfsense.org
Subject: [pfSense] cannot access gui

pfsense has been up for almost 5 months now. Then, yesterday, we were no longer 
able to access the GUI, though everything else is working fine, such as rules and 
port forwarding. The last change I made with the GUI was the DHCP mapping, and 
then suddenly I could no longer access the GUI. I'm accessing it through https. I 
also tried connecting from the private network but still no luck. Is there a 
command I can execute on the shell? As much as possible I don't want to restart 
the pfsense server. There could be a service somewhere (apache/lighttpd?) that I 
could restart. I haven't tried to start SSH because I thought I wouldn't have any 
issue with the GUI. Guess I need to enable SSH. But before anything else, I need 
to fix the GUI access.

Any suggestions? TIA
