Yes, get them now. If you don’t then they’ll go to someone else and you won’t
be able to expand in a contiguous block. Using CARP implies that you care
about reliability during edge cases and partial failures. If so, then you need
to do it right and use 3 IPs where you want 1 carp. 3 on upli
Bridging will disable firewall and DHCP on modem, this should be expected.
If it works, then you’re using it just fine. I have my DMZ hosts like that on
a separate network on OPT1 with their own IP range and 1:1 nat rules. It feels
more segregated that way to me than the bridging firewall scen
Set your servername in apache/whatever, you’re all good. The servername needs
to match the cert, the IP doesn’t matter and shouldn’t be handed out anywhere.
> On 2015, Mar 7, at 8:44 AM, Tim Hogan wrote:
>
> Ed,
>
> I like your idea with using 1:1 NAT but just one question; If you use SSL
>
On the subject of bridging vs routing for firewall: If you require layer 3 to
get to your guarded hosts, then you only have to think about rules in layer 3.
If you bridge, then you may have to think about arp spoofing, multicast, IPX,
etc. So if you’re bridging, you may be presenting a much l
Same here. No firewall logs on remote syslog. Local firewall logs, yes.
Other logs (dhcp, dns, system) all fine. I’ve never seen firewall rules make
it to the remote syslog, though I may only have started trying in 2.1.5.
i386, full install on msata SSD, soekris 6501-50.
ED.
> On
Oh, I see how it is. We’re self resolving problems now. Fine. My problem was
my syslog was silently ignoring all pf: messages, so it was a syslog issue and
not a pfsense issue. Fixed. My apologies for the noise on the list.
ED.
> On 2015, Mar 19, at 3:46 PM, ED Fochler wr
Is your skew set to 0 on your primary router’s CARP interfaces?
ED.
> On 2015, Mar 23, at 3:50 PM, Steve Yates wrote:
>
> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM
> (Parallels Cloud/Virtuozzo), and I run "service network restart" on the host
> for
Steve,
I have explicit multicast, network to network, and proto PFSYNC allow
rules on my dedicated CARP interface, which MAY be unnecessary. And I remember
the skew number being very picky, working correctly only in the 0 & 100
setting. At some point my CARP interfaces stopped getting
What you’re describing is NAT reflection, and the reason you’re getting
redirected from :80 to :443 is because you’re actually hitting the PFSense web
interface. PFSense is running a web server and by default it will forward you
from port 80 to port 443 and offer a self-signed cert.
I think wh
You may be getting overruled by the self protecting hidden rules of pfSense.
System -> Advanced -> [Admin Access] -> Anti-lockout
Alternatively, Services -> DNS Forwarder -> host overrides … could point
internal machines to the DMZ address instead of the outside address when they
lookup the nam
I’m still running 2.1.5 as the 2.2 series has not been happy on my soekris
boxes. Will test again soon.
I’ve also stopped seeing any performance benefit from the hifn encryption card
for any of my uses. Perhaps you see different, but the only supported
encryption on that card (aes-cbc) is no
If you set up CARP, then you don’t manage outages at 4am, you manage them when
you get in to work because no services went out.
If you hate CARP, then just do HA Sync to a running backup VM with the uplink
and downlink disconnected. Then your emergency procedure is to reboot the
primary, or en
FTP is a nasty beast. There’s active, passive, and extended passive
connections. You may need a client that does extended passive (epsv?) to work
properly. Standard passive will hand back the server’s IP & data port over the
control connection, so unless PFSense is altering the packets as the
10.20.*.* really shouldn’t be on your wan, that’s not routable. Also,
214*256+167=54951, outside the range you say you dictated in the conf
(49500-52500)
I don’t think PFSense is going to provide you an ftp proxy, both because you’re
not using port 21, and this document:
https://doc.pfsense.o
Yeah, that sounds like the right path. Original post mentioned DOM, which I
don’t understand. I don’t know that SpinRite has any value on SSD. I would be
inclined to do a fresh OS install and import the configuration to eliminate
data bit rot and hacking of the OS as possible problems. I ha
Limiters work on 2.2.4, I’m using them. But I didn’t upgrade, I created the
limiters on 2.2.4. Are you asking if limiters work? Or are you just noting
that they don’t cleanly upgrade? If you create them through the GUI and link
them in with the firewall rules, do they work now?
ED.
> Decision Sciences International Corporation
> <http://www.decisionsciencescorp.com/>
>
> On Sun, Dec 13, 2015 at 5:29 PM, ED Fochler
> wrote:
>
>> Limiters work on 2.2.4, I’m using them. But I didn’t upgrade, I cre
There is also extended passive, which is much better than old standard passive
as it is ipv6 friendly and less likely to get wrongly proxied. So different
clients from the same network to the same server may negotiate differently and
present different results.
The next step would be to grab tr
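The two FTP replies above (the PASV reply whose address and port are decoded as 214*256+167 = 54951 and compared against the 49500-52500 range, and the EPSV reply that carries only a port) are worth seeing parsed by hand. The following is an added example, not code from the list posts: it parses RFC 959 PASV and RFC 2428 EPSV replies and reports what a firewall admin would flag (a non-routable data address, an address that differs from the control peer, a port outside the configured passive range). The sample replies, the 93.184.216.34 control-peer address and the 10.20.1.5 data address are constructed; the port range mirrors the one mentioned in the thread.

```python
"""Parse FTP passive-mode replies and sanity-check the data endpoint.

Added example; not code from the mailing-list posts. The replies below are
constructed samples. The port range (49500-52500) mirrors the range
mentioned in the thread; the addresses are assumptions.
"""
import ipaddress
import re

# Constructed sample control-channel replies (RFC 959 PASV, RFC 2428 EPSV).
PASV_OK = "227 Entering Passive Mode (93,184,216,34,193,136)."   # 193*256+136 = 49544
PASV_BAD = "227 Entering Passive Mode (10,20,1,5,214,167)."      # private address, 214*256+167 = 54951
EPSV_OK = "229 Entering Extended Passive Mode (|||49600|)"

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply. The port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a valid PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (a, b, c, d, p1, p2)):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def parse_epsv(reply, control_host):
    """Return (host, port) from a 229 reply.

    EPSV carries only the port; the client reuses the address it already
    has for the control connection. That is why EPSV works over IPv6 and
    is less likely to be mangled by a NAT or proxy than PASV, which embeds
    an IPv4 address in the reply.
    """
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or m is None:
        raise ValueError("not a valid EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in EPSV reply: %r" % reply)
    return control_host, port


def check_data_endpoint(host, port, control_host, port_range=(49500, 52500)):
    """Return the problems a firewall admin would flag for a data endpoint."""
    problems = []
    # A 10.x address handed back by a server on the WAN is not routable.
    if not ipaddress.ip_address(host).is_global:
        problems.append("data address %s is not globally routable" % host)
    # The data address should normally be the same host as the control peer;
    # a mismatch usually means a proxy or NAT rewrote (or failed to rewrite) it.
    if host != control_host:
        problems.append("data address %s differs from control peer %s" % (host, control_host))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d outside configured passive range %d-%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    peer = "93.184.216.34"  # assumed control-connection peer (constructed)
    for reply in (PASV_OK, PASV_BAD):
        host, port = parse_pasv(reply)
        print(reply, "->", host, port, check_data_endpoint(host, port, peer))
    host, port = parse_epsv(EPSV_OK, peer)
    print(EPSV_OK, "->", host, port, check_data_endpoint(host, port, peer))
```

Run it as-is to see the constructed PASV reply from 10.20.1.5:54951 flagged three times while the EPSV reply passes; feed it the replies from a real packet capture of the control connection to tell a server misconfiguration apart from a firewall rewriting the reply.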
My experience has been that intel nics are bad in the 10G space, especially
under BSD. I’ve had good luck with Myricom and Chelsio on BSD, though I
haven’t used either specifically on PFSense.
> On 2016, Feb 18, at 1:29 PM, Rainer Duffner wrote:
>
>
>> Am 18.02.2016 um 19:13 schrieb Walter

ED.
> On 2016, Feb 19, at 11:54 AM, Giles Davis wrote:
>
> On 19/02/2016 16:19, ED Fochler wrote:
>> My experience has been that intel nics are bad in the 10G space, especially
>> under BSD. I’ve had good luck with Myricom and Chelsio on BSD, though I
> On 2016, Apr 24, at 7:05 PM, Olivier Mascia wrote:
>
> Why is there a box to enter the remote system username, when it is useless
> and has to be 'admin' anyway?... :)
It seems to be an incomplete feature upgrade, as the admin user has always been
usable and it was intended to have other us
Yep, still that way in 2.3 release.
> On 2016, Apr 24, at 11:21 PM, Steve Yates wrote:
>
> I posted about that when I discovered it a year ago. It seems silly to have
> a field that is ignored and something else used instead. Is that still in
> 2.3 that way? It seems like it would be easy
On a modern intel system, the intel chip itself (or AMD) has AES128 or better
implemented in hardware. I get ~700Mb on sftp on my macbook air 2012 like
that, so those numbers are exactly where I’d expect the CPU to be maxed out
doing AES128 or AES256 encryption. That’s what hardware accelerati
Unless your ISP is involved, you’re not going to do link aggregation or BGP.
I’m guessing you’re doing NAT on both of these WAN connections, and not just
routing. In this case I would recommend separating traffic by user, or by
port/protocol.
I had a DSL and T1 arrangement a while ago and f
>
> On 2016, May 11, at 1:48 AM, FrancisM wrote:
>
> Is there any plugins from pfsense to do this kind of configuration just
> like reverse proxy. this is the scenario. I only have 1 public IP address...
> I know I can achieve this using other ports (higher ports) to mapped to my
> internal loca
Karl,
There are numerous other similar answers to be found, but here’s mine:
Get away from CF if you can. The modern performance and wear leveling work is
in sata and DOM, those are better devices. Abandon the nano-BSD and just find
the miscellaneous checkbox to put /tmp and /var in ra
>
> In particular, I see the Intel S35x0 ~80GB for $60. Do you know if the
> reliability is in the same league as the s3700 series, it would be an easy
> choice given the high cost of downtime in a remote install. Any experience
> with that series of devices in particular?
>
I have a pile o
I agree. I typically ssh in as root and tcpdump to get a more interactive view
of the network, but packet capture should give you the same data. You should
be seeing traffic even if it is rejected or dropped by your firewall rules. If
you’re not seeing ping, it’s not showing up at your interf
For clarity, that’s just the order in which PF works. It does NAT translation
to incoming traffic as a concept before it applies filter rules. It’s unusual
in the world of firewall mechanisms, but it works just fine. It also allows
you to explicitly allow traffic in to your port-forwarded des
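The NAT-before-filter order described above is easiest to see in raw pf syntax. This is an added example, not a ruleset from the post or from pfSense's generated config; it uses the classic `rdr` form of pf (as on FreeBSD) and assumes em0 as the WAN interface and 192.168.10.5 as a DMZ web host.

```pf
ext_if = "em0"             # assumed WAN interface (not from the post)
web_srv = "192.168.10.5"   # assumed DMZ host (not from the post)

# Translation runs first: an inbound packet to the WAN address on :80 is
# rewritten to the DMZ host before any filter rule is evaluated.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny on WAN. pf's last matching rule wins, so this goes first and
# the explicit pass below overrides it for the forwarded port only.
block in on $ext_if

# Filter rules see the *translated* destination. A pass rule written
# "to ($ext_if) port 80" would never match the forwarded traffic; this
# one matches the post-NAT destination and is what actually admits it.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

The practical consequence is the one the post makes: the port forward and the firewall rule are two separate objects, and the rule must name the internal (post-translation) address, which is also what lets you restrict the source networks allowed to reach that forwarded service.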
I have a similar situation and I solved it with limiters. I'm also a fan of
limiters to ensure fair sharing of uplink bandwidth by internal users. I
haven't tried changing system tunables though, so that solution may be better.
Nothing is sent through the limiter until you create a rule that c
Richard,
I agree with Eero, VLANs are real security. It will require time and
effort and maybe some additional equipment. If it helps you sleep at night,
it's worth it. You might start with just IP groupings and rules though.
I have an admin network that only has a couple of computer