[pfSense] Is this a state of the art DNS Resolver setup?

2018-05-25 Thread Antonio
Hi folks,

I came across this post
https://airvpn.org/topic/27460-opinion-best-solution-against-dns-leak-on-pfsense/
which provides what I think (although I'm no expert here) is an elegant
solution for those that have VPNs set up on pfSense.

The reason being that:

a) it prevents DNS leaks

b) it doesn't forward DNS requests over the VPN tunnel and keeps DNS
requests closed to indiscreet eyes


However, the last post (go558a83nk) on the thread may have a
point about distance to the CDN?

What are your thoughts?


-- 


Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Diagnosing DNS Resolver SERVFAIL issues

2018-05-24 Thread Antonio
Hi,

I've been happily using the "Outgoing Network Interfaces" set to my VPN
interface to prevent DNS leaks and it's been working pretty well until
today when all of a sudden it stopped resolving DNS requests. In fact:


[fri may25, 03:04 ][user@1:~]nslookup www.google.com
Server: 192.168.2.1
Address:    192.168.2.1#53

** server can't find www.google.com: SERVFAIL


192.168.2.1 is my pfSense box hooked to a DSL modem. As soon as I set
"Outgoing Network Interfaces" to my WAN, then it all works again.
However, this means that although my traffic is carried through the VPN, the
DNS Resolver is routing requests via the ISP instead of the VPN. I don't
understand how all of a sudden the VPN server stopped allowing DNS
requests to be passed from my pfSense machine. Does this seem plausible
and how do you think I can diagnose this? There is no way I can get unbound
to work unless I set "Outgoing Network Interfaces" to WAN. This was not
the case until yesterday.

Any clues?

Thanks



[pfSense] Introducing flexibility of traffic routing when VPN is configured

2018-05-24 Thread Antonio
Hi,

a while ago I successfully managed to set up a VPN connection on pfSense. It
was a great success as it took me a while to get it working. I followed
the guide here:
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/#additional.

I have a wired network on 192.168.0.0 where I have my desktop and other
wired devices. Then I have a wireless network 192.168.1.0 where an access
point is connected to the pfSense router.

Now, with time, I've realised that it's not very flexible in that I'm
having to manually disable rules etc. to get things working and then
re-activate them to switch usage. I want to make things a bit more
flexible without losing functionality.

In the above guide, under "Additional steps to route WAN through
tunnel", where you create the firewall rule to route the traffic from
the created alias (192.168.0.0/24) through the VPN tunnel, this rule
works well when I want to route traffic from my desktop (on the
192.168.0.0 network) to the internet, whether through the VPN or through
normal ISP.

However, this is preventing me from pinging my mobile phones on the
192.168.1.0 network. In fact, as soon as I disable the alias rule above,
I can ping my mobiles but then I can't browse the internet from my
desktop on the 192.168.0.0 network. This is leading me to having to
disable/re-enable the rule every time I have to switch between having to
reach my mobile or having to reach the internet from the desktop. This
alias is not stopping me from pinging the desktop from my mobile. I
guess the tutorial was set up with non-complex usage in mind. But how can I
make this a bit more flexible so that internet traffic can go down the
VPN and local traffic between different LANs is not affected?

I hope I've explained my problem well enough.

Many thanks



[pfSense] Rebuilding confidence

2018-05-20 Thread Antonio Leding
Richard,

One thing to take a look at would be Security Onion.  I use this in concert 
with my other security gear as a means by which to analyze all traffic coming 
in/out of my network.  That analysis drives several follow-on activities such 
as Snort tuning, forensics, etc.

Re: wifi, check out Mikrotik.  I did an eval about 6 months ago that included 
MT, Ubiquiti, Dlink, Linksys, etc. - about 5 vendors in all.  I do agree the 
Ubiquiti line is solid but it is a bit costly when compared to some other 
options such as MT.  The latter is far and away the best value especially when 
considering their wireless performance.  I need to also state there is a bit of 
a learning curve there but once you dig in and get the hang of it, it's not an 
issue at all.  MT devices also have a very comprehensive feature set.

Let me know if you have any other questions re: this stuff...

[pfSense] Log suppressed alerts

2018-05-20 Thread Antonio Leding
Hello pfSense community,

Anyone else see value in having suppressed alerts sent to syslog?  If so, is it 
appropriate to send the request to the dev pfSense list or via some other 
system (i.e. forums, etc.)?


Re: [pfSense] DNS configuration under VPN

2018-05-06 Thread Antonio
After messing around for much of the weekend and reading a bit here and
there I have made one small step to achieving my goal. Basically, I am
able to bind the DNS Resolver to the VPN interface by selecting it
under "Outgoing Network Interfaces". This way all traffic goes through the
VPN tunnel, including DNS queries. In fact, when I go on dnsleaktest.com,
I do not have any leaks and this is very positive.

The only problem is that when the VPN link fails, then I cannot resolve
DNS queries anymore on my LAN devices. So, what I need to do now, is
understand how I can achieve this automatically, i.e. when the VPN link
comes up, it tells the DNS Resolver to route through the VPN tunnel;
when the VPN link is down, it tells the DNS Resolver to route the DNS
queries through the LAN interface. Any suggestions?

Thanks


On 03/05/2018 20:29, Antonio wrote:
> Hi folks,
>
> I'm trying to understand why I get DNS leaks. I am connecting to a VPN
> Italian server from the UK and when I go to www.dnsleaktest.com, the main
> page says I'm connecting from Italy but then, when I do the advanced or
> standard tests, these say I'm located in the UK.
>
> I have:
>
> 2.4.3-RELEASE (amd64)
> built on Mon Mar 26 18:02:04 CDT 2018
> FreeBSD 11.1-RELEASE-p7
>
> Installed on a mini PC that is connected via WAN on a DSL modem (set up
> in pass-through mode, not router mode). pfSense is acting as a DNS
> Resolver even though I have OpenDNS set in the GENERAL tab (I
> believe these are not being used because I'm connected via DNS
> Resolver). Would it be best to configure pfSense as DNS Forwarder?
> Although I'm not sure that this is going to resolve my DNS leak problem.
> All clients are configured with a DNS set to the IP of the pfSense
> machine. Any suggestions on what is the best way to configure DNS on
> pfSense where occasionally I fire up my OpenVPN connection?
>
> Many thanks
>



Re: [pfSense] Mastering DNS Resolver and tweaking behaviour with VPN

2018-05-06 Thread Antonio
Correct, no windows for me.


On 06/05/2018 20:01, Lorenz Schori wrote:
> Hi,
>
> On Sun, 6 May 2018 09:47:17 +0100
> Antonio <m...@geotux.it> wrote:
>
>> I came across that website yesterday and although I have pfSense 2.4.3
>> installed (I believe it ships OpenVPN 2.4.4), I get that the option is
>> not supported although it could be that the server on the other end is
>> not supporting it?
>>
>> "Options error: Unrecognized option or missing or extra parameter(s)
>> in /var/etc/openvpn/client1.conf:46: block-outside-dns (2.4.4)"
> I should have mentioned that this is a windows-specific option and you
> should push it to your clients (unless of course you do not have any
> windows clients).
>
> Cheers,
> Lorenz



[pfSense] Firewall rules on OpenVPN interface

2018-05-06 Thread Antonio
Hi,

I was wondering if the "*Block private networks and loopback addresses*"
and "*Block bogon networks*" should be ticked for the interface I have
created for my OpenVPN client?

Do I need to allow incoming requests on that interface? I copied the
configuration from the internet to connect to my VPN provider but it
gave no detail around these options. You would expect the link to be
secure and I guess the only risk is if the VPN provider sends requests
to my internal network?

Thanks



Re: [pfSense] Mastering DNS Resolver and tweaking behaviour with VPN

2018-05-06 Thread Antonio
Hi Lorenz,

I came across that website yesterday and although I have pfSense 2.4.3
installed (I believe it ships OpenVPN 2.4.4), I get that the option is
not supported although it could be that the server on the other end is
not supporting it?

"Options error: Unrecognized option or missing or extra parameter(s) in
/var/etc/openvpn/client1.conf:46: block-outside-dns (2.4.4)"

Cheers


On 06/05/2018 09:29, Lorenz Schori wrote:
> Hi,
>
> Only covering b).
>
> On Sun, 6 May 2018 03:30:32 +0100
> Antonio <m...@geotux.it> wrote:
>
>> b) *OpenVPN Clients* - this seems to be a new option that wasn't
>> covered in Mark's video. Nor is there reference to this in the pfSense
>> book.
> This was introduced in 2.4.3. see:
> https://redmine.pfsense.org/issues/6847
>
> It basically makes it easy to connect to OpenVPN clients in the field
> from your LAN using the name from their client certificate. This is the
> exact opposite most people are doing with their VPNs.
>
>> Is this the magic setting that forces DNS resolver to route DNS
>> queries through the VPN tunnel?
>> **Although from the description in
>> pfSense this doesn't look like what I'm after.**
> There is actually a magic feature in OpenVPN >= 2.3.9
> See: https://dnsleaktest.com/how-to-fix-a-dns-leak.html
>
> Not sure whether this works for every client OS though. I recommend to
> test this thoroughly if your security / security of your clients depends
> on it.
>
> Cheers,
> Lorenz



[pfSense] Mastering DNS Resolver and tweaking behaviour with VPN

2018-05-05 Thread Antonio
Hi,

I've just come across the excellent tutorial videos of Mark Furneaux on
YouTube. I did the DNS video where he covered unbound. There are a couple
of things I still can't work out and that are not in the pfSense book:

a) *DNS Query Forwarding* - what was the purpose of Mark covering
namebench to measure DNS performance (even going to the length of
filling in the results in the General Setup page) if the DNS servers you
put in this page are only used when you tick this feature? (which I
understand you shouldn't do anyway as it's less secure ...?)


b) *OpenVPN Clients* - this seems to be a new option that wasn't covered
in Mark's video. Nor is there reference to this in the pfSense book. Is
this the magic setting that forces DNS resolver to route DNS queries
through the VPN tunnel? *Although from the description in pfSense this
doesn't look like what I'm after.*


I'm still trying to understand why I get DNS leaks and I'm wondering
whether the resolver is getting the ISP DNS server from the modem and
then using it to resolve DNS queries. Is this possible? I think I need
to understand how to get the DNS resolver to pass the DNS requests
through the VPN tunnel when this is up but I just can't figure out how.


I look forward to hearing from you pfSense experts.


Thanks



[pfSense] DNS configuration under VPN

2018-05-03 Thread Antonio
Hi folks,

I'm trying to understand why I get DNS leaks. I am connecting to a VPN
Italian server from the UK and when I go to www.dnsleaktest.com, the main
page says I'm connecting from Italy but then, when I do the advanced or
standard tests, these say I'm located in the UK.

I have:

2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7

Installed on a mini PC that is connected via WAN on a DSL modem (set up
in pass-through mode, not router mode). pfSense is acting as a DNS
Resolver even though I have OpenDNS set in the GENERAL tab (I
believe these are not being used because I'm connected via DNS
Resolver). Would it be best to configure pfSense as DNS Forwarder?
Although I'm not sure that this is going to resolve my DNS leak problem.
All clients are configured with a DNS set to the IP of the pfSense
machine. Any suggestions on what is the best way to configure DNS on
pfSense where occasionally I fire up my OpenVPN connection?

Many thanks



Re: [pfSense] Access Point config: separating guest from permissible users

2018-03-10 Thread Antonio
Interesting! Does this mean that by disabling the WAN port on the DD-WRT
device and getting it to act as a switch, the pfSense router device
actually sees multiple network domains on the same LAN port? I guess
this is probably due to the fact that I don't understand VLANs ...

Currently, I have LAN port on pfSense device set to 192.168.2.2 and WAN
port on DD-WRT set on 192.168.2.3. The wireless network is set on
192.168.3.X.

From what I understand from your guide, it would seem that you have
created virtual wireless networks (wl0.1, wl0.2) in STEP 2, then you
activate VLAN 5 and 15 and assign them to the WLAN port, then you create
the bridges which tell DD-WRT to assign wl0.1 to VLAN 15 via bridge 1
and wl0.2 to VLAN 5 via bridge 2. Correct? This seems to be quite
powerful but I guess the art is actually happening on the router
(pfSense) where you have to craft the firewall rules correctly or
there could be problems. Is this where jmitchel's answer can help?

Thanks for your help both, much appreciated.
Antonio



On 11/03/2018 01:47, Moshe Katz wrote:
> The most reliable way to do it is to set up two VLANs for your
> wireless, with your Home network on one of them and your Guest network
> on the other, and to configure the firewall rules in pfSense for the
> LAN-LAN traffic.
>
> DD-WRT officially supports VLAN tagging (802.1q), but it only works on
> some hardware. On other hardware, you need to use "Port-based" VLANs,
> which would probably require an additional LAN port to be configured
> on your pfSense.
> Here are instructions for "Port-based" VLAN configuration, with an
> example that uses three networks:
> https://community.spiceworks.com/how_to/32549-ddwrt-multiple-ssids-with-vlans
>
>
> NOTE: I do not currently have hardware that is running DD-WRT at home,
> so I am writing this from memory (and from links to resources I have
> used in the past).
>
> Also, note that you don't need to use the separate 2.4GHz and 5GHz
> radios in order to do this. Most hardware supports running multiple
> SSIDs (a.k.a. WiFi network names) on a single band, so you could have
> both of your WiFi networks on both bands - 5GHz for performance and
> 2.4GHz for longer range. Most modern dual-band devices will
> automatically pick the best of the two signals.
>
> --
> Moshe Katz
> -- mo...@ymkatz.net <mailto:mo...@ymkatz.net>
> -- +1(301)867-3732
>
> On Sat, Mar 10, 2018 at 6:54 PM, Antonio <m...@geotux.it
> <mailto:m...@geotux.it>> wrote:
>
> Hi pfSense experts,
>
> I was hoping you could help me with a config question. I have pfSense
> configured as main router for my network. The WAN is connected to a DSL
> modem, one LAN on an ethernet switch and another LAN port on a Netgear
> R8000 with dd-wrt installed. One of the cool features of the R8000 is
> that it has two separate wireless networks: 2.4GHz and 5GHz.
>
> I wanted to use one for guests and only allow access to the internet while
> the other for permitted users (family members) that would also have
> access to the local network. How am I going to achieve this on pfSense
> though? Is it a matter of closing access to the local network for all IPs
> coming from the AP except those I want to permit (family devices) or is
> there a simpler way of doing this, i.e. VLANs?
>
> I look forward to your response.
>
> Thank you
>
>


[pfSense] Access Point config: separating guest from permissible users

2018-03-10 Thread Antonio
Hi pfSense experts,

I was hoping you could help me with a config question. I have pfSense
configured as main router for my network. The WAN is connected to a DSL
modem, one LAN on an ethernet switch and another LAN port on a Netgear
R8000 with dd-wrt installed. One of the cool features of the R8000 is
that it has two separate wireless networks: 2.4GHz and 5GHz.

I wanted to use one for guests and only allow access to the internet while
the other for permitted users (family members) that would also have
access to the local network. How am I going to achieve this on pfSense
though? Is it a matter of closing access to the local network for all IPs
coming from the AP except those I want to permit (family devices) or is
there a simpler way of doing this, i.e. VLANs?

I look forward to your response.

Thank you



Re: [pfSense] Open ports with OpenVPN tunnel

2018-01-01 Thread Antonio
Hi,

It's the rules that are under the heading "Additional steps to route WAN
through tunnel" at the bottom of this page:

https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

Regards

Antonio



On 01/01/2018 21:50, Chris L wrote:
> What are the Firewall > Rules on your OpenVPN tab and the OpenVPN assigned 
> interface tab for the ExpressVPN connection?
>
>
>> On Jan 1, 2018, at 1:48 PM, Antonio <m...@geotux.it> wrote:
>>
>> Hi,
>>
>> I recently managed to get pfSense to run an OpenVPN connection with my VPN 
>> provider (ExpressVPN). All traffic is routed through this VPN tunnel via my 
>> pfSense device.
>>
>> I randomly use ShieldsUp to test my ports and see if they are dropping 
>> requests. All fine when the VPN tunnel is down. I then ran the ShieldsUp 
>> (https://www.grc.com/x/ne.dll?bh0bkyd2) test when the VPN tunnel was up and 
>> to my surprise I found that when I run ShieldsUp against the IP I get off 
>> "What my IP" (which presumably is the IP of the VPN server which I'm 
>> connecting to) there are a few open ports: 80, 81, 443.
>>
>> I'm assuming that as these are the open ports of the VPN server that is 
>> allowing me to connect, it's not reflecting the configuration of OpenVPN on 
>> my pfSense device, correct? Apologies, this may be a bit OT but I thought I 
>> would check that it's not a pfSense related issue before I knock on 
>> ExpressVPN's door. Presumably, this is the way OpenVPN works ...
>>
>>
>> Regards
>>
>



[pfSense] Open ports with OpenVPN tunnel

2018-01-01 Thread Antonio
Hi,

I recently managed to get pfSense to run an OpenVPN connection with my VPN 
provider (ExpressVPN). All traffic is routed through this VPN tunnel via my 
pfSense device.

I randomly use ShieldsUp to test my ports and see if they are dropping 
requests. All fine when the VPN tunnel is down. I then ran the ShieldsUp 
(https://www.grc.com/x/ne.dll?bh0bkyd2) test when the VPN tunnel was up and 
to my surprise I found that when I run ShieldsUp against the IP I get off 
"What my IP" (which presumably is the IP of the VPN server which I'm 
connecting to) there are a few open ports: 80, 81, 443.

I'm assuming that as these are the open ports of the VPN server that is 
allowing me to connect, it's not reflecting the configuration of OpenVPN on 
my pfSense device, correct? Apologies, this may be a bit OT but I thought I 
would check that it's not a pfSense related issue before I knock on 
ExpressVPN's door. Presumably, this is the way OpenVPN works ...


Regards



[pfSense] OpenVPN with pfSense and TLS handshake problems

2017-12-23 Thread Antonio
Hi,

I've tried to set up a VPN tunnel using this guide
(https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/#additional)
which covers the setting up of the tunnel and relative firewall rules
for ExpressVPN. However, it seems like I was having trouble at the early
stages (where it says "Confirm connection success"). Instead of seeing
"UP" under "status" when I go to STATUS > OPENVPN, I see "reconnecting;
tls-error".

Inspection of the logs reveals several batches of the following:

Dec 24 00:53:16 openvpn 10563   Restart pause, 2 second(s)
Dec 24 00:53:16 openvpn 10563   SIGUSR1[soft,tls-error] received, process restarting
Dec 24 00:53:16 openvpn 10563   TLS Error: TLS handshake failed
Dec 24 00:53:16 openvpn 10563   TLS Error: TLS object -> incoming plaintext read error
Dec 24 00:53:16 openvpn 10563   TLS_ERROR: BIO read tls_read_plaintext error
Dec 24 00:53:16 openvpn 10563   OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec 24 00:53:16 openvpn 10563   VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2720-0a, emailAddress=supp...@expressvpn.com
Dec 24 00:53:16 openvpn 10563   TLS: Initial packet from [AF_INET]185.183.105.216:1195, sid=83a90840 8590b2bf
Dec 24 00:53:16 openvpn 10563   UDPv4 link remote: [AF_INET]185.183.105.216:1195
Dec 24 00:53:16 openvpn 10563   UDPv4 link local (bound): [AF_INET]192.168.0.2
Dec 24 00:53:16 openvpn 10563   Socket Buffers: R=[42080->524288] S=[57344->524288]
Dec 24 00:53:16 openvpn 10563   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

I have the same setup with dd-WRT and it's working fine. So it can't be a
problem with ExpressVPN. Any suggestions? They have this web page
(https://www.expressvpn.com/support/troubleshooting/log-items/unable-to-connect-tls-handshake-failed/)
for the TLS handshake problem but it's generic and windows oriented so pretty
much useless.


Thanks for any suggestion or help you may be able to provide.


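The "VERIFY ERROR: depth=0, error=unable to get local issuer certificate" line in the log above is what OpenSSL reports when the CA certificate the client trusts is not the one that issued the server's certificate, i.e. the 'ca' configured on the pfSense OpenVPN client does not match the server's chain. The script below is an added example, not code from the post or from ExpressVPN: it builds two throwaway CAs, signs a server certificate with one of them, and shows `openssl verify` passing against the issuing CA and reproducing that exact error against the other. All names (Demo-CA-A, Demo-CA-B, Server-demo) are constructed, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the mailing list post): reproduce and check the
# "unable to get local issuer certificate" failure with throwaway certificates.
# Requires the openssl command-line tool. All names below are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME -> self-signed CA certificate and key in $WORK/NAME.crt / NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# new_server_cert NAME CA -> server certificate for NAME signed by CA
new_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# chain_check CAFILE CERT -> prints "OK" when CERT chains to CAFILE, otherwise
# "depth=N <reason>", the same terms OpenVPN logs (VERIFY ERROR: depth=N, error=...).
# Always returns 0 so it can be called under 'set -e'.
chain_check() {
    result="$(openssl verify -CAfile "$1" "$2" 2>&1 || true)"
    case "$result" in
        *": OK"*) echo "OK" ;;
        *) echo "$result" \
             | sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: */depth=\1 /p' \
             | head -n 1 ;;
    esac
}

# Demo-CA-A issues the server certificate; Demo-CA-B is an unrelated CA that
# stands in for a wrong 'ca' file in the OpenVPN client configuration.
new_ca Demo-CA-A
new_ca Demo-CA-B
new_server_cert Server-demo Demo-CA-A

echo "right CA: $(chain_check "$WORK/Demo-CA-A.crt" "$WORK/Server-demo.crt")"
echo "wrong CA: $(chain_check "$WORK/Demo-CA-B.crt" "$WORK/Server-demo.crt")"
```

The second line prints "depth=0 unable to get local issuer certificate", matching the OpenVPN log; the same `openssl verify -CAfile` check run against the CA file from the provider's configuration is a quick way to confirm whether that file is the issuer before looking elsewhere.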


[pfSense] Moving traffic between LAN & OPT1

2017-12-22 Thread Antonio
Hi,

I'm not sure how you move traffic between the above interfaces. I was
under the impression that all you needed was a "Default allow LAN to any
rule" and job done. Yet I'm struggling to get devices on different
interfaces to communicate. What am I missing?


Thanks





Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Antonio
You are probably right so I have gone and disconnected the Hawk. I'm a
bit worried now that my WAN is exposed to attacks. Is it sufficient to
have the "Block private networks" and "Block bogon networks" active on
the WAN interface? Any other rules needed?


Thanks


On 23/12/2017 00:29, Ryan Coleman wrote:
> I think the overkill is all the extra appliances doing things that
> pfSense can do.
>
> You want the pfSense to be in the middle, you want the traffic to be
> filtered and routed… pfSense is great for this very task, you don’t
> need the Hawk or Netgear firewalls… 
>
> aDSL modem -> pfSense -> switch -> Rest of network
>
>
>
>> On Dec 22, 2017, at 6:15 PM, Antonio <m...@geotux.it
>> <mailto:m...@geotux.it>> wrote:
>>
>> Sounds cool but maybe a bit overkill for what I need ...
>>
>> Cheers
>>
>>
>> On 22/12/2017 22:35, Eero Volotinen wrote:
>>> Well,
>>>
>>> Just plug pfsense to ADSL and buy managed switch and some unifi wlan
>>> aps. You can install proxy on pfsense box also..
>>>
>>>
>>> Eero
>>>
>>> 22.12.2017 23.57 "Antonio" <m...@geotux.it
>>> <mailto:m...@geotux.it> <mailto:m...@geotux.it>>
>>> wrote:
>>>
>>>    Hello,
>>>
>>>    I'm trying to design an optimal network setting for my home and was
>>>    wondering what people's thoughts were based on my needs:
>>>
>>>    1) Need a single DHCP, DNSMasq server;
>>>
>>>    2) want to route traffic through VPNs only on certain parts of my
>>>    network
>>>
>>>    3) want to eventually install a proxy somewhere on the network to
>>>    route
>>>    traffic from my kids laptops/tablets.
>>>
>>>    4) obviously want to firewall all centrally as best as possible.
>>>
>>>    My setup is as follows:
>>>
>>>    a) I have a little compact mini PC with four ethernet connections (1x
>>>    WAN and 3x LAN) - it's wifi too
>>>
>>>    b) A Netgear Modem onto ADSL
>>>
>>>    c) A Netgear router Hawk 7000
>>>
>>>    d) a couple of desktop PCs wired to (a) as well as a server
>>>
>>>    e) several mobiles, IoTs that connect wireless to (c)
>>>
>>>    At the moment the connection is (b)->(c)->(a)->PCs but I feel I'm not
>>>    getting the best of this setup, particularly pfSense which at the
>>>    moment
>>>    is just firewalling my PCs/server.
>>>
>>>    I generally consider the wifi network the weak point as guests come and
>>>    connect to it; that's why it's connected before (a); traffic from (c)
>>>    cannot get past (a) but the PCs/server can get out on the internet. I
>>>    feel that (a) should be connected to (b) and (c) should then be
>>>    connected to one of the LAN ports on (a), say LAN2 (I would have a
>>>    switch on LAN1 with PCs/server). I could then use pfSense to route
>>>    traffic from LAN2 to WAN and firewall LAN1 so that traffic from LAN2
>>>    could not go to LAN1.
>>>
>>>    That way, I could then set up pfSense as my single DHCP and DNSMasq
>>>    server. I could then set up VPNs for just traffic of LAN1 or LAN2.
>>>
>>>    Would you agree with this sort of setup or do you think I could
>>>    implement things better?
>>>
>>>    I look forward to some of your thoughts.
>>>
>>>    Best regards
>>>
>>>
>>>
>>
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Antonio
Sounds cool but maybe a bit overkill for what I need ...

Cheers


On 22/12/2017 22:35, Eero Volotinen wrote:
> Well,
>
> Just plug pfSense into the ADSL and buy a managed switch and some UniFi WLAN
> APs. You can install the proxy on the pfSense box as well.
>
>
> Eero
>
> On 22.12.2017 23.57, "Antonio" <m...@geotux.it> wrote:
>


[pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Antonio
Hello,

I'm trying to design an optimal network setting for my home and was
wondering what people's thoughts were based on my needs:

1) Need a single DHCP, DNSMasq server;

2) want to route traffic through VPNs only on certain parts of my network

3) want to eventually install a proxy somewhere on the network to route
traffic from my kids' laptops/tablets.

4) obviously want to firewall all centrally as best as possible.

My setup is as follows:

a) I have a little compact mini PC with four ethernet connections (1x
WAN and 3x LAN) - it's wifi too

b) A Netgear Modem onto ADSL

c) A Netgear router Hawk 7000

d) a couple of desktop PCs wired to (a) as well as a server

e) several mobiles, IoTs that connect wireless to (c)

At the moment the connection is (b)->(c)->(a)->PCs but I feel I'm not
getting the best of this setup, particularly pfSense which at the moment
is just firewalling my PCs/server.

I generally consider the wifi network the weak point as guests come and
connect to it; that's why it's connected before (a); traffic from (c)
cannot get past (a) but the PCs/server can get out on the internet. I
feel that (a) should be connected to (b) and (c) should then be
connected to one of the LAN ports on (a), say LAN2 (I would have a
switch on LAN1 with PCs/server). I could then use pfSense to route
traffic from LAN2 to WAN and firewall LAN1 so that traffic from LAN2
could not go to LAN1.

That way, I could then set up pfSense as my single DHCP and DNSMasq
server. I could then set up VPNs for just traffic of LAN1 or LAN2.

Would you agree with this sort of setup or do you think I could
implement things better?

I look forward to some of your thoughts.

Best regards



Re: [pfSense] Open ports between subnets

2017-10-06 Thread Antonio
Yes, they are switched off on both the LAN and the Wifi network. It's
driving me nuts ...


On 02/10/2017 15:53, Steve Yates wrote:
> Do you have the option to block private networks on both interfaces turned 
> off?
>
> --
>
> Steve Yates
> ITS, Inc.
>


Re: [pfSense] block DNS queries to external resolvers rule

2017-10-01 Thread Antonio
Silly me ... :-) Yes, it's working now. Does this sort of configuration
prevent a DNS leak?

Cheers



On 01/10/2017 01:59, Chris L wrote:
>> On Sep 30, 2017, at 5:38 PM, Antonio <antoniogennar...@gmail.com> wrote:
>>
>> Hi,
>>
>> I tried to add the "block DNS queries to external resolvers" rules as
>> described here
>> (https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
>> ) to my LAN config and noticed that traffic would not go anywhere on the
>> LAN until I disabled the two rules below on port 53. With rules 1, 4, 5
>> below, all works well. When I switch on 2 and 3 too, the browser stops
>> working and all traffic on the LAN goes nowhere. Why would this be?
>
> Because your clients aren’t configured to use “LAN Address” as their DNS 
> server?

[pfSense] block DNS queries to external resolvers rule

2017-09-30 Thread Antonio
Hi,

I tried to add the "block DNS queries to external resolvers" rules as
described here
(https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
) to my LAN config and noticed that traffic would not go anywhere on the
LAN until I disabled the two rules below on port 53. With rules 1, 4, 5
below, all works well. When I switch on 2 and 3 too, the browser stops
working and all traffic on the LAN goes nowhere. Why would this be?

Thanks



#  States         Protocol        Source   Port  Destination  Port      Gateway  Queue  Description
1  1 / 3.61 MiB   *               *        *     LAN Address  443, 80   *        *      Anti-Lockout Rule
2  0 / 0 B        IPv4+6 TCP/UDP  *        *     LAN address  53 (DNS)  *        none   Allow DNS to pfSense/DNSMASQ/OpenDNS
3  0 / 21 KiB     IPv4+6 TCP/UDP  *        *     *            53 (DNS)  *        none   Block DNS to everything else
4  1 / 44.34 MiB  IPv4 *          LAN net  *     *            *         *        none   Default allow LAN to any rule
5  0 / 0 B        IPv6 *          LAN net  *     *            *         *        none   Default allow LAN IPv6 to any rule

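As an added illustration (not from the thread and not pfSense code), here is a small first-match simulation of the LAN rule set posted above, using the rule numbers, descriptions and the LAN address 192.168.2.1 from the table; the /24 LAN, the client address 192.168.2.50 and the 203.0.113.x destinations are constructed. It shows why, once rules 2 and 3 are enabled, a client that points at an external resolver loses name resolution while a client that uses the LAN address keeps working, and that disabling the two rules lets that DNS traffic out through rule 4, which is exactly the leak the rules are meant to close.

```python
"""First-match walk of the LAN rule set from this thread (added example,
not pfSense code). pfSense interface rules are 'quick' pf rules: the
first rule that matches decides, and a packet matching nothing falls to
pf's default deny. Rule numbers, descriptions and the LAN address come
from the posted table; the LAN subnet, client and destination addresses
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

LAN_ADDRESS = "192.168.2.1"               # "LAN Address" in the rule table
LAN_NET = ip_network("192.168.2.0/24")    # assumption: a /24 LAN


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "pass" or "block"
    protos: Optional[FrozenSet[str]]  # None = any protocol ("*")
    src: str                          # "any" or "lan_net"
    dst: str                          # "any" or "lan_address"
    dports: Optional[FrozenSet[int]]  # None = any destination port
    description: str
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    if not rule.enabled:
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.src == "lan_net" and ip_address(pkt.src) not in LAN_NET:
        return False
    if rule.dst == "lan_address" and pkt.dst != LAN_ADDRESS:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or
    ("block", None) for pf's implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "block", None


def lan_rules(dns_rules_enabled: bool = True) -> List[Rule]:
    """The IPv4 LAN rules from the thread, top to bottom. Rules 2 and 3 are
    the ones the poster toggled; rule 5 (IPv6) is left out of this v4 model."""
    tcp_udp = frozenset({"tcp", "udp"})
    return [
        Rule(1, "pass", None, "any", "lan_address", frozenset({443, 80}),
             "Anti-Lockout Rule"),
        Rule(2, "pass", tcp_udp, "any", "lan_address", frozenset({53}),
             "Allow DNS to pfSense/DNSMASQ/OpenDNS", dns_rules_enabled),
        Rule(3, "block", tcp_udp, "any", "any", frozenset({53}),
             "Block DNS to everything else", dns_rules_enabled),
        Rule(4, "pass", None, "lan_net", "any", None,
             "Default allow LAN to any rule"),
    ]


# Constructed sample traffic from a LAN client at 192.168.2.50.
DNS_TO_PFSENSE = Packet("udp", "192.168.2.50", LAN_ADDRESS, 53)
DNS_TO_EXTERNAL = Packet("udp", "192.168.2.50", "203.0.113.53", 53)
HTTPS_OUT = Packet("tcp", "192.168.2.50", "203.0.113.80", 443)


def explain(dns_rules_enabled: bool) -> Dict[str, Tuple[str, Optional[int]]]:
    """Verdict for each sample packet with rules 2 and 3 enabled or disabled."""
    rules = lan_rules(dns_rules_enabled)
    return {name: evaluate(rules, pkt) for name, pkt in
            [("dns_to_pfsense", DNS_TO_PFSENSE),
             ("dns_to_external", DNS_TO_EXTERNAL),
             ("https_out", HTTPS_OUT)]}


if __name__ == "__main__":
    for state in (True, False):
        print(f"rules 2 and 3 enabled={state}:")
        for name, (action, num) in explain(state).items():
            print(f"  {name:16s} -> {action} (rule {num})")
```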


[pfSense] Open ports between subnets

2017-09-30 Thread Antonio
Hi,

I have a media app called EMBY on my Android phone, installed on an
Android 7.1 mobile connected via the pfSense wifi network (192.168.3.x). It
should try to connect to my server on the wired LAN at 192.168.2.X but
doesn't appear to do so for some reason. I inspected the firewall logs and
they say that packets from 192.168.3.7 (phone) to 192.168.3.1 are
blocked. It's almost as if the packets couldn't get past the WIFI
gateway into the 192.168.2.X subnet even though I have a rule set up in
the wifi that:

a) allows a PASS for IPV4* packets with source "LAN net" to destination
* -> "Default allow LAN to any rule"

b) allow IPV4 from 192.168.3.X any port to 192.168.2.2 any port

There must be something that I am missing but can't get my head around it.

Note that the DHCP server on pfSense is assigning 192.168.3.7 to the phone by
default via MAC address identification, so it's not a DHCP problem.

Any clues on what I could be missing? Why are the packets getting
blocked at 192.168.3.x? In the logs, there appear to be a lot of
requests from random ports on the mobile device to port 53.

Note that I have another device on the wifi network (a little Adafruit
ESP device logging temperature) that is not having these problems and
is getting to the server no problem.

I hope you guys can help me work out what is wrong.

Thanks

Antonio



Re: [pfSense] RRD alternatives

2017-02-17 Thread Antonio Cortes Alhambra
http://www.cacti.net/


Kind regards







2017-02-17 17:30 GMT-03:00 Cheyenne Deal :

> Is there an alternative to what were the rrd graphs in 2.2?


[pfSense] NAT from WAN to LAN

2016-08-14 Thread Antonio
Hello,

you'll have to forgive my newbie question, but that's where we all start at
some point. I'm really keen to understand more about networking, hence my
desire to learn through pfSense.

This is my setup:

OpenWRT Router on the ADSL which has the 195.160.1.0 network on the LAN
side and a pfSense linked to the 195.160.1.2 address on the router's LAN
(so connected to the pfSense WAN side). On the LAN side of the pfSense, I
have the 195.160.2.0 network with 195.160.2.1 on the LAN side. I have a
server on the LAN on pfSense which I want to isolate from all the wireless
traffic that is going on the 195.160.1.0 (lots of guest accounts). But I
also have a multimedia client on the 195.160.1.0 network that I want to
allow access to the media server (195.160.2.2:8096) on the 195.160.2.0
network.

I've set up a NAT port forward rule on pfSense like this:

Interface  Protocol  Source Addr  Source Port  Dest Addr    Dest Port  NAT IP       NAT Port
WAN        TCP       *            *            195.160.2.2  8096       195.160.2.2  8096


I allowed pfSense to create the firewall rule automatically so this
should be fine?


Why do I not see traffic from the media client being logged (basically,
the client does appear to be routed to the server between the
two subnets) but I do see traffic from the media client on the
195.160.1.0 being logged to the whole 195.160.1.0 network (I see UDP
traffic from 195.160.1.4 to 195.160.1.255 being logged for netbios on
138) as blocked traffic. When I try to ping the pfSense WAN port on
195.160.1.2, it does get logged on pfSense but when I try to ping the
LAN side of the pfSense from the WAN side, nothing gets logged. Has this
got to do with the default rules set up during setting up the WAN
interface on pfSense:

a) Blocks traffic from IP addresses that are reserved for private
networks per RFC 1918 (10/8, 172.16/12, 192.168/16) and unique local
addresses per RFC 4193 (fc00::/7) as well as loopback addresses (127/8).
This option should generally be turned on, unless this network interface
resides in such a private address space, too.

b) Blocks traffic from reserved IP addresses (but not RFC 1918) or not
yet assigned by IANA. Bogons are prefixes that should never appear in
the Internet routing table, and so should not appear as the source
address in any packets received. Note: The update frequency can be
changed under System->Advanced Firewall/NAT settings.

I have them both ticked but I thought the NAT rule would take precedence?

Thanks

geotux




Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-27 Thread Antonio Prado
On 1/22/16 11:02 AM, Seth Mos wrote:
>> Is it a bug?
> 
> No, that sounds about right, it advertises itself as the gateway.

filed a bug: https://redmine.pfsense.org/issues/5812

fixed in 2.3
--
antonio



Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-25 Thread Antonio Prado
On 1/22/16 11:02 AM, Seth Mos wrote:
> On 22-1-2016 at 8:53, Antonio Prado wrote:
>> Hi,
>>
>> on a freshly installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6
>> not configured, pfSense starts advertising itself as IPv6 gateway on LAN
>> using its link-local address (fe80::/64).
>>
>> That's not the correct behavior I guess.
>>
>> Is it a bug?
> 
> No, that sounds about right, it advertises itself as the gateway.

btw, it has already been reported:

https://forum.pfsense.org/index.php?topic=101375.msg565424#msg565424

--
antonio



Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-25 Thread Antonio Prado
On 1/25/16 10:15 AM, Antonio Prado wrote:
>> No, that sounds about right, it advertises itself as the gateway.
> 
> btw, it has already been reported:
> 
> https://forum.pfsense.org/index.php?topic=101375.msg565424#msg565424

and here:

https://forum.pfsense.org/index.php?topic=74774.0

thank you
--
antonio



Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-23 Thread Antonio Prado
On 1/23/16 2:55 AM, Jon Gerdes wrote:
> What is the fault you are actually trying to fix?

before fixing, currently I'm trying to avoid breaking.

consider a LAN segment where everything is working as it is supposed to:
routing, v6 SLAAC etc.

now, connect a new box in that scenario running a fresh pfSense 2.2.6 and
configure a LAN IPv4 address on it just to reach its web GUI (I did
this on a LAGG).

what I got here was broken IPv6 connectivity on the LAN segment
because pfSense 2.2.6 starts advertising itself as IPv6 gateway (leading
nowhere actually) like a rogue RA would do.

pfSense 2.2.6 should begin advertising only after having been told to do
so, as any other BSD box after all.

thank you
--
antonio
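The symptom described in this thread, a box with no IPv6 configuration announcing itself as the default router from its link-local address, is the same thing a LAN monitor looks for when hunting rogue RAs. As an added example (not part of the thread and not pfSense code), the parser below decodes an ICMPv6 Router Advertisement per RFC 4861 and flags any sender outside an expected router list that advertises a non-zero Router Lifetime; the expected router fe80::1, the 2001:db8:1::/64 prefix and the sample frames are constructed, while the second sender's link-local address is the one quoted later in the thread.

```python
"""Decode ICMPv6 Router Advertisements (RFC 4861 section 4.2) and flag
unexpected default-router announcements. Added example, not pfSense code.
Only the ICMPv6 payload is handled: the caller supplies the IPv6 source
address, and the checksum is not verified (it needs the pseudo-header)."""
import struct
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Iterable, List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
# type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
RA_HEADER = struct.Struct("!BBHBBHII")


def parse_router_advertisement(payload: bytes) -> Dict[str, object]:
    """Return the RA header fields plus any advertised prefixes.
    Malformed input raises ValueError (RFC 4861 says such packets are discarded)."""
    if len(payload) < RA_HEADER.size:
        raise ValueError("RA shorter than the 16-byte header")
    (icmp_type, code, _csum, hop_limit, flags,
     lifetime, reachable, retrans) = RA_HEADER.unpack_from(payload)
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement: type={icmp_type} code={code}")
    prefixes: List[str] = []
    offset = RA_HEADER.size
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")
        end = offset + opt_len * 8          # option length is in 8-byte units
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len = payload[offset + 2]
            prefix = IPv6Address(payload[offset + 16:offset + 32])
            prefixes.append(f"{prefix}/{prefix_len}")
        offset = end                        # unknown options are skipped
    return {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),
        "other_config": bool(flags & 0x40),
        "router_lifetime": lifetime,        # 0 means "not a default router"
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "prefixes": prefixes,
    }


def classify_ra(src: str, payload: bytes, expected_routers: Iterable[str]) -> str:
    """'ok' from a known router; 'rogue-default-router' when an unknown sender
    sets a non-zero Router Lifetime (it is offering itself as default gateway);
    'unexpected-sender' for an unknown sender with lifetime 0, which only
    carries prefix/other information and does not hijack the default route."""
    ra = parse_router_advertisement(payload)
    if IPv6Address(src) in {IPv6Address(r) for r in expected_routers}:
        return "ok"
    if ra["router_lifetime"] > 0:
        return "rogue-default-router"
    return "unexpected-sender"


def build_ra(router_lifetime: int, prefix: Optional[str] = None) -> bytes:
    """Constructed RA payload for testing (checksum left at zero)."""
    payload = RA_HEADER.pack(ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                             router_lifetime, 0, 0)
    if prefix is not None:
        net = IPv6Network(prefix)
        # Prefix Information option: type 3, length 4 (32 bytes), prefix length,
        # L and A flags set, valid and preferred lifetimes, reserved, prefix
        payload += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4,
                               net.prefixlen, 0xC0, 2592000, 604800, 0)
        payload += net.network_address.packed
    return payload


# Constructed scenario: fe80::1 is the real gateway; the second sender is the
# link-local address of the fresh pfSense box quoted in the thread.
EXPECTED_ROUTERS = ["fe80::1"]
SAMPLE_FRAMES = [
    ("fe80::1", build_ra(1800, "2001:db8:1::/64")),
    ("fe80::a236:9fff:fe3a:ff5c", build_ra(1800)),
]

if __name__ == "__main__":
    for src, frame in SAMPLE_FRAMES:
        print(src, classify_ra(src, frame, EXPECTED_ROUTERS),
              parse_router_advertisement(frame)["prefixes"])
```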


Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-22 Thread Antonio Prado
On 1/22/16 11:02 AM, Seth Mos wrote:
>> on a freshly installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6
>> not configured, pfSense starts advertising itself as IPv6 gateway on LAN
>> using its link-local address (fe80::/64).
>>
>> That's not the correct behavior I guess.
>>
>> Is it a bug?
> 
> No, that sounds about right, it advertises itself as the gateway.

well, let me disagree.
when a router (pfSense) has RA disabled (as previously stated in my
message), it simply should not advertise, per RFC 4861.

in other words, even though pfSense 2.2.6 has no IPv6 configured (i.e.
no v6 address on interfaces, RA disabled), it advertises itself as IPv6 gw.

let me know
thank you
--
antonio


Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-22 Thread Antonio Prado
On 1/22/16 12:39 PM, Seth Mos wrote:
>> in other words, even though pfSense 2.2.6 has no IPv6 configured (i.e.
>> no v6 address on interfaces, RA disabled), it advertises itself as IPv6 gw.
> 
> Is your LAN interface not configured for IPv6 with address fe80::1:1? It
> should be, it's in the default config, unless you disable it.

it's correctly auto-configured:
inet6 fe80::a236:9fff:fe3a:ff5c%lagg1 prefixlen 64 scopeid 0xb

but it should not advertise itself as a gw, simply because it's not a gw
and therefore it has not been instructed to do so.

thank you
--
antonio


[pfSense] 2.2.6 and IPv6 RA

2016-01-21 Thread Antonio Prado
Hi,

on a freshly installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6
not configured, pfSense starts advertising itself as IPv6 gateway on LAN
using its link-local address (fe80::/64).

That's not the correct behavior I guess.

Is it a bug?

thank you
--
antonio


Re: [pfSense] openvpn - how do i nat the vpn segment?

2015-01-20 Thread Antonio Prado
On 1/20/15 4:27 PM, Randy Bush wrote:
> I do not know how to dump the NAT and firewall rules to text, darn it.

randy,
backup -- [Firewall Rules | NAT] -- download

that's config to text (XML), though not very compact or viewer-friendly
--
antonio



[pfSense] This is a bug?

2012-11-16 Thread Rafael Antonio Brizuela Sosa

Production Versions:

Pfsense - 2.0-RELEASE (amd64) built on Tue Sep 13 17:05:32 EDT 2011 
squid - 2.7.9 pkg v.4.3.1
squidGuard - 1.3_1 pkg v.1.9.1

Pfsense - 2.0.1-RELEASE (amd64) built on Mon Dec 12 18:16:13 EST 2011
squid - Stable 2.7.9 pkg v.4.3.1 platform: 2 
squidGuard - Beta 1.3_1 pkg v.1.9.1 platform: 1.1 

This is the government website where the problem arises.

http://antecedentes.policia.gov.co:7003/WebJudicial/index.xhtml

Using earlier versions of pfSense, squid and squidGuard, after accepting the
agreement, entering data to validate and clicking search, I am redirected back.

I do not get the information from the query.

Without proxy all is OK.

-- 
Rafael Antonio Brizuela Sosa
Especialista Open Source




___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfSense vs JunOS

2012-07-04 Thread Tonix (Antonio Nati)

On 02/07/2012 15:51, Jim Pingle wrote:

On 7/2/2012 9:38 AM, Tonix (Antonio Nati) wrote:

Too much confusion in keeping filters tables,

Switching how the entire firewall operates is also very confusing and
not likely to do what people expect -- floating rules would be much
easier to understand than you expect (if the list were cleaned up a bit)


and no possibility to let a user to manage his/her interface.

That's not even possible now, and would be just as difficult/easy to
implement on the floating tab as any other. (If a user can only see
interface X, only show the rules for interface X, done.)


Would it be possible to have a technical answer about using OUTPUT 
interface rules instead of INPUT interface rules?
What should change dramatically inside pfSense, and is there any real 
security reason for not doing that?


As far as I can see from PF filtering, both INPUT and OUTPUT interface rules 
would be evaluated in the same place.


Regards,

Tonino



Jim








--

Inter@zioniInterazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] pfSense vs JunOS

2012-07-04 Thread Tonix (Antonio Nati)

On 04/07/2012 11:44, Ermal Luçi wrote:

On Wed, Jul 4, 2012 at 10:44 AM, Tonix (Antonio Nati)
to...@interazioni.it wrote:


Would it be possible to have a technical answer about using OUTPUT
interface rules instead of INPUT interface rules?
What should change dramatically inside pfSense, and is there any real
security reason for not doing that?

As far as I can see from PF filtering, both INPUT and OUTPUT interface rules
would be evaluated in the same place.


The definition of "same place" is not correct here.
While it's true that all rules are in the same place (data structure),
on stateful firewalls they get evaluated only once; that is why splitting
them out is not considered.
Also there are optimizations that make this not a factor at all in
the evaluation of the ruleset.
Certainly it is recommended to kill mosquitoes before they come to you :)

Though it's mostly for performance reasons, because the packets then will
consume too much CPU and open the possibility of DoS.
Although there is the other reason of buffer overflows and exploits.
Wrongly crafted packets might crash your host or even make it
vulnerable to exploits, while with filtering on inbound you reduce this
risk by at least checking the sanity of network metadata (packet headers,
IPs, etc).


Sorry, but you did not answer my question. Your comments are general 
security comments but do not answer the central question.


Once you have an incoming connection (first time), let's say from INT 
X to INT Y, dest IP Z, dest port P, will these alternative rules be 
evaluated at the same moment or not?


- Evaluate INPUT on INT X, dest IP Z, dest port P
- Evaluate OUTPUT on INT Y, dest IP Z, dest port P

If the answer is YES, there is no added security risk in preferring 
filtering rules on the OUTPUT interface. Both INPUT and OUTPUT have the same risks.


If the answer is NO, please explain where and why INPUT and OUTPUT are 
evaluated in different phases.


Regards,

Tonino






Re: [pfSense] pfSense vs JunOS

2012-07-04 Thread Tonix (Antonio Nati)

On 04/07/2012 16:21, Sean Cavanaugh wrote:


For a full explanation you have to understand how the filtering process occurs
in its entirety


SOURCE -> INPUT Interface -> INPUT rule set -> CPU-based routing rule set
-> OUTPUT rule set -> OUTPUT Interface -> DESTINATION


The CPU based routing rule set is the area where the firewall is determining
what interface to send the data out of. Even if you only have a 2 interface
firewall, it will still have to evaluate where it has to go because it
technically can go out either interface. People do use NAT reflection to
send data from inside their networks to the firewall and bounce it back
inside. Because of this they take a bit of processing power to calculate as
they have to be reviewed by pretty much every rule on the box per state.

The interface rule sets are the most simple rules. Either traffic is allowed
or not. They take very little processing power to accomplish. They act as a
simple bouncer at a night club.

It is because of this imbalance that it is preferred to do filtering as low
as possible. For a very simplistic example, let's go for extremely inflated
numbers. Let's say it takes 1% of the CPU to handle interface rules and
takes 5% of the CPU for routing rules.
If we went for pure routing based rules, we could only run 20 states before
we are at 100% utilization and start running into contention, whereas if we
went for interface rules, we could run 100 states before we hit 100%.

The problem with running rule sets on the OUTPUT interface is that you MUST
then use up the routing rule set resources, meaning you would run into the
same 20 state limit, even for streams that would hit the OUTPUT interface
and be blocked. You would then literally be wasting resources to do nothing.

This is why it is preferred to make rules based on INPUT as they will use as
little resources of the firewall as possible. There are times when people
have no choice but to put rules on the OUTPUT interface but that should be
an absolute last resort as it will cost resources.

Would you rather buy a soda for a dollar or run it thru exchange rates and
end up paying 5 dollars for a soda? It's your call. Sometimes you're THAT
thirsty.


Thanks for the detailed explanation, but...

There is something I don't understand. Your considerations are based on 
having three different steps: INPUT, routing, OUTPUT.


This is possible only if you can execute PF on INPUT interfaces, then 
execute routing code, then execute again PF for OUTPUT interfaces.


Looking at the PF (Packet Filter) manuals, I do not see any kind of 
call/ioctl like "examine only INPUT INTERFACE" or any possibility to 
execute PF code on only a part of the filter rules.


PF manual says PF evaluates every rule found in pf.conf, and does not 
mention any possibility to execute only a part of rules.


So, it looks like INPUT and/or OUTPUT interfaces are evaluated at the same 
stage, probably after routing (which is not part of PF).


Please let me understand better.

Regards,

Tonino




-Sean



Re: [pfSense] pfSense vs JunOS

2012-07-04 Thread Tonix (Antonio Nati)

On 04/07/2012 15:41, Giles Coochey wrote:

On 04/07/2012 11:06, Tonix (Antonio Nati) wrote:

On 04/07/2012 11:44, Ermal Luçi wrote:

On Wed, Jul 4, 2012 at 10:44 AM, Tonix (Antonio Nati)
to...@interazioni.it wrote:

On 02/07/2012 15:51, Jim Pingle wrote:


On 7/2/2012 9:38 AM, Tonix (Antonio Nati) wrote:

Too much confusion in keeping filters tables,

Switching how the entire firewall operates is also very confusing and
not likely to do what people expect -- floating rules would be much
easier to understand than you expect (if the list were cleaned up 
a bit)



and no possibility to let a user manage his/her interface.

That's not even possible now, and would be just as difficult/easy to
implement on the floating tab as any other. (If a user can only see
interface X, only show the rules for interface X, done.)


Would it be possible to have a technical answer about using OUTPUT
interface rules instead of INPUT interface rules?
What should change dramatically inside pfSense, and is there any real
security reason for not doing that?

As far as I can see of PF filtering, both INPUT and OUTPUT interface rules
would be evaluated in the same place.


The definition of "same place" is not correct here.
While it's true that all rules are in the same place (data structure),
on stateful firewalls they get evaluated only once; that is why it is
not considered to split them out.
Also there are optimizations that make this not a factor at all in
evaluation of the ruleset.
Certainly it is recommended to kill mosquitoes before they come to 
you :)


Though it's mostly for performance reasons, because the packets then will
consume too much CPU and open the possibility of DoS.
Although there is the other reason of buffer overflows and exploits.
Wrongly crafted packets might crash your host or even make it
vulnerable to exploits, while with filtering on inbound you reduce this
risk
by at least making sure of the sanity of network metadata (packet headers,
IPs, etc).


Sorry, but you did not answer my question. Your comments are general 
security comments but do not answer the central question.


Once you have an incoming connection (first time), let's say from 
INT X to INT Y, dest IP Z, dest port P, will these alternative rules 
be evaluated at the same moment or not?


- Evaluate INPUT on INT X, dest IP Z, dest port P
- Evaluate OUTPUT on INT Y, dest IP Z, dest port P

If the answer is YES, there is no added security risk in preferring 
filtering rules on the OUTPUT interface. Both INPUT and OUTPUT have the same 
risks.


If the answer is NO, please explain where and why INPUT and OUTPUT 
are evaluated in different phases.


Regards,

Tonino




My firewall has four interfaces.

A packet arrives on one interface

At this stage it is impossible for the firewall to apply a rule based 
on the outbound interface, because which interface that is has not been 
evaluated yet. It is not until the packet is processed that the 
outbound interface is determined.
It is, however, able to make a decision on rules applied on the INBOUND 
interface, because that is a known fact.


Simples.

As a general rule, best practices state that if you are going to drop 
/ filter packets on your network, do so as close to the source as 
possible. This applies within systems as well as on the wire.


I'd say NOT - INPUT is evaluated upon Input, OUTPUT is evaluated upon 
Output - my guess as the reason they decided to call them INPUT and 
OUTPUT.


Your theory is perfect, and I agree totally with you. But reading the PF 
manuals gave me a different vision of how PF acts.

Are you sure PF acts exactly like you are explaining?

Regards,

Tonino








--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] pfSense vs JunOS

2012-07-02 Thread Tonix (Antonio Nati)

On 02/07/2012 14:29, tibz wrote:

On 1/7/2012 5:47 PM, Eugen Leitl wrote:

Are there any JunOS features you consider killer that
are not in pfSense 2.1? What would be these features?

Thanks.


A couple of features that pfSense is lacking in my opinion (not only 
compared to SRX/JunOS though):


- Zone-based FW, to replace the current incoming-interface based 
system. Or to get the choice between both at the beginning.
This is mainly to ease the maintenance. Say I've 8 interfaces/vlans, 
and 1 is a guest that should only get Internet access. Then I've to 
create 7 drop rules on this interface ("to int1_subnet: block", 
"to int2_subnet: block", etc.) until I can safely have a "to any: 
pass" rule. I can perhaps work around this by putting some rules in the 
floating tab, but if I start using it, I must keep in mind that for 
any interface, there might also be rules for it in the floating tab.


I've suggested (both for pfSense and Monowall) to give the possibility 
to invert the filtering directions.


In complex environments, it would be a lot more useful to apply filters 
to outgoing interfaces (instead of incoming interfaces).
In this way you write only one statement and only for the interface 
which is managing the output zone.


If this basic system setting (apply filters to incoming or outgoing 
interfaces) could be modified, I'm sure all ISPs will apply filters to 
outgoing interfaces.


With output filters, interface management could also be allowed per 
user, as it would not interfere with other interfaces.


Tonino




- Better logging: I believe it has been discussed numerous times and 
I might have not found the final answer on why it's not possible to 
log locally. If you run the nano version on a flash card, OK. But if 
you run it on a traditional hard drive, I see no reason why you could 
not keep more logs on the box, with rotation every day/week and 
have a search module. (I'm not talking about best practice to export 
logs, etc, just technically, why couldn't we do local?)


- Integrate packages: while the package system is a good idea to get 
extra functionalities, I'm always hesitating whether to use it or 
not. There are several reasons, like the fact that many packages are 
marked as ALPHA/BETA (which should mean not production proof), or the 
fact that they are not maintained by pfSense's people (which means 
they could [I'm only guessing here] be broken during an upgrade, or 
commercial support won't cover issues you get with extra packages 
[guessing again]). That's why having the most used (e.g. Squid/Snort) 
integrated right into pfSense would be more comfortable.


- Identity-based FW, to have in addition to the source IP, the source 
User/Group. There are several ways to implement this, agent-based or 
agentless, transparent or explicit. The final objective is of course 
to get it working in a Windows Active Directory domain.
- Real application awareness. I know there are some L7 capabilities 
under Traffic Shaper (btw I wonder why it's located there), but as 
far as I've seen, it's quite limited and it allows only to block (when 
it works) and not to allow.
 These 2 are big must-haves in today's firewalling (it's not my 
personal opinion, it's just a fact) so I believe pfSense must 
definitely get into it.


And what has been said (CLI, commit, ...) in the other answers as well.

Apart from that, pfSense is a great piece of software with a rich 
set of features and is clearly the best free/open-source FW appliance 
I've used/tested by now.


Keep up the good work.





--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] pfSense vs JunOS

2012-07-02 Thread Tonix (Antonio Nati)

On 02/07/2012 15:00, Giles Coochey wrote:

On 02/07/2012 13:41, Tonix (Antonio Nati) wrote:


I've suggested (both for pfSense and Monowall) to give the 
possibility to invert the filtering directions.


In complex environments, it would be a lot more useful to apply 
filters to outgoing interfaces (instead of incoming interfaces).
In this way you write only one statement and only for the interface 
which is managing the output zone.


If this basic system setting (apply filters to incoming or outgoing 
interfaces) could be modified, I'm sure all ISPs will apply filters to 
outgoing interfaces.


With output filters, interface management could also be allowed per 
user, as it would not interfere with other interfaces.
In some environments this might cause a performance issue and perhaps 
be easier to DoS


In an outbound filtering scenario:

If you think about it, the firewall looks at the packet, processes it 
(NATs & routes it appropriately etc...) then when it goes to transmit 
the packet only then does it check the outbound ruleset and makes the 
decision to drop the packet - but it already wasted quite a few CPU 
loops before deciding to drop the packet.


In an inbound filtering scenario the packet is dropped or accepted 
prior to any of routing, NAT etc... and a lot fewer CPU instructions 
are wasted.


Just a thought?



I would not be so sure about that.

When I had an inside look at PF, some years ago, I had the perception 
filters are evaluated all together in the same place, whether they are 
incoming or outgoing.  You can even mix incoming and outgoing interfaces 
in the filter flow you design.


As far as I remember PF does let you specify the INPUT or OUTPUT interface, 
but not INPUT and OUTPUT.


Tonino








--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] pfSense vs JunOS

2012-07-02 Thread Tonix (Antonio Nati)

On 02/07/2012 15:32, Jim Pingle wrote:

On 7/2/2012 8:41 AM, Tonix (Antonio Nati) wrote:

I've suggested (both for pfSense and Monowall) to give the possibility
to invert the filtering directions.

Which you can do on floating rules. You can make floating rules in the
'out' direction. No need to alter the rest of the interface or make any
sweeping changes, just put your rules on the floating tab.


Too much confusion in keeping filter tables, and no possibility to let 
a user manage his/her interface.


Tonino



Jim




--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] pfSense vs JunOS

2012-07-02 Thread Tonix (Antonio Nati)

On 02/07/2012 15:51, Giles Coochey wrote:

On 02/07/2012 14:37, Tonix (Antonio Nati) wrote:


I would not be so sure about that.

When I had an inside look at PF, some years ago, I had the 
perception filters are evaluated all together in the same place, 
whether they are incoming or outgoing.  You can even mix incoming and 
outgoing interfaces in the filter flow you design.


As far as I remember PF does let you specify the INPUT or OUTPUT 
interface, but not INPUT and OUTPUT.


That would be some feat indeed... the output interface isn't known 
until the packet has been routed. :-)


It would be nice to know how pfSense acts now on that.
Anyway, I don't feel DoS can be a problem, since the connection could be 
saturated much before the CPU on most connections.


Regards,

Tonino


--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net





--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it




[pfSense] CISCO VPN CLIENT 5.0.07.0410 CONNECTION TO PFSENSE 2.0.1

2012-05-15 Thread Antonio Cortes Alhambra (INCATEL)
Has someone found the right combination of parameter settings to
achieve the connection from a CISCO VPN CLIENT 5.0.07.0410 to pfSense 2.0.1?


Thanks




Re: [pfSense] pfsense on sun v100 server

2012-05-10 Thread Tonix (Antonio Nati)

OpenBSD has some advantages in this case, if I remember correctly.

CARP works without sacrificing useless IPs, so you can use only one IP 
instead of three for each pair of redundant interfaces coupled together.


Tonino


On 10/05/2012 22:45, Hugo Heykers wrote:

On 10-05-12 22:09, Tim Nelson wrote:

- Original Message -

I was not aware of the fact that OpenBSD runs natively on Sun servers
with SPARC architecture.
It's because I bought the V100 a few months ago, so that's why I would
like to integrate it, ... and with OpenBSD - of course - there are quite a few
possibilities.

Last I checked[1], FreeBSD (base OS of pfSense) ran on the V100's as well. Just 
another option for you to consider.

--Tim

[1]http://www.freebsd.org/relnotes/CURRENT/hardware/article.html#PROC-SPARC64

Thanks Tim, I'm gonna look up the differences between FreeBSD 
and OpenBSD...


--
Hugo Heykers
Jozef Stormsstraat 10
2660 Hoboken
+32485108699
skype: hugoh1961





--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] Recommended DynDns Service for PFsense

2012-04-04 Thread Antonio Cortes Alhambra (INCATEL)
Anyway, if you only use DynDNS the service will continue to be free

 

Sincerely,

Antonio Cortés Alhambra

 

 

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of David Miller
Sent: Wednesday, April 04, 2012 2:31 PM
To: pfSense support and discussion
Subject: Re: [pfSense] Recommended DynDns Service for PFsense

 

That's not exactly true.  Below is from their website.

 

When the trial ends

After the 14 day trial, you will be charged our low yearly fee of just $20 a
year (or sign up for five years and get 10% off!) to keep your DynDNS Pro
service. Only valid major credit cards (not PayPal) are accepted for DynDNS
Pro trials.

Decide you no longer want the DynDNS Pro trial? Just cancel your DynDNS Pro
trial within 14 days and you will not be charged. You may keep one hostname
free of charge for trying out the DynDNS Pro trial.

 

--
David




On Wed, Apr 4, 2012 at 11:28 AM, Paul Mather p...@gromit.dlib.vt.edu
wrote:

On Apr 4, 2012, at 10:25 AM, David Miller wrote:





Dyn.com's free service has been working well for me for years.
--
David

On Wed, Apr 4, 2012 at 9:16 AM, Gavin Will gavin.w...@exterity.com wrote:

Hi there,

Can people please give me their experience / recommendations with regards to
a 3rd party DynDNS service that will work with PFsense.

 

 

I believe Dyn.com no longer offers creation of new free hostnames.  Existing
free users are grandfathered in, but they're not allowing any new free hosts
to be created.  Furthermore, if I'm reading correctly the e-mails they sent
me, if you let your existing free hostname lapse, you won't be able to
resurrect it---you'll have to roll over to their paid service.

 

Cheers,

 

Paul.

 



 



[pfSense] PFSENSE 2.01 NAT TUNNELING FOR PASIVE FTP

2012-04-04 Thread Antonio Cortes Alhambra (INCATEL)
Dear friends:

 

Last week I replaced my old pfSense 1.2.3 with new hardware running pfSense
2.0.1.

I made a new configuration similar to the previous firewall, same WAN IP
and LAN IP as the old one.
I have an FTP server on the LAN, which meets active and
passive requirements.
In pfSense 2.0.1 I proceeded to do what I did earlier in 1.2.3, i.e.
configure a NAT tunnel (port forward) to port 21, and automatically create the
associated rule to allow traffic.


To connect from the Internet in passive mode, with pfSense 1.2.3 it works
perfectly; however, with pfSense 2.0.1 there is no response to an ls or dir
command, and I cannot transfer files.
What is the difference? What other settings must be configured manually in
version 2.0.1?

 

thanks

 

Sincerely,

Antonio Cortés Alhambra

 

 



Re: [pfSense] IPSec Tunnel Negotiation?

2012-04-03 Thread Antonio Cortes Alhambra (INCATEL)
What is your (and your peer's) Key Life Time Limit in phase 1 and phase 2?

Sincerely,
Antonio Cortés Alhambra

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Adam Piasecki
Sent: Tuesday, April 03, 2012 11:11 AM
To: pfSense support and discussion
Subject: [pfSense] IPSec Tunnel Negotiation?

The IPSec Tunnel works great, but I was wondering about the following 
message. Seems to be happening every hour or so.  Just wondering if it 
has any negative effects (tunnel dropping, dropped packets, etc.)

Apr 3 07:54:43 racoon: []: INFO: ISAKMP-SA established 
1.1.1.1[500]-1.1.1.1[500] spi:aaf2be14269bf3c9:3429812c9d3a2775
Apr 3 07:54:43 racoon: []: INFO: respond new phase 1 
negotiation: 1.1.1.1[500]=1.1.1.1[500]
Apr 3 07:18:42 racoon: []: INFO: ISAKMP-SA deleted 
1.1.1.1[500]-1.1.1.1[500] spi:fcdef781c8f072a2:d572f427235b4d7d
Apr 3 07:18:42 racoon: []: INFO: ISAKMP-SA expired 
1.1.1.1[500]-1.1.1.1[500] spi:fcdef781c8f072a2:d572f427235b4d7d

-- 
Adam M Piasecki
MidAtlanticBroadband
Office: 410-727-8250 x 123
Cell: 940-224-4837
Fax: 410-727-8245



Re: [pfSense] IPSec Tunnel Negotiation?

2012-04-03 Thread Antonio Cortes Alhambra (INCATEL)
Yes, but both peers must have the same lifetimes.

Check DPD too:

Dead Peer Detection: Enable 

Delay between requesting peer acknowledgement: 10 Seconds

Number of consecutive failures allowed before disconnect: 5 retries

These are good values for both peers.

Sincerely,
Antonio Cortés Alhambra



-Original Message-
From: Adam Piasecki [mailto:apiase...@midatlanticbb.com] 
Sent: Tuesday, April 03, 2012 12:05 PM
To: antonio.cor...@incatel.cl; pfSense support and discussion
Subject: Re: [pfSense] IPSec Tunnel Negotiation?

Okay, I will. Is this having the effect of dropping the tunnel? I never 
catch it when it's down, so I don't know.

Adam

On 4/3/2012 10:59 AM, Antonio Cortes Alhambra (INCATEL) wrote:
 Swap these lifetimes

 Phase 1 - 28800 seconds

 Phase 2 - 3600 seconds

 Phase 1 lifetime must be greater than phase 2 lifetime.

 These values are ok
 :)

 Regards

 Sincerely,
 Antonio Cortés Alhambra



 -Original Message-
 From: Adam Piasecki [mailto:apiase...@midatlanticbb.com]
 Sent: Tuesday, April 03, 2012 11:43 AM
 To: antonio.cor...@incatel.cl
 Cc: 'pfSense support and discussion'
 Subject: Re: [pfSense] IPSec Tunnel Negotiation?

 Phase 1 - 3600 seconds
 Phase 2 - 28800 seconds

 On 4/3/2012 10:37 AM, Antonio Cortes Alhambra (INCATEL) wrote:
 What is your (and your peer's) Key Life Time Limit in phase 1 and phase 2?
 Sincerely,
 Antonio Cortés Alhambra

 -Original Message-
 From: list-boun...@lists.pfsense.org
 [mailto:list-boun...@lists.pfsense.org]
 On Behalf Of Adam Piasecki
 Sent: Tuesday, April 03, 2012 11:11 AM
 To: pfSense support and discussion
 Subject: [pfSense] IPSec Tunnel Negotiation?

 The IPSec Tunnel works great, but I was wondering about the following
 message. Seems to be happening every hour or so.  Just wondering if it
 has any negative effects (tunnel dropping, dropped packets, etc.)

 Apr 3 07:54:43 racoon: []: INFO: ISAKMP-SA established
 1.1.1.1[500]-1.1.1.1[500] spi:aaf2be14269bf3c9:3429812c9d3a2775
 Apr 3 07:54:43 racoon: []: INFO: respond new phase 1
 negotiation: 1.1.1.1[500]=1.1.1.1[500]
 Apr 3 07:18:42 racoon: []: INFO: ISAKMP-SA deleted
 1.1.1.1[500]-1.1.1.1[500] spi:fcdef781c8f072a2:d572f427235b4d7d
 Apr 3 07:18:42 racoon: []: INFO: ISAKMP-SA expired
 1.1.1.1[500]-1.1.1.1[500] spi:fcdef781c8f072a2:d572f427235b4d7d




-- 
Adam M Piasecki
MidAtlanticBroadband
Office: 410-727-8250 x 123
Cell: 940-224-4837
Fax: 410-727-8245



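The racoon messages quoted in this thread can be checked mechanically rather than by eye. The following Python is an added example, not pfSense or racoon code and not anything a poster wrote: it parses ISAKMP-SA lines in the format quoted above, measures how long each phase 1 SA lived and how long the tunnel had no phase 1 SA between one expiring and the next being negotiated, and applies the lifetime rule of thumb from the thread (phase 1 longer than phase 2). The sample log, the RFC 5737 peer addresses and the year used for the timestamps are constructed assumptions.

```python
"""Analyse racoon ISAKMP-SA log lines: SA lifetimes, rekey gaps, lifetime sanity.

Added example for the IPsec thread above; it is not pfSense or racoon code.
The line format follows the racoon messages quoted in the thread.  The sample
log, the peer addresses and the lifetime values passed to the checks are
constructed for illustration.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One parsed event: (timestamp, event name, "initiator_spi:responder_spi")
Event = Tuple[datetime, str, str]

# Matches the ISAKMP-SA lines as quoted in the thread; other INFO lines
# (e.g. "respond new phase 1 negotiation") are deliberately not matched.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) racoon: .*?"
    r"INFO: ISAKMP-SA (?P<event>established|expired|deleted) .*?"
    r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)\s*$"
)

# Constructed sample modelled on the lines quoted above (addresses from RFC 5737).
SAMPLE_LOG = """\
Apr 3 06:18:41 racoon: []: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.2[500]
Apr 3 06:18:42 racoon: []: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.2[500] spi:fcdef781c8f072a2:d572f427235b4d7d
Apr 3 07:18:42 racoon: []: INFO: ISAKMP-SA expired 203.0.113.1[500]-198.51.100.2[500] spi:fcdef781c8f072a2:d572f427235b4d7d
Apr 3 07:18:42 racoon: []: INFO: ISAKMP-SA deleted 203.0.113.1[500]-198.51.100.2[500] spi:fcdef781c8f072a2:d572f427235b4d7d
Apr 3 07:54:43 racoon: []: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.2[500]
Apr 3 07:54:43 racoon: []: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.2[500] spi:aaf2be14269bf3c9:3429812c9d3a2775
"""


def parse_events(text: str, year: int = 2012) -> List[Event]:
    """Syslog lines carry no year, so the caller supplies one (assumed here)."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["spi"]))
    return sorted(events)


def sa_lifetimes(events: List[Event]) -> Dict[str, Optional[int]]:
    """Seconds each SA lived from 'established' to 'expired'/'deleted' (None if still up)."""
    start: Dict[str, datetime] = {}
    lifetime: Dict[str, Optional[int]] = {}
    for ts, event, spi in events:
        if event == "established":
            start[spi] = ts
            lifetime[spi] = None
        elif spi in start and lifetime.get(spi) is None:
            lifetime[spi] = int((ts - start[spi]).total_seconds())
    return lifetime


def rekey_gaps(events: List[Event]) -> List[int]:
    """Seconds with no phase 1 SA between one SA ending and the next coming up.

    A gap means the new SA was negotiated on demand rather than ahead of expiry;
    whether that hurts depends on whether traffic wanted the tunnel meanwhile.
    """
    active: set = set()
    last_end: Optional[datetime] = None
    gaps: List[int] = []
    for ts, event, spi in events:
        if event == "established":
            if not active and last_end is not None:
                gaps.append(int((ts - last_end).total_seconds()))
            active.add(spi)
        else:
            active.discard(spi)
            last_end = ts
    return gaps


def check_lifetimes(phase1_seconds: int, phase2_seconds: int) -> List[str]:
    """Rule of thumb from the thread: the phase 1 lifetime should exceed the phase 2 lifetime."""
    findings: List[str] = []
    if phase1_seconds <= phase2_seconds:
        findings.append(
            f"phase 1 lifetime {phase1_seconds}s is not greater than phase 2 lifetime "
            f"{phase2_seconds}s; adjust them, and set the same values on the peer"
        )
    return findings


def report(text: str, configured_phase1: int, year: int = 2012) -> Dict[str, object]:
    """Combine the parsed log with the configured phase 1 lifetime into one summary."""
    events = parse_events(text, year)
    lifetimes = sa_lifetimes(events)
    observed = [v for v in lifetimes.values() if v is not None]
    return {
        "lifetimes": lifetimes,
        "rekey_gaps": rekey_gaps(events),
        # An observed life equal to the configured value means the SA simply aged
        # out as configured rather than being torn down early (DPD, peer reset).
        "expired_as_configured": all(v == configured_phase1 for v in observed),
    }


if __name__ == "__main__":
    for finding in check_lifetimes(3600, 28800):
        print("config:", finding)
    print(report(SAMPLE_LOG, configured_phase1=3600))
```

On the constructed sample the first SA lives exactly 3600 s (the configured phase 1 lifetime from the thread) and the next one is only negotiated 2161 s later, which is the kind of fact worth knowing before deciding whether hourly renegotiation is a problem.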

Re: [pfSense] 'direction' of firewall rules for floating rules?

2011-12-15 Thread Tonix (Antonio Nati)
If you speak only about WAN and LAN, yes, but if you have other 
interfaces involved everything changes.


You could enable a service on OPT1, available to all existing 
interfaces.
So in this case, a floating rule would permit any 'OUT' connection to that 
service offered inside OPT1.


This permits you to avoid adding an incoming rule for every existing 
interface.


Tonino



On 15/12/2011 15:50, Seb wrote:
...or the WAN interface and 'out'?  Is that not the same as LAN 
interface and 'in'?  And if you are selecting all interfaces, then 
surely the direction would have no effect?  Because it would either 
match on the LAN side, or the WAN side...  Or am I just not getting 
what 'out' rules are for?


Kind regards,

Seb


*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Fuchs,
Martin martin.fuchs-at-trendchiller.com |pfSense/Allow + Forward
to Syntec|
*Sent:* 15 December 2011 13:30
*To:* s...@syntec.co.uk; pfSense support and discussion
*Subject:* Re: [pfSense] 'direction' of firewall rules for
floating rules?

Hi !

Yes, the direction has some relevance for the floating rules,
because when the direction  is wrong, the packets will not pass
the firewall...

When you want to allow a packet to pass the firewall from the LAN
side to the WAN side you have to select the LAN interface and as
direction you have to select in (from the view of the firewall)

Regards,

martin

*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Seb
*Sent:* Thursday, 15 December 2011 14:06
*To:* 'pfSense support and discussion'
*Subject:* [pfSense] 'direction' of firewall rules for floating rules?

Hi list,

Does the 'direction' of a firewall rule have any relevance for
floating rules?  I can't find any explanation for what direction
means in the docs, even when it applies to individual interfaces
(where I can see what it might mean), but for floating rules that
apply to all interfaces - I don't suppose it changes much? 
Perhaps just affects connections from the firewall itself if you

have it set to out but not in?

pfSense 2.0

Kind regards,

Seb






--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] 'direction' of firewall rules for floating rules?

2011-12-15 Thread Tonix (Antonio Nati)

Floating rules are useful for complex situations.

We requested several times the possibility to add a rule once, instead 
of repeating it for each interface.


If you have ten DMZs offering services, all services should be available 
to WAN and to all nine other DMZs, so you should add an incoming rule for each 
service and each interface.


With a floating rule you can write this rule once and apply it to all 
interfaces involved.


Regards,

Tonino


On 15/12/2011 17:56, Seb wrote:
So, Tonino, in your example you would select all interfaces except 
OPT1 in your rule, and also select OUT.  Correct?  Because if you also 
select OPT1, then OUT would mean an unnecessary hole in the firewall 
out from OPT1.  On the other hand, if you didn't care about a few 
extra small holes in the firewall like this, you could just select all 
interfaces (or none, which is the same for floating rules), and then 
either IN or OUT or ANY and it would still pass traffic.  Because it 
would either match the IN on the near interface, or it would match OUT 
on the far interface (or it would match ANY on both interfaces).  
Hence why I said it seems to have little relevance.  But I suppose one 
should care about those extra few small holes in the firewall and just 
select all interfaces except OPT1 and IN (Or OPT1 only and OUT)...  
Although in my case I have a destination IP anyway - so it will not 
create any extra holes.
Or am I still not getting what 'OUT' rules are for?  I've just created 
1 and it seems to work fine.
[A further option with your example, I guess would be to just select 
OPT1 and OUT.]

Yes, I understand the benefits of floating rules.

Kind regards,

Seb


*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Tonix
(Antonio Nati) tonix-at-interazioni.it
*Sent:* 15 December 2011 14:57
*To:* pfSense support and discussion
*Subject:* Re: [pfSense] 'direction' of firewall rules for
floating rules?

If you speak only about WAN and LAN, yes, but if you have other
interfaces involved everything changes.

You could enable a service on OPT1, available to all existing
interfaces.
So in this case, a floating rule would permit any 'OUT' connection
to that service offered inside OPT1.

This permits you to avoid adding an incoming rule for every
existing interface.

Tonino



On 15/12/2011 15:50, Seb wrote:

...or the WAN interface and 'out'?  Is that not the same as LAN
interface and 'in'?  And if you are selecting all interfaces,
then surely the direction would have no effect?  Because it would
either match on the LAN side, or the WAN side...  Or am I just
not getting what 'out' rules are for?

Kind regards,

Seb


*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Fuchs,
Martin martin.fuchs-at-trendchiller.com
*Sent:* 15 December 2011 13:30
*To:* pfSense support and discussion
*Subject:* Re: [pfSense] 'direction' of firewall rules for
floating rules?

Hi !

Yes, the direction has some relevance for the floating rules,
because when the direction  is wrong, the packets will not
pass the firewall...

When you want to allow a packet to pass the firewall from the
LAN side to the WAN side you have to select the LAN interface
and as direction you have to select in (from the view of
the firewall)

Regards,

martin

*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Seb
*Sent:* Thursday, 15 December 2011 14:06
*To:* 'pfSense support and discussion'
*Subject:* [pfSense] 'direction' of firewall rules for
floating rules?

Hi list,

Does the 'direction' of a firewall rule have any relevance
for floating rules?  I can't find any explanation for what
direction means in the docs, even when it applies to
individual interfaces (where I can see what it might mean),
but for floating rules that apply to all interfaces - I don't
suppose it changes much?  Perhaps just affects connections
from the firewall itself if you have it set to out but not in?

pfSense 2.0

Kind regards,

Seb






-- 


Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it

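The disagreement in the "pfSense vs JunOS" thread above (whether rules bound to the input and output interface are evaluated "in the same place") and the question in this thread about what a floating rule's direction means can both be shown with a small model. The following Python is an added example, not PF, pfSense or any poster's code: it simulates a first-match stateful filter in which inbound rules are evaluated when a packet arrives and outbound rules only after a route lookup has chosen the egress interface, and counts the work done on each path. The interface names, subnets, traffic and work counters are constructed; `iface=None` stands in for a floating rule that applies on any interface, and the defaults (inbound block, outbound pass) mirror a box with no outbound filtering configured.

```python
"""Toy model of 'in' versus 'out' rule evaluation in a stateful packet filter.

Added example for the threads above; it is not PF or pfSense code.  It models
the claim made in the discussion: a rule bound to the inbound interface can be
evaluated as soon as a packet arrives, while a rule bound to the outbound
interface can only be evaluated after the route lookup has chosen an egress
interface.  Interface names, subnets, traffic and work counters are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str                      # interface the packet arrived on (always known)


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    iface: Optional[str] = None     # None = any interface (a "floating" rule)
    src_net: Optional[str] = None
    dst_net: Optional[str] = None

    def matches(self, pkt: Packet, iface: str) -> bool:
        if self.iface is not None and self.iface != iface:
            return False
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


class Firewall:
    """First matching rule wins, as on a pfSense rules tab (rules are 'quick')."""

    def __init__(self, rules, routes, default_in="block", default_out="pass"):
        self.rules = list(rules)
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}
        self.default = {"in": default_in, "out": default_out}
        self.states = set()
        self.work = {"in_eval": 0, "route": 0, "out_eval": 0}

    def route(self, dst: str) -> Optional[str]:
        """Longest-prefix match; this step is what decides the egress interface."""
        self.work["route"] += 1
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, iface) for net, iface in self.routes.items() if addr in net]
        return max(hits)[1] if hits else None

    def decide(self, pkt: Packet, direction: str, iface: str) -> str:
        self.work[f"{direction}_eval"] += 1
        for r in self.rules:
            if r.direction == direction and r.matches(pkt, iface):
                return r.action
        return self.default[direction]

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.states:
            return "pass (state)"           # established flows skip the rule set
        if self.decide(pkt, "in", pkt.in_if) == "block":
            return "block (in)"             # dropped before any routing work
        out_if = self.route(pkt.dst)
        if out_if is None:
            return "block (no route)"
        if self.decide(pkt, "out", out_if) == "block":
            return "block (out)"            # dropped only after routing was paid for
        self.states.add(key)
        return f"pass -> {out_if}"


# Constructed topology: a guest network that should only reach the Internet.
ROUTES = {"10.0.1.0/24": "LAN", "10.0.2.0/24": "DMZ",
          "192.168.50.0/24": "GUEST", "0.0.0.0/0": "WAN"}
GUEST_NET = "192.168.50.0/24"
TRAFFIC = [
    Packet("192.168.50.10", "10.0.1.5", 445, "GUEST"),     # guest -> LAN, must be blocked
    Packet("192.168.50.10", "10.0.2.8", 80, "GUEST"),      # guest -> DMZ, must be blocked
    Packet("192.168.50.10", "203.0.113.7", 443, "GUEST"),  # guest -> Internet, allowed
]

# Variant A: filter on the inbound interface (the style the thread calls INPUT).
INBOUND_RULES = [
    Rule("block", "in", "GUEST", dst_net="10.0.1.0/24"),
    Rule("block", "in", "GUEST", dst_net="10.0.2.0/24"),
    Rule("pass", "in", "GUEST"),
]

# Variant B: admit everything on GUEST, filter on the outbound interfaces (OUTPUT).
OUTBOUND_RULES = [
    Rule("pass", "in", "GUEST"),
    Rule("block", "out", "LAN", src_net=GUEST_NET),
    Rule("block", "out", "DMZ", src_net=GUEST_NET),
]


def run(rules) -> Tuple[List[str], Dict[str, int]]:
    """Push the sample traffic through a fresh firewall; return verdicts and work done."""
    fw = Firewall(rules, ROUTES)
    return [fw.process(p) for p in TRAFFIC], fw.work


if __name__ == "__main__":
    for name, rules in (("inbound", INBOUND_RULES), ("outbound", OUTBOUND_RULES)):
        print(name, *run(rules))
```

Both variants reach the same verdicts for the sample traffic, but the outbound variant performs a route lookup and a second rule pass for every packet, including the two that end up dropped, which is the cost argument made by Sean, Ermal and Giles in the thread.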
Re: [pfSense] 'direction' of firewall rules for floating rules?

2011-12-15 Thread Tonix (Antonio Nati)

Forgot to add.

Small holes (like one interface of ten to be excluded) can be handled by 
putting a deny rule for that specific interface, just before the general 
rule, as usual.


Regards,

Tonino



On 15/12/2011 18:09, Tonix (Antonio Nati) wrote:

Floating rules are useful for complex situations.

We requested several times the possibility to add a rule once, instead 
of repeating it for each interface.


If you have ten DMZs offering services, all services should be 
available to WAN and to all nine other DMZs, so you should add an incoming 
rule for each service and each interface.


With a floating rule you can write this rule once and apply it to all 
interfaces involved.


Regards,

Tonino


On 15/12/2011 17:56, Seb wrote:
So, Tonino, in your example you would select all interfaces except 
OPT1 in your rule, and also select OUT.  Correct?  Because if you 
also select OPT1, then OUT would mean an unnecessary hole in the 
firewall out from OPT1.  On the other hand, if you didn't care about 
a few extra small holes in the firewall like this, you could just 
select all interfaces (or none, which is the same for floating 
rules), and then either IN or OUT or ANY and it would still pass 
traffic.  Because it would either match the IN on the near interface, 
or it would match OUT on the far interface (or it would match ANY on 
both interfaces).  Hence why I said it seems to have little 
relevance.  But I suppose one should care about those extra few small 
holes in the firewall and just select all interfaces except OPT1 and 
IN (Or OPT1 only and OUT)...  Although in my case I have a 
destination IP anyway - so it will not create any extra holes.
Or am I still not getting what 'OUT' rules are for?  I've just 
created 1 and it seems to work fine.
[A further option with your example, I guess would be to just select 
OPT1 and OUT.]

Yes, I understand the benefits of floating rules.

Kind regards,

Seb


*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Tonix
(Antonio Nati) tonix-at-interazioni.it
*Sent:* 15 December 2011 14:57
*To:* pfSense support and discussion
*Subject:* Re: [pfSense] 'direction' of firewall rules for
floating rules?

If you speak only about WAN and LAN, yes, but if you have other
interfaces involved everything changes.

You could enable a service on OPT1, available to all existing
interfaces.
So in this case, a floating rule would permit any 'OUT' connection
to that service offered inside OPT1.

This permits you to avoid adding an incoming rule for every
existing interface.

Tonino



On 15/12/2011 15:50, Seb wrote:

...or the WAN interface and 'out'?  Is that not the same as LAN
interface and 'in'?  And if you are selecting all interfaces,
then surely the direction would have no effect?  Because it
would either match on the LAN side, or the WAN side...  Or am I
just not getting what 'out' rules are for?

Kind regards,

Seb


*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of
*Fuchs, Martin martin.fuchs-at-trendchiller.com
*Sent:* 15 December 2011 13:30
*To:* pfSense support and discussion
*Subject:* Re: [pfSense] 'direction' of firewall rules for
floating rules?

Hi !

Yes, the direction has some relevance for the floating
rules, because when the direction  is wrong, the packets
will not pass the firewall...

When you want to allow a packet to pass the firewall from
the LAN side to the WAN side you have to select the LAN
interface and as direction you have to select in (from the
view of the firewall)

Regards,

martin

*From:* list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Seb
*Sent:* Thursday, 15 December 2011 14:06
*To:* 'pfSense support and discussion'
*Subject:* [pfSense] 'direction' of firewall rules for
floating rules?

Hi list,

Does the 'direction' of a firewall rule have any relevance
for floating rules?  I can't find any explanation for what
direction means in the docs, even when it applies to
individual interfaces (where I can see what it might mean),
but for floating rules that apply to all interfaces - I
don't suppose it changes much?  Perhaps just affects
connections from the firewall itself if you have it set to
out but not in?

pfSense 2.0

Kind regards,

Seb




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Tonix (Antonio Nati)

On 21/09/2011 14:05, Chris Buechler wrote:

On Wed, Sep 21, 2011 at 7:55 AM, Tonix (Antonio Nati)
to...@interazioni.it  wrote:

I think you should examine how CARP works on your routers and how it works
in pfSense.

In pre-2.0 versions, pfSense CARP has a (fixed) different zone for each
interface, so if an interface goes down it switches only that interface, and
traffic bound to that interface becomes unreachable.
It is useful only if a machine goes down, not if an interface goes down.

If you actually switch all interfaces when one goes down, you can't do that on
pfSense.

That's not true and has never been true; the behavior of all versions is
to switch over all CARP IPs if any NIC on the primary can no longer
communicate with the secondary. You have something wrong on your
setup, or have intentionally disabled that via a manual hack, if
that's what yours does.


We did several checks before putting it in production.
pfSense 1.2.3, no hack, only web setup.
The setup forced us to give a different vhid to each VIP, and we saw the vhids are 
completely independent.


We will check it again as we decommission it.

Regards,

Tonino






--

Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it  to...@interazioni.it

