Re: [pfSense] OpenVPN TCP vs UDP

2013-02-08 Thread David Brown
On 08/02/13 15:51, j...@millican.us wrote:
> Hello,
> Can anyone give a basic pro and con assessment of TCP vs UDP for
> OpenVPN?  I am getting some random disconnects which I "think" may be
> caused by the same reason I am getting "TLS Error: local/remote TLS keys
> are out of sync" based on some older forum threads.  I will be going
> over my configs and looking at maybe tweaking the keep-alive times.
> These disconnects are random but do seem to happen more often when I am
> connected to more than one VPN, in case that may have some bearing on the
> situation.  I have several network segments behind a master-slave pair
> of pfSense boxes and each segment is accessed by its own VPN tunnel to
> maintain separation.
> Any thoughts?
> Thank You,
> JohnM

UDP is a bit more efficient - TCP includes more error-checking and needs
acknowledgements for each packet transferred (though the acknowledgements
can be tagged onto other TCP packets).  OpenVPN already has enough
error-checking and synchronisation.

On the other hand, UDP can be problematic through some types of
firewalls and complicated routing.

I used to use UDP for all my OpenVPN setups - but when I failed to get
it to work properly between different clients connected to different
server instances on the same router machine, I tried switching to TCP
and it worked perfectly.  So now I use TCP for OpenVPN.

(This was using a Linux router box rather than pfSense, but I don't
think that will make a difference).


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Open VPN or IPSec for site to site VPNs

2012-04-21 Thread David Brown

On 20/04/12 21:32, Bob Gustafson wrote:

On Fri, 2012-04-20 at 21:04 +0200, David Brown wrote:

On 20/04/12 20:08, Jim Pingle wrote:

On 4/20/2012 12:23 PM, Gavin Will wrote:

Traditionally used IPSec VPNs for site to site links, however with replacing
remote site routers with pfSense boxes I thought about using OpenVPN instead.

Any pros/cons?

I quite like the ability to push a route easily with OpenVPN.


Off the top of my head...

Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only
requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing

Cons for OpenVPN:
* Little in the way of vendor compatibility, mainly only found on OSS
firewalls
* People have a tendency to fear the unknown so they don't try it, or
dislike it because it's unfamiliar. Once they drink the kool-aid though,
they rarely stop. :-)

Pros for IPsec:
* Long-lived standard
* Many implementations on many devices, can usually build a tunnel to
just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity, many people use it because they have used it before.

Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare for devices to support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our
ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2's in tunnel mode)
requires IPsec in transport mode + GIF/GRE, which few vendors support.

Jim


I'd add another couple of pros for OpenVPN:
* It's easy to set up multiple independent OpenVPN VPNs on the same
server or client, running on different ports on the same IP address.
* If you don't mind installing a little extra software, it is easy to
use on lots of different clients.
* It's easy to set up an OpenVPN server in existing networks with
minimal changes - all you need is a port forward from the firewall
through to the OpenVPN server.

We have several independent OpenVPN setups on a server, with clients
able to connect with different accesses.  And some of our users have
multiple client setups on their laptops for connecting to many different
servers.



How does either of these VPN approaches compare with using SSH
Tunneling? (see various Linux Journal articles on this subject)

Bob G



A VPN gives you a connection from one network (or computer) to another.
An SSH tunnel lets you tunnel a single TCP/IP connection over an SSH
connection.  So the ssh tunnel is far more limited (though that's
sometimes a good thing), and in particular it is very inconvenient if
you want to use UDP, ICMP, or other protocols.  ssh is useful for ad-hoc
and occasional "holes" in networks, but it's not a replacement for a VPN.



Re: [pfSense] Open VPN or IPSec for site to site VPNs

2012-04-20 Thread David Brown

On 20/04/12 20:08, Jim Pingle wrote:

On 4/20/2012 12:23 PM, Gavin Will wrote:

Traditionally used IPSec VPNs for site to site links, however with replacing
remote site routers with pfSense boxes I thought about using OpenVPN instead.

Any pros/cons?

I quite like the ability to push a route easily with OpenVPN.


Off the top of my head...

Pros for OpenVPN:
* Plays nicer with NAT and other intermediate filtering, since it only
requires a single UDP or TCP port
* Able to route traffic arbitrarily on a basic VPN setup
* No issues with reconnecting/disconnecting
* Easy to add secondary peers
* Very easy to set up a remote access VPN with authentication
* Shared key mode works well with OSPF for dynamic routing

Cons for OpenVPN:
* Little in the way of vendor compatibility, mainly only found on OSS
firewalls
* People have a tendency to fear the unknown so they don't try it, or
dislike it because it's unfamiliar. Once they drink the kool-aid though,
they rarely stop. :-)

Pros for IPsec:
* Long-lived standard
* Many implementations on many devices, can usually build a tunnel to
just about anything
* Fairly easy to build a tunnel between two firewalls
* Familiarity, many people use it because they have used it before.

Cons for IPsec:
* Long history of problems reconnecting/rebuilding tunnels
* Rare for devices to support multiple peers
* Implementations between vendors can often have quirks
* Requires both UDP and ESP for tunneled traffic
* Remote access/mobile clients can have issues, but may work (see our
ticket system for open issues)
* Lots of problems traversing NAT or behind restrictive firewalls/networks
* Routing arbitrary networks (not using Phase 2's in tunnel mode)
requires IPsec in transport mode + GIF/GRE, which few vendors support.

Jim


I'd add another couple of pros for OpenVPN:
* It's easy to set up multiple independent OpenVPN VPNs on the same
server or client, running on different ports on the same IP address.
* If you don't mind installing a little extra software, it is easy to 
use on lots of different clients.
* It's easy to set up an OpenVPN server in existing networks with 
minimal changes - all you need is a port forward from the firewall 
through to the OpenVPN server.


We have several independent OpenVPN setups on a server, with clients 
able to connect with different accesses.  And some of our users have 
multiple client setups on their laptops for connecting to many different 
servers.





Re: [pfSense] be aware, reverse squid install will break your forward squid.

2011-12-22 Thread David Brown

On 21/12/2011 19:43, Fuchs, Martin wrote:

Well, the squid-reverse package supports both ;-)

It's a fully featured squid2 WITH reverse ;-)

And Exchange-assistant ;-)



Just out of curiosity, what is the benefit of having a reverse proxy for 
Exchange?  My understanding of a reverse proxy is to provide caching of 
static files, but surely a lot of the traffic on webmail interface is 
dynamic and/or personal to the particular user.  The static parts of the 
interface would be relatively small files, and would quickly be cached 
at the user client end anyway.


We don't use Exchange, but I will be setting up a Horde webmail 
interface, and if there is some benefit to the reverse proxy that I'm 
missing here, maybe it will apply equally to Horde.



As another point, while we're on the topic of reverse proxies, can the 
reverse proxy pass on http requests to different servers based on the 
web address?  We have several (virtual) servers for different uses, with 
addresses such as "svn.westcontrol.no" and "www.westcontrol.no".  At the 
moment, all incoming port 80 traffic goes to a single common apache
server that passes the traffic on to the appropriate virtual server.
If a reverse proxy on pfsense can handle that job, it will cut out an 
extra step.


mvh.,

David





Re: [pfSense] how to block https sites

2011-11-27 Thread David Brown

On 27/11/11 14:41, suresh suresh wrote:

HI All,

I want to block the https facebook site only. How do I do this? Please help me.
I am using pfsense 1.2.3.

Thank you,

Regards,
Suresh



What are you trying to accomplish?  Do you only want people to use 
facebook through http rather than https?


If you only want to block facebook, then the easiest way is to make a 
specific dns entry for www.facebook.com (and other facebook URLs, if
there are any), pointing to a webpage informing the user that the site 
is blocked, or simply to 127.0.0.1 if you want the user-unfriendly quick 
and easy solution.



Re: [pfSense] Using partitions

2011-11-01 Thread David Brown

On 01/11/2011 13:32, Norman Golisz wrote:

Hi David,

On Tue Nov  1 2011 12:46, David Brown wrote:

I didn't see anything supporting this in the pfSense installation,
or in the webconfig menus.

Would the best plan be simply to create the partitions manually from
the shell, and manually edit /etc/fstab to make /var and the squid
cache their own partitions?


Not necessary. You are presented a dialogue to configure the partitions
in the installation procedure [1].



When I did a test installation (on a virtual machine), I had the
option to make the partitions.  But I didn't see anywhere to choose
where the other partitions are mounted, meaning I'd have to copy
over the original data from / to /var after installation, then
manually modify the fstab.  I don't have any problem doing that, but
I would prefer to use a "officially supported" method, if there is
one.


Unfortunately, I can't check that for myself right now. But, based on
the assumption nothing changed terribly between 1.2.3 and 2.0 in the
installation procedure, these pictures [1] indicate it is absolutely
possible. Look at section "Select Subpartitions".



Looking closer, it seems you are right.  Maybe I was a little too quick 
when installing my test system - I didn't notice that you can add more 
mountpoints there.  I'll be re-installing soon (it's so easy with 
virtual machines, and practice makes perfect), so I'll try it then.



On Linux systems, I typically also mount /tmp on a tmpfs ram disk.
Is there anything equivalent in BSD?


Yes, it's called mfs [2].


As far as I can see, this creates a specifically-sized block of ram
and makes a UFS filesystem on it.  It is not exactly the same as
tmpfs on Linux (which doesn't take any space unless it is actually
used), but it's close enough.  And if there is any contention for
ram space, the ram disk data will migrate over to swap.  That sounds
fine to me.

But can I easily set it up with a line in fstab, or does it need
something else to create it and mount it at boot time?


No magic required. Please see the examples section of mdmfs(8):


Create and mount a 32 megabyte swap-backed file system on /tmp:

mdmfs -s 32m md /tmp


I saw that one...



The same file system created as an entry in /etc/fstab:

md /tmp mfs rw,-s32m 2 0




But I managed to miss that one!

That's the key I was looking for.

Sorry for being a bit dense here - and thank you for your patience.

Thanks,

David



Norman.

[1] http://forum.pfsense.org/index.php/topic,7356.0.html





Re: [pfSense] Using partitions

2011-11-01 Thread David Brown

On 01/11/2011 12:00, Norman Golisz wrote:

Hi David,

On Tue Nov  1 2011 10:00, David Brown wrote:

I'd prefer to put the proxy cache on its own partition (or is that
"slice"?  I am not used to BSD terminology here) with its own file
system.


This is called a 'partition' within a FreeBSD slice. Whereas a 'slice'
constitutes an IBM-compatible partition on a PC. Just imagine the slice
as a "container" of FreeBSD (technically disklabel) partitions,
which are themselves independent of the computer's architecture. Remember,
BSD OSs support a number of different computer hardware platforms.


Thanks for clearing that up.




I would also like to put log files (and perhaps rrd and
other data) in a separate partition - I prefer to keep rapidly
updated files in a separate file system from mostly static files
(the OS and programs, and the setup and configuration).


That's prudent.


I didn't see anything supporting this in the pfSense installation,
or in the webconfig menus.

Would the best plan be simply to create the partitions manually from
the shell, and manually edit /etc/fstab to make /var and the squid
cache their own partitions?


Not necessary. You are presented a dialogue to configure the partitions
in the installation procedure [1].



When I did a test installation (on a virtual machine), I had the option 
to make the partitions.  But I didn't see anywhere to choose where the 
other partitions are mounted, meaning I'd have to copy over the original 
data from / to /var after installation, then manually modify the fstab. 
 I don't have any problem doing that, but I would prefer to use a 
"officially supported" method, if there is one.



And will that survive updates to pfSense?


Sure.


OK.




On Linux systems, I typically also mount /tmp on a tmpfs ram disk.
Is there anything equivalent in BSD?


Yes, it's called mfs [2].


As far as I can see, this creates a specifically-sized block of ram and 
makes a UFS filesystem on it.  It is not exactly the same as tmpfs on 
Linux (which doesn't take any space unless it is actually used), but 
it's close enough.  And if there is any contention for ram space, the 
ram disk data will migrate over to swap.  That sounds fine to me.


But can I easily set it up with a line in fstab, or does it need 
something else to create it and mount it at boot time?


Thanks,

David




Norman.

[1] http://forum.pfsense.org/index.php/topic,7356.0.html
[2] http://www.freebsd.org/cgi/man.cgi?query=mdmfs&sektion=8





[pfSense] Using partitions

2011-11-01 Thread David Brown

Hi,

Are there any notes or examples regarding multiple partitions with 
pfSense installations?  I am putting together a new pfSense 
installation, and would like to include a transparent proxy.  I'd prefer 
to put the proxy cache on its own partition (or is that "slice"?  I am 
not used to BSD terminology here) with its own file system.  I would 
also like to put log files (and perhaps rrd and other data) in a 
separate partition - I prefer to keep rapidly updated files in a 
separate file system from mostly static files (the OS and programs, and 
the setup and configuration).


I didn't see anything supporting this in the pfSense installation, or in 
the webconfig menus.


Would the best plan be simply to create the partitions manually from the 
shell, and manually edit /etc/fstab to make /var and the squid cache 
their own partitions?  And will that survive updates to pfSense?


On Linux systems, I typically also mount /tmp on a tmpfs ram disk.  Is 
there anything equivalent in BSD?


mvh.,

David


Re: [pfSense] Forwarding an external port according to user

2011-10-25 Thread David Brown

On 25/10/2011 03:46, Daniel Davis wrote:

David,

Whilst this is not as secure as a real VPN, you could possibly use
something like OpenVPN ALS (Previously Adito). It is a remote access
over SSL solution that allows your users to somewhat securely connect
to work resources without needing to install a VPN client or open
insecure ports on your firewall. Your users will log in to the
OpenVPN ALS page and authenticate using their credentials (it can
authenticate against LDAP, AD etc.), they will then get a portal page
which will show the resources you have given them access to (This can
be RDP, VNC etc). When they open a resource it will launch a Java
client and tunnel the connection over SSL.

Some things to note though are that the project is dead and the last
released version has some significant known security flaws; however,
it will still be vastly more secure than just forwarding VNC traffic
through your firewall.



Thanks for the tip, though I doubt if I will use it - I'd rather not 
base the system on a dead project unless it has significant benefits.



It is always assumed as a general security principle that you should 
never transmit anything over the open internet without encryption.  Yet 
people do that all the time (think http, pop3, smtp), and even with 
plain text passwords (pop3).  In this case, the traffic will all stay 
reasonably local - the server and the clients (at least most of them) 
are all on the same ISP, and physically close.  A quick check shows that 
my home router is four hops from the office router, and all machines are 
from the ISP.  What is the real-world risk of someone breaking in there 
to monitor the traffic, much less adding equipment or routes to 
intercept and change the traffic?  It is as close to zero as makes no 
difference.  If we were a bank, or holding national secrets, it would be 
a different matter - but we are not going to be subject to targeted, 
high-power attacks.  So I don't lose any sleep about the lack of 
encryption in the VNC access we have today.


Having said that, of course it is always better to have encryption as 
well.  Thus I'm looking at what's available, to see if there is anything 
more convenient than what I have, and greater security is always a nice 
bonus.  I actually see an additional login, using passwords that /I/ 
control, as being a bigger step for security than encryption - it's too 
easy for users to pick poor passwords on VNC on their desktops.


mvh.,

David




Regards,

Daniel Davis



-Original Message- From: list-boun...@lists.pfsense.org
[mailto:list- boun...@lists.pfsense.org] On Behalf Of David Brown
Sent: Tuesday, 25 October 2011 12:14 AM To: pfSense support and
discussion Subject: Re: [pfSense] Forwarding an external port
according to user

On 24/10/2011 15:53, Vassilis V. wrote:



David Brown wrote on 10/24/2011 02:34 PM:


Using a VPN is certainly a possibility - our "road warriors" who use a
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
home machine regularly to access everything in the network here. Where
VPNs are the right solution, they are what we use.

But I see two disadvantages of VPNs. They give too much access.
Obviously firewall rules can be added to limit access in some ways, but
it is somewhere between difficult and impossible to get the right
balance between security and functionality here. How do I set up
firewalls that let the user access company files on a server from their
home machine without also opening these files to whatever malware
they've installed? I can prescribe rules and regulations for computers
on the company network, I can monitor them for suspicious behaviour, and
do regular checks. But I can't do that for people's home computers. I
can do so on a limited basis for a few users, especially for those with
company laptops that they use from home or outside, but it is not
scalable in general.


I can't agree that VPNs give too much access. The way the VPN in pfsense
is configured, it gives exactly the amount of access that you allow.
Having a VPN connection that allows only to connect to port 5900 on a
certain PC is a piece of cake. If you want to offer samba to your users,
you shouldn't really port forward the ports to WAN. Even if you limit the
source IP it feels somehow wrong to do it :) But it's more of a general
question if you want to give them access to samba or not, the tool you
want to use (port forward or VPN) doesn't matter.



I agree that samba over WAN feels wrong - it's only an option I'm
vaguely considering, and just mentioning here as another example.
An alternative example, as well as VNC, would be RDP for Windows
remote desktop protocol (though I prefer VNC as it is more
cross-platform).

I understand that you can specify exactly the rules you want in
pfSense for VPN access.  But it can only restrict traffic based on
the IP address and other 

Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 15:53, Vassilis V. wrote:



David Brown wrote on 10/24/2011 02:34 PM:


Using a VPN is certainly a possibility - our "road warriors" who use a
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
home machine regularly to access everything in the network here. Where
VPNs are the right solution, they are what we use.

But I see two disadvantages of VPNs. They give too much access.
Obviously firewall rules can be added to limit access in some ways, but
it is somewhere between difficult and impossible to get the right
balance between security and functionality here. How do I set up
firewalls that let the user access company files on a server from their
home machine without also opening these files to whatever malware
they've installed? I can prescribe rules and regulations for computers
on the company network, I can monitor them for suspicious behaviour, and
do regular checks. But I can't do that for people's home computers. I
can do so on a limited basis for a few users, especially for those with
company laptops that they use from home or outside, but it is not
scalable in general.


I can't agree that VPNs give too much access. The way the VPN in pfsense
is configured, it gives exactly the amount of access that you allow.
Having a VPN connection that allows only to connect to port 5900 on a
certain PC is a piece of cake. If you want to offer samba to your users,
you shouldn't really port forward the ports to WAN. Even if you limit the
source IP it feels somehow wrong to do it :) But it's more of a general
question if you want to give them access to samba or not, the tool you
want to use (port forward or VPN) doesn't matter.



I agree that samba over WAN feels wrong - it's only an option I'm 
vaguely considering, and just mentioning here as another example.  An 
alternative example, as well as VNC, would be RDP for Windows remote 
desktop protocol (though I prefer VNC as it is more cross-platform).


I understand that you can specify exactly the rules you want in pfSense 
for VPN access.  But it can only restrict traffic based on the IP 
address and other such criteria - my point about having too much access 
is there is no way to restrict it by the type of originating program. 
Perhaps you are one of the lucky few who only has to deal with *nix type 
systems, but I have to assume that employees home machines and home 
networks are full of malware (except for the few that I've checked, and 
know that they are kept reasonably secure).  So if a home machine has 
access over a VPN to files on a company server, then so does all the 
malware they have installed.  With VNC only, I avoid that (although 
keyloggers are still a potential issue).


Of course, if I do try out samba over the WAN, the same thing applies 
there as with VPN access.






The other disadvantage of a VPN is that we use a lot of specialised
software - people can't easily install it on their home machines. They
may also need different sorts of access to different machines - trying
to get routing and firewalling rules that allow this over a VPN without
being too permissive is hard.


I didnt clearly describe the solution I proposed, they would still use
VNC to work on their work PC. They would just tunnel it through the VPN
and have only access to port 5900 on their PC.



Ah, okay.  That's one way to handle it that I'm already considering.

Of course, this also means that users would need to install and 
configure OpenVPN on their home machines.  It's not hard, but it is an 
extra step.


With "pure" VNC, I can also look at using the VNC java client - if I put 
that on a server somewhere, then it makes it possible for people to 
access their office desktops from other machines without any 
installation.  This can be very handy for people that are away from home 
and office (such as when they are trying to have a restful holiday...).


Maybe I can just put together something using the java VNC client (the 
tightvnc java client supports SSL already, I believe) and a web page 
with the required links, and simply make port forwards for the users 
that need external access.  It's not /that/ much work, or so very many 
users.  A reverse captive portal like I described may be an elegant 
solution, but it is certainly not necessary.




With VNC, both these issues are solved, since they are effectively
working on their company desktops.


Obviously running VNC over a VPN would improve the security, since
everything is encrypted, and it would be possible to set that up. In
particular, it would be easier to set OpenVPN rules to say only port
5900 is allowed, than to try to give all the required firewall rules to
let users get local access from home machines to the company systems.


Exactly! :-) And it would be a lot easier to
configure/expand/maintain/monitor in the future


But encrypting VNC over a VPN is not really necessary - it is

Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 14:08, Jim Pingle wrote:

It isn't quite all that easy. There is already an open ticket for that
feature.

http://redmine.pfsense.org/issues/385


OK, thanks.  I'm convinced that such a feature is technically possible, 
but I also appreciate that it would take a lot of work to implement. 
Since it is already on the feature request list, and has not been 
dismissed in any way, then I suppose it will stay there until a pfSense 
developer has the time to look at it.  I doubt if such a feature will be
considered top-priority for a while, but that's fair enough.  It's
certainly not an essential feature for me - it would just be a "nice to 
have" feature.


Thanks,

David




Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 13:57, Vassilis V. wrote:

Hello David!

You seem to be very over complicating things :) If I understand you
correctly, you want to have your users authenticate themselves in order
to have limited access to the work network and offer them certain
services there. You already mentioned your solution but dismissed it!
What you want to set up and would solve all your problems with high
security is a VPN.

Your workers connect to the VPN (There are clients for every OS), and
immediately they have access to "their" PC at work. No need to open
individual ports for VNC, SMB etc. If you want each user to only be able
to connect to his own PC, have every user get a fixed IP (described in
the book) and then set up rules in the OpenVPN tab so that each IP can
only access certain PC's. The added benefit of a VPN is that the traffic
is encrypted and each user must authenticate himself with certificates
(or/and username/password).

Hope it helps!

Vassilis


Using a VPN is certainly a possibility - our "road warriors" who use a 
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my 
home machine regularly to access everything in the network here.  Where 
VPNs are the right solution, they are what we use.


But I see two disadvantages of VPNs.  They give too much access. 
Obviously firewall rules can be added to limit access in some ways, but 
it is somewhere between difficult and impossible to get the right 
balance between security and functionality here.  How do I set up 
firewalls that let the user access company files on a server from their 
home machine without also opening these files to whatever malware 
they've installed?  I can prescribe rules and regulations for computers 
on the company network, I can monitor them for suspicious behaviour, and 
do regular checks.  But I can't do that for people's home computers.  I 
can do so on a limited basis for a few users, especially for those with 
company laptops that they use from home or outside, but it is not 
scalable in general.


The other disadvantage of a VPN is that we use a lot of specialised 
software - people can't easily install it on their home machines.  They 
may also need different sorts of access to different machines - trying 
to get routing and firewalling rules that allow this over a VPN without 
being too permissive is hard.


With VNC, both these issues are solved, since they are effectively 
working on their company desktops.



Obviously running VNC over a VPN would improve the security, since 
everything is encrypted, and it would be possible to set that up.  In 
particular, it would be easier to set OpenVPN rules to say only port 
5900 is allowed, than to try to give all the required firewall rules to 
let users get local access from home machines to the company systems. 
But encrypting VNC over a VPN is not really necessary - it is probably 
easier to use UltraVNC (or any other VNC with encryption built-in).  It 
is also not much of a security issue since most employees have the same 
ISP as the company - there is very little possibility of eavesdropping 
or other attacks.



David


[pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

Hi,

I am wondering if the following setup is possible to achieve:

A number of people at my company work at home by running a VNC server on 
their desktops, and connected to them from their home machines.  It is 
often a better choice than using a VPN because it makes security much 
easier, and saves installing work-related software on a home machine.


Since there are several people doing this, I have a series of port 
forwards from the firewall/router machine's external IP address, so that 
port 59001 is routed to 5900 on internal PC 1, port 59002 is routed to 
port 5900 on PC 2, and so on.


What would be very neat would be a kind of "captive portal" arrangement 
where the external user would first use a browser to connect to the 
firewall/router and log in.  After a successful login, the 
firewall/router would forward external port 5900 to that user's internal 
PC for the one specific external IP address.


The result would be more secure than individual port forwards (since it 
is easier to enforce password policy, and to log logins), more scalable 
(new users just means new entries in the user table rather than 
additional firewall rules), and easier to manage (all users access VNC 
using the same addresses, and the same standard port).


Obviously there are other similar situations when such a system could be 
used, such as for the samba ports to allow people access to their 
desktop drives from the outside in a reasonably secure way (no 
encryption, but at least access would only be from specific IP addresses).


I don't think there is anything difficult about the underlying 
technology here - it's just port-forward rules that depend on the 
incoming IP source address.  But it would need a sort of captive-portal 
style interface.



Is such a setup possible with pfSense, but I just don't know about it 
(my copy of the book has not yet arrived...)?  Is it something that 
would be useful to others, and could go on a features request list?  Is 
it a silly idea because of some security issue I haven't thought of?


mvh.,

David
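A model of the "port forward according to user" idea described in the post above, as an added illustration that is not pfSense code or anything the list discussed in code form: the existing one-port-per-user forwards (59001 to PC 1, 59002 to PC 2) sit beside a login-gated forward of the standard port 5900 that applies only to the external source address that logged in, with every login attempt logged and sessions that expire. All addresses, user names, passwords and the eight-hour session lifetime are constructed assumptions; the pf-style `rdr` lines at the end are hand-written to show the shape of the resulting rules, not output of pfSense.

```python
"""Model of the "port forward according to user" idea from the post above:
the existing one-port-per-user forwards sit beside a login-gated forward of
the standard VNC port that applies only to the source address that logged in.
Added illustration, not pfSense code; every address, user and password is a
constructed example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VNC_PORT = 5900
SESSION_TTL = 8 * 3600  # assumed: a login is good for one working day


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 so the user table never holds a clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    name: str
    internal_pc: str       # constructed RFC 1918 address of the user's desktop
    static_ext_port: int   # the existing per-user forward (59001, 59002, ...)
    salt: bytes
    pw_hash: bytes

    def check_password(self, password: str) -> bool:
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)


@dataclass
class Portal:
    users: Dict[str, User]
    # src_ip -> (user name, expiry): the "user table" the post wants to grow
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def login(self, src_ip: str, name: str, password: str, now: float) -> bool:
        user = self.users.get(name)
        ok = user is not None and user.check_password(password)
        # Every attempt is logged: the audit trail that plain port forwards lack.
        self.log.append(f"{now:.0f} login {'ok' if ok else 'FAILED'} "
                        f"user={name} from={src_ip}")
        if ok:
            self.sessions[src_ip] = (name, now + SESSION_TTL)
        return ok

    def resolve(self, src_ip: str, dst_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Decide where an inbound TCP connection goes; None means drop."""
        # 1. The unchanged static forwards: any source, one external port each.
        for user in self.users.values():
            if dst_port == user.static_ext_port:
                return (user.internal_pc, VNC_PORT)
        # 2. The login-gated forward: standard port, only for a logged-in source.
        if dst_port != VNC_PORT or src_ip not in self.sessions:
            return None
        name, expiry = self.sessions[src_ip]
        if now >= expiry:
            del self.sessions[src_ip]  # expired: the forward disappears again
            self.log.append(f"{now:.0f} session expired user={name} from={src_ip}")
            return None
        return (self.users[name].internal_pc, VNC_PORT)

    def pf_rules(self, now: float, wan_if: str = "em0") -> List[str]:
        """pf-style rdr lines for live sessions (hand-written syntax, not pfSense output)."""
        rules = []
        for src_ip, (name, expiry) in sorted(self.sessions.items()):
            if now < expiry:
                pc = self.users[name].internal_pc
                rules.append(f"rdr on {wan_if} proto tcp from {src_ip} "
                             f"to ({wan_if}) port {VNC_PORT} -> {pc} port {VNC_PORT}")
        return rules


def build_demo_portal() -> Portal:
    """Constructed user table matching the post: PC 1 behind 59001, PC 2 behind 59002."""
    users = {}
    for i, (name, pw) in enumerate([("alice", "correct horse"), ("bob", "battery staple")], 1):
        salt, digest = hash_password(pw)
        users[name] = User(name, f"10.0.0.{10 + i}", 59000 + i, salt, digest)
    return Portal(users)


if __name__ == "__main__":
    portal = build_demo_portal()
    t0 = 1_700_000_000.0
    portal.login("192.0.2.10", "alice", "correct horse", now=t0)
    print(portal.resolve("192.0.2.10", VNC_PORT, now=t0))                # alice's PC
    print(portal.resolve("192.0.2.99", VNC_PORT, now=t0))                # None: not logged in
    print(portal.resolve("192.0.2.99", 59002, now=t0))                   # static forward to PC 2
    print(portal.resolve("192.0.2.10", VNC_PORT, now=t0 + SESSION_TTL))  # None: expired
    print("\n".join(portal.pf_rules(now=t0)))
```

Note that the gated forward only narrows who can reach port 5900; the VNC traffic itself is still unencrypted, as the post says.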


Re: [pfSense] The best way to penalize / shape iCloud updates from iPad's / iPhone's?

2011-10-19 Thread David Brown

On 19/10/2011 12:42, Raimund Sacherer wrote:

Hi,

On 19-10-2011 11:14, Raimund Sacherer wrote:

Hello,

Not sure about penalizing the IP's of the iCloud service, as
maintaining a list of these IP's could also be tedious ...


Null route those networks, and let them backup on their home wifi?

Yes, this was what I thought too, but I did want to know if there is a way 
without having to maintain a list of iCloud related Networks, I guess they will 
change over time :-) but who said networking is easy? ...



Tell them that it helps save their battery :-)

Hahaha, that's funny, thank goodness our users are very compliant!



If the users are mostly obedient, and the synchronisation doesn't work 
very well, then just tell them "don't synchronise your toy phones at the 
office, because it doesn't work well".


If gentle persuasion doesn't work, try threats "I am monitoring 
communication between iPhones and iCloud.  Any pictures being 
transferred will be posted on the company noticeboard".


You only need to go for difficult technological fixes if the simple 
psychological ones fail.


mvh.,

David




Re: [pfSense] Direct purchase of pfSense book pdf

2011-09-30 Thread David Brown

On 30/09/2011 15:09, Rainer Duffner wrote:

On Fri, 30 Sep 2011 14:24:58 +0200
David Brown wrote:



The thought had occurred to me, but I didn't like to mention it :-)


For obvious reasons.
I do own the paper version (and only the paper version), just for the
record.
;-)

And I do know that book-piracy is a big problem especially for books
with a small circulation.

The media like to concentrate on movies and songs.
But the real victims are authors and publishers of non-blockbuster
books.



Yes - it's easy for the media (and idiots like the BSA) to talk about 
popular media and software, since that gives them huge figures, 
especially by making the assumption that everyone who downloaded an 
unauthorised copy of something would otherwise have bought it at full 
price.  But for a specialised book like this, unauthorised copies can 
make a much bigger proportional difference to the authors.  Part of this 
is that it is more realistic to assume that a higher proportion of 
downloaded copies really are lost sales - people would only bother 
getting hold of a copy of the PfSense book if they actually needed it, 
unlike a song, movie or computer game.


The challenge for Chris is to find a way to let honest users pay 
suitably for a pdf that they can use freely (no Kindle nonsense or other 
DRM locks), while discouraging the accidental or intentional spread of 
the file.  Watermarking with the purchaser's name and company is one way 
to achieve this, at least amongst professional users.  Maybe if the 
watermark included the purchaser's credit card number, people would be 
careful about sharing the file!





Re: [pfSense] Direct purchase of pfSense book pdf

2011-09-30 Thread David Brown

On 30/09/2011 12:58, Rainer Duffner wrote:

On Fri, 30 Sep 2011 10:57:03 +0200
David Brown wrote:


On 30/09/2011 09:50, Chris Buechler wrote:

On Fri, Sep 30, 2011 at 3:24 AM, David
Brown   wrote:

Hi,

Is it possible to buy a copy of the pfSense book as a pdf file,
with the money going directly to the pfSense project (or the
book's authors)? That would be more convenient for me for
reference, faster delivery (it will take a couple of weeks to get
the paper book to Norway), more environmentally friendly, more
up-to-date (assuming the book is being updated for 2.0), and gives
the money to the people who did the pfSense work.



By contract, we don't have that option for the current edition.
There is a Kindle version available. I expect we will for the next
edition though (ETA unknown but it'll be available electronically
in parts for purchase of some kind before it's completely finished
and in print).



For various reasons (which would be way off-topic here), Kindle is
not an option for me.

I can understand that there are reasons for different models for
books, with different types of contracts, different people wanting to
get paid (you, as authors, can get money for a directly purchased pdf
file - but there are probably editors, marketers and other people
whose income is more connected to printed versions).

I would certainly be happy to pay for an electronic version of the
book
- but it must be in a free and open format.  Typically that means a
normal pdf file - it is important that it can be easily read and
searched on a variety of platforms without needing specific software.

Of course, that makes it more difficult to make sure people are
honest, and pay for the book (you guys need to eat too - coffee and
pizza cost real money!).  One solution that I have seen on a
different project is that when you buy a pdf book, it is watermarked
with the purchaser's name and/or company.  This makes it easy for the
purchaser to use the book themselves, but they will be very unlikely
to spread it around to others.



If you're really that desperate to get your hands on a PDF, I would
order the book (dead tree version) and then download a torrent of the
PDF.
You can find them all over.


The thought had occurred to me, but I didn't like to mention it :-)

But I have ordered the dead tree format book - I'll see about the pdf 
version in the future.


I've also now seen that the pdf is for sale at Applianceshop.eu, so 
maybe I could buy it there.  (I'm also considering buying router 
hardware there, which is obviously a much more important decision.)




Keep the order, because a lot of people forget to order the book once
they have the PDF ;-)

Or try to find someone in Norway/Europe who owns it and will sell it to
you.

Maybe ask on the FreeBSD-forum?





Re: [pfSense] Direct purchase of pfSense book pdf

2011-09-30 Thread David Brown

On 30/09/2011 09:50, Chris Buechler wrote:

On Fri, Sep 30, 2011 at 3:24 AM, David Brown  wrote:

Hi,

Is it possible to buy a copy of the pfSense book as a pdf file, with the
money going directly to the pfSense project (or the book's authors)? That
would be more convenient for me for reference, faster delivery (it will take
a couple of weeks to get the paper book to Norway), more environmentally
friendly, more up-to-date (assuming the book is being updated for 2.0), and
gives the money to the people who did the pfSense work.



By contract, we don't have that option for the current edition. There
is a Kindle version available. I expect we will for the next edition
though (ETA unknown but it'll be available electronically in parts for
purchase of some kind before it's completely finished and in print).



For various reasons (which would be way off-topic here), Kindle is not 
an option for me.


I can understand that there are reasons for different models for books, 
with different types of contracts, different people wanting to get paid 
(you, as authors, can get money for a directly purchased pdf file - but 
there are probably editors, marketers and other people whose income is 
more connected to printed versions).


I would certainly be happy to pay for an electronic version of the book 
- but it must be in a free and open format.  Typically that means a 
normal pdf file - it is important that it can be easily read and 
searched on a variety of platforms without needing specific software.


Of course, that makes it more difficult to make sure people are honest, 
and pay for the book (you guys need to eat too - coffee and pizza cost 
real money!).  One solution that I have seen on a different project is 
that when you buy a pdf book, it is watermarked with the purchaser's 
name and/or company.  This makes it easy for the purchaser to use the 
book themselves, but they will be very unlikely to spread it around to 
others.





Searching for dead-tree format pfSense books, I can see three books.
"PFSense: The Definitive Guide" (Jim Pingle, Christopher Buechler, 2009),
"PFSense" (Lambert Surhone, Mariam Tennoe, Susan Henssonow, 2010), and
"PfSense 2 Cookbook" (Matt Williamson, 2011).  I gather that "The Definitive
Guide" is /the/ book,


That's correct.


but are the other two recommended?



I wouldn't bother. The 2010 one I'm not even sure what it is, looks
like some weird compilation of what is probably freely available info
(i.e. take doc.pfsense.org and some other random open source docs and
put it in print). The Packt book was written based on the alpha
version and I could write a short book just of the errata of what all
is wrong in it, plus the promised royalty money to the project from it
is nowhere to be seen.


OK - thanks for that advice.  I'll just order your book.





[pfSense] Direct purchase of pfSense book pdf

2011-09-30 Thread David Brown

Hi,

Is it possible to buy a copy of the pfSense book as a pdf file, with the 
money going directly to the pfSense project (or the book's authors)? 
That would be more convenient for me for reference, faster delivery (it 
will take a couple of weeks to get the paper book to Norway), more 
environmentally friendly, more up-to-date (assuming the book is being 
updated for 2.0), and gives the money to the people who did the pfSense 
work.


I know I can get it as part of a subscription - but while the 
subscription service looks good value for money for professional support 
services, it's a touch expensive if all I want for now is the book!  (I 
would like to read the book /before/ deciding on deploying pfSense - but 
I would not pay for services until /after/ deciding.)



Searching for dead-tree format pfSense books, I can see three books. 
"PFSense: The Definitive Guide" (Jim Pingle, Christopher Buechler, 
2009), "PFSense" (Lambert Surhone, Mariam Tennoe, Susan Henssonow, 
2010), and "PfSense 2 Cookbook" (Matt Williamson, 2011).  I gather that 
"The Definitive Guide" is /the/ book, but are the other two recommended?


mvh.,

David


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 22/09/2011 15:57, Adam Thompson wrote:

Surely the Right Thing for a mailing list is plain text anyway - if
you are going to use HTML, then you might as well join the rest of
the sheeple and top-post.


Agreed.  But then how do you reply-and-quote to an email that someone else
*did* post in HTML format?  Outlook just sucks in this scenario... you
can't even convert to plain-text and quote!  !@#$%^^&* microsoft...



I only joined this mailing list a couple of days ago - is it usual
for threads to wander so off-topic?  (I believe I've got the
answers I needed for my original questions, plus a few answers to
questions I didn't ask.)


Not quite this far OT, usually.  And it appears to be mostly my fault this
time :-(

The list isn't usually this busy, either.

FYI, on the occasion that you post a question and get *no* replies -
that's a solid indicator that no-one here knows the answer.  This list
doesn't generally see any negative responses, and that confuses some
people at first.  Re-post after about a week, and if that goes nowhere ask
on the forum as well.

Sorry for making your introduction to the list a bit hectic,



That's no problem - it's nothing compared to some of the newsgroups I 
visit sometimes (such as sci.electronics.design, which is a political 
discussion group with occasional mentions of electronics).  And as I 
say, I've got the answers I was looking for for now - the next stage is 
up to me and my virtual machines.





Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 22/09/2011 15:32, Adam Thompson wrote:



David Brown  wrote:

For those who are forced to use Outlook, but want to be part of
the sane world of bottom-posted text-only mailing lists, I have
heard that this
works:<http://home.in.tum.de/~jain/software/outlook-quotefix/>.  I
haven't tried it myself, and I don't know anything about version
compatibility or other details, but maybe it will help you.


That add-on only works for Outlook<= 2003, and only handles plaintext
email.  Outlook 2003 and newer can do the Right Thing with plaintext
emails by themselves.  I have not been able to discover any add-on
that works for HTML.



Surely the Right Thing for a mailing list is plain text anyway - if you 
are going to use HTML, then you might as well join the rest of the 
sheeple and top-post.


I only joined this mailing list a couple of days ago - is it usual for 
threads to wander so off-topic?  (I believe I've got the answers I 
needed for my original questions, plus a few answers to questions I 
didn't ask.)



OTOH, someone explained how to do it on Android, by installing the
K-9 email client - it's an extra few UN-obvious steps but at least
it's possible.  Of course, the K-9 client isn't compatible with
Exchange 2010, and it doesn't appear to be available for older
Android phones.

-Adam




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 21/09/2011 22:29, Bart Grefte wrote:

You've got a point with pfSense being ready to use, although I have to
admit, I never expected to be needing a null-modem cable to get the
embedded/nanoBSD version going. But other than that, it's practically ready
to use indeed. Just have to set everything, takes what, 15min tops in my
case and it's very easy. Everything is easy to find.
I have been looking for a Linux equivalent hoping I would not have to brush
up my command line skills (I have nothing against doing that though), but so
far I haven't found anything (incl the ones you mentioned) that come even
close to the look and feel of pfSense.




For small systems (typically for off-the-shelf wireless 
firewall/routers), I find OpenWRT a good solution.  It doesn't have 
anything like the features of pfSense, but it fits fine in a little box. 
 The gui is okay, though I have mostly used the command line.  And it 
lets you do a lot with such a cheap box - I use them for multiple 
independent networks and as OpenVPN clients/servers.


But for a bigger system, such as our company's main firewall/router, 
pfSense is looking like a strong alternative to Linux and command-line 
configuration.




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 21/09/2011 22:33, Bart Grefte wrote:

-Original message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of Scott Ullrich
Sent: Wednesday 21 September 2011 22:19
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

On Wed, Sep 21, 2011 at 4:16 PM, Bart Grefte  wrote:

Disable B clients is something I've already tried (I believe), I tried
every setting I could find that could influence performance, no luck.
Also started from scratch couple of times, after resetting all
settings back to standard.


Please bottom post on our lists.  http://www.caliburn.nl/topposting.html

If you do not like this style use the forum.

Ow, sorry, didn't know that was not allowed. I'll try to keep that in mind.
It does not help though that Outlook keeps putting the cursor on top.



I pity anyone who has to use Outlook.  Fortunately for me, I am the IT 
manager at my company, so /I/ make the rules - and we use Thunderbird as 
the standard email client.


For those who are forced to use Outlook, but want to be part of the sane 
world of bottom-posted text-only mailing lists, I have heard that this 
works: .  I 
haven't tried it myself, and I don't know anything about version 
compatibility or other details, but maybe it will help you.


mvh.,

David




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/11 16:34, Bart Grefte wrote:

Hmm, why switch to pfSense from Linux? I am considering the other way round,
from pfSense to Linux.
Mainly because the lack of wireless drivers with support for N and a buggy
Atheros FreeBSD driver.



I don't need wireless drivers - this is handled by wireless routers 
around the company.  It doesn't surprise me that Linux has better 
support than FreeBSD for wireless drivers - they were notoriously poor 
in Linux until recently, and wireless card manufacturers who barely 
acknowledged the existence of Linux will not have heard of FreeBSD.



Right now I'm thinking a base install of Debian, followed by only the
packages I need and do the configuring by console. I know about Webmin, but
don't know if I can change every setting with that.



The router I have at the moment is Debian, and I've configured by hand 
(i.e., from the console).  I'm not looking to move away from Linux as 
such, but looking towards using pfSense.


I doubt if there is anything significant that can be done with FreeBSD 
and pfSense that cannot be done with Linux.  But the point is that with 
pfSense, there is so much that comes ready-to-use.  With Linux, I could 
certainly use iptraf, rrd, php, etc., and show nice graphs of network 
traffic.  With pfSense it is already there as a page on the web 
interface.  And while /I/ can write the firewalling and routing rules I 
want in an iptables script, others at my company cannot - but they 
could, if necessary, use the web interface (such as if I'm on holiday).


If you want to use Linux, you might also consider some of the dedicated 
distributions such as Smoothwall or OpenWRT (I use OpenWRT on small 
routers).  There are also firewall tools such as vuurmuur and shorewall. 
 I found that none of them had all the features I needed, so I worked 
manually.  (I also found that pfSense didn't have those features either, 
when I first looked at it many years ago.)


In the end it depends on what you need.  Both Linux and FreeBSD are 
solid bases for a firewall/router.



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/11 16:38, Jim Pingle wrote:

On 9/21/2011 10:06 AM, David Brown wrote:

OK, I'll have a look at that.  If I get a redundant setup with CARP
working then there is not the same need for raid - the whole router can
be switched out.  But it is still nice to have, and makes recovery and
rebuilding much easier.


True on both counts, though if your backup hardware is
comparable/identical it's even more true. If your backup hardware is not
as powerful and you would be putting it under a load it maybe can't
handle for long periods, then raid would still be important, but not
critical.



I think the backup hardware will be fine with the load, though 
potentially a little slower.  One of the reasons I am looking at this is 
that the Linux system died a few weeks ago when the SAS controller card 
failed (ironically, when I bought the system, the only reason I got a 
SAS drive was because the salesman convinced me it was more reliable... 
 now I always insist on ordinary SATA drives using software raid). 
Until I got it back up again, we were running with a small wireless 
router (Linksys WRT54GL) with a modified Linux distribution (OpenWRT). 
It was slow, especially for OpenVPN traffic, but it worked.  But that is 
why I am so keen on a redundant solution this time!



The hardware doesn't have to be the same, but the number of assigned
NICs and the order in which they were assigned must be the same.



OK.  My current hardware has 2 motherboard GBit NICs and a 4x100Mb card
- when I buy a new system, it will probably be a little newer and be all
GBit NICs (and faster processor, etc.).  This would then be the primary
system.  It is absolutely fine that a switchover to the secondary system
means a loss in speed of the links, as long as the links all work!


Yeah that should be fine. There are some people who fail over from large
systems to a little ALIX so they can squeak by until the main unit gets
repaired. Saves on power, but depending on the kind of load involved it
may not be possible/ideal.


I am (as yet) very unfamiliar with FreeBSD.  But as far as I can see,
the names of the interfaces is dependent on the drivers, unlike Linux
(which typically calls them eth0, eth1, etc., regardless of the
drivers).  In Linux, you can use the "udev" rules to set specific names
for the devices based on the MAC address of the port - that keeps them
consistent even if you swap cards around to different ports.  Can I do
something similar with pfSense so that the NIC names are consistent even
though the two routers have different hardware?


There isn't a way to tie it down by MAC address, but the idea has been
tossed around before.

When you assign a card in pfSense it goes with a specific name (em0,
em1, vr0, vr1, etc) but if the cards are swapped around and the ordering
of the drivers changed, the association may not be as expected. If the
type of card changes, it would make you reassign the NICs to accommodate
the change.



I don't expect to swap around cards once they are installed (barring 
failure, of course).  But on the one system the WAN interface could be 
em0, and on the other it could be vr0.  It doesn't matter if I have to 
figure out the names and set up the NICs when I first install them, but 
obviously it's important that when the rules and other configuration are 
synced between the machines, they apply to same logical interfaces.



Incidentally, can I assume that FreeBSD will support the NICs on the
motherboard and add-in cards, without having to be too specific about
the types?  I am not trying to use anything too esoteric, such as 10 GB
cards or tcp offload engines - just a small Dell or IBM rack server with
a four-port Ethernet card.


Best not to assume anything, the FreeBSD hardware list is out there and
easy to compare against. pfSense 2.0 is based on FreeBSD 8.1-RELEASE,
though the em/igb driver is a bit newer than the one shipped with that
so if you have Intel cards it may be supported even if not on the list.
Only real way to know is to try.

If you are using multi-port NICs, especially if you decide to use amd64,
you'll probably want to employ some of the tweaks listed here:

http://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards



Since my current router hardware is Dell, and the motherboard interfaces 
are Broadcom, I'll keep that in mind!


These issues seem to imply that the amd64 version has more potential 
problems than the 386 version.  Would you recommend that I use the 386 
version?  Unless the new hardware I get has more than 4G memory, I don't 
suppose there is much advantage in using the 64-bit version.




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/11 16:31, Jim Pingle wrote:

On 9/21/2011 9:55 AM, David Brown wrote:

Just to confirm what I'm looking for here, I would want to switch over
to the secondary if any of the NICs on the main system failed, or if the
main system itself failed.  But it should not switch if interfaces such
as the VPNs fail.

Realistically, it is probably the router computer itself (disk, cpu fan,
power supply) that will fail rather than the NICs.


The only interfaces that can trigger a failover are those with CARP VIPs
configured upon them. If one interface with a CARP VIP goes down, the
backup will take over all of the CARP VIPs.

Relating that behavior to the NIC is not 100% correct really, since it's
actually the CARP VIPs that go up/down and thus triggering the failover
to the other box since all traffic should be flowing through the CARP VIPs.

Anything that is tied specifically to one box or the other would not be
affected by the failover, which is why everything should be using CARP
VIPs for the gateway, outbound NAT, services, etc.



That makes a lot of sense.  Thanks.

David



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 13:26, David Burgess wrote:

On Wed, Sep 21, 2011 at 5:13 AM, David Brown  wrote:


First, on the Linux system I have two hard disks, each with two partitions.
  The first partition on each is set as a software RAID1 and contains the OS,
configuration, data, etc.  The second partition on each is separate and
contains a squid cache.  Thus the system will boot and run fine even if one
disk fails (losing half the squid cache will not be harmful).  Can I do
something similar with pfSense?  I know a great deal about Linux software
raid, but nothing about FreeBSD.


FreeBSD does soft RAID, but I can't tell you the state of it in
pfsense. Somebody here will chime in.



Others have said that gmirror will do the job.  Of course, with a second 
redundant router, there is less need for raid.





I make use of VLANs on switches to control different subnets for parts of
our LAN, server networks, etc.  On some of these, the router has more than
one alias.  This means I have network "interfaces" with names like
"eth0.12:2" in Linux (second alias on VLAN 12 connected to the first
physical ethernet card).  In some cases there is more than one alias on the
same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on different
subnets on the same VLAN.  I know pfSense is flexible about VLANs - but is
it /that/ flexible?


pfsense supports vlans and IP aliases right in the GUI. No problem here.



Great!




I have two WAN connections.  One is a symmetric link (10/10), the other is
ADSL (8/1).  I would like to set these up so that the symmetric link is the
main link, with the ADSL as backup.  But http traffic can be balanced
between them.  Can I arrange that?


Yes.



On one of the WAN connections, I have several IP addresses (a /28 subnet).
  Several services coming in on these IP addresses need to be NAT'ed to
different internal servers, depending on the port and the IP address
targeted.  It is important that replies from the internal servers get
returned from the same IP as originally targeted.  Will that work with
pfSense?


I believe virtual IPs (VIP) would take care of that in pfsense.



I have two OpenVPN servers on the current system, running on different
ports.  Clients on these have access to different servers.  Can I have
several OpenVPN servers configured with pfSense?


Yes.



OK.




I would also like to set up an OpenVPN "hub" to handle communication between
external OpenVPN servers and clients.  Some of my company's clients have
OpenVPN servers or clients that some of our employees need access to.  My
idea is that the employee will connect to the "hub" (the pfSense system)
with OpenVPN, as will the customers' OpenVPN clients. The "hub" will also
connect to the customers' OpenVPN servers (some have servers, others have
clients).  I would like to be able to set up firewalling rules allowing the
employees access to the customers' systems, but customers' systems will not
be able to access each other (or other interfaces on the firewall/router).
  Is that going to be possible?  Will it be possible to get alerts (SMTP) or
logs when these OpenVPN connections come and go?


I believe the routing and firewalling between VPN networks is
possible. Not sure about notifications from the GUI, although you can
do what you like in the shell.



It would be nice to do it from the GUI - the GUI is one of the benefits 
of pfSense over my existing solution.  But I'm happy working directly 
from the shell - or at least I will be once I get used to the 
differences between Linux and FreeBSD!





The box is also a DHCP server on various networks, with some static assigned
addresses and some range-based.  I presume that's fine for pfSense?  And
that it integrates with the DNS server on pfSense?


Yes.



I am seriously considering getting two pfSense boxes with CARP failover.
  Does this require identical hardware on the two systems (or perhaps just
identical network card setups)?


I don't think this is a requirement for CARP.



How much information is passed over the
link between the boxes - does it cover all setup, configuration, rules, dhcp
leases, etc.?  How often does this synchronisation take place?


Not sure.



Am I correct
in thinking that each box needs its own individual IP address on each
network interface (including VLAN interfaces), and they share one or more
CARP aliases?


I believe that's correct.

Have fun playing. pfsense is a powerful platform and the GUI makes it
very easy to pick up.



I'll be trying it out this evening with VirtualBox machines.

Thanks,

David



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 13:41, Seth Mos wrote:
> On 21-9-2011 13:26, David Burgess wrote:
>> On Wed, Sep 21, 2011 at 5:13 AM, David Brown wrote:
>>>
>>> I have two WAN connections. One is a symmetric link (10/10), the
>>> other is ADSL (8/1). I would like to set these up so that the
>>> symmetric link is the main link, with the ADSL as backup. But http
>>> traffic can be balanced between them. Can I arrange that?
>>
>> Yes.
>
> See Routing, Gateway Groups. You can add multiple groups and different
> fallback tiers.

OK.

>>> On one of the WAN connections, I have several IP addresses (a /28
>>> subnet). Several services coming in on these IP addresses need to be
>>> NAT'ed to different internal servers, depending on the port and the
>>> IP address targeted. It is important that replies from the internal
>>> servers get returned from the same IP as originally targeted. Will
>>> that work with pfSense?
>>
>> I believe virtual IPs (VIP) would take care of that in pfsense.
>
> Use this together with the 1:1 NAT feature.

The 1:1 NAT is used to pass all ports from one WAN address to a LAN/DMZ
address, isn't it?  That might be useful for some circumstances.  All I
really need at the moment is things like FTP or HTTPS on two different
WAN IP addresses (on the same NIC) being passed on to ports on two
different internal servers, and it sounds like VIPs can do that.

>>> I am seriously considering getting two pfSense boxes with CARP failover.
>>> Does this require identical hardware on the two systems (or perhaps just
>>> identical network card setups)?
>>
>> I don't think this is a requirement for CARP.
>
> This is not a requirement, however, if the master is gigabit make sure
> the backup has gigabit too.

I hope that isn't essential - my current hardware has a 4-port 100MB
card and when I buy a new one, I'll probably get a 4-port GB card for it
and use it as the primary.

>>> How much information is passed over the link between the boxes - does
>>> it cover all setup, configuration, rules, dhcp leases, etc.? How often
>>> does this synchronisation take place?
>>
>> Not sure.
>
> It synchronizes state for traffic failover, the rest is toggle boxes on
> the virtual IP settings page. Leases are not transferred, static
> mappings are, you can do DHCP on both nodes with failover, see the DHCP
> settings page for that.

OK.

>>> Am I correct in thinking that each box needs its own individual IP
>>> address on each network interface (including VLAN interfaces), and
>>> they share one or more CARP aliases?
>>
>> I believe that's correct.
>
> They need their own IP + the redundant carp IP, so at least 3. You will
> need to make manual outbound NAT rules so that all traffic originates
> from the external CARP address after NAT. This is required for failover.

That should be fine.

Thanks,

David

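Two of the answers above (outbound NAT must come from the shared CARP address, and per-VIP port forwards to different internal servers) come out as the following pf rules underneath the pfSense GUI. This is an added example written for this page, not code from the thread or from pfSense itself; the interface names, addresses and server roles are assumptions chosen to match the /28 WAN and CARP pair described in the thread.

```pf
# Added example (not from the thread): pf.conf fragment for a CARP pair.
# Interface names, addresses and hosts are assumptions for illustration.
# pfSense 2.0 generates equivalent rules from Firewall > NAT and
# Firewall > Rules; this is what they look like in pf terms.

ext_if   = "em0"                # WAN NIC, assigned in the same order on both nodes
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.10.0/24"
wan_gw   = "203.0.113.1"        # ISP gateway on the WAN /28

# Node-specific addresses differ (node A 203.0.113.2, node B 203.0.113.3);
# only the VIPs below are shared between the two boxes.
carp_vip = "203.0.113.4"        # CARP VIP used as the outbound NAT source
web_vip  = "203.0.113.5"        # second VIP, forwarded to the web server
ftp_vip  = "203.0.113.6"        # third VIP, forwarded to the FTP server
web_srv  = "192.168.10.5"
ftp_srv  = "192.168.10.6"

# Outbound NAT from the shared VIP, never from the node's own address.
# A state created with the node's real address as source carries an IP the
# surviving node does not own after failover, so pfsync would transfer the
# state but the replies would still be addressed to the dead box.
nat on $ext_if inet from { $lan_net, $dmz_net } to any -> $carp_vip

# Inbound port forwards, one per (VIP, port) pair. The state entry records
# the original destination, so replies from web_srv leave with web_vip as
# their source without any extra rule. Note that plain FTP needs more than
# port 21: passive data connections use a server-chosen port range, which
# must be forwarded as well (or handled by an FTP proxy).
rdr on $ext_if inet proto tcp from any to $web_vip port 443 -> $web_srv port 443
rdr on $ext_if inet proto tcp from any to $ftp_vip port 21  -> $ftp_srv port 21

# Filter rules see the post-rdr (internal) destination. reply-to pins the
# return path to the WAN the packet arrived on, which matters once the ADSL
# link is added as a second WAN; without it replies could follow the default
# route out the other link and leave from the wrong address.
pass in quick on $ext_if reply-to ($ext_if $wan_gw) inet proto tcp \
    from any to $web_srv port 443 flags S/SA keep state
pass in quick on $ext_if reply-to ($ext_if $wan_gw) inet proto tcp \
    from any to $ftp_srv port 21 flags S/SA keep state
```

A quick check after a failover test: `pfctl -s nat` on the backup should list the same three translation rules, and `pfctl -s state` should show the inherited states with `203.0.113.4` as their translated source rather than the old master's own address.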


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 14:28, Jim Pingle wrote:
>> On Wed, Sep 21, 2011 at 5:13 AM, David Brown wrote:
>>>
>>> First, on the Linux system I have two hard disks, each with two
>>> partitions.  The first partition on each is set as a software RAID1
>>> and contains the OS, configuration, data, etc.  The second partition
>>> on each is separate and contains a squid cache.  Thus the system will
>>> boot and run fine even if one disk fails (losing half the squid cache
>>> will not be harmful).  Can I do something similar with pfSense?  I
>>> know a great deal about Linux software raid, but nothing about FreeBSD.
>>
>> FreeBSD does soft RAID, but I can't tell you the state of it in
>> pfsense. Somebody here will chime in.
>
> gmirror works great. I've been using it for years on pfSense with much
> success. There is even a gmirror monitor widget for the dashboard.

OK, I'll have a look at that.  If I get a redundant setup with CARP
working then there is not the same need for raid - the whole router can
be switched out.  But it is still nice to have, and makes recovery and
rebuilding much easier.

> On 9/21/2011 8:10 AM, Seth Mos wrote:
>> On 21-9-2011 13:26, David Burgess wrote:
>>>> I am seriously considering getting two pfSense boxes with CARP
>>>> failover.  Does this require identical hardware on the two systems
>>>> (or perhaps just identical network card setups)?
>>>
>>> I don't think this is a requirement for CARP.
>>
>> This is not a requirement, however, if the master is gigabit make sure
>> the backup has gigabit too.
>
> The hardware doesn't have to be the same, but the number of assigned
> NICs and the order in which they were assigned must be the same.

OK.  My current hardware has 2 motherboard GBit NICs and a 4x100Mb card
- when I buy a new system, it will probably be a little newer and be all
GBit NICs (and faster processor, etc.).  This would then be the primary
system.  It is absolutely fine that a switchover to the secondary system
means a loss in speed of the links, as long as the links all work!

I am (as yet) very unfamiliar with FreeBSD.  But as far as I can see,
the names of the interfaces are dependent on the drivers, unlike Linux
(which typically calls them eth0, eth1, etc., regardless of the
drivers).  In Linux, you can use the "udev" rules to set specific names
for the devices based on the MAC address of the port - that keeps them
consistent even if you swap cards around to different ports.  Can I do
something similar with pfSense so that the NIC names are consistent even
though the two routers have different hardware?

Incidentally, can I assume that FreeBSD will support the NICs on the
motherboard and add-in cards, without having to be too specific about
the types?  I am not trying to use anything too esoteric, such as 10 GB
cards or tcp offload engines - just a small Dell or IBM rack server with
a four-port Ethernet card.

>>>> How much information is passed over the link between the boxes -
>>>> does it cover all setup, configuration, rules, dhcp leases, etc.?
>>>> How often does this synchronisation take place?
>>>
>>> Not sure.
>>
>> It synchronizes state for traffic failover, the rest is toggle boxes on
>> the virtual IP settings page. Leases are not transferred, static
>> mappings are, you can do DHCP on both nodes with failover, see the DHCP
>> settings page for that.
>
> If you have DHCP sync checked and failover configured, the lease
> databases should be synchronizing IIRC, it's just done by DHCP itself
> and not by the XMLRPC sync process.

Marvellous.

Thanks for your help,

David



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 14:05, Chris Buechler wrote:
> On Wed, Sep 21, 2011 at 7:55 AM, Tonix (Antonio Nati) wrote:
>>
>> I think you should examine how CARP works on your routers and how it
>> works in pfsense.
>>
>> In pre 2.0 version, PFsense CARP has a (fixed) different zone for each
>> interface, so if an interface goes down it switches only that
>> interface, and traffic bound to that interface becomes unreachable.
>> It is useful only if a machine goes down, not if an interface goes down.
>>
>> If you actually switch all interfaces when one goes down, you can't do
>> on pfsense.
>
> That's not true and never been true, the behavior of all versions is
> to switch over all CARP IPs if any NIC on the primary can no longer
> communicate with the secondary. You have something wrong on your
> setup, or have intentionally disabled that via a manual hack, if
> that's what yours does.

Just to confirm what I'm looking for here, I would want to switch over
to the secondary if any of the NICs on the main system failed, or if the
main system itself failed.  But it should not switch if interfaces such
as the VPNs fail.

Realistically, it is probably the router computer itself (disk, cpu fan,
power supply) that will fail rather than the NICs.





[pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown
I have a Linux machine as our company firewall/router at the moment. 
Since reading the announcement of pfSense 2.0 (on LinuxToday!), I have 
been considering replacing it with pfSense.  There are some features 
that I see as being big improvements over my existing system, such as 
the web interface (which is perhaps slightly more user-friendly than ssh 
and iptables scripts) and CARP for failover between two routers.


There are some features of my existing setup that may be difficult to 
duplicate with pfSense, and I'm hoping someone can tell me whether these 
are easy, hard-but-possible, or impossible - the pfSense wiki has a lot 
of information, but it can't cover everything (especially the latest 
features of pfSense 2.0).  I've read through a fair amount of it, but by 
no means all.



First, on the Linux system I have two hard disks, each with two 
partitions.  The first partition on each is set as a software RAID1 and 
contains the OS, configuration, data, etc.  The second partition on each 
is separate and contains a squid cache.  Thus the system will boot and 
run fine even if one disk fails (losing half the squid cache will not be 
harmful).  Can I do something similar with pfSense?  I know a great deal 
about Linux software raid, but nothing about FreeBSD.




I make use of VLANs on switches to control different subnets for parts 
of our LAN, server networks, etc.  On some of these, the router has more 
than one alias.  This means I have network "interfaces" with names like 
"eth0.12:2" in Linux (second alias on VLAN 12 connected to the first 
physical ethernet card).  In some cases there is more than one alias on 
the same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on 
different subnets on the same VLAN.  I know pfSense is flexible about 
VLANs - but is it /that/ flexible?



I have two WAN connections.  One is a symmetric link (10/10), the other 
is ADSL (8/1).  I would like to set these up so that the symmetric link 
is the main link, with the ADSL as backup.  But http traffic can be 
balanced between them.  Can I arrange that?



On one of the WAN connections, I have several IP addresses (a /28 
subnet).  Several services coming in on these IP addresses need to be 
NAT'ed to different internal servers, depending on the port and the IP 
address targeted.  It is important that replies from the internal 
servers get returned from the same IP as originally targeted.  Will that 
work with pfSense?



I have two OpenVPN servers on the current system, running on different 
ports.  Clients on these have access to different servers.  Can I have 
several OpenVPN servers configured with pfSense?



I would also like to set up an OpenVPN "hub" to handle communication 
between external OpenVPN servers and clients.  Some of my company's 
clients have OpenVPN servers or clients that some of our employees need 
access to.  My idea is that the employee will connect to the "hub" (the 
pfSense system) with OpenVPN, as will the customers' OpenVPN clients. 
The "hub" will also connect to the customers' OpenVPN servers (some have 
servers, others have clients).  I would like to be able to set up 
firewalling rules allowing the employees access to the customers' 
systems, but customers' systems will not be able to access each other 
(or other interfaces on the firewall/router).  Is that going to be 
possible?  Will it be possible to get alerts (SMTP) or logs when these 
OpenVPN connections come and go?



The box is also a DHCP server on various networks, with some static 
assigned addresses and some range-based.  I presume that's fine for 
pfSense?  And that it integrates with the DNS server on pfSense?



I am seriously considering getting two pfSense boxes with CARP failover. 
 Does this require identical hardware on the two systems (or perhaps 
just identical network card setups)?  How much information is passed 
over the link between the boxes - does it cover all setup, 
configuration, rules, dhcp leases, etc.?  How often does this 
synchronisation take place?  Am I correct in thinking that each box 
needs its own individual IP address on each network interface (including 
VLAN interfaces), and they share one or more CARP aliases?



I plan to set up a few virtual machines to play around with this before 
trying it out on a real system, but it would be nice to get an idea of 
what is possible or not!


Thanks,

David Brown
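The OpenVPN "hub" in the message above (employees may reach customers' systems, customers may reach neither each other nor the hub's own networks) is a per-tunnel firewall policy, and it only works if the traffic between tunnels actually passes through pf. The following pf rules show one way to express that policy. This is an added example written for this page, not configuration from the thread or from pfSense; the tunnel interface names, tunnel subnets and customer networks are assumptions.

```pf
# Added example (not from the thread): pf rules for the OpenVPN "hub".
# Interface names, tunnel subnets and customer networks are assumptions.
# pfSense 2.0 lets each OpenVPN server or client instance be assigned as
# an interface of its own, which is what makes per-tunnel rules possible.
# Two things must hold for pf to see the inter-tunnel traffic at all:
#   1. "client-to-client" must be off on the server instances (pfSense:
#      "Inter-client communication" unchecked); with it on, OpenVPN
#      switches packets between clients internally and pf never sees them.
#   2. the customers' networks must be routed into the right tunnel: a
#      client-specific override with "iroute" for a customer's client, and
#      a "route" for a customer's server that the hub dials out to.

staff_if   = "ovpns1"            # server instance the employees connect to
custcl_if  = "ovpns2"            # server instance the customers' clients connect to
custsrv_if = "ovpnc1"            # client instance dialling customer A's server
staff_net  = "10.8.1.0/24"       # tunnel subnet handed out to employees
cust_a_net = "172.16.50.0/24"    # network behind customer A's OpenVPN server
cust_b_net = "172.16.60.0/24"    # network behind customer B's client (iroute)
hub_nets   = "{ 192.168.0.0/16, 10.8.0.0/16 }"   # LAN/VLAN/tunnel ranges the hub itself routes

# Customers initiate nothing. Packets arriving from their tunnels are
# dropped and logged, so an attempt by one customer to reach another (or
# the hub's networks) appears in the firewall log. Replies to sessions the
# employees opened match existing state and never reach this rule.
block in log quick on { $custcl_if, $custsrv_if } all

# Employees reach the customer networks and nothing else via the hub. The
# block rule is listed first and marked quick, so it wins even if the pass
# rule below were later widened by mistake.
block in log quick on $staff_if inet from $staff_net to $hub_nets
pass  in     quick on $staff_if inet from $staff_net \
    to { $cust_a_net, $cust_b_net } flags S/SA keep state

# Anything else entering from the staff tunnel falls through to the
# interface's default deny. "keep state" on the pass rule is what lets the
# customers' replies back in past the block rule on their own interfaces.
```

For the "connections come and go" part of the question, OpenVPN itself logs a line for every client connect and disconnect on the server side, so the log that pfSense keeps for each instance is the place to watch or to feed into whatever sends the SMTP alert; the firewall log from the `block ... log` rules above additionally records any customer system probing beyond what it is allowed.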