Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
The last version from 2.3.x is 2.3.5; you can stick with the latter, or you can test the 2.4.2 upgrade.

On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen wrote:
> just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> known issues?
>
> it's not so complex setup, but running as our hq main firewall. so, some
> ipsec and openvpn connections are running against it.
>
> Eero

--
LIving the dream...
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
[pfSense] SquidGuard Allow facebook/company url only?
Hi.

I'm trying to figure out how to allow our users to access just the Facebook company site: www.facebook.com/My-Company/

I added the URL above in Target Categories and selected the target as whitelist for our users, but SG is not accepting my URL. I have tried different inputs like www, .facebook, and different settings, but checking the squid log I got this:

    ERROR: URL-rewrite produces invalid request: GET ERR HTTP/1.1

In my SG log I had this:

    facebook.com:443 Request(RH/blk_BL_socialnet/-) equezada CONNECT REDIRECT

For some reason my Target Whitelist is not working, because SG jumps to the socialnet block and that's it, it blocks our users.

    RH {
        pass FB whitelist !in-addr !blk_BL_anonvpn !blk_BL_porn !blk_BL_socialnet blk_BL_searchengines all
        redirect http://192.168.100.2:80/sgerror.php?url=403%20Sitio%20Prohibido%20para%20el%20departamento%20de%20RH=%a=%n=%i=%s=%t=%u
        log block.log
    }

We don't want them to access social sites, just our company site inside Facebook. Is it possible? Pfsense 2.3.5, thanks.

--
LIving the dream...
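Added example, not part of the original post: the SquidGuard log line above records the request as `CONNECT` to `facebook.com:443`, and a tunnelled HTTPS request reaches the URL filter with host and port only, never the path. The sketch below parses that log line and checks whitelist entries against what the filter can see; the matching rules are a simplified model (an assumption, not SquidGuard's own algorithm), and the function names and the `example.org` entry are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Layout of the SquidGuard log line quoted in the post:
#   <target> Request(<acl>/<category>/-) <user> <method> <action>
LOG_RE = re.compile(
    r"^(?P<target>\S+) Request\((?P<acl>[^/]+)/(?P<category>[^/]+)/[^)]*\) "
    r"(?P<user>\S+) (?P<method>[A-Z]+) (?P<action>\S+)$"
)

def parse_sg_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def visible_parts(method, target):
    """Return (host, path) as a URL filter sees them.

    A tunnelled HTTPS request arrives as CONNECT host:port; the path is
    sent later inside TLS, so the filter gets path=None.
    """
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower(), None
    parts = urlsplit(target if "://" in target else "http://" + target)
    return (parts.hostname or "").lower(), (parts.path or "/").lower()

def _bare(host):
    return host[4:] if host.startswith("www.") else host

def entry_matches(entry, method, target):
    """Simplified matching model (assumption, not SquidGuard's algorithm):
    a domain entry matches the host and its subdomains; an entry with a
    path additionally needs a visible path that starts with it."""
    host, path = visible_parts(method, target)
    e_host, sep, e_path = entry.lower().partition("/")
    host, e_host = _bare(host), _bare(e_host)
    host_ok = host == e_host or host.endswith("." + e_host)
    if not sep:                      # domain-only entry
        return host_ok
    if path is None:                 # CONNECT: no path to compare against
        return False
    return host_ok and path.startswith("/" + e_path.rstrip("/"))

def whitelist_hits(log_line, entries):
    """Return the whitelist entries that can match the logged request."""
    rec = parse_sg_line(log_line)
    if rec is None:
        return []
    return [e for e in entries if entry_matches(e, rec["method"], rec["target"])]

# Log line from the post; the whitelist entries are constructed samples.
LOGGED = "facebook.com:443 Request(RH/blk_BL_socialnet/-) equezada CONNECT REDIRECT"
WHITELIST = ["www.facebook.com/My-Company/", "example.org"]

if __name__ == "__main__":
    print(whitelist_hits(LOGGED, WHITELIST))   # no entry matches the CONNECT
```

In this model the path entry matches only when the request reaches the filter with its path visible; a domain-only entry would match the CONNECT, but it covers the whole site rather than one page.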
[pfSense] Voucher system inside FreeRadius?
Hi.

I'm working with CP. For the voucher system, can this info be generated with FRadius2 and saved in a DB like MySQL? The idea is to go enterprise, +500 users. Is someone doing this now with the current voucher system, with or without fradius? Running pfsense 2.1.4.

--
LIving the dream...
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
[pfSense] Per-user bandwidth restriction by voucher roll?
Hi.

Is it possible to set up per-user bandwidth restriction by voucher roll? Maybe I want to sell 7-day vouchers for VIP users and others with normal bandwidth.

Thanks.

--
LIving the dream...
Re: [pfSense] Per-user bandwidth restriction by voucher roll?
On Fri, Jul 11, 2014 at 9:24 AM, A Mohan Rao mohanra...@gmail.com wrote:
> With captive portal it works good. There you can very easily set bandwidth per user through MAC binding.
>
> Thanks
> Mohan Rao
>
> On Jul 11, 2014 9:50 PM, Alberto Moreno ports...@gmail.com wrote:
>> Hi. Is it possible to set up per-user bandwidth restriction by voucher roll? Maybe I want to sell 7-day vouchers for VIP users and others with normal bandwidth. Thanks.

In a hotel, for example, it is impossible to manage MACs. Don't you think?

--
LIving the dream...
Re: [pfSense] Per-user bandwidth restriction by voucher roll?
On Fri, Jul 11, 2014 at 9:52 AM, A Mohan Rao mohanra...@gmail.com wrote:
> So you can use traffic shaping!
>
> On Jul 11, 2014 10:11 PM, Alberto Moreno ports...@gmail.com wrote:
>> On Fri, Jul 11, 2014 at 9:24 AM, A Mohan Rao mohanra...@gmail.com wrote:
>>> With captive portal it works good. There you can very easily set bandwidth per user through MAC binding.
>>>
>>> Thanks
>>> Mohan Rao
>>>
>>> On Jul 11, 2014 9:50 PM, Alberto Moreno ports...@gmail.com wrote:
>>>> Hi. Is it possible to set up per-user bandwidth restriction by voucher roll? Maybe I want to sell 7-day vouchers for VIP users and others with normal bandwidth. Thanks.
>>
>> In a hotel, for example, it is impossible to manage MACs. Don't you think?

A more complex setup. If this works for general CP, maybe we can do something to make it work by voucher; that will be a good bonus...

--
LIving the dream...
[pfSense] traffic shaping doubts about floating rules?
Once we set up TS on pfsense (2.1.3), the wizard creates some floating rules. Now, we have the option in firewall-rules-LAN to create our rule and specify if we want to use some Ackqueue/Queue/

What difference is there if we set it up here or with floating rules? And what is the meaning of those fields?

Thanks.

--
LIving the dream...
Re: [pfSense] captive portal https any success?
I finally made this work. Squid helped me: most sites that use https, like paypal.com, don't have just 1 domain; once you get connected you see a lot of domains/IPs that appear related to the domain. I just started adding them to Allowed IP or Allowed hostname. Some of them work with IP, others with hostnames, others need both. But it is working, thanks!!!

On Tue, Jul 23, 2013 at 5:30 PM, Alberto Moreno ports...@gmail.com wrote:
> Hi Chris. When you say certificate errors, you mean that ugly message that appears in the browser when you access sites with certificates not registered? It will be great to see this working; maybe for me it is not a problem, if it works. Wondering how other open/commercial products handle this? Thanks Chris.
>
> On Tue, Jul 23, 2013 at 4:55 PM, Chris L c...@viptalk.net wrote:
>> On Jul 23, 2013, at 9:19 AM, Alberto Moreno ports...@gmail.com wrote:
>>> Just wondering. I'm running pfsense 2.0.3; does anyone have any success story with pfsense and https pages like https://facebook.com? I want to allow under CP some pages without auth, like facebook and others. But you know that fb changed to https://, and once a user types facebook the browser points to https://, which is good, but the browser won't load the page. You see the pfsense logs and you see the connection, but that is all. The long story is that pfsense CP does not allow that because the developers need to do a hack; that is what I understand, I'm not a developer. Has someone been able to allow fb without auth under pfsense? Does only pfsense suffer from this, or is it general for other products? Has someone tried to fix this? Thanks.
>>
>> It's not that a hack is necessary. Nobody can redirect an https page to a captive portal signon without the user being presented with certificate errors. At least not without a lot of https proxying and a root certificate installed in the client browser.

--
LIving the dream...
[pfSense] captive portal https any success?
Just wondering. I'm running pfsense 2.0.3; does anyone have any success story with pfsense and https pages like https://facebook.com?

I want to allow under CP some pages without auth, like facebook and others. But you know that fb changed to https://, and once a user types facebook the browser points to https://, which is good, but the browser won't load the page. You see the pfsense logs and you see the connection, but that is all.

The long story is that pfsense CP does not allow that because the developers need to do a hack; that is what I understand, I'm not a developer.

Has someone been able to allow fb without auth under pfsense? Does only pfsense suffer from this, or is it general for other products? Has someone tried to fix this?

Thanks.

--
LIving the dream...
Re: [pfSense] captive portal https any success?
Hi Chris.

When you say certificate errors, you mean that ugly message that appears in the browser when you access sites with certificates not registered? It will be great to see this working; maybe for me it is not a problem, if it works. Wondering how other open/commercial products handle this?

Thanks Chris.

On Tue, Jul 23, 2013 at 4:55 PM, Chris L c...@viptalk.net wrote:
> On Jul 23, 2013, at 9:19 AM, Alberto Moreno ports...@gmail.com wrote:
>> Just wondering. I'm running pfsense 2.0.3; does anyone have any success story with pfsense and https pages like https://facebook.com? I want to allow under CP some pages without auth, like facebook and others. But you know that fb changed to https://, and once a user types facebook the browser points to https://, which is good, but the browser won't load the page. You see the pfsense logs and you see the connection, but that is all. The long story is that pfsense CP does not allow that because the developers need to do a hack; that is what I understand, I'm not a developer. Has someone been able to allow fb without auth under pfsense? Does only pfsense suffer from this, or is it general for other products? Has someone tried to fix this? Thanks.
>
> It's not that a hack is necessary. Nobody can redirect an https page to a captive portal signon without the user being presented with certificate errors. At least not without a lot of https proxying and a root certificate installed in the client browser.

--
LIving the dream...
Re: [pfSense] Captive Portal+Freeradius2, Amount Of Time not working.
I set up a CentOS box running 5.x with freeradius, I set up freeradius for the user time stuff, I set up pfsense-CP and pointed it to this machine, I started my test and... failed. The same issue, the counter is not doing its job. Now, could this be related to the pfsense-cp module or freeradius?

On Sat, Nov 3, 2012 at 10:36 AM, Alberto Moreno ports...@gmail.com wrote:
> Hi. It is enabled!!!
>
> On Fri, Nov 2, 2012 at 6:53 AM, Ermal Luçi ermal.l...@gmail.com wrote:
>> On Thu, Nov 1, 2012 at 6:17 AM, Alberto Moreno ports...@gmail.com wrote:
>>> Hi. I have been trying to figure out how to set up pfsense 2.0.1 captive portal+freeradius2; I want to enable the Amount of Time feature. I have read the doc about this, but maybe I missed something. The thing is that if I test in the console I can see FreeRADIUS giving me the right info. What is the problem?
>>
>> From what I see you fail to enable radius session-timeout (Use radius session timeout attribute) on the CP config page.
>>
>>> When I add a user, example:
>>>
>>>     user1 psw1 Amount of Time=15
>>>     user2 psw2 Amount of Time=3
>>>     user3 psw3 Amount of Time=20
>>>
>>> CP always closes the connection before time, check the logs:
>>>
>>>     20:14:12 20:19:41 user1 real time: 5 minutes
>>>     20:30:30 20:33:00 user2 real time: 3 minutes
>>>     20:35:28 20:42:16 user3 real time: 7 minutes
>>>
>>> You can see the problem. Now, let's see the FR2 user settings:
>>>
>>>     user1 Cleartext-Password := psw1, Max-Daily-Session := 900
>>>     user2 Cleartext-Password := psw2, Max-Daily-Session := 180
>>>     user3 Cleartext-Password := psw3, Max-Daily-Session := 1200
>>>
>>> I have tested each user with radtest and I see my settings are good, check:
>>>
>>>     radtest user1 user1 172.16.1.1 100 secret
>>>     Sending Access-Request of id 48 to 172.16.1.1 port 1812
>>>         User-Name = user1
>>>         User-Password = psw1
>>>         NAS-IP-Address = 192.168.50.1
>>>         NAS-Port = 100
>>>         Message-Authenticator = 0x
>>>     rad_recv: Access-Accept packet from host 172.16.1.1 port 1812, id=48, length=26
>>>         Session-Timeout = 900
>>>
>>> Looks good, right?
Re: [pfSense] Captive Portal+Freeradius2, Amount Of Time not working.
Hi. It is enabled!!!

On Fri, Nov 2, 2012 at 6:53 AM, Ermal Luçi ermal.l...@gmail.com wrote:
> On Thu, Nov 1, 2012 at 6:17 AM, Alberto Moreno ports...@gmail.com wrote:
>> Hi. I have been trying to figure out how to set up pfsense 2.0.1 captive portal+freeradius2; I want to enable the Amount of Time feature. I have read the doc about this, but maybe I missed something. The thing is that if I test in the console I can see FreeRADIUS giving me the right info. What is the problem?
>
> From what I see you fail to enable radius session-timeout (Use radius session timeout attribute) on the CP config page.
>
>> When I add a user, example:
>>
>>     user1 psw1 Amount of Time=15
>>     user2 psw2 Amount of Time=3
>>     user3 psw3 Amount of Time=20
>>
>> CP always closes the connection before time, check the logs:
>>
>>     20:14:12 20:19:41 user1 real time: 5 minutes
>>     20:30:30 20:33:00 user2 real time: 3 minutes
>>     20:35:28 20:42:16 user3 real time: 7 minutes
>>
>> You can see the problem. Now, let's see the FR2 user settings:
>>
>>     user1 Cleartext-Password := psw1, Max-Daily-Session := 900
>>     user2 Cleartext-Password := psw2, Max-Daily-Session := 180
>>     user3 Cleartext-Password := psw3, Max-Daily-Session := 1200
>>
>> I have tested each user with radtest and I see my settings are good, check:
>>
>>     radtest user1 user1 172.16.1.1 100 secret
>>     Sending Access-Request of id 48 to 172.16.1.1 port 1812
>>         User-Name = user1
>>         User-Password = psw1
>>         NAS-IP-Address = 192.168.50.1
>>         NAS-Port = 100
>>         Message-Authenticator = 0x
>>     rad_recv: Access-Accept packet from host 172.16.1.1 port 1812, id=48, length=26
>>         Session-Timeout = 900
>>
>> Looks good, right?
>>
>> This is my radiusd.conf:
>>
>> /usr/local/etc/raddb/radiusd.conf
>>
>>     prefix = /usr/local
>>     exec_prefix = ${prefix}
>>     sysconfdir = ${prefix}/etc
>>     localstatedir = /var
>>     sbindir = ${exec_prefix}/sbin
>>     logdir = ${localstatedir}/log
>>     raddbdir = ${sysconfdir}/raddb
>>     radacctdir = ${logdir}/radacct
>>     confdir = ${raddbdir}
>>     run_dir = ${localstatedir}/run
>>     libdir = ${exec_prefix}/lib/freeradius-2.1.12
>>     pidfile = ${run_dir}/radiusd.pid
>>     db_dir = ${raddbdir}
>>     name = radiusd
>>     #chroot = /path/to/chroot/directory
>>     #user = freeradius
>>     #group = freeradius
>>
>>     ###
>>     ### Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x ###
>>     ### delete_blocked_requests = no ###
>>     ### usercollide = no ###
>>     ### lower_user = no ###
>>     ### lower_pass = no ###
>>     ### nospace_user = no ###
>>     ### nospace_pass = no ###
>>     ###
>>
>>     max_request_time = 30
>>     cleanup_delay = 5
>>     max_requests = 1024
>>     hostname_lookups = no
>>     allow_core_dumps = no
>>     regular_expressions = yes
>>     extended_expressions = yes
>>
>>     listen {
>>         type = auth
>>         ipaddr = 172.16.1.1
>>         port = 1812
>>     }
>>
>>     listen {
>>         type = acct
>>         ipaddr = 172.16.1.1
>>         port = 1813
>>     }
>>
>>     log {
>>         destination = syslog
>>         file = ${logdir}/radius.log
>>         syslog_facility = daemon
>>         stripped_names = no
>>         auth = yes
>>         auth_badpass = yes
>>         auth_goodpass = yes
>>         msg_goodpass =
>>         msg_badpass =
>>     }
>>
>>     checkrad = ${sbindir}/checkrad
>>
>>     security {
>>         max_attributes = 200
>>         reject_delay = 1
>>         status_server = no
>>     }
>>
>>     ### disable proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
>>     #proxy_requests = yes
>>     #$INCLUDE proxy.conf
>>     $INCLUDE clients.conf
>>
>>     thread pool {
>>         start_servers = 5
>>         max_servers = 32
>>         min_spare_servers = 3
>>         max_spare_servers = 10
>>         max_queue_size = 65536
>>         max_requests_per_server = 0
>>     }
>>
>>     modules {
>>         $INCLUDE ${confdir}/modules/
>>         $INCLUDE eap.conf
>>         ### Dis-/Enable sql.conf INCLUDE
>>         #$INCLUDE sql.conf
>>         ### Dis-/Enable sql/mysql/counter.conf INCLUDE
>>         #$INCLUDE sql/mysql/counter.conf
>>         #$INCLUDE sqlippool.conf
>>     }
>>
>>     instantiate {
>>         exec
>>         expr
>>         daily
>>         weekly
>>         monthly
>>         forever
>>         expiration
>>         logintime
>>         ### Dis-/Enable sql instantiate
>>         #sql
>>     }
>>
>>     $INCLUDE policy.conf
>>     $INCLUDE sites-enabled/
>>
>> Clients.conf
>>
>> /usr/local/etc/raddb/clients.conf
>>
>>     client cp {
>>         ipaddr = 172.16.1.1
>>         proto = udp
>>         secret = secret-key
>>         require_message_authenticator = no
>>         max_connections = 16
>>         shortname = cp
>>         nastype = other
>>         ### login = !root ###
>>         ### password = someadminpass ###
>>     }
>>
>> You have seen the users config file. For the GUI I will add the images of the screens. Any tip, please let me know; I appreciate your time, thanks!!!
>>
>> --
>> LIving the dream