Re: [pfSense] SIP Port forwarding - will the SIP Proxy help me with this?

2018-03-23 Thread Jon Gerdes
You could create an alias for the inbound IPs for SIP/RTC and limit the
source on the NAT rule with that alias.  Then your WebRTC users will
be unaffected because their src/dst/port triplet will not match that
NAT.

https://www.twilio.com/docs/api/voice/sip-interface - see IP address
whitelist.

Cheers
Jon

On Sat, 2018-03-10 at 21:19 -0500, Moshe Katz wrote:
> I have an installation with a single public IP address that uses an
> Asterisk PBX connected to a Twilio SIP Trunk. The provider does not
> offer
> additional IP addresses.
> 
> Right now, in order for the SIP audio to work, I need to forward UDP
> ports
> 1-2 to the PBX since Twilio says media can come on any of
> those
> ports.
> However, this breaks the ability of other users on that connection to
> use
> WebRTC media because WebRTC uses that same port range for media.
> 
> The only real information that I have found discussed in the past is
> about
> using sipproxd in the case of having multiple SIP devices inside the
> firewall to allow all of them to use port 5060 (SIP signaling) and
> have the
> firewall rewrite the SIP traffic for each one.
> 
> However, I can't seem to find any information about my use-case of a
> single
> SIP device and not having to forward the ports for the media.
> Can sipproxd help me with that?
> Any other ideas?
> 
> Thanks,
> Moshe
> 
> --
> Moshe Katz
> -- kohenk...@gmail.com
> -- +1(301)867-3732
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
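The source-restricted port forward Jon describes, written out as a pf.conf fragment. This is an added illustration, not from the thread and not pfSense's generated ruleset (pfSense builds its rules from the alias and the NAT rule in the GUI, but the resulting pf logic is the same). The interface name, PBX address, port range and table contents are assumptions; the real addresses come from the Twilio IP whitelist linked above, and the media port range from the same page.

```pf
# pf.conf fragment: source-restricted UDP port forward for SIP media.
# Macro values and table contents are assumptions for this illustration.
ext_if    = "em0"            # WAN interface (assumed name)
pbx       = "192.168.1.10"   # Asterisk PBX on the LAN (assumed address)
rtp_ports = "10000:20000"    # stand-in for the media range Twilio documents

# Twilio's signalling/media source addresses, to be taken from the
# "IP address whitelist" on the Twilio page linked in the thread.
# RFC 5737 documentation prefixes are used here as placeholders.
table <twilio_sip> persist { 203.0.113.0/24, 198.51.100.0/24 }

# BEFORE (what breaks WebRTC): every inbound UDP packet to the media range,
# from anyone on the Internet, is redirected to the PBX.  Inbound WebRTC
# media from a peer that pf has no state entry for yet (common with ICE
# connectivity checks) is swept into this rule and lands on the PBX.
#rdr pass on $ext_if proto udp from any to ($ext_if) port $rtp_ports -> $pbx

# AFTER: only packets whose source is in the provider table are redirected.
# Anything else on those ports does not match, so WebRTC traffic for inside
# clients keeps following its own outbound NAT state.  As a side effect the
# PBX is no longer exposed to the whole Internet on thousands of UDP ports.
rdr pass on $ext_if proto udp from <twilio_sip> to ($ext_if) port 5060 -> $pbx
rdr pass on $ext_if proto udp from <twilio_sip> to ($ext_if) port $rtp_ports -> $pbx
```

In pfSense terms this is one alias of type "Network" holding the provider addresses, used as the Source on the existing port-forward rule; check the result with `pfctl -sn` (NAT rules) and `pfctl -t twilio_sip -T show` on the firewall shell.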


Re: [pfSense] Problem with Chrome - HTTP trasnparent proxy with SSL filtering

2017-11-04 Thread Jon Gerdes
Roberto

We all need to have a deep think about what https *really* *really*
means.  

* The aim of SSL/TLS is to ensure confidentiality from one point to
another

* In a browser, there is a trust store of Certification Authorities and
an SSL/TLS certificate that is signed by a CA is trusted if signed by a
trusted CA

At this point, you could substitute a certificate from another CA,
using splice.

* There are standards such as HPKP -
https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning .

This is why you cannot subvert Google and other sites that take
additional steps to ensure that no one is attempting to break the
promise that SSL/TLS is designed for.

If I put up a website and I want to guarantee that the connection
between my website and the end user is secure then I would not be happy
if I found out that someone was breaking that link.  Using splice is an
attempt to break that link.

Have a deep think about what you are trying to do - whatever it is.

Cheers
Jon




On Fri, 2017-11-03 at 10:47 -0400, Yaroslav Samoylenko wrote:
> Public or private CA, the issue will persist.
> 
> On Nov 3, 2017 8:39 AM, "Roberto Carna" <robertocarn...@gmail.com>
> wrote:
> 
> > OK Jon, thanks for your time and explanation.
> > 
> > So a last question please: now I put in Squid of pfSense a private
> > CA
> > certificate...is it the same if I put a public CA certificate? Will
> > I
> > experience the same HTTPS behaviour related to Chrome and Firefox?
> > 
> > Thanks a lot again.
> > 
> > ROBERTO
> > 
> > 2017-11-02 20:47 GMT-03:00 Jon Gerdes <gerd...@blueloop.net>:
> > > Roberto
> > > 
> > > NFF: Product working as designed
> > > 
> > > When you use splice, you are doing a Man In The Middle (MitM)
> > > attack on
> > > your own users.  Chrome is a Google product and they have enabled
> > > https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and other
> > > things to detect this sort of thing.
> > > 
> > > This could be seen as an abuse by Google
> > > https://www.troyhunt.com/bypassing-browser-security-warnings-with-pseudo-password-fields/
> > > or you could consider that end users should have an expectation of
> > > privacy by default.  For example, what if your users do online banking
> > > through
> > > your proxy?  You could easily grab usernames and passwords and
> > > other
> > > personal details or worse if you abuse the trust that SSL/TLS
> > > should
> > > allow.
> > > 
> > > Think very hard about the implications of attempting to break the
> > > contract that SSL/TLS is designed to provide - end to end
> > > encryption
> > > with no tampering and guaranteed privacy.
> > > 
> > > Cheers
> > > Jon
> > > 
> > > 
> > > 
> > > 
> > > On Thu, 2017-11-02 at 12:00 -0300, Roberto Carna wrote:
> > > > People, I have pfSense 2.4 with Squid and Squidguard.
> > > > 
> > > > I enable HTTP transparent proxy and SSL filtering with Splice
> > > > All.
> > > > 
> > > > From our Android cell phones, if we use Firefox to navigate
> > > > everything
> > > > is OK, but if we use Chrome we can't go to Google and some
> > > > other
> > > > HTTPS
> > > > sites.
> > > > 
> > > > We reviewed firewall rules, NAT and denied target categories
> > > > and
> > > > everything seems OK.
> > > > 
> > > > What can be the problem with Chrome ???
> > > > 
> > > > Thanks a lot,
> > > > 
> > > > ROBERTO


Re: [pfSense] Problem with Chrome - HTTP trasnparent proxy with SSL filtering

2017-11-02 Thread Jon Gerdes
Roberto

NFF: Product working as designed

When you use splice, you are doing a Man In The Middle (MitM) attack on
your own users.  Chrome is a Google product and they have enabled
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and other things to
detect this sort of thing.

This could be seen as an abuse by Google
https://www.troyhunt.com/bypassing-browser-security-warnings-with-pseudo-password-fields/
or you could consider that end users should have an expectation of privacy
by default.  For example, what if your users do online banking through
your proxy?  You could easily grab usernames and passwords and other
personal details or worse if you abuse the trust that SSL/TLS should
allow.

Think very hard about the implications of attempting to break the
contract that SSL/TLS is designed to provide - end to end encryption
with no tampering and guaranteed privacy.

Cheers
Jon




On Thu, 2017-11-02 at 12:00 -0300, Roberto Carna wrote:
> People, I have pfSense 2.4 with Squid and Squidguard.
> 
> I enable HTTP transparent proxy and SSL filtering with Splice All.
> 
> From our Android cell phones, if we use Firefox to navigate
> everything
> is OK, but if we use Chrome we can't go to Google and some other
> HTTPS
> sites.
> 
> We reviewed firewall rules, NAT and denied target categories and
> everything seems OK.
> 
> What can be the problem with Chrome ???
> 
> Thanks a lot,
> 
> ROBERTO
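To make concrete what Jon means by Chrome detecting the splice, here is an added example (not from the thread, and not Chrome's code) of the pin check a browser performs under RFC 7469 HPKP: it parses a Public-Key-Pins header, notes it only if it names one key in the served chain plus a backup key that is not, and then refuses any later chain, including one re-signed by a Squid CA (private or public, as Yaroslav says), in which no certificate's SubjectPublicKeyInfo hashes to a noted pin. Chrome ships such pins for Google domains preloaded rather than learning them from a header, which is why even the first connection through the proxy fails. The SPKI byte strings below are constructed stand-ins; real pins hash the DER-encoded SPKI of a certificate in the chain.

```python
"""HPKP (RFC 7469) pin evaluation, as a browser performs it.

Added example: not Chrome's code and not from the pfSense thread.  SPKI
values are constructed byte strings standing in for DER SubjectPublicKeyInfo.
"""
import base64
import hashlib
import re


def spki_pin(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into pins, max-age and flags.

    Unknown directives are ignored; max-age is mandatory.
    """
    pins, max_age, include_subdomains = [], None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        m = re.fullmatch(r'pin-sha256\s*=\s*"([A-Za-z0-9+/]+=*)"', directive, re.IGNORECASE)
        if m:
            pins.append(m.group(1))
            continue
        m = re.fullmatch(r"max-age\s*=\s*(\d+)", directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
            continue
        if directive.lower() == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("Public-Key-Pins header without max-age is invalid")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def header_is_acceptable(policy: dict, chain_spkis: list) -> bool:
    """The UA notes the pins only if at least one pin matches a certificate
    in the validated chain AND at least one does not (the backup pin), so a
    site cannot lock itself out with a single key."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    pins = set(policy["pins"])
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def chain_is_pinned(policy: dict, chain_spkis: list) -> bool:
    """A later connection is allowed only if some certificate in the chain
    has an SPKI matching a noted pin.  A splicing proxy re-signs the leaf
    under its own CA, so none of its SPKIs match and the browser aborts."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in policy["pins"])


# Constructed sample keys (stand-ins for DER SPKI blobs).
SITE_LEAF_SPKI = b"constructed: site leaf key"
SITE_INTERMEDIATE_SPKI = b"constructed: site intermediate CA key"
SITE_BACKUP_SPKI = b"constructed: site offline backup key"
PROXY_LEAF_SPKI = b"constructed: leaf forged by the Squid CA"
PROXY_CA_SPKI = b"constructed: Squid CA key, private or public makes no difference"

# What the genuine site sends on a direct, un-spliced connection.
SITE_HEADER = (
    f'pin-sha256="{spki_pin(SITE_INTERMEDIATE_SPKI)}"; '
    f'pin-sha256="{spki_pin(SITE_BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)
GENUINE_CHAIN = [SITE_LEAF_SPKI, SITE_INTERMEDIATE_SPKI]
SPLICED_CHAIN = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]


def browser_decision(header: str, first_chain: list, later_chain: list) -> str:
    """First visit: note the pins if the header is acceptable.  Later visit:
    allow or abort depending on whether the presented chain is pinned."""
    policy = parse_hpkp_header(header)
    if not header_is_acceptable(policy, first_chain):
        return "header ignored"
    if chain_is_pinned(policy, later_chain):
        return "connection allowed"
    return "pin validation failed"


if __name__ == "__main__":
    print("direct :", browser_decision(SITE_HEADER, GENUINE_CHAIN, GENUINE_CHAIN))
    print("spliced:", browser_decision(SITE_HEADER, GENUINE_CHAIN, SPLICED_CHAIN))
```

The proxy's CA being in the device trust store does not help: chain validation and pin validation are separate steps, and the forged chain passes the first but never the second, which is exactly the Chrome behaviour Roberto saw.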


Re: [pfSense] raise ulimit

2017-10-24 Thread Jon Gerdes
Daniel

Please could you post the exact message you get from HA Proxy and where
you found it.

You might want to read these:

https://cbonte.github.io/haproxy-dconv/1.7/management.html#5

https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html

Cheers
Jon



On Sat, 2017-10-21 at 22:04 +0200, Daniel wrote:
> Hi,
> 
>  
> 
> HAProxy asks me to raise the ulimit. After googling I don't find any
> way how to in Tunables.
> 
> Anyone an idea how to increase the ulimit
> 
>  
> 
> Cheers
> 
>  
> 
> daniel
> 

Re: [pfSense] pfSense virtualisation

2017-10-10 Thread Jon Gerdes
On Tue, 2017-10-10 at 14:16 -0700, Walter Parker wrote:
> On Tue, Oct 10, 2017 at 12:57 PM, Doug Lytle 
> wrote:
> 
> > > > > Or do you think I am absolutely crazy? Or maybe Just one
> > > > > Hardware and
> > 
> > one virtual?
> > 
> > Quite a few of my firewalls are virtualized using ESXI and have
> > done so
> > for a few years now.
> > 
> > Doug
> > 
> 
> I run my ESXi boxes with pfSense as the firewall. It has worked well
> for
> years. I'd recommend that over standalone HW firewalls.
> 
> 
> Walter
> 

I do all of the above and then some.  You need to decide what is
required and use the various technologies according to your budget,
performance requirements, risk requirements and continuity
requirements.

So:

* Virt: works very well on VMware (probably others - can't comment)
* Continuity through upgrades: Needs HA with CARP => you must have at
least three IPs per WAN link

If you can manage at least three IPv4s per external link then it does
not really matter whether you use physical or VM these days unless you
need an extreme IPSEC throughput.

If you do go the two VM route, then make sure they run on two different
hosts at all times.  With VMware Enterprise Plus you can create
affinity rules in DRS. 

My work systems are physical these days, and are blindingly quick on
pretty old hardware - a pair of Dell R320s with a lot of network cards.
They have a pair of NICs on board and you can fit at least two quad
GB NICs in them.  I effectively use them as layer three switches and
router and firewall with a GUI and a lot more.  VoIP calls and
IPSEC/OpenVPN tunnels etc carry on regardless on upgrades/reboots of
the nodes.

On other sites I have deployed a single pfSense box as a VM.  Upgrades
need down time but you can snapshot it first for a backout if it goes
wrong.  Backups needed.  On single VM hosts, e.g. one ESXi with a pfSense
router as a VM, you can't remotely, safely do nearly any changes.  I've
banned this model.

Some sites have a single physical box - APU2 based in most cases.
Backups.  Also a stock of replacement boxes.

Cheers
Jon


Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.

2017-09-27 Thread Jon Gerdes
On Wed, 2017-09-27 at 00:12 +0200, dayer wrote:
> Hi everyone,
> 
> 
> I'm getting this behavior and I can't find the reason. I've tested the
> same scenario with pfSense 2.3.4 and 2.4.0-RC and I've posted in the
> forums without reply[1].
> I'm not sure if it's a configuration error or a bug, and I would
> prefer to confirm with someone expert.
> 
> Briefly, when there are established connections through a non-default
> gateway (e.g. GW2 configured according to a firewall rule) and I
> change the master unit (e.g. disabling CARP in Pfsense1, master
> previously), these connections are broken.
> Pfsense2, now master unit, tries to route this traffic through GW1
> (instead of GW2) and uses the WAN2 HA IP for outbound NAT. That is not
> right. Although if I close and retry the connections (like an SSH
> client), the new connections are routed according to the rule, through
> GW2, like Pfsense1 did when it was the master unit.
> 
> I know pfSense can't filter traffic from the firewall itself, and
> it's like the established connections would be traffic from the
> firewall itself also in those states.
> 
> Does anyone know this behavior? Is there no solution?
> 
> 
> Regards,
> 
> 
> 
> [1]:
> https://forum.pfsense.org/index.php?topic=136739.msg749477#msg749477


If I had to guess: Are you using a CARP address for outbound NAT?  If
not then the connections *will* break on failover.


Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-04 Thread Jon Gerdes
Thank you for a clear and concise description of your problem.

Cheers
Jon



On Wed, 2017-05-03 at 09:48 -0400, Eleuterio Contracampo wrote:
> Thank you Jon. It works!
> 
> -EC
> 
> On Wed, May 3, 2017 at 6:48 AM, Jon Gerdes <gerd...@blueloop.net>
> wrote:
> 
> > EC
> > 
> > Add an additional Phase 2 entry on each set of tunnels:
> > 
> > pf2 -> pf1 = tunnel A
> > pf2 -> pf3 = tunnel B
> > 
> > Add a Phase 2 on tunnel A for local 192.168.40/24 to remote
> > 192.168.44/24
> > 
> > Add a Phase 2 on tunnel B for local 192.168.44/24 to remote
> > 192.168.40/24
> > 
> > Add firewall rules to taste.
> > 
> > Cheers
> > Jon
> > 
> > 
> > On Tue, 2017-05-02 at 17:45 -0400, Eleuterio Contracampo wrote:
> > > Hello everyone,
> > > 
> > > I have the following setup:
> > > 
> > > PFsense1 (LAN1: 192.168.40.0/24)
> > > PFsense2 (LAN2: 192.168.41.0/24)
> > > PFSense3 (LAN3: 192.168.44.0/24)
> > > 
> > > I've got two MPLS lines connecting PFSense2<->PFSense1<->PFSense3
> > > (PFSense1
> > > is the center of the star topology). I use IPSec tunnels on top
> > > of
> > > MPLS
> > > links.
> > > 
> > > I'm able to get from LAN1 to LAN2 and from LAN1 to LAN3 via IPSec
> > > tunnels.
> > > 
> > > I need to make LAN2 and LAN3 visible to each other. Is it
> > > possible to
> > > do it
> > > via IPSec links?
> > > 
> > > I've tried adding an additional Phase 2 entry at PFSense1 posing
> > > as
> > > if LAN3
> > > were local, and adding the corresponding Phase 2 entry at
> > > PFSense2 to
> > > tell
> > > LAN2 to route packets destined to LAN3 via that newly added Phase
> > > 2
> > > sub-tunnel against PFSense1. Packets do arrive to PFSense1 but
> > > don't
> > > progress any further despite having static routes indicating how
> > > to get to LAN3. I hope I'm clear about the problem.
> > > 
> > > If it were not possible to do it via IPSec routing, is there any
> > > other
> > > solution different than NAT+static routes?
> > > 
> > > Thanks in advance!
> > > -EC


Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-03 Thread Jon Gerdes
EC

Add an additional Phase 2 entry on each set of tunnels:

pf2 -> pf1 = tunnel A
pf2 -> pf3 = tunnel B

Add a Phase 2 on tunnel A for local 192.168.40/24 to remote
192.168.44/24

Add a Phase 2 on tunnel B for local 192.168.44/24 to remote
192.168.40/24

Add firewall rules to taste.

Cheers
Jon


On Tue, 2017-05-02 at 17:45 -0400, Eleuterio Contracampo wrote:
> Hello everyone,
> 
> I have the following setup:
> 
> PFsense1 (LAN1: 192.168.40.0/24)
> PFsense2 (LAN2: 192.168.41.0/24)
> PFSense3 (LAN3: 192.168.44.0/24)
> 
> I've got two MPLS lines connecting PFSense2<->PFSense1<->PFSense3
> (PFSense1
> is the center of the star topology). I use IPSec tunnels on top of
> MPLS
> links.
> 
> I'm able to get from LAN1 to LAN2 and from LAN1 to LAN3 via IPSec
> tunnels.
> 
> I need to make LAN2 and LAN3 visible to each other. Is it possible to
> do it
> via IPSec links?
> 
> I've tried adding an additional Phase 2 entry at PFSense1 posing as
> if LAN3
> were local, and adding the corresponding Phase 2 entry at PFSense2 to
> tell
> LAN2 to route packets destined to LAN3 via that newly added Phase 2
> sub-tunnel against PFSense1. Packets do arrive to PFSense1 but don't
> progress any further despite having static routes indicating how to
> get to LAN3. I hope I'm clear about the problem.
> 
> If it were not possible to do it via IPSec routing, is there any
> other
> solution different than NAT+static routes?
> 
> Thanks in advance!
> -EC


Re: [pfSense] Hardware compatibility

2017-04-07 Thread Jon Gerdes
Jimmy

You really do get what you pay for.  I doubt that you have bothered to
quantify your time and effort in getting some low powered beastie up
and running.

Cost your personal time at say £20 per hour (say 25USD) - that's pretty
reasonable.  Now think about your options.  There are quite a few ready
made low power systems with pfSense pre-installed - no need to go off
piste.

As a rule of thumb for a decent home setup (*) I would personally think
in terms of around £300-500.  That will get you a decent APU2 based
pfSense box, an eight port PoE (netgear) switch and a one or two
Ubiquiti APs for wifi.  Obviously you'll need some cables and back
boxes etc as well.

If you are serious about doing it right you will need decent gear.  If
£500 (620USD) sounds a bit mad then cost your time dealing with
.

Please don't try to do the lowest common denominator thing unless you
really have to - it will end in tears: yours.

Cheers
Jon

(*) You'll need a few VLANs - LAN, WAN, THINGS, KIDS, SEWER (for
devices that should never see the light of day eg IP Cameras 




On Wed, 2017-04-05 at 21:21 +, Eric Landry wrote:
> I know it's a bit more expensive than the Pi devices, but there are a
> few moderately priced open source router devices out there. A few
> months ago, I purchased a Protectli barebones firewall device for
> $200 USD, and it has worked great for my SOHO use. Of course, you'll
> have to provide your own RAM & MSATA, but it's much cheaper than some
> of the other pfsense-compatible devices out there.
> 
> If anyone knows of any other pfsense devices available for $300 or
> less, I'd be interested to know.
> 
> Thanks!
> Eric
> 

Re: [pfSense] Netgate Firmware

2017-03-21 Thread Jon Gerdes

Topic: SG-2440 bios upgrade: 

https://forum.pfsense.org/index.php?topic=127418.msg703237#msg703237


On Mon, 2017-03-20 at 19:49 -0500, Richard A. Relph wrote:
> OK, now you guys have me curious…
> 
> I have a Netgate SG-2440 purchased directly from Netgate. I’ve
> received no emails. I don’t frequent the forums. But I am aware of an
> “alleged” chip issue, which I believe my unit is susceptible to.
> 
> Can someone provide a link to a relevant forum thread?
> 
> Thanks,
> Richard
> 
> 
> > On Mar 20, 2017, at 7:37 PM, Jon Gerdes <gerd...@blueloop.net>
> > wrote:
> > 
> > I understand where you are coming from but I don't think the
> > occasional
> >  note from vendors of pfSense kit that covers issues with high
> > importance (to users as well as vendors) could be classified as
> > spam on
> > the pfSense list. 
> > 
> > There are a lot of Netgate users here and Netgate gear has a bit of
> > a
> > focus, OS-wise.  
> > 
> > In this particular case the issue is not confined to Netgate gear
> > and
> > spelling it out here can't do any harm that I can foresee.  
> > 
> > You may prod users of other hardware platforms to investigate
> > whether they have the affected chips in their systems.  That can't
> > be a
> > bad thing provided the note is presented in a reasonably generic
> > way
> > but obviously you could mention specific products that you know are
> > affected from your range or perhaps a short note pointing Netgate
> > users
> > to a URL for more info.
> > 
> > Cheers
> > Jon
> > 
> > 
> > 
> > On Mon, 2017-03-20 at 19:15 -0500, Jim Thompson wrote:
> > > I tend to be careful about spamming the pfSense list with things
> > > that
> > > aren't directly related to pfSense.
> > > 
> > > Jim
> > > 
> > > On Mon, Mar 20, 2017 at 7:13 PM, Jon Gerdes <gerd...@blueloop.net
> > > >
> > > wrote:
> > > > It might be worth putting a press release style post here as
> > > > well
> > > > anyway.
> > > > 
> > > > Your mailing list may not be perfect and some people have a
> > > > nasty
> > > > habit
> > > > of registering things with their own email address instead of a
> > > > group
> > > > address/alias and then moving on.  Their account gets deleted
> > > > and
> > > > that
> > > > box that does something for the internets stops working and it
> > > > could
> > > > have been fixed by a timely firmware update.
> > > > 
> > > > To be fair, there is quite a lot of chat on the forums about
> > > > this
> > > > and
> > > > any interested pfSenser should be hanging out there as well as
> > > > here.
> > > > 
> > > > 
> > > > 
> > > > On Mon, 2017-03-20 at 18:57 -0500, Jim Thompson wrote:
> > > > > we only sent it to customers of affected units.
> > > > > 
> > > > > On Mon, Mar 20, 2017 at 5:43 PM, WebDawg <webd...@gmail.com>
> > > > > wrote:
> > > > > > Is there any other list for netgate firmware updates?  I
> > > > > > just
> > > > > > received a
> > > > > > notification from sales@pfsense about netgate firmware
> > > > > > updates
> > > > > > but
> > > > > > it was
> > > > > > not sent to this list?

Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jon Gerdes
I understand where you are coming from but I don't think the occasional
  note from vendors of pfSense kit that covers issues with high
importance (to users as well as vendors) could be classified as spam on
the pfSense list. 

There are a lot of Netgate users here and Netgate gear has a bit of a
focus, OS-wise.  

In this particular case the issue is not confined to Netgate gear and
spelling it out here can't do any harm that I can foresee.  

You may prod users of other hardware platforms to investigate whether
they have the affected chips in their systems.  That can't be a
bad thing provided the note is presented in a reasonably generic way
but obviously you could mention specific products that you know are
affected from your range or perhaps a short note pointing Netgate users
to a URL for more info.

Cheers
Jon



On Mon, 2017-03-20 at 19:15 -0500, Jim Thompson wrote:
> I tend to be careful about spamming the pfSense list with things that
> aren't directly related to pfSense.
> 
> Jim
> 
> On Mon, Mar 20, 2017 at 7:13 PM, Jon Gerdes <gerd...@blueloop.net>
> wrote:
> > It might be worth putting a press release style post here as well
> > anyway.
> > 
> > Your mailing list may not be perfect and some people have a nasty
> > habit
> > of registering things with their own email address instead of a
> > group
> > address/alias and then moving on.  Their account gets deleted and
> > that
> > box that does something for the internets stops working and it
> > could
> > have been fixed by a timely firmware update.
> > 
> > To be fair, there is quite a lot of chat on the forums about this
> > and
> > any interested pfSenser should be hanging out there as well as
> > here.
> > 
> > 
> > 
> > On Mon, 2017-03-20 at 18:57 -0500, Jim Thompson wrote:
> > > we only sent it to customers of affected units.
> > > 
> > > On Mon, Mar 20, 2017 at 5:43 PM, WebDawg <webd...@gmail.com>
> > > wrote:
> > > > Is there any other list for netgate firmware updates?  I just
> > > > received a
> > > > notification from sales@pfsense about netgate firmware updates
> > > > but
> > > > it was
> > > > not sent to this list?

Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jon Gerdes
It might be worth putting a press release style post here as well
anyway.  

Your mailing list may not be perfect and some people have a nasty habit
of registering things with their own email address instead of a group
address/alias and then moving on.  Their account gets deleted and that
box that does something for the internets stops working and it could
have been fixed by a timely firmware update.

To be fair, there is quite a lot of chat on the forums about this and
any interested pfSenser should be hanging out there as well as here.



On Mon, 2017-03-20 at 18:57 -0500, Jim Thompson wrote:
> we only sent it to customers of affected units.
> 
> On Mon, Mar 20, 2017 at 5:43 PM, WebDawg  wrote:
> > Is there any other list for netgate firmware updates?  I just
> > received a
> > notification from sales@pfsense about netgate firmware updates but
> > it was
> > not sent to this list?

Re: [pfSense] Unexplained reboots

2016-11-02 Thread Jon Gerdes
If it has an iLO then that may provide some insights in its logs and
possibly a crash screen if there is one.  They quite often default to
"ASR" when they decide the OS watchdog has died

Configure syslog to ship all logs to a remote machine.  Make sure all
clocks are in sync

Does pfSense offer up a crash dump after the reboot?

Finally, patch it ie the BIOS etc.  I can't remember but I'm pretty
sure the G7s can do it from their built in F10 software


On Mon, 2016-10-24 at 21:39 +0200, mayak wrote:
> Hi All,
> 
> I have an HP DL380 G7 with 24G and 2 processors -- ridiculous
> hardware, but I got it for free. It's got 2 power supplies and is
> sitting in a data center.
> 
> This morning around 11:00 CET, it just rebooted, and has now done it
> again at around 21:00.
> 
> The hardware has a few years on it, but was rarely used and is in
> excellent condition.
> 
> What can I do to help figure out what is happening?
> 
> Many Thanks
> 
> M

Re: [pfSense] 502 Bad Gateway

2016-07-07 Thread Jon Gerdes
On Tue, 2016-07-05 at 13:19 -0400, Bill Arlofski wrote:
> Hi everyone...
> 
> I noticed after one of the recent upgrades to the 2.2.x "RELEASE"
> series
> everything works perfectly fine for a while but then, I get "502 Bad 


--- snip 

> 
> So, I am suspecting that the php-fpm process is dying (forgot to run
> a ps
> command before restarting it).
> 
> Right now, /tmp/php_errors.txt is a zero byte file but I suspect that
> may be
> due to the restart of php-fpm due to its timestamp. I will take a
> look at this
> file the next time the gui dies.
> 
> 
> Is there anything I can do to increase debugging to help identify why
> this
> process is dying?
> 
> Additional info:  Typically I have a Firefox tab "idling" on the
> dashboard
> page which includes the "Traffic Graphs" widget with 4 graphs,
> Autoscale=Follow and 1 second updates.
> 

Bill

I may be off target here but the IPSEC widget used to cause the php-fpm
daemon to die after a few days.

I haven't looked into it since but removing that widget fixed it for me
on two pfSenses.

Cheers
Jon



 

Re: [pfSense] PFSense and Kibana

2016-06-26 Thread Jon Gerdes
On Sat, 2016-06-18 at 11:07 +0200, Daniel Eschner wrote:
> Hi there,
> 
> I run Suricata on a pfSense. I try to build some dashboards. At first
> everything seems to be running but it seems I have problems with
> domains like linux-nerd.de
> In the dashboard it's shown as linux
> All domains or attacks or whatever with - in the word get broken.
> In Geo I have the same problem. United-States are United and States
> ;)
> 
> Is it a Kibana bug or is it more a dashboard thing?
> Anyone have the same issues with the current
> Kibana/Logstash/Filebeat?
> As you can see in the pictures it's normally autodiscover.marmor-otto.de
> and not 2 different
> domains ;) Same with user agents and so on.

Daniel

This question is not really appropriate here.  The Elastic forums are
where you discuss problems with Kibana (and Elasticsearch, Beats,
Logstash etc.).

I would love to help you here but you don't really give any useful
detail and this is the wrong place.

The ELK stack is a massive piece of work and I have personally spent
weeks if not months getting to grips with it.  I suggest you do the
same if you want to use it in any meaningful way.  That means reading
all the documentation that Elastic supply - and there is lots of it and
it is pretty well written.  Then you will want to do a *lot* of experiments
until you get it to work the way you want it to.

Cheers
Jon


Re: [pfSense] Planning upgrade from 2.0.1-RELEASE to 2.2.6-RELEASE

2016-01-30 Thread Jon Gerdes
On Wed, 2016-01-27 at 00:04 -0500, Ugo Bellavance wrote:
> Hi,
> 
> We're in the process of planning the upgrade of our main site's
> pfSense 
> firewall. It is currently running 2.0.1-RELEASE and we want it to be
> at 
> the latest version.  It is running in a VMWare VM (amd64).

As it is a VM you can try before you buy!  Clone the VM.  Create some
new vSwitches but don't attach them to physical NICs.  Create yourself
a virtual workstation for a client if you like.  You could also deploy
one or more "little" pfSenses to emulate the internet and even put
client machines behind them.  I use the System Rescue CD to create
multiple workstations with minimum effort that have a GUI, browser and
lots of tools available.

Now do the upgrade and test the functionality.  If you really are
worried about anything spend plenty of time on this.

When your maintenance window arrives, dump a copy of the config, have a
copy of the install .iso available, snapshot the VM first, update it
and off you go.  Back out the snapshot after a few days, don't leave it
there.

I and many others here have lots of VMware VM pfSense machines.  My
main work one started life on vSphere 4 as pfSense 1.2.something and is
now bang up to date.

Cheers
Jon

Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-22 Thread Jon Gerdes
On Fri, 2016-01-22 at 12:15 +0100, Antonio Prado wrote:
> On 1/22/16 11:02 AM, Seth Mos wrote:
> > > on a fresh installed box, IPv4 configured on 2 NICs (WAN and
> > > LAN), IPv6
> > > not configured, pfSense starts advertising itself as IPv6 gateway
> > > on LAN
> > > using its link-local address (fe80::/64).
> > > 
> > > That's not the correct behavior I guess.
> > > 
> > > Is it a bug?
> > 
> > No, that sounds about right, it advertises itself as the gateway.
> 
> well, let me disagree.
> when a router (pfSense) has RA disabled (as previously stated in my
> message), it simply should not per RFC 4861.

I've just skimmed through RFC 4861 and couldn't see this.  I then
grepped "disable" (three instances) and I think I found what you mean:
Section 6.2.2:

"The term "advertising interface" refers to any functioning and enabled
interface that has at least one unicast IP address assigned to it and
whose corresponding AdvSendAdvertisements flag is TRUE.  A router MUST
NOT send Router Advertisements out any interface that is not an
advertising interface."

That leads us to look into "AdvSendAdvertisements" and also wonder
whether "at least one unicast IP address assigned" is IPv6 only or
includes v4: Section 2.4:

"address - an IP-layer identifier for an interface or a set of
interfaces."

So that's clear!

I started to follow up on AdvSendAdvertisements but it's also a bit
random.

The standard is a bit woolly.

What is the fault you are actually trying to fix?

Cheers
Jon




> in other words, nevertheless pfSense 2.2.6 has no IPv6 configured
> (i.e.
> no v6 address on interfaces, RA disabled), it advertises itself as
> IPv6 gw.
> 
> let me know
> thank you
> --
> antonio

Re: [pfSense] Latency issues with 2.2.25 Release

2015-11-11 Thread Jon Gerdes
On Wed, 2015-11-11 at 07:47 -0800, Wade Blackwell wrote:
> Good morning list,
> I recently upgraded to 2.2.5-RELEASE (amd64) on a VMware
> stack
> and noticed that my Wan latency shot up by about 100ms rtt. Nothing
> else on
> the box had changed. I reverted to a pre-upgrade snapshot and the
> latency
> went back down to 10-12 ms rtt. Anyone seen anything like this with
> the
> update to 2.2.5?
> 
> -W
> 
> Wade Blackwell

Wade

I have several 2.2.5 upgrades from earlier versions.  Here's one:

[2.2.5-RELEASE][r...@pf1.blueloop.net]/root: ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=54 time=8.658 ms

The above is in a VMware 5.5 (current patch level) ESXi host on a four
node cluster.  The ESXis are a bit variable in power but it makes no
difference to the RTT.

So, are you absolutely sure nothing else changed?  Same host, exactly
the same network path at your end, no funny workloads at the same time
as your upgrade?  No other changes?  Did you leave a VM snapshot
running?  Backups? etc etc.

Have a look at your rrd graphs on the reverted system and see if there
is a pattern that matches the time you did the upgrade.

Incidentally, what version did you back rev to?  Also how are you
measuring WAN RTT time?  What is your WAN anyway?

There are a lot of questions to answer before you can diagnose a fault
in an OS upgrade ...

If you have a spare WAN IP, clone the pfSense VM, give it a WAN IP and a
separate VLAN to play with.  You can detach the vNICs and use the
console to avoid address conflicts.

Put a test client VM on the test VLAN.  Upgrade the pfSense box and see
how you go.  You can torture the clone to your heart's content until you
get to the bottom of the problem.  If you don't have a spare external
IP you can always put the clone "behind" the live one - ie put its WAN
on your LAN.  Remove NAT on the clone and add a static route on the
real one for your test VLAN via the clone.

If you have a virty setup - use it!

Cheers
Jon


Re: [pfSense] OpenVPN and TOTP?

2015-10-05 Thread Jon Gerdes
On Mon, 2015-10-05 at 22:22 +0200, Olivier Mascia wrote:
> Dear all,
> 
> Have you heard of any support (add-on?) for time based one time
> passwords support in OpenVPN?  Along the lines of RFC6238 so it could
> be used with Google Authenticator, Microsoft Authenticator, and the
> countless alike mobile Apps.  Would be interesting to get users to
> use their credentials plus a TOTP when connecting to remote access
> OpenVPN setups. In addition (or not) of certificates.
> 
> On the same train, I'd really like our admins to have to use a TOTP
> in addition to login/password when connecting to pfSense for
> administration.
> 
OVPN can use RADIUS.  So now you need to research wiring TOTP up to
RADIUS but that will be a lot easier because there will be lots of
vendors with pre-cast offerings and no doubt a slew of free software
alternatives.

If you have Win 2008+, which is pretty likely, then that has a lot built
in already.  Whack an NPS role on a DC and follow one of the howtos on
the wiki to get RADIUS working with pfSense and OpenVPN and then fold
in TOTP afterwards.  You also have FreeRADIUS to play with; pfSense
has a package for that which might be worth looking into.

Cheers
Jon


Re: [pfSense] Using pfSense with an external proxy appliance

2015-09-04 Thread Jon Gerdes
On Thu, 2015-09-03 at 09:53 -0500, Erik Anderson wrote:
> Hello,
> 
> Shortly I'm going to need to deal with a situation I've never had to
> sort out before - using pfSense to redirect outbound HTTP(S) from
> clients to an iPrism proxy/filter appliance.
> 
> We're running pfsense v2.2.4.
> 
> Is this possible to do with pfSense in a transparent manner? Or will I
> be forced to reconfigure each client to go through the proxy?
> 
> I've had a search through the forum and mailing list archives, and
> haven't seen anything on this topic.
> 
> Thank you!
> Erik

Erik

You *may* be able to use NAT to do this (basically the opposite to the
way you do inbound NAT for systems from the internet to internal):

Create an alias for a list of ports eg 80, 443

Firewall -> NAT: Port Forward

If LAN
Proto TCP
Src addr 
Src ports any
Dest addr any
Dest ports 
Redirect target IP 
Redirect target port 

Cheers
Jon


Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-20 Thread Jon Gerdes
On Wed, 2015-08-19 at 08:45 -0400, Ted Byers wrote:
> On Wed, Aug 19, 2015 at 4:38 AM, Jon Gerdes gerd...@blueloop.net wrote:
> 
> > Finally, although it is good practice to scan your gear I trust you
> > usually have a firewall rule that prohibits access to the web
> > configurator console except from a few sources.  Also the port you
> > should have shuffled off to a non default.
> 
> Well, the port is shuffled off to something higher than 5.
> 
> I'd have preferred to have set this port to accept connections only
> from my IP and that of my colleague, but while I have a fixed IP
> address, he does not.
> 
> > Cheers
> > Jon

Ted

Perhaps your colleague needs a VPN then if they are unable to get a
fixed IP address.  OpenVPN is ideal for this and dead easy to set up.

I understand it is a bit of an extra layer of faff but if you are going
to the trouble of worrying about DH params on the SSL certificate then
you clearly take security seriously.  Controlling access to the web
admin console (and ssh) is part of the basics ... 

Cheers
Jon


Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-19 Thread Jon Gerdes
On Tue, 2015-08-18 at 23:04 -0400, Ted Byers wrote:
> On our latest penetration test, our pfsense machines were flagged as having
> a SSL/TLS Diffie-Hellman Modulus <= 1024 Bits, allegedly making it
> vulnerable to Logjam.  This is for the web server on the pfsense machine,
> used to administer it.
> 
> I do not, at present, care about the wherefore and why.
> 
> All I want to know is where and how the size of the Diffie-Hellman modulus
> is configured, and what do I change in order to have that set to, say, 2048
> bits.
> 
> Thanks
> 
> Ted
> 

Which version of pfSense?

You can import your own certificate signed externally with whatever
parameters you like and I notice that if I try and generate a new one in
certificate manager (on 2.2.4), it defaults to a key length of 2048 bits
and SHA256.

Finally, although it is good practice to scan your gear I trust you
usually have a firewall rule that prohibits access to the web
configurator console except from a few sources.  Also the port you
should have shuffled off to a non default.

Cheers
Jon


Re: [pfSense] Improving OpenVPN performance

2015-07-01 Thread Jon Gerdes
On Wed, 2015-07-01 at 15:16 +0100, Chris Bagnall wrote:
> Greetings list,
> 
> I'm trying to improve OpenVPN performance on a site-to-site link I have
> between 2 pfSense boxes.
> 
> I am currently only getting around 7Mbps each way via the OpenVPN
> tunnel, measured by running iperf back and forth between Linux servers
> at each end behind the pfSense.
> 
> In each case, tunnel throughput is between 7 and 7.5Mbps.

Chris

Your first job is to establish a real baseline.  That is: How fast can
you really move data between the two sites without any tunnels?  You may
have to be creative with NATting and other tricks to get a system at
each end to see the other.

Once you have a proper figure to work towards then introduce OpenVPN or
IPSEC or whatever.

If your ~18Mbps is a real measured figure then consider:  UDP vs TCP,
MTU, TUN vs TAP.  You don't mention what you are using already.

Cheers
Jon



Re: [pfSense] Clock errors

2015-06-28 Thread Jon Gerdes
On Sun, 2015-06-28 at 14:14 -0400, Brian Caouette wrote:
 
> Update of the clock problem. I've corrected the time zone as was
> mentioned by another list member. Apparently there was a glitch with
> the .3 update. Although the time on the dashboard is correct the
> logs all have bad times in them.
> 
> 
> Brian Caouette (207) 212-6560

I responded in the neg to your original post.  Just verified that my
timezone stayed as the original - Europe/London.  Also both the dash
widget and my logs stayed constant.

I can't see anything here:
https://redmine.pfsense.org/projects/pfsense/search?issues=1&q=timezone

Can you give any more hints as to any specifics like what your timezone
was set to before the upgrade and what it turned into afterwards?

Cheers
Jon


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-20 Thread Jon Gerdes
On Fri, 2015-02-20 at 06:03 +, Chuck Mariotti wrote:
> You could try TCP for the OpenVPN if the phones will support it.  The vast
> majority of your traffic will be UDP so you won't get the joy of TCP in TCP
> exponential standoffs.
> 
> Cheers
> Jon
> 
> The phones do support TCP (an option on a per line basis offers UDP/TCP).
> Could you clarify what you mean by this exactly? A little bit confused...
> 
> It seems the OpenVPN connections are up/down... so you are suggesting to
> switch the OpenVPN connection to TCP instead of UDP?
> Keep the phone UDP?
> 
> The standoffs you suggest, are they the OpenVPN or the Phone data screwing
> up? Or both?
> 
> Chuck

Chuck

TCP, for example, an RDP session or ssh within a TCP tunnel *can* show
horrible performance because TCP has a built in standoff mechanism
(can't remember the name).  If you have TCP within TCP then the effect
of both trying to fix up a dodgy connection can quickly cause an
exponential standoff.  This will manifest itself as the tunnel seeming
to freeze for 5-20 seconds and then carrying on.

As you would be putting UDP traffic, which is fire and forget, through a
TCP OpenVPN the above effect won't happen.  However because OVPN would
use TCP then it will cause the NAT session to be held open, which may
fix the problem that you are having.

So, change the OpenVPN server to listen on TCP (same port if you like).
Also change the firewall rule on WAN for TCP and change the phones to
connect using TCP.

Cheers
Jon


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-18 Thread Jon Gerdes


On Wed, 2015-02-18 at 06:38 +, Chuck Mariotti wrote:
> That's definitely the cable modem's NAT getting confused. If you can get the
> phones to randomize their source ports on their OpenVPN traffic, that might
> resolve. I'm not sure if that's possible on those phones. In stock OpenVPN,
> specifying lport 0 in the config will make it choose a random port. I'm
> not sure if that's configurable for the Yealink phones though. We disable
> that automatically in our OpenVPN client export for Yealink because they
> didn't support it at least up until recently.
> 
> If you can change the modem to bridge mode to pass through the public IP to
> a router of some sort that will properly handle that circumstance, it'll
> resolve that. That might be hit or miss with consumer-grade routers. A
> completely default pfSense config will work fine in that circumstance, as
> it'll randomize the source ports on its own so the phones don't have to.
> 
> 
> Thanks Chris, I've emailed Yealink support but it seems they are off until
> mid-next week (Chinese New Year).
> Not sure what to do, purchase a 3rd party router to see if it solves the problem
> or if I should wait to see what Yealink's answer is first.
> 
> Reading up on the modem seems like bridge mode is a little problematic...
> maybe a call to the cable provider first to see options.
> 
> Thanks Again,
> 
> Chuck

Chuck

You could try TCP for the OpenVPN if the phones will support it.  The
vast majority of your traffic will be UDP so you won't get the joy of TCP
in TCP exponential standoffs.

Cheers
Jon


Re: [pfSense] Multi-WAN port forwarding

2015-02-13 Thread Jon Gerdes

On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote:
> Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no
> luck...
> 
> --Tiernan
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> Sent: Thursday 12 February 2015 20:36
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Multi-WAN port forwarding
> 
> SIP is UDP, not TCP.
> 
> > On Feb 12, 2015, at 12:33 PM, Tiernan OToole tier...@tiernanotoole.ie
> > wrote:
> > 
> > Morning all.
> > 
> > I have a question I hope someone can help me with.
> > 
> > I have my PFSense server with 3 WAN connections, load balanced and I need
> > to start forwarding ports, specifically SIP ports. I have done port
> > forwarding on port 80, and it works grand, but doing the same steps with
> > 5060, not so much…
> > 
> > The steps I took were:
> > 
> > Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both
> > *, dest = WAN1 address, dst port 5060, nat IP (internal ip of the voip
> > box), nat ports 5060
> > 
> > Did this for each WAN connection and again for other ports… but the VoIP
> > firewall checker is still telling me the ports ain't open… What am I doing
> > wrong?
> > 
> > It works on port 80! Why not SIP?!
> > 
> > Thanks.
> > 
> > --Tiernan

Start by making sure that traffic is actually hitting the rule.  Enable
logging on the rule and/or run a packet capture on the pfSense box with
the interface set to the WAN link, proto UDP port 5060.

You could also do a pcap on the LAN interface with the IP of the PBX to
see both directions.  Install Wireshark on your PC to look deeply into
the pcap (download button).

Once you get SIP to work, which is usually pretty easy, then you get to
diagnose why you get one way audio (RTP).  Hopefully that won't happen.
Symmetric RTP is your friend here ...

Another thing to watch out for is SIP ALGs upstream of the pfSense and
making sure that your VoIP system knows its external IP address.

Cheers
Jon 


Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes

 
> I can get the soft phone on the workstation to work through the
> firewall to register to the asterisk server and make a call to the LAN
> phone but cannot get the cisco phone to work to do the same.  I have
> tried also turning on SIProxd and nothing changes.  Any help would be
> much appreciated.
> 
Investigate Symmetric RTP.



Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
On Sun, 2015-02-01 at 17:56 +, Jon Gerdes wrote:
  
> > I can get the soft phone on the workstation to work through the
> > firewall to register to the asterisk server and make a call to the LAN
> > phone but cannot get the cisco phone to work to do the same.  I have
> > tried also turning on SIProxd and nothing changes.  Any help would be
> > much appreciated.
> > 
> Investigate Symmetric RTP.

Whoops, sorry - that is unlikely to help.  One possibility is to get the
second phone that isn't working to use a different port eg 5061 for SIP.

Your ASCII art got munged up somewhere (probably by my mail client) so
it is hard to see what is going on.

Cheers
Jon


Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
On Sun, 2015-02-01 at 18:20 +, Jon Gerdes wrote:
> On Sun, 2015-02-01 at 17:56 +, Jon Gerdes wrote:
> > > 
> > > I can get the soft phone on the workstation to work through the
> > > firewall to register to the asterisk server and make a call to the LAN
> > > phone but cannot get the cisco phone to work to do the same.  I have
> > > tried also turning on SIProxd and nothing changes.  Any help would be
> > > much appreciated.
> > > 
> > Investigate Symmetric RTP.
> 
> Whoops, sorry - that is unlikely to help.  One possibility is to get the
> second phone that isn't working to use a different port eg 5061 for SIP.
> 
> Your ASCII art got munged up somewhere (probably by my mail client) so
> it is hard to see what is going on.

OK - do you really need NAT?  It looks as though you are NATing from WAN
to LAN but this is not needed.

Assuming that everything in the diagram is all that we need to worry
about:

* Set advanced NAT (done already I think)
* Remove all NAT rules - inbound and outbound

For this sort of thing you should never need a SIP proxy or anything
else for that matter.  Just some holes for SIP and RTP.

Cheers
Jon


Re: [pfSense] 2.2 Packages

2015-01-30 Thread Jon Gerdes
On Fri, 2015-01-30 at 15:07 -0500, Brian Caouette wrote:
> Where is a good place to monitor for package updates for 2.2? I had to
> revert back to 2.1.5 after a fatal error shut me down.

Talk to the lists, forums, IRC (probably somewhere).  The core distro
has a pretty good changelog and bug tracker but the other bits -
packages - can be a bit random.  For those you generally have to rely on
the community.  

The whole point of the extra packages is to provide additional
functionality but on a volunteer basis.  You can't expect the core devs
to cover say Asterisk or Squid (unless they fancy it).  Let's face it,
keeping the core stuff working properly is pretty much like herding cats
as it is.

What caused the revert, i.e. what package?  We can't help you unless you
provide some clues.

Cheers
Jon


Re: [pfSense] NetFlow analysis tools

2015-01-16 Thread Jon Gerdes
On Thu, 2015-01-15 at 17:08 +0100, b...@todoo.biz wrote:
> Hello,
> 
> I would like to know which flow-tools you are using in conjunction with
> pfflowd / netflow
> 
> I am particularly interested in GUI back-end.
> 
> If you have any good pointer, that would really be helpful.
> 
> 
> 
> Sincerely yours.

Softflowd -> Logstash receiver -> Redis -> Logstash indexer ->
Elasticsearch -> Kibana

Logstash has a Netflow input and then I use the GeoIP and DNS filters to
augment the data, finally in Kibana I plot the flows on a map from the
GeoIP.  That single report has told me an awful lot.

For example someone came to our office and had a SSL VPN of some sort,
they also use an external web proxy.  Before they fired up the VPN their
flows were going through European IPs.  As soon as the VPN was started,
their 443/tcp flows instantly switched to the US.  When the VPN was shut
down it moved back to Europe.  Coincidence - perhaps.  I couldn't do
much more testing in the time available.

Cheers
Jon




Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-19 Thread Jon Gerdes
On Fri, 2014-06-13 at 18:13 +0100, Brian Candler wrote:
> On 12/06/2014 23:06, Jon Gerdes wrote:
> > My new ISP only provides a /29 from which WAN always gets the first one
> > via PPPoE.
> > 
> > I put the second address from the /29 onto an interface and the
> > remaining four onto my externally facing systems.
> You should be able to use the same IP address for both WAN and LAN
> (Cisco calls this 'unnumbered': your PPP interface is using the IP
> address from another interface)
> 
> 192.0.2.1 = WAN interface of firewall
> 
> 192.0.2.1/29 = LAN interface of firewall
> 192.0.2.2..6 = other devices
> 
> This saves the provider burning a /32 for the WAN (or even a /30
> point-to-point subnet, old skool)
> 
> Regards,
> 
> Brian.

Brian

Thanks for giving me the technical term and after some Googling, several
systems support unnumbered interfaces but it seems not pfSense out of
the box, unless I am missing something.

I can't see a way of getting WAN to come up without an address and
setting LAN as in your example does not work - you get the quite
reasonable error address in use.

I am pretty happy with losing one address to get this working but I
might submit a feature request for this unless someone can point me into
how to do it.  Even OpenWRT can do this:
http://patchwork.openwrt.org/patch/4181/ (good description, links and
code there)

Cheers
Jon


[pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
I have recently decided to change ISP.  The old one provides a /32 for
WAN via PPPoE and a routed /29 block of 8 (6 usable) from which I put
the first one on an interface and the remaining 5 on systems so they get
an externally routable IP but with pfSense protection.  This is pretty
much how IPv4 was supposed to be before NAT was invented.

My new ISP only provides a /29 from which WAN always gets the first one
via PPPoE.

I put the second address from the /29 onto an interface and the
remaining four onto my externally facing systems.

I moved a web server over to the new scheme and it works fine,
internally, externally and over an IPSEC VPN so it all looks good.

As far as I can tell, the only downside is I lose another address to act
as the gateway.

Can anyone spot any flaws with this method or is it a general practice?

Cheers
Jon

PS My real motivation for this is to avoid having to go back to split
horizon DNS again which would mean resurrecting BIND and a complicated
views setup - the horror!


Blueloop Ltd

Jon Gerdes | Senior Consultant

Blueloop House
Ilchester Road
Yeovil
Somerset BA21 3AA

Tel: 01460271055
Web: www.blueloop.net



Registered Address : Blueloop House, Ilchester Road, YEOVIL, BA21 3AA 
Registered England & Wales - 3981322

CONFIDENTIAL INFORMATION
This e-mail and any files attached with it are confidential and for the sole 
use of the intended recipient(s). If you are not the intended recipient(s) you 
are prohibited from using, copying or distributing this or any information 
contained in it and should immediately notify the sender and delete the message 
from your system.

Internet communications are not secure and Blueloop Limited is not responsible 
for unauthorised use by third parties nor for alteration or corruption in 
transmission. Furthermore, while Blueloop Limited have taken reasonable 
precautions to minimise the risk of software viruses, it cannot accept 
liability for any damage which you may suffer as a result of such viruses, and 
we therefore recommend you carry out your own virus checks on receipt of any 
e-mail.


Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
On Thu, 2014-06-12 at 23:23 +0100, Chris Bagnall wrote:
> On 12/6/14 11:06 pm, Jon Gerdes wrote:
> > As far as I can tell, the only downside is I lose another address to act
> > as the gateway.
> > Can anyone spot any flaws with this method or is it a general practice?
> 
> Certainly assigning the first IP in a /29 to the PPPoE client is fairly
> standard practice in the UK (which I see you are). My $dayjob is an ISP
> and assigning the first IP to the PPPo{A|E} client is our normal config
> for anything from a /30 down to a /27.

Being on the receiving end of many ISPs that does seem to be standard
practice apart from AAISP and TalkTalk Business (except when the wind
changes direction and EFM is involved!)

> > I put the second address from the /29 onto an interface and the
> > remaining four onto my externally facing systems.

> I believe (though haven't tried it in anger with the post-2.0 pfSense
> versions - I recall doing it years ago with a 1.2.x version) you can use
> an OPT interface for your WAN (instead of the default WAN interface),
> then bridge LAN and OPT1, thus only 'losing' one of your IPs to the
> firewall rather than two.

I like the sound of that - I now recall reading about that technique
ages ago but had forgotten about it.  I can still play before committing
to the final config.

> (it's nice to be able to use a true /29 range if you can, but with RIPE
> IPv4 allocations as tight as they are these days, hang onto yours for
> dear life :-) )

Many ISPs are still doling them out like sweeties for a few quid one off
fee.  It's not sustainable.

Thanks for the quick response.

Cheers
Jon




Re: [pfSense] PFSense OpenVPN General Q

2014-04-15 Thread Jon Gerdes
On Tue, 2014-04-15 at 10:34 -0500, Kevin Boatswain wrote:
> Hello all,
> I am in the process of switching out all of the certificates on my home
> pfsense box.
> In the past I have used a real CA for the web-interface and a PFSense
> Internal CA for the OpenVPN Config.
> Any of you that use PFSense in Corporate Environments, do you use a
> real CA for OpenVPN or are many of you still using the Internal CA for
> OpenVPN Traffic?

IMNSHO an internal CA is always preferable to a commercial one for real
security - assuming it is set up correctly.

Ideally you have a root CA that never sees a network and is a bare bones
system that only creates intermediate CAs and nothing else and is
usually stored shutdown and cloned offsite.  You transfer the newly
minted intermediate CA's cert out by hand (I allow myself to use a USB
drive that has been newly formatted - you can go too far!)

My PFs gets an intermediate CA from the root and at least I know that is
unlikely to be the weakest link and the intermediates can be revoked and
a CRL generated by root to that effect.

I also shuffle access to the web interface to another port and only ever
allow access to it from particular IPs - never open to the world at
large.

It's only a small amount of extra fiddling but closes off a reasonably
large number of potential problems, including as it turns out working
towards mitigating some of the fallout from Heartbleed: My root CA has
never seen the internet.

I don't for a minute believe that I can keep the 5is out or any other
well funded state agency or a sufficiently well motivated cracker but
I'm buggered if script kiddies will get past me.

Cheers
Jon


Blueloop Ltd

Jon Gerdes | Senior Consultant

Blueloop House
Ilchester Road
Yeovil
Somerset BA21 3AA

Tel: 01460271055
Web: www.blueloop.net



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
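An added example (not Jon's code, nor anything from pfSense) of the layout the post above describes, driven with the openssl command line: a root that only ever signs an intermediate, the intermediate issuing the OpenVPN server certificate, and a CRL issued by the root that revokes that intermediate. All names and paths are made up, and it assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the list post: an offline root that signs only an
# intermediate CA, the intermediate signing the pfSense/OpenVPN server cert, and
# a root-issued CRL revoking that intermediate. Names and paths are made up.
set -e
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
build_pki() {   # fresh scratch dir on every call, so it can be run repeatedly
  W=$(mktemp -d); cd "$W"; mkdir rootca; : > rootca/index.txt; echo 1000 > rootca/crlnumber
  cat > rootca/ca.cnf <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = root
[root]
database = $W/rootca/index.txt
crlnumber = $W/rootca/crlnumber
certificate = $W/root.crt
private_key = $W/root.key
default_md = sha256
default_crl_days = 30
EOF
  # Root: self-signed, keyCertSign+cRLSign only; this key is meant to live off the network.
  openssl req -config rootca/ca.cnf $EC -subj "/CN=Example Offline Root" -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext -out root.crt 2>/dev/null
  # Intermediate: CSR hand-carried to the root; pathlen:0 so it cannot mint further CAs.
  openssl req -config rootca/ca.cnf $EC -subj "/CN=Example pfSense Intermediate" -keyout inter.key -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 -extfile inter.ext -out inter.crt 2>/dev/null
  # OpenVPN server cert: issued by the intermediate, never by the root.
  openssl req -config rootca/ca.cnf $EC -subj "/CN=vpn.example.net" -keyout vpn.key -out vpn.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > vpn.ext
  openssl x509 -req -in vpn.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 -extfile vpn.ext -out vpn.crt 2>/dev/null
}
verify_leaf() {   # full chain vpn <- inter <- root, without revocation data
  openssl verify -CAfile root.crt -untrusted inter.crt vpn.crt >/dev/null 2>&1 && echo valid || echo invalid
}
revoke_intermediate() {   # run on the root: mark inter.crt revoked, then publish root.crl
  openssl ca -config rootca/ca.cnf -revoke inter.crt 2>/dev/null
  openssl ca -config rootca/ca.cnf -gencrl -out root.crl 2>/dev/null
}
verify_intermediate() {   # what a relying party sees once it has root.crl
  out=$(openssl verify -crl_check -CAfile root.crt -CRLfile root.crl inter.crt 2>&1) && { echo valid; return; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}
build_pki; echo "leaf chain before revocation: $(verify_leaf)"
revoke_intermediate; echo "intermediate after root CRL: $(verify_intermediate)"
```

The intermediate's certificate and root.crl are the only two artefacts that ever leave the root machine; root.key stays where it is.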


Re: [pfSense] IPSEC bug in 2.1

2013-12-12 Thread Jon Gerdes
 
> There exists an IPSEC bug in pfSense 2.1
> 
> When the router's modem is restarted, the IPSEC tunnel fails to come back
> up.
> 
> This bug is documented in the following places by numerous people:
> 
> https://redmine.pfsense.org/issues/3321
> http://forum.pfsense.org/index.php/topic,69235.0.html
> http://forum.pfsense.org/index.php/topic,68776.0.html
> http://forum.pfsense.org/index.php/topic,67929.0.html
> http://forum.pfsense.org/index.php/topic,67625.0.html
> 
> Regards,
> Christian Borchert

Christian

I run an awful lot of IPSEC tunnels and I generally don't get the problem you 
describe in your trouble ticket which is not the same as the fault that is 
barely described in the first forum posting you link.  The rest are TL;DR for 
me.

Please try disabling DPD at both ends and set the address that you ping to any 
address other than those on the other end's router  - that address doesn't even 
have to exist, it just has to be within the remote subnet but not one that is 
bound to the router doing the IPSEC.

Incidentally your report in Redmine does not describe what the other end 
actually is - is it another pfSense box or something else?

Cheers
Jon

Registered Address : Blueloop House, Ilchester Road, YEOVIL, BA21 3AA
Registered England  Wales - 3981322

CONFIDENTIAL INFORMATION
This e-mail and any files attached with it are confidential and for the sole 
use of the intended recipient(s).  If you are not the intended recipient(s) you 
are prohibited from using, copying or distributing this or any information 
contained in it and should immediately notify the sender and delete the message 
from your system.

Internet communications are not secure and Blueloop Limited is not responsible 
for unauthorised use by third parties nor for alteration or corruption in 
transmission.  Furthermore, while Blueloop Limited have taken reasonable 
precautions to minimise the risk of software viruses, it cannot accept 
liability for any damage which you may suffer as a result of such viruses, and 
we therefore recommend you carry out your own virus checks on receipt of any 
e-mail.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] SIP problems.

2013-10-15 Thread Jon Gerdes
I use these parameters which seem to work regardless of where the phone is (NAT 
or VPN)

nat=yes for all devices whether internal (VPN) or external
Set the RTP ports to the same as the Asterisk server or make the server range a 
superset of the device's ranges
Enable symmetric RTP
Enable keep alives on the phones - some may have a NAT keep alive option

Make sure you have defined your localnet on Asterisk for each internal 
subnet.  I usually put  10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 and 
192.168.20.0/255.255.0.0 in on all Asterisks I configure - it covers most 
eventualities.

Hope this helps

Cheers
Jon


 
> I have nat=no set for those devices since it's over a tunnel (I've tried
> yes and strict as well I think).
> My RTP range is 1-2 on the asterisk device. (and they are allowed
> through the firewall)
> At the moment I'm using a snom m9 (RTP range 49152-65534)
> but I've seen the same issues with an aastra 480 (rtp 3000-3003)
> and a digium d50 (not sure on the RTP ports)
> 
> Should any of this matter over an OpenVPN tunnel? or only over NAT?
> 
> I'm not just losing voice btw (which I assume is the RTP), I'm losing all
> connectivity (which I'm assuming means my SIP session is down).
> 
> 
> On Mon, Oct 14, 2013 at 5:12 AM, Jon Gerdes gerd...@blueloop.net wrote:
> 
>> Are you using symmetric RTP?  If not, try that along with a keep alive
>> option.  As the RFC for it states it should be a default - shame it isn't
>> on many systems. It fixes a lot of snags for me.
>>
>> I have a phone - Cisco 504G - on my desk that can go weeks without
>> making/taking a call and yet just works.  The PBX - Asterisk 11 - for it
>> is over 50 miles away, behind pfSense 2.1 (formerly 2.0.{1,2,3}), at one
>> stage over IPSEC and now simply NATted.
>>
>> Your problem is almost certainly the phone setting up an RTP port at
>> registration and then assuming it can carry on using it.  The state goes at
>> one end or the other and then calls fail.  By using symmetric RTP you
>> effectively fix the RTP port at both ends and the state will properly keep
>> alive - at both ends, PBX and phone.
>>
>> Also make sure that your RTP port range is the same at both ends.  There
>> are many range defaults depending on manufacturer.  Asterisk defaults to
>> 1-2 (check /etc/asterisk/rtp.conf) but Cisco for example does not.
>>
>> So:
>> Get the RTP ranges fixed up
>> Use symmetric RTP
>> Use keep alives
>>
>> Cheers
>> Jon
>>
>>
>>
>>
>>> Already tried that, I think they are pinged every 30sec from the asterisk
>>> side.
>>>
>>>
>>> On Thu, Oct 10, 2013 at 10:05 AM, Vick Khera vi...@khera.org wrote:
>>>
>>>> Can you configure your phones to do a keepalive ping? It sounds like
>>>> the states are timing out.
>>>>
>>>>
>>>>
>>>> On Wed, Oct 9, 2013 at 5:44 PM, palesius . pales...@gmail.com wrote:
>>>>
>>>>> To take a break from all the NSA talk...
>>>>>
>>>>> I'm having some trouble routing traffic over an openvpn tunnel between
>>>>> two pfsense firewalls. Asterisk server on one end, a couple of different
>>>>> phones on the other side.
>>>>>
>>>>> It was working fine when we had monowall on both ends. (W/ipsec tunnel)
>>>>> Since changing to pfsense it will register with the server just fine but
>>>>> will lose its connection anywhere from a few minutes to hours later.
>>>>>
>>>>> I've tried both ipsec and openvpn tunnels and have pretty much the same
>>>>> result. I know mono and pfsense use a different firewall engine, is there
>>>>> something obvious I should set/change to fix this.
>>>>>
>>>>> I had kind of dropped the issue a few months ago but wanted to take
>>>>> another stab at it. I'll try to do some packet captures but don't have any
>>>>> at the moment. Just hoping there is some easy general fix for getting SIP
>>>>> working that someone else has already discovered.
>>>>>
 




Re: [pfSense] SIP problems.

2013-10-14 Thread Jon Gerdes
Are you using symmetric RTP?  If not, try that along with a keep alive option.  
As the RFC for it states it should be a default - shame it isn't on many 
systems. It fixes a lot of snags for me.

I have a phone - Cisco 504G - on my desk that can go weeks without 
making/taking a call and yet just works.  The PBX - Asterisk 11 - for it is 
over 50 miles away, behind pfSense 2.1 (formerly 2.0.{1,2,3}), at one stage 
over IPSEC and now simply NATted.

Your problem is almost certainly the phone setting up an RTP port at 
registration and then assuming it can carry on using it.  The state goes at one 
end or the other and then calls fail.  By using symmetric RTP you effectively 
fix the RTP port at both ends and the state will properly keep alive - at both 
ends, PBX and phone.

Also make sure that your RTP port range is the same at both ends.  There are 
many range defaults depending on manufacturer.  Asterisk defaults to 
1-2 (check /etc/asterisk/rtp.conf) but Cisco for example does not.

So:  
Get the RTP ranges fixed up
Use symmetric RTP
Use keep alives

Cheers
Jon 



 
> Already tried that, I think they are pinged every 30sec from the asterisk
> side.
> 
> 
> On Thu, Oct 10, 2013 at 10:05 AM, Vick Khera vi...@khera.org wrote:
> 
>> Can you configure your phones to do a keepalive ping? It sounds like
>> the states are timing out.
>>
>>
>>
>> On Wed, Oct 9, 2013 at 5:44 PM, palesius . pales...@gmail.com wrote:
>>
>>> To take a break from all the NSA talk...
>>>
>>> I'm having some trouble routing traffic over an openvpn tunnel between
>>> two pfsense firewalls. Asterisk server on one end, a couple of different
>>> phones on the other side.
>>>
>>> It was working fine when we had monowall on both ends. (W/ipsec tunnel)
>>> Since changing to pfsense it will register with the server just fine but
>>> will lose its connection anywhere from a few minutes to hours later.
>>>
>>> I've tried both ipsec and openvpn tunnels and have pretty much the same
>>> result. I know mono and pfsense use a different firewall engine, is there
>>> something obvious I should set/change to fix this.
>>>
>>> I had kind of dropped the issue a few months ago but wanted to take
>>> another stab at it. I'll try to do some packet captures but don't have any
>>> at the moment. Just hoping there is some easy general fix for getting SIP
>>> working that someone else has already discovered.
>>>






___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
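An added configuration example, not from either of Jon's two "SIP problems" replies above, showing the checklist they give (RTP ranges matched at both ends, symmetric RTP, keep-alives, nat=yes, a localnet for each internal subnet) as Asterisk 11 chan_sip settings. The subnets, the public address and the RTP range are illustrative values, and the peer name and secret are placeholders.

```ini
; Added example, not from the list posts: the two replies' checklist written out as
; Asterisk 11 chan_sip settings. Subnets, public address and RTP range are illustrative.

; /etc/asterisk/rtp.conf - the PBX range must cover every phone's range, or the
; phones must be set to exactly this range
[general]
rtpstart=10000
rtpend=20000

; /etc/asterisk/sip.conf
[general]
; nat=yes on Asterisk 11 is the deprecated alias of force_rport,comedia;
; "comedia" is chan_sip's name for symmetric RTP: send media back to where it came from
nat=force_rport,comedia
; one localnet per internal or VPN subnet, so those peers are not treated as NATted
localnet=10.0.0.0/255.0.0.0
localnet=172.16.0.0/255.240.0.0
localnet=192.168.0.0/255.255.0.0
; not in the posts, but needed when the PBX itself sits behind pfSense NAT
externaddr=203.0.113.10   ; RFC 5737 example address, stands in for the WAN IP
rtpkeepalive=15           ; RTP keep-alive during a call keeps the firewall state open
qualify=yes               ; OPTIONS pings between calls keep the signalling state alive
qualifyfreq=30

[deskphone]               ; placeholder peer, whether behind NAT or on the VPN
type=friend
host=dynamic
secret=PLACEHOLDER-CHANGE-ME
context=internal
nat=force_rport,comedia
qualify=yes
```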