Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Eero Volotinen
You should use postscreen/blacklist to block spam?

Eero

On Fri, 18 May 2018 at 17:43 Alberto José García Fumero <
albe...@ettpartagas.co.cu> wrote:

> Hi all.
>
> I use PfSense 2.2.1. Of course I know it would be very convenient to
> upgrade, but right now it isn't possible.
>
> I'm trying to block spam (for instance, from 185.234.217.232).
> As far as I know, it's trying to pass as a message from my very net:
>
> Transcript of session follows.
> De: Mail Delivery System  cu>
> Para:   Postmaster 
> Asunto: Postfix SMTP server: errors from
> unknown[185.234.217.232]
> Fecha:  Fri, 18 May 2018 10:10:39 -0400 (CDT)
>  Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
>  In:  EHLO 190.6.79.98
>  Out: 250-partagas.ettpartagas.co.cu
>  Out: 250-PIPELINING
>  Out: 250-SIZE 1524
>  Out: 250-ETRN
>  Out: 250-STARTTLS
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  AUTH LOGIN
>  Out: 503 5.5.1 Error: authentication not enabled
>
> Session aborted, reason: lost connection
>
> For other details, see the local mail logfile
>
> but the MTA correctly rejects it as a fake.
>
> I have created an alias list (rechaza) in the menu Firewall/Aliases,
> where I put all the addresses known to be spammers, and tried to reject
> them with the rule in Firewall/Rules/WAN
>
> Action: Block
> Interface: WAN
> TCP/IP version: IPV4
> Protocol: TCP
> Source: (single host or alias) rechaza
> Destination: 190.6.79.98
> Destination port range: any
>
> but I cannot stop the spam right in the WAN interface.
>
> How could I create a convenient rule?
>
> TIA,
>
> Fumero
>
> --
> M.Sc. Alberto García Fumero
> Linux user 97 138, registered 10/12/1998
> http://interese.cubava.cu
> It is not the hours you put into your work that count, but the work
> you put into those hours.
>
>
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
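The transcript above shows the two tells of this client: it greets with EHLO using the server's own public address, and it tries AUTH LOGIN on a server that does not offer AUTH (Postfix answers 503 5.5.1). The following is an added example, not code from the thread or from pfSense/Postfix: it scores such a transcript and renders the offending peer as an entry for a pfSense alias like the thread's "rechaza" list. It assumes 190.6.79.98 is the MTA's own public address and uses a constructed transcript modelled on the one quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Addresses this MTA is reachable on. 190.6.79.98 is the address the remote
# client announced in the thread's transcript; treating it as our own public
# address is an assumption of this example.
OWN_ADDRESSES = [ipaddress.ip_network("190.6.79.98/32")]

# Constructed transcript modelled on the Postfix "errors from" bounce in the
# thread; only the line naming the peer and the In:/Out: lines matter.
SAMPLE_TRANSCRIPT = """\
Subject: Postfix SMTP server: errors from unknown[185.234.217.232]
 Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
 In:  EHLO 190.6.79.98
 Out: 250-partagas.ettpartagas.co.cu
 Out: 250-PIPELINING
 Out: 250-STARTTLS
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 503 5.5.1 Error: authentication not enabled
Session aborted, reason: lost connection
"""

PEER_RE = re.compile(r"errors from (\S+)\[(\d{1,3}(?:\.\d{1,3}){3})\]")
IN_RE = re.compile(r"^\s*In:\s+(\S+)\s*(.*)$")
OUT_RE = re.compile(r"^\s*Out:\s+(\d{3})[ -](.*)$")


@dataclass
class Verdict:
    peer: str                    # client IP taken from the "errors from" line
    own_address: bool = False    # True if the peer is one of OWN_ADDRESSES
    reasons: list = field(default_factory=list)

    @property
    def blockable(self) -> bool:
        return bool(self.reasons) and not self.own_address


def analyse_transcript(text: str) -> Verdict:
    """Flag the signs visible in the thread's transcript: an EHLO that names
    one of our own addresses, and an AUTH attempt against a server that does
    not offer AUTH (Postfix replies 503 5.5.1 'authentication not enabled')."""
    m = PEER_RE.search(text)
    if not m:
        raise ValueError("no 'errors from name[ip]' line in transcript")
    hostname, peer = m.group(1), m.group(2)
    v = Verdict(peer=peer)
    if any(ipaddress.ip_address(peer) in net for net in OWN_ADDRESSES):
        v.own_address = True        # never put our own address on a block list
        return v
    last_verb = None
    for line in text.splitlines():
        mi = IN_RE.match(line)
        if mi:
            last_verb, arg = mi.group(1).upper(), mi.group(2).strip()
            if last_verb in ("EHLO", "HELO"):
                try:
                    claimed = ipaddress.ip_address(arg.strip("[]"))
                except ValueError:
                    continue            # a hostname, not an IP literal
                if any(claimed in net for net in OWN_ADDRESSES):
                    v.reasons.append(f"{last_verb} claims our own address {claimed}")
            continue
        mo = OUT_RE.match(line)
        if mo and last_verb == "AUTH" and mo.group(1) == "503" \
                and "authentication not enabled" in mo.group(2):
            v.reasons.append("AUTH attempted although AUTH is not offered")
    if v.reasons and hostname == "unknown":
        v.reasons.append("client has no reverse DNS")
    return v


def alias_entries(verdicts) -> str:
    """Render blockable peers as the content of a pfSense alias (for instance
    the thread's 'rechaza' list): one /32 per line, sorted numerically."""
    ips = sorted({v.peer for v in verdicts if v.blockable}, key=ipaddress.ip_address)
    return "\n".join(f"{ip}/32" for ip in ips)


if __name__ == "__main__":
    verdict = analyse_transcript(SAMPLE_TRANSCRIPT)
    for reason in verdict.reasons:
        print(f"{verdict.peer}: {reason}")
    print(alias_entries([verdict]))
```

Note that the WAN rule in the question only helps for traffic arriving on WAN; the alias content produced here is what goes into Firewall/Aliases, and the rule's destination should be the firewall's own WAN address.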

Re: [pfSense] Rebuilding confidence

2018-05-13 Thread Eero Volotinen
Well. You should use VLANs to segment IoT devices into a different network.
Anyway... some commercial vendor might provide a bit better protection ;)

You can replace your Apple Time Machine with UniFi APs.
https://www.ubnt.com/unifi/unifi-ap/

Eero

On Sun, May 13, 2018 at 10:44 PM Richard A. Relph 
wrote:

> Hi,
> I’ve been using a SG-2440 for a couple of years now, but only as a
> well-maintained basic NAT router. I know I’m not using all the capabilities
> the box offers.
> I’m increasingly concerned about ‘infected’ IoT devices inside my
> firewall. I don’t have any specific concerns. But confidence is
> continuously declining that everything I implicitly trust is really worthy
> of that trust. I’m looking for a tool that will provide me some evidence
> that my network is behaving well, and identify devices that might be
> betraying my trust.
>
> I’ve been tempted by the McAfee Secure Home Platform built in to
> certain Arris Cable Modem/Routers. https://securehomeplatform.mcafee.com
> I’d be interested in this group's thoughts on that product… but I’m
> even more interested in thoughts on what pfSense offers that could detect
> “unusual” traffic.
>
> Thanks in advance,
> Richard
> PS. Also looking for recommendations to replace my aging Access Point… An
> Apple TimeMachine (in Bridge mode).

Re: [pfSense] Need Help setting up new SG-4860

2018-04-19 Thread Eero Volotinen
I usually first reinstall it with zfs from usb stick and then configure it..

Eero

On Fri, Apr 20, 2018 at 1:04 AM, WebDawg <webd...@gmail.com> wrote:

> I actually noticed an issue on these devices.  I have not filed a bug
> report yet.  The setup wizard fails when there is no internet.
>
> I think it has to do with ntp sync.
>
> On Thu, Apr 19, 2018, 5:38 PM Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> >  so, what is the main issue?
> >
> > Eero
> >
> > On Fri, 20 Apr 2018 at 0:35 Bryan Hemedinger <bry...@esgfla.com>
> > wrote:
> >
> > > I received the Netgate unit SG-4860 and need help setting it up
> > >
> > >
> > > Bryan Hemedinger D.O.P.
> > > 954-722-2223
> > > Photography Dept.


Re: [pfSense] Need Help setting up new SG-4860

2018-04-19 Thread Eero Volotinen
So, what is the main issue?

Eero

On Fri, 20 Apr 2018 at 0:35 Bryan Hemedinger  wrote:

> I received the Netgate unit SG-4860 and need help setting it up
>
>
> Bryan Hemedinger D.O.P.
> 954-722-2223
> Photography Dept.


Re: [pfSense] 2.4.3 - cannot define table bogonsv6

2018-04-19 Thread Eero Volotinen
The fix is in the reddit thread.

Someone should fix this in the pfsense default config.

Eero

On Thu, Apr 19, 2018 at 11:53 AM, mayak  wrote:

> On 04/19/2018 10:33 AM, Fabian Bosch wrote:
>
>> Same here on v2.3.3 and even after update to v2.4.3.
>> Any news on this?
>>
>>
>> On 02.04.2018 at 05:04, Travis Hansen wrote:
>>
>>> I'm seeing this same issue on 2 separate 2.3.x boxes the last couple
>>> days as well that haven't been tampered with in ages.  Something strange
>>> going on for sure..
>>> Travis hansentravisghan...@yahoo.com
>>>
>> Same here:
> 3 APU boxes -- two running 2.3 and the other 2.4
> 1 Intel based pizza box running 2.4
>
> All 4:
> There were error(s) loading the rules: /tmp/rules.debug:22: cannot define
> table bogonsv6: Cannot allocate memory - The line in question reads [22]:
> table bogonsv6 persist file /etc/bogonsv6
> --
>
> It's not what you look at that matters, it's what you see
>
> — Henry David Thoreau
>
>

Re: [pfSense] 2.4.3 - cannot define table bogonsv6

2018-04-19 Thread Eero Volotinen
Sounds like a bug:
https://www.reddit.com/r/PFSENSE/comments/88ry96/there_were_errors_loading_the_rules/

Eero

On Thu, Apr 19, 2018 at 11:33 AM, Fabian Bosch 
wrote:

> Same here on v2.3.3 and even after update to v2.4.3.
> Any news on this?
>
> regards,
>
> Fabian
>
> On 02.04.2018 at 05:04, Travis Hansen wrote:
>
>> I'm seeing this same issue on 2 separate 2.3.x boxes the last couple days
>> as well that haven't been tampered with in ages.  Something strange going
>> on for sure..
>> Travis hansentravisghan...@yahoo.com
>>
>>
>>  On Sunday, April 1, 2018, 5:35:32 PM MDT, Victor Padro <
>> vpa...@gmail.com> wrote:
>> Don't think so, since I'm not using IPv6 and the issue wasn't there in
>> version 2.4.2, looks to me it's something else, but haven't dug in deeper
>> since that occurred to me early this morning and changing that value helped
>> me too, I saw that recommendation in the pfsense reddit site while
>> troubleshooting a reinstall I had to do urgently.
>>
>> On Sun, Apr 1, 2018 at 5:25 PM, Olivier Mascia  wrote:
>>
>>> Thanks Victor,
>>>
>>> On Sun, Apr 1, 2018 at 4:46 PM, Olivier Mascia  wrote:
>>>
>>>> Since I have upgraded 2 HW box and 2 VMs to 2.4.3 I have started seeing
>>>> such occasionally:
>>>>
>>>> 0:40:54 There were error(s) loading the rules: /tmp/rules.debug:22: cannot
>>>> define table bogonsv6: Cannot allocate memory - The line in question reads
>>>> [22]: table  persist file "/etc/bogonsv6"
>>>>
>>>> Is there a known bug/quirk at work here?
>>>
>>> On 2 Apr 2018 at 01:05, Victor Padro  wrote:
>>>
>>>> Change the value of the Firewall Maximum Table Entries to 50 in System
>>>> | Advanced | Firewall & NAT
>>>
>>> Indeed it then reloads filter cleanly.  The default (empty) is said to be
>>> 200'000. So 500'000 is a large change from default.  Is that the default is
>>> now highly underestimated and should/will be raised later or that this
>>> needs be significantly higher than default only because I use IPv6 and have
>>> Block bogon networks checked?
>>>
>>>
>>> --
>>> Best Regards, Meilleures salutations, Met vriendelijke groeten,
>>> Olivier Mascia
>>>
>>
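The "Cannot allocate memory" error in both bogonsv6 threads above is pf refusing to load a table because the table-entries hard limit (the "Firewall Maximum Table Entries" setting, 200'000 by default) is exhausted, and the fix discussed is raising that limit. As an added example, not code from the thread or from pfSense, here is a small capacity check: it reads the limit from `pfctl -s memory` output, counts the entries in pf table files such as /etc/bogonsv6, and says whether the sum of all tables fits with headroom. The `pfctl -s memory` line format and all sizes are constructed samples and assumptions.

```python
import re

# Constructed `pfctl -s memory` output in FreeBSD pf's format (an assumption
# of this example); the 200000 is the default the thread mentions.
SAMPLE_PFCTL_MEMORY = """\
states        hard limit   98000
src-nodes     hard limit   98000
frags         hard limit    5000
table-entries hard limit  200000
"""

# Constructed excerpt in the one-network-per-line format of /etc/bogonsv6.
SAMPLE_TABLE_FILE = """\
# constructed sample, not the real bogon list
::/8
100::/8
2001:db8::/32

fec0::/10   # trailing comment
"""


def table_entries_limit(pfctl_output: str) -> int:
    """Extract the table-entries hard limit from `pfctl -s memory` output."""
    m = re.search(r"^table-entries\s+hard limit\s+(\d+)\s*$", pfctl_output, re.M)
    if not m:
        raise ValueError("no table-entries line found in pfctl output")
    return int(m.group(1))


def count_table_entries(table_file: str) -> int:
    """Count the addresses/networks in a pf table file, skipping blank lines
    and '#' comments (the format used by /etc/bogons and /etc/bogonsv6)."""
    return sum(1 for line in table_file.splitlines() if line.split("#", 1)[0].strip())


def check_capacity(limit: int, table_sizes: dict, headroom: float = 0.2) -> dict:
    """The table-entries limit is shared by every table pf loads, so the sum of
    all tables (plus headroom for aliases that grow) must fit under it, or the
    table that crosses the limit fails with 'Cannot allocate memory'. Returns
    the total, whether it fits, and the value to enter under
    System > Advanced > Firewall & NAT, rounded up to the next 100000."""
    total = sum(table_sizes.values())
    needed = int(total * (1 + headroom))
    fits = needed <= limit
    suggested = limit if fits else -(-needed // 100_000) * 100_000
    return {"total": total, "limit": limit, "fits": fits, "suggested_limit": suggested}


if __name__ == "__main__":
    limit = table_entries_limit(SAMPLE_PFCTL_MEMORY)
    # Constructed sizes standing in for `wc -l /etc/bogons /etc/bogonsv6`.
    sizes = {"bogons": 1_200, "bogonsv6": 190_000, "other_aliases": 50}
    print(check_capacity(limit, sizes))
```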

Re: [pfSense] Configs or hardware?

2018-02-19 Thread Eero Volotinen
Maybe. I think that hardware can still do full gigabit nat and firewalling.

--
Eero

On Mon, Feb 19, 2018 at 7:12 PM, Moshe Katz <mo...@ymkatz.net> wrote:

> On Mon, Feb 19, 2018 at 10:42 AM, Paul Mather <p...@gromit.dlib.vt.edu>
> wrote:
>
> > On Feb 19, 2018, at 10:10 AM, Eero Volotinen <eero.voloti...@iki.fi>
> > wrote:
> >
> > > Well. Does it require so much power, that I cannot run it on intel
> > > core2 quad Q9400, 2.66Ghz processor (4 cores) ?
> >
> >
> > What a curious question.  It does not require "so much power" but it does
> > require a minimum hardware spec, which that CPU will lack (no AESNI).
> >
> > I can understand why people would be unhappy that their hardware becomes
> > unsupported by a new release, but I also understand it's common in the
> > computing industry and makes a lot of sense for Netgate to do this (reduced
> > support costs; increased developer focus; etc.).  It's nice, also, they've
> > laid out a roadmap for doing this and telegraphed clearly how they plan to
> > support older hardware and for how long.  It's not like they just decided
> > yesterday over a couple of pints at the pub to throw everyone without
> > AESNI-capable CPUs under the bus right now.
> >
> > I still have a CF NanoBSD-based pfSense installation running on Netgate
> > hardware, and I appreciate they are still supporting 2.3, giving people
> > like me time to migrate off to something else.
> >
> > Cheers,
> >
> > Paul.
>
>
> It's also worth mentioning that the Q9400 is turning 10 years old this
> year.
>
> I am a very enthusiastic proponent of reusing old computer hardware instead
> of throwing it away, but there still comes a point in time at which it's
> time to move on, and ten years is a very long life for commodity computing
> hardware.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732


Re: [pfSense] Configs or hardware?

2018-02-19 Thread Eero Volotinen
> > ng as they are running a 2.4.x release of pfSense, and, as above, 2.4 has
> > a plan that includes support until, at least, 2020.
> > >
> > > This is acceptable. It also just sucks, and I understand it must be
> > > faced.
> > >
> > > This is, however, beyond just replacing some networking equipment, as I
> > > have to replace my primary VM host due to CPU replacements supporting
> > > AES-NI not existing. Before knowing that the AES-NI requirement was to
> > > address the timing attack, I felt as if I have to pay for new hardware
> > > due to Netgate not "wanting" non-AES-NI AES implementations being
> > > utilized. Until this, I have not exactly had software support issues
> > > with even this aging hardware.
> >
> > Nor do you now.  It’s only (at least) a year after the release of 2.5 that
> > we’ll stop supporting 2.4, and then it’s a matter of when a security issue
> > or other bug that is important enough to you switch gets addressed in 2.5
> > but not in 2.4 might occur (gosh that’s an awful sentence, Jim).
> >
> > > I understand that a lot of people are effectively threatening to switch
> > > to OpnSense due to this, but I fear that I will *have to* if I can't
> > > replace my hardware by the time support for software AES ends entirely.
> >
> > People should run what suits their purpose best.  Perhaps someone else
> > will fork pfSense and continue the 2.4 train on a different track.  That’s
> > the beauty of open source software.
> >
> >
> > > See:
> > > https://ark.intel.com/Search/FeatureFilter?productType=
> > processors=LGA771=true
> > >
> > > I thank you for addressing this with me. I appreciate your conduct with
> > > me despite my comment.
> >
> > Sure thing.  I also appreciate your response here.
> >
> > Thanks,
> >
> > Jim
> >
> > >
> > >> Jim
> > >>
> > >>> On Feb 15, 2018, at 2:11 PM, Kyle Marek <pspps...@gmail.com> wrote:
> > >>>
> > >>> I think you're missing the point that software support exists;
> pfSense
> > >>> supports software AES *now*, and this is being removed. New
> technology
> > >>> is cool; things not working anymore is not.
> > >>>
> > >>> Anyway, what are are other projects such as the TLS libraries doing
> > >>> about this? Is hardware acceleration really the only solution?
> > >>>
> > >>> On 02/15/2018 01:39 PM, Walter Parker wrote:
> > >>>> Well, both Intel and AMD starting shipping the AES-NI instructions 8
> > years
> > >>>> ago...
> > >>>>
> > >>>> How long does a project need to wait before it can require a feature
> > found
> > >>>> on all major x64 processors? Waiting 8-9 years seems reasonable to
> me.
> > >>>>
> > >>>> Given the fact that the project is only supporting 64-bit and
> suggests
> > >>>> using a modern processor this requirement should be a non issue for
> > most
> > >>>> users.
> > >>>>
> > >>>> The only place where the AES-NI instructions are not found is in a
> > small
> > >>>> number of embedded/dev boards using older Celeron processors.
> > >>>>
> > >>>>
> > >>>> Walter
> > >>>>
> > >>>> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek <pspps...@gmail.com>
> > wrote:
> > >>>>
> > >>>>> This is silly. I shouldn't have to replace my hardware to support a
> > >>>>> feature I will not use...
> > >>>>>
> > >>>>> I shame Netgate for such an artificial limitation...
> > >>>>>
> > >>>>> Thank you for the information.
> > >>>>>
> > >>>>> On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> > >>>>>> Well:
> > >>>>>>
> > >>>>>> https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we
> are
> > >>>>> talking
> > >>>>>> about 2.5 not 3.x ?
> > >>>>>>
> > >>>>>> "While we’re not revealing the extent of our plans, we do want to
> > give
> > >>>>>> early notice that, in order to support the increased cryptographic
> > loads
> > >>>>>> that we see as part of pfSense version 2.5, pfSense Community
> > Edition
> > >>>>>> version 2.5 will include a requirement that the CPU supports
> > AES-NI. On
> > >>>>>> ARM-based systems, the additional load from AES operations will be
> > >>>>>> offloaded to on-die cryptographic accelerators, such as the one
> > found on
> > >>>>>> our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM
> > v8 CPUs
> > >>>>>> include instructions like AES-NI
> > >>>>>> <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that
> > can be
> > >>>>>> used to increase performance of the AES algorithm on these
> > platforms."
> > >>>>>>
> > >>>>>>
> > >>>>>> Eero
> > >>>>>>
> > >>>>>> On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers <ep...@ansencorp.com>
> > wrote:
> > >>>>>>
> > >>>>>>> I believe I read somewhere that the new version that requires
> > aes-ni
> > >>>>> will
> > >>>>>>> be 3.x, and they plan to continue the 2.x line alongside it, as
> 3.x
> > >>>>> will be
> > >>>>>>> a major rewrite
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> -Ed
> > >>>>>>>
> > >>>>>>> -Original Message-
> > >>>>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> > Eero
> > >>>>>>> Volotinen
> > >>>>>>> Sent: Thursday, February 15, 2018 12:14 PM
> > >>>>>>> To: Kyle Marek <pspps...@gmail.com>
> > >>>>>>> Cc: pfSense Support and Discussion Mailing List <
> > list@lists.pfsense.org
> > >>>>>>> Subject: Re: [pfSense] Configs or hardware?
> > >>>>>>>
> > >>>>>>> Well. Next version of pfsense (2.5) will not install into
> hardware
> > that
> > >>>>>>> does not support AES-NI, so buying such hardware is not wise ?
> > >>>>>>>
> > >>>>>>> Eero
> > >>>>>>>
> > >>>>>>>
> >
> >
>
> Well Said.
>
> Thank you for sharing the numbers.
>
>
> Walter
>
>
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis

Re: [pfSense] pfsense on watchguard xtm 810?

2018-02-19 Thread Eero Volotinen
Thanks, that worked. It was a bit hard without a console :)

Eero

On Fri, Feb 16, 2018 at 9:00 PM, Melvin <mel...@sleepydragon.net> wrote:

> I've had good luck in similar cases by installing on a generic machine
> then putting the media in the target box.
>
> On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >Hi List,
> >
> >I need to install pfsense 2.4 on watchguard xtm 810. there is issue as
> >it does not boot from usb stick, only from cf or sata.
> >
> >Any idea how to install pfsense on it? it works with 2.3 nano-vga
> >image, but such is not available for pfsense 2.4
> >
> >--
> >Eero


Re: [pfSense] a bit offtopic, vga header cable for netgate device

2018-02-17 Thread Eero Volotinen
Well, that is a nonstandard 12-pin cable :)

This might work with male to female adapter
https://www.alibaba.com/product-detail/VGA-to-12pin-IDC-connector-with_60477249920.html

Eero

On 17.2.2018 at 16.52 "Ryan Coleman" <ryan.cole...@cwis.biz> wrote:

> Googlefu: https://www.google.com/search?q=VGA+header+to+15-pin+ribbon;
> source=lnms=shop=X=0ahUKEwiwybq2ma3ZAhVI2oMKHf9zBWwQ_AUICigB <
> https://www.google.com/search?q=VGA+header+to+15-pin+
> ribbon=lnms=shop=X=0ahUKEwiwybq2ma3ZAhVI2oMKHf9zB
> WwQ_AUICigB>
>
> > On Feb 17, 2018, at 3:29 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >
> > Hi List,
> >
> > Does anyone know where I can buy this cable:
> > https://store.netgate.com/Hamakua-VGA-Cable-P350.aspx
> >
> > Eero


[pfSense] a bit offtopic, vga header cable for netgate device

2018-02-17 Thread Eero Volotinen
Hi List,

Does anyone know where I can buy this cable:
https://store.netgate.com/Hamakua-VGA-Cable-P350.aspx

Eero


Re: [pfSense] pfSense on WatchGuard xtm 810?

2018-02-16 Thread Eero Volotinen
Well, there are sata ports. I will try them first.

Eero

On 16.2.2018 at 21.27 "Peder Rovelstad" <provels...@comcast.net> wrote:

> May be wrong, but I think without nano, you can only install full, which
> will thrash the CF in short order.  But I see someone on EBay selling one
> preconfigured for the xtm 5 series.
> No headers for a 2.5" drive inside, eh?  Here's a guide, but you'd still
> need a CF adapter or machine with a CF slot for install.
> https://doc.pfsense.org/index.php/Upgrading_64-bit_NanoBSD_2.3_to_2.4
>
> >
> > I've had good luck in similar cases by installing on a generic machine
> > then putting the media in the target box.
> >
> > >>On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen <eero.voloti...@iki.fi>
> > >>wrote:
> > >>Hi List,
> > >>
> > >>I need to install pfsense 2.4 on watchguard xtm 810. there is issue as
> > >>it does not boot from usb stick, only from cf or sata.
> > >>
> > >>Any idea how to install pfsense on it? it works with 2.3 nano-vga
> > >>image, but such is not available for pfsense 2.4
> > >>
> > >>--
> > >>Eero
>
>


Re: [pfSense] pfsense on watchguard xtm 810?

2018-02-16 Thread Eero Volotinen
Thanks, that sounds like a good idea.

Eero


On 16.2.2018 at 21.02 "Melvin" <mel...@sleepydragon.net> wrote:

> I've had good luck in similar cases by installing on a generic machine
> then putting the media in the target box.
>
> On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >Hi List,
> >
> >I need to install pfsense 2.4 on watchguard xtm 810. there is issue as
> >it does not boot from usb stick, only from cf or sata.
> >
> >Any idea how to install pfsense on it? it works with 2.3 nano-vga
> >image, but such is not available for pfsense 2.4
> >
> >--
> >Eero


[pfSense] pfsense on watchguard xtm 810?

2018-02-16 Thread Eero Volotinen
Hi List,

I need to install pfsense 2.4 on watchguard xtm 810. There is an issue as it
does not boot from a usb stick, only from cf or sata.

Any idea how to install pfsense on it? it works with 2.3 nano-vga image,
but such is not available for pfsense 2.4

--
Eero


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Something like that. (Very cheap) Celeron J1900 firewall devices do not
support aes-ni.

Eero

On 15.2.2018 at 20.40 "Walter Parker" <walt...@gmail.com> wrote:

> Well, both Intel and AMD started shipping the AES-NI instructions 8 years
> ago...
>
> How long does a project need to wait before it can require a feature found
> on all major x64 processors? Waiting 8-9 years seems reasonable to me.
>
> Given the fact that the project is only supporting 64-bit and suggests
> using a modern processor this requirement should be a non issue for most
> users.
>
> The only place where the AES-NI instructions are not found is in a small
> number of embedded/dev boards using older Celeron processors.
>
>
> Walter
>
> On Thu, Feb 15, 2018 at 9:37 AM, Kyle Marek <pspps...@gmail.com> wrote:
>
> > This is silly. I shouldn't have to replace my hardware to support a
> > feature I will not use...
> >
> > I shame Netgate for such an artificial limitation...
> >
> > Thank you for the information.
> >
> > On 02/15/2018 12:20 PM, Eero Volotinen wrote:
> > > Well:
> > >
> > > https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
> > > talking about 2.5 not 3.x ?
> > >
> > > "While we’re not revealing the extent of our plans, we do want to give
> > > early notice that, in order to support the increased cryptographic loads
> > > that we see as part of pfSense version 2.5, pfSense Community Edition
> > > version 2.5 will include a requirement that the CPU supports AES-NI. On
> > > ARM-based systems, the additional load from AES operations will be
> > > offloaded to on-die cryptographic accelerators, such as the one found on
> > > our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
> > > include instructions like AES-NI
> > > <https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
> > > used to increase performance of the AES algorithm on these platforms."
> > >
> > >
> > > Eero
> > >
> > > On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers <ep...@ansencorp.com> wrote:
> > >
> > >> I believe I read somewhere that the new version that requires aes-ni
> > >> will be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
> > >> will be a major rewrite
> > >>
> > >>
> > >> -Ed
> > >>
> > >> -Original Message-
> > >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> > >> Volotinen
> > >> Sent: Thursday, February 15, 2018 12:14 PM
> > >> To: Kyle Marek <pspps...@gmail.com>
> > >> Cc: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> > >> Subject: Re: [pfSense] Configs or hardware?
> > >>
> > >> Well. Next version of pfsense (2.5) will not install into hardware that
> > >> does not support AES-NI, so buying such hardware is not wise ?
> > >>
> > >> Eero
> > >>
> > >>
> >
>
>
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Well:

https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are talking
about 2.5 not 3.x ?

"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic loads
that we see as part of pfSense version 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found on
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
used to increase performance of the AES algorithm on these platforms."


Eero

On Thu, Feb 15, 2018 at 7:18 PM, Edwin Pers <ep...@ansencorp.com> wrote:

> I believe I read somewhere that the new version that requires aes-ni will
> be 3.x, and they plan to continue the 2.x line alongside it, as 3.x will be
> a major rewrite
>
>
> -Ed
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Thursday, February 15, 2018 12:14 PM
> To: Kyle Marek <pspps...@gmail.com>
> Cc: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] Configs or hardware?
>
> Well. Next version of pfsense (2.5) will not install into hardware that
> does not support AES-NI, so buying such hardware is not wise ?
>
> Eero
>
>

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI,
so buying such hardware is not wise ?

Eero

On Thu, Feb 15, 2018 at 7:01 PM, Kyle Marek <pspps...@gmail.com> wrote:

> I have not had such an issue. Using 2.4.2 with System Information widget
> saying "AES-NI CPU Crypto: No".
>
> On 02/15/2018 11:55 AM, Eero Volotinen wrote:
> > Please note that the next pfsense will not install on hardware that does
> > not support aes-ni?
> >
> > Eero
> >
> > On Thu, Feb 15, 2018 at 6:37 PM, Kyle Marek <pspps...@gmail.com> wrote:
> >
> >> This board does round-up gigabit (something like 976 Mb/s) in both
> >> directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
> >>
> >> The key for me here was the interrupt coalescence of these particular
> >> Intel NICs. A very similar board with Broadcom NICs that lacked this
> >> feature maxed out the interrupt handler's CPU usage on Linux when
> >> surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
> >> interface; 1 Gb/s out on another).
> >>
> >> A potential downside is no AES-NI, which will affect any AES-utilizing
> >> VPNs that you need to operate at gigabit speeds. I have no benchmarks at
> >> the moment but can measure if this is necessary for you.
> >>
> >> On 02/15/2018 09:14 AM, Michael Munger wrote:
> >>> TL; DR.
> >>>
> >>> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> >>> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> >>> hardware (more likely). I do not want to buy a commercial box. For our
> >>> corporate network, we use HP DL360s, so zero problem there. I need
> >>> something that is the size of a router, but can do 1Gbps with pfSense.
> >>>
> >>> Who's got working configs / hardware combos that do 1Gbps easily?
> >>>
> >>> Background.
> >>>
> >>> I've been using Alix boards (APU1D4 as of late). The problem is: these
> >>> boards seem to top out at 400Mbps download. I have several clients who
> >>> have gigabit fiber connections, and they have been complaining to the
> >>> ISP that their service is slow. When they connect to the modem directly,
> >>> they get 1G download. When they go through the pfSense firewall we put
> >>> together using these Alix boards from PC engines, it drops to ~400Mbps.
> >>>
> >>> There are several competing "router boards" (Microtik and the like), but
> >>> I have zero experience with them, I don't know if they will run pfSense
> >>> or if they will do the speed. The Alix + pfSense combo has been GREAT
> >>> for many years. If I change to something else, I don't want to go
> >>> through growing pains since I figure this is a solved problem, and
> >>> someone on this list knows / has a recommendation.


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Please note that the next pfSense will not install on hardware that does not
support AES-NI?

Eero

On Thu, Feb 15, 2018 at 6:37 PM, Kyle Marek  wrote:

> This board does round-up gigabit (something like 976 Mb/s) in both
> directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
>
> The key for me here was the interrupt coalescence of these particular
> Intel NICs. A very similar board with Broadcom NICs that lacked this
> feature maxed out the interrupt handler's CPU usage on Linux when
> surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
> interface; 1 Gb/s out on another).
>
> A potential downside is no AES-NI, which will affect any AES-utilizing
> VPNs that you need to operate at gigabit speeds. I have no benchmarks at
> the moment but can measure if this is necessary for you.
>
> On 02/15/2018 09:14 AM, Michael Munger wrote:
> > TL; DR.
> >
> > On 1Gbps downloads, our pfSense firewalls are performing poorly with
> > speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> > hardware (more likely). I do not want to buy a commercial box. For our
> > corporate network, we use HP DL360s, so zero problem there. I need
> > something that is the size of a router, but can do 1Gbps with pfSense.
> >
> > Who's got working configs / hardware combos that do 1Gbps easily?
> >
> > Background.
> >
> > I've been using Alix boards (APU1D4 as of late). The problem is: these
> > boards seem to top out at 400Mbps download. I have several clients who
> > have gigabit fiber connections, and they have been complaining to the
> > ISP that their service is slow. When they connect to the modem directly,
> > they get 1G download. When they go through the pfSense firewall we put
> > together using these Alix boards from PC Engines, it drops to ~400Mbps.
> >
> > There are several competing "router boards" (MikroTik and the like), but
> > I have zero experience with them, I don't know if they will run pfSense
> > or if they will do the speed. The Alix + pfSense combo has been GREAT
> > for many years. If I change to something else, I don't want to go
> > through growing pains since I figure this is a solved problem, and
> > someone on this list knows / has a recommendation.


Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Hi,

This hardware can do gigabit (wirespeed) NAT/FW:

https://www.amazon.com/gp/product/B016VHBA7C (tested at home, using a
symmetric gigabit line...)

but we use the NetGate SG-8860 in our main offices:

https://www.voleatech.de/en/product/sg-8860-1u/

Eero

On Thu, Feb 15, 2018 at 4:14 PM, Michael Munger  wrote:

> TL; DR.
>
> On 1Gbps downloads, our pfSense firewalls are performing poorly with
> speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
> hardware (more likely). I do not want to buy a commercial box. For our
> corporate network, we use HP DL360s, so zero problem there. I need
> something that is the size of a router, but can do 1Gbps with pfSense.
>
> Who's got working configs / hardware combos that do 1Gbps easily?
>
> Background.
>
> I've been using Alix boards (APU1D4 as of late). The problem is: these
> boards seem to top out at 400Mbps download. I have several clients who
> have gigabit fiber connections, and they have been complaining to the
> ISP that their service is slow. When they connect to the modem directly,
> they get 1G download. When they go through the pfSense firewall we put
> together using these Alix boards from PC Engines, it drops to ~400Mbps.
>
> There are several competing "router boards" (MikroTik and the like), but
> I have zero experience with them, I don't know if they will run pfSense
> or if they will do the speed. The Alix + pfSense combo has been GREAT
> for many years. If I change to something else, I don't want to go
> through growing pains since I figure this is a solved problem, and
> someone on this list knows / has a recommendation.
>
> --
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> High Powered Help, Inc.
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> mich...@highpoweredhelp.com 


Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-09 Thread Eero Volotinen
I am sorry, but I cannot help.

You can get commercial support from NetGate.

--
Eero

On Fri, Feb 9, 2018 at 1:42 PM, Roland Giesler <roland@greentree.systems>
wrote:

> Ok, I'll try again with real (fake) addresses to make it better understood.
>
> WAN gateway: 197.212.127.194  (primary firewall interface), next hop
> gateway 197.212.127.193
>
> Phase1:
>
> Interface: Virtual IP 41.22.123.70
>
> Phase2:
>
> Local address: address 192.168.110.130
> Local NAT translation: address 41.22.123.70
>
> Remote address: 196.210.117.67   (A public ip)
>
> When phase1 and 2 are up and connected, I see no route for 196.210.117.67
> in the routing table.
>
> Doing a traceroute from 192.168.110.130, I get traffic leaving the network
> via 197.212.127.193, not via 41.22.123.70.  This could be because
> 41.22.123.70 is just a virtual address though, or what?  It may not be
> meaningful after all.
>
> In the firewall log I see:
> Feb 8 18:07:40 IPsec 41.22.123.70:57914 196.210.117.67:12345 TCP:S
> So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
> but I'm not getting any response from the remote.
>
> Is this wrong?  If so, what is right?  I cannot expose the LAN ip address
> to the tunnel (192.168.110.130), I need to use the public IP...
>
> thanks again
>
>
> On 8 February 2018 at 23:51, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>
> > Well. Maybe you need to hire a pfSense consultant with an NDA, so you can
> > unmask the needed information.
> >
> > Usually there is no need to NAT in ipsec as you can tunnel private
> > network/ip address too and limit access with firewall rules.
> >
> > Eero
> >
> > On Thu, Feb 8, 2018 at 9:42 PM, Roland Giesler <roland@greentree.systems
> >
> > wrote:
> >
> > > On 8 February 2018 at 20:40, Eero Volotinen <eero.voloti...@iki.fi>
> > wrote:
> > >
> > > > how about not masking ip addresses?
> > > >
> > >
> > > I'm not allowed to show the ip addresses (by my client), hence the
> > > masking...
> > >
> > > I thought I need NAT, but I also tested simply adding the virtual ip,
> > > a.a.a.a, as the address, but it still doesn't work.
> > >
> > >
> > >
> > > >
> > > > do you really need nat in phase 2 ? why?
> > > >
> > >
> > > I have servers in a farm all NAT'ed (ie they only have LAN addresses) and
> > > use NAT to forward the desired traffic to them (ie HTTPS to a web server).
> > >
> > > Now, if I want to establish an IPSec link that will allow a service
> > > provider to push API calls to our server (with the NAT'ed address), I want
> > > to give them a public address to talk to and then NAT that traffic to the
> > > actual server.  I understood that's the point of having NAT as an option in
> > > phase2?
> > >
> > > I don't see any other way to achieve that, not?
> > >
> > >
> > >
> > > >
> > > > Eero
> > > >
> > > >
> > > >
> > > > 8.2.2018 18.17 "Roland Giesler" <roland@greentree.systems>
> kirjoitti:
> > > >
> > > > > I'm trying to find a solution and know there are quite a few pfSense users
> > > > > here, so here goes...
> > > > >
> > > > > We've set up some IPSec tunnels and they connect.  The Phase2 also "comes
> > > > > up", but we can't reach the hosts specified in the Phase2 "remote network".
> > > > >
> > > > > One instance (to keep it simpler):
> > > > >
> > > > > WAN gateway: x.x.x.x  (primary firewall interface)
> > > > >
> > > > > Phase1:
> > > > >
> > > > > Interface: Virtual IP a.a.a.a
> > > > >
> > > > > Phase2:
> > > > >
> > > > > Local address: address c.c.c.c
> > > > > Local NAT translation: address a.a.a.a
> > > > >
> > > > > Remote address: r.r.r.r  (A public ip)
> > > > >
> > > > > When phase1 and 2 are up and connected, I see no route for r.r.r.r in the

Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-08 Thread Eero Volotinen
Well. Maybe you need to hire a pfSense consultant with an NDA, so you can
unmask the needed information.

Usually there is no need to NAT in IPsec, as you can tunnel private
networks/IP addresses too and limit access with firewall rules.

Eero

On Thu, Feb 8, 2018 at 9:42 PM, Roland Giesler <roland@greentree.systems>
wrote:

> On 8 February 2018 at 20:40, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>
> > how about not masking ip addresses?
> >
>
> I'm not allowed to show the ip addresses (by my client), hence the
> masking...
>
> I thought I need NAT, but I also tested simply adding the virtual ip,
> a.a.a.a, as the address, but it still doesn't work.
>
>
>
> >
> > do you really need nat in phase 2 ? why?
> >
>
> I have servers in a farm all NAT'ed (ie they only have LAN addresses) and
> use NAT to forward the desired traffic to them (ie HTTPS to a web server).
>
> Now, if I want to establish an IPSec link that will allow a service
> provider to push API calls to our server (with the NAT'ed address), I want
> to give them a public address to talk to and then NAT that traffic to the
> actual server.  I understood that's the point of having NAT as an option in
> phase2?
>
> I don't see any other way to achieve that, not?
>
>
>
> >
> > Eero
> >
> >
> >
> > 8.2.2018 18.17 "Roland Giesler" <roland@greentree.systems> kirjoitti:
> >
> > > I'm trying to find a solution and know there are quite a few pfSense users
> > > here, so here goes...
> > >
> > > We've set up some IPSec tunnels and they connect.  The Phase2 also "comes
> > > up", but we can't reach the hosts specified in the Phase2 "remote network".
> > >
> > > One instance (to keep it simpler):
> > >
> > > WAN gateway: x.x.x.x  (primary firewall interface)
> > >
> > > Phase1:
> > >
> > > Interface: Virtual IP a.a.a.a
> > >
> > > Phase2:
> > >
> > > Local address: address c.c.c.c
> > > Local NAT translation: address a.a.a.a
> > >
> > > Remote address: r.r.r.r  (A public ip)
> > >
> > > When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
> > > routing table.
> > >
> > > Doing a traceroute from c.c.c.c, I get traffic leaving the network via
> > > x.x.x.x, not via a.a.a.a.  This could be because x.x.x.x is just a virtual
> > > address though, or what?
> > >
> > > In the firewall log I see:
> > > Feb 8 18:07:40 IPsec a.a.a.a:57914 r.r.r.r:12345 TCP:S
> > > So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
> > > getting any response from the remote.
> > >
> > > What is going on here?  Should there be a route to r.r.r.r in the routing
> > > table or does pfSense hide some mechanics of the ports and routes from me?
> > >
> > > Thanks
> > >
> > > Roland

Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-08 Thread Eero Volotinen
How about not masking IP addresses?

Do you really need NAT in phase 2? Why?

Eero



8.2.2018 18.17 "Roland Giesler"  kirjoitti:

> I'm trying to find a solution and know there are quite a few pfSense users
> here, so here goes...
>
> We've set up some IPSec tunnels and they connect.  The Phase2 also "comes
> up", but we can't reach the hosts specified in the Phase2 "remote network".
>
> One instance (to keep it simpler):
>
> WAN gateway: x.x.x.x  (primary firewall interface)
>
> Phase1:
>
> Interface: Virtual IP a.a.a.a
>
> Phase2:
>
> Local address: address c.c.c.c
> Local NAT translation: address a.a.a.a
>
> Remote address: r.r.r.r  (A public ip)
>
> When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
> routing table.
>
> Doing a traceroute from c.c.c.c, I get traffic leaving the network via
> x.x.x.x, not via a.a.a.a.  This could be because x.x.x.x is just a virtual
> address though, or what?
>
> In the firewall log I see:
> Feb 8 18:07:40 IPsec a.a.a.a:57914 r.r.r.r:12345 TCP:S
> So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
> getting any response from the remote.
>
> What is going on here?  Should there be a route to r.r.r.r in the routing
> table or does pfSense hide some mechanics of the ports and routes from me?
>
> Thanks
>
> Roland

Re: [pfSense] Squid crash: assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"

2018-01-08 Thread Eero Volotinen
Try removing the Squid package from the package manager and then reinstalling it.

8.1.2018 18.24 "Roberto Carna" <robertocarn...@gmail.com> kirjoitti:

> Dear Eero,
>
> How do I have to remove Squid + config files in a good manner?
>
> Squid I suppose by the package manager from pfSense, but how do I have
> to remove the config files???
>
> Thanks a lot, regards !!!
>
> 2018-01-03 13:30 GMT-03:00 Eero Volotinen <eero.voloti...@iki.fi>:
> > Fix: https://forum.pfsense.org/index.php?topic=110155.0
> >
> > remove squid+config file & reinstall squid..
> >
> > 3.1.2018 17.55 "Roberto Carna" <robertocarn...@gmail.com> kirjoitti:
> >
> >> Dear, I have updated Squid on pfSense to 0.4.42_1 version on pfSense
> >> 2.4.2-RELEASE-p1 (amd64). But after starting the service together with
> >> squidGuard, Squid crashes.
> >>
> >> I tried running it from the CLI in debug mode:
> >>
> >> # squid -d 10
> >> [2.4.2-RELEASE][ad...@fw-pfsense-guest.g-bapro.net]/var/log:
> >> 2018/01/03 12:46:44 kid1| Starting Squid Cache version 3.5.27 for
> >> amd64-portbld-freebsd11.1...
> >> 2018/01/03 12:46:44 kid1| Service Name: squid
> >> 2018/01/03 12:46:50 kid1| assertion failed: store_swapout.cc:289:
> >> "mem->swapout.sio == self"
> >> 2018/01/03 12:46:53 kid1| Starting Squid Cache version 3.5.27 for
> >> amd64-portbld-freebsd11.1...
> >> 2018/01/03 12:46:53 kid1| Service Name: squid
> >> 2018/01/03 12:46:59 kid1| assertion failed: store_swapout.cc:289:
> >> "mem->swapout.sio == self"
> >> 2018/01/03 12:47:02 kid1| Starting Squid Cache version 3.5.27 for
> >> amd64-portbld-freebsd11.1...
> >> 2018/01/03 12:47:02 kid1| Service Name: squid
> >> 2018/01/03 12:47:04 kid1| assertion failed: store_swapout.cc:289:
> >> "mem->swapout.sio == self"
> >> 2018/01/03 12:47:07 kid1| Starting Squid Cache version 3.5.27 for
> >> amd64-portbld-freebsd11.1...
> >> 2018/01/03 12:47:07 kid1| Service Name: squid
> >> 2018/01/03 12:47:12 kid1| assertion failed: store_swapout.cc:289:
> >> "mem->swapout.sio == self"
> >> 2018/01/03 12:47:16 kid1| Starting Squid Cache version 3.5.27 for
> >> amd64-portbld-freebsd11.1...
> >> 2018/01/03 12:47:16 kid1| Service Name: squid
> >> 2018/01/03 12:47:20 kid1| assertion failed: store_swapout.cc:289:
> >> "mem->swapout.sio == self"
> >>
> >> What can I do??? What's the problem???
> >>
> >> Thanks a lot.


[pfSense] pfsense force ipsec initiator

2018-01-07 Thread Eero Volotinen
Hi List,

Is there a way to configure pfSense as IPsec initiator only (on some IPsec
connections)?

Eero


Re: [pfSense] Squid 0.4.42_1 crashes in pfSense 2.4.2

2018-01-05 Thread Eero Volotinen
See: http://lists.pfsense.org/pipermail/list/2018-January/011620.html

--
Eero

2018-01-05 15:33 GMT+02:00 Roberto Carna :

> Dear, I've moved from pfSense 2.4.0 with Squid 0.4.42 to pfSense
> 2.4.42 with Squid 0.4.42_1. After the update, the Squid service
> crashes and stops.
>
> If I run Squid 0.4.42_1 in debug mode, this is the log before the crash:
>
> # squid -d 10
> [2.4.2-RELEASE][ad...@fw-pfsense-guest.g-bapro.net]/var/log:
> 2018/01/03 12:46:44 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:46:44 kid1| Service Name: squid
> 2018/01/03 12:46:50 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:46:53 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:46:53 kid1| Service Name: squid
> 2018/01/03 12:46:59 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:47:02 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:47:02 kid1| Service Name: squid
> 2018/01/03 12:47:04 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:47:07 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:47:07 kid1| Service Name: squid
> 2018/01/03 12:47:12 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:47:16 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:47:16 kid1| Service Name: squid
> 2018/01/03 12:47:20 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
>
> Is there a solution to this problem? Do you know if Squid 0.4.42_1
> runs OK over pfSense 2.4.2???
>
> Special thanks!!!
>
> Robert


[pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

2018-01-03 Thread Eero Volotinen
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Is there a patch available soon for the pfSense kernel?

Eero


Re: [pfSense] Squid crash: assertion failed: store_swapout.cc:289: "mem->swapout.sio == self"

2018-01-03 Thread Eero Volotinen
Fix: https://forum.pfsense.org/index.php?topic=110155.0

remove squid+config file & reinstall squid..

3.1.2018 17.55 "Roberto Carna"  kirjoitti:

> Dear, I have updated Squid on pfSense to 0.4.42_1 version on pfSense
> 2.4.2-RELEASE-p1 (amd64). But after starting the service together with
> squidGuard, Squid crashes.
>
> I tried running it from the CLI in debug mode:
>
> # squid -d 10
> [2.4.2-RELEASE][ad...@fw-pfsense-guest.g-bapro.net]/var/log:
> 2018/01/03 12:46:44 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:46:44 kid1| Service Name: squid
> 2018/01/03 12:46:50 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:46:53 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:46:53 kid1| Service Name: squid
> 2018/01/03 12:46:59 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:47:02 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:47:02 kid1| Service Name: squid
> 2018/01/03 12:47:04 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:47:07 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:47:07 kid1| Service Name: squid
> 2018/01/03 12:47:12 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
> 2018/01/03 12:47:16 kid1| Starting Squid Cache version 3.5.27 for
> amd64-portbld-freebsd11.1...
> 2018/01/03 12:47:16 kid1| Service Name: squid
> 2018/01/03 12:47:20 kid1| assertion failed: store_swapout.cc:289:
> "mem->swapout.sio == self"
>
> What can I do??? What's the problem???
>
> Thanks a lot.


Re: [pfSense] Slow/impossible updates to 2.4?

2017-12-26 Thread Eero Volotinen
Did you also try updating from the SSH shell, or only from the web GUI?

Eero

2017-12-27 6:10 GMT+02:00 David C. Jenner :

> I updated successfully to 2.4.
>
> Then I tried to update to 2.4.2.  It took many minutes for
> System/Update/System Update to get to the point of asking me to confirm the
> update.  Then the update was excruciatingly slow, it took 1/2 hour or
> more.  It finally succeeded.
>
> Now I am trying to update to 2.4.2_p1.  Again it takes many minutes to get
> to the request for confirming the update.  After confirming, it takes many
> minutes for an error "System update failed!" to appear, and Updating System
> says:
>
> done.
> 2.4.2_1 version of pfSense is available.
>
> All this is on an SG-2440:
>
> Version 2.4.2-RELEASE (amd64)
> built on Mon Nov 20 09:10:42 CST 2017
> FreeBSD 11.1-RELEASE-p4
>
> CPU Type: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz
> 2 CPUs: 1 package(s) x 2 core(s)
> AES-NI CPU Crypto: Yes (active)
>
> The current installation of 2.4.2 appears to be running OK.  What is the
> problem with updating?
>
> Thanks, Dave


[pfSense] openvpn loadbalancing

2017-12-26 Thread Eero Volotinen
Hi List.

Is there an easy way to load-balance OpenVPN over multiple cores, like using a
loadbalancer on pfSense?

It looks like it is not threaded and only runs on a single core?

Eero


Re: [pfSense] OpenVPN with pfSense and TLS handshake problems

2017-12-23 Thread Eero Volotinen
You are missing something like the CA certificate that is used to verify the
remote endpoint:

routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec 24 00:53:16 openvpn 10563   VERIFY ERROR: depth=0, error=unable to
get local issuer certificate: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN,

or turn the option off..

24.12.2017 2.59 "Antonio"  kirjoitti:

> Hi,
>
> I've tried to set up a VPN tunnel using this guide (
> https://www.expressvpn.com/support/vpn-setup/pfsense-
> with-expressvpn-openvpn/#additional
> ) which covers the setting up of the tunnel and relative firewall rules
> for ExpressVPN. However, it seems like I was having trouble at the early
> stages (where it says "Confirm connection success"). Instead of seeing
> "UP" under "status" when I go to STATUS > OPENVPN, I see "reconnecting;
> tls-error".
>
> Inspection of the logs reveals several batches of the following:
>
> Dec 24 00:53:16 openvpn 10563   Restart pause, 2 second(s)
> Dec 24 00:53:16 openvpn 10563   SIGUSR1[soft,tls-error]
> received,
> process restarting
> Dec 24 00:53:16 openvpn 10563   TLS Error: TLS handshake
> failed
> Dec 24 00:53:16 openvpn 10563   TLS Error: TLS object ->
> incoming
> plaintext read error
> Dec 24 00:53:16 openvpn 10563   TLS_ERROR: BIO read
> tls_read_plaintext
> error
> Dec 24 00:53:16 openvpn 10563   OpenSSL: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Dec 24 00:53:16 openvpn 10563   VERIFY ERROR: depth=0,
> error=unable to
> get local issuer certificate: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN,
> CN=Server-2720-0a, emailAddress=supp...@expressvpn.com
> Dec 24 00:53:16 openvpn 10563   TLS: Initial packet from
> [AF_INET]185.183.105.216:1195, sid=83a90840 8590b2bf
> Dec 24 00:53:16 openvpn 10563   UDPv4 link remote:
> [AF_INET]185.183.105.216:1195
> Dec 24 00:53:16 openvpn 10563   UDPv4 link local (bound):
> [AF_INET]192.168.0.2
> Dec 24 00:53:16 openvpn 10563   Socket Buffers:
> R=[42080->524288]
> S=[57344->524288]
> Dec 24 00:53:16 openvpn 10563   NOTE: the current
> --script-security
> setting may allow this configuration to call user-defined scripts
>
> I have the same setup with dd-WRT and it's working fine. So it can't be a
> problem with ExpressVPN. Any suggestions? They have this web page (
> https://www.expressvpn.com/support/troubleshooting/log-
> items/unable-to-connect-tls-handshake-failed/
> ) for the TLS handshake problem but it's generic and Windows oriented so
> pretty much useless.
>
>
> Thanks for any suggestion or help you may be able to provide.
>
>
> --
>
>
> Respect your privacy and that of others, don't give your data to big
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your
> messaging or
> Diaspora* (https://joindiaspora.com/) for your social networking.
>
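As an added example (not from this thread, ExpressVPN or the pfSense project), the script below reproduces the verify failure Eero points at using only the openssl CLI, which it assumes is installed: the same "unable to get local issuer certificate" error shows up when the client has no CA or the wrong CA, and clears only with the CA that actually issued the server certificate. Every certificate is generated locally as constructed test data.

```shell
#!/bin/sh
# Added example: reproduce the OpenVPN "VERIFY ERROR: depth=0, error=unable to
# get local issuer certificate" condition with openssl alone, and show that the
# fix is the issuing CA on the client side, not "some" CA and not the server cert.
# Assumptions: openssl CLI available; all keys/certs below are throwaway data.

WORK="${TMPDIR:-/tmp}/ovpn-ca-demo.$$"

# Suppress openssl's progress output; we only care about exit status and verdicts.
quiet() { "$@" >/dev/null 2>&1; }

# Build a throwaway issuing CA, an unrelated CA, and a server cert signed by
# the issuing CA. This mirrors the provider's CA -> VPN server chain.
make_pki() {
  mkdir -p "$WORK" || return 1
  quiet openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Demo VPN/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" || return 1
  quiet openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Unrelated/CN=Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" || return 1
  quiet openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Demo VPN/CN=vpn-server-01" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" || return 1
  quiet openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" || return 1
}

# Verify the server cert the way a TLS client does, with an optional trust file,
# and classify the outcome: "ok", "no-issuer" (error 20 at depth 0, the text
# OpenVPN logged in the thread), or "other".
verify_server() {
  if [ -n "${1:-}" ]; then
    out=$(openssl verify -CAfile "$1" "$WORK/server.crt" 2>&1)
  else
    out=$(openssl verify "$WORK/server.crt" 2>&1)
  fi
  case "$out" in
    *"unable to get local issuer certificate"*) echo "no-issuer" ;;
    *": OK"*) echo "ok" ;;
    *) echo "other" ;;
  esac
}

# No CA configured on the client: the chain cannot be built at all.
verify_without_ca() { verify_server ""; }
# A CA that did not issue the server cert: still no chain, same error.
verify_with_wrong_ca() { verify_server "$WORK/other.crt"; }
# The issuing CA: verification passes, which is what the OpenVPN client needs.
verify_with_issuing_ca() { verify_server "$WORK/ca.crt"; }

cleanup() { rm -rf "$WORK"; }

# Stand-alone run (sh this_file.sh --demo): print the three verdicts side by side.
if [ "${1:-}" = "--demo" ]; then
  make_pki && printf 'no CA: %s\nwrong CA: %s\nissuing CA: %s\n' \
    "$(verify_without_ca)" "$(verify_with_wrong_ca)" "$(verify_with_issuing_ca)"
  cleanup
fi
```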


Re: [pfSense] Moving traffic between LAN & OPT1

2017-12-22 Thread Eero Volotinen
Hi,

Check out firewall / rules / interface_name

Eero

2017-12-23 6:25 GMT+02:00 Antonio :

> Hi,
>
> I'm not sure how you move traffic between the above interfaces. I was
> under the impression that all you needed was a "Default allow LAN to any
> rule" and job done. Yet I'm struggling to get devices on different
> interfaces to communicate. What am I missing?
>
>
> Thanks
>
>
>
> --
>
>
> Respect your privacy and that of others, don't give your data to big
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your
> messaging or
> Diaspora* (https://joindiaspora.com/) for your social networking.
>


Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Eero Volotinen
Well,

Just plug pfSense into the ADSL and buy a managed switch and some UniFi WLAN APs.
You can install a proxy on the pfSense box also..


Eero

22.12.2017 23.57 "Antonio"  kirjoitti:

Hello,

I'm trying to design an optimal network setting for my home and was
wondering what people's thoughts were based on my needs:

1) Need a single DHCP, DNSMasq server;

2) want to route traffic through VPNs only on certain parts of my network

3) want to eventually install a proxy somewhere on the network to route
traffic from my kids laptops/tablets.

4) obviously want to firewall all centrally as best as possible.

My setup is as follows:

a) I have a little compact mini PC with four ethernet connections (1x
WAN and 3x LAN) - it's wifi too

b) A Netgear Modem onto ADSL

c) A Netgear router Hawk 7000

d) a couple of desktop PCs wired to (a) as well as a server

e) several mobiles, IoTs that connect wireless to (c)

At the moment the connection is (b)->(c)->(a)->PCs but I feel I'm not
getting the best of this setup, particularly pfSense which at the moment
is just firewalling my PCs/server.

I generally consider the wifi network the weak point as guests come and
connect to it; that's why it's connected before (a); traffic from (c)
cannot get past (a) but the PCs/server can get out on the internet. I
feel that (a) should be connected to (b) and (c) should then be
connected to one of the LAN ports on (a), say LAN2 (I would have a
switch on LAN1 with PCs/server). I could then use pfSense to route
traffic from LAN2 to WAN and firewall LAN1 so that traffic from LAN2
could not go to LAN1.

That way, I could then set up pfSense as my single DHCP and DNSMasq
server. I could then set up VPNs for just traffic of LAN1 or LAN2.

Would you agree with this sort of setup or do you think I could
implement things better?

I look forward to some of your thoughts.

Best regards

--
Respect your privacy and that of others, don't give your data to big
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your
messaging or
Diaspora* (https://joindiaspora.com/) for your social networking.



Re: [pfSense] pfsense crashing

2017-12-18 Thread Eero Volotinen
This is a long-standing issue: https://redmine.pfsense.org/issues/4310

:(

Eero

2017-12-18 10:07 GMT+02:00 Eero Volotinen <eero.voloti...@iki.fi>:

> looks like turning pfsync from on to off resolved this issue.
>
> --
> Eero
>
> 2017-12-17 20:11 GMT+02:00 Joseph L. Casale <jcas...@activenetwerx.com>:
>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>> Volotinen
>> Sent: Sunday, December 17, 2017 11:02 AM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: Re: [pfSense] pfsense crashing
>>
>> > Need to test that tomorrow. Just wondering how to attach remote debugger
>> > or
>> > similar to get root cause of crash.
>>
>> Page 13 in the SG-8860 manual.


Re: [pfSense] pfsense crashing

2017-12-18 Thread Eero Volotinen
looks like turning pfsync from on to off resolved this issue.

--
Eero

2017-12-17 20:11 GMT+02:00 Joseph L. Casale <jcas...@activenetwerx.com>:

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Sunday, December 17, 2017 11:02 AM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense crashing
>
> > Need to test that tomorrow. Just wondering how to attach remote debugger
> > or
> > similar to get root cause of crash.
>
> Page 13 in the SG-8860 manual.


Re: [pfSense] pfsense crashing

2017-12-17 Thread Eero Volotinen
ok. I might be able to use screen to save output from firewall :) good idea.

Eero

2017-12-17 20:11 GMT+02:00 Joseph L. Casale <jcas...@activenetwerx.com>:

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Sunday, December 17, 2017 11:02 AM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense crashing
>
> > Need to test that tomorrow. Just wondering how to attach remote debugger
> > or
> > similar to get root cause of crash.
>
> Page 13 in the SG-8860 manual.


Re: [pfSense] pfsense crashing

2017-12-17 Thread Eero Volotinen
Need to test that tomorrow. Just wondering how to attach remote debugger or
similar to get root cause of crash.

Eero

17.12.2017 19.57 "Joseph L. Casale" <jcas...@activenetwerx.com> wrote:

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Sunday, December 17, 2017 5:28 AM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] pfsense crashing
>
> > After updating and restoring config to my SG-8860, it goes to endless
> boot
> > - reboot - crash loop.
> >
> > Any idea how to test if this is hardware or software issue?
>
> Well, re-install fresh and _dont_ restore the config?


[pfSense] pfsense crashing

2017-12-17 Thread Eero Volotinen
Hi List,

After updating and restoring the config to my SG-8860, it goes into an endless boot
- reboot - crash loop.

Any idea how to test if this is hardware or software issue?

--
Eero


[pfSense] pfsense adi 2.4.2-1 (p1)

2017-12-16 Thread Eero Volotinen
is this install image available on the net? for netgate devices.


Re: [pfSense] pfsense ha issues

2017-12-12 Thread Eero Volotinen
Well. I did not test that. I need to do that when I can switch the carp
cluster back online. I rolled back to a single firewall as the ha setup caused
packet loss issues on the production network (office).

--
Eero

2017-12-12 22:26 GMT+02:00 Steve Yates <st...@teamits.com>:

> I get the actual LAN IP back from a traceroute also so that's normal.  In
> the sense of "that's the router handling the packet" that makes sense.
>
> Do you get packet loss if you ping out from the pfSense?
>
> Steve
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Tuesday, December 12, 2017 2:01 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense ha issues
>
> Well,
>
> I did traceroute 8.8.8.8 and that shows traffic via 192.168.1.7 which is
> primary firewall lan address.
>
> DHCP gives default route to 192.168.1.1 which is the carp vip. I get only
> continuous packet loss to the internet, not to the .1 (vip) or .7 addresses, and carp
> status is stable. (ie. primary firewall is master on all carp addresses)
>
> Eero
>
> 2017-12-12 21:55 GMT+02:00 Steve Yates <st...@teamits.com>:
>
> > They aren't swapping master/backup are they?  If you turn off one of the
> > two what happens?
> >
> > Not sure how you're determining traffic going to the .7 IP...?  The
> > gateway on a device on the LAN should be .1 (the "CARP" LAN IP).
> >
> > Are you getting packet loss if you ping the .1 address?  The .7 address?
> > Or just out to the Internet?
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> > Volotinen
> > Sent: Tuesday, December 12, 2017 1:03 PM
> > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> > Subject: [pfSense] pfsense ha issues
> >
> > Hi,
> >
> > installed pfsense ha system on office. it works, but experiencing about
> 25%
> > packet loss. any idea why? switch issue? failover works fine.
> >
> > VIP lan gw ip is .1 but looks like traffic is going to .7 ip (normal ip
> of
> > fw) even dhcp offers .1 as gw. is this normal?
> >
> > Eero


Re: [pfSense] pfsense ha issues

2017-12-12 Thread Eero Volotinen
Well,

I did traceroute 8.8.8.8 and that shows traffic via 192.168.1.7 which is
primary firewall lan address.

DHCP gives default route to 192.168.1.1 which is the carp vip. I get only
continuous packet loss to the internet, not to the .1 (vip) or .7 addresses, and carp
status is stable. (ie. primary firewall is master on all carp addresses)

Eero

2017-12-12 21:55 GMT+02:00 Steve Yates <st...@teamits.com>:

> They aren't swapping master/backup are they?  If you turn off one of the
> two what happens?
>
> Not sure how you're determining traffic going to the .7 IP...?  The
> gateway on a device on the LAN should be .1 (the "CARP" LAN IP).
>
> Are you getting packet loss if you ping the .1 address?  The .7 address?
> Or just out to the Internet?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Tuesday, December 12, 2017 1:03 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] pfsense ha issues
>
> Hi,
>
> installed pfsense ha system on office. it works, but experiencing about 25%
> packet loss. any idea why? switch issue? failover works fine.
>
> VIP lan gw ip is .1 but looks like traffic is going to .7 ip (normal ip of
> fw) even dhcp offers .1 as gw. is this normal?
>
> Eero


[pfSense] pfsense ha issues

2017-12-12 Thread Eero Volotinen
Hi,

installed a pfsense ha system in the office. it works, but I'm experiencing about 25%
packet loss. any idea why? switch issue? failover works fine.

The VIP lan gw ip is .1 but it looks like traffic is going to the .7 ip (normal ip of
the fw) even though dhcp offers .1 as gw. is this normal?

Eero


Re: [pfSense] single pfsense to ha conversion

2017-12-11 Thread Eero Volotinen
Did my conversion this way:

- added carp ips to firewall
- did config backup
- switched carp and main ips with editor
- restored config to firewall
- edited fw & nat rules
- did backup
- edited ips and restored to sec. firewall
- and enabled config sync

Works well. It was about a two-hour job ;)

Eero

4.12.2017 19.16 "Chris L" <c...@viptalk.net> wrote:

>
>
> > On Dec 4, 2017, at 9:07 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >
> > well. my plan was to add first carp vip addresses to old configuration
> with
> > gui and then
> > switching them to main addresses using search and replace.
> >
> > and then just restore config to main firewall and use config sync to
> > replicate it to secondary..
> >
> >
>
> I guess do whatever feels right then.
>
> > --
> > Eero
> >
> > 2017-12-04 18:41 GMT+02:00 Chris L <c...@viptalk.net>:
> >
> >> On Dec 4, 2017, at 8:11 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >>>
> >>> Well. is that really so hard?
> >>>
> >>> thinking to add carp ip addresses and switching them to main addresses
> by
> >>> editing xml backup and then restoring it to firewall..
> >>>
> >>> I have same hardware (3* sg-8860). one for backup..
> >>
> >> It depends on how complicated your setup is.
> >>
> >> If there were lots of interfaces and physical interface name changes, I
> >> might edit the configuration to change the interface names and the
> >> interface addresses (many people use .2 for the primary, .3 for the
> >> secondary, and .1 for the CARP VIP, for instance) but after that I would
> >> use the GUI to make the HASYNC interface, VIPs and configure HA.
> >>
> >> I would not try to configure the secondary that way. I would configure
> it
> >> from scratch and let the configuration for everything except the
> >> interfaces, etc sync over.
> >>
> >>>
> >>> Eero
> >>>
> >>> 4.12.2017 17.49 "Steve Yates" <st...@teamits.com> wrote:
> >>>
> >>>> I don't think it would qualify as "simple" since it involves setting
> up
> >> an
> >>>> additional interface on each as well as the CARP virtual IPs.
> >>>>
> >>>> If you're asking about linking your old router to a new router, the
> >>>> routers have to use the same hardware interface (NIC) names in order
> to
> >>>> sync firewall states (em0 to igb0 won't sync).
> >>>>
> >>>> --
> >>>>
> >>>> Steve Yates
> >>>> ITS, Inc.
> >>>>
> >>>> -Original Message-
> >>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >>>> Volotinen
> >>>> Sent: Saturday, December 2, 2017 11:04 AM
> >>>> To: pfSense Support and Discussion Mailing List <
> list@lists.pfsense.org
> >>>
> >>>> Subject: [pfSense] single pfsense to ha conversion
> >>>>
> >>>> Hi List,
> >>>>
> >>>> I just bought two pieces of sg-8860 netgate devices and planning to
> >> convert
> >>>> old unit to ha solution.
> >>>>
> >>>> Is there simple way to convert units to ha with a bit editing xml
> >> backup?
> >>>>
> >>>> --
> >>>> Eero
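The XML edit described in this thread (add the CARP VIPs, swap them with the interface addresses in the backup, restore, then repeat with the other node's addresses), written out as an added example script; it is not pfSense or Netgate code. It builds a per-node config.xml from a single-node backup: the address each interface had becomes the shared CARP VIP, so clients keep their gateway, and each node gets its own address and its own advskew. The element names (interfaces/<name>/ipaddr and subnet, virtualip/vip with mode, vhid, advskew, advbase, password, uniqid, subnet, subnet_bits) are those of a pfSense 2.4 backup as I know it; the trimmed sample backup, the addresses and the CARP password are constructed for the example. Compare the generated vip entries with one created in the GUI before restoring, and note that firewall and NAT rules that reference the old interface addresses are not touched here, which matches the separate rule-editing step in the thread.

```python
"""Build per-node config.xml files for a pfSense CARP pair from a single-node backup.

Added example, not pfSense or Netgate code. Element names follow a pfSense 2.4
backup; verify against a VIP created in the GUI before restoring anything.
"""
import ipaddress
import uuid
import xml.etree.ElementTree as ET

# Constructed single-firewall backup, trimmed to the parts this script touches.
SINGLE_NODE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>203.0.113.2</ipaddr><subnet>29</subnet></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb2</if><ipaddr>dhcp</ipaddr></opt1>
  </interfaces>
  <virtualip/>
</pfsense>
"""


def _add(parent, tag, value):
    child = ET.SubElement(parent, tag)
    child.text = str(value)
    return child


def build_node_config(xml_text, node_addrs, advskew, carp_password, vhid_start=1):
    """Turn the interfaces named in node_addrs into CARP-backed interfaces.

    node_addrs maps interface name -> the address this node keeps for itself.
    The address the interface had in the backup becomes the shared VIP.
    vhid and password must be identical on both nodes; advskew must differ
    (0 on the primary, e.g. 100 on the secondary).
    """
    root = ET.fromstring(xml_text)
    ifaces = root.find("interfaces")
    if ifaces is None:
        raise ValueError("backup has no <interfaces> section")
    vips = root.find("virtualip")
    if vips is None:
        vips = ET.SubElement(root, "virtualip")
    used_vhids = {int(v.findtext("vhid")) for v in vips.findall("vip") if v.findtext("vhid")}
    vhid = vhid_start
    for name, node_ip in node_addrs.items():
        iface = ifaces.find(name)
        if iface is None:
            raise ValueError(f"interface {name!r} not in backup")
        old_ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        try:
            vip_addr = ipaddress.ip_address(old_ip)   # rejects dhcp/pppoe/none
            new_addr = ipaddress.ip_address(node_ip)
        except ValueError:
            raise ValueError(f"{name}: CARP needs a static address, found {old_ip!r}") from None
        if not bits:
            raise ValueError(f"{name}: missing prefix length")
        if new_addr == vip_addr:
            raise ValueError(f"{name}: node address must differ from VIP {vip_addr}")
        net = ipaddress.ip_network(f"{vip_addr}/{bits}", strict=False)
        if new_addr not in net:
            raise ValueError(f"{name}: {new_addr} is outside {net}")
        while vhid in used_vhids:   # never reuse a vhid already in the backup
            vhid += 1
        used_vhids.add(vhid)
        iface.find("ipaddr").text = str(new_addr)
        vip = ET.SubElement(vips, "vip")
        _add(vip, "mode", "carp")
        _add(vip, "interface", name)
        _add(vip, "vhid", vhid)
        _add(vip, "advskew", advskew)
        _add(vip, "advbase", 1)
        _add(vip, "password", carp_password)
        _add(vip, "uniqid", uuid.uuid4().hex[:13])  # pfSense fills this with PHP uniqid(); any unique token works
        _add(vip, "descr", f"{name.upper()} CARP VIP")
        _add(vip, "type", "single")
        _add(vip, "subnet_bits", bits)
        _add(vip, "subnet", str(vip_addr))
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def carp_vips(xml_text):
    """List the CARP VIPs in a config as dicts, for checking before restore."""
    root = ET.fromstring(xml_text)
    return [{c.tag: c.text for c in vip}
            for vip in root.findall("virtualip/vip") if vip.findtext("mode") == "carp"]


def interface_addr(xml_text, name):
    return ET.fromstring(xml_text).findtext(f"interfaces/{name}/ipaddr")


if __name__ == "__main__":
    pw = "s3cret-carp"  # constructed; use a real shared secret
    primary = build_node_config(SINGLE_NODE_CONFIG,
                                {"wan": "203.0.113.3", "lan": "192.168.1.2"}, 0, pw)
    secondary = build_node_config(SINGLE_NODE_CONFIG,
                                  {"wan": "203.0.113.4", "lan": "192.168.1.3"}, 100, pw)
    for label, cfg in (("primary", primary), ("secondary", secondary)):
        print(label, interface_addr(cfg, "lan"),
              [(v["interface"], v["vhid"], v["subnet"], v["advskew"]) for v in carp_vips(cfg)])
```

Both nodes are generated from the same backup with the same interface order, so the vhid assigned to each VIP matches across the pair; the only differences between the two files are the per-node addresses and the advskew. Interfaces without a static address (the dhcp one in the sample) are refused rather than silently skipped.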


Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-10 Thread Eero Volotinen
well. Just thinking site to site ipsec :)

anyway. not happy with meraki aes speed, but that might be problem on
meraki device..

Eero

10.12.2017 19.06 "Vick Khera" wrote:

> If you're going to use IPSec mobile client with an iPhone, it does not seem
> to propose the GCM variants of AES, only the CBC ones with SHA2.


[pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-09 Thread Eero Volotinen
Hi,

What are the best ipsec ciphers for aes-ni ipsec acceleration?

Eero


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-05 Thread Eero Volotinen
well. take a backup of the config and ask the operator to reinstall the box from a usb
stick & restore the backup?

Eero

5.12.2017 11.53 "Pete Boyd" wrote:

> It was available to login to again after power cycling.
>
> From the log - General:
>
> check_reload_status Rewriting resolv.conf
>
> From the log - DNS Resolver:
>
> dnsmasq 6768: failed to create listening socket for port 53: Address
> already in use
>
> dnsmasq 6768: FAILED to start up
>
> /etc/resolv.conf was missing. I created a new copy and DNS now works.
> Version 2.4.2 is again being advertised. I initiated the upgrade and it
> appears to take place, though there are lots of this kind of issue, I
> don't know if this is of interest:
>
> Installed packages to be REINSTALLED:
> xinetd-2.3.15_2 [pfSense] (ABI changed: 'freebsd:10:x86:64' ->
> 'freebsd:11:x86:64')
>
> "Number of packages to be removed: 1
> Number of packages to be installed: 16
> Number of packages to be upgraded: 47
> Number of packages to be reinstalled: 81"
>
> After the eventual reboot it's still saying it's 2.3.5.
> I initiated the upgrade again from the GUI and it says "Please wait
> while the update system initializes" and nothing more.
>
> It's at least currently stable enough for people to use.
>
> Any help is most appreciated, thanks.
>
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Eero Volotinen
well. ssh into the box and cat /etc/resolv.conf to see the nameserver addresses. if
it contains a 127.0.0.1 entry, then it is using dnsmasq/unbound or a similar
dns cache.

I think it is under services tab..

Eero

4.12.2017 23.56 "Pete Boyd" wrote:

> I'm not sure where to look for a DNS Forwarder issue.
> I tried restarting the service.
> I looked in firewall rules for WAN.
> I changed DNS servers in System > General Setup to Google Public DNS.
>
> I tried turning this off:
> DNS Server Override [ ] Allow DNS server list to be overridden by
> DHCP/PPP on WAN
>
> I tried enabling this:
> Disable DNS Forwarder [*] Do not use the DNS Forwarder/DNS Resolver as a
> DNS server for the firewall
>
> I turned the latter 2 back. I rebooted, and it didn't come back.
>
>
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Eero Volotinen
well. for a temporary fix, try hardcoding the needed hostnames in /etc/hosts and
check also that your firewall rules allow access to the dns server on 53/udp and
tcp.

Eero




4.12.2017 22.41 "Pete Boyd" wrote:

> On 04/12/2017 20:39, Adam Thompson wrote:
> > Do you have functional DNS from the CLI?
>
> No, I can't ping google.com or localdomain names.
>
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Eero Volotinen
is dns (name resolution) working correctly?

Eero

4.12.2017 22.29 "Pete Boyd" wrote:

> On 04/12/2017 20:11, Steve Yates wrote:
> > If you ssh to the device and pick the option to update from its console
> menu, does it update there?
>
> No, those package repository errors are what I'm seeing when doing that.
>
> I tried the swapping to different repositories in the GUI, trying update
> from console, back and forth, as described in the page you linked to,
> but that hasn't helped, each time it has the same repository errors.
>
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Eero Volotinen
It might be possible to transfer a static version of strace to the box via ssh.

this might be a bit tricky, but ..

--
Eero

2017-12-04 22:11 GMT+02:00 Pete Boyd :

> strace isn't installed, no packages are installed.
>
> Ideally I'd like to recover this to 2.3.5 or 2.4.2 if possible.
> I'd like to not have to do a fresh install and restore of config if
> possible, though I can get local people brought in to do that, or have
> it posted to me.
> People on site can draft in the spare pfSense PC if need be tomorrow.
>
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Eero Volotinen
I got similar problems on my device :) reinstalled it with 2.4.2 and did a
restore from backup.

Anyway, do you have strace or similar tools installed in the box?

Eero

2017-12-04 21:57 GMT+02:00 Pete Boyd <petes-li...@thegoldenear.org>:

> On 04/12/2017 19:52, Eero Volotinen wrote:
> > Can you ssh into device and drop to shell?
>
> Yes, that's where I've been trying the pkg-static commands.
>
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Eero Volotinen
Can you ssh into device and drop to shell?

Eero

2017-12-04 21:19 GMT+02:00 Pete Boyd :

> Hi. I upgraded a production SG-2440 running pfSense 64-bit 2.3.5 to
> 2.4.2 using the web GUI. There were no packages installed. It appeared
> to update OK, and rebooted afterwards. However it came back as version
> 2.3.5 and now says it's on the latest version, despite going to the
> update page and re-saving.
>
> Choosing "Update from console" gives the following:
>
> "Updating pfSense-core repository catalogue...
>
> pkg-static: Repository pfSense-core load error: access repo
> file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or
> directory
>
> pkg-static:
> https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_
> amd64-core/meta.txz:
> No address record
> repository pfSense-core has no meta file, using default settings
>
> pkg-static:
> https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_
> amd64-core/packagesite.txz:
> No address record
>
> Unable to update repository pfSense-core
>
> Updating pfSense repository catalogue...
>
> pkg-static: Repository pfSense load error: access repo
> file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
>
> pkg-static:
> https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_
> amd64-pfSense_factory-v2_4_2/meta.txz:
> No address record
> repository pfSense has no meta file, using default settings
>
> pkg-static:
> https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_
> amd64-pfSense_factory-v2_4_2/packagesite.txz:
> No address record
>
> Unable to update repository pfSense
>
> Error updating repositories!
>
> If I run "pkg update -f" I get this error:
> Shared object "libssl.so.8" not found, required by "pkg"
>
> These commands give the same repository error messages as above:
> pkg-static update -f
> pkg-static upgrade -f
>
> I don't have physical access to the device.
> So far, ostensibly, it appears to be running OK; I'm VPNd in.
>
> Has anyone any ideas that might help please?
> Thanks
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org
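The checks this thread walks through one by one (does the firewall resolve names from the CLI, what is in /etc/resolv.conf, did the DNS Forwarder start, what does pkg-static report) correlated in one added triage script; it is not pfSense or Netgate code. It parses resolv.conf the way libc does, classifies the pkg-static console output and the forwarder log with signatures taken from the lines quoted in the thread, and names a root cause only when the evidence lines up: "No address record" plus a resolv.conf that is missing, empty, or points only at a local resolver that failed to start means the firewall itself cannot resolve the repository host. The sample console output and log lines are constructed to match the shape of the quoted ones; the log path and its format are not assumed, so feed real log text in yourself (pfSense keeps circular logs, so copy the text out of the GUI or with clog first).

```python
"""Triage the '2.3.5 -> 2.4.2 failed accessing repository' symptom from the thread.

Added example, not pfSense or Netgate code. Correlates the pkg-static output,
the DNS Forwarder/Resolver log and /etc/resolv.conf, which the thread
examined separately. Sample texts below are constructed.
"""
import ipaddress
import os
import re

SAMPLE_PKG_OUTPUT = """\
Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg-static: https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-core/meta.txz: No address record
Unable to update repository pfSense-core
Shared object "libssl.so.8" not found, required by "pkg"
"""

SAMPLE_RESOLVER_LOG = """\
dnsmasq[6768]: failed to create listening socket for port 53: Address already in use
dnsmasq[6768]: FAILED to start up
"""


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf text; comments and other directives are ignored."""
    servers = []
    for raw in text.splitlines():
        fields = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # libc skips malformed entries too
    return servers


def resolver_state(resolv_text):
    """One of missing / no-nameserver / local-only / ok, as seen from the firewall."""
    if resolv_text is None:
        return "missing"
    servers = parse_resolv_conf(resolv_text)
    if not servers:
        return "no-nameserver"
    if all(ipaddress.ip_address(s).is_loopback for s in servers):
        return "local-only"  # resolution depends entirely on the local forwarder/resolver
    return "ok"


PKG_SIGNATURES = (
    ("dns-failure", re.compile(r"No address record")),
    ("repo-db-missing", re.compile(r"access repo file\(.*\) failed: No such file")),
    ("half-upgraded-libs", re.compile(r'Shared object "lib\w+\.so\.\d+" not found, required by "pkg"')),
)
LOG_SIGNATURES = (
    ("local-resolver-down", re.compile(r"(dnsmasq|unbound).*(FAILED to start|Address already in use)")),
)


def classify(text, signatures):
    return [name for name, rx in signatures if rx.search(text)]


def triage(pkg_output, resolver_log="", resolv_text=None):
    """Return findings; the last entry names a root cause when the evidence supports one."""
    findings = classify(pkg_output, PKG_SIGNATURES) + classify(resolver_log, LOG_SIGNATURES)
    state = resolver_state(resolv_text)
    findings.append("resolv.conf:" + state)
    dns_broken = state in ("missing", "no-nameserver") or (
        state == "local-only" and "local-resolver-down" in findings)
    if "dns-failure" in findings and dns_broken:
        findings.append("root-cause:firewall-cannot-resolve")
    elif "half-upgraded-libs" in findings:
        # pkg itself is linked against libraries the half-finished upgrade removed;
        # the thread resolved this by reinstalling and restoring the backup.
        findings.append("root-cause:partial-upgrade-reinstall")
    return findings


def read_optional(path):
    return open(path).read() if os.path.exists(path) else None


if __name__ == "__main__":
    # On the firewall, replace the samples with the real console output and log text.
    print(triage(SAMPLE_PKG_OUTPUT, SAMPLE_RESOLVER_LOG, read_optional("/etc/resolv.conf")))
```

With the constructed samples and no resolv.conf, the script reports dns-failure, repo-db-missing, half-upgraded-libs, local-resolver-down, resolv.conf:missing and the root cause firewall-cannot-resolve, which is the combination the thread describes; with a working resolv.conf it falls back to the partial-upgrade verdict.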

Re: [pfSense] single pfsense to ha conversion

2017-12-04 Thread Eero Volotinen
well. my plan was to first add the carp vip addresses to the old configuration with
the gui and then
switch them to the main addresses using search and replace.

and then just restore config to main firewall and use config sync to
replicate it to secondary..


--
Eero

2017-12-04 18:41 GMT+02:00 Chris L <c...@viptalk.net>:

> On Dec 4, 2017, at 8:11 AM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> >
> > Well. is that really so hard?
> >
> > thinking to add carp ip addresses and switching them to main addresses by
> > editing xml backup and then restoring it to firewall..
> >
> > I have same hardware (3* sg-8860). one for backup..
>
> It depends on how complicated your setup is.
>
> If there were lots of interfaces and physical interface name changes, I
> might edit the configuration to change the interface names and the
> interface addresses (many people use .2 for the primary, .3 for the
> secondary, and .1 for the CARP VIP, for instance) but after that I would
> use the GUI to make the HASYNC interface, VIPs and configure HA.
>
> I would not try to configure the secondary that way. I would configure it
> from scratch and let the configuration for everything except the
> interfaces, etc sync over.
>
> >
> > Eero
> >
> > 4.12.2017 17.49 "Steve Yates" <st...@teamits.com> wrote:
> >
> >> I don't think it would qualify as "simple" since it involves setting up
> an
> >> additional interface on each as well as the CARP virtual IPs.
> >>
> >> If you're asking about linking your old router to a new router, the
> >> routers have to use the same hardware interface (NIC) names in order to
> >> sync firewall states (em0 to igb0 won't sync).
> >>
> >> --
> >>
> >> Steve Yates
> >> ITS, Inc.
> >>
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Saturday, December 2, 2017 11:04 AM
> >> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
> >
> >> Subject: [pfSense] single pfsense to ha conversion
> >>
> >> Hi List,
> >>
> >> I just bought two pieces of sg-8860 netgate devices and planning to
> convert
> >> old unit to ha solution.
> >>
> >> Is there simple way to convert units to ha with a bit editing xml
> backup?
> >>
> >> --
> >> Eero


Re: [pfSense] single pfsense to ha conversion

2017-12-04 Thread Eero Volotinen
Well. is that really so hard?

thinking of adding carp ip addresses and switching them to the main addresses by
editing the xml backup and then restoring it to the firewall..

I have same hardware (3* sg-8860). one for backup..

Eero

4.12.2017 17.49 "Steve Yates" <st...@teamits.com> wrote:

> I don't think it would qualify as "simple" since it involves setting up an
> additional interface on each as well as the CARP virtual IPs.
>
> If you're asking about linking your old router to a new router, the
> routers have to use the same hardware interface (NIC) names in order to
> sync firewall states (em0 to igb0 won't sync).
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Saturday, December 2, 2017 11:04 AM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] single pfsense to ha conversion
>
> Hi List,
>
> I just bought two pieces of sg-8860 netgate devices and planning to convert
> old unit to ha solution.
>
> Is there simple way to convert units to ha with a bit editing xml backup?
>
> --
> Eero


[pfSense] single pfsense to ha conversion

2017-12-02 Thread Eero Volotinen
Hi List,

I just bought two sg-8860 netgate devices and am planning to convert the
old unit to an ha solution.

Is there a simple way to convert the units to ha with a bit of editing of the xml backup?

--
Eero


Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-12-01 Thread Eero Volotinen
in-place upgrade from 2.3 to 2.4 looks fragile. is there a way to upgrade the
system to the latest 2.3.* series without reinstalling? the online upgrade wants to
update to 2.4.2..

Eero

1.12.2017 16.27 "Alberto Moreno" <ports...@gmail.com> wrote:

> The last version from 2.3.x is 2.3.5; you can stick with the latter, or you can test
> the 2.4.2 upgrade.
>
>
> On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> > known issues?
> >
> > it's not so complex setup, but running as our hq main firewall. so, some
> > ipsec and openvpn connections are running against it.
> >
> >
> >
> > Eero
> >
>
>
>
> --
> LIving the dream...


Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-29 Thread Eero Volotinen
anyway, why does the upgrade routine not remove packages as needed? the update
process is a bit complex and unreliable..

30.11.2017 0.31 "Ryan Coleman" <ryan.cole...@cwis.biz> wrote:

> Anything that isn’t a maintenance release (2.x.y … the “y” here) should be
> considered a major release.
>
> macOS 10.11 is a major release. 10.11.1 is not.
>
> —
> Ryan
>
> > On Nov 29, 2017, at 1:37 PM, Steve Yates <st...@teamits.com> wrote:
> >
> > Does it work if you uninstall haproxy first?  I know pfSense recommends
> uninstalling packages for "major" version upgrades but (per my past thread
> here ) I would think point versions are minor upgrades.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> > Sent: Wednesday, November 29, 2017 12:02 PM
> > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> > Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
> >
> > yes. looks like very similar problem :)
> >
> > Eero
> >
> > 2017-11-29 18:59 GMT+02:00 Tom Müller-Kortkamp <tmu...@kommunity.net>:
> >
> >> Did you have any packages installed?
> >> I filed this bug 2 Days ago:
> >> https://redmine.pfsense.org/issues/8135
> >>
> >>> On 29.11.2017 at 00:11, Steve Yates <st...@teamits.com> wrote:
> >>>
> >>>  https://redmine.pfsense.org/ is the bug tracker.
> >> https://www.netgate.com/support/contact-support.html for tech support.
> >>>
> >>> --
> >>>
> >>> Steve Yates
> >>> ITS, Inc.
> >>>
> >>> -Original Message-
> >>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >>> Sent: Monday, November 27, 2017 12:37 AM
> >>> To: pfSense Support and Discussion Mailing List <
> list@lists.pfsense.org>;
> >> j...@netgate.com
> >>> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
> >>>
> >>> Hi,
> >>>
> >>> Looks like the "online" upgrade (2.3.5 -> 2.4.2) trashes the sg-8860 unit
> >>> into a "non-working state" (i.e. ssl libraries missing and so on).
> >>>
> >>> Where can I file a critical bug ticket? :D
> >>>
> >>> --
> >>> Eero
> >>>
> >>> 2017-11-26 19:53 GMT+02:00 Daniel <dan...@linux-nerd.de>:
> >>>
> >>>> I updated 3 firewalls, all without any problems.
> >>>>
> >>>>
> >>>>
> >>>> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <
> >>>> list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
> >>>>
> >>>>   Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there
> >>>>   any known issues?
> >>>>
> >>>>   It's not a very complex setup, but it's running as our hq main firewall,
> >>>>   so some ipsec and openvpn connections are running against it.
> >>>>
> >>>>
> >>>>

Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-29 Thread Eero Volotinen
Yes. Looks like a very similar problem :)

Eero

2017-11-29 18:59 GMT+02:00 Tom Müller-Kortkamp <tmu...@kommunity.net>:

> Did you have any packages installed?
> I filed this bug 2 days ago:
> https://redmine.pfsense.org/issues/8135
>
> > On 29.11.2017 at 00:11, Steve Yates <st...@teamits.com> wrote:
> >
> > https://redmine.pfsense.org/ is the bug tracker.
> > https://www.netgate.com/support/contact-support.html for tech support.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-----
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> > Sent: Monday, November 27, 2017 12:37 AM
> > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>;
> j...@netgate.com
> > Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
> >
> > Hi,
> >
> > Looks like the "online" upgrade (2.3.5 -> 2.4.2) trashes the sg-8860 unit
> > into a "non-working state" (i.e. ssl libraries missing and so on).
> >
> > Where can I file a critical bug ticket? :D
> >
> > --
> > Eero
> >
> > 2017-11-26 19:53 GMT+02:00 Daniel <dan...@linux-nerd.de>:
> >
> >> I updated 3 firewalls, all without any problems.
> >>
> >>
> >>
> >> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <
> >> list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
> >>
> >>    Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there
> >>    any known issues?
> >>
> >>    It's not a very complex setup, but it's running as our hq main firewall,
> >>    so some ipsec and openvpn connections are running against it.
> >>
> >>
> >>
> >>Eero
>
> Best regards
> Tom Müller-Kortkamp
> --
> kommunity GmbH & Co.KG - Goseriede 4, D-30159 Hannover
> Phone: +49 (0)5 11 - 80 72 58 - 0 Fax: +49 (0)5 11 - 80 72 58 - 10
> Mail: mailto:tmu...@kommunity.net, Web: http://www.kommunity.net
>
> VAT ID no.: DE 813740826; Commercial register: Amtsgericht Hannover;
> Register number: HRA 26721;
> General partner with personal liability: kommunity Verwaltungsgesellschaft mbH,
> represented by the managing director Tom Müller-Kortkamp;
> Commercial register: Amtsgericht Hannover; Register number: HRB 60200
>
> Teamviewer-Support-Link: http://kommunity.help

Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-27 Thread Eero Volotinen
Well. I have a similar issue on my sg-8860. It complains about missing ssl
and php libraries :)

Well. At least it boots from usb, so I can do a full reinstall + config
restore.

Eero

2017-11-23 18:59 GMT+02:00 Ryan Coleman :

> There’s likely a package you added to your APU4 that is stopping the
> upgrade.
>
> If you use reddit you can get some assistance from more NetGate staff
> there: http://reddit.com/r/pfsense/
>
> > On Nov 23, 2017, at 10:08 AM, Elijah Savage wrote:
> >
> > I know it is an older model but after my attempt to upgrade my APU4 it
> > would not reboot. I let it sit for 24 hours as it was still passing traffic
> > but no reboot. Logged into the console from my laptop and rebooted it and
> > nothing comes back. It doesn't give anything on the console and doesn't beep
> > anymore when booting up, I believe it doesn't get to that point.
> >
> >
> >
> > Interestingly enough I was able to get 2.4 loaded on an older dell optiplex
> > 780 with 3 nics to replace it just fine.
> >
> >
> >
> > This is not intended to bash pfSense, I like it so much that I do
> > contribute monetarily. This is meant to be nothing more than a public service
> > announcement for others with this platform. Maybe it was just time for mine
> > to die and it potentially has nothing to do with pfSense.
> >

Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-26 Thread Eero Volotinen
Hi,

Looks like the "online" upgrade (2.3.5 -> 2.4.2) trashes the sg-8860 unit
into a "non-working state" (i.e. ssl libraries missing and so on).

Where can I file a critical bug ticket? :D

--
Eero

2017-11-26 19:53 GMT+02:00 Daniel <dan...@linux-nerd.de>:

> I updated 3 firewalls, all without any problems.
>
>
>
> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <
> list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
>
> Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there
> any known issues?
>
> It's not a very complex setup, but it's running as our hq main firewall, so
> some ipsec and openvpn connections are running against it.
>
>
>
> Eero


Re: [pfSense] pfsense openvpn speed?

2017-11-26 Thread Eero Volotinen
Is that the real line "mtu" or just a virtual parameter?

Eero

2017-11-26 6:04 GMT+02:00 Jim Thompson <j...@netgate.com>:

>
> To explain why this is a good thing:
>
> One of the problems here is that while the AES-CBC (actual crypto) can be
> accelerated via AES-NI, the HMAC isn’t (very new Intel parts have SHA
> instructions, but no support in OpenSSL in any version of FreeBSD or
> pfSense as yet).
>
> So, at the end of the day, your speed will be throttled by the speed of
> SHA-256 on <= ~1450 byte packets, as well as the overhead of making two
> “crypto” passes (one enc/dec, one hmac) over the stream of data.
>
> AES-GCM is an AEAD algorithm, so you get the HMAC as a “side effect”.
>
> OpenVPN recommends AES-GCM for OpenVPN >= 2.4.
> https://community.openvpn.net/openvpn/wiki/SWEET32
>
> The other thing you can do, as indicated, is to run the “MTU” up such that
> the (OpenVPN) packet size increases, which reduces the overhead of both the
> TUN/TAP interface, as well as some of the overhead of handing relatively
> short packets to OpenSSL for encryption/decryption.
>
> Jim
>
> > On Nov 25, 2017, at 2:51 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >
> > Well,
> >
> > cipher AES-256-CBC
> > auth SHA256
> >
> > Thinking of upgrading this to AES-256-GCM
> >
> > Eero
> >
> > 2017-11-25 21:30 GMT+02:00 Jim Thompson <j...@netgate.com>:
> >
> >> What crypto transform and authentication are you running?  Maybe try
> >> AES-GCM (which is AES-NI accelerated) at both ends if both devices
> support
> >> it. Might need pfSense 2.4 for this.
> >>
> >> Try setting the (OpenVPN) MTU to a larger number.
> >>
> >> More hints: https://forum.pfsense.org/index.php?topic=123915.0
> >>
> >>> On Nov 25, 2017, at 11:37 AM, Lyle <l...@lcrcomputer.net> wrote:
> >>>
> >>> There is a lot of information missing here.
> >>>
> >>>
> >>> You have a better Netgate unit, but if the internet port on it is
> >>> connected to a 100Mbps switch, performance will suck.  Same on the LAN
> >>> side.  And if the ports are mismatched (half vs full duplex for instance),
> >>> performance will suffer.
> >>>
> >>>
> >>> What percentage of the gigabit link and/or LAN link on Netgate are you
> >>> utilizing before adding in OpenVPN?  Your ISP may be oversubscribed and
> >>> its uplinks are saturated.
> >>>
> >>>
> >>> You may be pushing too much traffic through the NetGate and it cannot
> >>> handle the load.
> >>>
> >>>
> >>> In other words, based on the limited info you provided, you have not
> >>> provided proof that it's a problem with the NetGate.
> >>>
> >>>
> >>> Lyle Giese
> >>>
> >>>> On 11/25/17 06:34, Eero Volotinen wrote:
> >>>> Hi list,
> >>>>
> >>>> We are running pfsense 2.3 on netgate sg-8860.
> >>>>
> >>>> The device is connected to the internet with a gigabit link, but openvpn
> >>>> speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn
> >>>> clients?
> >>>>
> >>>> Eero

[pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-26 Thread Eero Volotinen
Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any
known issues?

It's not a very complex setup, but it's running as our hq main firewall, so
some ipsec and openvpn connections are running against it.



Eero


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Well,

cipher AES-256-CBC
auth SHA256

Thinking of upgrading this to AES-256-GCM

Eero

2017-11-25 21:30 GMT+02:00 Jim Thompson <j...@netgate.com>:

> What crypto transform and authentication are you running?  Maybe try
> AES-GCM (which is AES-NI accelerated) at both ends if both devices support
> it. Might need pfSense 2.4 for this.
>
> Try setting the (OpenVPN) MTU to a larger number.
>
> More hints: https://forum.pfsense.org/index.php?topic=123915.0
>
> > On Nov 25, 2017, at 11:37 AM, Lyle <l...@lcrcomputer.net> wrote:
> >
> > There is a lot of information missing here.
> >
> >
> > You have a better Netgate unit, but if the internet port on it is
> > connected to a 100Mbps switch, performance will suck.  Same on the LAN
> > side.  And if the ports are mismatched (half vs full duplex for instance),
> > performance will suffer.
> >
> >
> > What percentage of the gigabit link and/or LAN link on Netgate are you
> > utilizing before adding in OpenVPN?  Your ISP may be oversubscribed and
> > its uplinks are saturated.
> >
> >
> > You may be pushing too much traffic through the NetGate and it cannot
> > handle the load.
> >
> >
> > In other words, based on the limited info you provided, you have not
> > provided proof that it's a problem with the NetGate.
> >
> >
> > Lyle Giese
> >
> >> On 11/25/17 06:34, Eero Volotinen wrote:
> >> Hi list,
> >>
> >> We are running pfsense 2.3 on netgate sg-8860.
> >>
> >> The device is connected to the internet with a gigabit link, but openvpn
> >> speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn
> >> clients?
> >>
> >> Eero


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Thanks for the links. Looks like it might be wise to upgrade to pfsense 2.4 and
enable --cipher AES-256-GCM on openvpn?



Eero

2017-11-25 20:01 GMT+02:00 Joseph L. Casale <jcas...@activenetwerx.com>:

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Saturday, November 25, 2017 5:35 AM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] pfsense openvpn speed?
>
> > We are running pfsense 2.3 on netgate sg-8860.
> >
> > The device is connected to the internet with a gigabit link, but openvpn
> > speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn
> > clients?
>
> Assuming the obvious, low hanging fruit is addressed, there is much more
> to getting high throughput with openvpn than just link speed
> considerations.
>
> The openvpn wiki has good articles which may provide insight:
> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
> https://community.openvpn.net/openvpn/wiki/PerformanceTesting
>


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Well.

Both lan and wan are connected to full duplex gigabit ports. It can do at
least 600Mbit/s nat as tested with speedtest.net.

Well. Wan is utilized at most at about 100Mbit/s (10% of total connection speed).

Is this hardware underpowered to do over 100Mbit/s openvpn speed?

Eero

2017-11-25 19:37 GMT+02:00 Lyle <l...@lcrcomputer.net>:

> There is a lot of information missing here.
>
>
> You have a better Netgate unit, but if the internet port on it is
> connected to a 100Mbps switch, performance will suck.  Same on the LAN
> side.  And if the ports are mismatched (half vs full duplex for instance),
> performance will suffer.
>
>
> What percentage of the gigabit link and/or LAN link on Netgate are you
> utilizing before adding in OpenVPN?  Your ISP may be oversubscribed and
> its uplinks are saturated.
>
>
> You may be pushing too much traffic through the NetGate and it cannot
> handle the load.
>
>
> In other words, based on the limited info you provided, you have not
> provided proof that it's a problem with the NetGate.
>
>
> Lyle Giese
>
>
> On 11/25/17 06:34, Eero Volotinen wrote:
>
>> Hi list,
>>
>> We are running pfsense 2.3 on netgate sg-8860.
>>
>> The device is connected to the internet with a gigabit link, but openvpn speed
>> is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>>
>> Eero


[pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Hi list,

We are running pfsense 2.3 on netgate sg-8860.

The device is connected to the internet with a gigabit link, but openvpn speed
is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?

Eero


Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-23 Thread Eero Volotinen
from usb stick?

Eero

On 23.11.2017 at 23.25, "Elijah Savage" <esav...@digitalrage.org> wrote:

> Can't get it to boot on any image.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Thursday, November 23, 2017 4:23 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate
>
> reinstall with factory image from usb stick?
>
> On 23.11.2017 at 18.09, "Elijah Savage" <esav...@digitalrage.org> wrote:
>
> > I know it is an older model but after my attempt to upgrade my APU4 it
> > would not reboot. I let it sit for 24 hours as it was still passing
> > traffic but no reboot. Logged into the console from my laptop and
> > rebooted it and nothing comes back. It doesn't give anything on the
> > console and doesn't beep anymore when booting up, I believe it doesn't
> > get to that point.
> >
> >
> >
> > Interestingly enough I was able to get 2.4 loaded on an older dell
> > optiplex 780 with 3 nics to replace it just fine.
> >
> >
> >
> > This is not intended to bash pfSense, I like it so much that I do
> > contribute monetarily. This is meant to be nothing more than a public
> > service announcement for others with this platform. Maybe it was just
> > time for mine to die and it potentially has nothing to do with
> > pfSense.
> >


Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-23 Thread Eero Volotinen
reinstall with factory image from usb stick?

On 23.11.2017 at 18.09, "Elijah Savage" wrote:

> I know it is an older model but after my attempt to upgrade my APU4 it
> would not reboot. I let it sit for 24 hours as it was still passing traffic
> but no reboot. Logged into the console from my laptop and rebooted it and
> nothing comes back. It doesn't give anything on the console and doesn't beep
> anymore when booting up, I believe it doesn't get to that point.
>
>
>
> Interestingly enough I was able to get 2.4 loaded on an older dell optiplex
> 780 with 3 nics to replace it just fine.
>
>
>
> This is not intended to bash pfSense, I like it so much that I do
> contribute monetarily. This is meant to be nothing more than a public
> service announcement for others with this platform. Maybe it was just time
> for mine to die and it potentially has nothing to do with pfSense.
>


Re: [pfSense] Multiple OpenVPNs (site to site) to one head end

2017-11-22 Thread Eero Volotinen
Take a look at this how-to:

https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

Adding a site is simple, just replicate site A with different lan addressing.

Eero

2017-11-23 8:19 GMT+02:00 Eero Volotinen <eero.voloti...@iki.fi>:

> Hi Ryan,
>
> Ipsec is the way you want to go. We have multiple sites connecting to our HQ
> running sg-8860 with a similar setup.
>
> Please note that you need different ip ranges on each site (for example
> site1: 192.168.2.0/24, site2: 192.168.3.0/24 and the hq site with
> 192.168.4.0/24).
>
> --
> Eero
>
> 2017-11-22 19:34 GMT+02:00 Ryan Coleman <ryan.cole...@cwis.biz>:
>
>> I want to pass the entire traffic from a few locations through one master.
>>
>> I have one site working. But when I try to connect the second site it
>> kills the first.
>>
>> I have IPSec for some basic network connections as a backup for the
>> moment that allows me to get to customer servers but I want to run all my
>> traffic because… Comcast.
>>
>> I have Gig Fiber at the headend, bandwidth is not an issue.
>>
>> Does anyone have a tried/tested example of getting either OpenVPN full
>> tunnel working on a (multiple sites)-to-(one site) or an IPSec
>> configuration example that would allow for 100% routing?
>>
>> My guinea pig is my home network. I have one customer that is also on
>> Comcast that is using the full site-to-site tunnel and I cannot afford to
>> drop during store hours.
>>
>> Thanks!
>>
>> —
>> Ryan

Re: [pfSense] Multiple OpenVPNs (site to site) to one head end

2017-11-22 Thread Eero Volotinen
Hi Ryan,

Ipsec is the way you want to go. We have multiple sites connecting to our HQ
running sg-8860 with a similar setup.

Please note that you need different ip ranges on each site (for example
site1: 192.168.2.0/24, site2: 192.168.3.0/24 and the hq site with
192.168.4.0/24).

--
Eero

2017-11-22 19:34 GMT+02:00 Ryan Coleman :

> I want to pass the entire traffic from a few locations through one master.
>
> I have one site working. But when I try to connect the second site it
> kills the first.
>
> I have IPSec for some basic network connections as a backup for the moment
> that allows me to get to customer servers but I want to run all my traffic
> because… Comcast.
>
> I have Gig Fiber at the headend, bandwidth is not an issue.
>
> Does anyone have a tried/tested example of getting either OpenVPN full
> tunnel working on a (multiple sites)-to-(one site) or an IPSec
> configuration example that would allow for 100% routing?
>
> My guinea pig is my home network. I have one customer that is also on
> Comcast that is using the full site-to-site tunnel and I cannot afford to
> drop during store hours.
>
> Thanks!
>
> —
> Ryan

Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Eero Volotinen
Finally got it working on the WAN side of the firewall, by just enabling this
checkbox:

Request a IPv6 prefix/information through the IPv4 connectivity link

Still need some work on the lan side, because I am a bit lost with it.

--
Eero

2017-11-21 20:46 GMT+02:00 Steve Yates <st...@teamits.com>:

> Ah yes, System/Advanced/Networking, Allow IPv6.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
> Sent: Tuesday, November 21, 2017 12:42 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense ipv6 not working
>
> You also need to enable it in the Settings. Tick the IPv6 box.
>
> On 21.11.17, 19:38, "List on behalf of Steve Yates" <
> list-boun...@lists.pfsense.org on behalf of st...@teamits.com> wrote:
>
> Starting at the top level, do you have a firewall rule allowing ICMP
> for IPv6?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Monday, November 20, 2017 1:01 PM
> To: pfSense Support and Discussion Mailing List <
> list@lists.pfsense.org>
> Subject: [pfSense] pfsense ipv6 not working
>
> Hi List,
>
> Running ipv6 with dhcpv6 from the isp and it works on my laptop without
> pfsense, but from the pfsense shell I cannot even ping other network
> addresses than the gw:
>
> ping6 fe80::208:20ff:fe4e:1c1b
>
> PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
> 16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
> 16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
> 16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms
>
> and when trying to ping google:
>
> ping6 2a00:1450:4001:820::200e
>
> PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
> ^C
> --- 2a00:1450:4001:820::200e ping6 statistics ---
> 7 packets transmitted, 0 packets received, 100.0% packet loss
>
> Wan configuration is using DHCPv6
>


[pfSense] pfsense ipv6 not working

2017-11-20 Thread Eero Volotinen
Hi List,

Running ipv6 with dhcpv6 from the isp and it works on my laptop without pfsense,
but from the pfsense shell I cannot even ping other network addresses than the gw:

ping6 fe80::208:20ff:fe4e:1c1b

PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms

and when trying to ping google:

ping6 2a00:1450:4001:820::200e

PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
^C
--- 2a00:1450:4001:820::200e ping6 statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss

Wan configuration is using DHCPv6

--
Eero


Re: [pfSense] Bug in loading configuration on device with different NICs

2017-10-24 Thread Eero Volotinen
Well. You cannot import a config to a different device without manually editing
the xml configuration.

Eero

2017-10-24 14:03 GMT+03:00 Adrian Zaugg :

>
> Hi
>
> When loading a configuration file from a different device (with other
> NICs) to a freshly installed pfSense, it correctly detects a mismatch of
> the network interfaces and redirects the user to the interface setup
> page. If there are VLANs defined in the loaded config, the VLANs are
> still bound to the non-existent NICs, thus the user has to open the VLAN
> assigning page and correct this. Pressing then on save, pfSense executes
> the change immediately, which under unlucky conditions leads to the loss of
> the connection to the admin interface of pfsense.
>
> In my opinion, if pfsense discovers a mismatch in interface assignment
> after restoring a configuration file, the changes made by the user to
> VLANs and interface assignment should not happen immediately. It should
> let the user finish all the reassignment work and then do the reboot of
> the device like it always does after restoring a config.
>
> How to reproduce:
> - do a fresh pfsense installation and boot, connect to the web-gui
> - instead of following the presented wizard, choose Diagnostics ->
> Backup/Restore from the menu
> - load a config using VLANs originating from a different device, which
> has other kinds of NICs built in (a different brand e.g.)
> - when presented with the interface assignment page, change to the VLAN
> page and reassign a VLAN to the inner interface
> - press save
>
>
> Regards, Adrian.


Re: [pfSense] problems with lagg interfaces?

2017-10-18 Thread Eero Volotinen
Hi,

Problem looks very similar, but I am using failover mode instead of lacp.

Need to buy support and create a ticket. Looks like the same feature works on
the 2.3.x series.

--
Eero

2017-10-17 23:51 GMT+03:00 Adam Thompson <athom...@athompso.net>:

> No, you misunderstood the last response.
> You have not provided enough information yet to determine what the problem
> is.
>
> Three things have been suggested:
> 1. It *might* be a bug *similar* to one someone else encountered using
> different hardware (which does not even exist on your firewall),
> 2. You could open a ticket with Netgate support,
> 3. You can try running tcpdump on the underlying interfaces to see what's
> happening there.
>
> If you don't know how to manually troubleshoot LACP issues or VLAN issues,
> I suggest you open that support ticket.
> If you are reasonably confident in your ability to troubleshoot one or the
> other, then go ahead and use tcpdump (with the -e option) to figure out
> which part is broken and why.
>
> Also:
>
> Since pfSense does not allow LAG creation from the command-line, building
> a one-armed router like this is a dangerous design unless you have a spare
> interface for management through the webui. I learned that the hard way :-/.
>
> -Adam
>
> On October 17, 2017 10:16:24 AM CDT, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>>
>> So sad. How to downgrade to 2.3?
>>
>>
>> Eero
>>
>> 2017-10-17 17:57 GMT+03:00 <rai...@ultra-secure.de>:
>>
>>> On 2017-10-17 16:54, Ivo Tonev wrote:
>>>
>>>> Even if your vlan doesn't come up, you can capture traffic on physical
>>>> interfaces with tcpdump.
>>>> See what you can capture before any other move.
>>>
>>>
>>>
>>>
>>> if the lagg(4) works while you run tcpdump(8), it's (most likely) a driver
>>> bug like bxe(4)
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213606
>>>
>>>
>>> IMHO.
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>


Re: [pfSense] problems with lagg interfaces?

2017-10-17 Thread Eero Volotinen
So sad. How to downgrade to 2.3?


Eero

2017-10-17 17:57 GMT+03:00 :

> On 2017-10-17 16:54, Ivo Tonev wrote:
>
>> Even if your VLAN doesn't come up, you can capture traffic on the physical
>> interfaces with tcpdump.
>> See what you can capture before any other move.
>>
>
>
> if the lagg(4) works while you run tcpdump(8), it's (most likely) a driver
> bug like bxe(4)
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213606
>
>
> IMHO.


Re: [pfSense] problems with lagg interfaces?

2017-10-17 Thread Eero Volotinen
So, you mean that it is not working?

Eero

2017-10-17 17:32 GMT+03:00 <rai...@ultra-secure.de>:

> On 2017-10-17 16:28, Eero Volotinen wrote:
>
>> It's netgate pfsense SG-4860 running 2.4 final release
>>
>
>
> So, these are Intel NICs?
>
> Can you look in freebsd-bugzilla if there are bugs open for this interface
> type and lagg(4)?
>
> I've had the same problem with bxe(4) (on FreeBSD).
>
> I had to switch to ix(4).
>
> Might be worth filing a ticket with netgate...
>
>


Re: [pfSense] problems with lagg interfaces?

2017-10-17 Thread Eero Volotinen
It's netgate pfsense SG-4860 running 2.4 final release

Eero

2017-10-17 17:23 GMT+03:00 <rai...@ultra-secure.de>:

> On 2017-10-17 15:36, Eero Volotinen wrote:
>
>> Hi All,
>>
>> Tried to configure a lagg0 interface with VLANs. Looks like traffic is not
>> passing on the interface.
>>
>> Any ideas? It works fine if I just configure the interface with a VLAN, but
>> not with the lagg interface.
>>
>> Setup is like this:
>>
>> -> lagg0 with two interfaces in failover mode and VLAN tagging on top of
>> that.
>> -> Both switches are configured to pass traffic with VLAN tags to the
>> firewall.
>>
>
>
>
> what NIC hardware is this?
>


[pfSense] problems with lagg interfaces?

2017-10-17 Thread Eero Volotinen
Hi All,

Tried to configure a lagg0 interface with VLANs. Looks like traffic is not
passing on the interface.

Any ideas? It works fine if I just configure the interface with a VLAN, but
not with the lagg interface.

Setup is like this:

-> lagg0 with two interfaces in failover mode and VLAN tagging on top of that.
-> Both switches are configured to pass traffic with VLAN tags to the firewall.

--
Eero


Re: [pfSense] pfsense 2.4rc wirespeed?

2017-09-03 Thread Eero Volotinen
Thanks for the information. I didn't know that about speedtest.

Tested with a laptop from the switch and now the speed looks cool:
http://beta.speedtest.net/result/6593218471

So, my hardware has enough power to process almost gigabit wirespeed :)

Eero

2017-09-03 14:20 GMT+03:00 Adam Thompson <athom...@athompso.net>:

> The speedtest server code is not optimized for high upload speed
> measurement. When running speedtest from a machine on the same subnet, in
> the same rack in the same data center as the speedtest server (I worked for
> an ISP) you will still get funny results. Or even two VMs running on the
> same hypervisor, more recently at a different ISP.
> Use iperf or something (anything!) better to make more accurate
> measurements before questioning pfSense, IMHO.
> -Adam
>
> On September 3, 2017 3:59:24 AM CDT, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
>> Hi,
>>
>> Is there any setting to optimize pfsense nat speed?
>>
>> Tried with speedtest and upload speed is a bit slow?
>>
>> Retrieving speedtest.net configuration...
>> Testing from Suomi Communications (77.246.193.181)...
>> Retrieving speedtest.net server list...
>> Selecting best server based on ping...
>> Hosted by Elisa Oyj (Helsinki) [9.91 km]: 3.648 ms
>> Testing download speed...
>> Download: 882.05 Mbit/s
>> Testing upload speed...
>> Upload: 249.09 Mbit/s
>>
>> Link is symmetric gigabit carrier grade line. Just wondering why upload
>> speed is so slow and download is much faster?
>>
>> --
>> Eero


Re: [pfSense] pfsense 2.4rc wirespeed?

2017-09-03 Thread Eero Volotinen
System is this:

https://www.amazon.com/gp/product/B016VHBA7C/ref=oh_aui_detailpage_o00_s00?ie=UTF8=1
http://www.supermicro.com/products/motherboard/Atom/X10/A1SRi-2558F.cfm

Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

If it can download at over 800 Mbit/s, why can't it upload at the same speed?
(tester is speedtest-cli)

Eero



2017-09-03 13:52 GMT+03:00 Alexandre Paradis <alexandre.para...@gmail.com>:

> it might be your desktop cpu that is too weak.
>
> not enough info here.
>
> On Sun, Sep 3, 2017 at 4:59 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > Hi,
> >
> > Is there any setting to optimize pfsense nat speed?
> >
> > Tried with speedtest and upload speed is a bit slow?
> >
> > Retrieving speedtest.net configuration...
> > Testing from Suomi Communications (77.246.193.181)...
> > Retrieving speedtest.net server list...
> > Selecting best server based on ping...
> > Hosted by Elisa Oyj (Helsinki) [9.91 km]: 3.648 ms
> > Testing download speed...
> > Download: 882.05 Mbit/s
> > Testing upload speed...
> > Upload: 249.09 Mbit/s
> >
> > Link is symmetric gigabit carrier grade line. Just wondering why upload
> > speed is so slow and download is much faster?
> >
> > --
> > Eero
> --
> Alexandre

[pfSense] pfsense 2.4rc wirespeed?

2017-09-03 Thread Eero Volotinen
Hi,

Is there any setting to optimize pfsense nat speed?

Tried with speedtest and upload speed is a bit slow?

Retrieving speedtest.net configuration...
Testing from Suomi Communications (77.246.193.181)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Elisa Oyj (Helsinki) [9.91 km]: 3.648 ms
Testing download speed...
Download: 882.05 Mbit/s
Testing upload speed...
Upload: 249.09 Mbit/s

Link is symmetric gigabit carrier grade line. Just wondering why upload
speed is so slow and download is much faster?

--
Eero


Re: [pfSense] Migration from an old linux firewall

2017-03-30 Thread Eero Volotinen
ok. that sounds really bad: http://dilbert.com/strip/1998-08-24

Eero

On 30 Mar 2017 at 5:40 p.m., "Claudio M." wrote:

> On Wednesday 29 March 2017 at 10:13:36, WebDawg wrote:
> > You can do two different subnets on one network, but it is not the way to
> > do things.  Everyone can imagine the issues but it would also be
> completely
> > insecure.
>
> Unfortunately I cannot change the network; I am a consultant who handles
> only the firewall. I know that this solution is not safe, but the customer
> does not want to change this configuration because another external
> company that manages the internal servers wants it that way.
> We manage the firewalls, so we have to solve this situation.
> Now I'll try to use an internal Linux server as a gateway that forwards all
> packets for 10.7.13.0/24, creating a routing rule so I can use the rules
> explained on the pfSense site.

Re: [pfSense] Migration from an old linux firewall

2017-03-29 Thread Eero Volotinen
How about using vlan tagging?

Eero

2017-03-29 13:55 GMT+03:00 Claudio M. :

> Hi
> I've migrated a Linux firewall to a 2.3.3-RELEASE-p1 pfSense.
> The old configuration had 2 interfaces connected to ADSL routers and an
> interface for the LAN. A GRE VPN was also configured with an alias IP on
> this LAN network, so two networks coexisted on the same LAN:
> 192.168.1.0/24
> 10.7.13.0/24
> where the first was for all desktop clients and the second for the
> servers. A server has an interface on the LAN with IP 10.7.13.1 and an
> alias on the same interface with 192.168.1.6.
> When a client connects to this server, it sends packets to the firewall
> and the firewall resends them to the destination server. The server
> receives these packets and replies using the same interface, but contacts
> the client directly with the IP on the same net. Before, with Linux, this
> was not a problem, but with pfSense, a stateful firewall, this is no
> longer possible. Now I have asymmetric routing without routing, so I
> cannot use the tips present at this page:
> https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
>
> How can I do this?
>
> Best regards
> Claudio M.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Eero Volotinen
http/https, vpn, torrent and 4k streaming :)

On 28 Mar 2017 at 7:50 p.m., "Matthew Hall" <mh...@mhcomputing.net> wrote:

> On Tue, Mar 28, 2017 at 09:59:05AM +0300, Eero Volotinen wrote:
> > Hi List,
> >
> > Looking for pfsense hardware that can handle 1000M/1000M internet
> > connection with NAT.
> >
> > Any recommendations? It must be silent..
> >
> > --
> > Eero
>
> This model can do gigabit with line-rate 64-byte packets:
>
> https://store.pfsense.org/SG-2440/
>
> If you don't need line-rate it's possible with some other units.
>
> Can you provide more specifics on the traffic mix?
>
> Matthew.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Eero Volotinen
Well, I don't know PPS values :) This is just a home gigabit connection for
surfing/movies/4K streaming :)

Eero

2017-03-28 15:13 GMT+03:00 Vick Khera <vi...@khera.org>:

> On Tue, Mar 28, 2017 at 2:59 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > Looking for pfsense hardware that can handle 1000M/1000M internet
> > connection with NAT.
> >
>
> I would recommend at least a Xeon processor base system for that traffic.
> Really, the limit is PPS; do you know what that would be? Any system using
> a Xeon will not be silent. I use a pair of high end custom-built boxes at
> my data center, and they can push this kind of traffic, though my usual
> sustained is only in the 200Mbps range.
>
> The only silent systems I have are based on the Atom C2758 processor, and I
> do not think those will handle a full gigabit connection at full speed.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Eero Volotinen
Yes, but there are no specifications saying which hardware can do 1000M/1000M
wirespeed NAT.

Eero

2017-03-28 10:40 GMT+03:00 Ian Jacobs <i...@jtsav.com>:

> Hello Eero,
>
> Have you had a look at the Netgate products, pfSense's partners?
>
> https://pfsense.org/products/
>
> I have an SG-2220, which is silent and adequate for most needs.  Most are
> silent/fanless!
>
> Regards,
>
> Ian Jacobs
>
>
> > On 28 Mar 2017, at 07:59, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> >
> > Hi List,
> >
> > Looking for pfsense hardware that can handle 1000M/1000M internet
> > connection with NAT.
> >
> > Any recommendations? It must be silent..
> >
> > --
> > Eero


[pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Eero Volotinen
Hi List,

Looking for pfsense hardware that can handle 1000M/1000M internet
connection with NAT.

Any recommendations? It must be silent..

--
Eero


Re: [pfSense] SIP through IKEv2-tunnel

2017-03-20 Thread Eero Volotinen
maybe you need something like this
https://doc.pfsense.org/index.php/Siproxd_package

Eero

On 20 Mar 2017 at 11:56 a.m., "Martin Fuchs" wrote:

> Hi !
>
> I have a Fritz!Box (router) connected to the internet (no other
> possibility).
>
> In it I have NATted ESP, GRE, 4500, 500, 1701, ... to a pfSense VM.
>
> This pfSense VM just operates as a VPN-Gateway.
>
> I have set up the routes in the Fritz!Box for the dial-in networks to the
> pfSense.
>
>
> I can connect via IKEv2 and browse internet services.
>
> I have a Fritz!App (SIP-Client) on my phone.
>
> This app connects to the Fritz!Box (which provides a SIP-connection)
> successfully.
>
>
> When I try to make a call, the other phone rings BUT no party can hear
> the other.
>
>
> It seems to me like a RTP-issue.
>
>
> On the pfSense i have Advanced Outbound NAT configured with no NAT-Rules.
>
> The firewall-rules allow IPSec to LAN (any service).
>
> I'm running pfSense 2.3.3p1 with one interface.
>
>
> Does anyone have any idea or some hint for me ?
>
>
> regards,
>
> martin


Re: [pfSense] pfsense upgrade problems?

2017-02-22 Thread Eero Volotinen
for some reason my pfsense crashed & corrupted fs during upgrade :(

Eero

On 23 Feb 2017 at 2:57 a.m., "Dave Warren" <da...@hireahit.com> wrote:

> On Wed, Feb 22, 2017, at 10:23, Eero Volotinen wrote:
> > The process will require 14 MiB more space.
> >
> > 73 MiB to be downloaded.
> >
> > Fetching php56-5.6.30.txz: .. done
> >
> > pkg: php56-5.6.30 failed checksum from repository
> >
> > something wrong with the packages?
>
> I upgraded a couple pfSense boxes without difficulty, including one
> virtual test server a few hours ago.
>


[pfSense] pfsense upgrade problems?

2017-02-22 Thread Eero Volotinen
The process will require 14 MiB more space.

73 MiB to be downloaded.

Fetching php56-5.6.30.txz: .. done

pkg: php56-5.6.30 failed checksum from repository


something wrong with the packages?


--

Eero


Re: [pfSense] Fake OpenVPN / IPSec IP

2017-02-04 Thread Eero Volotinen
It depends on the IPsec configuration.

Eero

On 4 Feb 2017 at 12:16 p.m., "Chris" wrote:

> WebDawg wrote:
> > On Sun, Jan 15, 2017 at 7:57 AM, Chris  wrote:
> >
> >> is a client able to change his assigned OpenVPN or IPSec IP?
> >>
> >> Are packets still routed to him, if he chooses an arbitrary address?
> >>
>
>
> Thank you! Exactly what I was looking for.
>
> Does anyone happen to know if it's the same in IPSec?
>
> - Chris


Re: [pfSense] IPSec Bug?

2017-02-03 Thread Eero Volotinen
how about disabling pfs?

Eero

2017-02-03 13:25 GMT+02:00 Roland Giesler <roland@greentree.systems>:

> On Fri, Feb 3, 2017 at 1:19 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
>> It's a bit of an antique selection of ciphers.
>>
>
> It is indeed.  We were experimenting for a long time with many others and
> got similar results (no matches).  So I opted to check what pfSense offers
> and set Sonicwall to ask for that, but Sonicwall can't do MODP_3072,
> which is the only combination of what pfSense offers and what Sonicwall
> supports.
>
> We gave up in the end and opted to use SSH tunnels to work through, rather
> than set up a VPN.  In the end we may have to set up OpenVPN with mobile
> clients rather than site-to-site...  :-(  Not what we had in mind.
>
> Roland
>
>
>>
>> Problem is in DH group. try enabling same DH also in pfsense.
>>
>> --
>> Eero
>>
>> 2017-02-03 13:17 GMT+02:00 Roland Giesler <roland@greentree.systems>:
>>
>>> On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen <eero.voloti...@iki.fi>
>>> wrote:
>>>
>>>> What hardware is other side running? Why you are trying to use 3des?
>>>>
>>>
>>> The other side is Sonicwall.  I'm using 3DES because it's enabled by
>>> default and seeming a simple place to start.
>>>
>>> However, regardless of what I select (by ticking the boxes - not very
>>> difficult), that is then not offered.  So if I select 3DES, it is not
>>> offered.  If I select SHA256 it's not offered, and so on.
>>>
>>> Roland
>>>
>>>
>>>
>>>>
>>>> Eero
>>>>
>>>> 2017-01-17 16:36 GMT+02:00 Roland Giesler <rol...@thegreentree.za.net>:
>>>>
>>>>> We've battled all afternoon to establish an IPSec site-to-site
>>>>> connection.
>>>>> Here's what happens:
>>>>>
>>>>> Time  Process  PID  Message
>>>>> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
>>>>> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request 2809641300 [ N(NO_PROP) ]
>>>>> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
>>>>> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals:
>>>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
>>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
>>>>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
>>>>> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>>>> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a Aggressive Mode IKE_SA
>>>>>
>>>>> The strange thing is that I have set 3DES and SHA1 in my setup, yet it
>>>>> is not being offered.  I have also tested quite a few others like AES 256
>>>>> and SHA2, but they are also not offered.  The other side (SonicWall) is
>>>>> offering what we set mutually.
>>>>>
>>>>> Is this a bug?  If not, how do I force pfSense to behave and start
>>>>> using the settings I set.
>>>>>
>>>>> IPSec IKE V2 with pre-shared key.
>>>>>
>>>>> I'm running 2.3.2_1
>>>>>
>>>>> Anyone that has seen this?
>>>>>
>>>>> regards
>>>>>
>>>>>
>>>>> Roland Giesler


Re: [pfSense] IPSec Bug?

2017-02-03 Thread Eero Volotinen
It's a bit of an antique selection of ciphers.

Problem is in DH group. try enabling same DH also in pfsense.

--
Eero

2017-02-03 13:17 GMT+02:00 Roland Giesler <roland@greentree.systems>:

> On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
>> What hardware is other side running? Why you are trying to use 3des?
>>
>
> The other side is Sonicwall.  I'm using 3DES because it's enabled by
> default and seeming a simple place to start.
>
> However, regardless of what I select (by ticking the boxes - not very
> difficult), that is then not offered.  So if I select 3DES, it is not
> offered.  If I select SHA256 it's not offered, and so on.
>
> Roland
>
>
>
>>
>> Eero
>>
>> 2017-01-17 16:36 GMT+02:00 Roland Giesler <rol...@thegreentree.za.net>:
>>
>>> We've battled all afternoon to establish an IPSec site-to-site
>>> connection.
>>> Here's what happens:
>>>
>>> Time  Process  PID  Message
>>> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
>>> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request 2809641300 [ N(NO_PROP) ]
>>> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
>>> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals:
>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
>>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
>>> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a Aggressive Mode IKE_SA
>>>
>>> The strange thing is that I have set 3DES and SHA1 in my setup, yet it
>>> is not being offered.  I have also tested quite a few others like AES 256
>>> and SHA2, but they are also not offered.  The other side (SonicWall) is
>>> offering what we set mutually.
>>>
>>> Is this a bug?  If not, how do I force pfSense to behave and start using
>>> the settings I set.
>>>
>>> IPSec IKE V2 with pre-shared key.
>>>
>>> I'm running 2.3.2_1
>>>
>>> Anyone that has seen this?
>>>
>>> regards
>>>
>>>
>>> Roland Giesler
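Eero's diagnosis above (the DH group) can be read straight from the two charon lines Roland quoted: the peer offers 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, and MODP_1536 appears in none of the configured proposals while the other three transforms do. As an added example, not from the thread, from strongSwan or from pfSense, here is a Python helper that parses strongSwan's `configured proposals:` / `received proposals:` log lines and reports, per received proposal, which transform class no configured proposal can satisfy. The two log lines are constructed from the quoted log and shortened (the real configured list is much longer); real lines must be fed unwrapped, the way charon writes them, not as the mail client wrapped them. Note also that the quoted log shows the SonicWall initiating an IKEv1 Aggressive Mode IKE_SA (INFORMATIONAL_V1, "Aggressive Mode IKE_SA") while the pfSense side is described as IKEv2; that is a second mismatch a proposal check cannot see.

```python
import re

# Constructed from the charon lines quoted in this thread, shortened so the
# example stays readable (the real configured list is much longer). Feed real
# log lines unwrapped, exactly as charon writes them.
CONFIGURED_LINE = (
    "Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, "
    "IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/"
    "PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_3072/MODP_2048/MODP_1024"
)
RECEIVED_LINE = (
    "Jan 17 15:58:53 charon 05[CFG] <197> received proposals: "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536"
)

PROPOSALS_RE = re.compile(r"(configured|received) proposals: (?P<body>.*)$")


def transform_class(name):
    """Bucket a strongSwan algorithm name by the transform type it negotiates."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"  # AES_CBC_*, AES_GCM_*, CAMELLIA_*, 3DES_CBC, CHACHA20_POLY1305, ...


def parse_proposals(line):
    """Return [(protocol, {class: {algorithms}}), ...] for one charon proposals line."""
    m = PROPOSALS_RE.search(line)
    if not m:
        raise ValueError("not a strongSwan proposals line: %r" % line)
    proposals = []
    for chunk in m.group("body").split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        proto, _, algs = chunk.partition(":")
        grouped = {}
        for alg in algs.split("/"):
            grouped.setdefault(transform_class(alg), set()).add(alg)
        proposals.append((proto, grouped))
    return proposals


def missing_transforms(configured, received):
    """Explain why one received proposal did not match.

    A proposal matches when, for every transform class the peer sent, at least
    one of its algorithms is also in the same configured proposal. Returns {}
    on a match; otherwise the per-class algorithms that the closest configured
    proposal lacks, e.g. {"dh": {"MODP_1536"}}."""
    proto, wanted = received
    best = None
    for conf_proto, offered in configured:
        if conf_proto != proto:
            continue
        gaps = {cls: algs for cls, algs in wanted.items() if not algs & offered.get(cls, set())}
        if not gaps:
            return {}
        if best is None or len(gaps) < len(best):
            best = gaps
    return best if best is not None else dict(wanted)


def explain(configured_line, received_line):
    """One result per received proposal: {} if it matches, else the missing transforms."""
    configured = parse_proposals(configured_line)
    return [missing_transforms(configured, r) for r in parse_proposals(received_line)]


if __name__ == "__main__":
    for gaps in explain(CONFIGURED_LINE, RECEIVED_LINE):
        if not gaps:
            print("proposal matches")
        for cls, algs in gaps.items():
            print("peer wants %s %s, not offered by any configured proposal" % (cls, sorted(algs)))
```

Run against the real log, the script prints that the peer wants dh ['MODP_1536']; adding DH group 5 (MODP_1536) to the phase 1 proposal on the pfSense side, or a stronger group on the SonicWall side, is what resolves the "no proposal found". Whether to accept 3DES/SHA1/MODP_1536 at all is a separate question: that combination is what the Sonicwall insists on, and as Eero notes it is antique.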


Re: [pfSense] IPSec Bug?

2017-01-24 Thread Eero Volotinen
What hardware is other side running? Why you are trying to use 3des?

Eero

2017-01-17 16:36 GMT+02:00 Roland Giesler :

> We've battled all afternoon to establish an IPSec site-to-site connection.
> Here's what happens:
>
> Time  Process  PID  Message
> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request 2809641300 [ N(NO_PROP) ]
> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a Aggressive Mode IKE_SA
>
> The strange thing is that I have set 3DES and SHA1 in my setup, yet it
> is not being offered.  I have also tested quite a few others like AES 256
> and SHA2, but they are also not offered.  The other side (SonicWall) is
> offering what we set mutually.
>
> Is this a bug?  If not, how do I force pfSense to behave and start using
> the settings I set.
>
> IPSec IKE V2 with pre-shared key.
>
> I'm running 2.3.2_1
>
> Anyone that has seen this?
>
> regards
>
>
> Roland Giesler


Re: [pfSense] Two factor Authentication

2016-12-08 Thread Eero Volotinen
Just configure radius with two factor authentication and point
authentication server to it:

sample how to configure two factor radius under linux:

http://www.supertechguy.com/help/security/freeradius-google-auth

I am using it with minor modifications for vpn and console+gui
authentication..

--
Eero



2016-12-08 17:04 GMT+02:00 RB :

> On Thu, Dec 8, 2016 at 2:33 AM, user49b  wrote:
> > Any ideas on how to get two-factor authentication to work in the console
> > and/or GUI?
>
> Should be pretty simple.  Point the system to third-party
> authentication (say, AD).  Configure that third-party option to use
> 2-factor.  Enter your username, password, a separator (usually comma)
> and your token value.  Done.  No need for three fields.
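The FreeRADIUS + google-authenticator setup Eero links works because the user types password and TOTP code into the one password field that pfSense sends over RADIUS, and the server splits them: either with a separator, as RB describes, or in the PAM module's forward_pass style of appending the six digits to the password. As an added example, not from that guide, from FreeRADIUS or from pfSense, here is the TOTP arithmetic and the split written out in Python and checked against the RFC 4226/6238 test secret; the function names and the `hunter2` password are this example's own.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); used here only
# so the results can be checked against the RFCs' published vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def split_credential(submitted, digits=6):
    """Split the single RADIUS password field into (password, otp).

    Two conventions appear in this thread: a separator ("hunter2,287082") and
    the google-authenticator forward_pass style ("hunter2287082"). The separator
    form is unambiguous; the appended form assumes the OTP is always present."""
    if "," in submitted:
        password, _, otp = submitted.rpartition(",")
        return password, otp
    if len(submitted) > digits and submitted[-digits:].isdigit():
        return submitted[:-digits], submitted[-digits:]
    return submitted, ""


def verify(submitted, expected_password, secret, at=None, window=1, step=30, digits=6):
    """Accept the credential if the password matches and the OTP is valid for the
    current time step or one of `window` adjacent steps (tolerates clock drift).
    Both comparisons are constant-time."""
    password, otp = split_credential(submitted, digits)
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False
    if len(otp) != digits:
        return False
    at = time.time() if at is None else at
    base = int(at // step)
    return any(hmac.compare_digest(hotp(secret, base + d, digits), otp)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the SHA-1 TOTP is 94287082, i.e. 287082 with 6 digits.
    print("TOTP at T=59:", totp(TEST_SECRET, at=59))
    print("accepted:", verify("hunter2,287082", "hunter2", TEST_SECRET, at=59))
    print("rejected:", verify("hunter2,000000", "hunter2", TEST_SECRET, at=59))
```

A real server must also remember the last accepted time step per user and refuse codes at or below it; otherwise a code captured in transit can be replayed within the drift window. Since RADIUS PAP only obfuscates the User-Password attribute with MD5 and the shared secret, keep the pfSense-to-RADIUS path on a trusted network or inside IPsec, and use a long random shared secret.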


Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread Eero Volotinen
I think it is possible to use a lagg interface as a workaround for the
interface naming?

Eero

2016-11-16 7:14 GMT+02:00 Chris L <c...@viptalk.net>:

> > On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi>
> > wrote:
> >
> > same ports? You mean the same port assignment, and the NIC can be a
> > different type?
> >
> > eero
>
> No.
>
> Hardware should be as identical as possible. 100% identical is best. If
> LAN is em0 on one side, it must be em0 on the other.
>
>
> >
> > 15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:
> >
> >>Any hardware should work fine.  They recommend a separate
> NIC/port
> >> for the sync traffic since if syncing states there can be a lot of
> traffic
> >> (if not syncing state there is probably very little).  I don't think it
> >> needs to be identical hardware but the rules would need to copy over so
> it
> >> would need the same ports.
> >>
> >>One gotcha that caught me...under "System/High Availability
> >> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
> >> "Remote System Username" field.  That field is ignored, and "admin" is
> >> always used.
> >>
> >> --
> >>
> >> Steve Yates
> >> ITS, Inc.
> >>
> >> -----Original Message-----
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Tuesday, November 15, 2016 2:20 PM
> >> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
> >
> >> Subject: [pfSense] pfsense + carp + ha
> >>
> >> Hi List,
> >>
> >> What are the requirements for pfSense HA clustering? Does any x86
> hardware
> >> work with HA? Does the hardware need to be identical?
> >>
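Chris L's point that the NIC names must line up (if LAN is em0 on one node it must be em0 on the other) is worth checking before XMLRPC sync is switched on, since synced rules reference interfaces by those assignments. As an added example, not from this thread or from pfSense itself, here is a Python check that compares the interface assignments of two nodes' config.xml files. It relies on the config.xml layout in which each logical interface under `<interfaces>` (wan, lan, opt1, ...) carries an `<if>` element naming the physical NIC; the two excerpts are constructed, and `assignments` and `mismatches` are my names.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed excerpts of the <interfaces> section of two nodes' config.xml.
# The real file carries far more (addresses, rules, ...); only the assignment
# mapping matters for this check.
PRIMARY_CONFIG = """<pfsense><interfaces>
  <wan><if>em0</if><descr>WAN</descr></wan>
  <lan><if>em1</if><descr>LAN</descr></lan>
  <opt1><if>em2</if><descr>SYNC</descr></opt1>
</interfaces></pfsense>"""

# The secondary node was built on a box whose LAN port is an igb NIC.
SECONDARY_CONFIG = """<pfsense><interfaces>
  <wan><if>em0</if><descr>WAN</descr></wan>
  <lan><if>igb0</if><descr>LAN</descr></lan>
  <opt1><if>em2</if><descr>SYNC</descr></opt1>
</interfaces></pfsense>"""


def assignments(config_xml: str) -> Dict[str, str]:
    """Map each logical pfSense interface (wan/lan/optN) to its physical NIC name."""
    root = ET.fromstring(config_xml)
    interfaces = root.find("interfaces")
    result: Dict[str, str] = {}
    if interfaces is None:
        return result
    for iface in interfaces:
        nic = iface.findtext("if")
        if nic:
            result[iface.tag] = nic.strip()
    return result


def mismatches(primary_xml: str, secondary_xml: str) -> List[Tuple[str, str, str]]:
    """Return (logical, primary_nic, secondary_nic) for every interface whose
    NIC name differs, or is present on only one node. Empty list means the two
    nodes are safe to pair as far as interface naming goes."""
    a, b = assignments(primary_xml), assignments(secondary_xml)
    out = []
    for logical in sorted(set(a) | set(b)):
        if a.get(logical) != b.get(logical):
            out.append((logical, a.get(logical, "<missing>"), b.get(logical, "<missing>")))
    return out


if __name__ == "__main__":
    for logical, p, s in mismatches(PRIMARY_CONFIG, SECONDARY_CONFIG):
        print(f"{logical}: primary={p} secondary={s}")   # lan: primary=em1 secondary=igb0
```

On a live pair you would feed it the two backed-up config.xml files (Diagnostics / Backup & Restore). A non-empty result is exactly the situation Chris L warns about; renaming through a lagg, as suggested above, is one way to make the two mappings agree.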


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Eero Volotinen
OK. Does it also sync all settings, like IPsec and OpenVPN keys?

Eero

16.11.2016 7.14 ap. "Chris L" <c...@viptalk.net> kirjoitti:

> > On Nov 15, 2016, at 1:50 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
> >
> > same ports? you mean the same port assignment and the NIC can be a different
> type?
> >
> > eero
>
> No.
>
> Hardware should be as identical as possible. 100% identical is best. If
> LAN is em0 on one side, it must be em0 on the other.
>
>
> >
> > 15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:
> >
> >>Any hardware should work fine.  They recommend a separate
> NIC/port
> >> for the sync traffic since if syncing states there can be a lot of
> traffic
> >> (if not syncing state there is probably very little).  I don't think it
> >> needs to be identical hardware but the rules would need to copy over so
> it
> >> would need the same ports.
> >>
> >>One gotcha that caught me...under "System/High Availability
> >> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
> >> "Remote System Username" field.  That field is ignored, and "admin" is
> >> always used.
> >>
> >> --
> >>
> >> Steve Yates
> >> ITS, Inc.
> >>
> >> -----Original Message-----
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> >> Volotinen
> >> Sent: Tuesday, November 15, 2016 2:20 PM
> >> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
> >
> >> Subject: [pfSense] pfsense + carp + ha
> >>
> >> Hi List,
> >>
> >> What are the requirements for pfSense HA clustering? Does any x86
> hardware
> >> work with HA? Does the hardware need to be identical?
> >>


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Eero Volotinen
same ports? you mean the same port assignment and the NIC can be a different type?

eero

15.11.2016 11.36 ip. "Steve Yates" <st...@teamits.com> kirjoitti:

> Any hardware should work fine.  They recommend a separate NIC/port
> for the sync traffic since if syncing states there can be a lot of traffic
> (if not syncing state there is probably very little).  I don't think it
> needs to be identical hardware but the rules would need to copy over so it
> would need the same ports.
>
> One gotcha that caught me...under "System/High Availability
> Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a
> "Remote System Username" field.  That field is ignored, and "admin" is
> always used.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Tuesday, November 15, 2016 2:20 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] pfsense + carp + ha
>
> Hi List,
>
> What are the requirements for pfSense HA clustering? Does any x86 hardware
> work with HA? Does the hardware need to be identical?
>


[pfSense] pfsense + carp + ha

2016-11-15 Thread Eero Volotinen
Hi List,

What are the requirements for pfSense HA clustering? Does any x86 hardware
work with HA? Does the hardware need to be identical?

--
Eero


[pfSense] pfsense: how to route all traffic via ipsec?

2016-11-08 Thread Eero Volotinen
How do I configure this kind of setup on pfSense?

Eero


Re: [pfSense] pfsense 2.3.x 32bit?

2016-11-03 Thread Eero Volotinen
Fixed the problems by reinstalling the whole system with the 2.3 release.

eero

2.11.2016 8.51 ip. "Eero Volotinen" <eero.voloti...@iki.fi> kirjoitti:

> NanoBSD on a 2GB CF card.
>
> Eero
>
> 2016-11-02 20:18 GMT+02:00 Renato Botelho <ga...@freebsd.org>:
>
>> On 2 Nov 2016, at 15:40, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>>
>> Well, it just doesn't find any updates (from the console or from the web GUI).
>>
>>
>> What is your platform? Full install or NanoBSD? If it's NanoBSD, which
>> size?
>>
>> --
>> Renato Botelho
>>
>>
>