Re: [pfSense] 802.1X VLAN function and switch support
Sorry, it is in the wiki on the FreeRadius site.

Regards,
Daniel Davis

-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of bsd
Sent: Thursday, 15 December 2011 7:10 PM
To: pfSense support and discussion
Subject: Re: [pfSense] 802.1X VLAN function and switch support

> On 15 Dec 2011, at 01:20, Daniel Davis wrote:
>
>> This is generally supported on nearly all reasonable managed switches these days (not always on the el-cheapo 'web-managed' switches). The switch really doesn't do much other than forward authentication requests and then act on the authorisation response. As long as the authentication server (NAC) can return the correct IETF attributes such as Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id it will generally work.
>
> Ok, I guess I'll have to give it a try with the switch I am using.
>
>> This is all supported by FreeRadius and well documented in the wiki with example configs for numerous different switch manufacturers.
>
> I am sorry but I cannot find any link about this specific topic in the doc.pfsense.org section or in the dev section - can you be more specific? Which wiki are you referring to?
>
> Thanks for your reply.
>
>> Regards,
>> Daniel Davis
>>
>> -----Original Message-----
>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of bsd
>> Sent: Thursday, 15 December 2011 7:47 AM
>> To: pfSense support and discussion
>> Subject: [pfSense] 802.1X VLAN function and switch support
>>
>>> Hi,
>>>
>>> I am a bit off topic for the pfSense list, but since I want to be compliant with the FreeRadius package deployed on the pfSense system, I guess it is ok to ask that question here.
>>>
>>> I want FreeRadius to provide distinct VLANs to each of my clients based on the parameters defined in the FreeRadius settings. I am not certain that a lot of switches are compatible with this function; most of them provide 802.1X authentication, but can they automatically set the VLAN once the client has authenticated? Can they provide a default VLAN for failed auth?
>>>
>>> As stated on the package, the switch should understand the following parameters:
>>>
>>>   Tunnel-Type = VLAN
>>>   Tunnel-Medium-Type = IEEE-802
>>>   Tunnel-Private-Group-ID = My_ID
>>>
>>> Any feedback on implementing this VLAN attribution feature with FreeRadius and xxx switch will be welcome. Switch brands supporting this feature are also of interest.
>>>
>>> Thanks.
>>>
>>> --
>>> Grégory Bernard
>>> Director - www.osnet.eu - Your provider of OpenSource appliances
>
> --
> Grégory Bernard
> Director - www.osnet.eu - Your provider of OpenSource appliances

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] 802.1X VLAN function and switch support
This is generally supported on nearly all reasonable managed switches these days (not always on the el-cheapo 'web-managed' switches). The switch really doesn't do much other than forward authentication requests and then act on the authorisation response. As long as the authentication server (NAC) can return the correct IETF attributes such as Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id it will generally work. This is all supported by FreeRadius and well documented in the wiki with example configs for numerous different switch manufacturers.

Regards,
Daniel Davis

-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of bsd
Sent: Thursday, 15 December 2011 7:47 AM
To: pfSense support and discussion
Subject: [pfSense] 802.1X VLAN function and switch support

> Hi,
>
> I am a bit off topic for the pfSense list, but since I want to be compliant with the FreeRadius package deployed on the pfSense system, I guess it is ok to ask that question here.
>
> I want FreeRadius to provide distinct VLANs to each of my clients based on the parameters defined in the FreeRadius settings. I am not certain that a lot of switches are compatible with this function; most of them provide 802.1X authentication, but can they automatically set the VLAN once the client has authenticated? Can they provide a default VLAN for failed auth?
>
> As stated on the package, the switch should understand the following parameters:
>
>   Tunnel-Type = VLAN
>   Tunnel-Medium-Type = IEEE-802
>   Tunnel-Private-Group-ID = My_ID
>
> Any feedback on implementing this VLAN attribution feature with FreeRadius and xxx switch will be welcome. Switch brands supporting this feature are also of interest.
>
> Thanks.
>
> --
> Grégory Bernard
> Director - www.osnet.eu - Your provider of OpenSource appliances
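The two messages above come down to one protocol detail: the RADIUS Access-Accept has to carry the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple in the encoding the switch expects (RFC 2865 framing, RFC 2868 tagged tunnel attributes, RFC 3580 values). The following is an added example, not code from pfSense or FreeRADIUS: it builds that reply the way the server does, including the Response Authenticator the switch checks, and then interprets it the way an 802.1X authenticator does. The shared secret, Request Authenticator, packet identifier and VLAN number are constructed. It also shows why an Access-Reject cannot carry a "failed auth" VLAN: that fallback is a switch-side guest/auth-fail VLAN setting, not a RADIUS attribute.

```python
"""Build and check the RADIUS Access-Accept that carries a dynamic VLAN
assignment: RFC 2865 framing, RFC 2868 tunnel attributes, RFC 3580 usage
(Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "<vlan>").

Added example; not code from pfSense or FreeRADIUS. The shared secret,
Request Authenticator, packet identifier and VLAN number are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # dictionary value of "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # dictionary value of "IEEE-802"


def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one Tag byte followed by a 3-byte value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The attribute triple the switch needs. Tag 0 means 'untagged'."""
    return (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_response(code, identifier, request_auth, attrs, secret):
    """Frame a response; Response Authenticator =
    MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """What the switch checks before trusting the reply: the authenticator
    binds the reply to its request and to the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attrs: bytes):
    """Yield (type, value) pairs, rejecting truncated or zero-length TLVs."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        yield t, attrs[i + 2:i + length]
        i += length


def assigned_vlan(packet: bytes):
    """Interpret the reply as an 802.1X authenticator would.

    Returns the VLAN ID when an Access-Accept carries a consistent
    Tunnel-Type=VLAN / Tunnel-Medium-Type=IEEE-802 / numeric
    Tunnel-Private-Group-Id triple; otherwise None, meaning the port stays
    in (or falls back to) the VLAN configured locally on the switch.
    An Access-Reject never carries a VLAN: the 'failed auth' VLAN is a
    switch-side setting (guest/auth-fail VLAN), not something RADIUS sends.
    """
    if packet[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for t, v in parse_attributes(packet[20:]):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a first byte above 0x1F is data, not a Tag.
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None  # some switches also accept a VLAN name here; not modelled
    return int(group)
```

When a switch ignores the VLAN, compare what it receives against this decoder's rules: the usual culprits are a Tunnel-Medium-Type other than IEEE-802, a Group-Id that is a VLAN name on a switch that only accepts numbers, or a mismatched shared secret, which makes the switch discard the whole reply rather than just the VLAN.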
Re: [pfSense] Multiple IPSEC Mutual PSK + Xauth Tunnels
Bump... any ideas?

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Davis
Sent: Wednesday, 2 November 2011 3:09 PM
To: 'pfSense support and discussion'
Subject: [pfSense] Multiple IPSEC Mutual PSK + Xauth Tunnels

> We have a situation where all our iOS users connect via IPSEC VPN for remote access. This works great and is very stable. What we want to achieve however is for certain clients to have access only to certain networks (different sets of firewall rules and phase 2 tunnels for different groups of users).
>
> I believe that to do this we would need to be able to have multiple Phase 1 tunnel definitions with Mutual PSK + Xauth as the authentication method, however this is not available as an option if I manually add another Phase 1 tunnel.
>
> Is this possible to achieve with pfSense 2?
>
> Thanks,
> Daniel
Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense
-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ugo Bellavance
Sent: Thursday, 24 November 2011 4:04 AM
To: list@lists.pfsense.org
Subject: [pfSense] Replacing CheckPoint Firewall-1 with pfSense

> Hi,
>
> We're thinking about replacing our CheckPoint Firewall-1 by pfSense.

Ugo,

Been there, done this. Trust me, you will thank yourself for it (no more SmartDashboard/SmartCenter and exorbitant support fees!!). We've replaced both Checkpoint and Fortinet systems with pfSense with great success.

> We are using only those features on Firewall-1 (R65):
> - Security (default deny on everything)
> - NAT (inbound (for internet-facing hosts) and outbound (selective, workstations go out through a proxy, other selected hosts are NAT'd based on destination host and port(s))
> - We do have some security rules defined in their SmartDefense, but it is a nightmare to configure without having many false positives. I'm pretty sure we could go without or simply add Snort to pfSense
>
> We had a project of roaming users VPN but it's on ice right now. We are using SSH tunnels to connect home users' PCs to the corporate network and we will need a solution for the few corporate laptops to connect to the corporate network. However, I guess that with all the options available in pfSense regarding VPN, I don't think this would be a problem.
>
> Reasons to switch to pfSense:
> - Our Firewall-1 version is not supported anymore so we have to upgrade anyway
> - Service contracts are a lot cheaper
> - We would have to pay extra $$ for a redundant setup (CARP pfSense is free)
> - It is a platform that I know and I like open-source software
> - It is officially supported on VMware (Well, I guess, with a service contract)
> - Server load balancing can be used for simple HA setups
> - DHCP server on the firewall (no need for DHCP relay)
> - Other interesting packages
>
> We are thinking about running a redundant (CARP) setup with one pfSense on our VMware cluster, and one on a physical, separate machine.

I would not recommend a hybrid physical/virtual CARP cluster as CARP is entirely network reliant. In a physical CARP cluster best practice is to dedicate a network interface on each machine for CARP with a crossover cable between them so that even in the event of a switch failure they can still talk and elect a master. You would need a dedicated NIC per host, an additional physical switch and additional vswitches to achieve the same sort of resiliency in a mixed physical/virtual configuration. This can get expensive and adds additional points of failure, but without it you run the risk of ending up with two masters (i.e. split brain) if the connectivity between your physical and virtual networks were to fail.

VMware HA is your friend here; it will remove the possibility of a split brain for you if both hosts are running in the cluster. HA is not network reliant (as long as you are using a separate storage network); it uses a combination of network and shared datastore heartbeats to monitor hosts and VMs. One host can lose network connectivity, CARP will fail over the firewalls, the cluster will detect a host isolation response and restart the failed VM on another host, all very orderly and controlled with less than a couple of seconds of downtime and no physical intervention.

We use two firewalls with CARP in a vSphere cluster, works very nicely. The things to remember if you go with the two virtual machines are:

1. Make sure you follow the instructions for CARP and ESX/ESXi from the wiki.
2. Change the host that ESXi pings to determine its network availability. If you leave this as the default gateway, the ESX host that is hosting the master node will never fail over even in the event of a network outage, as it will still be able to ping the VM. This must be something that is highly available; we use the address of the stacked switches in our blade chassis. See http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002478

If you can tolerate a minute or two of downtime in the event of a host failure you could even consider a single pfSense VM and just trust VMware HA to do the failover.

> Concerns:
> 1- NAT Reflection - We don't have a split-DNS setup. CheckPoint does seem to manage NAT Reflection perfectly.
> 2- Ease to migrate the configuration to pfSense - I would set a pfSense VM in parallel and start migrating all the rules manually, but I'm scared about missing some or seeing a situation where the Firewall-1 can do it and not pfSense.
> 3- Backups. Are automated backups (of the config, at least) possible even w/o a service contract?
>
> Can people share their experience with this kind of scenario? Don't hesitate if you need more info.
>
> Thanks,
> Ugo

pfSense works well for the most part, the Snort package has had a few issues in the past but
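The split-brain risk described above (two nodes both believing they are MASTER for a CARP VHID once the link between them fails) is easy to check for from a monitoring host, because each node reports its CARP state in ifconfig output. The following is an added example and not pfSense code: it parses the `carp:` status lines from both nodes and reports any VHID that is claimed by more than one MASTER, owned by nobody, or configured on only one node. The two ifconfig excerpts are constructed to resemble the carp(4) status lines pfSense prints; a real check would collect them from each node, for instance over SSH.

```python
"""Find a CARP split-brain (one VHID claimed MASTER by both nodes) in the
ifconfig output of a two-node pfSense cluster.

Added example, not pfSense code. The two ifconfig excerpts are constructed
to look like the carp(4) status lines pfSense prints; a monitoring host would
collect them from each node (for instance over SSH) and run this check. Only
the 'carp: <STATE> vhid N ...' lines are read.
"""
import re
from collections import defaultdict

# Constructed sample: a healthy pair, fw1 owning both VIPs.
FW1_IFCONFIG = """\
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.1 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0
"""
FW2_IFCONFIG = """\
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.1 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 100
"""

CARP_LINE = re.compile(
    r"carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)"
    r"\s+advbase\s+(?P<advbase>\d+)\s+advskew\s+(?P<advskew>\d+)")


def parse_carp_states(ifconfig_output: str) -> dict:
    """VHID -> (state, advskew) for every CARP VIP one node reports."""
    return {int(m["vhid"]): (m["state"], int(m["advskew"]))
            for m in CARP_LINE.finditer(ifconfig_output)}


def audit_cluster(nodes: dict) -> dict:
    """nodes: node name -> its ifconfig output.

    Returns VHID -> list of findings:
      'split-brain'  MASTER on more than one node (the hybrid-cluster risk
                     described above: both firewalls answer for the VIP);
      'no-master'    every node is BACKUP/INIT, so nobody holds the VIP;
      'missing'      the VHID is configured on only some of the nodes.
    An empty dict means the cluster looks healthy.
    """
    per_vhid = defaultdict(dict)
    for name, output in nodes.items():
        for vhid, state in parse_carp_states(output).items():
            per_vhid[vhid][name] = state
    findings = {}
    for vhid, by_node in sorted(per_vhid.items()):
        masters = [n for n, (state, _) in by_node.items() if state == "MASTER"]
        problems = []
        if len(masters) > 1:
            problems.append("split-brain")
        if not masters:
            problems.append("no-master")
        if len(by_node) < len(nodes):
            problems.append("missing")
        if problems:
            findings[vhid] = problems
    return findings
```

Feeding the check the same output from both nodes is the quickest way to see what a split brain looks like to it; in production the interesting case is the one where both nodes genuinely print MASTER because the physical/virtual path between them is down while each still reaches its own clients.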
Re: [pfSense] Forwarding an external port according to user
David,

Whilst this is not as secure as a real VPN, you could possibly use something like OpenVPN ALS (previously Adito). It is a remote access over SSL solution that allows your users to somewhat securely connect to work resources without needing to install a VPN client or open insecure ports on your firewall. Your users will log in to the OpenVPN ALS page and authenticate using their credentials (it can authenticate against LDAP, AD etc.); they will then get a portal page which will show the resources you have given them access to (this can be RDP, VNC etc.). When they open a resource it will launch a Java client and tunnel the connection over SSL.

Some things to note, though, are that the project is dead and the last released version has some significant known security flaws; however, it will still be vastly more secure than just forwarding VNC traffic through your firewall.

Regards,
Daniel Davis

-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of David Brown
Sent: Tuesday, 25 October 2011 12:14 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Forwarding an external port according to user

> On 24/10/2011 15:53, Vassilis V. wrote:
>
>> David Brown wrote on 10/24/2011 02:34 PM:
>>
>>> Using a VPN is certainly a possibility - our road warriors who use a laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my home machine regularly to access everything in the network here. Where VPNs are the right solution, they are what we use. But I see two disadvantages of VPNs. They give too much access. Obviously firewall rules can be added to limit access in some ways, but it is somewhere between difficult and impossible to get the right balance between security and functionality here. How do I set up firewalls that let the user access company files on a server from their home machine without also opening these files to whatever malware they've installed?
>>>
>>> I can proscribe rules and regulations for computers on the company network, I can monitor them for suspicious behaviour, and do regular checks. But I can't do that for people's home computers. I can do so on a limited basis for a few users, especially for those with company laptops that they use from home or outside, but it is not scalable in general.
>>
>> I can't agree that VPNs give too much access. The way the VPN in pfSense is configured, it gives exactly the amount of access that you allow. Having a VPN connection that allows only to connect to port 5900 on a certain PC is a piece of cake.
>>
>> If you want to offer samba to your users, you shouldn't really port forward the ports to WAN. Even if you limit the source IP it feels somehow wrong to do it :) But it's more of a general question if you want to give them access to samba or not; the tool you want to use (port forward or VPN) doesn't matter.
>
> I agree that samba over WAN feels wrong - it's only an option I'm vaguely considering, and just mentioning here as another example. An alternative example, as well as VNC, would be RDP for Windows remote desktop protocol (though I prefer VNC as it is more cross-platform).
>
> I understand that you can specify exactly the rules you want in pfSense for VPN access. But it can only restrict traffic based on the IP address and other such criteria - my point about having too much access is there is no way to restrict it by the type of originating program. Perhaps you are one of the lucky few who only has to deal with *nix type systems, but I have to assume that employees' home machines and home networks are full of malware (except for the few that I've checked, and know that they are kept reasonably secure). So if a home machine has access over a VPN to files on a company server, then so does all the malware they have installed. With VNC only, I avoid that (although keyloggers are still a potential issue).
>
> Of course, if I do try out samba over the WAN, the same thing applies there as with VPN access.
>
>>> The other disadvantage of a VPN is that we use a lot of specialised software - people can't easily install it on their home machines. They may also need different sorts of access to different machines - trying to get routing and firewalling rules that allow this over a VPN without being too permissive is hard.
>>
>> I didn't clearly describe the solution I proposed: they would still use VNC to work on their work PC. They would just tunnel it through the VPN and have only access to port 5900 on their PC.
>
> Ah, okay. That's one way to handle it that I'm already considering. Of course, this also means that users would need to install and configure OpenVPN on their home machines. It's not hard, but it is an extra step. With pure VNC, I can also look at using the VNC Java client - if I put that on a server somewhere, then it makes it possible for people
[pfSense] Traffic shaping query
Hi all.

I am in the process of replacing a Fortinet firewall with a nice shiny pfSense virtual appliance and am trying to plan our traffic shaping/QoS, but I'm having trouble getting my head around it.

We currently have 11 LAN segments and a single WAN. We are not really interested in shaping/prioritising the inter-LAN traffic, just inbound and outbound WAN traffic.

My idea so far is to simply use limiters for inbound traffic (as we cannot influence the order that packets arrive from the ISP, so HFSC does not seem any better for this purpose, just more complicated) and use HFSC to prioritize and shape outbound traffic. This configuration means I only need to create one set of limiters for inbound traffic (as opposed to a set of queues for each interface with HFSC) and one set of HFSC queues on the WAN interface for outbound traffic.

We have a 10Mb/10Mb connection which is shared between users' internet access, web/DNS/mail hosting and guest internet access, so I really want to get my QoS right to make the most of this connection.

The configuration I am thinking of implementing is:

Inbound traffic (Downloads)

  3Mbit Limiter (for all data requested by the outside world, i.e. served by us)
    Priority traffic (e.g. VoIP traffic, DNS requests) - highest weighting
    Standard traffic (e.g. FTP, HTTP requests) - medium weighting
    Low Priority traffic (e.g. SMTP, POP3, IMAP connections) - lowest weighting

  7Mbit Limiter (for all data served by external systems, i.e. requested by us)
    Priority traffic (e.g. VoIP traffic, DNS requests) - highest weighting
    Standard traffic (e.g. VPN, Remote Desktop, FTP, HTTP) - medium weighting
    Low Priority traffic (e.g. SMTP, POP3, IMAP etc.) - low weighting
    Penalty traffic (everything else not classified above) - lowest weighting

Outbound traffic (Uploads)

  9700Kbit Root Class (97% of Max WAN upload)
    Ack Traffic - Priority 7, Bandwidth 15%, Qlimit 500, Realtime 10%
    DNS Traffic - Priority 6, Bandwidth 5%, Realtime 5%
    Served Traffic (e.g. traffic sent by our servers) - Priority 6, Bandwidth 50%, Upperlimit 80%, Realtime 50%
      VoIP - Priority 6, Bandwidth 10%, Upperlimit (35%, 30ms, 10%), Realtime 10%
      RDP/VNC - Priority 5, Bandwidth 20%, Upperlimit (50%, 200, 10%), Realtime 15%
      HTTP/HTTPS/FTP - Priority 4, Bandwidth 50%, Realtime (75%, 1, 40%)
      Mail - Priority 3, Bandwidth 20%, Realtime 10%
    Client Traffic (e.g. client uploads, VoIP traffic, VPN traffic etc.) - Priority 5, Bandwidth 20%, Upperlimit 50%, Realtime 25%
      VoIP - Priority 6, Bandwidth 10%, Upperlimit (35%, 30ms, 10%), Realtime 20%
      RDP/VNC - Priority 5, Bandwidth 30%, Upperlimit (50%, 200, 10%), Realtime 15%
      HTTP/HTTPS/FTP - Priority 4, Bandwidth 50%, Realtime (75%, 1, 40%)
      Mail - Priority 3, Bandwidth 10%, Realtime 10%
    Unclassified Traffic (anything that wasn't caught by the above rules) - Priority 3, Bandwidth 10%, Upperlimit 30%, Realtime 10%

Does anyone see any problems with this configuration? Feel free to shoot me down in flames if this won't work for any reason, I want to get this right.

Cheers,
Daniel
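A queue tree like the one above is easy to get subtly wrong by hand, because every percentage on a child queue is relative to its parent, not to the link. The following is an added example and not pfSense code: it transcribes the outbound plan from the message into a tree, converts every share into absolute kbit/s against the 9700 kbit root, and flags the arithmetic inconsistencies a shaper will not accept or that make no sense (sibling link-shares summing past 100% of the parent, an upper limit below the real-time guarantee, an HFSC priority outside 0-7). Only the m2 value of each real-time/upper-limit curve is carried; the checks are consistency checks of this kind, not a reproduction of pfctl's validation.

```python
"""Sanity-check an HFSC queue plan before entering it in the pfSense shaper.

Added example, not pfSense code. The tree below transcribes the outbound
(upload) plan from the message above; percentages on a child are relative to
its parent, as in the pfSense shaper GUI, and only the m2 value of each
real-time / upper-limit service curve is carried. The checks are arithmetic
consistency checks (sibling link-shares must not exceed 100 % of the parent,
an upper limit below the real-time guarantee is contradictory, HFSC priority
is 0-7), not a reproduction of pfctl's own validation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Queue:
    name: str
    bandwidth_pct: float                    # link-share, % of parent
    priority: int = 1
    realtime_pct: Optional[float] = None    # m2 of real-time curve, % of parent
    upperlimit_pct: Optional[float] = None  # m2 of upper-limit curve, % of parent
    children: List["Queue"] = field(default_factory=list)


def resolve(queue: Queue, parent_kbit: float, path: str = "",
            result: Optional[Tuple[Dict[str, int], List[str]]] = None):
    """Walk the tree, turning percentages into absolute kbit/s per queue and
    collecting inconsistencies. Returns (kbit_by_path, problems)."""
    if result is None:
        result = ({}, [])
    kbits, problems = result
    path = f"{path}/{queue.name}"
    own_kbit = parent_kbit * queue.bandwidth_pct / 100
    kbits[path] = round(own_kbit)
    if not 0 <= queue.priority <= 7:
        problems.append(f"{path}: HFSC priority {queue.priority} outside 0-7")
    if (queue.realtime_pct is not None and queue.upperlimit_pct is not None
            and queue.upperlimit_pct < queue.realtime_pct):
        problems.append(f"{path}: upperlimit {queue.upperlimit_pct}% is below "
                        f"realtime {queue.realtime_pct}%")
    if queue.children:
        total = sum(c.bandwidth_pct for c in queue.children)
        if total > 100:
            problems.append(f"{path}: children link-share totals {total}% (>100%)")
        for child in queue.children:
            resolve(child, own_kbit, path, result)
    return result


def outbound_plan() -> Queue:
    """The 9700 kbit root class and its queues as listed in the message."""
    served = [Queue("VoIP", 10, 6, realtime_pct=10, upperlimit_pct=35),
              Queue("RDP-VNC", 20, 5, realtime_pct=15, upperlimit_pct=50),
              Queue("HTTP-HTTPS-FTP", 50, 4, realtime_pct=40),
              Queue("Mail", 20, 3, realtime_pct=10)]
    client = [Queue("VoIP", 10, 6, realtime_pct=20, upperlimit_pct=35),
              Queue("RDP-VNC", 30, 5, realtime_pct=15, upperlimit_pct=50),
              Queue("HTTP-HTTPS-FTP", 50, 4, realtime_pct=40),
              Queue("Mail", 10, 3, realtime_pct=10)]
    return Queue("root", 100, 0, children=[
        Queue("Ack", 15, 7, realtime_pct=10),
        Queue("DNS", 5, 6, realtime_pct=5),
        Queue("Served", 50, 6, realtime_pct=50, upperlimit_pct=80, children=served),
        Queue("Client", 20, 5, realtime_pct=25, upperlimit_pct=50, children=client),
        Queue("Unclassified", 10, 3, realtime_pct=10, upperlimit_pct=30),
    ])


ROOT_KBIT = 9700  # 97 % of the 10 Mbit upload, as in the message
```

Run `resolve(outbound_plan(), ROOT_KBIT)` to get the absolute figures; for instance the Served/HTTP queue's 50% of a 50% parent is 2425 kbit/s of the 9700 kbit root, which is the number worth sanity-checking against what the web servers actually push.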
Re: [pfSense] cannot access gui
Nelson,

If you can get to the console you can choose option 11 - Restart webConfigurator; this will restart the web interface services without affecting other services.

Cheers,
Daniel

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Nelson Serafica
Sent: Wednesday, 5 October 2011 11:41 AM
To: list@lists.pfsense.org
Subject: [pfSense] cannot access gui

> pfSense has been up for almost 5 months now. Then, yesterday we were not able to access the GUI anymore, though everything is doing fine such as rules and port forwarding. The last change I did with the GUI was the DHCP mapping and then suddenly, I cannot access the GUI anymore. I'm accessing it through https. I tried also connecting from the private network but still no luck.
>
> Is there a command I can execute on the shell? As much as possible I don't want to restart the pfSense server. There could be a service somewhere (apache/lighttpd?) that I could restart. I haven't tried to start SSH because I thought I wouldn't have any issue with the GUI. Guess I need to enable SSH. But before anything else, I need to fix the GUI access.
>
> Any suggestions?
>
> TIA