Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Alex Threlfall
They may be hard-coded to look at only their own CA to prevent MitM attacks,
or use their own certificate store (for a similar behaviour).

Alex.

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto Carna
> Sent: 06 February 2018 13:32
> To: pfSense Support and Discussion Mailing List
> Subject: [pfSense] Squid transparent with SSL interception - CA certificate problem
> 
> People, I've set up a transparent Squid proxy for WiFi clients. I'm using SSL
> interception so I had to generate a CA private certificate (generated from the
> pfSense certificate manager tab).
> 
> But when I add this CA private certificate to several Android and iPhone
> devices in order to proxify and filter SSL applications, some of the Android
> devices don't work correctly: Facebook and Instagram don't load the profiles
> and Mercadolibre doesn't open the menu. On the other Android and iPhone
> devices, everything works OK.
> 
> Can this problem be related to the CA certificate (maybe I have to use a given
> digest algorithm and key length) or is this an Android intrinsic problem
> depending on OS version?
> 
> Thanks a lot.
> 
> ROBERT
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold



Re: [pfSense] pfSense virtualisation

2017-10-11 Thread Alex Threlfall
Or have appropriate OOB access to the hypervisor via an iDRAC or similar.

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Watson Kamanga
> Sent: 11 October 2017 14:11
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] pfSense virtualisation
> 
> Same here, always have your hypervisor on the switch/router gateway and
> not on the firewall.
> 
> Regards
> 
> Watson.
> 
> On 10/11/17, 3:02 PM, "List on behalf of Rafael Aquino" <list-boun...@lists.pfsense.org on behalf of raf...@lk6.com.br> wrote:
> 
> Hi there...
> 
> I run pfsense on ESXi and even on BHYVE. Works perfectly.
> 
> But I enforce what was already said: You need to have another way to
> access your environment besides the firewall.
> 
> Best regards!!!
> 
> Rafael Aquino
> LK6 - www.lk6.com.br
> 
> 
> 
> - Original Message -
> > From: "Randy Bush" 
> > To: "Daniel" 
> > Cc: "pfSense Support and Discussion Mailing List"

> > Sent: Wednesday, 11 October 2017 2:49:42
> > Subject: Re: [pfSense] pfSense virtualisation
> 
> > fwiw, i run pfsense as a firewall on ganeti/kvm.
> >
> > randy


Re: [pfSense] pfSense Routing - VPN's

2014-05-18 Thread Alex Threlfall
Interesting, we're not using OpenVPN at present, just the built-in IPsec
stuff in pfSense, what benefits are there in switching to OpenVPN?

So our main branch is say 10.0.4.0, and the other branches are 10.0.5.0,
10.0.7.0, 10.0.2.0 and 10.0.3.0, all /24s - would using this methodology
require me to re-IP the main branch?

--
Alex Threlfall
Cyberprog New Media
www.cyberprog.net


 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
 Sent: 16 May 2014 07:55
 To: pfSense Support and Discussion Mailing List
 Subject: Re: [pfSense] pfSense Routing - VPN's
 
 This is exactly what we do.
 
 We make the hub the OpenVPN server, and the spokes the clients because
 the hub IP is static, and we can manage all of the OpenVPN listeners on one
 instance.
 
 If your whole network is a /16, and each spoke is a /24, all you need is a route
 directive on each of the spokes for the entire /16. In OpenVPN Advanced:
 route 192.168.0.0 255.255.0.0;
 
 You don't need any routing directives on the 'hub' because the addition of
 each connection will take care of that.
 
 With respect to rules:
 We find it best to make the first rule on the hub's OpenVPN interface this:
 Any source/port NOT destined for THIS hub subnet is allowed to pass. That
 way each branch can manage their ingress policy privately because the hub
 will just route anything not destined for its subnet.
 
 We also find it best to set up DNS forwarders to the spoke networks, i.e.
 Hub: mybranch.mycompany.com DNS dips are at 192.168.11.1. Spokes can
 dip the hub if so configured, which can in turn dip OTHER spokes if so
 configured. Inverse lookups work too. For example, add a DNS forwarder of
 10.168.192.in-addr.arpa to allow inverse lookups in the spoke in the subnet
 192.168.10.0/24.
 
 It's been rock-solid for many years now!
 
 Good luck.
 
 On 5/16/2014 1:16 AM, A Mohan Rao wrote:
 
   It's very simple! First you have to configure a main site-to-site VPN
   server at your main branch, then you can easily configure A, B, C etc.
   with a shared key and tunnel network.
 
   On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall a...@cyberprog.net wrote:
 
   Hi All,
 
   I currently have a number of sites which have VPNs between them, with each
   site having a VPN to one another. This is becoming harder to manage, we
   currently have 5 sites, (6 if you include my home) and it would make sense
   to me to adopt more of a star architecture with a central site.
 
   However, I can't work out how to configure this! Each site has its own /24
   of private address, and I have a central branch. How can I configure things
   so that if branch B needs to get to branch C, it knows that it must go via
   branch A?
 
   Branch A has the best connectivity - bonded FTTCs, so would make sense as
   well as it being our hub branch for the stock control system also.
 
   Any advice would be appreciated!
 
   --
   Alex Threlfall
   Cyberprog New Media
   www.cyberprog.net
 




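As an added example that is not part of the thread, a small Python model of the hub-and-spoke pieces Karl describes: the single summary route each spoke needs (applied to the 10.0.x.0/24 branches Alex lists), the hub's "pass anything not for this subnet" first rule, and the in-addr.arpa zone for a spoke's DNS forwarder. The hub subnet 192.168.1.0/24 and the sample destination addresses are constructed values.

```python
import ipaddress

# Added example, not from the thread; hub subnet and sample destinations are constructed.

def summary_route(subnets):
    """Smallest network covering every given subnet; a single OpenVPN
    'route' for this block on each spoke sends all branch traffic via the hub."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Shorten the prefix until one block spans the lowest and highest address.
    for prefixlen in range(max(n.prefixlen for n in nets), -1, -1):
        block = ipaddress.ip_network(f"{first}/{prefixlen}", strict=False)
        if last in block:
            return block
    raise ValueError("no covering network")

def openvpn_route(net):
    """OpenVPN 'route <network> <netmask>;' directive for a block."""
    net = ipaddress.ip_network(net)
    return f"route {net.network_address} {net.netmask};"

def hub_first_rule(hub_subnet, dst):
    """Karl's first rule on the hub's OpenVPN interface: anything not destined
    for the hub's own subnet passes (the hub just routes it on); traffic for
    the hub itself falls through to the hub's own ingress rules."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(hub_subnet):
        return "evaluate hub ingress rules"
    return "pass"

def reverse_zone(subnet):
    """in-addr.arpa zone for a /24 spoke, for the per-spoke DNS forwarder."""
    net = ipaddress.ip_network(subnet)
    if net.prefixlen != 24:
        raise ValueError("only /24 spokes handled here")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"

if __name__ == "__main__":
    # Karl's layout: one /16 for the company, a /24 per spoke.
    print(openvpn_route("192.168.0.0/16"))      # route 192.168.0.0 255.255.0.0;
    print(reverse_zone("192.168.10.0/24"))      # 10.168.192.in-addr.arpa
    # Alex's branches all fit in 10.0.0.0/21, so one route for that block
    # on each spoke covers them with the existing addressing.
    alex = ["10.0.4.0/24", "10.0.5.0/24", "10.0.7.0/24", "10.0.2.0/24", "10.0.3.0/24"]
    print(openvpn_route(summary_route(alex)))   # route 10.0.0.0 255.255.248.0;
    # Constructed hub subnet 192.168.1.0/24 and destinations.
    print(hub_first_rule("192.168.1.0/24", "192.168.11.50"))  # pass
    print(hub_first_rule("192.168.1.0/24", "192.168.1.10"))   # evaluate hub ingress rules
```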

[pfSense] pfSense Routing - VPN's

2014-05-15 Thread Alex Threlfall
Hi All,

I currently have a number of sites which have VPNs between them, with each
site having a VPN to one another. This is becoming harder to manage, we
currently have 5 sites, (6 if you include my home) and it would make sense to
me to adopt more of a star architecture with a central site.

However, I can't work out how to configure this! Each site has its own /24 of
private address, and I have a central branch. How can I configure things so
that if branch B needs to get to branch C, it knows that it must go via
branch A?

Branch A has the best connectivity - bonded FTTCs, so would make sense as well
as it being our hub branch for the stock control system also.

Any advice would be appreciated!

--
Alex Threlfall
Cyberprog New Media
www.cyberprog.net
