Re: [pfSense] Aliases grouping
Hi,

short answer: Yes!
I do it by: Create Alias / Type: Host(s) / IP or FQDN, this can also be an Alias.
I found that the Alias is not (!) limited to being a single IP; it can be an Alias with whatever content.

Christoph

On 07/12/16 20:19, Luc Paulin wrote:
> Hi,
> Is there a way to create a group of aliases...
>
> For example, let's say I create
> OFFICE1_NET
> OFFICE2_NET
>
> Can I create an alias ALL_OFFICES that will contain OFFICE1_NET and
> OFFICE2_NET
>
> -Luc

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Using pfSense with an external proxy appliance
On 04/09/15 15:25, Jon Gerdes wrote:
> On Thu, 2015-09-03 at 09:53 -0500, Erik Anderson wrote:
>> Hello,
>>
>> Shortly I'm going to need to deal with a situation I've never had to
>> sort out before - using pfSense to redirect outbound HTTP(S) from
>> clients to an iPrism proxy/filter appliance.
>>
>> We're running pfsense v2.2.4.
>>
>> Is this possible to do with pfSense in a transparent manner? Or will I
>> be forced to reconfigure each client to go through the proxy?
>>
>> I've had a search through the forum and mailing list archives, and
>> haven't seen anything on this topic.
>>
>> Thank you!
>> Erik
>
> Eric
>
> You *may* be able to use NAT to do this (basically the opposite to the
> way you do inbound NAT for systems from the internet to internal)

Imho this will only be doable if the proxy/filter appliance runs in transparent mode.
If the proxy/filter appliance runs in normal mode, the clients, or better the applications, need the info "use a proxy"; this has to be done by a proxy.pac, DNS, group policy or whatever.

bye
Christoph

Re: [pfSense] 1 of 8 phase2 tunnel will not come up
On 28/04/15 22:34, Christoph Hanle wrote:
> Hi,
> we are getting crazy with one tunnel
> our system pfSense 2.2 failover cluster
> other side a bigger Juniper.
> VPN with 6 tunnels was up.
> the 7th tunnel (10.2.2.55) fails.
> the afterwards created 8th tunnel is OK again.

Problem is gone, don't ask why.
It seems that on our side or at the other side a child SA process was not properly released.

bye
Christoph

[pfSense] 1 of 8 phase2 tunnel will not come up
Hi,
we are getting crazy with one tunnel
our system pfSense 2.2 failover cluster
other side a bigger Juniper.
VPN with 6 tunnels was up.
the 7th tunnel (10.2.2.55) fails.
the afterwards created 8th tunnel is OK again.

some lines from debug log:
---
configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
proposing traffic selectors for us: 10.243.35.0/24|/0
proposing traffic selectors for other: 10.2.2.55/32|/0
generating QUICK_MODE request 2417630024 [ HASH SA No KE ID ID ]
...
parsed INFORMATIONAL_V1 request 3795096688 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
---

Looks to me like a Phase 2 Encryption Algorithm Mismatch, but why and where?
On our side I have created the entry for 10.2.2.55 based on existing entries; for troubleshooting: removed, added again and checked more than 5 times, also checked the backup-xml - no error found.
I have no access to the other side, but there is a guy who knows what to do and, as I remember, on a Juniper you create the Phase2 settings only once and then add all the remote networks.

Any hints or ideas where to search and what to do?

bye
Christoph

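Added example, not part of the original post: a short Python parser that pulls out of debug lines like those quoted above every value offered in a Quick Mode request that the peer rejected (transforms, PFS group, both traffic selectors), so each can be compared with the peer's phase 2 entry. The sample log is constructed from the lines in the post with the elided part left out; the function name is hypothetical.

```python
import re

# Constructed sample: the debug lines quoted in the post, elided part omitted.
SAMPLE_LOG = """\
configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
proposing traffic selectors for us: 10.243.35.0/24|/0
proposing traffic selectors for other: 10.2.2.55/32|/0
generating QUICK_MODE request 2417630024 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 3795096688 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
"""


def rejected_phase2_offers(log_text):
    """Return one dict per Quick Mode offer answered with NO_PROPOSAL_CHOSEN."""
    offers, current, pending = [], {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := re.search(r"configured proposals: (\S+)", line):
            # "ESP:AES_CBC_128/HMAC_SHA1_96/..." -> protocol + list of transforms
            protocol, _, transforms = m.group(1).partition(":")
            current.update(protocol=protocol, transforms=transforms.split("/"))
        elif m := re.search(r"proposing traffic selectors for (us|other): (\S+?)\|", line):
            side = "local" if m.group(1) == "us" else "remote"
            current[side] = m.group(2)
        elif m := re.search(r"generating QUICK_MODE request (\d+)", line):
            # The offer is complete once the request is generated.
            pending = dict(current, message_id=m.group(1))
            current = {}
        elif "NO_PROPOSAL_CHOSEN" in line and pending is not None:
            offers.append(pending)
            pending = None
    return offers


if __name__ == "__main__":
    for offer in rejected_phase2_offers(SAMPLE_LOG):
        print(f"rejected offer {offer['message_id']}: "
              f"{offer['local']} <-> {offer['remote']}")
        for value in offer["transforms"]:
            print("  must match on peer:", value)
```
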
Re: [pfSense] Visual seperators?
On 10.02.2015 14:44, kpolb...@olberg.name wrote:
> Hi,
> Is there any possibility to create groups or otherwise have separators
> between rules on the firewall page? Basically what I'm trying to do is
> make it easier to see which rules are connected could be based on host
> or service. So it would be nice to have some sort of visual separator to
> create a group.

Hi KP,
I am doing this by creating disabled rules and have as description the description of the next rules.
To differ from real disabled rules, a - at the end is helpful.
Not the perfect separator, but a doable workaround.

bye
Christoph

Re: [pfSense] Can't ping/connect to hosts in other subnet
On 21.01.2015 11:28, 51537551.3:51537551.3 wrote:
> LAN: 192.168.6.0/24
> WAN0: 192.168.0.0/24
> WAN1: 192.168.1.0/24
> OPT: 192.168.7.0/24
>
> What I am trying to achieve is that I can connect/ping/etc. the clients
> behind OPT (192.168.7.0/24) from clients on LAN (192.168.6.0/24), but
> not the other way round. All I can connect to is the other pfsense
> gateway (192.168.7.1). What am I missing?

Hi Tim,
you are missing proper rules and a route on the other pfSense and/or on the clients in the OPT LAN.
My way to get this done:
- Disable block private networks on each interface
- create an Alias RFC1918 with all private Networks
- on top (after rules for access to firewall) create explicit rules to other RFC networks
- then create a reject and a block rule to RFC1918 networks (log this).
- DHCP Option 121 on the DHCP server for OPT with values for LAN network
  for clients without DHCP do a route add -p
- route on pfSense2 192.168.7.1 to LAN

bye
Christoph

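Added example, not part of the original post and not pfSense code: the DHCP option 121 value for the OPT clients, encoded and decoded per RFC 3442 in Python. The next hop 192.168.7.254 (the first pfSense's address on the OPT network) is an assumed placeholder because the thread does not give it; the default route via 192.168.7.1 is included because RFC 3442 clients ignore the Router option when option 121 is present.

```python
import ipaddress

# Constructed input: LAN route from the thread; 192.168.7.254 is an assumed
# placeholder for the first pfSense's address on the OPT network.
ROUTES = [
    ("192.168.6.0/24", "192.168.7.254"),
    ("0.0.0.0/0", "192.168.7.1"),  # default route must be repeated in option 121
]


def encode_option_121(routes):
    """Encode (destination CIDR, next hop) pairs as RFC 3442 option data."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr)        # rejects CIDRs with host bits set
        significant = (net.prefixlen + 7) // 8   # only the significant octets are sent
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_option_121(data):
    """Decode option 121 data back into (destination CIDR, next hop) pairs."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        if plen > 32 or i + 5 + n > len(data):
            raise ValueError("malformed option 121 data")
        dest = ipaddress.IPv4Address(data[i + 1:i + 1 + n] + bytes(4 - n))
        gateway = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((f"{dest}/{plen}", str(gateway)))
        i += 5 + n
    return routes


def as_hex(data):
    """Colon-separated hex, the usual form for entering raw option bytes."""
    return ":".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    print(as_hex(encode_option_121(ROUTES)))
```
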
Re: [pfSense] Annoying Comcast Issue When Changing Hardware
On 10.05.2014 04:56 Aaron C. de Bruyn wrote:
> We figured we would just get the two new boxes up.
> [...]
> I called Comcast and had them remotely reboot the modem. Everything
> immediately came up and started working perfectly.

Hi Aaron,
this is no unexpected behavior.
Arp table on the router or modem has to be cleared and a new one has to be built up.
But don't worry: you are not the first one and you will not be the last one who will spend some time due to this feature (-:

bye
Christoph

Re: [pfSense] Interface options for pfsense
On 21.04.2014 00:32 Volker Kuhlmann wrote:
> Now freebsd dying on the hme driver effectively turns those cards into
> scrap and I'm stuck. What are alternatives now? Are there any other
> 4-port cards that are supported by pfsense in practice (not just in
> theory), that are also affordable?

Intel and Broadcom Server NICs.
Depends on the PCI expansion slots available on your motherboard.
I have not found any replacement for the SUN cards for 32 bit PCI.

> Are there any USB Ethernet adapters that actually work with pfsense?
> Reliably? I am looking for reports from those who have tried, not the
> freebsd supported HW list - that list is too long and not really
> trustworthy (I have a USB wifi adapter which runs for 10min then makes
> pfsense kernel panic).

Tested with 2.0.3 and stable in production usage:
Digitus 3015 (RTL 8150 chipset) and Digitus-10050 (MCS7832 chipset).

> The frequently recommended option of using VLANs may look good for
> larger commercial networks, but just buying a VLAN capable switch costs
> more than a suitable pfsense box and brings the power budget of the
> combination to the same level as a scrapped PC - with the latter winning
> hands down on cost.

TP-Link, e.g. TP-LINK TL-SG321

bye
Christoph

[pfSense] pfSense help at Dayton NJ needed
Hi all,
sorry for my abuse of the mailing list.
We have the disaster of a broken pfSense upgrade to 2.1.2.
Unfortunately we don't have a proper technician on site, all repair attempts by phone have not been successful, and the (planned) new pfSense HA-cluster will not reach our location before Tuesday.
Is there a list member somewhere from Dayton NJ who can help us, or does someone know somebody near Dayton?

Thanks and bye
Christoph

Re: [pfSense] Pfsense Installation on Virtualbox
On 01.06.2013 20:04 wisdom Nkosi wrote:
> I have two ISPs ISP A and ISP B.
> [...]
> Is it possible to configure PFSENSE router on VirtualBOX so that all the
> users computer on the network should go through PFSENSE which is
> installed on the Virtualbox? Please am looking forward to hear from

Hi Wisdom,
my two cents: don't do this with virtualbox.
Get an Alix-board and do the pfSense install on this.
Or: install pfSense directly on the XP-machine instead of XP.
pfSense in Virtualbox on a Windows machine is imho slow and unstable; I have done this myself for testing.
Finally I changed to Vmware player and have no problems with this.

bye
Christoph

Re: [pfSense] General question
On 25.03.2013 19:30 k_o_l wrote:
> I see the issue even when all browser are shut down.

netstat -ano (Win) or -nlp on the source PC can bring you the solution.

bye
Christoph

Re: [pfSense] ethernet interface stops passing traffic, can only be fixed by rebooting
On 29.07.2012 06:05 b...@bitrate.net wrote:
> i'm using 2.1-BETA0 (i386) [built on Fri Jul 13 19:59:57 EDT 2012] and
> have had two occasions so far in which the external interface has
> effectively died, but appears ok in the output of ifconfig. it still
> has an address [dhcp], but is not able to ping its gateway, etc. using
> ifconfig to bring the interface down and back up does not solve the
> problem. so far i've not been able to find any method other than
> rebooting that brings it back to life.
>
> in system.log, i see the following messages which i believe may
> correlate to the event:
>
> Jul 28 22:46:43 gw1 kernel: msk0: watchdog timeout
> Jul 28 22:46:43 gw1 kernel: msk0: prefetch unit stuck?
> Jul 28 22:46:43 gw1 kernel: msk0: initialization failed: no memory for Rx buffers
>
> lastly, while it may be purely coincidence, it happens that on both
> occasions i was watching a streaming movie via netflix.
>
> where else can i look, or what can i do to find more clues about what
> is happening and why?
>
> thanks
> -ben

Hi Ben,
googling for msk or msk0 will bring you the information that the driver for your NIC is buggy (or the quality of the NIC or chipset is scrap).
Take a good NIC and you won't have the problems.

bye
Christoph