[pfSense] transparent proxy gunzips

2011-12-13 Thread Volker Kuhlmann
I turned the pfsense squid on as a transparent proxy solely for the
purpose of making use of its web cache.

Downloading a .tar.gz file then results in the file being silently
unpacked by squid:

  wget -S http://.../...tar.gz

The file is saved with name .tar.gz but is actually just a .tar.

This is repeatable until using --no-cache once. After that the file
saved by wget remains a .tar.gz.

Is this expected behaviour? It's somewhat inconvenient.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Packages are being installed in the background (pfSense 2.0.1)

2012-04-27 Thread Volker Kuhlmann
On Fri 24 Feb 2012 21:45:15 NZDT +1300, Jürgen Echter wrote:

 i had to re-setup my firewall and restored my config. all went well
 so far, but i can't edit anything because i have on every screen a
 pic which says 'packages are being reinstalled in the background'.
 this is on since a few hours.

Old thread, but I see this every time I reload a pfsense config. It's
impossible to say when the package reloading is actually finished, it
shouldn't possibly take as long as it does and it seems the package lock
isn't cleared.

You can go to the backup/restore page, on the bottom is a button to
clear the package lock.

What I would like to know is how to prevent the package reloading after
restoring a config when there are no package changes.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.


[pfSense] Installing pfsense via PXE

2013-05-06 Thread Volker Kuhlmann
I have started to install everything via PXE because it's just too
convenient, but pfsense is eluding me.

Using pxelinux and 

  label pfsense
menu label Install pfSense
kernel memdisk
initrd iso/pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso.gz

starts to run, but then fills the screen with binary gobbledegook. Not
too surprising on a system with 256MB RAM.

There is 
  http://forum.pfsense.org/index.php?/topic,4185.0.html
but its main reference is to 
  http://tenzen.dnsalias.net/soekris
which was said to be excellent, but was on a home box for 6 months in
2007 and the guy put in a robots.txt preventing archive.org access. Not
useful...

The only relevant info I can find on pfsense.org is 
  http://doc.pfsense.org/index.php/NetBoot_Embedded_(soekris)

Essentially it sets up a PXE boot of boot/pxeboot and changes the
pfsense install media files to mount an NFS filesystem to boot from, if
I read it correctly.

This solution has the downside that my DHCP server is pfsense, which
doesn't allow to give per-host DHCP options like specifying the file to
load and run. It can only be done globally, and there I configured
pxelinux because it does everything else for me. (Correct me if the
pfsense DHCP server can serve options like filename or root-path on a
per-host basis.)

Is anyone able to tell what the pxelinux menu.c32 options should be to
start the pfsense installation, by whatever means? I'd prefer ftp, but
nfs if must be (it's a pain, basically).

Are there other instructions I have missed?

Thanks muchly,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.


[pfSense] Running pfsense in virtualbox

2013-05-17 Thread Volker Kuhlmann
To test some pfsense function I installed 2.0.3 in virtualbox. In VB, em0 is
configured bridged and used as WAN, em1 is host-only. Traffic through
both interfaces and the VB-host is working fine.

On the VB host (pfsense LAN):
vboxnet0  Link encap:Ethernet  HWaddr 0A:00:27:00:00:00  
  inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0

In pfsense, WAN is configured as dhcp and picks up a suitable IP
address. The webconfig is accessible through the host's vboxnet0.

In pfsense, dnsmasq doesn't work - nothing is resolved. 
/etc/resolv.conf contains 127.0.0.1, and the 2 servers I configured.
Traffic is OK - telnet 203.97.30.185 80 works as expected.
dig @localhost google.com doesn't resolve anything.

I conclude that dnsmasq is not functional inside virtualbox, making
pfsense config testing impossible.

Is it possible to beat dnsmasq into shape to work inside VB?
find / | grep dnsm doesn't find any config files.

The only VB posting on the forum is from 2009 and deals with issues VB
has with itself.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.


[pfSense] OpenVPN package failure

2013-05-17 Thread Volker Kuhlmann
It seems OpenVPN was listed as a package with a newer version available
(like 2.0.3 instead of 2.0.1?), but I can't verify because pfsense
doesn't run under virtualbox for me. When re-installing that package,
package installation failed (extra files re client export I think). Now
the package is not installed (so can't be uninstalled), nor is it
available (so can't be installed). The OpenVPN client-export package is
now uninstalled, although it was installed before.

Fresh install of 2.0.3.

Is this expected behaviour? I gather openvpn isn't usually a pfsense
package, but the package update mechanism was used to upgrade it from
the version from the ISO image.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.


Re: [pfSense] Running pfsense in virtualbox

2013-05-17 Thread Volker Kuhlmann
On Sat 18 May 2013 13:24:52 NZST +1200, Jim Pingle wrote:

 Why host only? That may not let it go out.

It doesn't need to on LAN. DNS queries are resolved from WAN, and that
is bridged in VB, and DNS servers on the Internet can be queried by dig
on pfsense correctly. The VB interface used for pfsense-LAN is
host-only, and it works fine for the webconfigurator.

I had removed the RFC-private and bogon blocks from WAN too.

  I conclude that dnsmasq is not functional inside virtualbox, making
  pfsense config testing impossible.
 
 Not true, I do almost all of my testing locally here with pfSense in
 VirtualBox and it has zero issues.

That's what I was expecting, but fact is dig @localhost on pfsense does
nothing, but web servers on the Internet can be reached (by their IP),
and dig@8.8.8.8 google.com works.

 Any issues you're seeing are likely
 with the network config or NIC config, VM resources, etc, but not
 VirtualBox in general or pfSense.

Hmm, where do I look? 512MB RAM, default pfsense config, no packages
ought to be enough.

 I use bridged NICs for WANs and then Internal Network setups for the LAN
 side.

My VB config is the same except I have host-only for LAN. As the
webconfig traffic goes in and out OK I see no problems here.

How/where is dnsmasq configured to pick its servers from?

 There are so few postings about VirtualBox because in general there
 aren't many/any issues with it. It works fine.

Well damn it, after the windows-solution (aka reboot) it works fine
now. Hmmm. There isn't anything I can think of that I changed, I changed
very little from the default. Looks like dnsmasq needs a restart for some
reason. Never mind.

Thanks muchly Jim,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.dnsalias.net/ Please do not CC list postings to me.


Re: [pfSense] pfSense 2.1.2 is released

2014-04-10 Thread Volker Kuhlmann
On Fri 11 Apr 2014 07:23:52 NZST +1200, Jim Thompson wrote:

 pfSense release 2.1.2 is now available.

Thank you for all the quick work!

May I ask though why this isn't simultaneously posted on
pfsense-announce and pfsense-security-announce? In particular, if the
security-announce list was to be used as a reliable source of critical
information, posting the 2.1.2 release announcement with the heartbleed
fix is not optional???

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] pfSense 2.1.2 is released

2014-04-10 Thread Volker Kuhlmann
On Fri 11 Apr 2014 09:27:07 NZST +1200, Jim Thompson wrote:

 It was posted on announce@, but it seems that I’m moderated there.  This
 is why my 2.1.1 release announcement was also held.   I’ve pushed the message 
 through.

Setup glitches. Thanks!

 security@ is for posting SAs

Uhhmm, IMHO I don't really care what it's called, the relevant criteria
for the user is whether I need to know about it. I would welcome an
announcement list that mentions all security-related issues I need to be
aware of when using pfsense, so that list can be monitored without the
clutter of daily discussions. Like the Linux distro security lists,
they're well organised with no irrelevant drivel. To be honest, any
security announcement list that doesn't mention the kind of problem like
heartbleed looks like a complete waste of time to me!

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.

Re: [pfSense] pfSense 2.1.2 is released

2014-04-10 Thread Volker Kuhlmann
On Fri 11 Apr 2014 12:11:06 NZST +1200, Jeremy Porter wrote:

 The security@ email list is brand new.  Its so we can announce
 issues like Heartbleed.  People can filter on it etc.
 Any security issues we become aware of will be announce here, as
 security advisories.

Perhaps it would be useful to clarify the intended use/purpose of the
lists, at
https://lists.pfsense.org/mailman/listinfo
Write a paragraph if needed, it doesn't have to be a one-liner for each
list.

Is the intended purpose of the SAs to notify of a problem, to point
users to a fix, or both? I am having the Linux distro security lists in
mind[1], and there postings summarise the problem, point to the
background, and state that the user needs to do X to deal with it. Only
security-relevant issues are posted, not general bug fixes.

I would find this method ideal for pfsense too because the noise is low.
It should include problems with packages too - those not using the
package don't need to read on. I do think all the actions the user needs
to do (usually upgrades) need to be posted. If a fix is NA at the time
of the problem notification then you need to post twice.

Perhaps I am mistaken about the pfsense fix for the heartbleed bug - but
if the required, or even only recommended, fix is to upgrade to pfsense
2.1.2 then that must be posted on the security-announce@ too.

The idea, well my idea, would be to only have to follow
security-announce@ and from that to be sure that no security-relevant
action is missed. The discussion list doesn't need that priority.

 The email list and page, we just started working on last week, prior
 to finding out about this, so we push them ahead along with the
 fixed version of pfsense.

Thanks for that!

And thanks too for all the work to fix this openssl problem!

 I think we'd be happy to host a security-discusse@ mailing list if
 people want that.

Not for me. The normal discussion list should be fine. I was trying to
raise the point of security announcements, not security itself.

Thanks again,

Volker

[1] Specifically, opensuse-security-announce  http://lists.opensuse.org/

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] pfSense 2.1.2 is released

2014-04-12 Thread Volker Kuhlmann
On Fri 11 Apr 2014 18:43:18 NZST +1200, Ryan Coleman wrote:

 He gave you an option to subscribe to the list.

You seem to have missed the point I was making: critical security fixes
(the 2.1.2 release in this case, unless I am misunderstanding) were not
posted to security-announce@.

The posting to announce@ only happened, because of initial setup
problems, after I pointed out it was missing.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] pfSense Book (Buechler / Pingle)

2014-04-13 Thread Volker Kuhlmann
On Sun 13 Apr 2014 22:11:41 NZST +1200, Thinker Rix wrote:

 I own a hard copy of the pfSense book by Chris and Jim and have two
 questions about it:
 
 1. As a buyer of the hard copy, am I eligible to receive a gratis
 PDF-version of the book, too?

Probably not. I remember the authors saying that they didn't have the
rights for the electronic version. Moot point, because...

 2. Is there any ETA for the hard copy version of the new edition?

You are aware that it's available as an electronic version under the
gold program?

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] Interface yoyo

2014-04-20 Thread Volker Kuhlmann
Ever since upgrading to pfsense 2.1 I have been let down by it. It looks
like there are multiple issues and I am trying to separate them. One is
system suicide by memory gobbling - but it's been a little tricky to
find out why exactly.

It's a system with 512MB RAM, 768M swap.
Mobo Ethernet, Intel system, some old P-III job.
inphy0: i82562EM 10/100 media interface PHY 1 on miibus1
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow

Realtek NIC (unused)
rlphy0: RealTek internal media interface PHY 0 on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto

Sun 4-port Ethernet NIC
hme0: Sun HME 10/100 Ethernet mem 0x4600-0x46007fff irq 21 at device 0.1 on pci3
miibus2: MII bus on hme0
ukphy0: Generic IEEE 802.3u media interface PHY 1 on miibus2
ukphy0:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
hme0: [ITHREAD]
[and 3 more of these]

Because of physical location a Brother HL5350DN printer is plugged into
one of the hmeN ports directly. (Using a crossover cable makes no
difference.)

What happens next is the printer's hme interface goes up and down every
few seconds. There are continuous hotplug events too. A gazillion php
processes are spawned. Swap space is used. The system can't respond fast
enough any more and other interfaces go down/up as well. Swap space runs
out. Php etc get killed.

A killall php on the pfsense system gives temporary reprieve.

Essentially, if someone turns the printer on pfsense dies.

Everything was running fine on the same hardware with 2.0 and I don't
think swap space was ever used. I have squid and squidguard running on
it too, but turning those off only changes how fast pfsense dies.

The ntop package was installed and running as well, but top -osize
told me it was using 200M RAM on start so it got uninstalled.

Perhaps freebsd changed, and the php code can't handle it and goes into
run-away memory consumption.

How can I get this pfsense box back into the same reliable and
dependable system it used to be before 2.1?

Any suggestions appreciated. Happy to provide more info too - but where
do I start looking?

Thanks muchly,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Interface yoyo

2014-04-20 Thread Volker Kuhlmann
On Sun 20 Apr 2014 19:46:41 NZST +1200, Bryan D. wrote:

 I reported this issue with the HME's a while ago (it's nasty!):
 bug #3481 -- https://redmine.pfsense.org/issues/3481
 
 Executive summary: replace the NIC with a different model. Too bad,
 they used to work very well and virtually never die.

Confirm on (almost) all counts.
I moved the printer to an rl driver port and the problem disappeared.
top reports 350MB free memory.
The same problem exists with the wifi AP connected to an hme driver
port. Turning the AP off then on kills pfsense.
I'll update the report.

The number of spawned php processes that kill the system however look
like a pfsense problem to me and the php code should prevent itself from
meltdown. Or does freebsd really require php for handling interface
hotplug events? As in, a basic minimal freebsd system does not work
without php installed?

Thanks for the hint Bryan.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] Interface options for pfsense

2014-04-20 Thread Volker Kuhlmann
I've been running pfsense for many years (and been very happy with it)
on scrapped PCs with a Sun 4-port Ethernet PCI card because I need 5
Ethernet ports.

Now freebsd dying on the hme driver effectively turns those cards into
scrap and I'm stuck. What are alternatives now?

Are there any other 4-port cards that are supported by pfsense in
practice (not just in theory), that are also affordable?

The power consumption (and box volume) of scrapped PCs is not optimal,
and I've been looking at moving to a small single-board. Soekris was
always underpowered and overpriced IMHO, and PCEngines underpowered,
until they released the exciting APU series recently. They all only have
3 Ethernet ports though, which is the stopper here.

What mPCIe Ethernet cards are supported by pfsense that people can
recommend?

Are there any USB Ethernet adapters that actually work with pfsense?
Reliably? I am looking for reports from those who have tried, not the
freebsd supported HW list - that list is too long and not really
trustworthy (I have a USB wifi adapter which runs for 10min then makes
pfsense kernel panic).

The frequently recommended option of using VLANs may look good for
larger commercial networks, but just buying a VLAN capable switch costs
more than a suitable pfsense box and brings the power budget of the
combination to the same level as a scrapped PC - with the latter winning
hands down on cost.

TIA for any suggestions,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Interface yoyo

2014-04-20 Thread Volker Kuhlmann
On Mon 21 Apr 2014 09:54:49 NZST +1200, Jim Pingle wrote:

 Apply this patch with the system patches package, see if it's maybe
 hitting a bug similar to what was happening with OpenVPN (rc.newwanip
 was being fired from rc.linkup repeatedly... something made it fall into
 a loop)

Thanks Jim! Doing now. rc.newwanip is featuring heavily in syslog with
the problematic interfaces.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Interface yoyo

2014-04-20 Thread Volker Kuhlmann
 hme2
2014-04-21T10:48:51.420720+12:00 pfsense dhcpd: DHCPOFFER on 10.x.x.x to 00:15:77:xx:xx:xx via hme2
2014-04-21T10:48:51.48+12:00 pfsense dhcpd: DHCPDISCOVER from 00:15:77:xx:xx:xx via hme2
2014-04-21T10:48:51.445521+12:00 pfsense dhcpd: DHCPOFFER on 10.x.x.x to 00:15:77:xx:xx:xx via hme2
2014-04-21T10:48:51.468608+12:00 pfsense dhcpd: DHCPREQUEST for 10.x.x.x (10.x.x.y) from 00:15:77:xx:xx:xx via hme2
2014-04-21T10:48:51.469644+12:00 pfsense dhcpd: DHCPACK on 10.x.x.x to 00:15:77:xx:xx:xx via hme2
2014-04-21T10:48:54.150566+12:00 pfsense php: rc.linkup: Hotplug event detected for WIFI(opt2) but ignoring since interface is configured with static IP (10.x.x.y )
2014-04-21T10:48:54.250548+12:00 pfsense check_reload_status: Linkup starting hme2
2014-04-21T10:48:54.250548+12:00 pfsense kernel: hme2: link state changed to DOWN
2014-04-21T10:48:54.381451+12:00 pfsense check_reload_status: rc.newwanip starting hme2
2014-04-21T10:48:56.381420+12:00 pfsense kernel: hme2: link state changed to UP
2014-04-21T10:48:56.407443+12:00 pfsense check_reload_status: Linkup starting hme2


-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.
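The log excerpt above shows one bounce of hme2 re-firing rc.newwanip. As an added example (not part of the original post or of pfSense's own code), here is a small detector that reads pfSense syslog lines of that shape and reports interfaces whose link flaps repeatedly inside a time window, together with how often rc.newwanip was re-fired for them; the sample lines are constructed to resemble the post's log, and the window and threshold values are arbitrary assumptions.

```python
"""Flag flapping interfaces and rc.newwanip storms from pfSense syslog lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# syslog-ng style line: ISO timestamp, host, program, message
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
LINK_RE = re.compile(r"^(?P<iface>[a-z]+\d+): link state changed to (?P<state>UP|DOWN)$")
NEWWANIP_RE = re.compile(r"^rc\.newwanip starting (?P<iface>[a-z]+\d+)$")

# Constructed sample shaped like the log quoted in the post: hme2 bounces
# repeatedly and every DOWN re-fires rc.newwanip, while hme0 sees a single
# DOWN/UP from someone briefly unplugging a cable.
SAMPLE_LOG = """\
2014-04-21T10:48:54.250548+12:00 pfsense kernel: hme2: link state changed to DOWN
2014-04-21T10:48:54.381451+12:00 pfsense check_reload_status: rc.newwanip starting hme2
2014-04-21T10:48:56.381420+12:00 pfsense kernel: hme2: link state changed to UP
2014-04-21T10:48:56.407443+12:00 pfsense check_reload_status: Linkup starting hme2
2014-04-21T10:48:58.100000+12:00 pfsense kernel: hme2: link state changed to DOWN
2014-04-21T10:48:58.200000+12:00 pfsense check_reload_status: rc.newwanip starting hme2
2014-04-21T10:49:00.100000+12:00 pfsense kernel: hme2: link state changed to UP
2014-04-21T10:49:02.100000+12:00 pfsense kernel: hme2: link state changed to DOWN
2014-04-21T10:49:02.200000+12:00 pfsense check_reload_status: rc.newwanip starting hme2
2014-04-21T10:49:04.100000+12:00 pfsense kernel: hme2: link state changed to UP
2014-04-21T10:55:00.000000+12:00 pfsense kernel: hme0: link state changed to DOWN
2014-04-21T10:55:30.000000+12:00 pfsense kernel: hme0: link state changed to UP
"""

Event = Tuple[datetime, str, str]  # (timestamp, interface, kind)


def parse_events(text: str) -> List[Event]:
    """Extract link transitions and rc.newwanip starts; other lines are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))  # offset-aware timestamp
        msg = m.group("msg")
        lm = LINK_RE.match(msg)
        if lm:
            events.append((ts, lm.group("iface"), "link_" + lm.group("state").lower()))
            continue
        nm = NEWWANIP_RE.match(msg)
        if nm:
            events.append((ts, nm.group("iface"), "newwanip"))
    return events


def find_flapping(events: List[Event], window_s: int = 60, threshold: int = 4) -> Dict[str, int]:
    """Return iface -> peak number of link transitions inside any window_s-second
    window, listing only interfaces that reach the threshold (assumed values)."""
    per_iface: Dict[str, List[datetime]] = defaultdict(list)
    for ts, iface, kind in events:
        if kind.startswith("link_"):
            per_iface[iface].append(ts)
    window = timedelta(seconds=window_s)
    flapping: Dict[str, int] = {}
    for iface, times in per_iface.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flapping[iface] = peak
    return flapping


def newwanip_storm(events: List[Event]) -> Dict[str, int]:
    """Count how often rc.newwanip was started per interface."""
    counts: Dict[str, int] = defaultdict(int)
    for _, iface, kind in events:
        if kind == "newwanip":
            counts[iface] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for iface, n in find_flapping(evs).items():
        print(f"{iface}: {n} link transitions within 60s, rc.newwanip fired "
              f"{newwanip_storm(evs).get(iface, 0)} times")
```

Pointing it at the syslog server's file for the pfsense host gives an early warning before the php process count and swap usage described in the thread become a problem.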


Re: [pfSense] Interface options for pfsense

2014-04-20 Thread Volker Kuhlmann
On Mon 21 Apr 2014 10:51:13 NZST +1200, Stefan Baur wrote:

Thanks muchly for the tip, Stefan!

There is no 'doze in the house and on no account will I add a
Billy-dependency to my infrastructure. Any manufacturer too stupid to make
their stuff controllable by open source software can sell elsewhere.
Period.

 The GS108T-200 is the one with a web-based config tool

http://www.netgear.com/business/products/switches/smart/GS108Tv2.aspx#tab-techspecs
?
(Not easy to find on their website - searching only finds their useless
software.)

Max 12W power consumption looks good. Not ideal though, because VLANs
are more complex and error prone, American proprietary network equipment
doesn't seem like a good choice any more, and that model appears to be
no longer for sale where I live.

I'll keep it in mind though - thanks.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Interface yoyo

2014-04-21 Thread Volker Kuhlmann
On Tue 22 Apr 2014 01:28:08 NZST +1200, Jim Pingle wrote:

Thanks Jim!

 Some other setting appears to be causing the link on the NIC to bounce
 up and down when configured.

 We added some extra checks before resetting the MAC to prevent that sort
 of thing from being a problem though, but it's possible that the HME NIC
 is resetting its link when some _other_ setting is being applied. If you
 have any special configuration on the NIC (spoofed MAC, custom MTU,
 specific link speed, etc) it would help to know.

No other such setting that I can see. Here is the config part:

<interfaces>
    <lan>
        <enable/>
        <if>hme0</if>
        <ipaddr>10.x.a.z</ipaddr>
        <subnet>24</subnet>
        <media/>
        <mediaopt/>
        <descr><![CDATA[LAN]]></descr>
    </lan>
    <opt1>
        <if>hme1</if>
        <descr><![CDATA[DMZ]]></descr>
        <enable/>
        <spoofmac/>
        <ipaddr>10.x.b.z</ipaddr>
        <subnet>24</subnet>
    </opt1>
    <opt2>
        <descr><![CDATA[WIFI]]></descr>
        <if>hme2</if>
        <enable/>
        <spoofmac/>
        <ipaddr>10.x.c.z</ipaddr>
        <subnet>24</subnet>
    </opt2>
    ...
</interfaces>


I just had another runaway after adding a mac/ip in the wifi interface's
dhcp server. Confirmed with trivial test of adding another test entry to
the dhcp server.

Arrrghh.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Interface yoyo

2014-04-21 Thread Volker Kuhlmann
On Tue 22 Apr 2014 15:56:52 NZST +1200, Volker Kuhlmann wrote:

 I just had another runaway after adding a mac/ip in the wifi interface's
 dhcp server. Confirmed with trivial test of adding another test entry to
 the dhcp server.

I should have mentioned that the pfsense syslog (sent to a syslog
server) does not contain the interface yoyo for one (or more) of the hme
interfaces, but a memory runaway occurred nevertheless.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Volker Kuhlmann
On Tue 22 Apr 2014 00:04:47 NZST +1200, Vick Khera wrote:

  Now freebsd dying on the hme driver effectively turns those cards into
  scrap and I'm stuck. What are alternatives now?
 
 Just curious, if you insert a small hub/switch between your printer
 and the NIC does that fix it?

No it won't. One of the hmeX ports is connected to my LAN switch.
Pulling that briefly blows up the pfsense box.

A sufficient condition to kill the pfsense system is for an interface to
briefly lose physical connection (or for the connected device to be
turned off). The same results from pfsense's web gui restarting
interfaces, e.g. from changing dhcp server settings.

IOW pfsense 2.1 with hme driver is totally unusable. I am kind of forced
to replace the hardware now.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Volker Kuhlmann
On Wed 23 Apr 2014 05:02:59 NZST +1200, Jim Thompson wrote:

  Are there any USB Ethernet adapters that actually work with pfsense?
  Reliably? I am looking for reports from those who have tried, not the
  freebsd supported HW list - that list is too long and not really
  trustworthy (I have a USB wifi adapter which runs for 10min then makes
  pfsense kernel panic).
 
 WiFi isn't recommended until at least pfSense 2.2, if then.

OK, thanks Jim, good to know. Do you mean this to apply to USB wifi only?

There are cheap mPCIe atheros-based wifi cards for the PCEngine APU
board. Are they known to be reliable?

 You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less 
 than $100 these days.
 No fan, so noise-free.   8W maximum.

Yes, thank you for mentioning that - I had seen that yesterday and their
power specs had escaped me when I looked at them previously (some of
those similar models do guzzle it).

That's my plan B, but I really don't like to use VLANs when I can avoid
the clutter and complexity (more bugs, more time spent). A pfsense box
with more ports is much easier.

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] squidguard blacklist absent after upgrade

2014-05-04 Thread Volker Kuhlmann
Quick note for those using squidguard with a blacklist:

After upgrading from pfsense 2.1.2 to 2.1.3, squidguard is running, but
the blacklist is absent in the BUI and needs to be reloaded manually.
If one doesn't notice that, there is possibly less filtering being
performed than expected.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] php error on login screen

2014-05-04 Thread Volker Kuhlmann
Warning: Invalid argument supplied for foreach() in /etc/inc/util.inc on line 838

  You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means.
  If you did not setup this forwarding, you may be the target of a man-in-the-middle attack.


That is after upgrading to 2.1.3.

I can also no longer log in to the web gui.
pfsense warns about a DNS rebinding attack and to use an IP address
instead. With an IP address it says

   An HTTP_REFERER was detected other than what is defined in System - Advanced (https://x.x.x.x/). You can disable this check if needed in System - Advanced - Admin.

Which would be all good, if one could log in to change it.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] php error on login screen

2014-05-05 Thread Volker Kuhlmann
On Mon 05 May 2014 18:34:28 NZST +1200, Lars Wuerfel wrote:

Hi Lars,

 I had this some time ago, when I defined a virtual IP
 (IP alias) to my LAN Interface, and then tried to login to this
 virtual IP. When I pointed the browser to the real IP, login
 was possible.

That makes sense and is an easy explanation.

 Did you define IP aliases, and your DNS is pointing to an alias IP?

No. There may be name mismatches between the pfsense host's name and 
the CN of the web GUI cert. All alternative names for the LAN IP address
used to access the web gui are listed in - advanced - alternate host
names.

It did not use to be a problem so maybe security was beefed up again in
2.1.3. I created new certs for the web gui and put cert exceptions into
the browsers. It worked, until yesterday. The rebinding warning is shown
only some of the time, no idea why.

The main reason I mentioned it is that using the IP address to log in
does not in fact provide a path for remedial action. It's a bit fishy to
me, but I'm also still having problems with the hme driver (on course
for replacement) which may interact.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] Web GUI certs

2014-05-21 Thread Volker Kuhlmann
The web GUI uses a default auto-generated cert, which (as expected)
causes browser errors.
An improved approach would be to generate a CA, a key, and to load the CA
into the browser. That way I can be assured to not accidentally OK the
wrong connection, and it tests my understanding of the cert system in
pfsense.

I can't get it to work quite the way I prefer:
  * accept all XXX.site host names
  * accept the IP address
  * accept any IP address in the subnet

When creating the certs, only the CN field seems to have some
significance, and then only for the server cert. For the CA, any free
text is accepted. For the server cert I select type: server, but CNs
of
   *.site
   *.pfsense.site
   pfsense.site

Only the CN of pfsense.site makes the browser not complain with
https://pfsense.site/, but https://10.x.x.x/ still gives an error.
Entering an alternative name of 10.x.x.x when creating the server cert
does nothing.

I get the same results with firefox and konqueror, however 
openssl s_client -connect .. -verify -CApath /etc/ssl .. 
does not complain (I installed the CA cert into /etc/ssl/certs/).

Other websites seem to have no problems with wildcard name certificates
valid for *.site.

What exactly should I be putting into the pfsense cert manager to get a
similar effect? And make the browser accept the IP address(es) too?

pfsense 2.1.3

Thanks muchly,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.
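As an added example (not from the original post and not pfSense's cert manager code), the following models the name-matching rules a browser applies to a server certificate, which is what decides the outcomes listed above: an IP address in the URL has to match an iPAddress subjectAltName entry (RFC 2818), a wildcard stands for exactly one label, and browsers refuse a wildcard with fewer than two labels after it. The certificates are constructed stand-ins, and the 10.1.1.1 address is an assumption.

```python
"""Model of how a browser matches the URL host against a server certificate."""
import ipaddress
from typing import List, Tuple

# A certificate is modelled as (CN, list of SAN entries), each SAN entry being
# ("DNS", name) or ("IP", address).  Constructed stand-ins for the certificates
# tried in the post, not output of the pfSense cert manager.
Cert = Tuple[str, List[Tuple[str, str]]]

CN_ONLY_WILDCARD: Cert = ("*.site", [])
CN_ONLY_HOST: Cert = ("pfsense.site", [])
WITH_SAN: Cert = ("pfsense.site", [("DNS", "pfsense.site"),
                                   ("DNS", "*.pfsense.site"),
                                   ("IP", "10.1.1.1")])
# The post says adding 10.x.x.x as an alternative name changed nothing; an IP
# literal stored as a DNS-type SAN is one way that can happen.
IP_AS_DNS_SAN: Cert = ("pfsense.site", [("DNS", "pfsense.site"), ("DNS", "10.1.1.1")])


def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: '*' only as the whole leftmost label, matching
    exactly one label, and at least two labels must follow it (browser rule)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False            # '*.site' is refused outright
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False                # partial-label wildcards such as 'pf*.site'
    return p_labels == h_labels


def cert_accepts(cert: Cert, host: str) -> bool:
    """Would a browser accept this certificate for the host typed in the URL?"""
    cn, sans = cert
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 2818: an IP in the URL must match an iPAddress SAN; CN and
        # dNSName entries never count, even if they hold the same digits.
        return any(kind == "IP" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if dns_names:
        # With dNSName SANs present the CN is ignored.
        return any(wildcard_matches(n, host) for n in dns_names)
    # No dNSName SAN at all: legacy fallback to the CN, which is what the
    # 2014-era browsers in the post still did.
    return wildcard_matches(cn, host)


if __name__ == "__main__":
    for label, cert in [("CN *.site", CN_ONLY_WILDCARD), ("CN pfsense.site", CN_ONLY_HOST),
                        ("SAN DNS+IP", WITH_SAN), ("IP as DNS SAN", IP_AS_DNS_SAN)]:
        for host in ("pfsense.site", "www.pfsense.site", "10.1.1.1"):
            print(f"{label:16} {host:18} {'ok' if cert_accepts(cert, host) else 'rejected'}")
```

An iPAddress SAN holds one literal address, so "any IP address in the subnet" is not expressible in an end-entity certificate; each address the GUI is reached on needs its own IP entry.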


[pfSense] syslog server IP/name

2014-05-21 Thread Volker Kuhlmann
https://pfsense/diag_logs_settings.php

Has 3 fields for syslog servers. Says IP addresses must be entered. Does
accept names (corresponding entry exists in DHCP server or DNS
forwarder).

Either the comment is wrong, or error checking is absent (intentionally
or accidentally).

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] php error in squidguard

2014-05-31 Thread Volker Kuhlmann
https://pfsense.localdomain/pkg_edit.php?xml=squidguard_acl.xml&id=0

pfsense 2.1.3, squidguard 1.4_4 pkg v.1.9.6  (both latest)

Select Groups ACL tab.
None are defined. Click the + icon.

Page says:
Order   Warning: Invalid argument supplied for foreach() in /usr/local/www/pkg_edit.php on line 570
Select the new position for this ACL item. ACLs are evaluated on a first-match source basis.

The drop-down is empty.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] Squidguard package creates buggy config file

2014-06-02 Thread Volker Kuhlmann
squidguard 1.4_4 pkg v.1.9.6 creates this config file:
The rule for Groups ACL for host1 is disabled.
/usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf

src host1 {
    ip 10.1.1.1
    log block.log
}
src host2 {
    ip 10.1.1.2
    log block.log
}
acl {
    host2 {
        pass ...
        log block.log
    }
    default {
        ...
        log block.log
    }
}

Problems:

1) src host1 is defined, but has no ACL. Squidguard treats this silently as 
pass all!!
Solution: Write the config lines but comment them out, or don't write the lines 
belonging to disabled rules to the config file.
This is a critical failure for something that is supposed to give protection.

2) The BUI has a column Disabled in the Groups ACL tab. For disabled rules 
it says "on".
Please make this clearer and say "yes".
Of course, currently disabled means all access control disabled, not rule 
disabled!

3) Inside the acl{} block only the default{} part is allowed to have a log 
statement. For each of the host2{} blocks containing a log statement an error 
like this is generated:
 2014-06-02 22:36:51 [51713] logfile not allowed in acl other than default


The pfsense bug tracker doesn't seem to be for pfsense packages, in lieu
of a better place I post it here.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.
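An added check for the two config faults reported above (not pfSense or squidGuard code): a lint pass over a generated squidGuard.conf that flags a src block no acl entry references (which the post reports squidGuard treats as pass-all) and a log statement inside any acl block other than default. The sample config is constructed to mirror the one quoted, with the elided parts filled by assumed placeholders.

```shell
#!/bin/sh
# Added example, not pfSense or squidGuard code: a lint pass over a generated
# squidGuard.conf for the two faults described in the post.  The sample
# config is constructed to mirror the one quoted (host1 has a src block but no
# acl entry; host2's acl block carries a log statement).
set -eu

# Prints findings for $1 (path to squidGuard.conf); exit 1 if there are any.
lint_squidguard_conf() {
  awk '
    BEGIN { bad = 0; inacl = 0; cur = "" }
    # "src NAME {" at top level: remember the name
    /^[ \t]*src[ \t]+[^ \t{]+/           { src[$2] = 1; next }
    /^[ \t]*acl[ \t]*\{/                 { inacl = 1; next }
    # "NAME {" inside acl { }: an acl entry for that src (or "default")
    inacl && /^[ \t]*[^ \t{}]+[ \t]*\{/  { cur = $1; sub(/\{.*/, "", cur); acl[cur] = 1; next }
    # squidGuard accepts "log" only in the default entry
    inacl && cur != "" && cur != "default" && /^[ \t]*log[ \t]/ {
        printf "ERROR: log statement in acl %s (allowed only in default)\n", cur; bad = 1 }
    /^[ \t]*\}/                          { if (cur != "") cur = ""; else inacl = 0 }
    END {
        # a src with no acl entry: the post reports squidGuard passes it unfiltered
        for (s in src) if (!(s in acl)) {
            printf "WARNING: src %s has no acl entry; squidGuard passes it unfiltered\n", s; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample in the shape of the quoted config, written to $1.
# "pass !blk all" and "pass none" stand in for the elided lines.
write_sample_conf() {
  cat > "$1" <<'EOF'
src host1 {
    ip 10.1.1.1
    log block.log
}
src host2 {
    ip 10.1.1.2
    log block.log
}
acl {
    host2 {
        pass !blk all
        log block.log
    }
    default {
        pass none
        log block.log
    }
}
EOF
}
```

Run it against /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf after every save in the package GUI; a non-zero exit means the running filter does not do what the Groups ACL tab shows.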


Re: [pfSense] Interface options for pfsense

2014-06-10 Thread Volker Kuhlmann
On Mon 21 Apr 2014 22:46:57 NZST +1200, Christoph Hanle wrote:

>> Are there any USB Ethernet adapters that actually work with pfsense?
>> Reliably? I am looking for reports from those who have tried, not the
>> freebsd supported HW list - that list is too long and not really
>> trustworthy (I have a USB wifi adapter which runs for 10min then makes
>> pfsense kernel panic).
> Tested with 2.0.3 and stable in production usage: Digitus 3015 (RTL 8150
> chipset) and Digitus-10050 (MCS7832 chipset).

Obtained one which says RTL8152 under Linux (works off the shelf):
Bus 010 Device 003: ID 0bda:8152 Realtek Semiconductor Corp. 

On pfsense 2.1.3 dmesg says
ugen1.2: Realtek at usbus1

But even after adding
  if_rue_load="YES"
to /boot/loader.conf.local
and rebooting with the adapter plugged in nothing much in dmesg gives
any hint of the presence of another interface.

--> RTL8152 no good with pfsense 2.1.3.

I can't find RTL8150 any more.

Does anyone have an Ethernet USB adapter working under pfsense 2.1?

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Dependencies on older packages?

2014-06-15 Thread Volker Kuhlmann
On Wed 11 Jun 2014 22:41:55 NZST +1200, Brian Candler wrote:

> pkg_add: warning: package 'libidn-1.22' requires
> 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
> pkg_add: warning: package 'libidn-1.22' requires 'gettext-0.18.1.1',
> but 'gettext-0.18.3' is installed
> pkg_add: warning: package 'wget-1.13.4_1' requires
> 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
> pkg_add: warning: package 'wget-1.13.4_1' requires
> 'gettext-0.18.1.1', but 'gettext-0.18.3' is installed

There are several other packages (and/or pfsense packages?) that trigger
the same warnings.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] filterdns killing pfsense

2014-11-23 Thread Volker Kuhlmann
The second time within two days now my pfsense has shot itself. So far I
worked out this:

filterdns opens an unlimited number of files (approx 10753).
(Only one filterdns process is running!)

Squid 2.7.9 pkg v.4.3.4 starts logging
  httpAccept: FD 51: accept failure: (23) Too many open files in system
without rate limit (bad design).

The log file grows until the disk is full.

My Internet goes offline, which is when I notice the problem.

Recovery is possible by removing the oversized log file and killing
filterdns.

pfSense 2.0.5 running on APU1 board.

Why is this suddenly starting to happen? The only change I've had
recently is that the internal SSD failed and got replaced with a 2.5"
SATA spinning platter.

Thanks muchly,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] filterdns killing pfsense

2014-11-24 Thread Volker Kuhlmann
On Mon 24 Nov 2014 19:24:55 NZDT +1300, Nishant Sharma wrote:

Thanks.

> I have observed this happening when there are infected machines in the
> network that incessantly send web requests. This causes squid to query
> filterdns which fills all the states and new connections are slow to
> open.
>
> Have a look on state table and you will see most of them from
> 127.0.0.1 to 127.0.0.1:53.

There is no abnormality in the state table. For the first occurrence of
this problem used-states peaked at 170 (RRD, 1 week, 1h average), for
the second at 120 (RRD, 1 day, 5 minutes average).
For the first time I checked this in the web interface at the time, the
second time I couldn't get a web login.

The access log shows a client doing web browsing with a request rate of
up to something like 20/second for the first. That's normal, pages
loading all their CDN and adcr.p references. No activity for the second
time(!) in the log, but that seems a bit low.

I had increased the squidguard processes from the default 5 to 20 (had
to hack the php) to avoid warnings about insufficient processes.

> Immediate measure can be not to use dns-forwarder as DNS for the
> firewall. Sift through squid access log to find out infected machines
> and sanitise them.

No infected machines present.

It is entirely possible that my ISP had DNS or general congestion at the
time. However I expect pfsense not to shoot itself when its Internet
connection is less than perfect.

As a quick measure I have moved squid + squidguard logs to a different
filesystem and changed process limits from

kern.maxfiles: 12328
kern.maxfilesperproc: 11095

to

kern.maxfiles: 15000
kern.maxfilesperproc: 3000

And squid needs its logging sorted:
  uniq  cache.log  cache.log-uniq
  wc -l cache.log*
98234680 cache.log
   64153 cache.log-uniq

So I am still looking for the cause of this suicidal pfsense box. Any
pointers gratefully accepted.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] APU and SSD: full install or NanoBSD

2014-11-25 Thread Volker Kuhlmann
On Thu 30 Oct 2014 00:12:05 NZDT +1300, Odette Nsaka wrote:

> I'm going to switch from MMC/SD to SSD on APU.

Good move.

> Does anyone have any suggestion or experience? Are SSD drives on PC engines
> shop reliable to make a full install or do you suggest to stay on NanoBSD
> install?

Full of course, come on, you've got a pretty decent PC with heaps of
RAM. Not exactly embedded-sized, save the VGA output you never need
anyway, and the power consumption. Nano is for rock-bottom hardware
specs, which the APU is not.

Thinking SSDs are the way to go I put in a PC Engines SSD (good price,
afterall) with updated firmware as soon as it became available in
mid/late May, and added squid and squidguard for my own protection. Bad
idea. Pfsense locked dead for the first time in early Sep, got pretty
hot too (does the CPU clock/power control fail with disk IO errors?).
Bottom line, squid and SSD are not a good combo.

The new SSDs from PC Engines with Phison controller are much better,
good SMART support too, but my plan is to run pfsense off the SSD and
locate the squid cache and log files on a 2.5" spinning platter. With PC
Engines' special SATA cable it might still all fit into the case.

pfsense 2.1.5

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] APU and SSD: full install or NanoBSD

2014-11-26 Thread Volker Kuhlmann
On Thu 27 Nov 2014 04:41:42 NZDT +1300, compdoc wrote:

>> Bottom line, squid and SSD are not a good combo.
>
> I've used several SSDs over the years running pfSense and linux and
> windows OSes. Work just like hard drives, except might actually be
> more reliable.

From the discussion in this thread it's clear that only good-quality
expensive SSDs can be counted on, and that they have to be several
times over-sized, adding more to the cost. Best is not to write to them
too then, if possible. ;-)

It's a lot of expense compared to the cost of an APU board. Smaller
spinning disks in good shape are frequently free from upgrade leftovers.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] System and Help menu still stack together

2014-12-05 Thread Volker Kuhlmann
On Sat 06 Dec 2014 09:17:12 NZDT +1300, Przemysław Pawełczyk wrote:

>> I'm back with the same problem when Help item is stacked below
>> System option in top menu.

Yes that has been annoying me too for years, it makes the system menu
inaccessible. It happens if the browser decides to render things
differently than on the developers' screens. Mostly this happens if the
browser window is too small because e.g. the screen is too small, but
also happens when using a different font to increase legibility. At the
same time there is a large stupid grey area on the right side for a
complete waste of space.

Try temporarily reducing the browser text size (ctrl-scrollwheeldown) to
access the system menu.
Or try one of the other themes (System -> General) if you're lucky enough
to get there.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.

[pfSense] Aliases are auto-deleted

2014-12-05 Thread Volker Kuhlmann
I have some aliases containing FQDNs instead of IP addresses (very
useful feature). However they keep on being removed from the pf rules.

For example an alias of type networks contains IP addresses, IP
networks, and domain names. When I check with 
  pfctl -t aliasname -T show
Only the IP addresses and networks show, the IP addresses for the domain
names are missing.
Adding the name to the table works:
  pfctl -t aliasname -T add domain.net

But it disappears from the table within seconds.
This alias is referenced by 2 rules.

If I create a test alias with one of the domain names in question the
table stays as it should, or at least
  pfctl -t test -T show
shows that. This table is not referenced by any rule.

I can't rely on pfsense operating properly like this. It's a bit like
putting a lock on a door that unknown to anyone only locks before noon.

What's the cause of this behaviour, and how do I fix it?
It used to work, but that may have been 2.1.3.
I just reinstalled 2.1.5 again to check if that fixes things, but it
doesn't. The problem occurs on a freshly installed system.

Thanks muchly,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.
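An added check for the situation described above (not pfSense code): it compares what an alias is configured to contain, with its FQDN entries resolved, against what the pf table behind it actually holds, and reports the difference. On the firewall the live table is the output of `pfctl -t aliasname -T show` from the post and the names are resolved with `host`; here both sides are read from files with constructed sample data so the comparison itself runs offline. The `host` output format and IPv4-only handling are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense code: check that the pf table behind an alias
# still carries the addresses its FQDN entries resolve to.  On the firewall
# the live table comes from "pfctl -t ALIAS -T show" and the names are
# resolved with "host"; both are read from files here, with constructed sample
# data, so the comparison itself can run offline.  IPv4 only.
set -eu
LC_ALL=C; export LC_ALL

# One entry per line, hosts written as /32, sorted for comm(1).
norm() { awk 'NF { a = $1; if (a !~ /\//) a = a "/32"; print a }' | sort -u; }

# Real resolver for the firewall: A records of $1, one per line (assumed
# "host" output format).  Not used by the offline sample below.
resolve_with_host() { host -t a "$1" | awk '/has address/ { print $4 }'; }

# Constructed DNS answers standing in for resolve_with_host.
fake_resolve() {
  case $1 in
    vpn.example.net)    echo 203.0.113.10 ;;
    mirror.example.net) printf '%s\n' 198.51.100.5 198.51.100.6 ;;
    *) ;;   # NXDOMAIN: contributes nothing, as on the firewall
  esac
}

# $1 = alias member list (IPv4, IPv4/len or FQDN per line), $2 = resolver.
expected_table() {
  while read -r entry; do
    case $entry in
      ''|'#'*)      ;;                 # blank or comment
      *[!0-9./]*)   "$2" "$entry" ;;   # contains letters: a name to resolve
      *)            echo "$entry" ;;   # literal address or network
    esac
  done < "$1" | norm
}

# Prints configured entries absent from the live table in $2; exit 1 if any.
missing_from_table() {   # $1 alias file, $2 "pfctl -T show" output, $3 resolver
  e=$(mktemp); l=$(mktemp)
  expected_table "$1" "$3" > "$e"
  norm < "$2" > "$l"
  missing=$(comm -23 "$e" "$l")
  rm -f "$e" "$l"
  [ -z "$missing" ] && return 0
  for m in $missing; do echo "MISSING from pf table: $m"; done
  return 1
}

# Constructed sample: alias members, and a live table that lost the VPN host.
write_sample_alias() {
  printf '%s\n' '10.0.0.0/8' '192.0.2.7' 'vpn.example.net' 'mirror.example.net' > "$1"
}
write_sample_table() {   # same indentation as pfctl -T show
  printf '   %s\n' '10.0.0.0/8' '192.0.2.7' '198.51.100.5' '198.51.100.6' > "$1"
}
```

On a real box the live side is `pfctl -t aliasname -T show > live.txt` and the resolver argument is `resolve_with_host`; a non-zero exit from the check is the "configured rule set is not the running rule set" condition from the post, made visible instead of silent.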


Re: [pfSense] Aliases are auto-deleted

2014-12-09 Thread Volker Kuhlmann
I found the problem. My ISP changed the WAN gateway to be mostly
non-responsive to pings. But only mostly, so pfsense plays yoyo with it.

Aliases containing FQDN entries are removed from pf tables (pfctl -T
show -t aliasname) at the start of any rule or alias change, related to
the alias with FQDNs or not, they effectively disappear permanently
while playing yoyo. It takes an exorbitant time for them to be re-added
when they should be added as part of a rule reload or not be removed in
the first place.

The fix in this case is to ping an ISP host behind the gateway (which
isn't actually down), or to disable WAN gateway monitoring (I am not
sure what it actually does when there is only a single ISP).

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Aliases are auto-deleted

2014-12-09 Thread Volker Kuhlmann
On Wed 10 Dec 2014 01:30:49 NZDT +1300, Chris Bagnall wrote:

Yes I was wondering about (basically useless) rate limiting too.
I used the ISP's web server. Or use one of the top 10 companies' one, or
one of the big CDNs. For single WAN pinging 1/s doesn't quite make sense
to me either so I increased the numbers.

 (nearly all our pfSense deployments are multi-WAN, so disabling
 gateway monitoring isn't a solution here, alas)

Is this why gateway monitoring is active by default? I'd have guessed
most pfsense installs to be single WAN. What would gw monitoring be
useful for then? Nothing could be done about the Internet going
offline.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Aliases are auto-deleted

2014-12-09 Thread Volker Kuhlmann
On Wed 10 Dec 2014 07:39:36 NZDT +1300, Ryan Clough wrote:

> I, too, am using aliases which do not retain domain names or IP addresses.

I opened https://redmine.pfsense.org/issues/4087

What happens is that a rule reload, which can be triggered by many
things e.g. interface yoyo (see WAN gw) or applying alias or rule
changes, clears all the FQDN alias entries from the tables used by pf,
and then fails to put them back in. They are added again some time
later, but I don't know what some time is, several minutes at least.
Meanwhile the user interface is showing these entries as being part of
the running rule set when they are silently not. I consider that to be a
security problem - the running rule set is not the configured one.

This is at least the case for host and network type aliases (I don't use
and therefore didn't check url or url table types).

Chris says it's fixed for 2.2. Perhaps this ticket:
https://redmine.pfsense.org/issues/3939
(Most recent comment says it may not yet be fully resolved.)

Apply patch
https://redmine.pfsense.org/projects/pfsense/repository/revisions/d9b05eb490ab4d31a132c3e993bd560933eadd8c/diff/etc/inc/filter.inc?format=diff
(chunk #2 manually because it fails)
It seems to work however comments in #3939 say it's incomplete so better
only do it if desperation is big.

> let me know. I have attached a screenshot of pfSense Firewall -> Aliases and
> a screenshot of the pfctl command showing the table does not exist.

The pfctl man page mentions possible rule optimisations removing tables.
pfsense uses pfctl -o basic. Consider whether this may be a factor in
your case. Edit /etc/inc/filter.inc to -o none.

Cheers,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] OpenVPN connects fine, no internet

2014-12-11 Thread Volker Kuhlmann
> did you configure tunnelblick to send *all* traffic to the vpn? if so, you
> have to add allow rules to the openvpn interface to permit that traffic,
> and probably set up a NAT on there as well.

If the network the client is connecting from (e.g. while travelling) is
in any way not totally trustworthy it would be prudent to at least route
the DNS traffic through the tunnel, if not all traffic. The VPN should
protect from all MITM attacks and snooping between the VPN client and
server.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Aliases are auto-deleted

2014-12-11 Thread Volker Kuhlmann
On Thu 11 Dec 2014 01:51:32 NZDT +1300, Vick Khera wrote:

>> If you're using my DNS zone to generate a block list for my IPs I can
>> make those names return anything I want and get through anyway.
>
> I use hostnames in rules to permit my home office (which has a dynamic IP)
> to administer the office firewall via the public interface. I control the
> dynamic dns, so it is a safe thing to do. Generally, however, I agree with
> you that it is giving control to someone else.

It is still useful. And it depends on whether it's used in white or
blacklist. In whitelists the behaviour of pfsense 2.1 causes a DoS. DoSs
seem to be considered a security problem, e.g. the current openvpn
problems don't get anyone any access but can cause a DoS, and everyone
is quick to fix it.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] 2.2 Release Candidate now available!

2014-12-11 Thread Volker Kuhlmann
Would you like tickets or a quick problem list here?

2.2-RC (amd64)
built on Thu Dec 11 03:41:41 CST 2014
FreeBSD 10.1-RELEASE-p1
(In virtualbox 4.2.6)

squid3 installs, but doesn't start. From system log:
php-fpm[89961]: /pkg_edit.php: The command 
'/usr/pbi/squid-amd64/local/sbin/squid -f 
/usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the 
output was 'Shared object libmd5.so.0 not found, required by squid'

squidGuard-squid3 doesn't install:
[...]
Downloading squidGuard-squid3 and its dependencies... 
Checking for package installation... 
 Downloading 
https://files.pfsense.org/packages/10/All/squidguard-squid3-1.4_4-amd64.pbi ... 
 (extracting)
 ERROR: No digital signature! If you are *SURE* you trust this PBI, re-install 
with --no-checksig option.
of squidguard-squid3-1.4_4-amd64 failed!
Installation aborted.Removing package...
[...]

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] OpenVPN connects fine, no internet

2014-12-12 Thread Volker Kuhlmann
On Fri 12 Dec 2014 06:19:37 NZDT +1300, Karl Fife wrote:

>> The VPN should protect from all MITM attacks and snooping between
>> the VPN client and server.
>
> This is a great idea, but I find that routing all traffic through
> VPN causes problems in marginal (lossy or congested) networks.  I'm
> curious to know if others have also had this pain point, and whether
> you've had any success by simply sending VPN over TCP.

What you are seeing is the additional overhead of the VPN, both in
encapsulation and in delay. There is no way around that. I expect tcp to
be even worse (but able to detect missing packets). That's the price you
pay. Ideally I'd like to have flexible and user-friendly control over
what data goes over the VPN and which DNS is used. It happens that one
has to look up some hosts of the provider and can't tunnel the DNS,
which is always annoying.

It is possible that other VPNs, in particular IPsec, have lower
overheads.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] FQDN alias update failure

2014-12-19 Thread Volker Kuhlmann
pf tables can be populated from FQDNs through pfsense aliases. However
the FQDNs are not re-evaluated and pf tables are not updated after
applying changes to the aliases or filter rules, creating confusion when
setting up rules. The update only happens eventually when the filterdns
background process gets around to it.

Is there a way to run a command that does an update immediately, while
the problem is being fixed?

filterdns is run as

/usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c 
/var/etc/filterdns.conf -d 1

and expects a config file as minimum argument.

However it always starts up a new instance that keeps running. Is it
possible to tell it to terminate after one update iteration, or do I
need to write a script that kills it after 10 seconds? Thanks.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] FQDN alias update failure

2014-12-22 Thread Volker Kuhlmann
On Tue 23 Dec 2014 00:30:39 NZDT +1300, Renato Botelho wrote:

> Every time alias is changed, a HUP signal is sent to filterdns [1],
> and it triggers it to read config again and update aliases.

Thanks for the tip. However a

  kill -HUP `cat /var/run/filterdns.pid`

doesn't seem to cause an immediate update of aliases. filterdns seems to
wait until the end of the current interval before doing anything. It
would do the same with sending HUP (changing aliases has already done
that).

> Could you let me know the steps to have multiple filterdns instances
> running? I couldn’t reproduce it here.

Trivial, just run it:

  /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c 
/var/etc/filterdns.conf -d 1

This incantation is run by pfsense. Doing the same from the command line
starts up a new instance of filterdns each time. It also updates aliases
immediately.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.

Re: [pfSense] Squid not logging traffic

2015-02-16 Thread Volker Kuhlmann
On Tue 17 Feb 2015 10:33:21 NZDT +1300, Walter Parker wrote:

> In Realtime, you can use the dashboard app.

The pfsense dashboard? I don't think so. Traffic going through a
particular interface is not so interesting.

> For plugins, BandwidthD and Darkstat have some information.

Unfortunately the info is of no value. I am not interested in any traffic
volume between LAN, DMZ, WIFI, LAN2, etc. I am only interested in the
traffic going through WAN, and with which *internal* host. The above
packages can only tell me which *Internet* sites had how much traffic
through WAN, but that side of the connection is of no interest to me. I
want to know which of my clients have created the traffic for which I
have to pay my ISP, so I can work out which flatmate has to pay for it,
or fix the computer with a problem that wastes my money.

I realise those in the USA and a few other countries don't have this
problem, but it sure exists where I live and I'm sure it's not the only
country. In any case it's good to know what gobbles up resources, even
if they're free.

> I've used netflow on other systems to get this sort of information, but for
> pfSense you would have to setup a second box that ran the netflow
> visualizer to see the traffic information from one of the netflow plugins.

Copying a file onto another computer to look at its content isn't too
much of a problem. Do you know of a good tutorial that lists the
software needed, and basic config for each part?

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Squid not logging traffic

2015-02-16 Thread Volker Kuhlmann
On Tue 17 Feb 2015 06:15:46 NZDT +1300, Brian Caouette wrote:

> I also notice it doesn't log torrents. Is there a way to tell it to
> log everything

I don't know about lightsquid. Squid is a web cache and I'm not sure it
is even able to deal with anything but http. If you look at its config
file you see that it only deals with a short list of ports in the first
place, and is not involved in the rest at all. You are looking for an
application filter (like squid is for http). pfsense is mainly a packet
filter, those packages are already add-ons.

> so I can get an accurate picture of what each device on
> the network is using?

With pfsense, short answer: no. This is my longest standing problem with
pfsense. It is not able to tell me which LAN device caused how much WAN
traffic. There may be half a dozen different add-on packages but all are
of no use here (for different reasons). I'd really like to hear that I
missed something...

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Squid not logging traffic

2015-02-16 Thread Volker Kuhlmann
On Tue 17 Feb 2015 12:27:34 NZDT +1300, Walter Parker wrote:

> For the real time monitor, if you switch from WAN to LAN, you can see who
> is doing spikes. For the other items, you can see how much bandwidth each
> internal IP addresses has used in one of those packages. Unless you have
> servers in a DMZ outside of the firewall or are doing some sort of traffic
> reflection to internal hosts, all traffic to/from a desktop to the firewall
> is traffic to the internet.

We probably have a different idea of network topology. E.g. the wifi is
on a different network (I don't trust wireless) to the LAN. Then I grab
a laptop, connect it to wifi, and transfer 1GB with a desktop, LAN
fileserver, or whatever. All this traffic goes through pfsense, but not
through WAN, and is of no interest in finding out which LAN/wifi/etc
host had how much traffic to the Internet (through WAN).

bytes/s is of not much interest to me either, total bytes per
day/week/month is.

The problem with the pfsense bandwidth packages (all of them) is that
they're interface based. They tell me how much traffic each host
connected to interface A contributed to the traffic through A. What I
want to know is how much traffic each host connected to interface A, B,
C contributes to traffic through *D*. This is of interest to anyone
charged by volume by their ISP.

The netflow setup looks like the only contender for this, but it does
nothing by itself and the whole setup looks a bit involved. I'll make
another effort when I get the time. Open source on Linux only for me
though, unless it is on pfsense.

Thanks for thinking of the screenshots but I don't think they'd add much
to your description.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] Reject action for non-TCP/UDP packets

2015-02-16 Thread Volker Kuhlmann
What happens exactly in pfsense with a reject-action rule with protocol
any and a packet that is neither TCP nor UDP?
Does this rule reject TCP+UDP packets, and deny others?
Or is there a chance non TCP/UDP packets could be passed?
Is this different for pfsense 2.1 and 2.2? IPv4 and IPv6?

This is kind of crucial, and needs a reliable answer if one doesn't want
to back it all up with another deny rule. pfsense changed too, in 2.1
such rule could not be created
  https://redmine.pfsense.org/issues/2452
but it can on 2.1.5.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] squid and squidguard versions

2015-01-28 Thread Volker Kuhlmann
Would someone please be able to shed some light on the difference
between the squid3 and squid3-dev packages for 2.1.5?

And what is the difference between the squidGuard, squidGuard-squid3,
and squidGuard-devel packages for pfsense 2.2?
Which one should one use with squid3 (on 2.2)?

It would be really useful if someone could update the descriptions that
show up on https://pfsense.localdomain/pkg_mgr.php for all these
packages.

Thanks muchly,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] 2.2 Packages

2015-01-31 Thread Volker Kuhlmann
On Sat 31 Jan 2015 20:02:44 NZDT +1300, A Mohan Rao wrote:

> I also revert back to 2.1.5 or 2.1.
> It's pretty good.
> At present I'm facing only squid guard service not starting problem.

You need to start giving better info. Which package versions? Have you
even looked at the logs? They usually tell you why something doesn't
start.

For example squidguard 1.4_4 pkg v.1.9.9 is broken with squid 2 because
it uses squid directives only available in squid 3. A look in the logs
and config files shows this easily.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Squid not logging traffic

2015-02-15 Thread Volker Kuhlmann
On Mon 16 Feb 2015 03:53:55 NZDT +1300, Brian Caouette wrote:

> I just noticed squid is not logging all traffic. The last few nights
> I've used plex on my roku connected to my friends server. The only
> thing showing in light squid

Are you talking about squid or light squid? Aren't they different
packages?

Squid logs the number of bytes transferred, which means it can write the
log entry only after the connection is closed. The time stamp seems to
be the one of when the log entry was written, not when the connection
was opened. When is a streaming connection closed?

Perhaps more to the point, what port does the stream use? Is it one
handled by squid in the first place?

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Squid guard

2015-02-04 Thread Volker Kuhlmann
On Wed 04 Feb 2015 02:22:49 NZDT +1300, Brian Caouette wrote:

> What's the best way to handle custom sgerror.php pages with squidguard?
>
> Any time the package updates my custom page is over written.

Copy your own sgerror.php to sgerror-local.php, make your changes, and
point to it with the URL that can be configured in the BUI for that
purpose?

Btw contrary to the help text for setting the redirect mode, the
internal error page ( /sgerror.php ) is accessible with squidguard set
to int error page as long as the web configurator is accessible,
because it is served by the same web server (lighttpd). However if the
web configurator is running on https, a redirect from http to https
occurs (directly pointing to https does not work). With https
certificate warnings result.

/usr/local/pkg/squidguard_configurator.inc needs several changes to it,
but it's not difficult. That however will disappear with the next
package update too. Squidguard isn't yet a stable pfsense package...

> Sent from my U.S. Cellular® Smartphone

I couldn't care less, even if I tried very hard. ;-)

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Design Best Practice Question

2015-03-07 Thread Volker Kuhlmann
On Sun 08 Mar 2015 02:44:45 NZDT +1300, Tim Hogan wrote:

 I like your idea with using 1:1 NAT but just one question; If you
 use SSL with the certificate on the web server, will the 1:1 NAT
 mess with that?

No.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] serial port sadness

2015-02-25 Thread Volker Kuhlmann
On Thu 26 Feb 2015 07:19:04 NZDT +1300, Jim Pingle wrote:

 http://www.amazon.com/gp/product/B00AHYJWWG

Yes, useful for many occasions.
However, as a first step, having a two-buck gender bender and trying with
and without will put the straight/null issue to rest. You'll still need
it if the flashing gadget indicates as such. Smaller/cheaper than having
two different cables too.

 FTDI chip, too.

Or what the Chinese make of that ;-)

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] Remote syslog logging keeps stopping

2015-05-04 Thread Volker Kuhlmann
I noticed that after a re-install of 2.2.2 (with sections of config file
from 2.1.5 and several reboots) syslog to remote was not sending any
data.

The settings at
https://fw.site/diag_logs_settings.php
were all correct (Remote Syslog Servers, IP address) and just saving the
page sends syslog data from pfsense to a remote host.

Now there is no syslog data again. Saving the above page as is makes it
flow out again.

I conclude that under some condition(s) pfsense stops sending syslog
data to a remote host. What might those conditions be, and where do I
start looking?

The last line logged is
  ...T02:57:57.142885+12:00 xx syslogd: sendto: Operation not permitted
pfsense has been up since well before that.

TIA, and thanks for fixing that useless syslog format!!

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Internal Clock Broke

2015-08-23 Thread Volker Kuhlmann
On Fri 26 Jun 2015 14:54:38 NZST +1200, Brian Caouette wrote:

 Anyone else notice the clock is broke on 2.2.3? Anything time related
 is seriously off.

Agreed. It's broken in 2.2.4 too.

At least the upgrade to 2.2.4 did not change the time zone
(Pacific/Auckland) for me. I can no longer tell for the upgrade to
2.2.3.

Time synchronisation does not happen. I configured 2 time servers, both
reachable, and the system time is wrong.

pfsense # ntpdate -qu 0.pfsense.pool.ntp.org time.paradise.net.nz
server 130.217.226.50, stratum 1, offset -11.124288, delay 0.05031
server 103.239.8.22, stratum 1, offset -11.124315, delay 0.03931
server 203.96.152.12, stratum 3, offset -11.120111, delay 0.04111
24 Aug 12:13:24 ntpdate[95005]: step time server 103.239.8.22 offset -11.124315 sec

11 seconds difference does not happen if NTP is working.

uptime 23 days.

Hardware is PCEngines APU1.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Internal Clock Broke

2015-08-23 Thread Volker Kuhlmann
On Mon 24 Aug 2015 14:11:22 NZST +1200, Brady, Mike wrote:

 I think that the INIT states indicate that you are not in fact
 synced.

Yes, I took that for granted. But why? ntpdate to the same servers
connects fine. Default pfsense config - well I added one time server and
enabled ntpq.

It looks like ntpd can't talk to the servers, but why, when ntpdate
works fine? Both running on pfsense.

OK found it. Under access restrictions, the option

  Disable all except ntpq and ntpdc queries (default: disabled).

must NOT be ticked! The default is ticked. This seems to prevent ntpd
altogether from talking to the time servers.

That looks like a bug. Could you compare your config, please?

  What does ntpq -n -c peers show?

Same. You can shorten peers all the way to pe.

 I would also suggest that you have at least 3 servers configured to
 sync against.

Point taken, but it depends on how important it is (have another time
server), and it's not the issue here.

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Internal Clock Broke

2015-08-23 Thread Volker Kuhlmann
On Mon 24 Aug 2015 16:22:04 NZST +1200, Brady, Mike wrote:

 It is not ticked on any (three) of the machines that I have just
 looked at.  This is not something that I would have ever changed.

Perhaps my memory is wrong and I did change mine. Why have an advanced
option that stops the whole thing from working? Perhaps it's for locally
connected clock sources.

 Sorry, I meant ntpq -n -c ass.

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 40532  8011   yes    no   none    reject    mobilize  1
  2 40533  8011   yes    no   none    reject    mobilize  1

Yes, thanks muchly.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.
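The `ntpq -n -c ass` output quoted above is what an operator has to read to see whether ntpd has actually selected a peer. The following is an added example, not code from the thread or from pfSense: it parses that output and reports whether any association is usable, distinguishing "nothing reachable" (the picture in the thread, where the access restriction blocked every server) from "reachable but not selected". The two sample outputs are constructed; association ids and status words are made up, only the column layout follows ntpq.

```python
"""Parse `ntpq -n -c ass` output and decide whether ntpd has a usable peer."""

import re
import subprocess

# Constructed sample output in the shape of `ntpq -n -c ass`: two configured
# servers, neither reachable, both rejected - the state shown in the thread.
SAMPLE_UNSYNCED = """\
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 40532  8011   yes    no   none    reject    mobilize  1
  2 40533  8011   yes    no   none    reject    mobilize  1
"""

# Constructed sample of a working ntpd: one system peer plus a candidate.
SAMPLE_SYNCED = """\
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 40532  961a   yes   yes   none  sys.peer    sys_peer  1
  2 40533  941a   yes   yes   none  candidate  reachable  1
"""

# One association row: index, assid, 4-hex-digit status word, then the
# decoded columns ntpq prints.
ROW_RE = re.compile(
    r"^\s*(?P<ind>\d+)\s+(?P<assid>\d+)\s+(?P<status>[0-9a-f]{4})\s+"
    r"(?P<conf>yes|no)\s+(?P<reach>yes|no)\s+(?P<auth>\S+)\s+"
    r"(?P<condition>\S+)\s+(?P<last_event>\S+)\s+(?P<cnt>\d+)\s*$"
)

# Conditions under which ntpd is actually using (or about to use) a peer.
USABLE = {"sys.peer", "candidate", "pps.peer"}


def parse_assoc(text):
    """Return one dict per association row; header and separator are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["conf"] = row["conf"] == "yes"
            row["reach"] = row["reach"] == "yes"
            rows.append(row)
    return rows


def check_sync(text):
    """Return (ok, reason) for a block of `ntpq -n -c ass` output.

    ok is True only when at least one association is in a usable condition.
    The reason names the unreachable assids so the operator can tell a
    network/restriction problem (nothing reachable, as in the thread) from a
    selection problem (reachable but rejected)."""
    rows = parse_assoc(text)
    if not rows:
        return False, "no associations at all (ntpd not running or no servers configured)"
    unreachable = [r["assid"] for r in rows if not r["reach"]]
    usable = [r["assid"] for r in rows if r["condition"] in USABLE]
    if usable:
        return True, "usable peer(s): " + ", ".join(usable)
    if len(unreachable) == len(rows):
        return False, "no server reachable (check restrictions/firewall): " + ", ".join(unreachable)
    return False, "servers reachable but none selected: " + ", ".join(
        "%s=%s" % (r["assid"], r["condition"]) for r in rows)


if __name__ == "__main__":
    # Run against the live daemon when executed on the box itself; fall back
    # to the constructed sample where ntpq is not installed.
    try:
        out = subprocess.run(["ntpq", "-n", "-c", "ass"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_UNSYNCED
    ok, reason = check_sync(out)
    print("OK" if ok else "NOT SYNCED", "-", reason)
```

Run it from cron or a monitoring agent on the firewall and alert on the `NOT SYNCED` case; an 11 second offset like the one in the ntpdate output above would then be caught before it affects log correlation or certificate validation.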


Re: [pfSense] Access Point Recommendations?

2015-08-23 Thread Volker Kuhlmann
Does anyone have any recommendations for a/ac models, AP only, as is
only radio, no router/switch stuff? Dumb is good, I use pfsense already
and don't need more complexity in closed-source buggy devices.
Single-RJ45 perfect, as soon as there are LAN and WAN ports the problems
start (like everyone thinking the only secure way to configure the AP is
over the wifi!).

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] 2.2.5 squidGuard fails to start

2015-11-11 Thread Volker Kuhlmann
After squid and squidguard updates it is necessary to re-download the
blacklist before attempting to restart squid/guard. Done.

When applying the squidguard config
https://xxx/pkg_edit.php?xml=squidguard.xml=0

An error results and squid isn't running.
No change after several iterations of squid and squidguard config
saving, followed by a reboot.

cache.log contains
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default
2015-11-11 17:59:23 [27438] logfile not allowed in acl other than default

This is a long-standing bug of an incorrect squidguard config being
generated.

Attempting to start squid succeeds.
Saving the squidguard config (which recreates SG config and restarts
squid) fails.
Attempting to start squid succeeds.

Saving the squidguard config fails.
Starting squidguard fails.
Starting squid succeeds.

Not really good :-((

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] rsync shell glob problem

2015-11-10 Thread Volker Kuhlmann
There is an unexpected problem with rsync on pfsense 2.2.4:

  rsync -auvAHRi pfsense:'{/root,/etc}' dir -n
rsync: link_stat "/root/{/root,/etc}" failed: No such file or directory (2)

  rsync -auvAHRi pfsense:'/{root,etc}' dir -n
rsync: link_stat "/{root,etc}" failed: No such file or directory (2)

Logging in as user root on pfsense.

It occurs with both 
  rsync  version 3.1.1  protocol version 31
  rsync  version 3.1.0  protocol version 31
on the client side.

I can't find anything in the rsync docs that says this should not work.
On pfsense in root's tcsh this works:

  ls -d /{root,etc}
  /etc /root

There is a workaround with newer rsyncs, but what is the cause of this
not working on pfsense (works on Linux)?

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] squid/squidguard updates broken on 2.2.4

2015-09-30 Thread Volker Kuhlmann
On Wed 30 Sep 2015 01:43:42 NZDT +1300, Jonathan Filogna wrote:

> cd /var/squid
> rm -rf cache/
> mkdir cache/
> chown proxy:proxy cache/
> squid -zX
> /usr/local/etc/rc.d/squid.sh start

That also obliterates all the cache content. I managed to keep it by
only re-creating the missing directories and getting squid to re-create
the cache index.

And there isn't an answer yet for why this cache part has been deleted,
or is being deleted repeatedly after upgrade.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] squid/squidguard updates broken on 2.2.4

2015-09-28 Thread Volker Kuhlmann
I upgraded to the new packages:

squid3 0.3.4
squidGuard 1.9.15

which were offered. No more web browsing...

squid fails on startup, with pfsense attempting to restart every
minute and cache.log growing to tons of MB fast.

The critical entry is right at the top:

2015/09/29 08:31:20 kid1| ERROR: /var/squid/cache/09: (2) No such file or directory
FATAL:  Failed to verify one of the swap directories, Check cache.log
for details.  Run 'squid -z' to create swap directories
if needed, or if running Squid for the first time.
Squid Cache (Version 3.4.10): Terminated abnormally.

Recovery is possible with
  copy cache/0F to cache/09, then delete all files it contains
  stop squid (not so easy... be fast)
  delete swap.state
  wait < 1 minute for squid to be restarted

It appears I may not be the only one with this problem:

https://forum.pfsense.org/index.php?topic=9.msg557150#msg557150

The problem appears not to be with pfsense 2.2.4 but with the most
recent squid/squidguard package updates.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.
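The error above (a missing first-level directory under /var/squid/cache) and the reply earlier in this thread, which kept the cache by recreating only the missing directories, both come down to knowing which directories a ufs cache_dir is supposed to contain. The block below is an added example, not squid or pfSense code. It assumes squid's default layout of 16 first-level directories (00 to 0F) with 256 second-level directories each, which is consistent with the "09" and "0F" names in the post; check the L1/L2 values on the `cache_dir` line of your squid.conf before relying on it. The sample cache tree is constructed in a temporary directory.

```python
"""Report (and optionally recreate) missing L1/L2 directories of a squid ufs cache."""

import os
import tempfile

# Squid's defaults for a ufs cache_dir: 16 first-level and 256 second-level
# directories. Assumed here; verify against the cache_dir line in squid.conf.
L1_DEFAULT, L2_DEFAULT = 16, 256


def expected_dirs(l1=L1_DEFAULT, l2=L2_DEFAULT):
    """Yield the relative directory names `squid -z` creates: each L1 dir,
    then its L2 children, in uppercase hex ('09', '09/00' ... '09/FF')."""
    for i in range(l1):
        top = "%02X" % i
        yield top
        for j in range(l2):
            yield os.path.join(top, "%02X" % j)


def missing_dirs(cache_root, l1=L1_DEFAULT, l2=L2_DEFAULT):
    """Return the expected directories that do not exist under cache_root.

    Read-only: it reports and never creates or deletes anything, so cached
    objects stay intact. An empty list means the layout is complete."""
    return [d for d in expected_dirs(l1, l2)
            if not os.path.isdir(os.path.join(cache_root, d))]


def recreate_missing(cache_root, l1=L1_DEFAULT, l2=L2_DEFAULT, dry_run=True):
    """Recreate only the missing directories, the targeted fix from the reply.

    With dry_run=True nothing is touched and the return value is the list
    that would be created. Squid still has to rebuild swap.state afterwards."""
    todo = missing_dirs(cache_root, l1, l2)
    if not dry_run:
        for d in todo:
            os.makedirs(os.path.join(cache_root, d), exist_ok=True)
    return todo


def make_sample_cache(root, drop="09", l1=L1_DEFAULT, l2=L2_DEFAULT):
    """Constructed fixture: a complete tree with one L1 directory removed,
    mirroring the '/var/squid/cache/09' error in the post."""
    for d in expected_dirs(l1, l2):
        if d == drop or d.startswith(drop + os.sep):
            continue
        os.makedirs(os.path.join(root, d))
    return root


def demo():
    """Build the broken sample tree, report, repair, and re-check.

    Returns (missing_before, planned_by_dry_run, missing_after)."""
    root = make_sample_cache(tempfile.mkdtemp(prefix="squidcache-"))
    before = missing_dirs(root)
    planned = recreate_missing(root, dry_run=True)
    recreate_missing(root, dry_run=False)
    after = missing_dirs(root)
    return before, planned, after


if __name__ == "__main__":
    before, planned, after = demo()
    print("missing before: %d (first: %s)" % (len(before), before[0]))
    print("missing after repair: %d" % len(after))
```

On a real box, call `missing_dirs("/var/squid/cache")` first with squid stopped; only if the list is short and consists of whole L1 subtrees is recreating them (rather than `squid -z` on an emptied cache) the right fix.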


Re: [pfSense] VPN client

2015-12-15 Thread Volker Kuhlmann
On Fri 11 Dec 2015 07:56:46 NZDT +1300, Robert Obrinsky wrote:

> To me, it sounds like you want a fully meshed VPN solution and you
> should be able to set that up.

How about ssltunnel for point-to-point connections between LANs? The
number of tunnels would not reduce if you need to access all by all, but
your redundancy might be easier and it seems a bit overkill to run an
openVPN server with all the routing capabilities when a simple encrypted
connection would do.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] 2.2.5 squidGuard fails to start

2015-11-18 Thread Volker Kuhlmann
On Wed 18 Nov 2015 04:09:41 NZDT +1300, Brian Caouette wrote:

> I can confirm I have seen this as well. Started with the 2.2.x series.
> Happens with almost every reboot or upgrade of package.
> re-downloading the blacklist fixes it until the next cycle.

For me it started with 2.2.5 and did not happen with 2.2.[234].

The package updates of squid3 0.4.3 and squidguard 1.9.17 within the
last few days fix it. Thanks!

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Two queries from intending new user

2015-11-18 Thread Volker Kuhlmann
On Wed 18 Nov 2015 06:14:16 NZDT +1300, Bret Busby wrote:

The short answer is no and no.

> Does installing pfSense, especially, using the "Quick/Easy Install
> option", allow for installation so as to allow for multiple boot
> options (being able to choose an alternative boot option)?
pfsense is a turn-key system requiring its own dedicated hard disk,
which gets wiped during "easy install".
Perhaps, in theory, you could transplant an existing installation into a
new partition, but you'd really have to know what you're doing. I don't
think Linux can create or write freebsd filesystems, reading them might
work.

> The second query is thus; from what I understand, the "pfSense Default
> Configuration" has "LAN is configured with a  static IPv4 address of
> 192.168.1.1/24". Is it possible, with the "Quick/Easy Install option",
> to retain the current LAN configuration

No. pfsense is not aware of any other firewalls' configuration files.
Start from scratch.

You can change the LAN interface's IP address somewhere during easy
install IIRC, it's on the console at the end of installation.

HTH,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] USB3 to ethernet adaptor

2016-05-25 Thread Volker Kuhlmann
On Tue 03 May 2016 01:57:55 NZST +1200, WebDawg wrote:

> If you can skip the USB stuff and enable vlans...in my opinion it is worth
> it.

I disagree. While it'll work, its security is nowhere near the same. It
depends on the VLAN switch's firmware being bugfree (we all know about
how likely that is), it adds complexity, and it mixes physically
separate networks together on one cable. Perhaps it might be acceptable
to merge networks of the same security level, merging LAN and WAN
networks doesn't sound like a good idea to me.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] USB3 to ethernet adaptor

2016-06-05 Thread Volker Kuhlmann
On Fri 27 May 2016 04:53:12 NZST +1200, RB wrote:

> > http://seclists.org/fulldisclosure/2016/Jan/77
> >
> > http://seclists.org/fulldisclosure/2016/Mar/25
> 
> I see, but that has nothing to do with the security of the VLAN
> implementation, rather of the switch as a whole.

Uhhmm, very moot point. They can't even make a secure switch, how secure
their VLAN is becomes irrelevant. And the switch manufacturer couldn't
care less about fixing anything - what's your trust value in the VLAN
implementation? How different are other manufacturers?

> Nor does it mean we avoid using an entire technology because there
> "might" be vulnerabilities in what has otherwise remained a stable and
> useful paradigm for decades.

As "stable and useful" a paradigm as the Internet was before Snowden?

> The question of VLAN jumping remains open, in my mind.  An
> appropriate, well-configured switch fabric should have no problem

True - as you say, "should", but it's utopic. Which means reducing critical
firmware entirely increases security a lot. No matter where you buy your
VLAN, it doesn't come close to the security of an extra port on the
firewall you already trust. VLAN is just being lazy.

> vulnerabilities in its management software notwithstanding.

This is a laughable argument! You can only use the whole. You're arguing
it's safe to use a (potentially!) safe fragment of VLAN firmware that by
necessity is embedded in whatever management, of which you know it's a
piece of rubbish. I'm increasingly getting the impression that network
device manufacturers only ever fix anything if there is sufficient
public backlash to make it financially worth fixing - no other reason to
fix anything exists. The logical conclusion is that such "technology" is
unsafe.

VLAN switch with 100% open source firmware please...

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] USB3 to ethernet adaptor

2016-05-25 Thread Volker Kuhlmann
On Wed 04 May 2016 02:33:36 NZST +1200, WebDawg wrote:

> https://www.freebsd.org/releases/10.3R/hardware.html#usb

In my experience the freebsd supported-hardware list is pretty lousy,
both in terms of its length and of its quality. The fact that some piece
of HW is listed as supported does not mean that the driver will actually
work (kernel panics every few minutes for stuff listed as fully
supported!), let alone that the driver is available in pfsense.

I have used an adapter with AX88772A for 2y to connect a wifi AP and it
has been reliable, with pfsense 2.2.x. Only 100M but that was good
enough for me at the time. Really cheap too, US$12 shipped:

http://www.aliexpress.com/item/Free-shipping-New-USB-2-0-Ethernet-10-100Mbps-RJ45-Network-Lan-Adapter-Card-WinXP-PC/1121354645.html

The RTL8152 is complete rubbish on freebsd / pfsense 2.1, 2.2 (plug in
and go on Linux). Apparently the driver has been improved but I have not
yet retested.

Dunno MCS7832 based ones.

> ASIX Electronics AX88178A/AX88179 USB Gigabit Ethernet adapters (axge(4)

Thanks for that info! But the amaplonkers can't even ship that to New
Zealand, and it's still only USB2.0 thus aliexpress is a fraction of the
price, and they can actually ship it too.

> You would want USB 3.0 support if you want to support Gigabit speeds.  I
> never got to get that far into USB testing.

Despite the negativity, I'd be highly interested in hearing more about
these too. So far no-one has spoken up - who has tested one of these?
WHICH CHIPSET? (Only the chipset info matters, the manufacturer is
pretty much irrelevant.)


Regardless, there is one other problem with pfsense. If you pull the
adapter out, or it breaks, and you reboot, pfsense doesn't even boot any
longer. So on an APU board you go connect a serial cable and diddle
around with interface assignments, where pfsense decides to sit instead
of running with a missing interface. Quite a ridiculous design IMHO!

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Continuous crashes on a couple of 2.2.6 amd64

2016-02-21 Thread Volker Kuhlmann
On Thu 18 Feb 2016 03:11:48 NZDT +1300, Odette Nsaka wrote:

> All other pfsense I have (nanobsd, x86, amd64), all on version 2.2.6 are 
> working fine.

So all your pfsense boxes are working fine except for the one that
crashes?
Have you checked its hardware (memory, disk)?
Can you load its config onto different hardware and swap that into place
temporarily to see of the problems disappear?

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


[pfSense] transparent squid proxy

2016-04-24 Thread Volker Kuhlmann
I am finding that the transparent web proxy does not work - or to be
more precise, the transparent part works, the proxy part does not.

What IP filter rules do I have to add, and which must I not add?

My understanding of "transparent proxy" is that TCP connections to ports
80, 443 are forcefully routed through squid.

Also, if squid is not running I don't want it to be bypassed, I want the
connection to fail, so I am alerted to the problem. When squid is
stopped all connections seem to be passed though.

If I explicitly tell wget to use http://pfsense:3128 as proxy the
request does go through squid/squidguard. However I'd also like this to
be enforced.

pfsense 2.2.6, squid3

Thanks muchly,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Lightning strike

2016-07-26 Thread Volker Kuhlmann
On Tue 26 Jul 2016 09:41:37 NZST +1200, Karl Fife wrote:

> Interesting how it failed: The fried port 'simply' broke
> connectivity for the interface's LAN segment.  Everything else
> continued to work.  I kinda didn't believe the report that Internet
> was out for the one LAN, since the other was not.

I don't think this is that unusual or surprising. You get the same
effect if you plug in a real POTS line into an Ethernet port...

>  After some
> testing, I found the system would not come up after reboot because
> it had gone into port reassignment mode since the config made
> reference to a non-existent interface.

I find this really really annoying of pfsense! Especially for headless
systems. Hey, why run with only one interface and some functionality
missing when one can run with functionality of zero point zero instead?

> Can anyone tell me what's component is typically fried in this
> scenario?  Is it the NIC controller chip itself? I'm guessing it's
> not, rather I'm guessing it's just the big, blocky Ethernet
> Isolation transformer/amplifier that's been fried.

It is a safe bet that the Ethernet transformer (the "magnetics" part) is
fried. A fried transformer does not mean the Ethernet chip is OK; it is
possible to get the chip's I/O lines act as fuses (now blown) without
affecting adjacent I/O lines for other ports. It all depends on the
how much energy went in. Obviously it wasn't as much as to blow the
chip's top off, as in one of the slide photos!

It is actually hard to desolder multi-pin through-hole components. You can
attempt to cut surface mount pins one by one with a scalpel etc. Ensure
not to put mechanical strain on any other component!! Ideally, not on
the dead component either to reduce the risk of damaging PCB tracks.
Once the dead bit falls off, unsolder the pin remainders one by one.
Then solder a new component on with a steady hand. Remove any solder
bridges you manage to create before powering up... Spare transformers
are probably cheap, but you have to get an equivalent (functionality,
pin location) one.

After that, assuming you made no mistake, you may still have to replace
the Ethernet chip too. Dunno re ease of purchase and price.

The jack itself has no components that can blow, except for the LEDs.
They're not essential for functionality, worst case you disconnect them
if they have shorted.

You attempt all of this only after you have declared the unit a write
off, especially if you haven't done it before. You then have a unique
learning opportunity.

At all times you must ensure an electrostatic free environment and
observe all ESD protection rules, or you risk (invisibly!) destroying
other chips, or worse, damaging them so they go out of spec but at first
sight still "work".

Outsourcing is a possibility, but it may only be economic if the
Ethernet chip is OK.

HTH,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Wifi

2016-07-17 Thread Volker Kuhlmann
On Fri 15 Jul 2016 16:58:34 NZST +1200, Alexandre Paradis wrote:

> You could put a regular nic, then plug a regular home wifi router (with
> dhcp disabled) on one of the lan port.

This is probably the best bet. It makes the location of the AP (antenna
position) independent of the location of the pfsense hardware. Putting a
wifi card into a pfsense box has all sorts of problems, missing/useless
Freebsd wifi drivers being a big one.

It doesn't seem so easy to find a reliably good AP though, at least for a
reasonable budget. Vodafone New Zealand gave out Netcomm NP805N do-it-all
home rubbish^H^H^Hrouters. Yes you can disable dhcp on the wifi side,
but the thing is too dumb to forward wifi dhcp requests to pfsense so
Net-no-comm's only use is as a dust-collector.

I have a USB wifi AP running (Tenda W322U), well sort of.
pfsense/freebsd's driver isn't very good and doesn't run the hardware at
full speed (54M only). Then make sure the USB thingie is always plugged
in and doesn't fail, because if it isn't present, pfsense doesn't even
boot any more... so you can't even fix the rules or plug a new one in.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Lightning strike

2016-10-13 Thread Volker Kuhlmann
On Wed 27 Jul 2016 13:40:16 NZST +1200, Chris Buechler wrote:

> > I find this really really annoying of pfsense! Especially for headless
> > systems. Hey, why run with only one interface and some functionality
> > missing when one can run with functionality of zero point zero instead?
> 
> Because any fall back there is potentially unsafe. Say you have
> igb0-igb5, and igb2 dies. Now your igb3 is igb2, igb4 is igb3, etc.
> Any assumptions you make about what's correct are potentially
> dangerous, and likely to be wrong. We've had discussions around that
> in greater depth multiple times over the years. Any way you do it has
> edge case bugs, is dangerous and/or wouldn't be right anyway.

So the root cause of the problem is not to be able to bind pfsense
interfaces to ports (whether this is the OS's fault or not is not
something a user cares about).

In my case the USB interface runs the wifi. I can do without that
easily. But not getting access to pfsense on the LAN port on a headless
APU-4 because the USB dongle is unplugged, dead, or whatever and
therefore my wifi may be offline sure does look braindead to me. Sorry.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

2016-10-13 Thread Volker Kuhlmann
On Fri 14 Oct 2016 11:21:10 NZDT +1300, Jim Pingle wrote:

> There are no installers for 2.3.2-p1. You have to install 2.3.2 and
> update to patch 1 once it's installed.

Ah, I see, that's why pre-2.3.2 doesn't offer it as an update either.
I haven't noticed this situation having existed before, would it be
useful to mention it in the release note?

Thanks Jim,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Lightning strike

2016-10-13 Thread Volker Kuhlmann
On Fri 14 Oct 2016 11:25:12 NZDT +1300, Walter Parker wrote:

> Problem is that all of the current OS do this sort of renumbering (I'd have
> to check, but I think it could be a hardware/driver issue). IIRC Linux
> systems have had this sort of problem in even greater measure than the
> BSDs. The plug and play nature of USB has caused issues for most systems
> (drive letter changes on Windows, device name changes on Linux, even BSD
> has started doing this). The brain dead here is a problem that extends to the
> PC industry as a whole.

Totally with you there on PC industry intelligence!

> PFSense is subject bad decisions that were made
> decades ago by other companies without enough vision. The automapping ideas
> in hardware were not properly thought out and software didn't think it
> though either.

Sure, pfsense can do little about dumb OS things, and swapping
interfaces randomly is a major security problem. But pfsense could still
do much better. Does a disappearing USB interface renumber Ethernet
interfaces? Does a disappearing reX driver interface renumber the ueX
interfaces? I didn't think so, so it should be possible to remove those
that will/could be renumbered and run with the rest, without getting
surprises other than missing interfaces or failing to boot.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Lightning strike

2016-10-16 Thread Volker Kuhlmann
On Fri 14 Oct 2016 16:41:22 NZDT +1300, Jim Thompson wrote:

> > Does a disappearing reX driver interface renumber the ueX interfaces?
> 
> On FreeBSD?  no.  On a linux system?  Likely.

I am unsure whether that is still so for Linux, there seem to have been
changes there but I haven't looked at it as it's been inconsequential to
me. But pfsense runs on freebsd so linux behaviour has no relevance
here.

> Let's say you had one re(4) and two em(4) devices.   Let's assume for now
> you have:
> 
> em0: WAN
> em1: LAN
> re0:  OPT1
> 
> Case 0:
> em0 gets fried in such a way that it doesn't enumerate on the bus.  We are
> left with:
> em1: LAN
> re0: OPT1
> What should pfSense do in this instance?

Run! No change of interface assignments to ports. Ignore missing
interfaces. The way you are presenting this anyway.

> Case 1:
> em1 gets fried in such a way that it doesn't enumerate on the bus.  We are
> left with:
> em0: WAN
> re0: OPT1
> What should pfSense do in this instance?

Run with re0:OPT1 only. Ignore missing interfaces.

> Case 2:
> re0 gets fried in such a way that it doesn't enumerate on the bus.  We are
> left with:
> em0: WAN
> em1: LAN
> What should pfSense do in this instance?

Run. No change of interface assignments to ports. Ignore missing
interfaces.

> Case 3:
> pfSense is operating in a dual-WAN mode
> em0: WAN0
> em1: WAN1
> re0:  LAN
> 
> em0 gets fried in such a way that it doesn't enumerate on the bus.  We are
> left with:
> em1: WAN1
> re0:  LAN
> What should pfSense do in this instance?

Run with re0:LAN only. Ignore missing interfaces.

> Case 4:
> pfSense is operating in a dual-WAN mode
> em0: WAN0
> em1: WAN1
> re0:  LAN
> 
> em1 gets fried in such a way that it doesn't enumerate on the bus.  We are
> left with:
> em0: WAN0
> re0:  LAN
> What should pfSense do in this instance?

Run with re0:LAN only. Ignore missing interfaces.

> Case 5:
> pfSense is operating in a dual-WAN mode
> em0: WAN0
> em1: WAN1
> re0:  LAN
> 
> re0 gets fried in such a way that it doesn't enumerate on the bus.  We are
> left with:
> em0: WAN0
> em1: WAN1

Run with em0: WAN0, em1: WAN1 only. Ignore missing interfaces.

> Now let's say you have a 2440, with 4 igb(4) interfaces
> 
> igb0: WAN0
> igb1: WAN1
> igb2: LAN
> igb3: OPT1

All interfaces are igbX. No interfaces left that don't get shuffled
around. Stop.

All your remaining cases are the same.

> Now, having described the desired behavior for pfSense in each case,
> generalize an algorithm for up to 8 interfaces of
> the same device type, 8 different device types, or a mix of device types, that
> behaves correctly in each case.
> 
> Pseudo-code will do for now.

I had already given it in my previous email. It doesn't give improvement
in all cases, but in those which are safe. You'll need to store
user-chosen mappings of interfaces to ports. That's already done.

The current situation sucks. A user of a router appliance is not
primarily interested in why it sucks.

But Espen Johansen gave the solution: Don't touch primary OS-port names
or their braindead implementation. Create aliases based on MAC address.
Access port exclusively through alias name. Fix pfsense(!!) to keep
rules assigned to no interface accessible from the BUI, so the user can
manually re-assign them in bulk, instead of enforcing a click-me-stupid
orgy or XML file hacking. Aliases to emX, reX, igbX etc names are a
matter of today's intelligence in OS implementation. No more excuses for
decades old decisions. :-)

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
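As an added example, not code from the post or from pfSense, here is the MAC-based alias scheme described above in Python: roles are persisted against the NIC's MAC rather than the emX/reX/igbX name, a port that no longer enumerates is simply reported missing, and rules bound to it stay visible for bulk re-assignment. All MACs and the ifconfig output are constructed.

```python
# Added example (not pfSense code): bind each role to the NIC's MAC address,
# as proposed above, so a port that no longer enumerates, or an OS device name
# that shifts, never moves WAN/LAN/OPT onto the wrong port. All MAC addresses
# and the ifconfig output below are constructed.

# Stored role -> MAC mapping, as the config would persist it (constructed).
STORED_ASSIGNMENTS = {
    "WAN":  "00:11:22:33:44:01",
    "LAN":  "00:11:22:33:44:02",
    "OPT1": "00:11:22:33:44:03",
}

def parse_ifconfig(text):
    """Return {mac: device} from FreeBSD-style 'ifconfig' output."""
    macs, dev = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # "em0: flags=..." header line
            dev = line.split(":", 1)[0]
        elif dev and line.strip().startswith("ether "):
            macs[line.split()[1].lower()] = dev
    return macs

def resolve_assignments(stored, present):
    """Map each role to the device carrying its MAC; roles whose MAC is absent
    are reported as missing and left alone (run, ignore missing interfaces)."""
    active, missing = {}, []
    for role, mac in stored.items():
        dev = present.get(mac.lower())
        if dev is None:
            missing.append(role)
        else:
            active[role] = dev
    return active, missing

def orphaned_rules(rules, missing):
    """Rules bound to a missing role: keep them visible for bulk re-assignment
    rather than silently dropping them, as the post asks of the BUI."""
    return [r for r in rules if r["interface"] in missing]

# Case 0 from the thread: the WAN NIC is gone. Whatever name the OS now gives
# the surviving em(4) device (here it came up as em0), its MAC still says LAN.
IFCONFIG_CASE0 = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:02
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:03
"""
RULES = [{"interface": "WAN", "action": "pass"}, {"interface": "LAN", "action": "pass"}]
```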


Re: [pfSense] 3 hard locks this week... any ideas?

2016-10-16 Thread Volker Kuhlmann
On Fri 02 Sep 2016 13:33:35 NZST +1200, compdoc wrote:

> As for me, these days I install only SSDs in desktop systems that run
> 24/7, and also use them as boot drives for servers. Over the years I
> have had only one SSD fail, and it did show pending sectors in SMART.

That's not my observation with SSDs. Which SSD models do you use?
Or better, how do you select your SSDs? That'd be really good to know
from those doing well there.

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] 3 hard locks this week... any ideas?

2016-10-16 Thread Volker Kuhlmann
On Fri 02 Sep 2016 10:14:59 NZST +1200, Todd Russell wrote:

> I will just run level 2 SpinRite on the SSD to force the drive to read
> every spot, which should trigger the error correction if that is happening.

Ehh, you use what for that? Toss spinrite into the bit bucket as
suggested. Log into your pfsense (or any unix!), obtain root
privileges, and run
  dd bs=16k if=/dev/yourdisk of=/dev/null

Use what you have!! Why install extra cr^H^H^Hstuff? dd *always* works
as expected. Change buffer size as you see fit, and add an option to
prevent block buffering (if supported by bsd and if it works like
linux).

> plenty experience with that scourge.  :/  I did use the diagnostics in the
> web gui to check the SMART info and it didn't say anything out of the
> ordinary, but I have seen at least 2 Samsung SSDs over the years lose data
> with no warning and no errors in SMART.

The SMART info is effectively a status collected over time. Sectors going
bad without detectable warning by necessity don't give SMART a chance.
Ditto disks that fail suddenly and catastrophically. SMART is not a
fix-all, but it is very very useful in many cases.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-12 Thread Volker Kuhlmann
On Tue 09 May 2017 23:14:37 NZST +1200, José Gregorio Díaz Unda wrote:

> It looks like I should use PFS only as a firewall and DNS resolver, and
> setup independently DHCP and Squid.

The DHCP server in pfsense is very good. With squid and squidguard I am
less than impressed. It is more secure to run a web proxy on a different
host than the firewall. If you want MITM filtering, pfsense is probably
the easiest to set up because theoretically it's only a few clicks. I
think there was a package for getting letsencrypt certs, if you trust
them, you don't then need to import certs into all your clients. 

> May be Squid/Squidguard in a "solo-mode" are less complex to setup to
> filter SSL. Or I should find a different alternative for Proxy/SSLFiltering.

The best choice depends on what you want. The pfsense squidguard
interface is not a time saver; some short strategic scripts in your own
setup will probably be way faster in the long run.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread Volker Kuhlmann
On Tue 09 May 2017 03:34:06 NZST +1200, José Gregorio Díaz Unda wrote:

> Has somebody setup well SSL Filtering in PFSense?

Yes, or at least I tried to.

Because there are substantial problems with MITM methods I tried simpler
URL filtering. It looks like that'd be sufficient for you.

Configure browsers with an appropriate proxy script to use pfsense:3128
for both http and https as proxy. Squidguard can only filter on the host
part of the URL for https, because the rest is hidden by ssl.

Transparent mode is a disappointment, because it does not ensure traffic
goes through squid/squidguard, as you observed. Pfsense is also
fail-unsafe(!) - any issue with squid or squidguard bypasses the proxy,
disabling all filtering, which I find rather unsatisfactory. Or whatever
the exact reason is some traffic bypasses squid/squidguard, I haven't
found it yet. Turning transparency off and inserting a block rule for
direct http/https seems to be safest.

Also, squid bypasses squidguard when it detects a malfunction with it -
OK for a cache, pretty much no good for a filtering proxy implementing
policies.

There are bugs in the handling of filter expressions in squidguard,
allowing some URLs to pass that should be blocked! Plus the SG config
file generation in pfsense is broken (creates illegal/non-functional
configs), but no-one was interested in fixing it although I submitted a
patch years ago.

It'd also be handy if pfsense was able to serve the browser proxy script
and squidguard error pages, but in the desirable configuration it's not,
though serving the error pages does seem to work partially anyway.

HTH,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-12 Thread Volker Kuhlmann
On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:

> This is useful to filter facebook, twitter, gmail and other HTTPS sites,
> just taking into account the URL ??? What can't I block for example ???

Look at squidguard rules - they're in 3 sections: hosts only, URLs, and
general regexp. With http all 3 of them work (within the bugginess of
squidguard and pfsense anyway).

With https the URL is encrypted, except for the host name part. I.e. the
SSL connection to the server is established on the host part only, and
the client sends the full URL only over the SSL connection once
established.

So you have 2 options for https:

1) Full MITM attack, requiring client cert installs on all clients so
that the clients establish encrypted connections with the key of your
attack server (aka firewall) instead, and you have a chance of
inspecting the content.

2) Inspect on host name only, that part is not encrypted.

As everything is moving to http it's becoming seriously difficult to use
squidguard as outgoing filter to get rid of all the shitvertising and
privacy invading user tracking rubbish (which wastes my time, bandwidth
and money for absolutely zero gain to me).

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.
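As an added example, not code from the posts or from squid/squidGuard, here is a minimal parser for the one clear-text part of an https connection, the TLS ClientHello, showing that the SNI host name is all a non-MITM filter ever sees of the URL. It illustrates both the host-only https filtering in the 2017-05-08 post above and option 2 in this one; the message bytes are constructed.

```python
# Added example (not squid/squidGuard/pfSense code): the only clear-text part of
# an https request is the TLS ClientHello, and the only URL-related field in it
# is the SNI host name; path and query travel inside the encrypted tunnel.
# All message bytes are constructed.
import struct

def build_client_hello(host):
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = host.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    sni_ext = struct.pack("!HH", 0, len(sni_data)) + sni_data   # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32                 # version, random (constructed)
            + b"\x00"                                  # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                              # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                     # headers, version, random
    p += 1 + record[p]                                 # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                                 # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:                              # server_name
            # list length(2), name type(1), name length(2), name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += ext_len
    return None

def host_only_decision(record, blocked_hosts):
    """What a non-MITM filter can do: act on the SNI host, never on the path."""
    host = extract_sni(record)
    return "block" if host in blocked_hosts else "pass"
```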


Re: [pfSense] Port forwards don't work on one machine

2018-02-14 Thread Volker Kuhlmann
On Tue 13 Feb 2018 10:09:41 NZDT +1300, Marco wrote:

> I'm not really used to debugging with pfSense, especially the
> logging features. What's the best way to check if that packet is
> blocked by pfSense somehow?

Rules only log when the logging flag is ticked. Even then I dislike
relying on rules always logging when I need them to.

I'd suggest you use the packet capture function of pfsense. Limit to the
port(s) in question and it shows the traversing packets. It's reliable.
Run it on the pfsense interface connected to your server.

The symptoms you describe (pfsense can see the server, a WAN host can't)
could be explained by a messed up routing table on the server. The
server can send packets back to the pfsense box because that IP is on
its own interface's IP space as far as the server is concerned, but any
WAN host would hit the server's gateway setting - if that is absent or
wrong the server reply goes nowhere.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.