Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

2018-05-24 Thread Chris L
On May 23, 2018, at 10:57 AM, Chuck Mariotti  wrote:
> 
> We've run into a data overage situation at a datacenter... We get charged a 
> premium per GB over 500GB (yes I know, stupid). Their reporting system seems 
> to indicate significantly less data usage vs pfSense's RRD reporting... 
> their billing system seems to be indicating overage similar to their 
> reporting... Uploads seem to be growing significantly. Any idea why the 
> pfSense box seems to be counting differently than the datacenter's metrics? 
> We need to track down where this usage is happening, but I know users have 
> only grown ~5% over that same period of time.
> 
> Here are stats for each month:
> 
> Month           Datacenter (Upload/Download)   pfSense RRD (Upload/Download)
> January         618.95GB/76.01GB               1372.41GiB/148.91GiB
> February        365.25GB/47.15GB               1388.65GiB/149.60GiB
> March           799.92GB/79.81GB               1697.71GiB/152.24GiB
> April           801.67GB/105.01GB              1706.53GiB/200.86GiB
> May (to 23rd)   581.57GB/76.26GB               1177.95GiB/139.55GiB
> 
> 
> Any suggestions how or why there is a mismatch?
> 

What version of pfSense? I recall there was an issue with counting double. With 
the exception of your Feb numbers those are all very close to double.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
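Before chasing a double-count, the two reports above have to be put in the same unit: the RRD column is in GiB (binary), the provider column in GB (decimal), and the thread compares them as if they were equal. The following is an added example, not part of the thread and not pfSense's RRD code; it takes the numbers quoted above, converts the RRD side to decimal GB and flags the months where both directions sit near 2x, which is the signature of the same bytes being counted twice (for instance on two interfaces, or once in each direction on a bridge).

```python
# Added example (not from the mailing-list thread): normalise the two
# byte-count reports to the same unit, then look at the per-month ratio.
# The figures are the ones quoted in the thread; pfSense RRD reports GiB,
# the provider reports GB, so the units are reconciled before comparing.

GIB_TO_GB = 1024 ** 3 / 1000 ** 3  # 1 GiB = 1.073741824 GB

# (month, provider up GB, provider down GB, RRD up GiB, RRD down GiB)
MONTHS = [
    ("January",       618.95,  76.01, 1372.41, 148.91),
    ("February",      365.25,  47.15, 1388.65, 149.60),
    ("March",         799.92,  79.81, 1697.71, 152.24),
    ("April",         801.67, 105.01, 1706.53, 200.86),
    ("May (to 23rd)", 581.57,  76.26, 1177.95, 139.55),
]


def gib_to_gb(gib):
    """Convert binary gibibytes to decimal gigabytes."""
    return gib * GIB_TO_GB


def ratios(months=MONTHS):
    """Return {month: (upload_ratio, download_ratio)} with both sides in GB.

    A ratio close to 2.0 in every month points at a systematic double
    count; a ratio that jumps around month to month points at a gap in
    one of the two measurements or a different billing window instead.
    """
    out = {}
    for name, p_up, p_down, r_up, r_down in months:
        out[name] = (round(gib_to_gb(r_up) / p_up, 2),
                     round(gib_to_gb(r_down) / p_down, 2))
    return out


def double_count_suspects(months=MONTHS, low=1.8, high=2.6):
    """Months whose upload AND download ratios both fall in the 'double' band."""
    return [m for m, (up, down) in ratios(months).items()
            if low <= up <= high and low <= down <= high]


if __name__ == "__main__":
    for month, (up, down) in ratios().items():
        print(f"{month:14s} upload x{up:.2f}  download x{down:.2f}")
    print("double-count suspects:", double_count_suspects())
```

Run as-is it prints the ratio table; February stands out at roughly 4x upload, which is what Chris points at when he excludes it. The next thing to check on the box is which interface the RRD graph is taken from and whether the same traffic crosses two counted interfaces (a bridge or a VLAN parent plus its children, for example).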


Re: [pfSense] DNS configurazione under VPN

2018-05-13 Thread Chris L

> On May 13, 2018, at 11:39 AM, WebDawg  wrote:
> 
> "In any case, if you configure your DNS Resolver to use the LAN
> interface as outgoing interface, the DNS Resolver should use the same
> routing as your computer, VPN or not."
> 
> Can anyone confirm that this is true?  I never tested it, but it would
> be nice to get a confirm.  I had an issue, similar to what Antonio is
> trying to do, that required something like this in the past.

No. Unfortunately it is not true.

Traffic originating from the firewall itself is never policy routed.

In that case it is sourced from LAN address but it never actually arrives into 
LAN and is therefore not policy routed according to the rules there.

That configuration will, however, make that traffic interesting to IPsec as 
long as the source address and the DNS server are contained in a traffic 
selector (phase 2). It can also be routed across OpenVPN according to the 
routing table to a server on the other side of the VPN and, thanks to the LAN 
source address, the other side might be able to route back.

dnsmasq (the DNS forwarder) can be a little more flexible here since you can 
select a different source address for each domain override.

Really though, the best solution for policy routing DNS (and LDAP and RADIUS, 
etc) traffic is to tell the clients to use server(s) on the inside network 
(external to the firewall). That way any resolution queries that server has to 
do can be policy routed however you want just like any other traffic into LAN.
> 

> Also, are the firewall rules not ingress only? What would be the
> relationship between the DNS resolver being on an ingress interface
> instead of egress? How does it 'set itself up' on this interface?
> 
> On Mon, May 7, 2018 at 4:36 AM, Stephane Bouvard  wrote:
>> Hi,
>> 
>> Try this :
>> 
>> - Create a gateway group (System / Routing / Gateway Groups) with VPN
>> Gateway as Tier 1 and WAN Gateway as Tier 2
>> 
>> - Use this gateway group as outgoing gateway (in my config, i use a LAN
>> Firewall rule with the created gateway group, and i use LAN as outgoing
>> interface for my DNS Resolver).
>> 
>> In any case, if you configure your DNS Resolver to use the LAN interface as
>> outgoing interface, the DNS Resolver should use the same routing as your
>> computer, VPN or not.
>> 
>> 
>> 
>> 
>> On 07-05-18 at 01:09, Antonio wrote:
>>> 
>>> After messing around for much of the weekend and reading a bit here and
>>> there I have made one small step to achieving my goal. Basically, I am
>>> able to bind the DNS Resolver to the VPN interface by selecting it
>>> under "Outgoing Network Interfaces". Thus all traffic goes through the
>>> VPN tunnel, including DNS queries. In fact, when I go on dnsleaktest.com,
>>> I do not have any leaks and this is very positive.
>>> 
>>> The only problem is that when the VPN link fails, then I cannot resolve
>>> DNS queries anymore on my LAN devices. So, what I need to do now, is
>>> understand how I can achieve this automatically, i.e. when the VPN link
>>> comes up, it tells the DNS Resolver to route through the VPN tunnel;
>>> when the VPN link is down, it tells the DNS Resolver to route the DNS
>>> queries through the LAN interface. Any suggestions?
>> 
>> --
>> Best regards...
>> 
>> _  Want to focus on your core business?
>> (_'We manage and monitor your servers for you
>> ,_)Stéphane Bouvard   http://www.myown.eu
>> 

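To make the distinction in Chris's reply concrete: what pfSense's "Outgoing Network Interfaces" setting selects is a source address for unbound, while a policy-routing rule only ever sees packets that arrive on the interface it is attached to. The fragment below is an added example, not the thread's configuration and not the files pfSense generates; it is written in unbound.conf and pf.conf syntax, and the interface name em1, the LAN 192.168.1.0/24, the OpenVPN client interface ovpnc1 with gateway 10.8.0.1 and the inside resolver 192.168.1.53 are all assumptions.

```conf
# Added example, not from the thread and not pfSense's generated files.
# em1 = LAN 192.168.1.0/24 (firewall 192.168.1.1), ovpnc1/10.8.0.1 = the
# OpenVPN client tunnel, 192.168.1.53 = a resolver on the inside network.

# ---- unbound.conf: what "Outgoing Network Interfaces: LAN" boils down to
server:
    # Queries unbound sends upstream are sourced from the LAN address.
    # This picks a source address only. The next hop still comes from the
    # routing table, so with the default route on WAN the query leaves via
    # WAN, unless the tunnel owns the default route or an IPsec SPD covers
    # 192.168.1.1 -> resolver and grabs the packet before routing.
    outgoing-interface: 192.168.1.1

# ---- pf.conf: policy routing acts on packets RECEIVED on an interface
lan    = "em1"
vpn_gw = "(ovpnc1 10.8.0.1)"

# LAN clients talk to the inside resolver. Listed first so that the
# route-to rule below does not push LAN-to-LAN traffic into the tunnel.
pass in quick on $lan inet proto { tcp udp } from 192.168.1.0/24 to 192.168.1.53 port 53 keep state

# "Policy routing": only packets that come in on em1 can match this rule.
# unbound's own queries are generated on the firewall and never arrive on
# em1, so the rule cannot steer them, whatever source address they carry.
# The inside resolver's upstream queries DO arrive on em1, and are steered
# into the tunnel like any other LAN traffic, which is the point of the
# "put the resolver inside" advice in the reply.
pass in quick on $lan route-to $vpn_gw inet from 192.168.1.0/24 to any keep state
```

With this layout the VPN-down case Antonio asks about is handled by the gateway group Stephane mentions (the route-to target fails over to WAN), and the leak check on dnsleaktest.com is then testing the inside resolver's path rather than the firewall's.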

Re: [pfSense] Seeking local support/reseller

2018-04-02 Thread Chris L
On Apr 2, 2018, at 4:32 PM, Ryan Coleman  wrote:
> 
> Jim, Ivork, et al Rubicon Employees on this list…
> 
> My boss is looking for a regional support/reseller… is there a list of 
> authorized resellers and outside support providers? 

Might help if you told people where you are local to.

https://www.netgate.com/partners/locator.html

> 
> 
> Thanks!
> —
> Ryan C


Re: [pfSense] Limiters

2018-02-18 Thread Chris L


> On Feb 15, 2018, at 9:22 AM, user49b  wrote:
> 
> Hi
> 
> I currently have some limiters setup on my WiFi interface.
> I limit some IPs (192.168.2.105, 192.168.1.109,...) to only have 700 Kbit/s.
> 
> So every IP (device) has 700 Kbit/s.
> 
> I want to add a "global" limit on Wifi interface so the total subnet/network 
> can only have 3000 Kbit/s.
> Each IP (device) can only have 700 Kbit/s of the total 3000 Kbit/s limit.
> 
> I tried putting a "global" limit for the subnet / network before and/or 
> after all the IP devices with 700kbit/s under rules.
> This does not seem to work.
> 
> Is something like this possible, and if possible what am I doing wrong. Maybe 
> somewhere I can find documentation?

No, unfortunately you can do one or the other with limiters. You can set a 
total pipe of 3000Kb/sec then put a child underneath that masked by /32 to 
create a separate pipe for every host but you cannot additionally limit each of 
those to 700K. It does a pretty good job of not letting anyone monopolize with 
the traffic in that case. It might be worth a try. If you do that when not much 
is going on, the users can use the full 3000K.

Or you can set a top limiter of 700K with a mask of /32 which gives each host a 
700K pipe but no top limit.

You might try to combine the latter limiter configuration with a simple altq. 
You could make a simple PRIQ or perhaps CBQ with a 3000K bandwidth limit with 
just one child queue marked default (so you don’t have to worry about steering 
any traffic through it). That would prevent any transmission out that interface 
(downloads) of more than 3000K while the limiter would limit each host to 700K. 
You would have to use a different strategy to limit uploads if there was other 
traffic there you did not want to limit. Pretty sure you would need to use HFSC 
which can be daunting. Should not be too bad for something simple like that 
though. Looking though, CBQ is probably worth a look there. You can set 
separate bandwidth limits of child queues there too and it is much simpler than 
HFSC.


Re: [pfSense] Maximum CARP Addresses?

2018-02-15 Thread Chris L
On Feb 15, 2018, at 11:35 AM, ad^2  wrote:
> 
> Hello all,
> 
> I read in the forum (https://forum.pfsense.org/index.php?topic=109346.0)
> the 255 VHID limitation in CARP is no longer an issue in recent versions. I
> cannot find any documentation to support it.
> 
> I have a need to host a lot more than 255 virtual IP addresses.
> 
> Can someone confirm or deny this. If it's true point me to the
> documentation that states this. If not, is there a way around it?
> 
> Thanks in advance,
> 

jimp was referring to the requirement that a CARP VIP must be contained in the 
same subnet as the interface address. Removal of that requirement/limitation is 
what changed.

The VHID is 8 bits and you can’t use 0 so 1-255.

As discussed there, make IP Alias VIPs and assign them to CARP VIPs. They will 
go up and down with CARP MASTER/BACKUP status and will result in no additional 
multicast traffic per VIP. Try it, I think you'll like it.

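The budget that actually binds is the VHID, one per CARP VIP, so the way to carry far more than 255 addresses is exactly what the reply says: one CARP VIP per subnet and everything else as an IP alias riding on it. The planner below is an added example (not the thread's and not pfSense code) that lays a list of addresses out that way and refuses when the real limit is hit; the address lists in it are constructed.

```python
# Added example (not from the thread, not pfSense code): plan a large VIP
# set under the 8-bit VHID limit. One CARP VIP per subnet carries the
# MASTER/BACKUP state; every other address in that subnet is an IP alias
# bound to that CARP VIP, which adds no multicast advertisement of its own.
import ipaddress

VHID_MIN, VHID_MAX = 1, 255   # 8-bit field, 0 unusable: at most 255 CARP VIPs


def plan_vips(addresses, first_vhid=VHID_MIN):
    """Group addresses by subnet; the first address of each subnet becomes
    the CARP VIP, the rest become IP aliases whose parent is that CARP VIP.

    Returns a list of dicts: {"mode": "carp", "address", "vhid"} or
    {"mode": "ipalias", "address", "parent"}. Raises ValueError when more
    CARP VIPs are needed than VHIDs remain in [first_vhid, 255].
    VHIDs are allocated globally unique here; strictly they only need to be
    unique per L2 segment, so a per-interface counter would stretch further.
    """
    by_subnet = {}
    for a in addresses:
        iface = ipaddress.ip_interface(a)
        by_subnet.setdefault(iface.network, []).append(iface)

    needed, available = len(by_subnet), VHID_MAX - first_vhid + 1
    if needed > available:
        raise ValueError(f"{needed} subnets need {needed} VHIDs, "
                         f"only {available} available from {first_vhid}")

    plan, vhid = [], first_vhid
    for members in by_subnet.values():
        carp = members[0]
        plan.append({"mode": "carp", "address": str(carp), "vhid": vhid})
        for alias in members[1:]:
            plan.append({"mode": "ipalias", "address": str(alias),
                         "parent": str(carp)})
        vhid += 1
    return plan


def vhid_budget_ok(addresses, first_vhid=VHID_MIN):
    """True if plan_vips() would succeed for these addresses."""
    try:
        plan_vips(addresses, first_vhid)
    except ValueError:
        return False
    return True


def count_modes(plan):
    """(number of CARP VIPs, number of IP alias VIPs) in a plan."""
    carp = sum(1 for v in plan if v["mode"] == "carp")
    return carp, len(plan) - carp


if __name__ == "__main__":
    # Constructed input: 300 addresses in 198.18.0.0/22 plus two in 192.0.2.0/24.
    wanted = [f"198.18.{i // 256}.{i % 256}/22" for i in range(1, 301)]
    wanted += ["192.0.2.10/24", "192.0.2.11/24"]
    plan = plan_vips(wanted)
    print("CARP VIPs, IP alias VIPs:", count_modes(plan))   # 2 CARP, 300 aliases
    print("one subnet per VHID, 256 subnets fits?",
          vhid_budget_ok([f"10.{i}.0.1/24" for i in range(256)]))
```

The output of the plan maps one-to-one onto Firewall > Virtual IPs entries: the "carp" rows get a VHID and password, the "ipalias" rows select the CARP VIP as their interface. Outbound NAT and port forwards then reference the alias addresses directly.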

Re: [pfSense] 1:1 NAT - Packets not leaving WAN interface

2018-02-15 Thread Chris L


> On Feb 15, 2018, at 7:29 AM, ad^2  wrote:
> 
> Hello all,
> 
> Objective - Connect to services from the Internet hosted on an internal
> server assigned an RFC1918 address.
> 
> pfSense version 2.4.2-RELEASE-p1
> 
> I have followed the instructions listed here -
> https://doc.pfsense.org/index.php/1:1_NAT
> 
> [Setup]
> 
> Firewall > Rules > WAN
> protocol, source, port, destination, port, gateway, queue
> IPv4, *, *, 192.168.1.10, *, *, none,
> 
> Firewall > NAT > 1:1
> 
> Interface, External IP, Internal IP, Destination IP
> WAN, , 192.168.1.10, *
> 
> Problem: Packets returning from 192.168.1.10 stop at the 192.168.1 LAN side
> of the pfSense server never leaving the WAN side.
> 
> [TEST]
> 
> Internet Test Server initiates an SSH connection to the CARP VIP:  ssh
> 
> 
> Packet Trace:
> 
> [TCPDUMP on the 192.168.1.10 Server] - SYN, SYN ACK
> 
> 06:53:24.130161 IP .36896 > 192.168.1.10.22: Flags
> [S], seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939
> ecr 0,nop,wscale 7], length 0
> 06:53:24.130227 IP 192.168.1.10.22 > .36896: Flags
> [S.], seq 1752400391, ack 650597211, win 28960, options [mss 1460,sackOK,TS
> val 20074848 ecr 953815939,nop,wscale 7], length 0
> 
> [TCPDUMP on the pfSense Server LAN side (em2)] - SYN, SYN ACK
> 
> 06:53:25.351889 IP .36896 > 192.168.1.10.22: Flags
> [S], seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939
> ecr 0,nop,wscale 7], length 0
> 06:53:25.353085 IP 192.168.1.10.22 > .36896: Flags
> [S.], seq 1752400391, ack 650597211, win 28960, options [mss 1460,sackOK,TS
> val 20074848 ecr 953815939,nop,wscale 7], length 0
> 
> [TCPDUMP on the pfSense Server WAN side (em1)] - SYN
> 
> 06:53:25.351739 IP .36896 > .22: Flags [S],
> seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939 ecr
> 0,nop,wscale 7], length 0
> 
> Problem Note: Packets are not getting forwarded from the LAN interface out
> the WAN interface
> 

I’d want to see the same captures including MAC addresses.

Any firewall blocks logged on LAN there for TCP:SA from 192.168.1.10?

Is this HA or did you just decide to use a CARP VIP on the WAN for the 1:1?

Fairly comprehensive list of things to check here (Something like a captive 
portal active on LAN would look like that): 

  https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting


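The three captures in the question already contain the answer once they are lined up per hop: the SYN is rewritten correctly (VIP on WAN, 192.168.1.10 on LAN) and the SYN/ACK is seen on the server and on em2 but never on em1, so the reply is dropped inside the firewall between LAN ingress and WAN egress, which is what the port-forward troubleshooting page's checklist (blocked state, captive portal, asymmetric route) is for. The script below is an added example, not part of the thread, that does that lining-up over tcpdump-format lines; the sample lines are constructed to mirror the post with placeholder addresses (client 198.51.100.7, CARP VIP 203.0.113.10) because the original had its public addresses stripped. It is the same check to run for the port-forward question further down, with the capture taken on the interface the destination host sits on.

```python
# Added example, not part of the thread: walk the captures from the 1:1 NAT
# question hop by hop and report where the SYN/ACK vanishes. Sample lines
# are constructed in tcpdump's output format; 198.51.100.7 (client) and
# 203.0.113.10 (CARP VIP on WAN) stand in for the redacted public addresses.
import re

LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

CLIENT, VIP, SERVER = "198.51.100.7", "203.0.113.10", "192.168.1.10"

# Capture points in the order a reply from the server has to traverse them.
CAPTURE_ORDER = ["server", "lan em2", "wan em1"]

CAPTURES = {
    "server": [
        f"06:53:24.130161 IP {CLIENT}.36896 > {SERVER}.22: Flags [S], seq 650597210, win 29200, length 0",
        f"06:53:24.130227 IP {SERVER}.22 > {CLIENT}.36896: Flags [S.], seq 1752400391, ack 650597211, win 28960, length 0",
    ],
    "lan em2": [
        f"06:53:25.351889 IP {CLIENT}.36896 > {SERVER}.22: Flags [S], seq 650597210, win 29200, length 0",
        f"06:53:25.353085 IP {SERVER}.22 > {CLIENT}.36896: Flags [S.], seq 1752400391, ack 650597211, win 28960, length 0",
    ],
    "wan em1": [
        f"06:53:25.351739 IP {CLIENT}.36896 > {VIP}.22: Flags [S], seq 650597210, win 29200, length 0",
    ],
}


def parse(lines):
    """Yield (src, sport, dst, dport, flags) for every line tcpdump-shaped enough to parse."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def flags_by_point(captures, client=CLIENT, cport=36896):
    """Per capture point, the set of TCP flag strings seen for the client's flow.

    The 1:1 NAT rewrites the server-side address between WAN and LAN, so the
    flow is keyed on the client side only, which is identical on both sides.
    """
    seen = {}
    for point, lines in captures.items():
        seen[point] = {
            flags for src, sport, dst, dport, flags in parse(lines)
            if (src, sport) == (client, cport) or (dst, dport) == (client, cport)
        }
    return seen


def reply_lost_at(captures, order=CAPTURE_ORDER, reply="S."):
    """First capture point along `order` that lacks the reply flag although
    the previous point saw it; None if the reply makes it all the way out."""
    seen = flags_by_point(captures)
    for prev, nxt in zip(order, order[1:]):
        if reply in seen.get(prev, ()) and reply not in seen.get(nxt, ()):
            return nxt
    return None


def nat_translation_ok(captures, inside="lan em2", outside="wan em1"):
    """The inbound SYN must be addressed to the VIP on WAN and to the real
    server on LAN; anything else means the 1:1 rule is not being matched."""
    def syn_targets(point):
        return {dst for _, _, dst, _, flags in parse(captures[point]) if flags == "S"}
    return syn_targets(outside) == {VIP} and syn_targets(inside) == {SERVER}


if __name__ == "__main__":
    print("1:1 NAT rewrite of the SYN looks right:", nat_translation_ok(CAPTURES))
    print("SYN/ACK last seen before:", reply_lost_at(CAPTURES))   # wan em1
```

When the script names "wan em1", the next capture to take is on em2 with MAC addresses (tcpdump -e), as Chris asks: a SYN/ACK addressed to a MAC other than the firewall's means the server has a different default gateway and the reply is not even reaching pf, which is a different fix from a state or rule problem.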

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Chris L


> On Feb 11, 2018, at 1:29 PM, Marco <li...@homerow.info> wrote:
> 
> On Sun, 11 Feb 2018 20:46:41 +
> "Joseph L. Casale" <jcas...@activenetwerx.com> wrote:
> 
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
>> L Sent: Sunday, February 11, 2018 1:43 PM
>> To: pfSense Support and Discussion Mailing List
>> <list@lists.pfsense.org> Subject: Re: [pfSense] Port forwards don't
>> work on one machine
>> 
>>> What interface is that taken on? Take one on the interface the
>>> destination server is connected to (WLAN?) and test again. While
>>> you’re capturing also do another Diagnostics > Test Port from the
>>> local pfSense itself. Please include the capture of both events
>>> (from outside and using test port.)
>>> 
>>> It looks like the server is not responding.  
>> 
>> I'd also suggest running a capture on the destination, if it's
>> actually receiving traffic and/or sending it elsewhere (routing rule)
>> this will provide some insight.
> 
> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)
> 

Are the packets going out pfSense LAN? To what MAC/IP address?


Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Chris L


> On Feb 11, 2018, at 11:12 AM, Marco  wrote:
> 
> 6) Packet capture:
> 
>https://i.imgur.com/xT3qFXW.png

What interface is that taken on? Take one on the interface the destination 
server is connected to (WLAN?) and test again. While you’re capturing also do 
another Diagnostics > Test Port from the local pfSense itself. Please include 
the capture of both events (from outside and using test port.)

It looks like the server is not responding.


Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-10 Thread Chris L


> On Feb 9, 2018, at 5:25 AM, Mark Wiater  wrote:
> 
> 
> 
> On 2/9/2018 6:42 AM, Roland Giesler wrote:
>> Ok, I'll try again with real (fake) addresses to make it better understood.
>> 
>> WAN gateway: 197.212.127.194  (primary firewall interface), next hop
>> gateway 197.212.127.193
>> 
>> Phase1:
>> 
>> Interface: Virtual IP 41.22.123.70
>> 
>> Phase2:
>> 
>> Local address: address 192.168.110.130
>> Local NAT translation: address 41.22.123.70
>> 
>> Remote address: 196.210.117.67   (A public ip)
>> 
>> When phase1 and 2 are up and connected, I see no route for 196.210.117.67
>> in the routing table.
>> 
>> Doing a traceroute from 192.168.110.130, I get traffic leaving the network
>> via 197.212.127.193, not via 41.22.123.70.  This could be because
>> 41.22.123.70 is just a virtual address though, or what?  It may not be
>> meaningful after all.
>> 
>> In the firewall log I see:
>> Feb 8 18:07:40 ► IPsec 41.22.123.70:57914 196.210.117.67:12345 TCP:S
>> So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
>> but I'm not getting any response from the remote.
>> 
>> Is this wrong?  If so, what is right?  I cannot expose the LAN ip address
>> to the tunnel (192.168.110.130), I need to use the public IP...
>> 
>> thanks again
>> 
>> 
> 
> In my experience, one does not see routes in the routing table for IPSEC 
> based routes.
> 
> IPSEC tunneling, I believe, happens before any NATting might. This might be 
> why you're seeing your traffic exit the default gateway since it still 
> possesses its original IP addresses. I'm not sure what you are trying to 
> achieve is possible on the same device, unless you do some kind of NAT on the 
> incoming interface if that's possible.
> 
> Seeing actual configuration files might be helpful. So would the results of 
> packet capture on both IPSEC interfaces.
> 
> 

IPsec “routes” do not appear in the routing table. They are installed in the 
kernel as traffic selectors. Status > IPsec, SPDs.

If you are policy routing on the 192.168.110.130 interface you will need to 
bypass that with a pass rule to the other side (the Remote Network in the Phase 
2) with no gateway set.



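Since IPsec policies are selectors rather than routes, the useful question is "does this src/dst pair fall inside an outbound selector", which the routing table cannot answer but `setkey -DP` (what Status > IPsec > SPDs shows) can. The script below is an added example, not from the thread: it reads policy entries in the layout `setkey -DP` prints on FreeBSD and answers that question for a given packet. The two entries are constructed to mirror Roland's post (NAT address 41.22.123.70, remote 196.210.117.67, gateway 197.212.127.194); the exact entries on a real box, and whether the pre- or post-NAT address appears in them, must be read off the firewall itself. Port selectors ("[any]") are parsed but ignored.

```python
# Added example, not from the thread: parse security-policy entries in the
# layout printed by `setkey -DP` and decide which policy (if any) grabs a
# packet from A to B. The sample below is constructed in that layout with the
# addresses from the post; it is an assumption about what the box installs.
import ipaddress
import re

SPD_SAMPLE = (
    "41.22.123.70[any] 196.210.117.67[any] any\n"
    "\tout ipsec\n"
    "\tesp/tunnel/197.212.127.194-196.210.117.67/unique:1\n"
    "\tspid=2 seq=1 pid=1234\n"
    "\trefcnt=1\n"
    "196.210.117.67[any] 41.22.123.70[any] any\n"
    "\tin ipsec\n"
    "\tesp/tunnel/196.210.117.67-197.212.127.194/unique:1\n"
    "\tspid=1 seq=0 pid=1234\n"
    "\trefcnt=1\n"
)

# "src[port] dst[port] proto" header line of each policy block
HEAD = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")


def parse_spd(text):
    """Return one dict per policy: src/dst selectors as ip_network, the
    direction ('in'/'out'), the upper-layer proto, and the tunnel endpoints."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.startswith(("\t", " ")):
            m = HEAD.match(line.strip())
            if not m:
                continue                      # blank or unrelated output
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(3), strict=False),
                   "proto": m.group(5), "dir": None, "tunnel": None}
            entries.append(cur)
        elif cur is not None:
            body = line.strip().split()
            if len(body) == 2 and body[1] == "ipsec":
                cur["dir"] = body[0]          # "in ipsec" / "out ipsec"
            elif body and body[0].startswith("esp/tunnel/"):
                local, remote = body[0].split("/")[2].split("-")
                cur["tunnel"] = (local, remote)
    return entries


def matching_policy(entries, src, dst, direction="out"):
    """First policy in the given direction whose selector contains src->dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["dir"] == direction and s in e["src"] and d in e["dst"]:
            return e
    return None


def will_be_tunnelled(entries, src, dst):
    """True if an outbound policy would hand this packet to ESP instead of
    letting the routing table (and the default gateway) decide."""
    return matching_policy(entries, src, dst, "out") is not None


if __name__ == "__main__":
    spd = parse_spd(SPD_SAMPLE)
    for src in ("41.22.123.70", "192.168.110.130"):
        print(f"{src} -> 196.210.117.67 tunnelled:", will_be_tunnelled(spd, src, "196.210.117.67"))
```

A packet that is "allowed via IPsec" in the firewall log but whose source address is not inside any outbound selector at the moment the SPD lookup happens will take the default gateway, exactly the symptom in the post; comparing the selector addresses with what the packet carries at that point is the check to make before changing the Phase 2.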

Re: [pfSense] Squid crash: assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"

2018-01-08 Thread Chris L


> On Jan 8, 2018, at 8:39 AM, Eero Volotinen  wrote:
> 
> try removing squid package from package manager and then reinstalling.
> 
> On 8.1.2018 18.24 "Roberto Carna"  wrote:
> 
>> Dear Eero,
>> 
>> How do I have to remove Squid + config files in a good manner ?
>> 
>> Squid I suppose by the package manager from pfSense, but how do I have
>> to remove the config files ???
>> 
>> Thanks a lot, regards !!!


The General page in Services > Squid contains a checkbox for that: Keep 
Settings/Data.

Unchecking that and uninstalling/reinstalling should give you a pretty clean 
slate.



Re: [pfSense] Open ports with OpenVPN tunnel

2018-01-01 Thread Chris L
On Jan 1, 2018, at 2:35 PM, Antonio <m...@geotux.it> wrote:
> 
> Hi,
> 
> Its the rules that are under the heading "Additional steps to route WAN
> through tunnel" at the bottom of this page:
> 
> https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/
> 
> Regards
> 
> Antonio
> 

OK those are not rules on OpenVPN or the assigned interface tabs.

You are probably seeing something at the OpenVPN provider responding when you 
test from shields up.

To be certain you should packet capture on the OpenVPN interface and see if the 
traffic to 80, 81, 443 actually arrives at your location and is responded to.

That is highly doubtful.

For an OpenVPN provider connection, which is essentially a WAN connection, you 
should have no rules (which is a default deny all) on the OpenVPN tab or the 
assigned interface tab.

> On 01/01/2018 21:50, Chris L wrote:
>> What are the Firewall > Rules on your OpenVPN tab and the OpenVPN assigned 
>> interface tab for the ExpressVPN connection?
>> 
>> 
>>> On Jan 1, 2018, at 1:48 PM, Antonio <m...@geotux.it> wrote:
>>> 
>>> Hi,
>>> 
>>> I recently managed to get pfSense to run a OpenVPN connection with my VPN 
>>> provider (ExpressVPN). All traffic is routed through this VPN tunnel via my 
>>> pfSense device.
>>> 
>>> I randomly use ShieldsUp to test my ports and see if they are dropping 
>>> requests. All fine when the VPN tunnel is down. I then ran the ShieldsUp 
>>> (https://www.grc.com/x/ne.dll?bh0bkyd2)
>>> test when the VPN tunnel was up and to my surprise I found that when I run 
>>> the ShieldUp against the IP i get off "What my IP" (which presumably is the 
>>> IP of the VPN server which I'm connecting to) there are a few open ports: 
>>> 80, 81, 443.
>>> 
>>> I'm assuming that as these are the open ports of the VPN server that is 
>>> allowing me to connect, its not reflecting the configuration of OpenVPN on 
>>> my pfSense device, correct? Apologies, this may be a bit OT but I thought I 
>>> would check that its not a pfSense related issue before I knock on 
>>> ExpressVPN's door. Presumably, this is the way OpenVPN works ...
>>> 
>>> 
>>> Regards
>>> 
>>> -- 
>>> 
>>> 
>>> Respect your privacy and that of others, don't give your data to big 
>>> corporations.
>>> Use alternatives like Signal (https://whispersystems.org/) for your 
>>> messaging or 
>>> Diaspora* (https://joindiaspora.com/) for your social networking.
>>> 
>> 
> 



Re: [pfSense] Open ports with OpenVPN tunnel

2018-01-01 Thread Chris L
What are the Firewall > Rules on your OpenVPN tab and the OpenVPN assigned 
interface tab for the ExpressVPN connection?


> On Jan 1, 2018, at 1:48 PM, Antonio  wrote:
> 
> Hi,
> 
> I recently managed to get pfSense to run a OpenVPN connection with my VPN 
> provider (ExpressVPN). All traffic is routed through this VPN tunnel via my 
> pfSense device.
> 
> I randomly use ShieldsUp to test my ports and see if they are dropping 
> requests. All fine when the VPN tunnel is down. I then ran the ShieldsUp 
> (https://www.grc.com/x/ne.dll?bh0bkyd2)
> test when the VPN tunnel was up and to my surprise I found that when I run 
> the ShieldUp against the IP i get off "What my IP" (which presumably is the 
> IP of the VPN server which I'm connecting to) there are a few open ports: 
> 80, 81, 443.
> 
> I'm assuming that as these are the open ports of the VPN server that is 
> allowing me to connect, its not reflecting the configuration of OpenVPN on my 
> pfSense device, correct? Apologies, this may be a bit OT but I thought I 
> would check that its not a pfSense related issue before I knock on 
> ExpressVPN's door. Presumably, this is the way OpenVPN works ...
> 
> 
> Regards
> 
> -- 
> 
> 
> Respect your privacy and that of others, don't give your data to big 
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your messaging 
> or 
> Diaspora* (https://joindiaspora.com/) for your social networking.
> 



Re: [pfSense] Slow/impossible updates to 2.4?

2017-12-27 Thread Chris L

> On Dec 27, 2017, at 6:41 AM, David Jenner  wrote:
> 
> I was finally able to update from the console.  It took a total of one hour.  
> I have almost 200 megabits per second of wan connection, 51 MB of updates to 
> download.
> 
> Similar behavior from Package Manager.  It does not succeed in showing me 
> packages I have installed.  If I ask for all available packages, it does show 
> them.  Then it will immediately show what I have installed, if I select that.

Perhaps your IPv6 is actually being used/attempted and it is sub-optimal?
> 

>> On Dec 26, 2017, at 11:30 PM, Eero Volotinen  wrote:
>> 
>> Did you try also updating from the ssh shell? Or only from the web GUI?
>> 
>> Eero
>> 
>> 2017-12-27 6:10 GMT+02:00 David C. Jenner :
>>> I updated successfully to 2.4.
>>> 
>>> Then I tried to update to 2.4.2.  It took many minutes for 
>>> System/Update/System Update to get to the point of asking me to confirm the 
>>> update.  Then the update was excruciatingly slow, it took 1/2 hour or more. 
>>>  It finally succeeded.
>>> 
>>> Now I am trying to update to 2.4.2_p1.  Again it takes many minutes to get 
>>> to the request for confirming the update.  After confirming, it takes many 
>>> minutes for an error "System update failed!" to appear, and Updating System 
>>> says:
>>> 
>>> done.
>>> 2.4.2_1 version of pfSense is available.
>>> 
>>> All this is on an SG-2440:
>>> 
>>> Version 2.4.2-RELEASE (amd64)
>>> built on Mon Nov 20 09:10:42 CST 2017
>>> FreeBSD 11.1-RELEASE-p4
>>> 
>>> CPU Type: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz
>>> 2 CPUs: 1 package(s) x 2 core(s)
>>> AES-NI CPU Crypto: Yes (active)
>>> 
>>> The current installation of 2.4.2 appears to be running OK.  What is the 
>>> problem with updating?
>>> 
>>> Thanks, Dave
>> 



Re: [pfSense] Moving traffic between LAN & OPT1

2017-12-24 Thread Chris L


> On Dec 24, 2017, at 10:08 AM, Matthew Hall <mh...@mhcomputing.net> wrote:
> 
> 
>> On Dec 24, 2017, at 9:45 AM, Chris L <c...@viptalk.net> wrote:
>> 
>> Not a bug. That is by design. Create the rules to pass the traffic you need 
>> to pass on OPTX interfaces after you create them.
> 
> That's inconsistent with the LAN interface which has secret undocumented 
> default rules that allow self traffic to the firewall from the interface 
> network segment by default. To me this inconsistency does feel like a bug. 

There is nothing secret or undocumented about them. There is a pass any any any 
rule on LAN created by the installer because that is what most people need to 
get up and running. If you deleted LAN and recreated it you would have no 
rules. The rule is right there in Firewall > Rules, LAN. Not a bug.

Other automatically-installed rules include passing DHCP traffic when a DHCP 
server is enabled and passing IKE, ESP, and NAT-T when IPsec is enabled on an 
interface. There are also rules for required ICMPv6 etc.

All rules are visible at all times in /tmp/rules.debug and by running pfctl -sr.

> 
>>> Again, not a bug.
> 
> There's a long open bug for it actually:
> 
> https://redmine.pfsense.org/issues/5826
> 
> It will break your configuration whenever you configure IPSec between an OPT* 
> and a remote destination whose CIDR block happens to be a superset of your 
> interface CIDR block and you have been using any local service like DNS, 
> HTTPS, SSH, etc. on the firewall. The traffic will be misrouted through the 
> tunnel due to missing logic for bypassing the firewall self traffic from the 
> tunnel. 
> 
> Matthew.

That is a specific edge case that is rarely a factor. There is certainly room 
for improvement regarding the bypasslan functionality in IPsec.




Re: [pfSense] Moving traffic between LAN & OPT1

2017-12-24 Thread Chris L


> On Dec 23, 2017, at 9:10 PM, Matthew Hall  wrote:
> 
> I did run into various bugs involving interfaces != LAN. One common one is 
> that the other interfaces are missing a default allow rule for reaching 
> pfSense on 53/udp. This makes all your DNS requests fail and then it can seem 
> like none of your stuff is working.

Not a bug. That is by design. Create the rules to pass the traffic you need to 
pass on OPTX interfaces after you create them.

> Another problem you can find is, if you use IPsec or another site to site 
> VPN, these other interfaces don't have a bypass rule preventing self-traffic 
> to the firewall from being forced through the VPN tunnel. So I'm not sure 
> what configuration you've got but there are some funny things you can see. I 
> will say that once I worked around these items I was easily able to move or 
> block traffic between LAN and the other interfaces with no issues. One trick 
> that can help with the debugging is to replace the implicit default block 
> rule with a default reject rule so you can easily see what's misconfigured on 
> the end nodes and watch the firewall for log messages on your rules with logs 
> enabled to see why your traffic refuses to flow.

Traffic for other interfaces should not match the IPsec traffic selector. Not 
sure what you did there.

If you try to IPsec to destination 0.0.0.0/0 (all traffic), then you have to 
bypass that traffic selector by policy routing traffic for other destinations 
to where it needs to go. Again, not a bug. Getting a functional setup with a 
0.0.0.0/0 IPsec destination can be tricky due to the way the traffic selectors 
work.

If you policy route all traffic to an OpenVPN tunnel, you have to bypass said 
policy routing for local traffic. Again, not a bug.

> 
> Matthew Hall
> 
>> On Dec 23, 2017, at 6:53 PM, Walter Parker  wrote:
>> 
>>> On Fri, Dec 22, 2017 at 8:25 PM, Antonio  wrote:
>>> 
>>> Hi,
>>> 
>>> I'm not sure how you move traffic between the above interfaces. I was
>>> under the impression that all you needed was a "Default allow LAN to any
>>> rule" and job done. Yet i'm struggling to get devices of different
>>> interfaces to communicate. What am I missing?
>>> 
>>> That rule allows the LAN to move traffic. Traffic on OPT1 is a different
>> network. You will have addition rules to allow it talk to LAN. You will
>> need to add two sets of rules (or floating rules) depending on how you wish
>> to design your network.
>> 
>> 
>> Walter
>> 
>> 
>> 
>>> 
>>> Thanks
>>> 
>>> 
>>> 
>>> --
>>> 
>>> 
>>> Respect your privacy and that of others, don't give your data to big
>>> corporations.
>>> Use alternatives like Signal (https://whispersystems.org/) for your
>>> messaging or
>>> Diaspora* (https://joindiaspora.com/) for your social networking.
>>> 
>>> 
>> 
>> 
>> 
>> -- 
>> The greatest dangers to liberty lurk in insidious encroachment by men of
>> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
> 

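What both replies in this thread come down to is that a new OPT interface starts with the implicit default deny and gets only the handful of automatic rules (DHCP, IPsec, required ICMPv6) that pfSense adds for enabled services; DNS to the firewall is something you write yourself, and the whole resulting ruleset can be read in /tmp/rules.debug or with `pfctl -sr`. The fragment below is an added example in pf.conf syntax, not the thread's configuration and not what pfSense generates; it shows a minimal least-privilege OPT1 policy of the kind Matthew was missing. Interface names (em0/em1/em2) and the two subnets are assumptions.

```conf
# Added example, not from the thread and not pfSense's generated ruleset.
# Assumed layout: em0 = WAN, em1 = LAN 192.168.1.0/24,
# em2 = OPT1 192.168.2.0/24 with the firewall at 192.168.2.1.
wan  = "em0"
lan  = "em1"
opt1 = "em2"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# The implicit default on a fresh OPT interface: nothing passes. pf is
# last-match, so this non-quick block only catches what no quick pass below
# matched; logging it shows exactly which traffic is being dropped.
block in log on $opt1 all

# The rule the "53/udp bug" report was missing: OPT1 hosts may query the
# resolver on the firewall's own OPT1 address. Nothing adds this for you.
pass in quick on $opt1 inet proto { tcp udp } from 192.168.2.0/24 to 192.168.2.1 port 53 keep state

# DHCP is one of the rules pfSense does add automatically when a DHCP
# server is enabled on the interface; shown here only for completeness.
pass in quick on $opt1 inet proto udp from any port 68 to any port 67 keep state

# Least privilege toward the rest of the site: OPT1 gets no path to LAN
# and no path to the firewall's management services beyond DNS above.
block return in quick on $opt1 inet from 192.168.2.0/24 to 192.168.1.0/24
block return in quick on $opt1 inet proto tcp from 192.168.2.0/24 to 192.168.2.1 port { 22 80 443 }

# Everything else from OPT1 may leave for the Internet, but not for any
# other private address space it might otherwise reach through the firewall.
pass in quick on $opt1 inet from 192.168.2.0/24 to ! <rfc1918> keep state
```

Using `block return` rather than a silent drop for the internal targets is the debugging trick from the same thread: an OPT1 client gets an immediate RST or ICMP unreachable instead of a timeout, so a misconfigured end node shows up in seconds, and the logged default block at the top accounts for everything else. After loading, `pfctl -sr` shows the rules in the order pf evaluates them, which is where to look when an interface "doesn't work".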


Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-09 Thread Chris L
AES-GCM with all hashes disabled in the ESP/Phase 2.


> On Dec 9, 2017, at 12:03 PM, Karl Fife  wrote:
> 
> You might try...
> 
> (Wait for it)
> 
> ...AES.
> 
> 
> On 12/9/2017 4:02 AM, Eero Volotinen wrote:
>> Hi,
>> 
>> What is the best ipsec ciphers for aes-ni ipsec acceleration?
>> 
>> Eero
> 

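The reason the one-line answer is "AES-GCM with the hashes off" is that GCM is an AEAD mode: the integrity tag comes out of the same AES-NI-accelerated pass as the encryption, so there is no separate HMAC-SHA pass over every packet on the CPU, and selecting a hash alongside it is meaningless. The fragment below is an added example, not the thread's configuration: it is in strongSwan ipsec.conf syntax, which is what pfSense renders its Phase 1/Phase 2 settings into, with the connection name, peer addresses and subnets as assumptions.

```conf
# Added example, not from the thread. strongSwan ipsec.conf syntax; the
# connection name, addresses and subnets are assumptions.
conn site-b
    keyexchange=ikev2
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    right=198.51.100.1
    rightsubnet=192.168.2.0/24
    authby=psk

    # Before: CBC cipher plus a separate HMAC. AES-NI accelerates the AES
    # part only; the SHA-1 integrity check is a second pass per packet.
    #ike=aes256-sha1-modp2048!
    #esp=aes256-sha1!

    # After: AES-GCM for both IKE (IKEv2 only) and ESP. The 16-byte tag is
    # produced with the encryption, so no hash algorithm is listed in the
    # ESP proposal. In the pfSense GUI this is "AES-GCM" as the Phase 2
    # encryption algorithm with every hash algorithm unticked, as the
    # reply says. The "!" makes the proposal strict so nothing weaker
    # is negotiated, and modp2048 on the esp line enables PFS.
    ike=aes256gcm16-prfsha256-modp2048!
    esp=aes256gcm16-modp2048!
```

IKE still needs a PRF when the cipher is an AEAD, hence the prfsha256 term in the ike line; leaving it out is the usual reason an all-GCM IKEv2 proposal fails to negotiate.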


Re: [pfSense] single pfsense to ha conversion

2017-12-04 Thread Chris L


> On Dec 4, 2017, at 9:07 AM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> 
> well. my plan was to add first carp vip addresses to old configuration with
> gui and then
> switching them to main addresses using search and replace.
> 
> and then just restore config to main firewall and use config sync to
> replicate it to secondary..
> 
> 

I guess do whatever feels right then.

> --
> Eero
> 
> 2017-12-04 18:41 GMT+02:00 Chris L <c...@viptalk.net>:
> 
>> On Dec 4, 2017, at 8:11 AM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>>> 
>>> Well. is that really so hard?
>>> 
>>> thinking to add carp ip addresses and switching them to main addresses by
>>> editing xml backup and then restoring it to firewall..
>>> 
>>> I have same hardware (3* sg-8860). one for backup..
>> 
>> It depends on how complicated your setup is.
>> 
>> If there were lots of interfaces and physical interface name changes, I
>> might edit the configuration to change the interface names and the
>> interface addresses (many people use .2 for the primary, .3 for the
>> secondary, and .1 for the CARP VIP, for instance) but after that I would
>> use the GUI to make the HASYNC interface, VIPs and configure HA.
>> 
>> I would not try to configure the secondary that way. I would configure it
>> from scratch and let the configuration for everything except the
>> interfaces, etc sync over.
>> 
>>> 
>>> Eero
>>> 
>>> 4.12.2017 17.49 "Steve Yates" <st...@teamits.com> kirjoitti:
>>> 
>>>> I don't think it would qualify as "simple" since it involves setting up
>> an
>>>> additional interface on each as well as the CARP virtual IPs.
>>>> 
>>>> If you're asking about linking your old router to a new router, the
>>>> routers have to use the same hardware interface (NIC) names in order to
>>>> sync firewall states (em0 to igb0 won't sync).
>>>> 
>>>> --
>>>> 
>>>> Steve Yates
>>>> ITS, Inc.
>>>> 
>>>> -Original Message-
>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>>>> Volotinen
>>>> Sent: Saturday, December 2, 2017 11:04 AM
>>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
>>> 
>>>> Subject: [pfSense] single pfsense to ha conversion
>>>> 
>>>> Hi List,
>>>> 
>>>> I just bought two pieces of sg-8860 netgate devices and planning to
>> convert
>>>> old unit to ha solution.
>>>> 
>>>> Is there simple way to convert units to ha with a bit editing xml
>> backup?
>>>> 
>>>> --
>>>> Eero


Re: [pfSense] single pfsense to ha conversion

2017-12-04 Thread Chris L
On Dec 4, 2017, at 8:11 AM, Eero Volotinen  wrote:
> 
> Well. is that really so hard?
> 
> thinking to add carp ip addresses and switching them to main addresses by
> editing xml backup and then restoring it to firewall..
> 
> I have same hardware (3* sg-8860). one for backup..

It depends on how complicated your setup is.

If there were lots of interfaces and physical interface name changes, I might 
edit the configuration to change the interface names and the interface 
addresses (many people use .2 for the primary, .3 for the secondary, and .1 for 
the CARP VIP, for instance) but after that I would use the GUI to make the 
HASYNC interface, VIPs and configure HA.

I would not try to configure the secondary that way. I would configure it from 
scratch and let the configuration for everything except the interfaces, etc 
sync over.

> 
> Eero
> 
> 4.12.2017 17.49 "Steve Yates"  kirjoitti:
> 
>> I don't think it would qualify as "simple" since it involves setting up an
>> additional interface on each as well as the CARP virtual IPs.
>> 
>> If you're asking about linking your old router to a new router, the
>> routers have to use the same hardware interface (NIC) names in order to
>> sync firewall states (em0 to igb0 won't sync).
>> 
>> --
>> 
>> Steve Yates
>> ITS, Inc.
>> 
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>> Volotinen
>> Sent: Saturday, December 2, 2017 11:04 AM
>> To: pfSense Support and Discussion Mailing List 
>> Subject: [pfSense] single pfsense to ha conversion
>> 
>> Hi List,
>> 
>> I just bought two pieces of sg-8860 netgate devices and planning to convert
>> old unit to ha solution.
>> 
>> Is there simple way to convert units to ha with a bit editing xml backup?
>> 
>> --
>> Eero


Re: [pfSense] Multiple OpenVPNs (site to site) to one head end

2017-11-25 Thread Chris L

> On Nov 22, 2017, at 9:34 AM, Ryan Coleman  wrote:
> 
> I want to pass the entire traffic from a few locations through one master. 
> 
> I have one site working. But when I try to connect the second site it kills 
> the first.
> 
> I have IPSec for some basic network connections as a backup for the moment 
> that allows me to get to customer servers but I want to run all my traffic 
> because… Comcast. 
> 
> I have Gig Fiber at the headend, bandwidth is not an issue.
> 
> Does anyone have a tried/tested example of getting either OpenVPN full tunnel 
> working on a (multiple sites)-to-(one site) or an IPSec configuration example 
> that would allow for 100% routing? 
> 
> My guinea pig is my home network. I have one customer that is also on Comcast 
> that is using the full site-to-site tunnel and I cannot afford to drop during 
> store hours.
> 
> Thanks!
> 

If you are trying to use a server-mode connection (SSL/TLS with larger than a 
/30 tunnel network) and you are getting one connection, then the second kills 
the first, it sounds like you are trying to use the same credentials for each 
site but don’t have Duplicate Connections enabled on the server.

My suggestion would be to leave Duplicate Connections disabled and use discrete 
credentials for each site.




Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-19 Thread Chris L

> On Oct 19, 2017, at 8:36 AM, Adam Cage  wrote:
> 
> Dear Volker and others,
> 
> If I just inspect on host name only, do I have to create a CA and
> Certificate to install in the proxy server of pfSense anyway ???
> 
> Thnks a lot,
> 
> ADAM

You do have to create a CA and tell squid to use it but it is not used to spin 
up certificates and it does not have to be installed to the clients’ trusted 
stores if you are only using peek/splice.

I am not sure if the requirement is due to the GUI form or squid itself. End 
result is the same regardless.


> 

> 2017-10-12 17:24 GMT-03:00 Volker Kuhlmann :
> 
>> On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:
>> 
>>> This is useful to filter facebook, twitter, gmail and other HTTPS sites,
>>> just taking into account the URL ??? What can't I block for example ???
>> 
>> Look at squidguard rules - they're in 3 sections: hosts only, URLs, and
>> general regexp. With http all 3 of them work (within the bugginess of
>> squidguard and pfsense anyway).
>> 
>> With https the URL is encrypted, except for the host name part. I.e. the
>> SSL connection to the server is established on the host part only, and
>> the client sends the full URL only over the SSL connection once
>> established.
>> 
>> So you have 2 options for https:
>> 
>> 1) Full MITM attack, requiring client cert installs on all clients so
>> that the clients establish encrypted connections with the key of your
>> attack server (aka firewall) instead, and you have a chance of
>> inspecting the content.
>> 
>> 2) Inspect on host name only, that part is not encrypted.
>> 
>> As everything is moving to http it's becoming seriously difficult to use
>> squidguard as outgoing filter to get rid of all the shitvertising and
>> privacy invading user tracking rubbish (which wastes my time, bandwidth
>> and money for absolutly zero gain to me).
>> 
>> Volker
>> 
>> --
>> Volker Kuhlmann is list0570 with the domain in header.
>> http://volker.top.geek.nz/  Please do not CC list postings to me.
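Chris's point above is that with peek/splice squid only ever looks at the one thing a TLS client sends in the clear before any certificate is involved: the host name in the ClientHello's SNI extension. The following is an added example (not code from the thread, squid or pfSense) that builds a constructed ClientHello, parses the SNI out of it the way a peeking proxy would, and shows why a blocked site gets a broken handshake rather than a block page: the proxy's only choices at that point are to splice the connection through or tear it down. The `peek_decision` helper, the blocklist and all host names are assumptions for the example.

```python
import os
import struct
from typing import Optional, Set, Tuple


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (test input, not captured traffic).
    The server_name extension is included only when server_name is given."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + os.urandom(32)           # client_version 1.2, 32-byte random
            + b"\x00"                              # session_id: empty
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00"                          # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if the record is
    not a ClientHello, carries no SNI, or is truncated/malformed."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                              # skip version + random
        i += 1 + body[i]                                        # session_id
        i += 2 + struct.unpack("!H", body[i:i + 2])[0]          # cipher_suites
        i += 1 + body[i]                                        # compression_methods
        if i >= len(body):
            return None                                         # no extensions block at all
        end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", body[i:i + 4])
            edata, i = body[i + 4:i + 4 + elen], i + 4 + elen
            if etype == 0:                                      # server_name extension
                j = 2                                           # skip server_name_list length
                while j + 3 <= len(edata):
                    ntype, nlen = edata[j], struct.unpack("!H", edata[j + 1:j + 3])[0]
                    if ntype == 0:
                        return edata[j + 3:j + 3 + nlen].decode("ascii")
                    j += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def peek_decision(record: bytes, blocked_hosts: Set[str]) -> Tuple[str, Optional[str]]:
    """What a host-name-only filter can decide after peeking at the ClientHello:
    splice the TCP connection through untouched, or drop it (the client then sees a
    failed TLS handshake, never a block page)."""
    host = extract_sni(record)
    if host is None:
        return "no_sni", None
    for blocked in blocked_hosts:
        if host == blocked or host.endswith("." + blocked):
            return "block", host
    return "splice", host


if __name__ == "__main__":
    blocked = {"blocked.example"}
    for name in ("www.example.com", "cdn.blocked.example", None):
        print(name, "->", peek_decision(build_client_hello(name), blocked))
```

Note that a ClientHello with no SNI at all (older clients, some non-browser software) reaches the proxy as `no_sni`; a host-name-only policy has to decide up front whether such connections are spliced or dropped.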

Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-12 Thread Chris L

> On Oct 11, 2017, at 1:05 PM, Adam Cage <adamcag...@gmail.com> wrote:
> 
> Dear Chris, I need the Squid proxy to filter traffic working with
> Squidguard. The guest cell phones will be authenticated to my WiFi, and
> after that they can go to HTTP/HTTPS web sites with zero configuration
> because I can't tell my guests to setup a CA certificate, a proxy IP and
> port in their phone's browsers or whatever at all. So I need a transparent
> proxy.
> 
> Squid also let me have web traffic statistics with its logs.
> 
> Thanks again.

You can do it with SSL Peek/Splice but you cannot get a standard “site blocked”
page; you just get broken SSL negotiations for blocked sites.

The best thing to do, if you have pfSense Gold, is to watch the hangout
from January 2017 "Squid, SquidGuard, and Lightsquid”

This is all covered.

> 
> 2017-10-11 16:56 GMT-03:00 Chris L <c...@viptalk.net>:
> 
>> 
>>> On Oct 11, 2017, at 12:54 PM, Adam Cage <adamcag...@gmail.com> wrote:
>>> 
>>> Dear people, I have pfSense 2.3 with Squid and Squidguard installed.
>>> 
>>> I need a transparent proxy in order to let every cell phone that uses the
>>> WiFi service, go to the web without any extra configuration...just go to
>>> the web in a 100% transparent way.
>>> 
>>> I've read that this is impossible because for HTTPS traffic I have to
>>> intercept it, also create a CA certificate and installing it in every
>> cell
>>> phone clientbut this is not what I want because it implies a
>>> certificate installation task (I repeat I want 100% transparent mode).
>>> 
>>> Is there any manner to setup a transparent HTTP/HTTPS proxy without
>> setting
>>> up the CA certificate in the cell phone guests clients from my WiFi ???
>> My
>>> scenario is that a person comes to my company, uses the WiFi with zero
>>> configuration accessing to HTTP/HTTPS web sites, and finally leaves.
>>> 
>>> Special thanks.
>>> 
>>> ADAM
>> 
>> What are you looking to accomplish with the proxy in the first place?
>> 
>> 

Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-11 Thread Chris L

> On Oct 11, 2017, at 12:54 PM, Adam Cage  wrote:
> 
> Dear people, I have pfSense 2.3 with Squid and Squidguard installed.
> 
> I need a transparent proxy in order to let every cell phone that uses the
> WiFi service, go to the web without any extra configuration...just go to
> the web in a 100% transparent way.
> 
> I've read that this is impossible because for HTTPS traffic I have to
> intercept it, also create a CA certificate and installing it in every cell
> phone clientbut this is not what I want because it implies a
> certificate installation task (I repeat I want 100% transparent mode).
> 
> Is there any manner to setup a transparent HTTP/HTTPS proxy without setting
> up the CA certificate in the cell phone guests clients from my WiFi ??? My
> scenario is that a person comes to my company, uses the WiFi with zero
> configuration accessing to HTTP/HTTPS web sites, and finally leaves.
> 
> Special thanks.
> 
> ADAM

What are you looking to accomplish with the proxy in the first place?




Re: [pfSense] block DNS queries to external resolvers rule

2017-09-30 Thread Chris L

> On Sep 30, 2017, at 5:38 PM, Antonio  wrote:
> 
> Hi,
> 
> I tried to add the "block DNS queries to external resolvers" as
> described here
> (https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
> ) to my LAN config and noticed that traffic would not go anywhere on the
> LAN until I disabled the the two rule below on port 53. With rules 1,4,5
> below, all works well. When I switch on 2 and 3 too, browser stops
> working and all traffic on LAN goes nowhere. Why would this be?


Because your clients aren’t configured to use “LAN Address” as their DNS server?

> 
> Thanks
> 
> 
> 
>   #  States/Bytes   Protocol        Source   Port  Destination  Port      Gateway  Queue  Description
>   1  1 / 3.61 MiB   *               *        *     LAN Address  443, 80   *        *      Anti-Lockout Rule
>   2  0 / 0 B        IPv4+6 TCP/UDP  *        *     LAN address  53 (DNS)  *        none   Allow DNS to pfSense/DNSMASQ/OpenDNS
>   3  0 / 21 KiB     IPv4+6 TCP/UDP  *        *     *            53 (DNS)  *        none   Block DNS to everything else
>   4  1 / 44.34 MiB  IPv4 *          LAN net  *     *            *         *        none   Default allow LAN to any rule
>   5  0 / 0 B        IPv6 *          LAN net  *     *            *         *        none   Default allow LAN IPv6 to any rule
> 
> -- 
> 
> Respect your privacy and that of others, don't give your data to big 
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your messaging 
> or 
> Diaspora* (https://joindiaspora.com/) for your social networking.
> 

Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.

2017-09-27 Thread Chris L

> On Sep 27, 2017, at 12:43 PM, dayer  wrote:
> 
> 2017-09-27 20:29 GMT+02:00 Steve Yates :
>>I'm not sure if I am following you correctly, but the WAN CARP IP has 
>> to be the same on both routers.  So router1 has a WAN of a.a.a.a and CARP of 
>> a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b.  Same thing 
>> with the LAN IPs.
>> 
>> --
>> 
>> Steve Yates
>> ITS, Inc.
>> 
>> -Original Message-
>>> If I had to guess: Are you using a CARP address for outbound NAT?  If
>>> not then the connections *will* break on failover.
>> 
>> 
>> Thanks for your reply, Jon :)
>> 
>> Yes, I'm using CARP addresses from each WAN for outbound NAT:
>> - WLAN1 CARP, for WLAN1
>> - WLAN2 CARP, for WLAN2
>> 
>> In addition, when the *new* master unit routes the established
>> traffic, it continues doing the previous NAT according to the state
>> synchronised from the previous master. So it continues doing outbound
>> NAT with the WLAN2 CARP address, but trying to route through WLAN1.
>> This proves that the new master unit has the synchronised states, but
>> it try to route the established connections according to routing table
>> and not to firewall rules.
> 
> Hi Steve! Exactly. It doesn't matter, I know this behavior is some
> difficult to explain.
> 
> In my example, according to the diagram from [1]:
> 
> PC:
> - LAN: 192.168.2.1
> - GW: 192.168.2.10
> 
> Pfsense1:
> - LAN: 192.168.2.11
> - LAN CARP: 192.168.2.10
> - WAN1: 192.168.56.11
> - WAN1 CARP: 192.168.56.10
> - GW1: 192.168.56.1 (default)
> - WAN2: 192.168.57.11
> - WAN2 CARP: 192.168.57.10
> - GW2: 192.168.57.1
> 
> Pfsense2:
> - LAN: 192.168.2.12
> - LAN CARP: 192.168.2.10
> - WAN1: 192.168.56.12
> - WAN1 CARP: 192.168.56.10
> - GW1: 192.168.56.1 (default)
> - WAN2: 192.168.57.12
> - WAN2 CARP: 192.168.57.10
> - GW2: 192.168.57.1
> 
> Outbound NAT settings, something like:
> - LAN→WAN1→WAN1 CARP
> - LAN→WAN2→WAN2 CARP
> 
> Initially (Pfsense1 master; Pfsense2 backup; Traffic from LAN is
> routing through GW2 according to a firewall rule):
> SSH from PC → LAN → WAN2 (NAT with WAN2 CARP) → GW2
> 
> If I disable CARP in Pfsense1, Pfsense2 is the new master and:
> - The *established* connections do this path (wrong):
> PC → LAN → WAN1 (WAN2 CARP) → GW1
> - The *new* connections do this path (right):
> PC → LAN → WAN2 (WAN2 CARP) → GW2

What are the physical interface names (igb0, em0_vlan120, lagg2_vlan200, etc) 
for all of those interfaces? They must match exactly across nodes for pfsync to 
work correctly.


Re: [pfSense] IPsec NAT/BINAT not working

2017-08-22 Thread Chris L
On Aug 22, 2017, at 8:09 AM, Kilian Ries  wrote:
> 
> Hi,
> 
> 
> my setup is the following:
> 
> 
> Site A:
> 
> Lan: 192.168.100.0/24
> 
> Lan_IP: 192.168.100.1
> 
> Transfer: 10.2.81.0/24
> 
> Transfer_IP: 10.2.81.1
> 
> 
> Site B:
> 
> Lan: 10.2.82.0/24
> 
> Lan_IP: 19.2.82.1
> 
> 
> I'm doing a site-to-site IPsec wich is working. I can ping from both routers 
> (pfsense, juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not from the 
> clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to setup a 
> Transfer-Net with NAT / BINAT routing:
> 
> 
> Site B should reach the clients on site A via an 10.2.81.x ip-address and not 
> via an 192.168.100.x ip-address. So i want to map 10.2.81.0/24 <-> 
> 192.168.100.0/24.
> 
> 
> First i tried to do this via the NAT/BINAT setting inside the IPsec settings:
> 
> 
> Site A IPsec Phase2
> 
> 
> Local Network: 192.168.100.0/24
> 
> NAT/BINAT translation: 10.2.81.0/24
> 
> Remote Network: 10.2.82.0/24
> 
> 
> That didn't work and i tried the same thing with 1:1 NAT from the Firewall 
> tab:
> 
> 
> Site A
> 
> 
> External subnet IP 10.2.81.0
> 
> Internal IP: 192.168.100.0/24
> 
> Destination: 10.2.82.0/24
> 
> 
> 
> No matter which mapping i choose, if i try to ping from 192.168.100.x to 
> 10.2.82.x, pfsense routes the request through the WAN interface instead of 
> the IPsec / Transfer-Net Interface. How can i tell pfsense to route the 
> traffic from my Lan through the IPsec tunnel (not WAN) and do the NAT?

You might be policy routing that traffic out the WAN interface using rules that 
match the traffic on the 192.168.100.0/24 interface with a gateway or gateway 
group set.

Try bypassing policy routing for the remote subnet using a pass rule above that 
with the destination 10.2.82.0/24 and no gateway set.

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing



Re: [pfSense] Multiple DMZs isolated from each other

2017-06-26 Thread Chris L

> On Jun 26, 2017, at 5:27 PM, Jeppe Øland  wrote:
> 
> Well, at least that matches what I found: That I can't get connections to
> the internet working without allowing everything else too.
> 
> That seems like a pretty bad design... It would be much better to be able
> to allow something to just the WAN interface...
> 
> On Mon, Jun 26, 2017 at 11:26 AM, Jim Spaloss  wrote:
> 
>> The rule(s) that allow internet access are the "Allow to Any" rule(s). This
>> could be accomplished as one rule on a floating or interface group ruleset.
>> (Allow any from any to any).
>> 
>> The trick is to block the things that you don't want the DMZ to have access
>> to first. I also use an alias to keep the DMZs from talking to each other.
>> 
>> If you want, I could post some screenshots of my config.

You can allow something to just the WAN interface. It’s just that the WAN 
interface is not the internet.

There is really nothing different here from any stateful firewall made.

If this is a vote, I would record that I pretty much despise passing traffic to 
! RFC1918. I would much rather see Block to RFC1918 then Pass any.

I have reasons. First of which is don’t block traffic with a pass rule. Block 
undesired traffic with a block rule. Reasons.

I like jspal...@gmail.com's solution.

If you take something like 172.29.128.0/18 and assign your DMZ interfaces out 
of that, you can block them all with one rule.


>> 
>> 
>> On Jun 26, 2017 9:32 AM, "Jeppe Øland"  wrote:
>> 
>>> The thing is I couldn't figure out what rules are needed to get out to
>> the
>>> Internet!
>>> 
>>> If I add no rules at all, then the PC can get a DHCP address, but it
>> can't
>>> even ping pfSense.
>>> 
>>> I tried adding several rules (simultaneously), but didn't find anything
>> to
>>> allow me out to the Internet.
>>> 
>>> Simply adding a "DMZnet -> WANnet" rule did not let me get out.
>>> Adding the firewall specifically (since that is the GW it will go
>> through)
>>> did not help either.
>>> (I tried a few more things in desperation, but nothing changed)
>>> 
>>> Obviously the "DMZnet -> !LANnet" worked, but that doesn't block off all
>>> the other DMZs :-(
>>> 
>>> Regards,
>>> -Jeppe
>>> 
>>> 
>>> On Sun, Jun 25, 2017 at 8:28 PM, Leandro de la Paz >> 
>>> wrote:
>>> 
 Hi, it should be simple. pfsense deny all the traffic in the absence of
 any rules so it should be blocking all communication between DMZs by
 default. To allow the traffic to reach Internet, all you need to do is
 create a rule that permit the traffic that goes everywhere except to an
 alias that contains the private network (RFC1918) subnets. I recommend
>> it
 that you do it at the floating rules tab, that way you may select
>> several
 interfaces in one rule. However, you still may need to edit the rule
>>> every
 time that new DMZ is added.
 
 ---
 Regards,
 Leandro
 
 En 25 jun. 2017 4:04 p. m., en 4:04 p. m., "Jeppe Øland" <
>>> jol...@gmail.com>
 escribió:
> Does anybody know how to do this more easily.
> 
> Lets say I have 10 different isolated DMZs.
> (They are created as VLANs on the "inside" interface so I can connect
> servers to them).
> 
> Now I want each VLAN to be able to get an IP address from a DHCP pool,
> and
> to hit the Internet.
> Nothing else.
> No DMZ<->DMZ or DMZ->LAN traffic.
> 
> The default LAN rules allow me to hit each DMZ from the LAN, so that
> part
> is good.
> The problem is getting each DMZ isolated from each other.
> 
> The only thing I have working is to create 10 rules on each DMZ (to
> block
> access to the other DMZs and the LAN), and an accept "any" rule to be
> able
> to get out.
> 
> I really don't like this as it's error prone.
> If I add a new DMZ, I have to remember to add that rule to all the
> others.
> 
> Is there an easy set of rules I can make to allow the DMZ access to
> only
> its own net, and the Internet?
> 
> Regards,
> -Jeppe
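Two threads above turn on the same thing, first-match evaluation of an interface rule set: Antonio's LAN tab, where rules 2 and 3 only allow DNS that is sent to the LAN address (Chris's reply), and this DMZ thread, where Chris prefers explicit block rules for the DMZ supernet and RFC1918 followed by a pass-any over a single "pass to ! RFC1918" rule. The following is an added example, not code from either thread or from pfSense, that models both rule sets in a small first-match evaluator so the two designs can be compared on concrete packets. All addressing (192.168.1.0/24 as LAN, 172.29.128.0/18 as the DMZ supernet with 172.29.128.0/24 as DMZ1), the DNS pass rule to the DMZ interface address, and the helper names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed addressing for the example (not from the threads)
LAN_NET, LAN_ADDR = "192.168.1.0/24", "192.168.1.1/32"
DMZ_SUPERNET = "172.29.128.0/18"               # every DMZ interface is carved out of this block
DMZ1_NET, DMZ1_ADDR = "172.29.128.0/24", "172.29.128.1/32"


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    src: Optional[List[str]] = None    # CIDRs the source must fall in; None = any
    dst: Optional[List[str]] = None    # CIDRs the destination must fall in; None = any
    dport: Optional[int] = None        # destination port; None = any
    negate_dst: bool = False           # GUI "Invert match" on destination (pf "! dst")
    desc: str = ""


def _in_any(ip: str, nets: Optional[List[str]]) -> bool:
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    if not _in_any(src, rule.src):
        return False
    dst_hit = _in_any(dst, rule.dst)
    if rule.negate_dst and rule.dst is not None:
        dst_hit = not dst_hit
    return dst_hit and (rule.dport is None or rule.dport == dport)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins (interface-tab rules are 'quick'); no match is the default deny."""
    for r in rules:
        if _matches(r, src, dst, dport):
            return r.action, r.desc
    return "block", "default deny (no rule matched)"


def dns_rules() -> List[Rule]:
    """Rules 2-4 of Antonio's LAN tab, with the constructed LAN addressing above."""
    return [
        Rule("pass", None, [LAN_ADDR], 53, desc="Allow DNS to pfSense"),
        Rule("block", None, None, 53, desc="Block DNS to everything else"),
        Rule("pass", [LAN_NET], None, None, desc="Default allow LAN to any rule"),
    ]


def dmz_rules_block_first() -> List[Rule]:
    """Explicit blocks first, then pass any: the ordering Chris argues for. One block on the
    supernet covers every DMZ, including ones added later, without editing the rule."""
    return [
        Rule("pass", [DMZ1_NET], [DMZ1_ADDR], 53, desc="Allow DNS to the DMZ1 interface address"),
        Rule("block", [DMZ1_NET], [DMZ_SUPERNET], desc="Block DMZ to any DMZ"),
        Rule("block", [DMZ1_NET], RFC1918, desc="Block DMZ to RFC1918"),
        Rule("pass", [DMZ1_NET], None, desc="Pass DMZ to any"),
    ]


def dmz_rules_negated_pass() -> List[Rule]:
    """The single 'pass to ! RFC1918' rule; blocking is left to the implicit default deny."""
    return [Rule("pass", [DMZ1_NET], RFC1918, negate_dst=True, desc="Pass DMZ to ! RFC1918")]


if __name__ == "__main__":
    print("LAN client -> pfSense:53", evaluate(dns_rules(), "192.168.1.50", "192.168.1.1", 53))
    print("LAN client -> 8.8.8.8:53", evaluate(dns_rules(), "192.168.1.50", "8.8.8.8", 53))
    for name, rules in (("block-first", dmz_rules_block_first()),
                        ("negated-pass", dmz_rules_negated_pass())):
        print(name, "DMZ1 -> DMZ2     ", evaluate(rules, "172.29.128.10", "172.29.129.10", 443))
        print(name, "DMZ1 -> new DMZ  ", evaluate(rules, "172.29.128.10", "172.29.130.5", 22))
        print(name, "DMZ1 -> LAN      ", evaluate(rules, "172.29.128.10", "192.168.1.5", 445))
        print(name, "DMZ1 -> Internet ", evaluate(rules, "172.29.128.10", "198.51.100.7", 443))
```

Both DMZ rule sets pass and block the same packets; the difference is that with the block-first ordering every dropped DMZ-to-DMZ packet is attributed to a named rule (and so can be logged and counted on that rule), whereas with the negated pass it silently falls through to the default deny. For the DNS case, a client that resolves via 8.8.8.8 instead of the LAN address hits rule 3, which is why Antonio's LAN stopped working when rules 2 and 3 were enabled.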

Re: [pfSense] two GWs in WAN, correct static routes to second GW however default is used and second GW ignored

2017-05-29 Thread Chris L
Oleg -

Glad that helped.

You need the static routes to get the proper traffic sent to the correct 
gateway. That floating rule essentially just removes the route-to for traffic 
already routed that way.

If you want to run routing protocols, etc, out on the WAN subnet it might be 
best to just eliminate the gateway from the WAN interface configuration and 
manually set a default gateway + the static routes or the routing protocol to 
the other router.

That will disable all of the reply-to and route-to functionality reverting to 
the routing table as being authoritative.

It will also make things like automatic outbound NAT not know it is a WAN 
interface so those rules will have to be added manually. (If you set manual and 
save before deleting the gateway, rules for the interfaces that are already there 
will be created for you.)

That configuration might be incompatible with Multi-WAN to another ISP on 
another interface if it is ever added. Especially if the system ever thought 
the other WAN was the default gateway. Things would break.

Another option might be moving that second router off of the WAN subnet and 
onto its own transit network to pfSense.

> On May 29, 2017, at 9:35 AM, Oleg Cherkasov <ol...@broadpark.no> wrote:
> 
> Hi Chris,
> 
> Thank you for tip!  I have successfully added floating outbound rules and it 
> works now.  Do I need to add static routes and firewall rules or it would be 
> enough to add just floating rules?  I may see static rules on WAN are 
> redundant then.
> 
> Any thoughts about RIP/BGP/OSP routing if my second gateway advertise routing 
> tables?  Do I need to add floating rules as well for advertised routes via 
> RIP/BGP/OSP? Or with EBFPd daemon it would be more flexible.
> 
> 
> Thank you!
> 
> Oleg
> 
> 
> On 28. mai 2017 22:05, Chris L wrote:
>> Oleg -
>> 
>> WAN interfaces (interfaces with a gateway set on them) are treated 
>> differently.
>> 
>> The rule set forces all connections out that interface to a specific gateway 
>> (the interface gateway) with route-to.
>> 
>> You can add floating pass rules on WAN in the outbound direction to the 
>> destinations on the other side of that router (every network with that 
>> gateway as a static route) and probably a destination of the gateway address 
>> with no gateway set (the default gateway). That will disable route-to for 
>> that traffic.
>> 
>> If you want connections from the networks on the other side of the second 
>> gateway into pfSense you will need to disable reply-to on those pass rules 
>> or reply traffic will be forced to the interface gateway. Disable reply-to 
>> is in the advanced section of the rules.
>> 
>> 
>>> On May 27, 2017, at 11:31 AM, Oleg Cherkasov <ol...@broadpark.no> wrote:
>>> 
>>> Hi,
>>> 
>>> I am setting up static routes on WAN with two gateways.  One gateway is 
>>> default ISP and the second is a private network however both are in public 
>>> WAN net.  I may ping both gateways and of course the default one works 
>>> flawlessly.  Second GW works ok using other FW GW from other networks.  
>>> Both GW are in the same WAN network, the same subnet.
>>> 
>>> Status shows both gateways are online and I have added static rules to 
>>> direct traffic to 4 IPs to the second gateway so I may access resources in 
>>> private network via second gateway in WAN network.
>>> 
>>> All statuses and suggested diagnostics looks good indeed, gateways are 
>>> online and static routes are up however whatever I do the default gateway 
>>> is used!  I am running traceroute/tracepath from clients behind the 
>>> firewall and from pfSense WAN itself but it always uses default gateway and 
>>> ignores active second gateway and static rules.  I have tried to reboot 
>>> pfSense of course however the issue remains.
>>> 
>>> Anyone have any suggestion? How I may verbosely debug static routing?
>>> 
>>> 
>>> 
>>> Cheers,
>>> Oleg
>>> 

Re: [pfSense] two GWs in WAN, correct static routes to second GW however default is used and second GW ignored

2017-05-28 Thread Chris L
Oleg -

WAN interfaces (interfaces with a gateway set on them) are treated differently.

The rule set forces all connections out that interface to a specific gateway 
(the interface gateway) with route-to.

You can add floating pass rules on WAN in the outbound direction to the 
destinations on the other side of that router (every network with that gateway 
as a static route) and probably a destination of the gateway address with no 
gateway set (the default gateway). That will disable route-to for that traffic.

If you want connections from the networks on the other side of the second 
gateway into pfSense you will need to disable reply-to on those pass rules or 
reply traffic will be forced to the interface gateway. Disable reply-to is in 
the advanced section of the rules.


> On May 27, 2017, at 11:31 AM, Oleg Cherkasov  wrote:
> 
> Hi,
> 
> I am setting up static routes on WAN with two gateways.  One gateway is 
> default ISP and the second is a private network however both are in public 
> WAN net.  I may ping both gateways and of course the default one works 
> flawlessly.  Second GW works ok using other FW GW from other networks.  Both 
> GW are in the same WAN network, the same subnet.
> 
> Status shows both gateways are online and I have added static rules to direct 
> traffic to 4 IPs to the second gateway so I may access resources in private 
> network via second gateway in WAN network.
> 
> All statuses and suggested diagnostics looks good indeed, gateways are online 
> and static routes are up however whatever I do the default gateway is used!  
> I am running traceroute/tracepath from clients behind the firewall and from 
> pfSense WAN itself but it always uses default gateway and ignores active 
> second gateway and static rules.  I have tried to reboot pfSense of course 
> however the issue remains.
> 
> Anyone have any suggestion? How I may verbosely debug static routing?
> 
> 
> 
> Cheers,
> Oleg
> 
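Chris's two replies to Oleg here, and his earlier reply to Kilian's IPsec NAT/BINAT question, describe the same mechanism from two sides: a pass rule with a gateway set becomes a pf route-to and the routing table is never consulted for that traffic, which is why static routes to the second gateway are ignored and why LAN traffic for the IPsec remote subnet leaves via WAN; a no-gateway pass rule matched first (a bypass rule above the policy-routing rule on LAN, or a floating outbound rule on WAN) hands the decision back to the routing table. The following is an added example, not code from the threads or from pfSense, that models next-hop selection with those two steps. The addresses (203.0.113.1 as the ISP gateway, 203.0.113.2 as the second router, 198.51.100.0/24 behind it), the representation of the IPsec SPD as a routing-table entry for 10.2.82.0/24 (a simplification), and all function names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (not from the threads)
WAN_GW = "203.0.113.1"                 # interface gateway of WAN (ISP)
SECOND_GW = "203.0.113.2"              # second router on the same WAN subnet
BEHIND_SECOND_GW = "198.51.100.0/24"   # private network reached via SECOND_GW (static route)
IPSEC_REMOTE = "10.2.82.0/24"          # Kilian's remote IPsec subnet
IPSEC = "IPsec SPD (enc0)"             # simplification: the IPsec policy shown as a route entry

Route = Tuple[str, str]                # (destination CIDR, next hop)


@dataclass
class Rule:
    dst: Optional[str]       # destination CIDR the pass rule matches; None = any
    gateway: Optional[str]   # gateway set on the rule -> pf route-to; None = routing table
    desc: str


def lookup_route(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as the kernel routing table does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def next_hop(rules: List[Rule], routes: List[Route], dst: str) -> Tuple[Optional[str], str]:
    """First matching pass rule wins. A gateway on that rule means route-to: the packet goes
    to that gateway and the routing table is ignored. No gateway: routing table decides."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.dst is None or addr in ipaddress.ip_network(r.dst):
            if r.gateway is not None:
                return r.gateway, f"route-to via rule '{r.desc}' (routing table ignored)"
            return lookup_route(routes, dst), f"rule '{r.desc}' has no gateway; routing table decides"
    return None, "no pass rule matched (default deny)"


def routes() -> List[Route]:
    """Constructed routing table: default via the ISP, the WAN subnet connected,
    a static route for the network behind the second router, and the IPsec remote subnet."""
    return [("0.0.0.0/0", WAN_GW), ("203.0.113.0/24", "directly connected on WAN"),
            (BEHIND_SECOND_GW, SECOND_GW), (IPSEC_REMOTE, IPSEC)]


def lan_rules_policy_routed() -> List[Rule]:
    """LAN tab whose allow-all rule has a gateway set: everything is policy routed out WAN."""
    return [Rule(None, WAN_GW, "Default allow LAN to any, gateway WAN_GW")]


def lan_rules_with_bypass() -> List[Rule]:
    """Same, with a no-gateway pass rule for the IPsec remote subnet placed above it."""
    return [Rule(IPSEC_REMOTE, None, "Pass LAN to IPsec remote subnet (no gateway)")] \
        + lan_rules_policy_routed()


def wan_out_rules_default() -> List[Rule]:
    """What a WAN interface (one with a gateway set) does to outbound connections."""
    return [Rule(None, WAN_GW, "Implicit route-to interface gateway on WAN")]


def wan_out_rules_with_floating() -> List[Rule]:
    """Floating outbound pass rules on WAN, no gateway, for the second router and what is behind it."""
    return [Rule(BEHIND_SECOND_GW, None, "Floating out on WAN to nets behind second GW (no gateway)"),
            Rule(SECOND_GW + "/32", None, "Floating out on WAN to second GW itself (no gateway)")] \
        + wan_out_rules_default()


if __name__ == "__main__":
    for label, rules, dst in (("LAN, policy routed ", lan_rules_policy_routed(), "10.2.82.7"),
                              ("LAN, with bypass   ", lan_rules_with_bypass(), "10.2.82.7"),
                              ("WAN out, default   ", wan_out_rules_default(), "198.51.100.9"),
                              ("WAN out, floating  ", wan_out_rules_with_floating(), "198.51.100.9"),
                              ("WAN out, floating  ", wan_out_rules_with_floating(), "8.8.8.8")):
        print(label, dst, "->", next_hop(rules, routes(), dst))
```

The model covers only the forward direction; Chris's reply-to caveat (connections arriving from behind the second router are answered via the interface gateway unless reply-to is disabled on the pass rule) is the mirror image of the same rule and is not modelled here.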


Re: [pfSense] Host Overrides in Services/DNS Forwarder not working until manual restart of DNS Forwarder Service

2017-05-14 Thread Chris L
Maybe this:

"Do not use 'local' as a domain name. It will cause local hosts running mDNS 
(avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS.”

> On May 13, 2017, at 9:08 AM, Stefan Baur  
> wrote:
> 
> Hi,
> 
> I'm seeing this on 2.3.3-RELEASE and 2.3.4-RELEASE, not sure if older
> versions are affected as well.
> 
> I have multiple entries in the Services/DNS Forwarder/Host Overrides
> section, all looking similar to this one:
> 
> |wpad|office.local|192.168.2.3|Microsoft Proxy Autoconfiguration|
> 
> When I attach a Client computer to any of the downstream interfaces of
> this pfSense installation (it has two), I get:
> 
> nslookup wpad.office.local
> Server: 192.168.134.1
> Address:192.168.134.1#53
> 
> ** server can't find wpad.office.local: NXDOMAIN
> 
> (192.168.134.1 is the pfSense IP on that network)
> 
> As soon as I log in to the pfSense WebGUI, go to Services/DNS Forwarder,
> and hit the "circle arrow" that says "Restart Service", DNS lookups from
> the clients start to work.
> 
> Upstream DNS resolving is not affected, though - trying
> 
> nslookup www.google.com
> 
> will give the correct result from the start.
> 
> This somehow doesn't look right.
> 
> Any insights? Bug in pfSense or misconfiguration on my side?
> 
> Kind Regards,
> Stefan Baur

Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread Chris L
On Nov 16, 2016, at 10:30 AM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> 
> I think it is possible to use lagg interface for workaround with interface
> naming?
> 
> Eero

If you want to go that route, by all means do so.

Completely unnecessary added complexity, IMHO. That should probably be 
considered an available workaround to get you out of a jam until the real 
problem can be fixed.

If it’s worth doing HA at all, it’s worth doing right. Use a matching set of HA 
nodes.


> 
> 2016-11-16 7:14 GMT+02:00 Chris L <c...@viptalk.net>:
> 
>>> On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi>
>> wrote:
>>> 
>>> same ports? you mean that same port assignment and nic can be different
>> type?
>>> 
>>> eero
>> 
>> No.
>> 
>> Hardware should be as identical as possible. 100% identical is best. If
>> LAN is em0 on one side, it must be em0 on the other.
>> 
>> 
>>> 
>>> On 15 Nov 2016 at 11:36 PM, "Steve Yates" <st...@teamits.com> wrote:
>>> 
>>>>   Any hardware should work fine.  They recommend a separate
>> NIC/port
>>>> for the sync traffic since if syncing states there can be a lot of
>> traffic
>>>> (if not syncing state there is probably very little).  I don't think it
>>>> needs to be identical hardware but the rules would need to copy over so
>> it
>>>> would need the same ports.
>>>> 
>>>>   One gotcha that caught me...under "System/High Availability
>>>> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
>>>> "Remote System Username" field.  That field is ignored, and "admin" is
>>>> always used.
>>>> 
>>>> --
>>>> 
>>>> Steve Yates
>>>> ITS, Inc.
>>>> 
>>>> -Original Message-
>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>>>> Volotinen
>>>> Sent: Tuesday, November 15, 2016 2:20 PM
>>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
>>> 
>>>> Subject: [pfSense] pfsense + carp + ha
>>>> 
>>>> Hi List,
>>>> 
>>>> What are requirements for pfsense ha clustering? does any of x86
>> hardware
>>>> work with ha? does hardware need to be identical?
>>>> 

Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Chris L
> On Nov 15, 2016, at 1:50 PM, Eero Volotinen  wrote:
> 
> same ports? you mean that same port assignment and nic can be different type?
> 
> eero

No.

Hardware should be as identical as possible. 100% identical is best. If LAN is 
em0 on one side, it must be em0 on the other.


> 
> On 15 Nov 2016 at 11:36 PM, "Steve Yates" wrote:
> 
>> Any hardware should work fine.  They recommend a separate NIC/port
>> for the sync traffic since if syncing states there can be a lot of traffic
>> (if not syncing state there is probably very little).  I don't think it
>> needs to be identical hardware but the rules would need to copy over so it
>> would need the same ports.
>> 
>> One gotcha that caught me...under "System/High Availability
>> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
>> "Remote System Username" field.  That field is ignored, and "admin" is
>> always used.
>> 
>> --
>> 
>> Steve Yates
>> ITS, Inc.
>> 
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>> Volotinen
>> Sent: Tuesday, November 15, 2016 2:20 PM
>> To: pfSense Support and Discussion Mailing List 
>> Subject: [pfSense] pfsense + carp + ha
>> 
>> Hi List,
>> 
>> What are requirements for pfsense ha clustering? does any of x86 hardware
>> work with ha? does hardware need to be identical?
>> 


Re: [pfSense] changes made in web GUI not sticking, yet claims "saved".

2016-10-05 Thread Chris L
Check that the users/groups do not have the User - Config:Deny Config Write 
privilege set.
 
> On Oct 5, 2016, at 10:42 AM, Rodrigo Cunha  wrote:
> 
> Hello Greg, send to this list the checksum of this pfSense ISO. I have pfSense
> but I do not have these problems.
> I have pfSense 2.3.2 too, but I don't have this problem on my system...
> Try restoring the standard rules in the pfSense console, maybe option 4 in
> the console terminal... restart pfSense.
> But send us the checksum for this ISO...
> 
> 2016-10-05 14:00 GMT-03:00 greg whynott :
> 
>> Hello,
>> 
>> Installed the v2.3.2 community edition today and am having a problem with
>> the web gui not implementing changes made.
>> 
>> Any changes made via the web gui pfsense claims they are saved and asks you
>> to apply the changes,  yet after doing so any changes made are not
>> reflected in the web gui or the actual config.   If you refresh the page,
>> log out/in the changes are not shown.  They don't end up in the config.   I
>> don't know if it has anything to do with it but it *seemed* to be working
>> up till I added the AD authentication server.  But that was the first thing
>> I did after IP'n the interfaces,  no other changes were made up to that
>> point.
>> 
>> As it is now,  the solution can not be configured any further from the web
>> interface.
>> 
>> Now I can't rename an interface,  add an IP,  change the host-name of the
>> system and so on.  Anything you change within the web gui is lost, even
>> after it claims your changes have been saved.  I've tried this with both a
>> local admin account (built in admin) and an AD admin account.  behaves the
>> same with both.   I've also tried 3 browsers,  and two different machines.
>> Same results.
>> 
>> In our environment we have an older 2.1.5 system,  on the same
>> browsers/system the older one is functioning as expected.  Since it was a
>> new install,  I tried installing it again but it is acting the same.
>> 
>> Are there any logs I can forward or look at which may provide insight?
>> Looking at the standard ones in /var/log/* does not reveal anything odd
>> looking..
>> 
>> thank you,
>> -greg
> 
> 
> 
> -- 
> Regards,
> Rodrigo da Silva Cunha


Re: [pfSense] Lost limiter config after upgrade

2015-12-15 Thread Chris L
Yeah, there’s a difference between the upgrade failing and the upgraded system 
just not working with limiters.

It seems either traffic just doesn’t flow or limiters don’t limit.

I am really looking forward to this being fixed. Until then, 2.1.5 rules the 
roost.

It’s a pretty sad state.

> On Dec 14, 2015, at 8:26 AM, Ryan Clough  wrote:
> 
> Might also depend on how the limiters are being used and how the rest of
> the router is configured. I have been up against this bug for at least six
> months:
> https://redmine.pfsense.org/issues/4326
> 
> ___
> ¯\_(ツ)_/¯
> Ryan Clough
> Information Systems
> Decision Sciences International Corporation
> 
> 
> 
> On Sun, Dec 13, 2015 at 5:29 PM, ED Fochler 
> wrote:
> 
>> Limiters work on 2.2.4, I’m using them.  But I didn’t upgrade, I created
>> the limiters on 2.2.4.  Are you asking if limiters work?  Or are you just
>> noting that they don’t cleanly upgrade?  If you create them through the GUI
>> and link them in with the firewall rules, do they work now?
>> 
>>ED.
>> 
>>> On 2015, Dec 12, at 1:43 PM, Ugo Bellavance  wrote:
>>> 
>>> Hi,
>>> 
>>> We upgraded from 2.0.1-RELEASE to 2.2.4-RELEASE and the limiter that
>> worked on 2.0.1 stopped working.  This limiter (and sub-limiters) is
>> located on an inside interface and its role is to limit the traffic that
>> can come in.  This firewall is at a remote site and we replicate backups
>> there.  We use this limiter because the bandwidth at the remote site is
>> higher than at our main site.  Using this limiter avoids saturating our
>> main site's WAN link and causing slowdowns.
>>> 
>>> Looking at the config diffs, it looks like the  tags have
>> changed during the upgrade.  It looked like ?1 and ?2 and now it looks like
>> labels.  Also, the  tag seems to include more stuff now.
>>> 
>>> It was 28 and now it looks like
>>>  
>>>  
>>>  28
>>>  Mb
>>>  none
>>>  
>>>  
>>> 
>>> 
>>> Thanks,
>>> 
>>> Ugo
>>> 
> 

Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-13 Thread Chris L
On Nov 13, 2015, at 7:09 AM, David White  wrote:
> 
> I have a unique scenario:
> 
> The higher ups require a multi-wan high availability setup, but assuming
> both ISPs are working, some traffic is required to use 1 ISP and some
> traffic is required to use the other.
> 
> I've read in some pfSense docs on how I can set up a high availability,
> multi-wan setup, but those docs say nothing about segmenting the traffic.
> 
> My idea is to set up 2 VLANS, and route 1 VLAN out of 1 gateway and 1 VLAN
> out the other, but configure them so that if 1 ISP or the other ISP goes
> down, both VLANS will go out whichever ISP is working.
> 
> Is this possible?

Absolutely.  Look at Multi-WAN, Failover, and Policy Routing on the doc wiki.



Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-25 Thread Chris L

> On Jul 24, 2015, at 5:18 PM, Ted Byers r.ted.by...@gmail.com wrote:
> 
>> On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:
>> 
>>> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
>>> This is an external scan.  We forward ports such as 443 and 22 to
>>> specific
>>> Ubuntu machines.  But both sshd and apache have been configured to accept
>>> only TLS1.2
>> 
>> 
>> In the case of forwarded ports it's the Ubuntu machines that are
>> triggering it. That has nothing to do with the firewall.
> 
> 
> In that case, then, the scan is wrong as all our Ubuntu machines are
> configured to use only TLS1.2

Or you think they are and they’re really not.


Re: [pfSense] best way to change WAN interface after migration

2015-04-11 Thread Chris L
> On Apr 11, 2015, at 11:58 AM, Espen Johansen pfse...@gmail.com wrote:
> 
> In the past I have edited a config backup and restored it. Maybe there are
> better ways, but find and replace in an editor does the trick :-)
> 
> Brgds, Espen

Be careful you don’t match anything in any certificates and keys or other 
base64-encoded blobs.  Manually approve every replacement.



> On 11 Apr 2015 at 20:46, Martin Fuchs mar...@fuchs-kiel.de wrote:
> 
>> Hi !
>> 
>> Does anyone have any experience with changing WAN-interfaces ?
>> 
>> We migrated our CARP-cluster from one provider to another.
>> 
>> On em1 we have provider-old and
>> 
>> On em7 we have provider-new.
>> 
>> The old provider will switch off his connection soon.
>> 
>> We changed the gateways and everything, but whether it is a cosmetic issue
>> or not, how can I change the WAN interface (as set up in the console) from
>> em1 to em7 without losing any config ?
>> 
>> Can I use the console to change it without any harm, and what will happen to
>> the attached rules ?
>> 
>> Regards,
>> 
>> martin


Re: [pfSense] CARP sync of skew results in blank Status on backup router, breaking failover

2015-03-25 Thread Chris L

> On Mar 24, 2015, at 9:47 AM, Steve Yates st...@teamits.com wrote:
> 
> I'm going to start a new thread since I think this is a different issue.
> 
> I have a rule to allow all IPv4 from PFSYNC net to PFSYNC net.  That 
> network is on a VLAN with only those two interfaces on it.
> 
> The failover and fail back works fine on all five CARP 
> interfaces/aliases if router1 is shut down, it enters CARP maintenance mode, 
> etc.
> 
> I think this is a bug that if the CARP skew setting syncs, something 
> happens to the backup so it has a blank Status and no longer considers itself 
> the Backup for that interface, and therefore failover does not happen.  
> (enabling CARP maintenance mode on router1 sets only the other four 
> interfaces to Backup status and the broken one remains Master).
> 
> Interesting to note, the breakage happens immediately upon editing the 
> router1 skew, before Apply Changes are clicked on router1.  And, when 
> router2's CARP alias is in that state, setting the skew on router1 back to 0 
> does not sync over to router2; its skew stays at 101.  It's as if the link is 
> broken.

Since nobody else has chimed in are you sure CARP setting changes are supposed 
to be synced?

It makes sense that when a primary syncs to a new secondary, or a new VIP is 
created on the Master, defaults are chosen on the secondary to ensure it comes 
up as Backup.

After that happens, I don’t think I want changes to CARP settings to be synced.

What are you doing messing around with base and skew anyway?


Re: [pfSense] Setup Question - Routing

2015-03-24 Thread Chris L
> On Mar 24, 2015, at 5:46 PM, Walter Parker walt...@gmail.com wrote:
> 
> Using a chart like 
> http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf
> you can see the different /28 and /29 subnets that exist on a /24 network.
> 
> You would bind the .248/29 network to the WAN interface (use a /29 to leave a 
> few extra addresses).

If the provider side of the interface is set for /24 and his WAN is set for /29 
expect hilarious shenanigans to ensue.

 
> Then you would bind a reserved network (10.X, 192,168,X 172.16,X) to the LAN 
> interface.
> 
> Then on your third interface, you would bind multiple networks, .240/29, 
> .232/29, .224/29, etc to the OPT1/DMZ interface.

What you say?

> Then each customer would put their equipment directly on that 
> network. If the customers have routers themselves, you might want to set up a 
> bunch of /30 networks (.252/30, .248/30, .244/30, .236/30, .232/30) for your 
> and the customer's WAN interfaces. Then start down from .224 and assign /29 
> networks for the customer's DMZ/OPT1 interfaces. Unless the customer is 
> running without NAT, then the addresses could be put on the customer's LAN 
> interfaces.
> 
> The big trick here is make sure that none of your networks have overlapping 
> IP address ranges. The chart above is very helpful for tracking different 
> sizes. This means that you can't put .254 on one interface and .249/29 on a 
> different interface as those networks overlap.
> 
> 
> Walter


He needs a routed subnet or has to use VIPs on WAN and 1:1 NAT.  Or some 
convoluted bridging thing that I shouldn’t even mention because it’s no 
solution at all.



Re: [pfSense] Setup Question - Routing

2015-03-24 Thread Chris L

> On Mar 24, 2015, at 5:12 PM, Joseph H jharde...@cirracore.com wrote:
> 
> I have a buddy and he wants to use pfSense as his firewall to protect his 
> devices and also provide a gateway for customers.  And he has asked me if I 
> know of a good way to set this up, so I decided to ask the list
> 
> He has gotten a /24 subnet, he wants to use a small section of it for his web 
> site and stuff, and then split off subnets to several customers.  For 
> instance, he was given a gateway of x.x.x.254 by his provider, he will use 
> the x.x.x.249/29 for his own use, then wants to pass subnets through to his 
> customers in say several /28's or /29's.
> 
> Does anyone know of an easy way to set this up?  He has a server with 3 
> interfaces to use for this.
> 

To make this a LOT easier (or even possible at all without 1:1 NAT) he should 
ask the provider for a /29 or /30 for his WAN interface with the /24 routed to 
an IP address on that.


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Chris L

> On Mar 9, 2015, at 2:56 AM, Brian Candler b.cand...@pobox.com wrote:
> 
> On 09/03/2015 09:51, Bryan D. wrote:
>> So it sounds like the IPsec and OpenVPN traffic would be such traffic?
> IPSEC traffic is addressed *to* the firewall (at least the IKE stuff on udp 
> 500 is, since it is received by strongswan/racoon)
> 
> But the firewall already has a public IP address for IPSec.
> 
> Are you saying you want different clients' IPSEC tunnels to terminate on 
> different public IP addresses on the firewall WAN side? That I've never 
> tried, and I don't know if it's possible.

It listens (binds) on whatever interface/VIP is specified in the Interface 
drop-down in the IPSec/OpenVPN config.  If you have a VIP specified, and you 
change the VIP, you might have to go back and select the new VIP.  Firewall 
rules other than actual interface addresses are specified by IP address so they 
should still be good if you change the VIP type.


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Chris L

> On Mar 9, 2015, at 3:07 AM, Brian Candler b.cand...@pobox.com wrote:
> 
> On 09/03/2015 10:05, Chris L wrote:
>>> Are you saying you want different clients' IPSEC tunnels to terminate on 
>>> different public IP addresses on the firewall WAN side? That I've never 
>>> tried, and I don't know if it's possible.
>> It listens (binds) on whatever interface/VIP is specified in the Interface 
>> drop-down in the IPSec/OpenVPN config.
> Sure: I was asking if the requirement is to have *multiple* IPSEC VIPs which 
> are processed differently.
> 
> If not, then why not just terminate IPSEC on the firewall's primary IP 
> address?

Good question for OP.  As far as I know, racoon and strongswan listen on one 
binding for all clients. OpenVPN is set per-instance.


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Chris L

> On Mar 9, 2015, at 2:38 AM, Brian Candler b.cand...@pobox.com wrote:
> 
> On 09/03/2015 09:33, Bryan D. wrote:
>> So, for what I'm doing, an IP Alias VIP seems like it should work where a 
>> CARP VIP works -- but it doesn't appear that a Proxy ARP VIP should, since I 
>> think I'm using them by the firewall itself (i.e., port forwarding and 
>> NATing) ... no -- or does that mean something different?
> 
> As I understand it, used by the firewall itself means traffic which 
> terminates *on* the firewall: for example, the firewall admin web page, and 
> any services which run on the firewall itself (e.g. DNS cache, packages you 
> have installed)
> 
> Traffic which is forwarded *through* the firewall, including NAT, is not 
> addressed to the firewall itself.

OpenVPN, IPSec, etc.  If there is a socket listening on pfSense, that is the 
“firewall itself.”  Or “bind” in the doc.

This isn’t that complicated.  What, exactly, is OP trying to do?


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Chris L

> On Mar 9, 2015, at 3:01 AM, Bryan D. pfse...@derman.com wrote:
> 
> On 2015-Mar-09, at 2:43 AM, Chris L c...@viptalk.net wrote:
> 
>> On Mar 9, 2015, at 2:38 AM, Brian Candler b.cand...@pobox.com wrote:
>> 
>>> On 09/03/2015 09:33, Bryan D. wrote:
>>>> So, for what I'm doing, an IP Alias VIP seems like it should work where a 
>>>> CARP VIP works -- but it doesn't appear that a Proxy ARP VIP should, since 
>>>> I think I'm using them by the firewall itself (i.e., port forwarding and 
>>>> NATing) ... no -- or does that mean something different?
>>> 
>>> As I understand it, used by the firewall itself means traffic which 
>>> terminates *on* the firewall: for example, the firewall admin web page, and 
>>> any services which run on the firewall itself (e.g. DNS cache, packages you 
>>> have installed)
>>> 
>>> Traffic which is forwarded *through* the firewall, including NAT, is not 
>>> addressed to the firewall itself.
>> 
>> OpenVPN, IPSec, etc.  If there is a socket listening on pfSense, that is the 
>> “firewall itself.”  Or “bind” in the doc.
>> 
>> This isn’t that complicated.  What, exactly, is OP trying to do?
> 
> Yeah, that's what I thought.  It's explained in the initial posting ...
> ---
> I have a functioning v2.2 setup that uses a /29 set of static IPs:
> - 1 IP is the gateway address and 5 IPs are usable (quite common, I believe)
> - one of the usable IPs is assigned to the WAN interface
> - the other 4 usable IPs are assigned to VIPs
> - the WAN IP and VIPs have various port-forward and NAT rules associated with 
> them
> - the WAN IP and 2 of the VIPs serve 3 different domains
> (e.g., web, email, VPN -- servers are behind the firewall on isolated LAN)
> - one of the other VIPs is used by mobile VPNs (IPsec and OpenVPN)
> ---
> 
> Works well with CARP VIPs, switching a VIP to Alias IP renders the services 
> inaccessible -- services that are made available simply by switching the VIP 
> back to CARP.  I'm not using any failover/etc. so I'd like to simplify and 
> thought Alias IP VIPs were the right choice.


Yeah, depending on the service if you change the VIP type you probably have to 
rebind and restart the service.  It is probably not a hitless event.



Re: [pfSense] how to get to CARP settings in 2.2?

2015-02-28 Thread Chris L
To set up the actual CARP VIPs you go to Firewall > Virtual IPs then create a 
VIP of type CARP. That’s where you set the freq, skew, etc.

> On Feb 28, 2015, at 7:18 AM, Vick Khera vi...@khera.org wrote:
> 
> I must be totally blind here, but I cannot get to CARP configuration settings 
> on my 2.2 install.
> 
> I traversed the menus:
> 
> Status -> CARP then clicked the + icon, but that takes me to HA sync.
> 
> Firewall -> Virtual IPs -> CARP Settings, but that also takes me to HA sync.


Re: [pfSense] Multi-WAN port forwarding

2015-02-12 Thread Chris L
SIP is UDP, not TCP.

> On Feb 12, 2015, at 12:33 PM, Tiernan OToole tier...@tiernanotoole.ie wrote:
> 
> Morning all.
> 
> I have a question I hope someone can help me with.
> 
> I have my PFSense server with 3 WAN connections, load balanced and I need to 
> start forwarding ports, specifically SIP ports. I have done port forwarding 
> on port 80, and it works grand, but doing the same steps with 5060, not so 
> much…
> 
> The steps I took were:
> 
> Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both *, 
> dest = WAN1 address, dst port 5060, nat IP (internal ip of the voip box), nat 
> ports 5060
> 
> Did this for each WAN connection and again for other ports… but the VoIP 
> firewall checker is still telling me the ports ain't open… What am I doing 
> wrong?
> 
> It works on port 80! Why not SIP?!
> 
> Thanks.
> 
> --Tiernan


Re: [pfSense] 2.2-RELEASE (i386) - FTP passive mode broken

2015-02-09 Thread Chris L

> On Feb 9, 2015, at 9:18 AM, Sergii Cherkashyn ser...@accurategroup.com 
> wrote:
> 
> After pfSense upgrade to 2.2, clients’ connection to FTP server is broken.
> 
> On the server side we see that the server tells the client to connect to port 
> in 5000-5050 range per our settings, but the client that is behind the 
> 15000-25000 range. Everything works fine with 2.1.5 version
> 
> Playing with System > Advanced > System Tunables tab, debug.pfftpproxy 
> doesn’t fix the issue.  And debug.pfftpports tunable is missing.
> 
> Workaround is to allow all ports to the FTP server IP.
> 
> Does anybody experience the same issue and what is the solution?

https://doc.pfsense.org/index.php/Upgrade_Guide#FTP_Proxy



Re: [pfSense] 2.2 Packages

2015-01-30 Thread Chris L

> On Jan 30, 2015, at 12:07 PM, Brian Caouette bri...@dlois.com wrote:
> 
> Where is a good place to monitor for package updates for 2.2? I had to revert 
> back to 2.1.5 after a fatal error shut me down.

I have had pretty good success getting an RSS feed on the 2.1 branch of the 
main pfsense github repository.  You might have the same luck with 
github/pfsense-packages.

RSS feed of docs.pfsense.org has been enlightening as well.  jimp’s been hard 
at work lately.



Re: [pfSense] New pfSense 2.2 install

2015-01-29 Thread Chris L

> On Jan 29, 2015, at 8:53 AM, compdoc comp...@hotrodpc.com wrote:
> 
> The link I'm working with is:
> 
> http://www.malwaredomainlist.com/hostslist/ip.txt
> 
> 
> When an alias is created with this url, do you know where the list is stored
> on pfSense? I just want to see if I've created the alias correctly and that
> the list matches the ip addresses in the url. 

Pretty sure you can see that info in Diagnostics > Tables



Re: [pfSense] Enforcing policy routing gateway

2015-01-20 Thread Chris L
On every rule that specifies a gateway, set a mark on the traffic then block 
the traffic with the mark on the interface(s) you don’t want it to egress.

Say you have GW_WAN1 and GW_WAN2.

On the rule that policy routes traffic out GW_WAN2, make the rule also set a 
mark of WAN2_ONLY.

Then make a floating rule on WAN1 out that blocks or rejects traffic marked 
with WAN2_ONLY.

> On Jan 20, 2015, at 10:28 AM, Steven Sherwood stev...@coc.ca wrote:
> 
> I have two kludgy (and untested) ideas if per gateway functionality is 
> required.
> 
> 1)  Disable gateway monitoring for your VPN gateway so pfSense always 
> considers it ‘up’.  Your traffic wouldn’t flow to the default gateway, but 
> you also wouldn’t know the VPN gateway was down. (in pfSense at least)  You’d 
> need to rely on an external tool to check if the real gateway/subnet was 
> still available.
> 2)  Activate a new interface (real or virtual) and define a new gateway 
> for that interface.  As above, disable gateway monitoring to this ‘gateway to 
> nowhere’ (GWTN), but leave gateway monitoring on (as-is) for your VPN 
> gateway.  Create a new fail-over gateway group with your real VPN gateway as 
> Tier 1, and your GWTN as Tier 2.  In an actual failover situation, your VPN 
> GW would show offline, and your traffic should failover to the GWTN.  Prevent 
> leaking by defining block rules to your subnet(s) on the new interface.
> 
> Again – these are untested ideas which came to me when you mentioned the 
> desire to do what you wanted on a per gateway basis.  I don’t know what your 
> application is or how secure you need this to be, but it might be a better 
> option for you than the global one currently available.
> 
> Moving forward, an option to null route traffic should the GW go down on a 
> per interface basis would be great as an enhancement.
> 
> Steve
> 
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> Sent: Sunday, January 11, 2015 10:41 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Enforcing policy routing gateway
> 
> On Fri, Jan 9, 2015 at 11:07 PM, Tim Eggleston tim.li...@eggleston.ca wrote:
> 
>> On 2015-01-09 19:45, Chris Bagnall wrote:
>> 
>>> Check the setting of System -> Advanced -> Miscellaneous -> Skip rules
>>> when gateway is down.
>> 
>> Nice! That sounds like exactly what I'm after. Shame it's global and not a 
>> per-policy-route or per-gateway setting but I'll take what I can get. Many 
>> thanks!
>> 
>> ---tim
> 
> 
> Depending on how complex your rules are, you could also create negative 
> versions of them that explicitly block that traffic on all other interfaces 
> except the VPN.  (Aliases could help simplify that, but you may or may not 
> actually want to do it, depending on the rule complexity.)
> 
> Moshe
> 
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732


Re: [pfSense] How to change driver for NIC

2015-01-04 Thread Chris L

 On Jan 4, 2015, at 1:42 PM, Morten Christensen mc-m...@g.mc.cx wrote:
 
 
 Den 04-01-2015 kl. 18:57 skrev compdoc:
 Is it impossible to try to improve on pfSense 2.2's problem in pfSense
 You might not be the only person having the problem, but I haven't
 researched to know for sure.
 
 Sometimes, it's possible to do the work and discover the problem yourself.
 There are a few areas of experimentation that might lead to the problem, or
 to the solution...
 
 First of all, it's possible that there is a problem with that version of
 pfSense. Something that may be fixed before or after its release.
 
 Or, it's possible there is a problem with the drivers for the virtual NICs in
 that version of freebsd. Guess that would be either the 100baseT Realtek NIC
 emulation, or the xenserver NIC drivers if you have managed to install
 those.
 
 You can see if a better or newer driver exists. I have compiled realtek's
 newest freebsd drivers myself and used them, for example.
 If I could find drivers, I have no idea how to install them on pfSense.
 If you were to try the e1000 emulation as suggested in the url I posted and
 saw no improvement, that knowledge might be a great help to the community.
 I tried to make the change from your link in the XenServer, and installed a 
 new pfSense 2.2.
 The pfSense's NICs were called xn like before, so I have no idea if it had 
 any effect.
 
 The iperf network speed from another VM on the same Xenserver through pfSense 
 was 1,4 Kbits/sec. As unusable as before with pfSense 2.2.
 
 
 Finally, there's the actual server hardware itself. Its takes a certain
 speed and type cpu to host virtual machine firewalls. Also, certain brands
 of network cards perform better than others. Maybe you can describe these...
 I don't think it is the hardware.
 On the same hardware and the same XenServer install, pfSense 2.1, IPCop 
 and Zentyal are all acting normally.
 It is only pfSense 2.2 that has this unusable speed from other VMs in 
 the XenServer.
 
 
 As said in the other thread. Speed from behind the xenserver is normal.


There is definitely something wrong with 2.2 under XenServer 6.2.  I’m seeing 
exactly the same thing as Morten.  To pfSense is fine.  Through pfSense is 
horrible.

2.1.5 is fine but represents re adapters, not xn.  I have not tried from 
pfSense to a VM on the same vswitch yet.  Only through pfSense 2.2 to the WAN.


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Very slow traffic from other VM's through pfSense 2.2RC on XenServer

2014-12-27 Thread Chris L

 On Dec 27, 2014, at 3:25 PM, Morten Christensen mc-m...@g.mc.cx wrote:
 
 
 Den 22-12-2014 kl. 20:43 skrev Morten Christensen:
 
 Den 20-12-2014 23:33, Morten Christensen skrev:
 I have 2 XenServers, 1 with XenServer 6.2 and one with Xenserver Creedence 
 beta 3.
 
 Both have a pfSense 2.2 RC as router/firewall and a couple of Ubuntu Linux 
 VM's and a windows-VM.
 
 Traffic through both the physical xenserver-box and the virtual pfSense 
 firewall goes at expected speeds.
 But traffic from the other VM's on the same server through the pfSense out 
 on wan/internet goes very, very slow.
 It goes so bad they cannot update themselves with apt-get.
 
 When I try with iperf from a linux VM through the pfSense's WAN the speed 
 is 3,82 KBits/sec.
 The VM's and pfSense are connected with an internal single-server network 
 (as OPT1), and tests to iperf server run on pfSense from a linux VM shows 
 gigabit-speed.
 
 One of the pfSenses has xen-tools installed. The other has not. I cannot see 
 improvements with the tools installed.
 
 One of my XenServers can get several public IP numbers. On that I now have 
 installed VM's with both an IPCop firewall and a Zentyal firewall.
 When one of those new firewall-VMs is default gateway for the ordinary VM's 
 on the XenServer, theirm...@moseboelle.dk is normal.
 
 So it must be a configuration problem on pfSense.
 
 Still no ideas how to find the problem ?
 
 Tried to install a pfSense 2.1.5 as VM.
 With 2.1.5 as default gateway other VM's on the Xenserver have normal 
 wan/internet-speed.
 
 But very slow speed through 2.2RC continues.
 

I installed 2.2-RC and am seeing exactly the same thing.  12/26 2.2-RC and 
XenServer 6.2

Upgrading from 2.1.5 yielded an unbootable node (can’t mount root).

I then attached the .iso to the existing 2.1.5 vm and installed fresh.  Got the 
slow throughput.

I then created a new VM using the iso and got the slow throughput.

I disabled NAT for this virtual LAN - WAN and told my actual external pfSense 
to NAT for the internal network and no change.

Shaping disabled, no limiters defined.


Re: [pfSense] Aliases are auto-deleted

2014-12-09 Thread Chris L
On Dec 9, 2014, at 1:13 PM, Volker Kuhlmann list0...@paradise.net.nz wrote:

 Is this why gateway monitoring is active by default? I'd have guessed
 most pfsense installs to be single WAN. What would gw monitoring be
 useful for then? Nothing could be done about the Internet going
 offline.

It’s nice to have the RRD graph for quality.




Re: [pfSense] Aliases are auto-deleted

2014-12-09 Thread Chris L

On Dec 9, 2014, at 2:04 PM, Volker Kuhlmann list0...@paradise.net.nz wrote:

 On Wed 10 Dec 2014 07:39:36 NZDT +1300, Ryan Clough wrote:
 
 I, too, am using aliases which do not retain domain names or IP addresses.
 
 I opened https://redmine.pfsense.org/issues/4087
 
 What happens is that a rule reload, which can be triggered by many
 things e.g. interface yoyo (see WAN gw) or applying alias or rule
 changes, clears all the FQDN alias entries from the tables used by pf,
 and then fails to put them back in. They are added again some time
 later, but I don't know what some time is, several minutes at least.
 Meanwhile the user interface is showing these entries as being part of
 the running rule set when they are silently not. I consider that to be a
 security problem - the running rule set is not the configured one.

If you’re using my DNS zone to generate a block list for my IPs I can
make those names return anything I want and get through anyway.

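A small consistency check for the failure Volker describes above, added here as an example and not code from pfSense or from anyone in this thread: it takes the alias definition, the addresses the firewall's resolver currently returns for each FQDN member, and the output of `pfctl -t <alias> -T show`, and lists every address the configuration implies but the live pf table is not enforcing. The alias name, host names, resolver answers and table dump below are all constructed sample values; on a real firewall the last two would come from the resolver and from pfctl.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample alias (hypothetical name and members): a pfSense host alias
# mixing two FQDNs with a literal network, referenced by a block rule.
ALIAS_CONFIG: Dict[str, List[str]] = {
    "BlockList": ["bad.example.net", "198.51.100.0/24", "evil.example.org"],
}

# Constructed stand-in for what the firewall's resolver currently answers for
# each FQDN member (documentation-range addresses, not real hosts).
DNS_ANSWERS: Dict[str, List[str]] = {
    "bad.example.net": ["203.0.113.10", "203.0.113.11"],
    "evil.example.org": ["192.0.2.77"],
}

# Constructed output of `pfctl -t BlockList -T show` captured right after a
# filter reload: only the literal network survived, the FQDN entries are gone.
PFCTL_SHOW_AFTER_RELOAD = """\
   198.51.100.0/24
"""


def expected_table(alias: str, config=ALIAS_CONFIG, dns=DNS_ANSWERS) -> Set:
    """Every network the alias should expand to: literal members as written,
    FQDN members replaced by the addresses the resolver returned for them."""
    wanted = set()
    for member in config[alias]:
        try:
            wanted.add(ipaddress.ip_network(member, strict=False))
        except ValueError:  # neither an address nor a CIDR, so treat it as an FQDN
            for addr in dns.get(member, []):
                wanted.add(ipaddress.ip_network(addr))
    return wanted


def parse_pfctl_show(text: str) -> Set:
    """Parse `pfctl -t NAME -T show`: one address or CIDR per line, indented."""
    table = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            table.add(ipaddress.ip_network(line, strict=False))
    return table


def _fmt(net) -> str:
    # print single hosts without the /32 or /128 suffix, networks as CIDR
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def missing_from_live_table(alias: str, pfctl_text: str,
                            config=ALIAS_CONFIG, dns=DNS_ANSWERS) -> List[str]:
    """Addresses the configuration promises but pf is not currently enforcing.
    A non-empty result means the running rule set differs from the configured one."""
    missing = expected_table(alias, config, dns) - parse_pfctl_show(pfctl_text)
    return sorted(_fmt(n) for n in missing)


if __name__ == "__main__":
    for entry in missing_from_live_table("BlockList", PFCTL_SHOW_AFTER_RELOAD):
        print(f"configured but absent from pf table BlockList: {entry}")
```

Run periodically (or right after every filter reload) and alert on a non-empty result; that turns the silent gap Volker describes into something visible. It also makes Chris's point concrete: the expected set is only as good as the DNS answers that feed it, so an FQDN-based block list is controlled by whoever answers for those names.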


Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-09 Thread Chris L


On Dec 9, 2014, at 8:53 PM, Karl Fife karlf...@gmail.com wrote:

 In the wild, I'm seeing an increasing number of crappy consumer/ISP
 routers with subnets that conflict with ours (10../8). Comcast appears
 to be a common offender, curiously allocating the largest private subnet
 to their smallest customers.  Of course this breaks VPN due to address
 ambiguity/conflicts.

That’s actually your fault for using 10/8, not Comcast's.

Even if they were to use something like 10.58.223.0/24 they’d still conflict 
with your 10/8.


Re: [pfSense] secure management access on transparent bridge firewall

2014-12-08 Thread Chris L
Management VLAN.

On Dec 8, 2014, at 9:08 AM, Richard Lussier richard.luss...@inter-node.com 
wrote:

 Hi,
 
 We are providing Internet access to coop housing (50 units)
 We have a transit access to the exchange via Fiber and a /26 public IPV4 
 addresses.
 
 I purchased a Netgate C2758 router to be able to do limiter and traffic 
 shaping at rush hour.
 I did set-up a transparent bridge and everything works fine so far.
 This feeds two Cisco SF300 Switches, and each unit has a tp-link wdr3600 
 wireless router with static address.
 
 I need to secure the management interface to the pfSense and to the switches.
 I could make a rule to let access only to a fixed IP source, but I travel a 
 lot and need flexibility.
 The best for me would be on openvpn.
 Is this possible without a LAN? Or ...?
 
 Thank you,
 
 Richard
 
 



Re: [pfSense] Limit bandwith pr user / ip

2014-11-02 Thread Chris L

On Nov 1, 2014, at 11:15 PM, Vassilis V. bigracc...@gmx.net wrote:

 Thank you Chris!
 
 Since I am interested in this too, are there any tricks when you want to
 do the same but you have a multi-WAN setup, or ,probably even worse, a
 multi-WAN setup with different WAN bandwidth?


With multi-WAN, you would probably want to create a limiter set for each WAN, 
then set the limiters with floating Match rules on the WAN interfaces in the 
outbound direction.

That way you would have different limiters for each WAN.  You could restrict 
the limit to traffic from certain interfaces with source “LAN net” etc.

Just a guess but that’d be what I would try.

Note that if you set them on a rule with interface direction “out” the In/Out 
directions are reversed, and the perspective will be from WAN instead of LAN, 
so you want to be sure they’re not backwards.




Re: [pfSense] Limit bandwith pr user / ip

2014-11-01 Thread Chris L

On Nov 1, 2014, at 4:07 PM, Morten Christensen mc-m...@g.mc.cx wrote:

 I am going to setup pfSense as gateway/firewall in front of a small wireless 
 broadband system with 10 to 20 houses connected.
 
 We want to prevent one single house from taking up all bandwidth when other 
 users can use their share, but not to restrict anyone unnecessarily when 
 demand is low.
 
 I have found howtos that make permanent limits on each user's or IP number's 
 bandwidth. They seem to make that limitation without caring whether the 
 limitation is needed.
 Other howtos show how to make smarter QoS limitations based on different 
 applications, like telephones versus HTTP download, that are only active when a 
 service actually needs the bandwidth.
 
 Do you know of howtos that can limit a user's bandwidth when the line is under 
 heavy use, but not when that user is alone on the line, and that do not care 
 if the user is downloading an ISO, streaming HDTV or making a 
 video conference?
 


You create a limiter for the total amount of bandwidth available, then create a 
child limiter that masks on IP addresses.

Make a limiter for uploads masked on source addresses and a limiter for 
downloads masked by destination addresses.

Everyone has the full capacity unless/until there is contention.

The steps are outlined starting here:

https://forum.pfsense.org/index.php?topic=63531.msg364520#msg364520

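What "everyone has the full capacity unless/until there is contention" means in numbers, as an added example serving both this reply and the multi-WAN follow-up above (it is not pfSense's or dummynet's code, just a model of the per-address mask): a child limiter masked on the source address gives each sending host its own queue, one masked on the destination gives each receiving host its own queue, and the parent's capacity is divided among the active queues by max-min fairness. Addresses, rates and the flow records are constructed sample values.

```python
from typing import Dict, List


def max_min_fair_share(capacity_kbps: float, demands: Dict[str, float]) -> Dict[str, float]:
    """Split capacity so no host gets more than it asks for and whatever is left
    is shared equally among the hosts still asking for more (max-min fairness).

    This is the behaviour a limiter masked per address gives: a host alone on
    the line gets the whole pipe, and rates only shrink under contention."""
    allocation: Dict[str, float] = {}
    remaining = float(capacity_kbps)
    pending = {host: float(d) for host, d in demands.items() if d > 0}
    while pending:
        share = remaining / len(pending)
        satisfied = {host: d for host, d in pending.items() if d <= share}
        if not satisfied:
            # everyone left wants more than an equal share: cap them all at it
            for host in pending:
                allocation[host] = share
            break
        # hosts asking for less than their share get exactly what they asked for
        for host, d in satisfied.items():
            allocation[host] = d
            remaining -= d
            del pending[host]
    return allocation


def limiter_rates(capacity_kbps: float, flows: List[dict], direction: str) -> Dict[str, float]:
    """Model one child limiter with an address mask. "upload" masks on the
    source address (one dynamic queue per LAN host sending); "download" masks
    on the destination (one queue per LAN host receiving)."""
    if direction not in ("upload", "download"):
        raise ValueError("direction must be 'upload' or 'download'")
    key = "src" if direction == "upload" else "dst"
    per_host: Dict[str, float] = {}
    for flow in flows:
        per_host[flow[key]] = per_host.get(flow[key], 0.0) + flow["demand_kbps"]
    return max_min_fair_share(capacity_kbps, per_host)


# Constructed sample: a 20 Mbit/s downlink shared by three houses on the LAN.
DOWNLINK_KBPS = 20000
SAMPLE_DOWNLOAD_FLOWS = [
    {"src": "203.0.113.5", "dst": "192.168.1.10", "demand_kbps": 50000},  # ISO download
    {"src": "203.0.113.6", "dst": "192.168.1.10", "demand_kbps": 8000},   # same house, HD stream
    {"src": "203.0.113.7", "dst": "192.168.1.20", "demand_kbps": 3000},   # video conference
    {"src": "203.0.113.8", "dst": "192.168.1.30", "demand_kbps": 30000},  # another ISO
]

if __name__ == "__main__":
    rates = limiter_rates(DOWNLINK_KBPS, SAMPLE_DOWNLOAD_FLOWS, "download")
    for host, rate in sorted(rates.items()):
        print(f"{host:>14}: {rate:8.0f} kbit/s")
    # a single active house is not limited at all
    print(limiter_rates(DOWNLINK_KBPS, SAMPLE_DOWNLOAD_FLOWS[:1], "download"))
```

Note what happens when the mask is on the wrong side: masking the download limiter on the source address lumps every LAN host behind one Internet server into a single queue, which is the backwards result Chris warns about for rules applied in the "out" direction on WAN.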


Re: [pfSense] Vlan Question

2014-10-29 Thread Chris L
On Oct 29, 2014, at 10:54 AM, Jon Munford jon.munf...@nlcsd.org wrote:

 I have an internet VLAN that is VLAN 10.  Right now I have the traffic 
 tagged on my L3 switch and pfSense and all is working well.  My issue is that 
 my internet filter that sits between the two needs to have an untagged VLAN.  
 While my L3 switch can easily change to untagged VLAN 10, how do I tell 
 pfSense that I want VLAN 10 to be untagged and not tagged?
 
 Thanks!
 -Jon

You can tag to pfSense and untag to other ports.  A mix of tagged and untagged 
ports is perfectly normal.  When an untagged port receives traffic, it is put 
on the untagged VLAN.  When an untagged port needs to transmit, the VLAN tag is 
stripped.  No special consideration or configuration is needed on the device 
plugged into the untagged port.  It thinks it's on VLAN 1 (default VLAN 
untagged).


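The tag handling Chris describes, as an added example (my own illustration, not code from pfSense or from any switch vendor): an 802.1Q tag is four bytes inserted after the source MAC, an untagged port transmits the frame with those bytes removed and assigns received untagged frames to its native VLAN, and a tagged port inserts them. This is why pfSense's em0 sees what arrives on an untagged port while em0_vlan10 only sees frames tagged with VID 10. The MAC addresses and payload are constructed.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, ethertype, payload).

    vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


def ingress_vlan(frame: bytes, port_native_vid: int) -> int:
    """VLAN a switch port assigns to a received frame: the tag if present,
    otherwise the port's untagged (native) VLAN."""
    vid = parse_frame(frame)[2]
    return port_native_vid if vid is None else vid


def egress_untagged(frame: bytes) -> bytes:
    """What an untagged port transmits: the same frame with the tag removed."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return dst + src + struct.pack("!H", ethertype) + payload


def egress_tagged(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """What a tagged (trunk) port transmits: the frame with an 802.1Q tag inserted."""
    dst, src, existing, ethertype, payload = parse_frame(frame)
    if existing is not None:
        raise ValueError("frame is already tagged")
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


# Constructed sample frame: locally administered MACs and a dummy IPv4 payload.
SAMPLE_UNTAGGED = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
                   + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19)
SAMPLE_TAGGED_10 = egress_tagged(SAMPLE_UNTAGGED, 10)

if __name__ == "__main__":
    print("tagged frame carries VID", parse_frame(SAMPLE_TAGGED_10)[2])
    print("untagged port puts it on VLAN", ingress_vlan(SAMPLE_UNTAGGED, 10))
    print("tag stripped on egress:", egress_untagged(SAMPLE_TAGGED_10) == SAMPLE_UNTAGGED)
```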


Re: [pfSense] Vlan Question

2014-10-29 Thread Chris L


On Oct 29, 2014, at 11:02 AM, Jon Munford jon.munf...@nlcsd.org wrote:

 A bit of clarification. The content filter sits inline between the L3 switch 
 and pfSense and all 3 use VLAN 10.  I just need to make VLAN 10 untagged 
 instead of tagged.  I'm not sure how to do that in pfSense.
 
 On Wed, Oct 29, 2014 at 12:59 PM, Chris L c...@viptalk.net wrote:
 On Oct 29, 2014, at 10:54 AM, Jon Munford jon.munf...@nlcsd.org wrote:
 
  I have an internet VLAN that is VLAN 10.  Right now I have the traffic 
  tagged on my L3 switch and pfSense and all is working well.  My issue is 
  that my internet filter that sits between the two needs to have an untagged 
  VLAN.  While my L3 switch can easily change to untagged VLAN 10, how do I 
  tell pfSense that I want VLAN 10 to be untagged and not tagged?
 
  Thanks!
  -Jon
 
 You can tag to pfSense and untag to other ports.  A mix of tagged and 
 untagged ports is perfectly normal.  When an untagged port receives traffic, 
 it is put on the untagged VLAN.  When an untagged port needs to transmit, the 
 VLAN tag is stripped.  No special consideration or configuration is needed on 
 the device plugged into the untagged port.  It thinks it's on VLAN 1 (default 
 VLAN untagged).
 


Put pfsense on an untagged port and assign it to the untagged interface.  If 
your tagged interface is em0_vlan10, assign it to em0.

If you need multiple VLANs on the pfSense interface, you likely can’t.  Depends 
on the capabilities of the internet filter that will have to forward tagged 
traffic through to the switch.


Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris L

On Oct 23, 2014, at 9:06 AM, Jim Thompson j...@netgate.com wrote:

 We don't release the tuning info, and, incredibly, a couple people a month 
 write in demanding it.

Does this mean there’s a special, hardware-specific version of pfSense (or a 
package or ?) or is the tuning in the hardware itself?


Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris L

On Oct 23, 2014, at 1:13 PM, Adam Thompson athom...@athompso.net wrote:

 On 14-10-23 03:06 PM, Chris L wrote:
 We don't release the tuning info, and, incredibly, a couple people a month 
 write in demanding it.
 Does this mean there’s a special, hardware-specific version of pfSense (or a 
 package or ?) or is the tuning in the hardware itself?
 
 AFAIK it's the same software (plus or minus some logo and CSS changes? not 
 100% sure...), but with different sysctl values precisely (in theory) matched 
 to the hardware it's running on.  I would imagine they also ensure all the 
 BIOS settings are set appropriately, IRQs are distributed appropriately, etc.
 
 If you spent a few weeks testing the crap out of your own system, you'd be 
 able to figure out the precise values that maximized throughput for your 
 hardware, too.
 Note that the precise values that work for any particular piece of hardware 
 are unlikely to be precisely ideal for any other particular piece of 
 hardware... so even copying exactly what Netgate provides on *their* system 
 onto yours doesn't guarantee optimal performance.
 
 Besides, given what Jim just said, do you really think he's going to answer 
 your question? ;-)
 The value-add is technically in the labour, but the secret sauce is knowing 
 precisely where to direct that labour to maximize the value to his paying 
 customers.
 The rest of us get enough value from the software as it is.
 

I’m not asking what the changes are - I’m asking if these boxes require a 
special version of pfSense for maximum performance.

I am considering some C2758s and I’m curious.  I have another APU4 on its way 
to me as we speak.

If it’s just sysctl values then it’s not possible to keep it secret.  sysctl 
-a, sysctl -a, diff

If it’s a custom kernel, etc, then I have to take waiting for netgate to issue 
patches into consideration.  Now and in the future.




Re: [pfSense] NIC support

2014-10-15 Thread Chris L

On Oct 15, 2014, at 12:59 AM, Ulrik Lunddahl u...@proconsult.dk wrote:

 Will an SMB without L3 capable switches, that needs routing between 3-4 local 
 subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to wirespeed as 
 possible, be happy with a C2758?
  
 Very.  
  
 Is a dual socket Xeon a bit faster? Yes.  
 Does your application need that speed? Unlikely. 
 
 Really depends on what you mean by wirespeed. 
  
 The case I always seem to run into is Clients on the LAN, moving a bulk 
 amount of data to/from NAS devices on the SERVER or DMZ subnet, that is 
 typically backup data or data that are somewhat being replicated.
  
 I work a lot with companies dealing in media, and RAW images and/or video are 
 huge, and devices to store them on are dead cheap.
  
 I also work a lot with virtual environments; backup and replication of 
 virtual machines also generate huge files, which need to be transferred as 
 fast as possible.
  
 So having a hardware router that can both handle internet access from the 
 many LAN clients, and hours of forwarding at interface speed between a few 
 other interfaces is what I would like.
  
 Let’s say that we have an Intel Rangeley Atom 8-core C2758 box with 5 
 interfaces. (WAN, LAN, SERVERS, OPT1, OPT2)
  
 Will it be able to handle forwarding the packets generated from copying 
 approx. 1 TB of files from LAN to SERVERS and OPT1 to OPT2, and service 50 
 computers + 50 phones with heavy internet usage,
  
 NAT only, very few rules?
  
 I ask because I have no idea how powerful the new Atoms are.
 

My first thoughts are:

What is the threat profile you are facing in your organization?  Why do you 
need a firewall between your users and your NAS?

I, personally, would not put pfSense in that duty.  If firewalling was not 
necessary, I’d use a layer 3 switch.  And with only 100 devices plus a few 
servers, I’d wonder why layer 2 wouldn’t suffice.



Re: [pfSense] pfsense DNS routing issue

2014-09-24 Thread Chris L

On Sep 24, 2014, at 8:58 AM, Ehsan Sabri ehsa...@gmail.com wrote:

 Hey everyone,
 
 I hope you are well. I am having some issues in connecting to the internet to 
 install packages using my pfsense box [2.1.5-RELEASE] and was looking for 
 some help if possible. I have 1 WAN (with gateway) and 2 LAN interfaces 
 configured for the pfsense box.
 
 So I just ran a bunch of tests and wanted to share the results with you.
 
 01. Gateway configured to 10.113.114.1
 
 When I set the gateway to this IPv4 address, I am unable to see “You are on 
 the latest version” on the pfsense dashboard with the correct proxy settings. 
 Also I don't get any internet activity on the 2 LAN interfaces that I have 
 configured with pfsense. I am unable to browse anything in those machines as 
 I get a proxy server error. When I changed back to 10.113.114.129 for the 
 Gateway for the WAN interface, I am able to see the message “You are on the 
 latest version” on pfsense dashboard along with the fact that I am able to 
 browse the internet in the two LAN interfaces that are connected to the 
 pfsense box, but not the pfsense box itself.
 
 02. Pinging the two LAN interfaces
 
 When I ping the two LAN interfaces from the pfsense box, I get packets 
 received results which means I am able to ping them both accordingly. Also 
 when I ping the WAN of the pfsense box from any of the LAN interfaces, I am 
 able to see ping results as well. 
 
 03. The two LAN interfaces connect to the internet from the browser but 
 don't ping any outside DNS.
 
 So with the correct config of the WAN in the pfsense box, I am able to browse 
 the internet in the machines that are connected to the LAN interfaces of the 
 pfsense box using the browser but when I am trying to ping any DNS server 
 (eg., www.google.ca), I am not seeing any results.
 
 As a TLDR - I am able to browse the internet from the 2 LAN interfaces 
 connected to the pfsense box but not through the WAN interface. Also it seems 
 that if I have the incorrect configuration of the pfsense WAN interface, I do 
 not access internet in any of the LAN interfaces.
 
 Hopefully, this gives a clear picture

Double-tapping the forum and the mailing list is discouraged.

“Do not crosspost! If you are looking for quick answers try IRC first. If you 
do not get any answers there, try either Forum or mailing lists. NEVER both.”




[pfSense] Crash Dump Analysis?

2014-08-19 Thread Chris L
Looks like this is the crucial text from the dump:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x420
fault code  = supervisor read data, page not present
instruction pointer = 0x20:0x8023be83
stack pointer   = 0x28:0xff8000183320
frame pointer   = 0x28:0xff8000183350
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags= interrupt enabled, resume, IOPL = 0
current process = 12 (irq16: bge0 bge1+)

I want to tell them I need new hardware.  This is a pretty old legacy server.

Any ideas what that indicates?


[pfSense] Hang Outs

2014-07-03 Thread Chris L
Is there an official way to request/suggest hangout topics?

I’d love to see “Traffic Shaping with HFSC”


Re: [pfSense] Network Topology - Home Lab

2014-06-29 Thread Chris L

On Jun 28, 2014, at 11:18 PM, Jonatas Baldin jonatas.bal...@gmail.com wrote:

 Hi guys, how are you doing? I hope someone can bring me some lights here haha 
 I know this thread isn't pfSense specific, it's more a network 
 discussion, but I know someone here can help! Plus, if you know some good 
 mailing list for Network discussion, please send me!
 
 Well, I got some equipment to make a network home lab for study, and before I 
 start to set everything up, I need to fill up some issues.
 
 First, I want my topology to look more or less like this:
 http://imgur.com/aDBbBZK

Fairly straightforward.

 
 - My pfSense box is facing the Internet, using PPPoE DSL authentication from 
 my ISP, and providing a DMZ and a LAN subnet.
 - After, this subnet is connected to VyOS (router OS, fork from Vyatta), that 
 finally routes to the clients (and another VyOS, where I'll use OSPF).
 
 My doubts are:
 - Is this generally OK? Is it recommended?
 

Looks fine if what’s in the diagram is what you want to accomplish.


 - If I want to make NAT rules for my clients in LAN A, an 8080 port for 
 example, what configuration should I make? Because pfSense doesn't know 
 directly the LAN subnet... Should I make a NAT for the VyOS and there make 
 another one?
 

NAT needs to happen where NAT needs to happen.  You probably don’t need to NAT 
between 10.0.0.0/24 and 192.168.10.0/24.  You would set up NAT in pfSense to 
the 192.168.10.X address.  Note that pfSense will need routes so it knows to 
send traffic for 192.168.10.0/24 and 192.168.20.0/24 to 10.0.0.10.

 - If I make a mobile IPsec VPN in the pfSense box, will I get access normally 
 to the LANs?

You will need to tell IPsec to tell its clients that they can reach all the 
networks over the VPN connection (The clients need to know to route all traffic 
for 10.0.0.1/24, 192.168.10.0/24, 192.168.20.0/24, and possibly 172.16.0.0/24 
over the VPN connection).

 
 - What should the clients' Default Gateway be? Should it be the IP from the 
 router (and then, the router default GW  the IP from pfSense)?

What clients?  The default gateway for each client needs to be the gateway of 
last resort to get off its subnet.  A default gateway must be on the same 
subnet as the client. You probably want LANA to be 192.168.10.1, LANB 
192.168.20.1, and the VyOS routers 10.0.0.1.

 
 I know some how-to for configuring the pfSense and router, but I'm stuck in 
 the theory behind the topology.

It’s all in the diagram.  ;)  You can do the active/standby with two pfSenses 
and CARP.  Note that it would require switching for the outside and DMZ 
interfaces that isn’t pictured.

 
 PS: I still haven't developed this physically, it's just on the scratch... I 
 want to know if this is correct before I start.
 
 Best regards,
 Jonatas B.
 
 
 Jonatas Baldin de Oliveira
 IT Professional
 Skype: jonatas.baldin
 



Re: [pfSense] vmware

2014-05-28 Thread Chris L
I call [OT]

Please read a manual / move to an ESXi list.

On May 28, 2014, at 8:34 AM, Brian Caouette bri...@dlois.com wrote:

 virtual switch?
 
 On 5/28/2014 11:18 AM, Doug Lytle wrote:
  With a hardware configuration of two nics wan/lan how does each vm use 
 them?
 On my home ESXi system, the computer has 3 NICs.  Each NIC is assigned to a 
 virtual switch.  I have 3 Virtual switches, LAN, DMZ, Internet
 
 Each VM is assigned to one of the virtual switches, but in the case of my 
 pfSense VM, it is assigned all 3.  So, it ends up with 3 NIC(s), 1 on the 
 LAN, 1 on the DMZ and 1 on the Internet.
 
 Doug
 
 



Re: [pfSense] Poweredge 2850

2014-05-20 Thread Chris L
Citrix XenServer is worth a look too.

On May 20, 2014, at 11:03 AM, Ryan Coleman ryanjc...@me.com wrote:

 Same here - 4 servers around the country running it.
 
 
 On May 20, 2014, at 12:57, Doug Lytle supp...@drdos.info wrote:
 
 What software is
 available to do virtual machines?
 
 I'm currently using ESXi 5.10 Free version.
 
 Doug
 



Re: [pfSense] pfsense 2.1.3 and IPv6 problem

2014-05-15 Thread Chris L

On May 15, 2014, at 7:15 AM, R. Svejda r...@balsec.com wrote:

 
 On 14/05/14 17:55, Chris L wrote:
 On May 14, 2014, at 2:51 AM, R. Svejda r...@balsec.com wrote:
 
 Hi Chris
 
 generally full agreement with your suggestion, but that's not my problem. 
 Same IPv6 setup works well with the very same computer in 2nd network 
 environment, only difference is only the WAN link on the 2nd pfsense.
 
 In my case, I assume that:
 - client sends to IPv6 gateway on link-local address
 - link-local address is used by multiple devices
 - default route for IPv6 is HE tunnel (through gif0 interface)
 - But: pppoe2 interface (in very same link-local address!) has an own IPv6 
 gateway which is not working ..
 
 I am not a network pro and above thoughts might be wrong, but that's how I 
 see it now ...
 
 PS1: Most problematic (reliably failing) page in bad IPv6 setup is 
 de.wikipedia.org (never checked if en.wikipedia.org has the same problem)
 PS2: Ubuntu apt-get update && upgrade fail as well! It's not only web 
 access.
 
 
 
 Hi Chris
 That's the wrong path. Same client is working perfectly in Main Office. No 
 difference except for the WAN interface (pppoe at home office; static with 
 another upstream firewall at main office).
 
 1)
 Why is pppoe interface getting an IPv6 gateway assigned - in pfsense 
 settings, IPv6 is marked as NONE on WAN interface!

That’s a good question.  I assume you’ve reset the interface/restarted pfSense 
since disabling IPv6 on pppoe2.  I don’t have a PPPoE service to test with.  
It’s coming from somewhere. Check the logs when the interface resets/reboots.

 
 2)
 Why do the interfaces vr0, pppoe2, gif0 and vr1_vlan11 all have the same 
 link-local address? Especially vr1_vlan11 has the same link-local address as 
 the device vr0 while vr1 has a different one!

I don’t think that’s your problem.

http://www.freebsd.org/doc/en/books/developers-handbook/ipv6.html

“Interfaces that has no IEEE802 address (pseudo interfaces like tunnel 
interfaces, or ppp interfaces) will borrow IEEE802 address from other 
interfaces, such as Ethernet interfaces, whenever possible. If there is no 
IEEE802 hardware attached, a last resort pseudo-random value, MD5(hostname), 
will be used as source of link-local address. If it is not suitable for your 
usage, you will need to configure the link-local address manually.”

Though it does seem like vr1_vlan11 should use vr1’s MAC address to generate 
its link-local, I don’t think it’s causing your problems and is probably 
harmless - perhaps intended.

 
 IPv4 connection is on  pppoe2 / vr1_vlan
 IPv6 connection is on gif0
 LAN is vr0
 
 Anybody a hint? How can I disable or remove IPv6 config from pppoe/WAN?
 
 Radim
 
 
 
  old stuff, wrong order, sorry:
 
 regards, Radim
 
 
 On 14/05/14 10:06, Chris L wrote:
 Instead of generic, local ifconfig information, it might be more 
 beneficial to concentrate on a specific site that isn’t working and work 
 back from there.
 
 If you fix one, you might just fix them all.
 
 In dual-stack, I have found that the problem is usually receiving a good 
 AAAA record when querying DNS but not having a good v6 route.  Your 
 browser does the right thing, trying v6 first, gets a good DNS response, 
 but can’t get there.
 
 This is what I experience when my IP address changes.  It doesn’t happen 
 often, maybe every eight months or so, but it trashes my HE tunnel until I 
 get it reconfigured.  This is because IPv4 nameservers can give good  
 answers. But then there’s no IPv6 route.  The IPv4 nameserver has no idea 
 whether you have a good IPv6 route. It receives an AAAA resolution request 
 and dutifully obliges.
 
 My client computers have no idea the HE tunnel is dead.  They ask if 
 there’s an IPv6 router on the segment, get a response, and think 
 everything is hunky-dory so they ask for AAAA records first.  They get a 
 good response, and try to connect.  But the Internetv6 is down.  :(
 
 On May 14, 2014, at 12:47 AM, R.Sv. r...@balsec.com wrote:
 
 Dear all
 
 Started to play around with IPv6 with my Swiss provider (VTX, not yet 
 officially supporting IPv6) and HE.net IPv6 Tunnel.
 
 IPv6 works, but not correctly, some web pages do not load at all or never 
 finish loading. I guess because of some routing problem. Looking at 
 ifconfig I have 2 questions:
 
 1) Why do vr0, vr1_vlan, pppoe2 and gif0 interfaces have the same 
 link-local address?
 2) Why does pppoe2 have an official IPv6 address (in 
 GUI/Status/Interfaces it displays as Gateway IPv6)
 
 On the box, IPv6 is on
 On WAN interface: IPv4 Config Type: PPPoE; IPv6 Config Type: None
 
 With Config-Type=None I would expect no IPv6 configuration at all, except 
 a link-local address.
 I already tried other IPv6 config types for WAN, but result is always the 
 same. I have not yet contacted the provider.
 
 The multiple and for me weird distribution of link-local addresses is 
 probably my missing knowledge 
 But the IPv6 gateway on pppoe without
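
The derivation behind the handbook passage Chris quotes, as an added example (my own code, not FreeBSD's implementation): a link-local identifier built from a MAC address is the modified EUI-64 form, so the address can be traced back to the MAC it was borrowed from, and grouping the `ifconfig | grep inet6` lines by address shows which pseudo-interfaces borrowed which hardware identifier. The sample input is the ifconfig output from Radim's original message (quoted further down this page); the MD5(hostname) fallback mentioned in the handbook is not reproduced here, since its exact bit handling is not on this page, and the function simply reports such identifiers as not MAC-derived.

```python
import ipaddress
from typing import Dict, List, Optional


def link_local_from_mac(mac: str) -> str:
    """Modified EUI-64: flip the universal/local bit of the first octet, insert
    ff:fe between the OUI and the device part, then prefix fe80::/64."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def mac_from_link_local(addr: str) -> Optional[str]:
    """Reverse the derivation. Returns None when the identifier is not EUI-64
    shaped (fe80::1 on lo0, or an identifier derived from MD5(hostname))."""
    packed = ipaddress.IPv6Address(addr).packed
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def group_by_link_local(ifconfig_text: str) -> Dict[str, List[str]]:
    """Parse `ifconfig | grep inet6` lines and group interface names by their
    link-local address, so a borrowed identifier shows up as one address with
    several interface names behind it."""
    groups: Dict[str, List[str]] = {}
    for line in ifconfig_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "inet6" or "%" not in parts[1]:
            continue  # not an inet6 line, or a global/loopback address without a scope
        addr, iface = parts[1].split("%", 1)
        if ipaddress.IPv6Address(addr).is_link_local:
            groups.setdefault(addr, []).append(iface)
    return groups


# Radim's ifconfig output from this thread: vr0 and vr1 are the hardware ports,
# vr1_vlan11 is a pseudo-interface that has borrowed vr0's identifier.
RADIM_IFCONFIG = """\
inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
inet6 fe80::20d:b9ff:fe1c:b05%vr1 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 fe80::20d:b9ff:fe1c:b04%vr1_vlan11 prefixlen 64 scopeid 0x7
"""

if __name__ == "__main__":
    for addr, ifaces in group_by_link_local(RADIM_IFCONFIG).items():
        origin = mac_from_link_local(addr) or "not MAC-derived"
        print(f"{addr:<28} {', '.join(ifaces):<18} from MAC {origin}")
```

Sharing a link-local address between interfaces on different links is harmless because link-local scope is per interface (the %vr0 / %vr1_vlan11 zone suffix), which is the point Chris makes above; the grouping is still useful when checking that a VLAN sub-interface really did borrow its parent's identifier and not some other port's.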

Re: [pfSense] pfsense 2.1.3 and IPv6 problem

2014-05-14 Thread Chris L
Instead of generic, local ifconfig information, it might be more beneficial to 
concentrate on a specific site that isn’t working and work back from there.

If you fix one, you might just fix them all.

In dual-stack, I have found that the problem is usually receiving a good AAAA 
record when querying DNS but not having a good v6 route.  Your browser does the 
right thing, trying v6 first, gets a good DNS response, but can’t get there.

This is what I experience when my IP address changes.  It doesn’t happen often, 
maybe every eight months or so, but it trashes my HE tunnel until I get it 
reconfigured.  This is because IPv4 nameservers can give good AAAA answers. But 
then there’s no IPv6 route.  The IPv4 nameserver has no idea whether you have a 
good IPv6 route. It receives an AAAA resolution request and dutifully obliges.

My client computers have no idea the HE tunnel is dead.  They ask if there’s an 
IPv6 router on the segment, get a response, and think everything is hunky-dory 
so they ask for  records first.  They get a good response, and try to 
connect.  But the Internetv6 is down.  :(

On May 14, 2014, at 12:47 AM, R.Sv. r...@balsec.com wrote:

 Dear all
 
 Started to play around with IPv6 with my Swiss provider (VTX, not yet 
 officially supporting IPv6) and HE.net IPv6 Tunnel.
 
 IPv6 works, but not correctly: some web pages do not load at all or never 
 finish loading. I guess because of some routing problem. Looking at 
 ifconfig I have 2 questions:
 
 1) Why do vr0, vr1_vlan, pppoe2 and gif0 interfaces have the same link-local 
 address?
 2) Why does pppoe2 have an official IPv6 address (in GUI/Status/Interfaces 
 it displays as Gateway IPv6)?
 
 On the box, IPv6 is on.
 On WAN interface: IPv4 Config Type: PPPoE; IPv6 Config Type: None
 
 With Config-Type=None I would expect no IPv6 configuration at all, except a 
 link-local address.
 I already tried other IPv6 config types for WAN, but the result is always the 
 same. I have not yet contacted the provider.
 
 The multiple and, for me, weird distribution of link-local addresses is 
 probably my missing knowledge.
 But the IPv6 gateway on pppoe without having a routable IPv6 behind the link 
 is the problem! How can I prevent/delete that interface and routing setting?
 
 Setup:
 provider -> pppoe2 -> vr1_vlan11 -> WAN
 pfsense -> WAN -> vr1_vlan11 -> pppoe2 -> provider (VTX)
 pfsense -> IPV6HE -> gif0 -> WAN -> tunnel-to-ipv6 (HE)
 
 A very similar setup where WAN is a static address (private address/DMZ) 
 works without a problem. The problem is not the IPv6 tunnel setup.
 
 ifconfig | grep inet6:
 --
 [2.1.3-RELEASE][r...@pfs0097.xxx.ch]/root(2): ifconfig | grep inet6
inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
inet6 fe80::20d:b9ff:fe1c:b05%vr1 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 fe80::20d:b9ff:fe1c:b04%vr1_vlan11 prefixlen 64 scopeid 0x7
inet6 fe80::20d:b9ff:fe1c:b04%pppoe2 prefixlen 64 scopeid 0x8
inet6 2001:4c78:bee0:413:20d:b9ff:fe1c:b04 prefixlen 64 autoconf
inet6 2001:470:25:8c::2 -- 2001:470:25:8c::1 prefixlen 128
inet6 fe80::20d:b9ff:fe1c:b04%gif0 prefixlen 64 scopeid 0x9
 
 
 ifconfig:
 --
 [2.1.3-RELEASE][r...@pfs0097.xxx.ch]/root(1): ifconfig
 vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
     options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
     ether 00:0d:b9:1c:0b:04
     inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
     inet 172.28.58.1 netmask 0xffffff00 broadcast 172.28.58.255
     nd6 options=1<PERFORMNUD>
     media: Ethernet autoselect (100baseTX <full-duplex>)
     status: active
 vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
     options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
     ether 00:0d:b9:1c:0b:05
     inet6 fe80::20d:b9ff:fe1c:b05%vr1 prefixlen 64 scopeid 0x2
     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
     media: Ethernet autoselect (100baseTX <full-duplex>)
     status: active
 enc0: flags=0<> metric 0 mtu 1536
 pflog0: flags=100<PROMISC> metric 0 mtu 33192
 pfsync0: flags=0<> metric 0 mtu 1460
     syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
     options=3<RXCSUM,TXCSUM>
     inet 127.0.0.1 netmask 0xff000000
     inet6 ::1 prefixlen 128
     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
 vr1_vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
     ether 00:0d:b9:1c:0b:05
     inet6 fe80::20d:b9ff:fe1c:b04%vr1_vlan11 prefixlen 64 scopeid 0x7
     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
     media: Ethernet autoselect (100baseTX <full-duplex>)
     status: active
     vlan: 11 vlanpcp: 0 parent interface: 
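
The failure mode Chris describes (a good AAAA answer with no working v6 path) can be told apart from a DNS problem with a small two-family probe. The block below is an added example, not code from the thread or from pfSense; the hosts to check come from the command line and the verdict strings are my own.

```python
"""Dual-stack triage for the symptom above: a good AAAA answer but no working
IPv6 path.  Added example, not code from the thread or from pfSense; the hosts
to check come from the command line, the verdict strings are my own."""
import socket
import sys
from dataclasses import dataclass, field

# BROKEN_V6 is the thread's case: the nameserver cannot know whether this host
# has a working v6 route, so it answers the AAAA query and the browser stalls.
OK_DUAL = "ok: v4 and v6 both reachable"
OK_V4_ONLY = "ok: v4 only (no AAAA published)"
OK_V6_ONLY = "ok: v6 only (no A published)"
BROKEN_V6 = "broken: AAAA published but no IPv6 path (check tunnel/route, not DNS)"
BROKEN_V4 = "broken: A published but no IPv4 path"
UNREACHABLE = "unreachable: no usable path on either family"


@dataclass
class Probe:
    host: str
    a: list = field(default_factory=list)     # IPv4 addresses from DNS
    aaaa: list = field(default_factory=list)  # IPv6 addresses from DNS
    v4_reachable: bool = False                # some A address accepted a TCP connect
    v6_reachable: bool = False                # some AAAA address accepted a TCP connect


def classify(p: Probe) -> str:
    """Pure decision logic, kept free of I/O so it can be unit-tested."""
    v6 = p.v6_reachable if p.aaaa else None   # None: that family is not published
    v4 = p.v4_reachable if p.a else None
    if v6 is False and v4 is False:
        return UNREACHABLE
    if v6 is False:
        return BROKEN_V6
    if v4 is False:
        return BROKEN_V4
    if v6 and v4:
        return OK_DUAL
    if v6:
        return OK_V6_ONLY
    if v4:
        return OK_V4_ONLY
    return UNREACHABLE                        # neither A nor AAAA came back


def resolve(host: str, port: int):
    """Split getaddrinfo() results by family; empty lists if the name fails."""
    a, aaaa = set(), set()
    try:
        for family, _t, _p, _c, sockaddr in socket.getaddrinfo(
                host, port, proto=socket.IPPROTO_TCP):
            if family == socket.AF_INET:
                a.add(sockaddr[0])
            elif family == socket.AF_INET6:
                aaaa.add(sockaddr[0])
    except socket.gaierror:
        pass
    return sorted(a), sorted(aaaa)


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect to one literal address, no name lookup involved, so a
    timeout or RST here is attributable to that family's route alone."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except OSError:
        return False


def diagnose(host: str, port: int = 443) -> Probe:
    a, aaaa = resolve(host, port)
    return Probe(host, a, aaaa,
                 v4_reachable=any(tcp_reachable(x, port) for x in a),
                 v6_reachable=any(tcp_reachable(x, port) for x in aaaa))


if __name__ == "__main__":
    # usage: python3 dualstack_check.py host [host ...]
    for name in sys.argv[1:]:
        p = diagnose(name)
        print(f"{name}: A={p.a or '-'} AAAA={p.aaaa or '-'} -> {classify(p)}")
```

Run it from a client behind the tunnel against the site that hangs; a BROKEN_V6 verdict points at the gif0/route side rather than at the resolver.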

Re: [pfSense] pfsense 2.1.3 and IPv6 problem

2014-05-14 Thread Chris L
/ or http://[2620:0:863:ed1a::1] 
and I get the wikimedia “domain not configured” page for both.  That’s expected 
(HTTP 1.1) and indicates it’s all working as it should.  Note that the 
nameserver at 192.168.223.1/2001:470:f00e:223::1 is pfsense 2.1.3 with an IPv4 
connection and an HE tunnel over that.

What do you get?

See Also: www.whatismyipv6.com

 regards, Radim
 
 

Re: [pfSense] blog.pfsense.org OCSP lookup fails

2014-05-11 Thread Chris L
On May 11, 2014, at 7:21 AM, Angus Scott-Fleming an...@geoapps.com wrote:

 I was trying to read a post at https://blog.pfsense.org/ 
 but Firefox reports an OCSP failure at this site.
 
Problem loading page
https://blog.pfsense.org/?p=1287
 
Secure Connection Failed
 
An error occurred during a connection to 
blog.pfsense.org. The OCSP server experienced an 
internal error. (Error code: 
sec_error_ocsp_server_error)
 
The page you are trying to view cannot be shown 
because the authenticity of the received data could 
not be verified.
Please contact the website owners to inform them 
of this problem. Alternatively, use the command 
found in the help menu to report this broken site.
 
 Seems to me a security-conscious organization like 
 pfSense should pay close attention to SSL security issues 
 like this …

The OCSP server is run by the registrar, not pfSense.

I don’t believe this error has anything to do with mixed content on the page.

It simply means that you have hard fail turned on for OCSP and, for some 
reason, couldn’t check the status at the globalsign server.

$ openssl ocsp -CAfile globalsign.pem -issuer globalsign.pem -VAfile 
globalsign.pem -cert wildcard.pfsense.org.pem -url 
http://ocsp2.globalsign.com/gsdomainvalg2 -header HOST ocsp2.globalsign.com
Response verify OK
wildcard.pfsense.org.pem: good
This Update: May 11 18:19:06 2014 GMT

Works here.
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfSense version 2.1.1 has been released

2014-04-07 Thread Chris L
Does “custom screens” mean customizations to index.php as well?

captiveportal.inc and index.php always get whacked in an upgrade.

On Apr 7, 2014, at 10:46 AM, Brian Caouette bri...@dlois.com wrote:

 I love the CP. Have some nice customs screens made up for it. Not sure what 
 happen.
 
 On 4/7/2014 1:26 PM, Ryan Coleman wrote:
 Good to know - we’re pushing the CP at the pub in a few weeks and this would 
 be troubling.
 
 
 On Apr 7, 2014, at 12:25 PM, Brian Caouette bri...@dlois.com wrote:
 
 I noticed everything stopped working after update. After a few days pulling 
 hair I've found that disabling captive portal allows me to surf the net 
 again. Problem being we no longer have security without the Captive Portal.
 
 On 4/4/2014 11:58 AM, Jim Thompson wrote:
 
 Please see the blog post 
 https://blog.pfsense.org/?p=1238
 
 or changelog
 https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes
 
 for details.
 
 Happy upgrading.
 
 Jim
 
 
 


Re: [pfSense] Captive Portal questions - Interstitial page

2014-02-28 Thread Chris L
I don’t think so.  Your remote system will not have access to the things 
pfSense needs to add the captive portal bypass entries to ipfw.  Namely the MAC 
address associated with the IP Address.

A RADIUS Server could be remote.

On Feb 27, 2014, at 8:17 AM, Ryan Coleman ryanjc...@me.com wrote:

 Can I have the interstitial page go straight to a website to handle 
 everything? Rather than locally handled on the system?
 
 I am activating this feature at a bar where I do tech work and would prefer 
 to manage everything back on our website rather than trying to maintain code 
 on the controller.
 
 TIA.
 —
 Ryan


Re: [pfSense] Captive Portal Bug in 2.1.1

2014-02-25 Thread Chris L
You could look at the commit below, download the appropriate 
/etc/inc/captiveportal.inc file, and manually apply it.  No need to reinstall 
firmware for one change to one file.

On Feb 24, 2014, at 2:45 PM, Brian Caouette bri...@dlois.com wrote:

 OK but you said it was fixed for latest snapshot. When should I try again? 
 Anyway of confirming before shutting the network down for the hour it takes 
 to reinstall firmware?
 
 On 2/24/2014 5:33 PM, Ermal Luçi wrote:
 Probably the fix is not in there.
 Hence the error.
 
 
 On Mon, Feb 24, 2014 at 10:58 PM, Brian Caouette bri...@dlois.com wrote:
 Installed today's snapshot. No change.
 
 Feb 24 16:54:53  logportalauth[55653]: Trying to modify DB returned 
 error: no such column: first
 Feb 24 16:54:50  logportalauth[55653]: LOGIN: brianc, 9c:04:eb:5b:86:88, 
 192.168.1.20
 Feb 24 16:52:09  logportalauth[55570]: Trying to modify DB returned 
 error: no such column: first
 Feb 24 16:52:08  logportalauth[55570]: LOGIN: brianc, e0:ca:94:2c:f3:ec, 
 192.168.1.10
 
 
 On 2/24/2014 3:41 PM, Ermal Luçi wrote:
 This is the commit.
 https://github.com/pfsense/pfsense/commit/846bedf994079102c29cd140b41b2d1deb466a13
 
 Normally 1 or 2 snapshot per day.
 
 
 On Mon, Feb 24, 2014 at 4:45 PM, Brian Caouette bri...@dlois.com wrote:
 I installed the 2.1.1 on Sunday. How often are the snapshots updated? Is 
 there a change list per snapshot?
 
 
 On 2/24/2014 9:40 AM, Ermal Luçi wrote:
 
 
 
 On Mon, Feb 24, 2014 at 12:02 AM, Brian Caouette bri...@dlois.com wrote:
 Last 25 Portal Auth log entries
 Feb 23 18:00:05 logportalauth[61937]: Trying to modify DB returned 
 error: no such column: first
 Feb 23 18:00:03 logportalauth[61937]: LOGIN: brianc, 
 e0:ca:94:2c:f3:ec, 192.168.1.10
 
 I suspect this is why the dashboard shows no connected users?
 
 
 Fixed for the latest snapshot.
 My bad.
  
 -- 
 Ermal
 
 


Re: [pfSense] Apple Messages Blocked

2014-01-15 Thread Chris L
On Jan 15, 2014, at 2:29 PM, Paul Galati paulgal...@gmail.com wrote:

 I must have something misconfigured.  Since I was not able to successfully 
 create the right NAT and/or RULES to make this work, I decided to change the 
 IP address of the client behind the pf firewall to a static address that does 
 have a 1:1 NAT.  Now I am not able to get DNS replies, the browser says 
 Looking up host and fails.  I am trying to configure this pf box to go live 
 in a couple weeks.  I do have a server with a static 1:1 NAT that is working 
 properly, but for whatever reason a what I thought was an identical NAT/RULE 
 except the IP address is not resolving DNS, even if entered manually at the 
 client.  I am obviously doing something wrong.
 
 I tried enabling UPNP but that did not change the end result.  FaceTime rings 
 the recipient, but they both time out waiting for a response from the other 
 computer.
 
 Other suggestion would be greatly appreciated.  I will report back if I find 
 what is causing this not to function properly.

Sounds like maybe you should save your config, reset to factory, set up a 
simple out-of-the-box with WAN/LAN and see if it works before you “fix it.” :)



Re: [pfSense] Very slow printing when 2 of pfSense on network

2013-10-24 Thread Chris L

On Oct 24, 2013, at 1:16 PM, Pete Boyd petes-li...@thegoldenear.org wrote:

 From what you've given me I've managed to fix the printing issue by making
 this alteration on Windows workstations:
 
 Windows Firewall -> Advanced -> ICMP -> Settings -> [*] Allow redirect
 
 I'm going to investigate the performance issues you spoke of (there are 15
 workstations on the network), and likewise look into employing a dynamic
 routing protocol.
 
 After all the time I've spent tracking this down, I find that my pfSense
 book has precisely the same information as you've told me, if only I'd
 picked it up, and is quite reassuring about the security implications.
 
 Thanks again
 

If they really must be on separate subnets I would opt for a third interface in 
pfSense A and ditch pfSense B.  Could be VLAN if you have a managed switch.  
You might also consider something like a Cisco Small Business (SF302-08, etc.) 
switch with basic, static Layer 3 capabilities if you want to offload some of 
the inter-subnet traffic from pfSense.


Re: [pfSense] newsyslog: No such file or directory

2013-10-17 Thread Chris L
On Oct 17, 2013, at 6:43 AM, Andreas Meyer anme...@anup.de wrote:

 Vick Khera vi...@khera.org wrote:
 
 curious. i have email notifcations on, but I do not receive errors from
 cron. i wonder why.
 
 the newsyslog binary seems to not be on the system. normally on freebsd it
 is in /usr/sbin. seems like an error to me.
 
 no newsyslog in /usr/sbin and not elsewhere found.
 
 
 i'd just comment out that line in /etc/crontab. pfsense uses a different
 kind of logging scheme that does not rotate log files.
 
 ok, done that

There was a recent commit on github that deletes that crontab entry.

https://github.com/pfsense/pfsense/commit/fda96df060e5a813875496a3b9ad09b6708d02af



Re: [pfSense] issue a STARTTLS command

2013-10-17 Thread Chris L

On Oct 17, 2013, at 3:31 AM, Andreas Meyer anme...@anup.de wrote:

 Warren Baker war...@decoy.co.za wrote:
 
 On Thu, Oct 17, 2013 at 11:43 AM, Andreas Meyer anme...@anup.de wrote:
 I thougt if I set Notification E-Mail auth username (optional)
 with the password, some kind of SASl is used. If I set it, the log says:
 
 php: /system_advanced_notifications.php: Could not send the message
 to i...@anup.de -- Error: server does not require authentication
 
 This means the smtp server does not advertise SMTP AUTH. The smtp
 connection tests for this smtp extension and if it does not find AUTH
 it returns that error.
 That smtp username and password is then used in one of the supported
 authentication methods (eg login, plain, cram-md5 etc.). Its not for
 SASL.
 
 You can double check the server by doing a telnet to the port (25 or
 587) and sending EHLO fqdn and see what smtp extensions are supported.
 
 allright, I guess the
 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 was not offered because of the smtpd_enforce_tls=yes and the MTA
 awaited a starttls first. I'll check that again.

You can test after starttls with:

openssl s_client -connect fqdn:25 -starttls smtp

Then EHLO somefqdn
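
Added example for the STARTTLS/AUTH exchange above (not code from the thread, pfSense or Postfix): it parses EHLO extension lists, including the legacy AUTH= form quoted above, and reports whether a server offers AUTH in the clear, only after STARTTLS, or not at all. The two transcripts are constructed sample data; probe() does the live EHLO/STARTTLS/EHLO sequence with the standard smtplib.

```python
"""Which SMTP extensions does a server advertise before and after STARTTLS?
Added example for the exchange above, not code from the thread, pfSense or
Postfix.  The two transcripts are constructed sample data."""
import re
import smtplib
import ssl
import sys

# Sample EHLO replies.  The second carries the AUTH lines quoted in the thread,
# in both the RFC 4954 form (AUTH ...) and the legacy form (AUTH=...).
EHLO_BEFORE_TLS = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME"
)
EHLO_AFTER_TLS = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n"
    "250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n"
    "250 8BITMIME"
)
_CODE = re.compile(r"^\d{3}[ -]")  # "250-" / "250 " prefix, present on the wire


def parse_ehlo(reply: str) -> dict:
    """Map extension keyword -> parameter list.  Accepts a raw transcript or
    smtplib's ehlo_resp (codes already stripped); the greeting line is skipped."""
    ext = {}
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln.strip()]
    for line in lines[1:]:
        line = _CODE.sub("", line.strip())
        if not line:
            continue
        name, *params = line.split()
        name = name.upper()
        if name.startswith("AUTH="):              # legacy "AUTH=PLAIN LOGIN"
            params = [name[5:]] + params
            name = "AUTH"
        ext.setdefault(name, []).extend(params)
    return ext


def auth_mechanisms(ext: dict) -> set:
    return {m.upper() for m in ext.get("AUTH", [])}


def classify_auth(before_tls: str, after_tls: str) -> str:
    """At which point in the session does the server first offer SMTP AUTH?"""
    before, after = parse_ehlo(before_tls), parse_ehlo(after_tls)
    if auth_mechanisms(before):
        # PLAIN/LOGIN credentials sent at this point would cross the wire in
        # the clear; a careful server hides AUTH until TLS is up.
        return "auth-in-clear"
    if "STARTTLS" not in before:
        return "starttls-not-offered"
    if auth_mechanisms(after):
        # The thread's case: a client that looks for AUTH before STARTTLS sees
        # none and concludes the server does not require authentication.
        return "auth-only-after-starttls"
    return "no-auth"


def probe(host: str, port: int = 587, timeout: float = 10.0):
    """Live check: EHLO, STARTTLS, EHLO again; returns both transcripts."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = s.ehlo_resp.decode("utf-8", "replace")
        after = ""
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()                      # the feature list must be re-read after TLS
            after = s.ehlo_resp.decode("utf-8", "replace")
    return before, after


if __name__ == "__main__":
    # usage: python3 smtp_auth_check.py mail.example.net [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    before, after = probe(host, port)
    print(classify_auth(before, after))
```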


Re: [pfSense] naive suggestion: conform to US laws

2013-10-12 Thread Chris L

 On 2013-10-12 01:40, Jim Thompson wrote:
 
 I'm not willing to endure this uninformed Alex Jonesian crapfest.

Nice position to take, except Alex Jones was right.


Re: [pfSense] [Filters engaged]

2013-10-09 Thread Chris L

On Oct 9, 2013, at 3:20 PM, Joe Landman land...@scalableinformatics.com wrote:

 I just worked out setting up new filters for the recent S/N destroying, high 
 tin-foil-hat content, on gmail.  Since people pleading for this to go away 
 hasn't worked, technological measures to restore S/N for my inbox on this 
 list have been engaged.
 
 Please folks, take the tin foil hat discussion elsewhere.  Please?
 


Wow.  Still denigrating those concerned about wholesale US(!) government 
surveillance of the internet and back doors in encryption products as tinfoil 
hat huh?

Seems to me everything they've been saying for the past couple decades turned 
out to be true, and we likely don't know most of it yet.


[pfSense] PPTP Firewall Rules

2012-02-14 Thread Chris L
pFsense 2.0.1

I just had some trouble getting inbound PPTP sessions to work.  Configured it, 
created a user, created a rule allowing PPTP traffic to the destination LAN, 
and couldn't connect from the outside because the server would not respond and 
the connection would time out.

I checked the rules before we did anything else and saw these (pfctl -s rules | 
grep -i pptp):

pass in on vr3 inet proto tcp from any to 75.90.212.90 port = pptp flags S/SA 
modulate state label allow pptp 75.90.212.90
pass in on vr3 proto gre all keep state label allow gre pptpd

Looks like it should work to me, but still nothing and nothing being logged 
anywhere that I can find.

We added this rule in the GUI:

TCP * * WAN address 1723 (PPTP) * none

Resulting in this ruleset:

pass in on vr3 inet proto tcp from any to 75.90.212.90 port = pptp flags S/SA 
modulate state label allow pptpd 75.90.212.90
pass in on vr3 proto gre all keep state label allow gre pptpd
pass in log quick on vr3 reply-to (vr3 75.90.212.89) inet proto tcp from any to 
75.90.212.90 port = pptp flags S/SA keep state label USER_RULE

And now it works.  It's my understanding that we shouldn't have to tweak the 
ruleset to allow PPTP setup traffic inbound.

This installation is a tad bit peculiar.  The ISP provides a /29.  The DSL 
modem is supposed to be bridged (but is a closed black box) that responds at 
75.90.212.89 on the ethernet side.  The pFsense WAN port is 75.90.212.90/29 
with a gateway of 75.90.212.89.  There are a couple other devices on the public 
side /29 but I deem them irrelevant to this problem.

Thoughts?

Thanks.


Re: [pfSense] Wireless Issues

2011-09-25 Thread Chris L

On Sep 24, 2011, at 11:44 PM, Chris Brennan wrote:

 On Sun, Sep 25, 2011 at 1:58 AM, Chris Brennan xa...@xaerolimit.net wrote:
 As far as I know, it is bridged. I was looking around today but I
 couldn't find any kind of bridging interface in the pfsense GUI. I'm
 not home right now, but will be shortly, then to bed. I will paste my
 bridged interfaces from the cmdln and get it to the list. Maybe this
 is the problem.

Yes, it certainly seems that both the LAN and Wireless interfaces should be in 
the same bridge group.

Interfaces -> (assign) -> Bridges




Re: [pfSense] Wireless Issues

2011-09-25 Thread Chris L

On Sep 25, 2011, at 12:48 PM, Chris Brennan wrote:

 On Sun, Sep 25, 2011 at 3:30 PM, Chris L c...@viptalk.net wrote:
 It doesn't make sense to me to have the LAN interface in two different bridge 
 groups.
 
 If you want LAN, WLAN, and OPT1 in the same bridge, why not put them in one 
 bridge?
 
 I've been asking myself that very same question now. I had always questioned 
 why I had two bridge interfaces and couldn't figure out why I only had 
 one in pfS-1.2.3, so I'm left with the conclusion that the upgrade process 
 did something it shouldn't have. I will go ahead and move it all into one 
 bridge, would this solve my issues of not being able to connect to my 
 wireless though? That is still the larger issue here.
 

I don't know.  If it were me I'd delete and rebuild the bridge interfaces.

If your config is otherwise simple, I might just default the whole thing and 
reconfigure from scratch.


Re: [pfSense] Wireless Issues

2011-09-24 Thread Chris L

On Sep 23, 2011, at 11:45 PM, Chris Brennan wrote:

 I've got pfSense 2.0 running and for the wired side of my LAN, it works fine. 
 The problem is my Wireless LAN. I can associate just fine, but none of my 
 wireless devices (Blu-Ray Player, Sony TV, iPod, Android Phone) cannot browse 
 to the internet and I cannot figure out why. I could certainly use some 
 guidance here as to why.

Umm.

On the wireless clients, check:

Assigned addresses
Assigned netmask
Assigned default gateway
Assigned DNS servers

There's not much more to it.

 
 P.S. I'm still new to pfSense in general and 2.0 specifically, so please, be 
 kind to me :D
  --
  Chris Brennan
  A: Yes.
  Q: Are you sure?
  A: Because it reverses the logical flow of conversation.
  Q: Why is top posting frowned upon?
  
 http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
 
  GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8  9E4A EECD 9A84 D5B2 0C0C)
 
 
 


Re: [pfSense] Wireless Issues

2011-09-24 Thread Chris L

On Sep 24, 2011, at 12:07 AM, Chris Brennan wrote:

 On Sat, Sep 24, 2011 at 2:52 AM, Chris L c...@viptalk.net wrote:
 Umm.
 
 On the wireless clients, check:
 
 Assigned addresses
 Assigned netmask
 Assigned default gateway
 Assigned DNS servers
 
 There's not much more to it.
 
 Yes, all the clients are assigned IP's via DHCP, so that wouldn't matter 
 anyway.

It matters if they're given wrong info.

 I've double-checked and even triple-checked all my defaults. My clients get 
 an IP in the right range, they are given the right gateway and DNS servers, 
 they just can't go anywhere.


Is this an access point on your wired LAN pfSense interface or a wireless 
device built into your pfSense device?



Re: [pfSense] Wireless Issues

2011-09-24 Thread Chris L

On Sep 24, 2011, at 8:22 AM, Chris Brennan wrote:

 On Sat, Sep 24, 2011 at 3:34 AM, Chris L c...@viptalk.net wrote:
  Yes, all the clients are assigned IP's via DHCP, so that wouldn't matter 
  anyway.
 
 It matters if they're given wrong info.
 
  I've double-checked and even triple-checked all my defaults. My clients 
  get an IP in the right range, they are given the right gateway and DNS 
  servers, they just can't go anywhere.
 
 I've checked their DHCP assignments, they are getting the right info, I can 
 navigate *within* the LAN just fine (wirelessly), I just can't leave it 
 (again, wirelessly).

Does that include being able to access the pfSense interface?  Can you ping it 
and bring up the admin interface in a web browser (using the IP address)

If so, then you can stop looking at the wireless config and focus on your 
firewall rules for the wireless interface.

You haven't stated what can't go anywhere and inability to leave the WLAN 
really means.  Are they unable to resolve DNS?  Can they ping outside using 
just IP addresses?

Anything useful being logged in the firewall?



Re: [pfSense] Wireless Issues

2011-09-24 Thread Chris L

On Sep 24, 2011, at 5:29 PM, Chris Brennan wrote:
 
 Oh and here is a screenshot of my Wireless firewall settings - 
 http://i.imgur.com/wFgnn.png, If more information is needed, please,
 let me know and I will provide it.
 

Are you trying to use the same IP network on the Wireless interface as on the 
LAN interface?

If so, you probably want to simply bridge the Wireless interface with the LAN 
interface and it'll just pick up the LAN characteristics, DHCP server, firewall 
rules, etc.  And it'll be in the same broadcast domain as the LAN network, much 
like if you connected a separate access point to the LAN network.

If not, then you probably want your firewall rules on the Wireless interface to 
allow traffic from Wireless Net not LAN Net because they're going to have 
to be different, routed IP networks.

Chris