Re: [pfSense] DNS over TLS config for pfSense 2.2.6
Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any queries returned no records.

On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:
> Wild guess, but did you try it in 2.4.x?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List On Behalf Of Bryan D.
> Sent: Wednesday, April 4, 2018 8:01 PM
> To: pfSense Support and Discussion Mailing List
> Subject: [pfSense] DNS over TLS config for pfSense 2.2.6
>
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver
> configuration in pfSense 2.2.6 does not work, with logs indicating that
> "forward-ssl-upstream" is invalid.
>
> I tried various incantations using "server:ssl-upstream: yes"
> with and without "ssl-port: 853" and, although the unbound service would
> then run, a DNS/host query always indicated that no hosts were found.
>
> Does anyone know a configuration that will work with pfSense 2.2.6?

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
Yeah, I ran into this as well. It just caused me to not be able to resolve anything :(

On Thu, 5 Apr 2018, at 11:01 AM, Bryan D. wrote:
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver
> configuration in pfSense 2.2.6 does not work, with logs indicating that
> "forward-ssl-upstream" is invalid.
>
> I tried various incantations using "server:ssl-upstream: yes"
> with and without "ssl-port: 853" and, although the unbound service would
> then run, a DNS/host query always indicated that no hosts were found.
>
> Does anyone know a configuration that will work with pfSense 2.2.6?
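The symptom in this thread (unbound starts, but every lookup comes back empty) is hard to diagnose from the resolver side alone, because a TLS handshake failure, a SERVFAIL, and a NOERROR answer with zero records all look like "no hosts found" to the client. The probe below is an added example, not code from the thread, from pfSense or from unbound: it speaks DNS over TLS on port 853 the way unbound's forward-ssl-upstream does (RFC 7858 framing, i.e. TCP-style two-byte length prefix inside TLS) and reports which of those three cases the upstream is in. The server address and TLS name in the main block are placeholders.

```python
# Added example (not from the thread, pfSense or unbound): a small DNS-over-TLS
# probe that tells a TLS failure apart from an upstream that answers but
# returns no records.
import socket
import ssl
import struct
from typing import Optional, Tuple

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode one standard query (RD=1, one question, class IN; qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(msg: bytes) -> Tuple[int, int, int]:
    """Return (txid, rcode, answer_count) from a DNS response header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than a header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return txid, flags & 0x000F, an


def summarize(rcode: int, answers: int) -> str:
    """Turn header fields into the verdict an operator wants to see."""
    name = RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    if rcode != 0:
        return f"upstream answered with {name}"
    if answers == 0:
        return "upstream answered NOERROR but returned no records"
    return f"ok: {answers} record(s)"


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes or fail; TLS records do not preserve message bounds."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS peer closed before the full message arrived")
        buf += chunk
    return buf


def dot_query(server: str, qname: str, port: int = 853,
              server_name: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Send one query over TLS (RFC 7858: TCP framing with a 2-byte length)."""
    ctx = ssl.create_default_context()  # verifies the chain and the name/IP
    query = build_query(qname)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
            tls_version = tls.version()
    txid, rcode, answers = parse_response(reply)
    if txid != 0x1234:
        raise ValueError("transaction id mismatch")
    return {"tls": tls_version, "rcode": rcode, "answers": answers,
            "verdict": summarize(rcode, answers)}


if __name__ == "__main__":
    # Placeholder resolver address and certificate name; substitute your own
    # DoT forwarder (the one configured under forward-addr in unbound).
    print(dot_query("192.0.2.53", "example.com", server_name="dot.example.net"))
```

A handshake or certificate error raises from `wrap_socket` before any DNS bytes are sent, which is the case to suspect when the forwarder entry is right but the resolver logs show nothing useful; a `SERVFAIL` or an empty `NOERROR` means TLS is fine and the problem is in the forwarding configuration or the upstream itself.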
Re: [pfSense] Nat between vlans
Yılmaz,

Sorry, but why not attach the Airprint to both VLANs?

- Jim

Regards,
*James Ronald*
Drew Technologies, Inc.
3915 Research Park Dr Ste 10A
Ann Arbor, MI 48108
734-222-5228 x617
www.drewtech.com

On Fri, Mar 30, 2018 at 1:58 PM, Raphaël RIGNIER <r.rign...@leschartreux.net> wrote:
> On 30/03/2018 at 19:03, Yılmaz Bilgili wrote:
>> Thank you for your reply. Especially IOS devices can not find others if
>> they are not on the same subnet. This is why I want this way.
>
> Native Access is difficult, as Airprint uses Bonjour Protocol which works
> only on the same subnet.
> Bonjour is a Multicast protocol. You'll have to play with filter Rules with
> advanced "allow ip options" checked and set IGMP proxy correctly. I have
> never done this on pfsense.
>
> The only success I had with multicast routing is with a Linux box and pimd
> service. It works to deploy OS images via multicast between the server and
> desktop's subnets.
Re: [pfSense] Port forwards don't work on one machine
What is the default gateway of the destination (is there a route back to pfSense)?

- Jim

On Mon, Feb 12, 2018 at 1:46 PM, Marco wrote:
> On Mon, 12 Feb 2018 11:59:09 -0600
> Steven Spencer wrote:
>
>> On 02/12/2018 11:43 AM, Marco wrote:
>>> On Mon, 12 Feb 2018 10:21:08 -0600
>>> Steven Spencer wrote:
>>>
>>>> On 02/11/2018 03:29 PM, Marco wrote:
>>>>> On Sun, 11 Feb 2018 20:46:41 +
>>>>> "Joseph L. Casale" wrote:
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
>>>>>>> Sent: Sunday, February 11, 2018 1:43 PM
>>>>>>> To: pfSense Support and Discussion Mailing List
>>>>>>> Subject: Re: [pfSense] Port forwards don't work on one machine
>>>>>>>
>>>>>>> What interface is that taken on? Take one on the interface the
>>>>>>> destination server is connected to (WLAN?) and test again. While
>>>>>>> you're capturing also do another Diagnostics > Test Port from
>>>>>>> the local pfSense itself. Please include the capture of both
>>>>>>> events (from outside and using test port.)
>>>>>>>
>>>>>>> It looks like the server is not responding.
>>>>>>
>>>>>> I'd also suggest running a capture on the destination, if it's
>>>>>> actually receiving traffic and/or sending it elsewhere (routing
>>>>>> rule) this will provide some insight.
>>>>>
>>>>> I ran a wireshark on the destination and it received packets when
>>>>> "port testing" from the pfSense, but not when using external
>>>>> access (e.g. canyouseeme.org)
>>>>>
>>>>> Marco
>>>>
>>>> Marco,
>>>>
>>>> Just curious, but what is the target machine's OS?
>>>
>>> The actual server is FreeBSD, but I run the tests with a Linux
>>> laptop as the behaviour is the same.
>>>
>>> Marco
>>
>> I know you've stated that you have no firewall on these machines. So
>> iptables -L shows empty on the Linux laptop
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>> No selinux in play on the Linux laptop
>
> No selinux in use.
>
>> I looked at your screen shots and I can't see anything that leaps
>> out at me. We have a number of PfSense firewalls in use (15)
>> within our organization and I've used port forwarding on every one
>> of them and have never run into a problem-unless the receiving
>> machine refuses the connection.
>
> Same here. Not that I'm a network expert, but I've set up five
> pfSense installations and port forwarding has always been an easy
> task which worked by just configuring the NAT rule.
>
> If the receiving machine refuses the connection, I would not be able
> to successfully "port test" it from the pfSense box and I would see
> incoming packets with wireshark (I believe). Therefore, I suspect an
> issue with the port forwarding.
>
>> I've been bitten by selinux before and more recently, by firewalld.
>
> Not installed and (therefore I hope) not used.
>
> Thanks for the support and confirming that it's not something
> obvious. Will investigate later.
>
> Marco
[pfSense] Recipe to safely allow remote SIP phones to connect a local asterisk PBX?
Is anyone aware of a pfSense config/recipe to safely allow remote SIP phones to connect a local asterisk PBX?

Regards,
*James Ronald* <http://www.drewtech.com>
Re: [pfSense] Notification about soon-to-expire certificates
This would be useful. I've made a monitoring tool (still unofficial until I figure out how to get it in the proper package repo) here that I might play with and see if I can get an alert set up for this by simply loading the cert page and parsing the expire date.

http://www.reddit.com/r/PFSENSE/comments/2x7gni/monitoring_pfsense_with_monitmmonit/

Jim

On Fri, Jun 19, 2015 at 7:38 AM, Steve Yates <st...@teamits.com> wrote:
> Philipp Tölke wrote on Thu, Jun 18 2015 at 9:19 am:
>> Is there a way for pfSense to warn us by email if a certificate will expire soon so that we can replace them before it's too late?
>
> Our ticketing software tracks items like that and creates a ticket for renewal. Perhaps a recurring appointment in Outlook?
>
> --
> Steve Yates
> ITS, Inc.
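Scraping the certificate page is one way to get the expiry date; asking the TLS listener directly is simpler and works for any service, not just the GUI. The script below is an added example, not code from the thread, from pfSense or from the monit tool linked above: it connects with the standard library, reads `notAfter` from the certificate the peer presents, and classifies the remaining lifetime against a warning window so a monitor can alert before the certificate lapses. The host name, CA file path and 30-day threshold are assumptions.

```python
# Added example (not from the thread or from pfSense/monit): read the expiry
# of the certificate a TLS listener presents and classify it against a warning
# window, so a monitoring job can alert before the certificate lapses.
import socket
import ssl
import time
from typing import Optional


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Return the peer certificate as the dict ssl.SSLSocket.getpeercert() builds.

    getpeercert() only populates the dict when the chain verified, so a GUI
    that uses its own CA needs that CA exported and passed as cafile (an
    assumption here: the path is wherever you saved the export).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert: dict, now_epoch: Optional[float] = None) -> int:
    """Whole days between now (UTC epoch seconds) and the certificate's notAfter."""
    if now_epoch is None:
        now_epoch = time.time()
    # notAfter is the 'Jan  5 09:34:43 2018 GMT' form; the ssl module parses it.
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires_at - now_epoch) // 86400)


def classify(days: int, warn_days: int = 30) -> str:
    """Negative days means already expired; within the window means act now."""
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def check(host: str, port: int = 443, cafile: Optional[str] = None,
          warn_days: int = 30) -> dict:
    """One monitoring probe: fetch, compute, classify."""
    cert = fetch_peer_cert(host, port, cafile)
    days = days_remaining(cert)
    return {
        "host": host,
        "subject": cert.get("subject"),
        "notAfter": cert["notAfter"],
        "days": days,
        "status": classify(days, warn_days),
    }


if __name__ == "__main__":
    # Placeholder target and CA path; point these at your own GUI and exported CA.
    print(check("firewall.example.net", cafile="/path/to/exported-ca.pem"))
```

Run it from cron or from monit with a non-zero exit when `status` is not `ok` and you have the e-mail warning the original question asked for; `days_remaining` takes an explicit `now_epoch` so the threshold logic can be tested without a live listener.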
Re: [pfSense] polling pfsense status for a combined dashboard
Not sure if this is exactly what you're asking, but I have a dashboard set up for pf logs. I made a reddit post about it a while back:

http://www.reddit.com/r/PFSENSE/comments/2rlm8h/pfsense_docker_elk/

I also use nagios (which I was going to try to package in docker as well when I get around to it), which essentially uses the NRPE plugin to get some metrics out of pfsense; it does provide some graphing of cpu/memory utilization.

Also I've been looking into monit lately; someone should make a monit package for pfSense :)

Thanks,

On Tue, Jan 27, 2015 at 8:55 AM, Wolf Noble <w...@wolfspyre.com> wrote:
> I'm sure this has been asked, but I've not found anything in the few minutes I poked around on the forums/google.
>
> I'm looking to pull some metrics from my pfSense firewall to display on a dashboard. I was wondering what my options are for API-esque access, or curl-able graph images with authentication handled by a token conveyed via a header.
>
> What are others doing?
Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.
Further to what Walter has said - Double NATB!

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Network Traffic Monitoring w/o Webgui
I tried hunting this package down in the webgui this morning and I wasn't able to find it. I ended up going to shell and changing the environment variable 'PACKAGESITE' using the following command:

setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.1-release/Latest/

Once done, I was able to install iftop no problem. (Credit for the command goes to nooblet.org)

On to the Cacti comment; that's a really good idea Walter. Having a way to manage historical data would be great. I'm fairly new to the BSD world still; how difficult is it to piece together one of these solutions? I understand that the webgui helps quite a bit, but I've heard monitoring solutions can be a bit of a nightmare to get working properly initially. Is this something that could or should be combined with a syslog type solution so that we're not only gathering network data but also logs/health from the routers themselves? Any tips here before I dive headlong into this?

Thanks,
James

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck Mariotti
Sent: April-07-14 1:04 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Network Traffic Monitoring w/o Webgui

It's been a few years, but a simple windows version... http://oss.oetiker.ch/mrtg/

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Walter Parker
Sent: April-07-14 2:06 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Network Traffic Monitoring w/o Webgui

Sorry, FOSS = Free/Open Source Software (what MRTG, Linux, FreeBSD, pfSense are, as different from what Microsoft or HP sell)

Cacti is a web based system, from http://www.cacti.net/, that uses the technology that powers MRTG to build a nice web based system that monitors network equipment. Unlike MRTG, which has to be configured by hand, Cacti allows you to add hosts through the web interface (like how pfSense does all the pf stuff through the web rather than requiring you to edit config files). It is pretty simple to set up, assuming you have a FreeBSD or Linux system and can install the package or port. I've used it on networks to monitor all of the traffic on the routers, on the servers and even on the switch ports (that requires a switch with SNMP counters, usually known as a managed switch). There are also commercial systems that do the same thing, but they quickly become expensive (1000's to 10,000's of dollars) as the size of your network grows.

Walter

On Mon, Apr 7, 2014 at 10:47 AM, Brian Caouette <bri...@dlois.com> wrote:
> What is Cacti? FOSS?
>
> On 4/7/2014 1:42 PM, Walter Parker wrote:
>> I'd expect that you should be able to enable SNMP, set a non default password (please don't use public) and add a firewall rule to allow UDP on port 161 to/from your mrtg server. I'd recommend using Cacti as your mrtg server (if you want a FOSS solution).
>>
>> Walter
>>
>> On Mon, Apr 7, 2014 at 10:23 AM, Brian Caouette <bri...@dlois.com> wrote:
>>> What about using mrtg to graph the various interfaces? Does PF support this?
>>>
>>> On 4/7/2014 12:54 PM, Jim Pingle wrote:
>>>> On 4/7/2014 12:29 PM, James Caldwell wrote:
>>>>> Happy Monday list...
>>>>>
>>>>> Does anyone have a preferred way of monitoring over all traffic throughput for various interfaces via shell/putty instead of having to remain logged in to the webgui? I have several alix based appliances that have had their ISP connections upgraded and I am trying to remain outside the web interface as much as possible due to the load that it puts on the system. Any thoughts or experience is appreciated.
>>>>
>>>> The iftop package is great for this. Install it from the GUI and then from the shell run it like so:
>>>>
>>>> iftop -nNpPi vr0
>>>>
>>>> (Serving suggestion, salt to taste)
>>>>
>>>> Jim
>>
>> --
>> The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Re: [pfSense] Freezing Entering NAT Rules
Turned out to be bad/dying hardware. Replaced the firewall with a new Dell server and everything is back to normal.

Thanks,
James

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: February-23-14 6:16 PM
To: pfSense support and discussion
Subject: Re: [pfSense] Freezing Entering NAT Rules

On Sunday, February 23, 2014, James Caldwell <jamescaldw...@hurricanecs.com> wrote:
> Has anyone ever experienced the gui hang or get very sluggish entering NAT rules and subsequently applying changes afterwards?

Sounds like what would happen if you have a gateway down and state killing enabled.

--
Sent from my phone, please excuse any typos or excessive brevity.
[pfSense] Freezing Entering NAT Rules
Has anyone ever experienced the gui hang or get very sluggish entering NAT rules and subsequently applying changes afterwards?

James
Re: [pfSense] Possible MTU/PMTU/MSS issue with HE IPv6 tunnel over PPPoE DSL connection
Check again. I found that the new servers that google deployed were not working properly. They would receive the PMTU "packet too big" packet and would not scale down. They had over 200 servers that had a problem.
[pfSense] cipher suites and NIST
There is a smoking gun on one of random number generators. There is strong circumstantial evidence, reason for suspicion, on suggested Suite B.

AES and SHA look to be fine, but using them gives the appearance to end users that you might be playing footsie with NIST. Cryptographer Jon Callas has therefore made Twofish and Skein the default for silent circle.

I recommend that everyone follow Jon Callas on symmetric cryptography, and DJ Bernstein on asymmetric cryptography. The best people are putting as much distance as possible between themselves and NIST.

Oh, and about tinfoil hats: There really is a great big government conspiracy, and they really are out to get you. Tinfoil hats may not be effectual, but Bernstein's curve25519 will help.
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
Fantastic job all, keep up the great work! My team and I are extremely appreciative as always.

James

-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: September-15-13 2:50 AM
To: pfSense support and discussion; d...@lists.pfsense.org
Subject: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!

I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, including immediate PDF download to the updated 2.1 book for subscribers! Check out the announcements on our blog.

http://blog.pfsense.org/?p=712 - 2.1-RELEASE
http://blog.pfsense.org/?p=718 - Gold Subscription

Thanks for your support!

Chris
Re: [pfSense] pfsense cannot find suitable hard drive to install on
This may be a stupid question but are you looking in the motherboard bios or the raid card bios?

Regards,
James

Sent from my BlackBerry

From: pfu...@hushmail.com [mailto:pfu...@hushmail.com]
Sent: Tuesday, June 11, 2013 10:43 PM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense cannot find suitable hard drive to install on

It seems the bios cannot see any hard drives. At this point I'm honestly not sure what to do. I tried with a third drive too; what are the chances I got 3 bad drives?

On 6/11/2013 at 9:21 PM, pfu...@hushmail.com wrote:
> Good to know it should work. If only I can get it to actually work. It has 2 drives which I doubt both are bad so it's got to be some configuration. I just wish I knew what I was doing.
>
> On 6/11/2013 at 9:08 PM, Moshe Katz <mo...@ymkatz.net> wrote:
>> On Tue, Jun 11, 2013 at 11:48 PM, <pfu...@hushmail.com> wrote:
>>> I recently traded some old computer equipment for an HP Proliant DL360 G3. It's a nice little rackmount with dual Intel Xeon 2.8GHz processors, 3 onboard gigabit NICs and a PCI-X bus and 2 PCI-X expansion slots. It's light on RAM at only 512MB but that's easy to add to. So from what I could tell I should be able to get good throughput with this machine running pfsense.
>>>
>>> I go to install and as all the text flies past on my screen I notice several lines say something like acd0: FAILURE - READ BIG ILLEGAL REQUEST (some number I did not write down, not sure if this error message is relevant, I can try to catch the rest of the message and write it down if anyone needs it). I get that for about 4 or 5 lines but then everything continues fine. I select the option to install pfsense and I get an error stating I do not have any suitable IDE or SCSI drives to install pfsense on. I have two SCSI drives on; the only thing I can think is neither is big enough to install pfsense onto as they are smaller drives. I could not find hard drive space requirements online for pfsense, what does it need?
>>>
>>> The problem is HP has a warning right on the case that you are only supposed to use HP Universal U320 SCSI drives or server damage may result, and these are the only compatible drives I have. My second guess is maybe since the HP SCSI drives are so special maybe they don't work with pfsense. Any ideas?
>>
>> If you look around online, you will find the acd0 ... message is referring to read errors on the CD drive and that having some of these errors is entirely normal (though having too many means that either the disc is bad or the drive is bad). You might try burning a new copy of the CD, perhaps with a different brand of blank CD, to see if it helps.
>>
>> As far as your problem with finding an available hard drive on which to install, I doubt that it is a pfSense issue because FreeBSD 8 (on which pfSense is based) is known to work on the Proliant DL360 G3. The hard drives are not special at all - they are standard SCSI Ultra320 drives on a fancy HP sled (the only purpose of which is to make it easier to swap them). I would check if the machine is doing some kind of weird RAID setup (or has some kind of RAID misconfiguration) that is preventing drives from showing up. I would also check if there is some kind of Hard Drive health test (either built in to the BIOS or RAID controller, or on a live CD) to make sure that the drives are working properly.
>>
>> As far as Hard Drive size, pfSense can be installed on drives as small as 1GB (though more is recommended as log files grow over time), so the size of your drives should not be an issue. If you do need to get a new drive, the drives for this machine can be found very cheaply on eBay, as many companies are now retiring the generation of servers that used Ultra320 drives.
>>
>> Moshe
Re: [pfSense] Full Backup/Restore for pfSense
I'm experimenting with something like this (from pfsense box):

dd if=/dev/sd0 | gzip | ssh user@host dd of=/tmp/pfsense_bkup.gzip

Technically the box will boot and load the needed packages, but if you're doing many boxes and package installation is slow, there is a decent need for something like this. I netboot alix boxes and grab the default pfsense embedded image over ftp and pipe it to dd to get it on the CF, but it would save me a bunch of time if this above method works for package installs. It's not that big of a deal when doing 1-2 boxes, but now I've got a project that is going to need ~35, so a templatized image is a much better solution for me than normal configs.

--
James Records | Principle Network Engineer
M 425.984.4349
E ja...@northshoresoftware.com
W www.northshoresoftware.com

On Sat, May 4, 2013 at 9:32 AM, Odhiambo Washington <odhia...@gmail.com> wrote:
> What I wanted is not just the config, but everything. Say I have installed packages as well and I do not want to go through that again on the next pfSense box I am building. I only want to change a few configs like LAN/WAN IP/Subnets and the names. I am thinking of a situation where I am to deploy a number of boxes which only differ in those aspects but have same functions.
>
> On 4 May 2013 18:59, Ermal Luçi <ermal.l...@gmail.com> wrote:
>> On Sat, May 4, 2013 at 5:17 PM, Odhiambo Washington <odhia...@gmail.com> wrote:
>>> Hi Jim,
>>>
>>> Diagnostics - Backup/Restore only handles configuration backup. I am talking about the BSD dump/restore for the whole disk - if that elaborates my needs.
>>
>> What does it not handle when restoring a config backup to a new installation?
>>
>>> On 4 May 2013 17:20, Jim Spaloss <jspal...@gmail.com> wrote:
>>>> But they are included. Look under Diagnostics - Backup/Restore. This feature has been there since M0n0wall, although its functionality has been enhanced in pfSense.
>>>>
>>>> On May 4, 2013 5:32 AM, Odhiambo Washington <odhia...@gmail.com> wrote:
>>>>> Again, at the risk of being so uninformed, I'd like to ask why dump/restore are not part of pfSense. Would the inclusion increase the distro size beyond expectations? I am thinking that I could use dump/restore to create several instances/installs of pfSense without necessarily having to go on an installation/customization spree for packages.
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Odhiambo WASHINGTON,
>>>>> Nairobi,KE
>>>>> +254733744121/+254722743223
>>>>> "I can't hear you -- I'm using the scrambler."
>>
>> --
>> Ermal
Re: [pfSense] Full Backup/Restore for pfSense
Found this:

https://github.com/pfsense/pfsense/blob/master/etc/rc.create_full_backup
https://github.com/pfsense/pfsense/blob/master/etc/rc.restore_full_backup

I'm modifying the create script to send the image to a remote server, but this might be exactly what I want. Would be nice to wrap some of this in the UI, but I'm doing fine with ssh access to these commands for now.

--
James Records | Principle Network Engineer
M 425.984.4349
E ja...@northshoresoftware.com
W www.northshoresoftware.com

On Sat, May 4, 2013 at 11:18 AM, Mehma Sarja <mehmasa...@gmail.com> wrote:
> dd is fine unless you have a running database, like with Snort. You'd have to employ some sort of a dump and then dd.
>
> On Sat, May 4, 2013 at 11:15 AM, Mehma Sarja <mehmasa...@gmail.com> wrote:
>> This is the perfect opportunity for *someone* to write one.
>>
>> On Sat, May 4, 2013 at 8:17 AM, Odhiambo Washington <odhia...@gmail.com> wrote:
>>> Hi Jim,
>>>
>>> Diagnostics - Backup/Restore only handles configuration backup. I am talking about the BSD dump/restore for the whole disk - if that elaborates my needs.
>>>
>>> On 4 May 2013 17:20, Jim Spaloss <jspal...@gmail.com> wrote:
>>>> But they are included. Look under Diagnostics - Backup/Restore. This feature has been there since M0n0wall, although its functionality has been enhanced in pfSense.
>>>>
>>>> On May 4, 2013 5:32 AM, Odhiambo Washington <odhia...@gmail.com> wrote:
>>>>> Again, at the risk of being so uninformed, I'd like to ask why dump/restore are not part of pfSense. Would the inclusion increase the distro size beyond expectations? I am thinking that I could use dump/restore to create several instances/installs of pfSense without necessarily having to go on an installation/customization spree for packages.
Re: [pfSense] Packet capture
Jason,

Sorry it took me a bit to get back to you. Many years ago (and on OpenBSD) I did something like this to get these logs off the box:

echo -n 'Starting PF Logging...'
ifconfig pflog0 up
# line-buffered tcpdump on the pflog interface, stderr merged into stdout,
# fed to logger and backgrounded so the rc script can continue
( /usr/sbin/tcpdump -l -e -n -t -v -i pflog0 2>&1 | /usr/bin/logger -p local0.info -t pf ) &
echo 'done'

You'll want to modify your tcpdump statement to what you want to collect and maybe send these to a new (separate) facility, but at that point you can just point your logs to a remote server and you should be good to go.

I think there is a way to do an rc.local on Pfsense, though I've never done this, but with some tweaking you can probably get this to do what you want without the need for remote ssh access.

--
James Records | Principle Network Engineer
M 425.984.4349
E ja...@northshoresoftware.com
W www.northshoresoftware.com

On Sun, Apr 28, 2013 at 4:16 PM, Jason Pyeron <jpye...@pdinc.us> wrote:
> Yeah, that is what I quoted. Once you told me about the pflog0 I googled it. It seems that it is not just a copy of the headers that get sent to that virtual interface, but it is really pflogd that truncates the packets when putting them in /var/log/pflog. The page lied :)
>
> So now I have pflog0 (updated all the rules to log) and the bridge0 feeding in to the IPS/IDS. I don't think the jitter in the sequence between the two pcap streams will matter.
>
> As a side, do you think I should stream the pcap data by ssh or some other means? Would there be a more efficient means from the firewall performance point of view?
>
> -Jason
>
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Records
> Sent: Sunday, April 28, 2013 16:29
> To: pfSense support and discussion
> Subject: Re: [pfSense] Packet capture
>
> Jason,
>
> Take a look at this: http://www.openbsd.org/faq/pf/logging.html
>
> Should help you out a bit.
>
> On Sun, Apr 28, 2013 at 1:21 PM, Jason Pyeron <jpye...@pdinc.us> wrote:
>> Nice. I did not know about that.
>>
>> "When a packet is logged by PF, a copy of the packet header is sent to a pflog(4) <http://www.openbsd.org/cgi-bin/man.cgi?query=pflog&sektion=4&manpath=OpenBSD+5.2> interface along with some additional data such as the interface the packet was transiting, the action that PF took (pass or block), etc."
>>
>> I will now look for a way to get it to pass the full packet, as I need to do deep packet inspections.
>>
>> Thanks!
>>
>> -Jason
>>
>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Records
>> Sent: Sunday, April 28, 2013 12:58
>> To: pfSense support and discussion
>> Subject: Re: [pfSense] Packet capture
>>
>> Jason,
>>
>> I think what you want is the pflog0 interface.
>>
>> On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron <jpye...@pdinc.us> wrote:
>>> Yes the interface for packet capture is nice for an interactive quick look, but it is not a solution for an automated ingest system for 24x7 capture.
>>>
>>> regarding the logs:
>>>
>>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
>>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
>>>
>>> the detail is insufficient. I tried *Show raw filter logs*, but there does not seem to be any appreciable difference.
>>>
>>> I have a backend system (IDS type of thing) which ingests pcap data as well as syslog; in this case the syslog from the pfSense is too light weight.
>>>
>>> can I sniff the bridge [BRIDGE0]?
>>>
>>> -Jason
>>>
>>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Trevor Benson
>>> Sent: Sunday, April 28, 2013 10:14
>>> To: pfSense support and discussion
>>> Subject: Re: [pfSense] Packet capture
>>>
>>> Have you tried using the built in packet capture under diagnostics? This will clean up your ssh traffic, which is what I assume you mean by tcpdump recursive traffic. Plus you can download a pcap to examine more closely in wireshark. As for traffic denied by the firewall have you tried looking at the firewall logs?
>>>
>>> Trevor
>>>
>>> On Apr 28, 2013 5:47 AM, Jason Pyeron <jpye...@pdinc.us> wrote:
>>>> I am looking to capture all the packets that are traversing and attempting to traverse the firewall. If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN then I only get the packets that made it past the firewall plus the recursive traffic of my pcap data leaving the firewall too. This is telling me I should be using another port, but still does not help me separate the pcap data into 2 buckets
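The two buckets Jason asks for (blocked versus passed) are already encoded in every pflog record: the `-e` output that tcpdump prints for a pflog frame carries the rule number, the action and the interface before the IP detail, which is what the syslog lines quoted above show. On the capture side the OpenBSD FAQ linked in this thread documents pcap filter keywords for pflog interfaces, so `tcpdump -n -e -ttt -i pflog0 action block` and `... action pass` give the two streams directly. Once those lines reach syslog, the script below does the same split on the backend. It is an added example, not code from the thread or from pfSense: the sample lines are constructed in the shape of the quoted syslog output, with documentation addresses rather than real traffic.

```python
# Added example (not from the thread or from pfSense): split pflog-style
# syslog lines into "block" and "pass" buckets and count hits per rule.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Matches the rule/action prefix tcpdump -e prints for pflog frames, wherever
# it sits in a syslog line, e.g. "rule 23/0(match): block in on em0:".
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<iface>[A-Za-z0-9_.]+):"
)

# Constructed sample lines in the shape of the thread's syslog output
# (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LINES = [
    "{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): "
    "block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)",
    "{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 198.51.100.7.53 > 203.0.113.10.53: "
    "952+ [1au] ANY? ripe.net. (38)",
    "{mail} Sun Apr 28 11:08:02 EDT 2013 INFO pf: 00:00:03.912001 rule 23/0(match): "
    "block in on em0: (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto TCP (6), length 60)",
    "{mail} Sun Apr 28 11:08:05 EDT 2013 INFO pf: 00:00:02.100404 rule 5/0(match): "
    "pass out on em1: (tos 0x0, ttl 64, id 9, offset 0, flags [DF], proto TCP (6), length 52)",
]


def parse_pflog_line(line: str) -> Optional[dict]:
    """Return the rule/action fields, or None for continuation lines (the IP detail)."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["subrule"] = int(rec["subrule"])
    rec["raw"] = line
    return rec


def bucket(lines: Iterable[str]) -> Dict[str, List[dict]]:
    """Split log lines into the two buckets the poster wanted: blocked and passed."""
    out: Dict[str, List[dict]] = {"block": [], "pass": []}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            out[rec["action"]].append(rec)
    return out


def summarize(lines: Iterable[str]) -> Counter:
    """Count hits per (action, interface, rule) for a quick review of what a rule is doing."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            counts[(rec["action"], rec["iface"], rec["rule"])] += 1
    return counts


if __name__ == "__main__":
    buckets = bucket(SAMPLE_LINES)
    print(len(buckets["block"]), "blocked,", len(buckets["pass"]), "passed")
    for key, n in summarize(SAMPLE_LINES).most_common():
        print(key, n)
```

Feed it the syslog stream from the `tcpdump | logger` pipeline above (one record per line) and the counters give the per-rule drop and pass rates an IDS backend can alert on; the continuation lines with the IP payload detail are skipped rather than mis-attributed.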
Re: [pfSense] Packet capture
Jason,

I think what you want is the pflog0 interface.

--
James Records | Principal Network Engineer
M 425.984.4349
E ja...@northshoresoftware.com
W www.northshoresoftware.com

On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron jpye...@pdinc.us wrote:

> Yes, the interface for packet capture is nice for an interactive quick look, but it is not a solution for an automated ingest system for 24x7 capture.
>
> Regarding the logs:
>
> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
>
> The detail is insufficient. I tried "Show raw filter logs", but there does not seem to be any appreciable difference.
>
> I have a backend system (IDS type of thing) which ingests pcap data as well as syslog; in this case the syslog from the pfSense is too lightweight.
>
> Can I sniff the bridge [BRIDGE0]?
>
> -Jason
>
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Trevor Benson
> Sent: Sunday, April 28, 2013 10:14
> To: pfSense support and discussion
> Subject: Re: [pfSense] Packet capture
>
>> Have you tried using the built-in packet capture under Diagnostics? This will clean up your SSH traffic, which is what I assume you mean by tcpdump recursive traffic. Plus you can download a pcap to examine more closely in Wireshark.
>>
>> As for traffic denied by the firewall, have you tried looking at the firewall logs?
>>
>> Trevor
>>
>> On Apr 28, 2013 5:47 AM, Jason Pyeron jpye...@pdinc.us wrote:
>>
>>> I am looking to capture all the packets that are traversing and attempting to traverse the firewall. If I use tcpdump -i WAN I get all the packets; if I use tcpdump -i LAN then I only get the packets that made it past the firewall plus the recursive traffic of my pcap data leaving the firewall too.
>>>
>>> This is telling me I should be using another port, but still does not help me separate the pcap data into 2 buckets:
>>>
>>> 1: blocked
>>> 2: not blocked
>>>
>>> Any suggestions?
>>>
>>> --
>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>> - Jason Pyeron                 PD Inc. http://www.pdinc.us -
>>> - Principal Consultant         10 West 24th Street #100    -
>>> - +1 (443) 269-1555 x333       Baltimore, Maryland 21218   -
>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>> This message is copyright PD Inc, subject to license 20080407P00.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Packet capture
Jason,

Take a look at this: http://www.openbsd.org/faq/pf/logging.html

Should help you out a bit.

--
James Records | Principal Network Engineer
M 425.984.4349
E ja...@northshoresoftware.com
W www.northshoresoftware.com

On Sun, Apr 28, 2013 at 1:21 PM, Jason Pyeron jpye...@pdinc.us wrote:

> Nice. I did not know about that.
>
> When a packet is logged by PF, a copy of the packet header is sent to a pflog(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=pflog&sektion=4&manpath=OpenBSD+5.2) interface along with some additional data such as the interface the packet was transiting, the action that PF took (pass or block), etc.
>
> I will now look for a way to get it to pass the full packet, as I need to do deep packet inspections.
>
> Thanks!
>
> -Jason
>
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Records
> Sent: Sunday, April 28, 2013 12:58
> To: pfSense support and discussion
> Subject: Re: [pfSense] Packet capture
>
>> Jason,
>>
>> I think what you want is the pflog0 interface.
>>
>> --
>> James Records | Principal Network Engineer
>> M 425.984.4349
>> E ja...@northshoresoftware.com
>> W www.northshoresoftware.com
>>
>> On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron jpye...@pdinc.us wrote:
>>
>>> Yes, the interface for packet capture is nice for an interactive quick look, but it is not a solution for an automated ingest system for 24x7 capture.
>>>
>>> Regarding the logs:
>>>
>>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
>>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
>>>
>>> The detail is insufficient. I tried "Show raw filter logs", but there does not seem to be any appreciable difference.
>>>
>>> I have a backend system (IDS type of thing) which ingests pcap data as well as syslog; in this case the syslog from the pfSense is too lightweight.
>>>
>>> Can I sniff the bridge [BRIDGE0]?
>>>
>>> -Jason
>>>
>>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Trevor Benson
>>> Sent: Sunday, April 28, 2013 10:14
>>> To: pfSense support and discussion
>>> Subject: Re: [pfSense] Packet capture
>>>
>>>> Have you tried using the built-in packet capture under Diagnostics? This will clean up your SSH traffic, which is what I assume you mean by tcpdump recursive traffic. Plus you can download a pcap to examine more closely in Wireshark.
>>>>
>>>> As for traffic denied by the firewall, have you tried looking at the firewall logs?
>>>>
>>>> Trevor
>>>>
>>>> On Apr 28, 2013 5:47 AM, Jason Pyeron jpye...@pdinc.us wrote:
>>>>
>>>>> I am looking to capture all the packets that are traversing and attempting to traverse the firewall. If I use tcpdump -i WAN I get all the packets; if I use tcpdump -i LAN then I only get the packets that made it past the firewall plus the recursive traffic of my pcap data leaving the firewall too.
>>>>>
>>>>> This is telling me I should be using another port, but still does not help me separate the pcap data into 2 buckets:
>>>>>
>>>>> 1: blocked
>>>>> 2: not blocked
>>>>>
>>>>> Any suggestions?
>>>>>
>>>>> --
>>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>>> - Jason Pyeron                 PD Inc. http://www.pdinc.us -
>>>>> - Principal Consultant         10 West 24th Street #100    -
>>>>> - +1 (443) 269-1555 x333       Baltimore, Maryland 21218   -
>>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>>> This message is copyright PD Inc, subject to license 20080407P00.
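A worked version of the two-bucket split Jason is after, added here as an example and not code from the thread or from pfSense: it reads a pcap written by `tcpdump -i pflog0 -w`, which carries the pflog header ahead of each packet, assumes the FreeBSD struct pfloghdr layout (64 bytes, pcap link type 117, rule number in network byte order) and buckets records by the logged action; the sample capture is constructed inline to mirror the quoted "rule 23/0(match): block in on em0" line, and the bucket writer re-wraps packets as plain IP for an IDS.

```python
"""Bucket a pflog capture (tcpdump -i pflog0 -w out.pcap) into blocked and
passed packets. Constructed example for the pflog0 thread, not code from
the list or from pfSense; assumes the FreeBSD struct pfloghdr layout."""
import struct
from socket import inet_aton

DLT_PFLOG, LINKTYPE_RAW = 117, 101   # pcap link types: pflog in, raw IP out
AF_INET, PF_PASS, PF_DROP, PF_IN, PF_OUT = 2, 0, 1, 1, 2   # FreeBSD values
ACTIONS, DIRECTIONS = {PF_PASS: "pass", PF_DROP: "block"}, {PF_IN: "in", PF_OUT: "out"}
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short",
           4: "normalize", 5: "memory"}
# struct pfloghdr: length, af, action, reason, ifname[16], ruleset[16],
# rulenr, subrulenr (network byte order), uid/pid/rule_uid/rule_pid
# (16 bytes, skipped here), dir, pad[3] -> 64 bytes once BPF word-aligned.
PFLOGHDR = struct.Struct("!BBBB16s16sII16xB3x")

def parse_pflog_header(record):
    """Return (metadata dict, encapsulated IP packet) for one pflog record."""
    (length, _af, action, reason, ifname, _ruleset,
     rulenr, subrulenr, direction) = PFLOGHDR.unpack_from(record)
    meta = {"action": ACTIONS.get(action, f"unknown({action})"),
            "reason": reason,
            "reason_name": REASONS.get(reason, f"unkn({reason})"),
            "ifname": ifname.split(b"\0", 1)[0].decode("ascii", "replace"),
            "rulenr": rulenr,
            "anchored": subrulenr != 0xFFFFFFFF,   # pf logs subrulenr -1 outside anchors
            "dir": DIRECTIONS.get(direction, f"unknown({direction})")}
    return meta, record[(length + 3) & ~3:]        # BPF_WORDALIGN(61) == 64

def describe(meta):
    """tcpdump-style prefix such as 'rule 23/0(match): block in on em0'."""
    return (f"rule {meta['rulenr']}/{meta['reason']}({meta['reason_name']}): "
            f"{meta['action']} {meta['dir']} on {meta['ifname']}")

def iter_pcap(data):
    """Yield (ts_sec, ts_usec, packet) from a DLT_PFLOG pcap file image."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a microsecond-resolution pcap file")
    if (linktype := struct.unpack(order + "I", data[20:24])[0]) != DLT_PFLOG:
        raise ValueError(f"expected DLT_PFLOG (117), got link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        yield ts_sec, ts_usec, data[off + 16:off + 16 + incl]
        off += 16 + incl

def write_pcap(records, linktype):
    """Serialise (ts_sec, ts_usec, packet) tuples as a little-endian pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, pkt in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def split_pflog_capture(data):
    """Bucket 1: blocked, bucket 2: passed; entries are (ts, meta, ip_packet)."""
    blocked, passed = [], []
    for ts_sec, ts_usec, rec in iter_pcap(data):
        meta, packet = parse_pflog_header(rec)
        bucket = blocked if meta["action"] == "block" else passed
        bucket.append(((ts_sec, ts_usec), meta, packet))
    return blocked, passed

def to_raw_ip_pcap(bucket):
    """Re-wrap a bucket as LINKTYPE_RAW so an IDS ingests plain IP packets."""
    return write_pcap([(ts[0], ts[1], pkt) for ts, _m, pkt in bucket], LINKTYPE_RAW)

# --- constructed sample capture (not real traffic; checksums left zero) -----
def _ipv4_udp(src, dst, sport, dport, payload, ttl=116, ip_id=4687):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0x4000,
                     ttl, 17, 0, inet_aton(src), inet_aton(dst))   # DF set, UDP
    return ip + udp

def _pflog_record(action, reason, ifname, rulenr, direction, packet):
    hdr = PFLOGHDR.pack(61, AF_INET, action, reason, ifname.encode().ljust(16, b"\0"),
                        b"\0" * 16, rulenr, 0xFFFFFFFF, direction)
    return hdr + packet

SAMPLE_CAPTURE = write_pcap([
    (1367161678, 1738, _pflog_record(PF_DROP, 0, "em0", 23, PF_IN,   # the quoted block line
        _ipv4_udp("31.222.133.87", "67.90.184.35", 53, 53, b"\x03\xb8" + b"\0" * 36))),
    (1367161679, 0, _pflog_record(PF_PASS, 0, "em1", 5, PF_OUT,
        _ipv4_udp("192.0.2.10", "198.51.100.1", 40000, 53, b"\0" * 30))),
    (1367161680, 0, _pflog_record(PF_DROP, 3, "em0", 7, PF_IN,       # reason 3 = "short"
        _ipv4_udp("203.0.113.9", "67.90.184.35", 1024, 80, b""))),
], DLT_PFLOG)
```

On the firewall itself the same split can be done at capture time, since tcpdump's pflog filter syntax accepts `action block` and `action pass`; the parser above is for captures that are shipped off-box first.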
Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)
On 15 April 2013 15:29, James Bensley jwbens...@gmail.com wrote:

> Although my tests aren't proving successful so far.

I meant to say; I am pulling a file via SCP from a host in the LAN to a host on the WAN. If I disable CARP on the master to force a fail-over to the backup, there is a pause, and then pings to that LAN host resume and the SCP transfer resumes. If I then enable CARP on the master, there is a pause, pings resume and the SCP transfer dies. SCP will fail over from master to backup, but not back again. Also, SSH sessions I have to LAN hosts die in both directions.

What does this sound like to you guys, a configuration error on my part perhaps? Or something else?

Cheers,
James.
[pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)
Hi all,

I have two pfSense 2.0.2 firewalls using CARP for active / passive fail-over with virtual IPs. This is working fine; pinging the WAN or LAN shared IP and pulling the power plug on the master causes a short delay, then the pings resume as the backup firewall has promoted itself to master.

I have two problems here, firstly: If I am connected to a LAN host from outside using SSH for example, and I pull out the master, my SSH session stops working. Do the boxes not sync NAT tables and states etc? I lose any active TCP connections.

Secondly: When the master boots up, for example when I am just pulling the power from it, it takes over control of the virtual IPs again and causes a second little outage. Is there a no-preempt style option available to stop this? Otherwise any outage on the master device will actually result in two outages: one when it goes down, and one when it goes up. (Also, given my first query, all my TCP connections will stop working again!)

Many thanks,
James.
[pfSense] Open Source WAN Optimization
Has anyone had any kind of success running an open source or commercial alternative to Riverbed for WAN optimization? It would be great if some solution like this was available and even better if we could run it inside of pfsense.

Cheers.
James
Re: [pfSense] Open Source WAN Optimization
Hi Jim,

That's very interesting. If not directly integrated into pfsense, how do you envision it might take shape? What do you think of Glenn Kelley's comment about the very impressive numbers he's been getting using Traffic Squeezer?

James

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Thompson
Sent: April-12-13 1:32 PM
To: pfSense support and discussion
Cc: pfSense support and discussion
Subject: Re: [pfSense] Open Source WAN Optimization

> On Apr 12, 2013, at 12:42 PM, Warren Baker war...@decoy.co.za wrote:
>
>> On Fri, Apr 12, 2013 at 4:50 PM, James Caldwell jamescaldw...@hurricanecs.com wrote:
>>
>>> Has anyone had any kind of success running an open source or commercial alternative to Riverbed for WAN optimization? It would be great if some solution like this was available and even better if we could run it inside of pfsense.
>>>
>>> Cheers.
>>
>> There is WANProxy http://wanproxy.org/ but never used it so can't comment on its performance or how well it works.
>
> Chris and I have recently discussed adding WANproxy to the mix. Maybe not as part of pfSense, but certainly in the same mold.
>
> Jim
Re: [pfSense] 2.0.2 release now available
Awesome work guys, looking forward to 2.1!

Regards,
James

Sent from my BlackBerry

- Original Message -
From: Chris Buechler [mailto:c...@pfsense.org]
Sent: Friday, December 21, 2012 08:39 AM
To: pfSense support and discussion list@lists.pfsense.org
Subject: [pfSense] 2.0.2 release now available

> info here: http://blog.pfsense.org/?p=676
Re: [pfSense] 2.0.2 release now available
I'm always a little leery of the 'beta' term. Once you guys stamp it as a release quality build I'll move up to it no problem.

James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eugen Leitl
Sent: December-21-12 9:37 AM
To: pfSense support and discussion
Subject: Re: [pfSense] 2.0.2 release now available

> On Fri, Dec 21, 2012 at 08:44:29AM -0700, James Caldwell wrote:
>
>> Awesome work guys, looking forward to 2.1!
>
> 2.1BETA1 has been working quite well for me (at home, at least).
Re: [pfSense] 2.0.2 release now available
That's great to know it's been thoroughly tested out in the wild already and still considered in beta. If it's already stable enough to run as your primary version, what's left before 2.1 goes release?

James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: December-21-12 6:37 PM
To: pfSense support and discussion
Subject: Re: [pfSense] 2.0.2 release now available

> On Fri, Dec 21, 2012 at 6:27 PM, Jim Thompson j...@netgate.com wrote:
>
>> We dogfood 2.1 at BSD Perimeter as well. :-)
>
> Indeed, everywhere. We don't have any production 2.0.x installs; our office, all our colo facilities, and all our home systems are running 2.1.
[pfSense] Building Reports and Content Filters
Morning Everyone,

Trying to figure out a good solution for monitoring users and building reports to try and enforce acceptable use policies and procedures, but I would really like to avoid using any solution other than pfSense. Having asked around and checked the forums I've seen a handful of people that will use Untangle behind a perimeter pfSense machine, but this is certainly not an ideal way to go, especially in more complex network environments.

I've also recently seen lots of advertisements from vendors such as SonicWALL and WatchGuard about 'Next Generation Firewalls' and their ability to better manage your network traffic. I'd hate to think that they have anything the open source community has not already had for some time :).

Regardless, any insight would be really appreciated.

Thanks guys!
James
Re: [pfSense] Building Reports and Content Filters
Basically the management at the particular client in question has asked if I can pull usage reports for a handful of users and wanted to get a rough idea how much personal browsing is taking place on company machines. I'm certainly not trying to stick my neck out into a potentially bad situation, merely trying to provide an intelligent response to someone else's inquiry.

The second bit I was looking to see is a breakdown of where the traffic is coming from, such as HTTP, P2P, etc, and what IP ranges are the primary culprits as they have several VLANs.

Cheers.
James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Bagnall
Sent: November-20-12 8:01 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Building Reports and Content Filters

> On 20/11/12 2:53 pm, James Caldwell wrote:
>
>> Trying to figure out a good solution for monitoring users and building reports to try and enforce acceptable use policies and procedures, but I would really like to avoid using any solution other than pfSense. Having asked around and checked the forums I've seen a handful of people that will use Untangle behind a perimeter pfSense machine, but this is certainly not an ideal way to go, especially in more complex network environments.
>>
>> I've also recently seen lots of advertisements from vendors such as SonicWALL and WatchGuard about 'Next Generation Firewalls' and their ability to better manage your network traffic. I'd hate to think that they have anything the open source community has not already had for some time :).
>>
>> Regardless, any insight would be really appreciated.
>>
>> Thanks guys!
>
> You should probably be a little more specific about precisely what sort of acceptable use policies and procedures you are trying to enforce.
>
> I'd also caution against looking for a technical solution to a social or HR perceived 'problem'. It nearly always seems to end in tears, recriminations, and other unpleasantness :-)
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure
How difficult would it be to replace PPTP implementations with OpenVPN for mobile users?

James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Pingle
Sent: July-31-12 7:20 AM
To: pfSense support and discussion
Subject: Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure

> On 7/31/2012 8:13 AM, Ugo Bellavance wrote:
>
>> http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
>
> We were just talking about that here. WPA2 Enterprise is also broken as a result, if it's configured to use MS-CHAPv2.
>
> Somehow I doubt it will stop people from using PPTP, even though it should. PPTP was already considered quite insecure, and that didn't hold very many people back from it.
>
> OpenVPN FTW. :-)
>
> Jim
Re: [pfSense] IP Alias and IPSec
Hi Gavin,

I've 2 IPSec tunnels and both of the other ends are Cisco ASA devices, so OpenVPN wouldn't be an option. It is working fine with how I've configured it now, not using PPPoE. Must just be that it's not possible with PPPoE currently with multiple IPs.

Cheers,
James

On 31 Jul 2012, at 09:27, Gavin Will gavin.w...@exterity.com wrote:

> I use BT Business also as a 2nd ISP. I was in the same boat as you; the WAN IP on the PPPoE connection would change, so creating an IPsec VPN was a pain. Eventually I just went to using OpenVPN, with the BT connection as a client and the other static connection being the server. Works fine; however, I am assuming you have pfSense at the remote end also.
>
> Gavin
>
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> Sent: 30 July 2012 19:17
> To: pfSense support and discussion
> Subject: Re: [pfSense] IP Alias and IPSec
>
>> On Sat, Jul 28, 2012 at 1:20 PM, James Bland fastlan...@mac.com wrote:
>>
>>> Hi all,
>>>
>>> I've got BT Business Broadband with a block of 5 IPs. I'm connecting to this using PPPoE to a router in bridge mode rather than a 2wire router. I've also got a second ISP so I'm running MultiWAN here. So the static IPs are in a different subnet than the dynamic IP.
>>>
>>> So the PPPoE interface connects with a dynamic IP. I then add my public IPs as IP Aliases in the Virtual IP section. I've tested port forwarding off one of the IPs and that works; I've tried Outbound NAT and that also works. If I tried to ping any of the statics I was getting TTL timeout issues; however, if say I add a 1:1 NAT on an entry with firewall rules to allow traffic, ping then works fine.
>>>
>>> My issue is with IPSec off one of these IP Aliases. If I put IPSec on the WAN interface it'll try to connect to the remote site (but fail as it's not coming off the IP it expects). If I change it to the virtual IP I just get "racoon: ERROR: phase1 negotiation failed due to send error". So as far as I can see it just doesn't send any data out at all.
>>>
>>> I've tried turning DEBUG mode on but I'm getting no more info. I guess I'm missing some rule somewhere that I might need, but I've tried fiddling and come up empty.
>>>
>>> Can anyone give me some advice on this?
>>>
>>> Cheers,
>>> James
>>
>> I don't know the full details, but I do know that certain Virtual Address types support/do-not-support certain features. I use ProxyARP Virtual Addresses on my systems (though I don't currently use IPSec so I don't know if switching will help you).
>>
>> Moshe
>>
>> --
>> Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure
What would this look like connecting from a Windows XP/7 client? Would it still use the PPTP protocol or would it be set up differently?

James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Pingle
Sent: July-31-12 9:31 AM
To: pfSense support and discussion
Subject: Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure

> For Windows/Mac/Linux users, and Android 4.0 and above, very easy. For older Android and iOS, it requires rooting/jailbreaking to use OpenVPN.
>
> On 7/31/2012 11:11 AM, James Caldwell wrote:
>
>> How difficult would it be to replace PPTP implementations with OpenVPN for mobile users?
>>
>> James
>>
>> -Original Message-
>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Pingle
>> Sent: July-31-12 7:20 AM
>> To: pfSense support and discussion
>> Subject: Re: [pfSense] FYI: MS-CHAPv2 (used in PPTP) considered totally insecure
>>
>>> On 7/31/2012 8:13 AM, Ugo Bellavance wrote:
>>>
>>>> http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
>>>
>>> We were just talking about that here. WPA2 Enterprise is also broken as a result, if it's configured to use MS-CHAPv2.
>>>
>>> Somehow I doubt it will stop people from using PPTP, even though it should. PPTP was already considered quite insecure, and that didn't hold very many people back from it.
>>>
>>> OpenVPN FTW. :-)
>>>
>>> Jim
Re: [pfSense] IP Alias and IPSec
Hi Moshe,

I got it to work in the end by changing from PPPoE to a Static IP and No NAT Config on the router. This is working with the IP Aliases just fine on IPSec now. So it would seem that Virtual IPs and IP Aliases don't work for local services if PPPoE is in use on that interface.

I'm happy with the config as I have it now, but maybe this is a bug or it cannot work and the documentation might want to mention this?

Cheers,
James

On 30 Jul 2012, at 19:17, Moshe Katz mo...@ymkatz.net wrote:

> Moshe
Re: [pfSense] pfSense vs JunOS
Absolutely, some of the best support I've had for a software solution to date.

James

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of bsd
Sent: July-03-12 3:24 PM
To: pfSense support and discussion
Subject: Re: [pfSense] pfSense vs JunOS

> On 3 July 2012 at 21:59, Vick Khera wrote:
>
>> On Sun, Jul 1, 2012 at 3:33 PM, Chris Buechler c...@pfsense.org wrote:
>>
>>> The level of service we provide is on par or better than commercial vendors. For most of our customers, much better, because commercial vendors will rule out the firewall and tell you to have a nice day
>>
>> I'll confirm that their support is excellent, and they stick with you until you have a solution or figure out that there is no solution *at all*. I'd recommend buying it even if you don't plan to use it as a way to support the project.
>
> I confirm this: support is awesome! Live support is fast and efficient, supporting the dev project is fun and useful for the community. It is great and I wish the pfSense team all the best!
>
> --
> Grégory Bernard
> Director - www.osnet.eu
> Your provider of OpenSource appliances
Re: [pfSense] [pfsense] dansguardian
I've been part of the pfsense lists for months but have never really spoken up about anything. I tried to implement dansguardian in v2.0.1 but failed as well. Has anyone found a reliable best practice or guide for this?

James

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of k_o_l
Sent: April-26-12 2:51 PM
To: list@lists.pfsense.org
Subject: [pfSense] [pfsense] dansguardian

> I've installed squid and dansguardian in the hope of getting some filtering going. I even followed the instructions highlighted below; however, my syslog keeps showing "dansguardian: Error connecting to proxy". I would appreciate it if anyone has any pointers for me.
>
> http://forum.pfsense.org/index.php?topic=42664.0
>
> Sam
Re: [pfSense] Carp locking up routers.
Jason James is no longer with the School District of Milton. If you need to email the Technology Department, please correct your contact list to hol...@mail.milton.k12.wi.us. If you need to contact Jason James directly, his contact email is jja...@janesville.k12.wi.us