Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Hi Tim!

I haven't been using pfSense for very long, but under Firewall - Rules you should have a tab "OpenVPN". Try putting some rules there; it works for me.

Setting up an extra interface used to be done in older pfSense versions, no idea if it's still valid. Maybe someone more experienced can give some info on that.

Hope it helps!
Vassilis

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Tim Nelson wrote on 12.10.2011 23:37:
> Ah yes, that does in fact work, thanks. However, I like the idea of having
> each VPN appear as a separate OPT for ease of rule configuration. Is it safe
> to say this is not the way it was intended to work and all rules must be
> placed on the OpenVPN interface?
>
> --Tim

That's a question that interests me too. I used to have a "dev tunX" option in each client/server I had configured and a separate interface for each. That did indeed make configuration easier, as one could set up the rules more easily. Defining a source is now more difficult if it's coming through the VPN, as there might be many different IP ranges behind a connection.

Vassilis
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Jim Pingle wrote on 12.10.2011 23:55:
> In 2.0 each interface is renamed in a unique way so you do not need dev
> tun or any similar entries in the options.
>
> You can assign the interfaces if you want (set an IP type of 'none' on
> them) and filter individually if you want, too.
>
> I run with two of mine assigned and 3+ more unassigned and have no issues.

Hi Jim,

Thank you for the info! Would the rules on the assigned tabs have priority over the unassigned OpenVPN tab? Or is the unassigned tab bypassed as long as there is an assigned one?

I noticed the unique renaming; is it also stable? E.g. will ovpns1 always be the same server as written in () next to it?

Vassilis
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Most of the time I have had trouble with the routing and not with the firewall rules. Check that the client has the correct gateway set for the LAN subnet and that the "push route" is added correctly. A traceroute from the client can help you see whether the packets are being sent through the VPN tunnel.

If it is actually the firewall blocking, you should be able to see the block in the firewall log.

Vassilis
Re: [pfSense] Hardware recommendation
Hello Luis!

I have a similar installation at home and I have been using a Supermicro X7SPE-HF with a D510 Atom processor. The CPU power is pure overkill, but I love the IPMI feature; it has saved me many times and helps me monitor it.

Some recommendations are:

- Depending on where the firewall will be in your house, you might not want any PSU or other fans working 24/7. My barebone is not "loud", but the PSU fan is not silent either.

- As was also suggested, don't focus too much on the built-in WiFi. You will pay a good amount of extra money for it and you will probably end up with a less-than-ideal spot where the firewall/WLAN AP will be. So just make sure you have an extra NIC for the wireless interface and put a wireless router there.

- Support the companies that support pfSense. If you find the hardware that best suits you, see if the companies from the link have what you need. By supporting them you help pfSense.

Vassilis
Re: [pfSense] Forwarding an external port according to user
Hello David!

You seem to be over-complicating things :) If I understand you correctly, you want to have your users authenticate themselves in order to have limited access to the work network and offer them certain services there.

You already mentioned your solution but dismissed it! What you want to set up, and what would solve all your problems with high security, is a VPN. Your workers connect to the VPN (there are clients for every OS), and immediately they have access to "their" PC at work. No need to open individual ports for VNC, SMB etc. If you want each user to only be able to connect to his own PC, have every user get a fixed IP (described in the book) and then set up rules in the OpenVPN tab so that each IP can only access certain PCs.

The added benefit of a VPN is that the traffic is encrypted and each user must authenticate himself with certificates (and/or username/password).

Hope it helps!
Vassilis
Re: [pfSense] Forwarding an external port according to user
David Brown wrote on 10/24/2011 02:34 PM:
> Using a VPN is certainly a possibility - our "road warriors" who use a laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my home machine regularly to access everything in the network here. Where VPNs are the right solution, they are what we use.
>
> But I see two disadvantages of VPNs. They give too much access. Obviously firewall rules can be added to limit access in some ways, but it is somewhere between difficult and impossible to get the right balance between security and functionality here. How do I set up firewalls that let the user access company files on a server from their home machine without also opening these files to whatever malware they've installed? I can proscribe rules and regulations for computers on the company network, I can monitor them for suspicious behaviour, and do regular checks. But I can't do that for people's home computers. I can do so on a limited basis for a few users, especially for those with company laptops that they use from home or outside, but it is not scalable in general.

I can't agree that VPNs give too much access. The way the VPN in pfSense is configured, it gives exactly the amount of access that you allow. Having a VPN connection that allows only connecting to port 5900 on a certain PC is a piece of cake.

If you want to offer Samba to your users, you shouldn't really port forward the ports to WAN. Even if you limit the source IP it feels somehow wrong to do it :) But it's more of a general question whether you want to give them access to Samba or not; the tool you want to use (port forward or VPN) doesn't matter.

> The other disadvantage of a VPN is that we use a lot of specialised software - people can't easily install it on their home machines. They may also need different sorts of access to different machines - trying to get routing and firewalling rules that allow this over a VPN without being too permissive is hard.

I didn't clearly describe the solution I proposed: they would still use VNC to work on their work PC. They would just tunnel it through the VPN and have access only to port 5900 on their PC.

> With VNC, both these issues are solved, since they are effectively working on their company desktops. Obviously running VNC over a VPN would improve the security, since everything is encrypted, and it would be possible to set that up. In particular, it would be easier to set OpenVPN rules to say only port 5900 is allowed, than to try to give all the required firewall rules to let users get local access from home machines to the company systems.

Exactly! :-) And it would be a lot easier to configure/expand/maintain/monitor in the future.

> But encrypting VNC over a VPN is not really necessary - it is probably easier to use UltraVNC (or any other VNC with encryption built-in). It is also not much of a security issue since most employees have the same ISP as the company - there is very little possibility of eavesdropping or other attacks.

I also use VNC a lot, but personally I wouldn't do it in the "open" via a port forward. There might be some fancy software that offers "encryption", but personally I prefer to tunnel it through a VPN for security reasons. I trust OpenVPN with certificates far more than UltraVNC with "encryption".

Having OpenVPN installed on the home PC really isn't a problem, even for Windows users. You can have ready-to-deploy zip files with the config and the certificates ready for each user. They wouldn't have to remember any passwords, and via the firewall rules you could make sure they only have access to the VNC port.

Vassilis
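The "fixed IP per user, then a rule per IP" setup proposed in the two replies above (to David, 24.10.2011, and in the earlier reply on the same thread), worked through as an added example. This is not code from the thread or from pfSense. It assumes a tunnel network of 10.0.8.0/24 with the server at 10.0.8.1, an OpenVPN server interface named ovpns1, VNC on TCP/5900, and a made-up table of certificate common names and workstation addresses. It emits the client-specific override line (OpenVPN's ifconfig-push, which is what the pfSense "Client Specific Overrides" tunnel-network field produces) for either the default net30 topology or topology subnet, plus the pf rules the OpenVPN tab needs so that each tunnel address can reach only its own desktop, with a logged default deny at the end.

```python
"""Per-user OpenVPN addresses and matching pf rules (added example).

Not from the thread or from pfSense. Assumed: tunnel 10.0.8.0/24, server
10.0.8.1, interface ovpns1, VNC on 5900; USERS is constructed data.
"""
import ipaddress

VNC_PORT = 5900
TUNNEL = ipaddress.ip_network("10.0.8.0/24")
IFACE = "ovpns1"

# Constructed sample: client certificate CN -> that user's own workstation.
USERS = {
    "alice": "192.168.1.21",
    "bob": "192.168.1.22",
    "carol": "192.168.1.23",
}


def assign_tunnel_ips(users, tunnel=TUNNEL, topology="subnet"):
    """Give every user a stable tunnel address, so rules can key on it.

    topology="subnet": one host address per user (.10, .11, ...), pushed
    with the netmask.  topology="net30" (OpenVPN's default for tun in
    2.0/2.1): each client owns a /30 pair, client = base+4k+2 and the
    server-side endpoint = base+4k+1; k=0 is the server's own pair, so
    clients start at k=1 (the familiar first-client address .6).
    """
    base = int(tunnel.network_address)
    out = {}
    for k, name in enumerate(sorted(users), start=1):
        if topology == "subnet":
            client = ipaddress.ip_address(base + 9 + k)
            peer = str(tunnel.netmask)
        elif topology == "net30":
            client = ipaddress.ip_address(base + 4 * k + 2)
            peer = str(ipaddress.ip_address(base + 4 * k + 1))
        else:
            raise ValueError(f"unknown topology {topology!r}")
        if client not in tunnel:
            raise ValueError("tunnel network exhausted")
        out[name] = (str(client), peer)
    return out


def check_assignments(assignments, tunnel=TUNNEL):
    """Refuse duplicate or reserved addresses before anything is deployed."""
    base = int(tunnel.network_address)
    reserved = {ipaddress.ip_address(base + 1), ipaddress.ip_address(base + 2)}  # server's own endpoints
    seen = set()
    for name, (ip, _peer) in assignments.items():
        addr = ipaddress.ip_address(ip)
        if addr in reserved or addr not in tunnel or addr in seen:
            raise ValueError(f"{name}: {ip} is reserved, outside {tunnel}, or already used")
        seen.add(addr)
    return True


def ccd_entries(assignments):
    """One client-config-dir file per CN; this is the override pfSense writes."""
    return {name: f"ifconfig-push {ip} {peer}\n" for name, (ip, peer) in assignments.items()}


def pf_rules(assignments, users, iface=IFACE, port=VNC_PORT):
    """pf rules for the OpenVPN tab: each user reaches only VNC on their own PC."""
    rules = ["# OpenVPN tab: one pass rule per user, then deny and log the rest"]
    for name in sorted(users):
        ip, _peer = assignments[name]
        rules.append(
            f"pass in quick on {iface} proto tcp from {ip} to {users[name]} "
            f"port {port} flags S/SA keep state  # {name}"
        )
    rules.append(f"block in log on {iface} all  # default deny")
    return rules


if __name__ == "__main__":
    plan = assign_tunnel_ips(USERS, topology="net30")
    check_assignments(plan)
    for cn, text in ccd_entries(plan).items():
        print(f"ccd/{cn}: {text.strip()}")
    print("\n".join(pf_rules(plan, USERS)))
```

The point of keying the rules on the pushed address rather than on "OpenVPN net" is that the certificate, not the user's home network, decides which desktop is reachable; the final block rule is what makes the tab a whitelist instead of the any-to-any rule most people leave there.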
Re: [pfSense] Double WAN with same GW
Hi!

The only difference from having a different GW for each WAN is that with the same GW you need to specify a different monitor IP for one of the WAN interfaces. The rest of the configuration stays the same.

Choose your monitor IP carefully though: if that IP ever stops responding or has a bad connection, your pfSense will assume that your WAN interface is down.

Vassilis

b...@todoo.biz wrote on 09.07.2012 13:25:
> Hello,
>
> I have seen a couple of threads about dual WAN bound to the same GW.
>
> I wanted to know if there was a "proper" way of dealing with this?
> And what you suggested?
>
> The idea is to set up a "Gateway Group" and be able to define various
> load balancing policies… (Policy based routing) + (2 Tier 1 links)
>
> Any info about the specific "manipulation" we might have to do in this
> case is very welcome! Even if it is to let me know that this is
> impossible to do!
>
> Sincerely yours.
>
> G.B.
>
> Grégory Bernard, Director
> www.osnet.eu
> Your provider of OpenSource appliances
[pfSense] arp: unknown hardware address format (0x0103)
Hello!

I have been seeing the following message in my system log, repeated every 20-30 seconds:

kernel: arp: unknown hardware address format (0x0103)

The NIC with those errors has some wireless APs connected to it. After some searching I couldn't find any definite answer about the message: is it a broken cable somewhere, is it a bug, can I ignore it, can I get rid of the messages?

Hopefully to help the search, I attach a tcpdump output with the exact same timestamp as the message in the system log. It's not always the same MAC address, and they are always present when the error occurs.

Thank you!
Vassilis

(I X'ed out the last digits)

tcpdump -exxn -s 0 -i em1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:59:01.171411 64:a7:69:42:XX:XX > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: [|ARP]
    0x0000:  0103 0002 6f8c 0f09 6a94 052c 8006 70fe  o...j..,..p.
    0x0010:  c0a8 0694 4a7d 848b cf1b 0050 b477 e721  J}.P.w.!
    0x0020:  546a b0b4 5018 403d fb06 5a0d            Tj..P.@=Z.
    0x0000:  64a7 6942 0806 0103
    0x0010:  0002 6f8c 0f09 6a94 052c 8006 70fe c0a8
    0x0020:  0694 4a7d 848b cf1b 0050 b477 e721 546a
    0x0030:  b0b4 5018 403d fb06 5a0d
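What the kernel is complaining about can be read straight off the bytes in the post, as an added example (not part of the original message or of pfSense). FreeBSD's ARP input code checks the hardware-type field (ar_hrd) of every ARP packet against the link types it handles and logs "arp: unknown hardware address format (0x....)" for anything else; the parser below decodes the 8-byte ARP header from the first hex block of the tcpdump above (the bytes after the 0x0806 ethertype) and reports that verdict, and builds an ordinary Ethernet/IPv4 request for comparison. The MAC 64:a7:69:42:00:00 used in the comparison packet is the posted prefix with the X'ed-out bytes replaced by zeros, and 192.168.6.148 is taken from the c0a8 0694 bytes in the dump; both are assumptions for the example.

```python
"""Decode the ARP bytes quoted in the post and show why the kernel logs them.

Added example, not from the original post. POSTED_PAYLOAD is copied from
the first hex block above; build_arp_request() constructs a normal packet
for contrast. The kernel decision modelled here is the ar_hrd check in
FreeBSD's ARP input path, which produces the "unknown hardware address
format" log line.
"""
import socket
import struct

# IANA hardware types seen on real LANs; 0x0001 is what every Ethernet
# and Wi-Fi ARP packet carries. 0x0103 is not an assigned value.
HARDWARE_TYPES = {
    0x0001: "Ethernet",
    0x0006: "IEEE 802",
    0x0018: "IEEE 1394",
    0x0020: "InfiniBand",
}
ETH_P_IP = 0x0800

# The 44 bytes following the ethertype in the posted dump (copied verbatim).
POSTED_PAYLOAD = bytes.fromhex(
    "0103 0002 6f8c 0f09 6a94 052c 8006 70fe c0a8 0694 4a7d 848b "
    "cf1b 0050 b477 e721 546a b0b4 5018 403d fb06 5a0d"
)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP packet (the bytes after the Ethernet header).

    'hw_type' is None exactly when the kernel would log the unknown-format
    message; 'well_formed' is True only for an Ethernet/IPv4 request or
    reply whose address lengths fit the payload.
    """
    if len(payload) < 8:
        raise ValueError("ARP header needs 8 bytes")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", payload[:8])
    info = {
        "hrd": hrd, "pro": pro, "hln": hln, "pln": pln, "op": op,
        "hw_type": HARDWARE_TYPES.get(hrd),
        "well_formed": False,
    }
    body_end = 8 + 2 * hln + 2 * pln
    if (hrd == 0x0001 and pro == ETH_P_IP and hln == 6 and pln == 4
            and op in (1, 2) and len(payload) >= body_end):
        sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:body_end])
        info.update(
            well_formed=True,
            sender=(mac_str(sha), socket.inet_ntoa(spa)),
            target=(mac_str(tha), socket.inet_ntoa(tpa)),
        )
    return info


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Construct a normal Ethernet/IPv4 'who-has' request (hrd=1, op=1)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return (struct.pack("!HHBBH", 0x0001, ETH_P_IP, 6, 4, 1)
            + sha + socket.inet_aton(sender_ip)
            + b"\x00" * 6 + socket.inet_aton(target_ip))


def verdict(payload: bytes) -> str:
    """One line saying what the ARP input code would do with this packet."""
    info = parse_arp(payload)
    if info["hw_type"] is None:
        return (f"dropped: hardware type 0x{info['hrd']:04x} unknown "
                f"(hln={info['hln']}, pln={info['pln']}, op=0x{info['op']:04x})")
    if not info["well_formed"]:
        return f"{info['hw_type']} ARP but malformed"
    kind = "request" if info["op"] == 1 else "reply"
    return f"{info['hw_type']} ARP {kind}: sender {info['sender']}, target {info['target']}"


if __name__ == "__main__":
    print(verdict(POSTED_PAYLOAD))
    print(verdict(build_arp_request("64:a7:69:42:00:00", "192.168.6.148", "192.168.6.1")))
```

The decoded header (hardware type 0x0103, protocol 0x0002, a 111-byte hardware address, a 140-byte protocol address, opcode 0x0f09) is not ARP from some exotic link type; it is a broadcast frame with ethertype 0x0806 whose payload is not ARP at all, so the kernel logs it and discards it. The parser does not guess what the payload really is; the thing to look at is the device owning the 64:a7:69:42 prefix on the wireless segment behind that NIC.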
Re: [pfSense] Bandwidth limiter
Jeremy Martijn wrote on 05.11.2012 12:42:
> Good morning,
>
> I have a question regarding the bandwidth limiter on pfSense.
> I'm going to describe the current situation and what I have done so far.
>
> I want to limit every user on the network to a 20Mbit/s down/10Mbit/s
> upload speed and the whole network should have a 100Mbit/s download and
> upload speed.
>
> Limiter made Limit_In at 20Mbit/s and Limit_Out at 10Mbit/s.
>
> Firewall Rule on the LAN, with Interface LAN, Protocol TCP/UDP, Source
> type LAN subnet and In/Out set to Limit_Out and Limit_In.
>
> When I do a speedtest I get the 20/10 speed as I have configured it, but
> what I'm doubting is: is this speed now set per user or for the LAN
> subnet? What will happen if more users connect to the LAN subnet?
>
> And if I want to limit the whole bandwidth speed of the pipe to
> 100Mbit/s, how would I need to make a rule for that?
>
> Uplink is 100Mbit/s
> Speed per user 20Mbit/s download 10Mbit/s upload on LAN subnet.
>
> Thanks in advance.
>
> Sincerely yours,
>
> Jeremy Martijn

Hi Jeremy,

For the per-user limiter, check the Mask setting:

"If 'source' or 'destination' is chosen, a dynamic pipe with the bandwidth, delay, packet loss and queue size given above will be created for each source/destination IP address encountered, respectively. This makes it possible to easily specify bandwidth limits per host."

If you want to limit the whole subnet too, I guess you would need to make a different rule at a higher priority.

Hope it helps!
Vassilis
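A toy model of what the Mask setting quoted above changes, as an added example (not pfSense or dummynet code). A pipe with no mask is one queue shared by every packet the rule sends to it; with mask = source, a separate queue with the configured bandwidth is created per masked source address, which is what turns the same 20 Mbit/s figure into a per-host limit. The model works in one-second ticks, admits at most the pipe's rate per queue per tick, first come first served, and counts the rest as not passed (dummynet would delay rather than drop, but the share each host ends up with is what matters here). Host addresses and demands are constructed for the example; chaining a per-host pipe in front of a whole-link pipe is the model's own way of showing the aggregate cap, not a description of how pfSense orders two limiter rules.

```python
"""Per-host versus shared limiter queues (added example, not pfSense code).

Models the dummynet 'mask' behaviour in one-second ticks. Constructed
addresses and demands; first-come-first-served within a tick.
"""
import ipaddress
from collections import defaultdict

MBIT = 1_000_000


class Pipe:
    def __init__(self, rate_bps, mask_bits=None):
        self.rate = rate_bps
        self.mask_bits = mask_bits  # None: one shared queue; 32: per host; 24: per /24 ...
        self.left = defaultdict(lambda: self.rate)  # bits still allowed this tick, per queue

    def queue_key(self, src_ip):
        """Dynamic queue a packet lands in: the masked source address."""
        if self.mask_bits is None:
            return "shared"
        return str(ipaddress.ip_network(f"{src_ip}/{self.mask_bits}", strict=False))

    def new_tick(self):
        self.left.clear()

    def admit(self, src_ip, bits):
        """Pass up to the queue's remaining budget; return the bits admitted."""
        key = self.queue_key(src_ip)
        admitted = min(bits, self.left[key])
        self.left[key] -= admitted
        return admitted


def run_tick(pipes, demand):
    """demand: {source_ip: bits offered this second}.

    Pipes apply in order, so [per_host, whole_link] is a per-host limit
    whose output must still fit through the link limit. Returns
    {source_ip: bits that got through}.
    """
    for p in pipes:
        p.new_tick()
    passed = {}
    for src, bits in demand.items():
        for p in pipes:
            bits = p.admit(src, bits)
        passed[src] = bits
    return passed


def total(passed):
    return sum(passed.values())


if __name__ == "__main__":
    hosts = {f"192.168.1.{i}": 50 * MBIT for i in range(1, 7)}  # six hosts offering 50 Mbit/s each
    print("20 Mbit, no mask:        ", run_tick([Pipe(20 * MBIT)], hosts))
    print("20 Mbit, mask=source:    ", run_tick([Pipe(20 * MBIT, 32)], hosts))
    print("per host 20 + link 100:  ", run_tick([Pipe(20 * MBIT, 32), Pipe(100 * MBIT)], hosts))
```

With no mask, one 20 Mbit/s speed test looks identical to the masked case, which is why a single-client test cannot tell the two configurations apart; the difference only shows once a second host starts competing.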
Re: [pfSense] Openvpn site to site problem
Hi!

Try this:

pfsense2 - server:
Tunnel network: 10.0.8.0/30 (no need for /24 on site-to-site)

pfsense1 - client:
Tunnel network: 10.0.8.0/30 (you can even keep it empty)

Keeping or removing the remote network on the client side shouldn't be important, the difference being that if you keep it, you should see an error message that the route that has already been pushed by the server is re-issued by the client.

Hope it helps!
Vassilis

Cristian Del Carlo wrote on 19.12.2012 14:09:
> Hi,
>
> thanks for your help.
>
> My firewall rules are in both pfsense:
> Action: Pass
> Interface: Openvpn
> Protocol: Any
> Source: Any
> Destination: Any
>
> These are my routes from the firewalls (without public IP):
>
> pfsense 1 - client:
> 10.0.8.1         link#10    UH     0   15         ovpnc2
> 10.0.8.2         link#10    UHS    0   0          lo0
> 192.168.8.0/24   10.0.8.1   UGS    0   45         ovpnc2
> 192.168.9.0/24   link#2     U      0   37598040   em1
>
> pfsense 2 - server:
> 10.0.8.1         link#9     UHS    0   0          lo0
> 10.0.8.2         link#9     UH     0   72         ovpns1
> 192.168.8.0/24   link#2     U      0   229122     em1
> 192.168.8.1      link#2     UHS    0   0          lo0
> 192.168.9.0/24   10.0.8.2   UGS    0   1          ovpns1
>
> Could it be a routing problem?
>
> 2012/12/19 WolfSec-Support :
>> Hi,
>>
>> do you have special rules in the VPN tunnel?
>> make sure to open the OpenVPN ruleset as necessary
>>
>> this is "new" in 2.x; 1.2.x had no rules in OpenVPN tunnels
>>
>> but per default normally the tunnel is open any<>any
>>
>> br
>> stephan
Re: [pfSense] Multi-WAN network access
Hello Walter,

I don't see you mentioning allowing Gateway Switching from the advanced menu. Under System - Advanced - Miscellaneous you have the option to allow default gateway switching. Without that, once a WAN is down, the system will still try to send the packets through the default gateway, even if that gateway is down.

Vassilis

Walter Parker wrote on 05.12.2013 00:57:
> Hi,
>
> I've got a pfSense router with a WAN connection that has 4 interfaces:
>
> WAN - A 200 mbs connection. This is on a /20 subnet and the other side
> is the default route.
> LAN - This is a static routed /24 network from the company providing the
> 200 mbs WAN connection
> COMCAST - This is a static routed /28 network from Comcast.
>
> I set the WAN interface with a route back to Provider A, and the COMCAST
> interface with a route back to the Comcast gateway address. I created
> two gateway groups, one that has the WAN network as Tier1 and COMCAST as
> Tier2, and another that has COMCAST as Tier2 and the WAN network as Tier2.
> The instructions on the wiki say firewall rules must be changed to
> use these groups rather than the system routing. I tried changing the
> allow all route to use the gateway group (rather than the default of *),
> but this didn't seem to route packets out the COMCAST link when the WAN
> link was down.
>
> I did a little bit of testing: I used the ping test and was able to ping
> the outside world when using WAN as the interface, but when I changed
> the interface to COMCAST, I could only ping the Comcast gateway (as if
> the packets would not route). From an external host, I was able to do an
> ICMP ping to the COMCAST interface, but was not able to do a UDP ping or
> make a TCP connection.
>
> Questions:
>
> I think I missed a step in the whole "add a firewall rule for the
> gateway group" process, which seems more like a "solution left as an
> exercise for the reader". What do I need to do to get gateway groups
> working on the firewall?
>
> When using ping, when I pick the interface, does it work like a Cisco,
> where the source IP is the interface address and the next hop router
> would be the interface's router, in this case the Comcast gateway?
>
> When I have squid running bound to the LAN interface, I'd like the
> system to use whichever WAN/COMCAST interface is currently up and working.
> I want that to be the WAN interface unless it is down.
>
> When the WAN interface is down, I'd like to be able to ssh/https to the
> COMCAST interface address to see what is going wrong. Can I set up the
> system to work like this?
>
> Thank you for any ideas as to what I might have done wrong,
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding. -- Justice Louis
> D. Brandeis
Re: [pfSense] States Issue with Asterisk behind pfSense
Hannes Werner wrote on 26.09.2014 16:51:
> thank you very much Giles, but unfortunately it doesn't help.
>
> anyone here who is using asterisk behind pfSense on a dynamic IP WAN
> successfully?

Hello Hannes!

I have also used Asterisk behind a dynamic PPPoE WAN. I had the exact same issues that the bug report is describing.

I tried different ways to get it to work and I found that some solutions work with some providers but fail at others. There seems to be a lot of black magic involved when configuring SIP to work in such a configuration :)

What worked best was to set nat=no and externip=.
I had also not done any port forwards whatsoever on pfSense; outgoing NAT was set to automatic.

I certainly cannot explain why it was working that way!

Hope it helps!
Vassilis
Re: [pfSense] States Issue with Asterisk behind pfSense
ADSL over PPPoE with constantly changing IPs is the standard in some countries; we do not have such connections because we chose them and we like the challenge..

Reading again the whole bug report, there seem to be a lot of people affected by this, and Tom De Coninck has made a lot of effort to figure out what might be the issue. In the last post of Tom, he comes to a very exact conclusion:

"I think this proves that pfsense not only needs to kill states on 'WAN DOWN', but also on 'WAN UP'. I can't see how it could work otherwise"

Has this been implemented? Could this be implemented? Do the pfSense devs need some more info? Can we help with testing?

Vassilis

Hannes Werner wrote on 26.09.2014 22:53:
> Thanks Vassilis,
>
> I've these settings already - without any success.
>
> On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V. wrote:
>> [quoted copy of the message above, trimmed]
Re: [pfSense] Limit bandwith pr user / ip
Thank you Chris!

Since I am interested in this too, are there any tricks when you want to do the same but you have a multi-WAN setup, or, probably even worse, a multi-WAN setup with different WAN bandwidths?

Thank you all!
Vassilis