Re: [pfSense] 10GBASE-T hardware

2018-04-02 Thread Paul Mather
On Mar 29, 2018, at 11:12 AM, Moshe Katz <mo...@ymkatz.net> wrote:

> On Wed, Mar 28, 2018 at 9:44 PM, Paul Mather <p...@gromit.dlib.vt.edu>
> wrote:
> 
>> On Mar 27, 2018, at 8:10 PM, Moshe Katz <mo...@ymkatz.net> wrote:
>> 
>> Many thanks for the information and advice.  It is much appreciated.
> 
[[...]]

>> My main issue with going the SFP+ route is that my rack uplink port is
>> still 10GBASE-T and so I'd need to find a 10GBASE-T transceiver for the
>> pfSense 10 GbE NIC and these seem difficult to find or they are 3rd party
>> or they are expensive themselves (e.g., $200--$300+).  I've also heard
>> there are thermal issues with those transceivers as there's not much
>> opportunity to build in the requisite heat sinks that 10GBASE-T appears to
>> need.  (I've noticed 10GBASE-T NICs have pretty hefty heatsinks on them.)
>> Besides that, I've not been able to find a 10GBASE-T transceiver for
>> Chelsio NICs and only 3rd party ones for Intel---e.g., by some company
>> called 10Gtek.
>> 
>> Does anyone have any advice/experience to share regarding 10GBASE-T
>> transceivers?
>> 
> 
> I don't personally have any of the Intel-compatible 10GBASE-T transceivers
> at the moment, but I have seen reports online that the 10Gtek ones are
> reliable. (In theory, any SFP+ module that conforms to the official specs
> should inter-operate with any other, but, as they say, "that's a nice
> theory".)
> As far as the heat distribution, that really should be picked up and
> handled by the network card and the server's cooling system.
> 
> 
> However, based on your response to my brother's email about being able to
> budget the Cisco switch with 10GBASE-T, I suggest that you probably
> couldn't go wrong with that simply because it's the solution with fewest
> number of parts. I would still consider the Intel card over the Chelsio
> card if you're really trying to work within a small budget, but you should
> go with whatever you think is best for you.


Many thanks for the followup information and advice.  (I'm finding that 10 GbE 
networking and above is something of an alphabet soup, so thanks for the 
cabling explanation.)

I've decided to go with my original solution of using a replacement switch with 
10GBASE-T uplink ports.  You were exactly right in that when I got a quote for 
the Cisco SG350X-48 switch it was a more attractive choice than the Netgear 
once the educational discount was applied.

Thanks again for all the help.

Cheers,

Paul.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] 10GBASE-T hardware

2018-03-28 Thread Paul Mather
On Mar 27, 2018, at 8:47 PM, Yehuda Katz wrote:

> I agree with everything my brother said except recommending the Ubiquiti
> EdgeSwitch.
> We have seen a few instances of the EdgeSwitch locking up without any
> apparent reason (once we traced it to a thermal issue, but we couldn't find
> a cause for the others).
> The EdgeSwitch also only has a 1 year warranty while the Netgear you
> mentioned has a Lifetime Warranty (for whatever that is worth).
> At (insert university name here) we were happily standardizing on Brocade
> ICX switches until we hit major OSPF firmware bugs. Dell N and S series are
> good, but also more expensive than that Netgear.


Thank you for the information.  Actually, having done some more searching, our 
budget could probably also stretch to getting a Cisco SG350X-48 switch instead 
of the Netgear.  Like the Netgear, it apparently features 48 1000Base-T ports 
plus two 10GBASE-T/SFP+ combo ports + 2 10GbE SFP+ ports.  So, port-wise, the 
same as the Netgear, but likely better firmware-wise/support.  (I have 
experience with the firmware of the Cisco SG350-28 model and really like its 
feature set.)

Cheers,

Paul.


Re: [pfSense] 10GBASE-T hardware

2018-03-28 Thread Paul Mather
On Mar 27, 2018, at 8:10 PM, Moshe Katz wrote:

Many thanks for the information and advice.  It is much appreciated.

> According to the specs that I found on HP's website, your HP switch does
> not support 10Gb, only 1Gb on its mini-GBIC ports. You will definitely need
> a new switch to take advantage of 10Gb.


It's true that the mini-GBIC ports support only 1Gb, but that HP switch also 
can accommodate two(?) option modules at the rear of the switch that can be 
used to provide 10 Gb connectivity.  According to the "HP ProCurve Switch - 
What modules are available for the 2910al?" page at the HP Support site 
(https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02620659) you 
can get dual-port 10-GbE CX4 and 10-GbE SFP+ option modules.  Well, at least I 
suppose you could, as I'm not sure how widely available they are, and, this 
being an old switch, it may be that buying option modules from vendors with 
which $WORK are willing to purchase may result in them being prohibitively 
expensive due to them being legacy/discontinued equipment.  In my experience, 
those tend to command a premium price (except when buying via eBay).  (The SFP+ 
option module---J9008A---appears to cost $700+ on a quick search.)


> If you do get a switch that supports 10GBase-T, you should definitely
> consider the Intel X540. The vast majority of reports that I have seen say
> that it works great. (There was one report I found on a forum claiming
> performance issues, but others on the same thread said it worked fine for
> them.)


Thanks, that's very good to know.


> There are also many dual-port SFP+ cards out there (such as the Intel X520)
> that are not too expensive and support lots of different types of SFP+
> connectors. Although Intel does not make a 10GBase-T SFP+ itself, there are
> third parties that make it. You would use one of those to connect to the
> 10GbE feed into the rack and then a regular fiber SFP (or the option listed
> below) to connect to the switch.


See below for queries/concerns about obtaining a 10GBase-T SFP+ transceiver.


> To connect the pfSense to the switch, I would probably use a Direct-Attach
> cable (DAC) instead of fiber or Ethernet. Approved Optics is a company that
> makes many OEM network
> connectors under contract and they also make their own versions of them at
> significantly reduced prices. Their DAC Finder tool lets you order a cable that
> has SFP+ ends for different manufacturers (for example, an Intel end for
> your pfSense and an HP end for your switch). There's no need to worry about
> fiber or CAT7A Ethernet cables; just plug the cable in (taking care to make
> sure it is oriented correctly) and that's it.


Again, many thanks for the Approved Optics link.  That will be very useful.

I don't have any practical SFP+ experience, so maybe you or someone else can 
verify whether I am understanding this correctly: the Direct-Attach cable 
basically encapsulates a transceiver at each end with an appropriate cable 
connecting them, all in one unit?


> Since you have a limited budget, I really recommend going the
> direct-attached route. They are so much cheaper and more resilient than
> fiber, and switches with SFP+ slots are often much cheaper than switches
> with 10GbE. For example, you can get a Ubiquiti EdgeSwitch with 48 Gb ports
> and 2 SFP+ ports for just around $400. These are the switches I have used
> in many of our limited-budget installations in the past (including in a
> University setting like yours seems to be from your email address) and they
> perform well. (Note that Approved Optics does not have official Ubiquiti
> cables, but many on the Ubiquiti forums report that it works with Cisco and
> other brand cables as long as they are 2 meters or shorter. In a single
> rack, that should not be an issue.)


My main issue with going the SFP+ route is that my rack uplink port is still 
10GBASE-T and so I'd need to find a 10GBASE-T transceiver for the pfSense 10 
GbE NIC and these seem difficult to find or they are 3rd party or they are 
expensive themselves (e.g., $200--$300+).  I've also heard there are thermal 
issues with those transceivers as there's not much opportunity to build in the 
requisite heat sinks that 10GBASE-T appears to need.  (I've noticed 10GBASE-T 
NICs have pretty hefty heatsinks on them.)  Besides that, I've not been able to 
find a 10GBASE-T transceiver for Chelsio NICs and only 3rd party ones for 
Intel---e.g., by some company called 10Gtek.

Does anyone have any advice/experience to share regarding 10GBASE-T 
transceivers?

Thanks again for the info.

Cheers,

Paul.


[pfSense] 10GBASE-T hardware

2018-03-27 Thread Paul Mather
A 10GBASE-T port became available to us in our server rack.  The rack currently 
has a 20-node Hadoop cluster, each node having dual Intel i350 1000BASE-T NICs.  
The Hadoop nodes connect to an old HP 2910al-48G 48-port GbE switch that, in 
turn, connects to an old Dell R310 server running pfSense that serves as the 
WAN gateway for the cluster.

It appears that the choice (not ours) of RJ45 for the 10 GbE provided for us in 
the rack will necessitate some equipment changes if we are to utilise the 10 
GbE connection.  Having done some investigation, I've decided the following 
changes are likely needed, and I would like to solicit from the list comment 
regarding any obvious blunders in the plan below:

1) I need a 10 GbE uplink capability from my switch to the pfSense gateway and 
also 10GBASE-T WAN connectivity from my pfSense gateway to the 10GBASE-T port 
in the rack.

2) The 10 GbE expansion options for the HP 2910al-48G are limited and I 
couldn't actually find any 10GBASE-T solutions (IIRC).  If I went for 10 GbE 
SFP+ in the HP 2910al-48G that would mean I would also need 10 GbE SFP+ 
capability in my pfSense gateway---likely meaning I would need two 10 GbE NICs 
(one SFP+ and one 10GBASE-T), which means...

3) It is probably cheaper (alas, we are on a budget) to buy a new switch to 
replace the HP 2910al-48G that includes 10GBASE-T uplink capability.  That 
would let me just have a single 10 GbE card for the pfSense gateway.  I think 
the Netgear GS752TX 52-port switch would be a good candidate as it includes two 
10GBASE-T ports in addition to the 48 1000BASE-T ports.

4) I am considering a Chelsio NIC for the 10GBASE-T WAN/LAN connections because 
I keep hearing these are the best-supported 10 GbE cards under FreeBSD.  I'd 
get a Chelsio T420-BT but these seem to be discontinued in favour of the 
Chelsio T520-BT.  Are there any better choices I should be considering?  Intel 
X540-T2??


So, as I said earlier, are there any glaring problems in the above plan?  (Does 
it seem sensible?)  Or, alternatively, is there a much better solution that 
I've overlooked entirely?  Constructive criticism/input is appreciated.

Thanks in advance.

Cheers,

Paul.


Re: [pfSense] ZFS on 2.4.2

2018-03-06 Thread Paul Mather
On Mar 6, 2018, at 12:39 PM, Walter Parker wrote:

> On Mon, Mar 5, 2018 at 6:38 PM, Curtis Maurand wrote:
> 
>> ZFS is a memory hog.   you need 1 GB of RAM for each TB of disk.
> 
> 
> Curtis, can you provide some more details? I have been testing this for the
> last couple of weeks and ZFS doesn't require 1G for each TB to function
> (which is the standard meaning of need).
> From my direct testing and experience 1G per TB is a rule of thumb for
> suggested memory sizing on general purpose servers. Do you have specific
> information that violating this rule of thumb will cause functional issues?
> 
> To be more blunt, was this a case of drive by nerd sniping or do you know
> something that will cause my specific use case to fail at some point in the
> future?


The "1G for each TB" sounds like the rule of thumb for when you plan to enable 
deduplication on a dataset.  ZFS deduplication can be a disastrous memory hog 
(or else completely ruin your performance if you don't have sufficient ARC 
memory/resources), which is why many people do not enable it unless they've 
made a serious conscious decision to do so.

I ran ZFS on a 1--2 GB RAM FreeBSD/i386 system for years and it was stable.  I 
had to tune KVM and restrict ARC RAM consumption, but once I did that I had no 
problems.  It's my experience that ZFS is more stable and tested on 
FreeBSD/amd64.

Cheers,

Paul.


> 
> 
> Walter
> 
> 
> 
>> On 3/1/2018 1:49 AM, Walter Parker wrote:
>> 
>>> Forgot to CC the list.
>>> 
>>> On Wed, Feb 28, 2018 at 10:13 PM, Walter Parker wrote:
>>> 
>>>> Thank you for the backup script.
>>>> 
>>>> By my calculations, 2G should be enough. If I limit the ARC cache to 1G,
>>>> that leaves 1G for applications & kernel memory. As I'm not serving the 6TB
>>>> drive up as a file server, but using it for one specific task (to receive
>>>> the backups from one host) I figure that I don't need lots of memory. ZFS
>>>> as a quick file server or busy server needs lots of memory to be quick.
>>>> I've seen testing showing ZFS doing fast file copies on as little as 768M
>>>> total system after proper memory tuning.
>>>> 
>>>> I need ZFS because it is the only file system that can receive incremental
>>>> ZFS snapshots and apply them. I have not setup the ZFS backup software yet,
>>>> so I'm just using rsnapshot. First time it ran, it filled all 1G of the
>>>> cache. I rebooted the firewall afterwards and now ZFS with 60-100M of usage
>>>> (the amount of data that rsync updates on a daily basis is pretty small).
>>>> Right now, the data from the other server is ~8.8G, compressed to 1.7G with
>>>> lz4.
>>>> 
>>>> When I get the full backup running, I will be ~1.5TB in size. ZFS
>>>> snapshots should be pretty small and quick (as it can send just the data
>>>> that was updated without having to walk the entire filesystem). An rsync
>>>> backup would have to walk the whole system to find all of the changes. Most
>>>> of the data on the system doesn't change (as it is a media library).
>>>> 
>>>> I'll post back more results if people are interested, after I get the
>>>> backup software working (I'm thinking about using ZapZend).
>>>> 
>>>> 
>>>> Walter
>>>> 
>>>> 
>>>> 
>>>> On Wed, Feb 28, 2018 at 8:54 PM, ED Fochler wrote:
>>>> 
>>>>> I feel like I'm late in responding to this, but I have to say that 2GB of
>>>>> RAM doesn't seem like nearly enough for a 6TB zfs volume.  ZFS is great in
>>>>> a lot of ways, but is a RAM consuming monster.  For something RAM limited
>>>>> like the 2220 I'd use a different, simpler file format.  Then I'd use rsync
>>>>> based snapshots.
>>>>> 
>>>>> Here's my personal backup script.  :-)  I haven't tried it FROM pfsense,
>>>>> but I've used it to back up pfsense.
>>>>> 
>>>>> ED.
>>>>> 
>>>>> 
>>>>> 
>>>>> On 2018, Feb 21, at 12:23 PM, Walter Parker wrote:
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just bought
>>>>>> a 6TB powered USB drive from Costco and it works great (the drive has its
>>>>>> own power supply and a USB hub). I want to use it to take ZFS backups from
>>>>>> my home server.
>>>>>> 
>>>>>> I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on boot
>>>>>> and created a pool and a file system. That worked, but the memory ran low
>>>>>> so I restricted the ARC cache to 1G to keep a bit more memory free and
>>>>>> rebooted. When the system rebooted it did not remount the pool (and
>>>>>> therefore the file system) because the pool was marked as in use by
>>>>>> another system (itself). That means that the pool was not properly
>>>>>> exported/umounted at shutdown.
>>>>>> 
>>>>>> Taking a quick look at rc.shutdown, I notice that it calls 

Re: [pfSense] Configs or hardware?

2018-02-19 Thread Paul Mather
On Feb 19, 2018, at 10:10 AM, Eero Volotinen wrote:

> Well. Does it require so much power, that I cannot run it on intel core2
> quad Q9400, 2.66Ghz processor (4 cores) ?


What a curious question.  It does not require "so much power" but it does 
require a minimum hardware spec, which that CPU will lack (no AESNI).

I can understand why people would be unhappy that their hardware becomes 
unsupported by a new release, but I also understand it's common in the 
computing industry and makes a lot of sense for Netgate to do this (reduced 
support costs; increased developer focus; etc.).  It's nice, also, they've laid 
out a roadmap for doing this and telegraphed clearly how they plan to support 
older hardware and for how long.  It's not like they just decided yesterday 
over a couple of pints at the pub to throw everyone without AESNI-capable CPUs 
under the bus right now.

I still have a CF NanoBSD-based pfSense installation running on Netgate 
hardware, and I appreciate they are still supporting 2.3, giving people like me 
time to migrate off to something else.

Cheers,

Paul.



Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Paul Mather
On Feb 6, 2018, at 10:03 AM, Roberto Carna wrote:

> Dear Alex, so there is no solution to the given problem ???
> 
> I refer to install a CA private certificate in mobile devices and let
> them navigate and use applications through a transparent proxy without
> SSL errors...


It could be that the applications and devices you consider "don't work 
correctly" are employing certificate and public key pinning (see, e.g., 
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning and 
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning).  It is a technique 
intended to defend against the very kind of certificate misuse in which you 
appear to be engaged.

Cheers,

Paul.


> 
> Regards,
> 
> 2018-02-06 11:35 GMT-03:00 Alex Threlfall:
>> They may be hard coded to look at only their own CA to prevent MiM attacks,
>> or use their own certificate store (for a similar behaviour).
>> 
>> Alex.
>> 
>>> -Original Message-
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto
>>> Carna
>>> Sent: 06 February 2018 13:32
>>> To: pfSense Support and Discussion Mailing List 
>>> Subject: [pfSense] Squid transparent with SSL interception - CA certificate
>>> problem
>>> 
>>> People, I've setup a transparent Squid proxy for WiFi clients. I'm using SSL
>>> interception so I had to generate a CA private certificate (generated from
>>> pfSense certificate manager tab).
>>> 
>>> But when I add this CA private certificate to several Android and iPhone
>>> devices in order to proxify and filter SSL applications, some of the Android
>>> devices don't work correctly: Facebook and Instagram don't load the profiles
>>> and Mercadolibre doesn't open the menu. In the other Android and iPhone
>>> devices, everything works OK.
>>> 
>>> Can this problem be related to the CA certificate (maybe I have to use a given
>>> digest algorithm and key length) or is this an Android intrinsic problem
>>> depending on OS version???
>>> 
>>> Thanks a lot.
>>> 
>>> ROBERT
>>> ___
>>> pfSense mailing list
>>> https://lists.pfsense.org/mailman/listinfo/list
>>> Support the project with Gold! https://pfsense.org/gold
>> 
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
> 

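
The check Paul is describing, as an added worked example that is not part of this thread or of pfSense/Squid: an RFC 7469 pin is base64(SHA-256(DER SubjectPublicKeyInfo)), and a client holding the genuine server's pin rejects a proxy-minted certificate for the same host name even though the imported CA makes the chain validate. The DER encoder and both certificates are constructed here so the block runs offline (no real keys or signatures; www.example.com, the key bytes and the Public-Key-Pins header are made up), and the parser handles only the X.509 fields the pin needs.

```python
import base64
import hashlib

# --- minimal DER encode/decode, enough for the X.509 fields used below ---

def der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def der_iter(data: bytes):
    """Yield (tag, value, raw_tlv) for each top-level element (single-byte tags only)."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            k = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), 2 + k
        end = i + hdr + length
        yield tag, data[i + hdr:end], data[i:end]
        i = end

OID_RSA = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("0603550403")                      # 2.5.4.3 commonName
NULL = b"\x05\x00"

def make_spki(pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }."""
    return seq(seq(OID_RSA, NULL), tlv(0x03, b"\x00" + pubkey))

def make_cert(cn: str, pubkey: bytes) -> bytes:
    """Structurally valid, self-issued X.509 v3 certificate with a placeholder
    signature. Constructed test input only: no real key, no real signature."""
    name = seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))
    validity = seq(tlv(0x17, b"180101000000Z"), tlv(0x17, b"190101000000Z"))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),  # [0] EXPLICIT version v3
        tlv(0x02, b"\x01"),             # serialNumber
        seq(OID_SHA256_RSA, NULL),      # signature AlgorithmIdentifier
        name,                           # issuer
        validity,
        name,                           # subject
        make_spki(pubkey),              # subjectPublicKeyInfo: this is what gets pinned
    )
    return seq(tbs, seq(OID_SHA256_RSA, NULL), tlv(0x03, b"\x00" * 33))

# --- the pinning logic ---

def extract_spki(cert_der: bytes) -> bytes:
    _, cert, _ = next(der_iter(cert_der))    # Certificate SEQUENCE
    _, tbs, _ = next(der_iter(cert))         # tbsCertificate SEQUENCE
    fields = list(der_iter(tbs))
    idx = 6 if fields[0][0] == 0xA0 else 5   # version is optional; v1 certs omit it
    return fields[idx][2]

def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def parse_hpkp(header: str) -> set:
    """Collect the pin-sha256 values of a Public-Key-Pins header (name optional)."""
    if header.lower().startswith("public-key-pins"):
        header = header.split(":", 1)[1]
    return {d.strip().partition("=")[2].strip().strip('"')
            for d in header.split(";") if d.strip().lower().startswith("pin-sha256")}

def pin_check(cert_der: bytes, pins: set) -> bool:
    """Chain validation is a separate step; the pin compares keys, not issuers."""
    return spki_pin(cert_der) in pins

if __name__ == "__main__":
    site = make_cert("www.example.com", b"\x01" * 64)  # the genuine server key (made up)
    mitm = make_cert("www.example.com", b"\x02" * 64)  # same name, key minted by the proxy CA
    pins = parse_hpkp(f'Public-Key-Pins: pin-sha256="{spki_pin(site)}"; max-age=5184000')
    print("genuine certificate passes pin check:", pin_check(site, pins))
    print("intercepted certificate passes pin check:", pin_check(mitm, pins))
```

Browsers have since dropped HPKP, and the mobile apps in Roberto's report more likely carry their pins in code or in Android's network security configuration, but the computation and the comparison are the same: the proxy can satisfy the chain check with its installed CA, yet it cannot produce a certificate carrying the original key. On a real certificate the pin is what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` prints.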


Re: [pfSense] MBR restore

2017-06-30 Thread Paul Mather
On Jun 30, 2017, at 10:11 AM, Nicola Ferrari (#554252) wrote:

> On 30/06/2017 16:04, Eric Landry wrote:
>> You could always write a new boot0 to your disk. If you load a FreeBSD disc 
>> and run the following command on your pfsense hard disk.
>> 
>> fdisk -B -b /boot/boot0 device
>> 
>> Where device is your pfsense drive.
>> 
>> This should do the trick.
>> 
>> Source: https://www.freebsd.org/doc/handbook/boot-introduction.html
>> 
>> Hope this helps!
> 
> Thanks to everybody!
> Sure it helps, that's what I was looking for.
> 
> Do you have any experience about what Live CD we could use to restore boot0?
> 
> This seems to be a deprecated project:
> http://livecd.sourceforge.net/
> 
> but this one seems to be more recent:
> http://www.freesbie.org/
> 
> Do you have any suggestion?


Boot a FreeBSD 10.3 installer image (either CD/DVD or memstick image), 
depending upon your hardware.  You can download them from here: 
https://www.freebsd.org/where.html 

The install media supports a "Live" mode.

Cheers,

Paul.



Re: [pfSense] pfsense twitter account making rude comments.

2017-02-21 Thread Paul Mather
On Feb 21, 2017, at 11:30 AM, Ryan Coleman wrote:

> Not that we are anyone who would know anything about that…


The best thing to come out of this ugly spat, for me, is that I went to the 
pfSense Twitter feed to see what all the fuss was about (I'm not on Twitter) 
and discovered that pfSense 2.3.3 has just been released! :-)

I'd like to give a hearty THANKS to the pfSense project for another great 
release.

It also reminds me I really should get around to subscribing to the announce@ 
mailing list... :-)

Cheers,

Paul.

> 
> 
>> On Feb 21, 2017, at 6:21 AM, Frank Schaffhaeuser wrote:
>> 
>> Spamming mailing lists with profanity doesn't help in operating a 
>> 'successfully business' [sic].
>> 
>> Settle your dispute in private please.
>> 
>> 
>> 
>> 
>>  Original Message  
>> From: webmas...@squidblacklist.org
>> Sent: 21 February 2017 11:46 a.m.
>> To: list@lists.pfsense.org
>> Reply to: list@lists.pfsense.org
>> Subject: Re: [pfSense] pfsense twitter account making rude comments.
>> 
>> Dear Mr. Thompson.
>> 
>> I have spent the last 5 years or my life committed to creating a better 
>> blacklist, the very reason I created Squidblacklist.org was to bring a 
>> better blacklist to the world. Because I saw that shalla and 
[[... etc. ...]]


[pfSense] CAS or Shibboleth authentication?

2017-01-24 Thread Paul Mather
Does anyone know whether CAS or Shibboleth is supported as an authentication 
method by pfSense 2.3.2?  CAS is the preferred authentication method for Web 
applications at our organisation and so it would be great if pfSense could use 
it---at least with the WebGUI.

Is there anyone on the list using CAS with pfSense?

Cheers,

Paul.


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-21 Thread Paul Mather
On Aug 21, 2016, at 4:03 PM, Bryan D. <pfse...@derman.com> wrote:

> On 2016-Aug-21, at 5:50 AM, Paul Mather <p...@gromit.dlib.vt.edu> wrote:
> 
>> Even on that page it's incorrect to say it "only" offers the XG-2758.  
>> That's the only one they show in the main table on that page ...
> 
> There's likely good science behind the fact that nearly all e-stores will 
> present (often overwhelming) detail, by default, along with various filters 
> to narrow down the products of interest.
> 
> I've also experienced the "you have to make an effort to find it" aspect of 
> the pfSense store pages.  Not ideal.  Sales will be lost, as this incident 
> demonstrates.
> 
> Blaming a would-be customer for not seeing/finding something on a 
> catalog/store/marketing page is probably not a good strategy as it won't help 
> sales.


I'm not blaming any customer for anything, and, in case I wasn't overly clear 
when I said, "Not to sound like an apologist or a shill for the pfSense 
project", I don't work for nor am I in any way affiliated with the pfSense 
Store except that I am a prior customer (who figured out how to use their Web 
site).

I'll refrain from further comment on this topic as it appears to be veering 
into the more heat than light category.

Cheers,

Paul.


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-21 Thread Paul Mather
On Aug 21, 2016, at 2:56 AM, Dave Warren wrote:

> On 2016-08-20 04:02, Jim Thompson wrote:
>>> On Aug 20, 2016, at 3:10 AM, Dave Warren wrote:
>>> 
>>>> On 2016-08-03 08:43, Steve Yates wrote:
>>>> I'm being serious but what is your rationale for not using 
>>>> pfSense's/NetGate's?
>>>> 
>>>> https://www.pfsense.org/products/
>>>> 
>>>> The "cheap" part (< $299)?  We tried a "build our own" approach and it's 
>>>> tough to get a small package.  Any old PC will do just fine if one adds an 
>>>> SSD but as someone pointed out that may use far more power in the long run.
>>> For me, it's the fact that I want to rackmount my gear, but $1,799.00 is 
>>> the cheapest option offered on pfSense.org that can rackmount.
>> You seem to have added $1000 without justification:
>> 
>> https://store.pfsense.org/SG-4860-1U/
> 
> Perhaps someone should put that on the https://pfsense.org/ website?


Not to sound like an apologist or a shill for the pfSense project, but in the 
line just above the "Products" link that you presumably clicked on, right at 
the very top of the page, is a link labelled "Store".  On the same line as the 
"Store" link is a "Partner Locator" link that goes to a page with a list of 
MSP, VAR, and Retail companies.  That might have been a good place to find 
official pfSense hardware. :-)


> I started at https://pfsense.org/, then clicked on Products, which took me to 
> https://pfsense.org/products/ which only offers 
> https://store.pfsense.org/XG-2758/ when I was looking for a new product a 
> couple weeks ago. It didn't occur to me you would have multiple incomplete 
> lists of products, so I ordered hardware elsewhere already.


Even on that page it's incorrect to say it "only" offers the XG-2758.  That's 
the only one they show in the main table on that page (which presumably is only 
a "recommended selection" of what they offer, to avoid the table becoming 
overcrowded).  If you click on the big red "PRODUCT FAMILY" link above that 
then you get a listing that includes the SG-4860-1U.  Plus all of the "MORE 
DETAILS" links in the main table take you to the pfSense Store, where, 
presumably those curious would browse further (and see that they sell, e.g., 
high availability solutions).


> Shame, I'd rather have supported pfSense, but it's too late now.


If you'd been keen on supporting the pfSense project then you'd have done well 
to read the "Official Product Comparison" section of the "Products" page you 
mention above.  It talks about the benefits of supporting the project, but, 
moreover, contains obvious links to "The pfSense Store" and "pfSense Partner".

I guess you were in a big hurry when you ordered and missed reading that? ;-)

Cheers,

Paul.


Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Paul Mather
On May 5, 2016, at 9:47 AM, Jeppe Øland <jol...@gmail.com> wrote:

> So the update failed, and pfSense still says 2.3 - but NTP was indeed
> updated (but not restarted).
> 
> I then tried installing the RRD_Summary package.
> That one also said it failed, but still completed enough that the menu
> appeared and worked.
> 
> I forget if it said "failed" when I uninstalled it again ... probably did.
> 
> This install is running a 4G NANO image ... maybe there's a problem with
> that?


FWIW, the system I updated is a 4G NANO install (amd64).  The update status 
shows it is at version 2.3_1 after the update.  The only issue I encountered is 
ntpd being stopped and having to start it manually.

Cheers,

Paul.


> 
> Regards,
> -Jeppe
> 
> On Thu, May 5, 2016 at 6:26 AM, Paul Mather <p...@gromit.dlib.vt.edu> wrote:
> 
>> On May 5, 2016, at 9:13 AM, Vick Khera <vi...@khera.org> wrote:
>> 
>>> On Tue, May 3, 2016 at 11:24 AM, Jeppe Øland <jol...@gmail.com> wrote:
>>> 
>>>> Does this update actually work?
>>>> 
>>>> After hitting install and crunching for a while, it showed "firmware
>>>> installation failed!" at the top.
>>>> 
>>> 
>>> I just did the upgrade and it succeeded. However, ntpd was not restarted
>> on
>>> either of the two systems upgraded. I had to manually restart ntpd.
>> 
>> 
>> Same here.  In fact, in my case, ntpd ended up in the stopped state, and I
>> had to start it manually.
>> 
>> Cheers,
>> 
>> Paul.
>> 
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>> 
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Paul Mather
On May 5, 2016, at 9:13 AM, Vick Khera wrote:

> On Tue, May 3, 2016 at 11:24 AM, Jeppe Øland wrote:
> 
>> Does this update actually work?
>> 
>> After hitting install and crunching for a while, it showed "firmware
>> installation failed!" at the top.
>> 
> 
> I just did the upgrade and it succeeded. However, ntpd was not restarted on
> either of the two systems upgraded. I had to manually restart ntpd.


Same here.  In fact, in my case, ntpd ended up in the stopped state, and I had 
to start it manually.

Cheers,

Paul.


Re: [pfSense] Unbound DNS Resolver doesn't listen on IP aliases even when selected in settings

2015-11-18 Thread Paul Mather
On Nov 17, 2015, at 12:45 PM, Steve Yates <st...@teamits.com> wrote:

> Paul Mather wrote on Thu, Nov 12 2015 at 1:38 pm:
> 
>> Unfortunately, with this configuration, unbound does not listen on the
>> IP aliases: it only listens on the primary IP addresses of LAN,
>> INTERNAL, and localhost.
> 
> I don't have quite the same configuration, but with a CARP shared LAN 
> IP, it listens on that alias.  Did you check your firewall log/rules?


I don't believe it is an issue of firewall/log rules.  Unbound is simply not 
listening on those interfaces, as shown by a "sockstat -4l":

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
[[...]]
unbound  unbound    1123  10 udp4   10.5.5.1:53       *:*
unbound  unbound    1123  11 tcp4   10.5.5.1:53       *:*
unbound  unbound    1123  12 udp4   10.0.0.7:53       *:*
unbound  unbound    1123  13 tcp4   10.0.0.7:53       *:*
unbound  unbound    1123  14 udp4   127.0.0.1:53      *:*
unbound  unbound    1123  16 tcp4   127.0.0.1:53      *:*
unbound  unbound    1123  19 tcp4   127.0.0.1:953     *:*
[[...]]

Those IP addresses correspond to the primary addresses of LAN, INTERNAL, and 
localhost.  Missing are entries listening on the IP aliases, 10.0.0.1 and 
10.0.0.14.

Also, even though I also have 10.0.0.14 and 10.0.0.1 checked in the DNS 
Resolver settings, they are not included in the active 
/var/unbound/unbound.conf file:

[[...]]
# Interface IP(s) to bind to
interface: 10.5.5.1
interface: 10.0.0.7
interface: 127.0.0.1
interface: ::1
[[...]]

Only the primary addresses of the network NICs are included.

If I add "interface:" lines myself to this file and stop and start unbound from 
the command line then unbound listens correctly on the IP aliases, too.  For 
some reason, they are not making it into the unbound.conf file from the GUI 
settings page for DNS Resolver.

Cheers,

Paul.
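A quick way to confirm the mismatch described in the post is to compare the "interface:" lines in unbound.conf with the sockets unbound actually holds. The script below is an added example, not something from the thread or from pfSense: the helper names are my own, the addresses are the ones quoted above, and both the unbound.conf fragment and the sockstat listing are constructed samples that reproduce the symptom (the two IP aliases are configured but have no listener).

```shell
#!/bin/sh
# Added example (not from the thread): report addresses that unbound.conf
# tells unbound to bind but that "sockstat -4l" shows no listener for.
# Helper names are my own; the inputs below are constructed samples.

# Constructed unbound.conf fragment with the two IP aliases present, as the
# GUI settings should have produced.
SAMPLE_CONF='# Interface IP(s) to bind to
interface: 10.5.5.1
interface: 10.0.0.7
interface: 10.0.0.1
interface: 10.0.0.14
interface: 127.0.0.1
interface: ::1'

# Constructed "sockstat -4l" output: only the primary addresses are bound.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1123  10 udp4   10.5.5.1:53           *:*
unbound  unbound    1123  11 tcp4   10.5.5.1:53           *:*
unbound  unbound    1123  12 udp4   10.0.0.7:53           *:*
unbound  unbound    1123  13 tcp4   10.0.0.7:53           *:*
unbound  unbound    1123  14 udp4   127.0.0.1:53          *:*
unbound  unbound    1123  16 tcp4   127.0.0.1:53          *:*
unbound  unbound    1123  19 tcp4   127.0.0.1:953         *:*'

# IPv4 addresses named by "interface:" lines. IPv6 entries (containing ":")
# are skipped because the socket listing is IPv4-only (-4).
configured_ifaces() {
    printf '%s\n' "$1" | awk '$1 == "interface:" && $2 !~ /:/ { print $2 }' | sort -u
}

# IPv4 addresses on which unbound holds BOTH a UDP and a TCP socket on port 53.
# A resolver with only one of the two is also misconfigured, so require both.
# sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.
listening_ifaces() {
    printf '%s\n' "$1" | awk '
        $2 == "unbound" && $6 ~ /:53$/ {
            addr = $6; sub(/:53$/, "", addr)
            if ($5 == "udp4") udp[addr] = 1
            if ($5 == "tcp4") tcp[addr] = 1
        }
        END { for (a in udp) if (a in tcp) print a }' | sort -u
}

# Configured addresses with no matching listener: the symptom in the thread.
missing_listeners() {
    conf=$1; socks=$2
    listening=$(listening_ifaces "$socks")
    for addr in $(configured_ifaces "$conf"); do
        printf '%s\n' "$listening" | grep -qxF "$addr" || printf '%s\n' "$addr"
    done
}

# On a pfSense box the real inputs would be:
#   missing_listeners "$(cat /var/unbound/unbound.conf)" "$(sockstat -4l)"
missing_listeners "$SAMPLE_CONF" "$SAMPLE_SOCKSTAT"
```

Run against the samples it prints 10.0.0.1 and 10.0.0.14, the two aliases. An empty result means every configured IPv4 interface has both its UDP and TCP listener; an address that appears here after a GUI save is the cue to diff the generated unbound.conf against the settings page, as the post does by hand.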


[pfSense] Unbound DNS Resolver doesn't listen on IP aliases even when selected in settings

2015-11-12 Thread Paul Mather
I recently started using "DNS Resolver" on my pfSense 2.2 system, which had 
been previously using "DNS Forwarder."  The pfSense install has a WAN network 
and two local networks, LAN and INTERNAL.  The INTERNAL network has two IP 
aliases defined for it.

In DNS Resolver -> General Settings -> Network Interfaces I have LAN, INTERNAL, 
Localhost, and the two IP aliases selected; All and WAN are unselected.  In 
"Outgoing Network Interfaces" I have All selected.

Unfortunately, with this configuration, unbound does not listen on the IP 
aliases: it only listens on the primary IP addresses of LAN, INTERNAL, and 
localhost.

Is anyone else having this problem?  If so, is there a way to get unbound to 
listen on all the *selected* interfaces?

Cheers,

Paul.


Re: [pfSense] Block Torrentz

2015-08-19 Thread Paul Mather
On Aug 19, 2015, at 1:32 AM, A Mohan Rao mohanra...@gmail.com wrote:
 
 sorry not clear your point...!

I believe the point is that focusing on blocking port ranges like 6881-6889 is 
horribly outdated with modern BitTorrent clients. :-)

Many BitTorrent clients will choose a random port on startup and then use 
NAT-PMP or uPnP to open it at the firewall to ensure the client is reachable.  
It's also common for BitTorrent clients to use various methods to discover 
clients (PEX, DHT, local peer discovery), and also to encrypt traffic between 
those clients.  Increasingly, people are also using VPN providers to connect to 
BitTorrent trackers or otherwise connect to swarms.

Cheers,

Paul.

 
 On Wed, Aug 19, 2015 at 1:21 AM, Espen Johansen pfse...@gmail.com wrote:
 
 Focus on layer 7. Most torrent clients use dynamic ports. And disable upnp
 as that will defeat the ports blocking as well.
 
 -lsf
 
 On Tue, 18 Aug 2015, 21:21, A Mohan Rao mohanra...@gmail.com wrote:
 
 Hello pfSense experts,
 
 I find out torrents ports like 6881-6889 etc.
 And create firewall block rule source lan network then destination any
 with
 torrents ports but still users can download torrents data.
 Also i created in traffic shaper layer 7 BitTorrent still not reached any
 positive result.
 Pls guide Where i m wrong or my rules not work...
 
 Thanks in advance.
 
 Mohan Rao
 
 
 



Re: [pfSense] 32 or 64?

2015-01-06 Thread Paul Mather
On Jan 6, 2015, at 12:57 PM, Márcio Merlone marcio.merl...@a1.ind.br wrote:

 Happy 2015 for all!
 
 I am planning to replace some Linksys boxes on remote offices with a virtual 
 pfSense in the next months and was wondering  what's recommended for a new 
 install today: 32 or 64 bits? I ask considering what's best for the mid-long 
 term, are there any 64bit-only features now or planned? Will I lose 
 something running a 32 bit version now or a few years from now?
 
 What are the advantages/disadvantages of each now and what is expected for a 
 near future? I am not asking for an in-depth analysis, but rather a general 
 overview and opinion of the main diffs.


I would recommend using a 64-bit version unless you can't.

pfSense is based on FreeBSD, and, it's fair to say, development and 
installed user base is focused more on FreeBSD/amd64 than FreeBSD/i386.

There has also been talk of using ZFS in future pfSense, e.g., for 
boot environments and rollbacks on updates, and I would not recommend 
using ZFS on FreeBSD/i386; it's far better on FreeBSD/amd64.

Cheers,

Paul.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfsense, IPSec, and Mac OS X

2014-08-22 Thread Paul Mather
On Aug 22, 2014, at 11:38 AM, Paul Galati paulgal...@gmail.com wrote:

 thanks for your reply.  I have looked at that page already to verify my 
 initial settings were correct, and they are.  It is the final tweak that I am 
 trying to locate.  I just don’t understand why simply turning NAT-T on or off 
 would completely eliminate the login prompt.


In my setup (OS X 10.9 with IPSec client using XAuth PSK) I don't have 
to enter a login or password or shared secret because that's already in 
the OS X IPSec VPN configuration in Network Preferences.  The only time 
I am prompted to enter the password is after about an hour, presumably 
when the IPSec lifetime has expired on the client side.

When I connect from the Mac, all I get is a popup saying VPN 
Connection and buttons with Disconnect and OK.

For me, enabling or disabling NAT-T is the difference between traffic 
routing out of the pfSense box or not, i.e., the VPN working or not 
working.

Cheers,

Paul.



Re: [pfSense] pfsense, IPSec, and Mac OS X

2014-08-20 Thread Paul Mather
On Aug 19, 2014, at 5:19 PM, Paul Galati paulgal...@gmail.com wrote:

 Anybody on the list using Mac OS X 10.6 or later and the built in Cisco IPSec 
 Client connecting to pfSense with any reliability?  I am having a heck of a 
 time getting the expected result.  I have a couple users that want to connect 
 via IPSec and use the CUPC client to make phone calls.  When I initially 
 setup the server and client according to different how-to’s on the web, I was 
 able to connect and reach the internet as well as the internal networks and 
 make phone calls.  Later that same day without changing a single piece of 
 configuration, I am unable to connect because the negotiation failed.  It 
 continues to not respond for many hours but at some point starts to respond 
 again.  I have not been able to formulate proof of reason.  If I simply turn 
 off NAT-T in Phase 1, I am able to connect every time I have tried BUT, I am 
 not able to reach anything on the remote side despite receiving a valid IP 
 address from the mobile client config. I believe I have the appropriate 
 config in the rules for IPSec and LAN but I am not having much luck.
 
 Anybody have any insight that might be useful for me?


I'm not sure if I have any insight, but I've been using Mac OS X 10.6 
and later to connect to pfSense via the built-in IPSec client.  The 
main issue I found is that I couldn't get any traffic to flow unless I 
enabled NAT-T.  Without NAT-T enabled, the client would connect fine 
but no packets would reach it from the pfSense gateway.  With NAT-T, 
traffic would reach the client.  I posted about the issue to this list 
a few years ago 
(https://www.mail-archive.com/support@pfsense.com/msg21912.html) but 
got no response.  My solution was just to force NAT-T for all 
connections, whether the client required it or not (i.e., set NAT 
Traversal to force in the Phase 1 settings).

The other thing I've noticed with the built-in client is that enabling 
Save Xauth Password in the mode-cfg section of Mobile Clients does 
not appear to have any effect.  The Mac client will still prompt the 
user to re-enter the password after an hour.  Also, I've not had 
success in lengthening the lifetime between these prompts to re-enter 
the password, but, to be honest, I've not done much experimentation.

Cheers,

Paul.



Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Paul Mather
On Jul 30, 2014, at 5:37 AM, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

 Hi list,
 
 I'm seeing the following warning on my pfsense 2.1.4-RELEASE (i386):
 
 ZFS WARNING: Recommended minimim kmem_size is 512MB; expect unstable
 behavior.
 Consider tuning vm.kmem_size and vm.kmem_size_max in /boot/loader.conf
 
 Currently, the values are:
 vm.kmem_size=525544320
 vm.kmem_size_max=535544320
 
 Given this machine has 1 Gigabyte of RAM, which values should I enter?

Personally, I think ZFS on i386 has become a losing proposition as of 
late.  I ran a ZFS-on-root FreeBSD/i386 10-STABLE system with 2 GB of 
RAM and it appeared to become very flaky with ZFS in its latter months 
(I eventually switched it out for a FreeBSD/amd64 system).

I had to be careful with what values for vm.kmem_size, 
vm.kmem_size_max, and vfs.zfs.arc_max I put in /boot/loader.conf 
because often certain combinations would panic the system on boot.  
Also, to use quite a bit of the available RAM for ARC required me to 
build a custom kernel with KVA_PAGES=512 set in the kernel config file.

I believe the days when FreeBSD/i386 was considered the primary, 
tried-and-tested distribution and FreeBSD/amd64 the less-tested version 
are long behind us.  If you can run FreeBSD/amd64 then you should.  If 
you can only run FreeBSD/i386 then I wouldn't recommend using ZFS with 
it.  I just don't think it gets adequate testing any more.  (YMMV.)

Cheers,

Paul.



[pfSense] LDAP PAM auth with Local Database accounts?

2014-07-30 Thread Paul Mather
At our organisation we have a central LDAP database that contains 
administrative information.  For Unix purposes, it's only useful for 
PAM auth, as its schema does not contain the requisite Posix attributes 
required by Unix accounts.  Nevertheless, it is still very useful for 
password authentication because the 24/7 service our organisation 
provides for password reset and management can be leveraged when 
authenticating against this LDAP source.

On my FreeBSD and Linux servers, this means I can have the PAM auth 
component for services in pam.d work to do password authentication 
using the user's organisation password, yet all the account data still 
comes from local accounts on the system.  The upshot is that if the 
user forgets his or her password, they don't come to me, they go to the 
organisational 4HELP. :-)

Is it possible to use this kind of setup on pfSense 2?  It almost seems 
to work for me, but maybe I am doing something wrong.  The 
authentication part works, but, because there are no Group attributes 
in our central LDAP, the user seems to become a member of no groups 
when logging in.  This appears to throw pfSense for a loop. :-)

It would be nice if pfSense would fall back to Local Database 
attributes when LDAP doesn't provide them, or, maybe better still, if a 
new blended authentication method of LDAP auth + Local Database 
Attributes was available that used LDAP for auth but the Local 
Database for account information such as real name, groups, etc.

This latter approach is how applications such as Redmine use LDAP 
authentication.

Cheers,

Paul.


Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Paul Mather
On Jul 30, 2014, at 4:09 PM, Espen Johansen pfse...@gmail.com wrote:

 ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to things 
 like silent data corruption (disk FW bugs, power spikes). It has on-the-fly 
 checking and repair. Copy on write, snapshotting, NFSv4 native ACLs and a few 
 more nice things. I don't understand the bashing?
 

I swear by ZFS on my regular FreeBSD systems (though I was having 
trouble with it on FreeBSD/i386 latterly).  I don't think there's any 
bashing of ZFS per se, just a wondering why you'd use it on a 
firewall appliance that's basically a nanobsd setup at heart...

Cheers,

Paul.

 -lsf
 
 On 30 July 2014 21:44, Stefan Baur newsgroups.ma...@stefanbaur.de 
 wrote:
 On 30.07.2014 at 16:43, Vick Khera wrote:
  On Wed, Jul 30, 2014 at 9:50 AM, Paul Mather p...@gromit.dlib.vt.edu 
  wrote:
  Personally, I think ZFS on i386 has become a losing proposition as of
  late.  I ran a ZFS-on-root FreeBSD/i386 10-STABLE system with 2 GB of
  RAM and it appeared to become very flaky with ZFS in its latter months
  (I eventually switched it out for a FreeBSD/amd64 system).
 
  I cannot fathom a sensible use case for using ZFS on pfSense at all.
 
 I'm not consciously using ZFS for anything on pfSense, I *think* I
 performed the default install, but it could be using ntfs or vfat for
 all that I care. ;-) So I don't know why it's trying to use that - is it
 normal for a default pfSense install or not?
 
 I just saw the warning message and was wondering what to do about it.
 
 -Stefan



Re: [pfSense] Weird routing issue with pfSense-2.1.3-RELEASE-i386, Debian Wheezy, kvm and virtio

2014-06-11 Thread Paul Mather
On Jun 10, 2014, at 5:37 PM, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

 On 10.06.2014 at 22:52, Karsten Gorling wrote:
 * Stefan Baur newsgroups.ma...@stefanbaur.de [140610 17:59]:
 This works all fine and dandy as long as I'm not using virtio:
 
 I had the same problem. Essentially the VirtIO network drivers of
 FreeBSD are broken; you have to use another virtual network card.
 https://groups.google.com/forum/#!msg/mailing.freebsd.bugs/gw42Il1AX0o/3zj-gnRKgHIJ
 
 Browsing through the pfSense forum and the FreeBSD Bugtracker, I found
 that checking the Disable hardware checksum offload box on
 /system_advanced_network.php *and manually rebooting after saving*
 solved the problem for me. Haven't done any performance comparisons yet,
 though.
 
 Maybe you want to try the same? Again, it seems to be important to
 reboot pfSense manually after the change - there's no prompt telling you
 you should (all it says is "The changes have been applied
 successfully." - but they don't come to life until you reboot).


I've had problems using pf under KVM with the virtio driver, as 
reported in this thread: 
http://lists.freebsd.org/pipermail/freebsd-stable/2013-August/074637.html

In my case, it would provoke abrt crash reports on the KVM host.  I 
subsequently discovered that this did not happen when using the e1000 
driver in the FreeBSD guest, so it seems that pf in general is not a 
problem for FreeBSD guests under KVM, just the pf+virtio (vnetX) 
combination.

IIRC, I didn't notice a severe performance degradation when switching 
temporarily to the e1000 driver.  It isn't too big an issue for me 
right now because I do firewalling at the pfSense gateway and not on 
the guests.  It would be nice for the pf + virtio combination to work 
harmoniously, though, so I'd have the option of firewalling on the 
guests, too, if needed at some point.

Cheers,

Paul.



Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread Paul Mather
On Apr 14, 2014, at 10:36 AM, Tim Nelson tnel...@rockbochs.com wrote:

 - Original Message - 
 I'll put here the amount of info that I can before my server's
 security may be compromised.
 
 I want to install pfsense on a server that's hosted by ProfitBrick
 and uses KVM as its virtualization environment, which may become a
 problem.
 
 It has two NICs. One for WAN and one for LAN.
 
 The need for it is as simple as providing firewall and NAT (if
 needed) to the local network, which has some servers that are not
 and will not be on the public network directly.
 
 The install goes fine, but the problems start becoming visible when
 I'm trying to configure it.
 
 
 What type of NIC emulation is the KVM VM providing? e1000 would be best, 
 followed by virtio, then possibly rtl8139. Of course, that is coming from my 
 experience with using KVM via Proxmox VE, not KVM in a manual or 'cloud' 
 environment such as Profitbrick.

I found that I had problems with FreeBSD using pf + virtio under KVM 
but not when using pf + e1000 under KVM (under CentOS 6).  That was 
under RELENG_9.  I haven't tried RELENG_8_* or RELENG_10.  I should try 
again, to see if I still get problems.

Cheers,

Paul.



Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Paul Mather
On Apr 8, 2014, at 4:39 PM, Rainer Duffner rai...@ultra-secure.de wrote:

 
 On 08.04.2014 at 21:04, Jim Thompson j...@smallworks.com wrote:
 
 
 Well, that’s the point, Paul.  (You hit the nail on the head.)
 
 If you don’t have an openssl service exposed, the problem doesn’t affect you.
 
 Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
 minimized.
 
 We are working at cutting a new release.
 
 
 
 Hi,
 
 according to:
 
 http://www.kb.cert.org/vuls/id/BLUU-9HY33E
 
 only FreeBSD 10 is affected.
 
 There are binary updates for FreeBSD 10 available, just no advisory-text.

The advisory is now out (FreeBSD Security Advisory
FreeBSD-SA-14:06.openssl).  It includes this line:

Affects:        All supported versions of FreeBSD.

I've already updated a bunch of FreeBSD 9.2-RELEASE-p3 and 10.0-RELEASE
systems via freebsd-update.  I'm updating my 9-STABLE and 10-STABLE
systems now via a source update...

Cheers,

Paul.



Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Paul Mather
On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:

 
 Well, that’s the point, Paul.  (You hit the nail on the head.)
 
 If you don’t have an openssl service exposed, the problem doesn’t affect you.
 
 Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
 minimised.

The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the 
Impact section:

=
III. Impact

An attacker who can send a specifically crafted packet to TLS server or client
with an established connection can reveal up to 64k of memory of the remote
system.  Such memory might contain sensitive information, including key
material, protected content, etc. which could be directly useful, or might
be leveraged to obtain elevated privileges.  [CVE-2014-0160]

A local attacker might be able to snoop a signing process and might recover
the signing key from it.  [CVE-2014-0076]
=

I take that to read the vulnerability being exploitable both ways, i.e., a 
malicious server could also attack a vulnerable client connecting to it via 
SSL/TLS, making the attack surface potentially much larger.

FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer 
appears to back this up.  It included the following advice:

=
Users who use TLS client and/or server are strongly advised to apply
updates immediately.

Because of the nature of this issue, it's also recommended for system
administrators to consider revoking all of server certificate, client
certificate and keys that is used with these systems and invalidate
active authentication credentials with a forced passphrase change.
=

Cheers,

Paul.

Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Paul Mather
On Apr 8, 2014, at 9:35 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:

 On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:
 
 
 Well, that’s the point, Paul.  (You hit the nail on the head.)
 
 If you don’t have an openssl service exposed, the problem doesn’t affect you.
 
 Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
 minimised.
 
 The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the 
 Impact section:
 
 =
 III. Impact
 
 An attacker who can send a specifically crafted packet to TLS server or client
 with an established connection can reveal up to 64k of memory of the remote
 system.  Such memory might contain sensitive information, including key
 material, protected content, etc. which could be directly useful, or might
 be leveraged to obtain elevated privileges.  [CVE-2014-0160]
 
 A local attacker might be able to snoop a signing process and might recover
 the signing key from it.  [CVE-2014-0076]
 =
 
 I take that to read the vulnerability being exploitable both ways, i.e., a 
 malicious server could also attack a vulnerable client connecting to it via 
 SSL/TLS, making the attack surface potentially much larger.
 
 FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer 
 appears to back this up.  It included the following advice:
 
 =
 Users who use TLS client and/or server are strongly advised to apply
 updates immediately.
 
 Because of the nature of this issue, it's also recommended for system
 administrators to consider revoking all of server certificate, client
 certificate and keys that is used with these systems and invalidate
 active authentication credentials with a forced passphrase change.
 =

Just as a follow-up and clarification to the above, the recent OpenSSL 
vulnerability Security Advisory actually covers two OpenSSL flaws.  The 
heartbleed flaw only affects FreeBSD 10 in the base OS.  All other supported 
FreeBSD releases are affected by the other flaw they describe (in the ECDSA 
Montgomery Ladder Approach implementation).

I believe pfSense users are only affected by the secondary flaw, and also any 
software in pfSense using the /usr/local/... version of OpenSSL, as mentioned 
by Vick Khera earlier.

Kudos to the pfSense team for beavering away and cranking out a fix!

Cheers,

Paul.

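The two Heartbleed posts above leave a practitioner with a concrete triage task: work out which OpenSSL builds on a box are in the affected range, remembering (as the follow-up notes) that pfSense packages may link against the ports copy in /usr/local rather than the base system's. The script below is an added example, not from the thread, the FreeBSD advisory or pfSense: the function names are my own, and the version strings in the comments and test are constructed samples. It covers CVE-2014-0160 only; the ECDSA flaw (CVE-2014-0076) that the follow-up says affects the other FreeBSD releases cannot be told from a version string.

```shell
#!/bin/sh
# Added example (not from the thread or the advisory): triage an
# "openssl version" line for CVE-2014-0160 (Heartbleed).
#   OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 snapshot carry the bug;
#   1.0.1g, 1.0.2-beta2 and everything later are fixed;
#   the 1.0.0 and 0.9.8 branches never had the TLS heartbeat code.
# Caveat: FreeBSD-SA-14:06 patches the source without bumping the version
# string, so a patched base system can still print 1.0.1e. Read "affected"
# as "verify the patch level (freebsd-version -u / build date)", not as proof.
# Function names are my own; sample inputs are constructed.

heartbleed_status() {
    # $1 is the whole "openssl version" line, e.g. "OpenSSL 1.0.1e-freebsd 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo affected ;;
        1.0.2-beta1*)                          echo affected ;;
        1.0.1*|1.0.2*|1.1.*|3.*)               echo fixed ;;
        1.0.0*|0.9.*)                          echo not-affected ;;
        *)                                     echo unknown ;;
    esac
}

# Check both the base-system binary and the ports copy that packages link
# against; the two can be at different versions on the same host.
check_host_openssl() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        printf '%s: %s\n' "$bin" "$(heartbleed_status "$("$bin" version)")"
    done
}

check_host_openssl
```

Because the classification is by version string alone, the useful output is the "affected" lines: each one names a binary whose patch level must be confirmed by other means before the advisory's follow-up advice (new keys and certificates, forced credential changes) can be considered done.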

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Paul Mather
On Nov 6, 2013, at 1:43 PM, Jim Thompson j...@netgate.com wrote:

 
 On Nov 6, 2013, at 8:06 AM, Thinker Rix thinke...@rocketmail.com wrote:
 
 On 2013-11-06 15:29, Jim Thompson wrote:
 On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
 
 pfSense lists the AES-NI as a supported option for crypto acceleration.  
 pfSense will use it for OpenVPN and IPsec if you tell it to. There's a 
 config setting for it.
 I'm not aware of any performance testing for AES-NI on pfSense.
 
 There are reports that FreeBSD doesn't support AES-NI very well.
 
 Thank you for this information, Jim. So I figure that buying the Xeon just 
 for its AES functions would (currently) be a waste of money.
 
 I can’t answer this, because I’ve not tested it.
 
 I know that the linux kernel, and openbsd both take full advantage of AES-NI 
 instructions.
 
 http://ibatanov.blogspot.com/2012/04/ipsec-performance-benchmarking-is-end.html
 http://comments.gmane.org/gmane.os.openbsd.misc/199639
 
 I know there is an implementation of AES-NI for cryptdev, but **I HAVE NOT 
 TESTED IT (nor has anyone else on the pfSense team, AFAIK).
 
 There seems to be an issue:
 http://forum.pfsense.org/index.php/topic,54008.30.html
 http://lists.freebsd.org/pipermail/freebsd-hackers/2012-May/038762.html
 
 In the meantime, it might be possible to use OpenVPN with a patched openssl 
 library to achieve the results you desire (but now you’re off into DIY land.) 
  https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
 
 That all said, we will find and fix the issue at some point.   (I’m actually 
 in San Jose for the FreeBSD Vendor Summit, and plan to bring it up as a 
 potential issue.)


Well, there's this thread from late August this year about improving AES-NI 
support that eventually kicked off into an epic kerfuffle and bike shed about 
the status of gcc in FreeBSD 10: 
http://lists.freebsd.org/pipermail/freebsd-toolchain/2013-August/000920.html

Cheers,

Paul.


Re: [pfSense] naive suggestion: conform to US laws

2013-10-12 Thread Paul Mather
On Oct 12, 2013, at 11:23 AM, Oliver Hansen oliver.han...@gmail.com wrote:

 On Sat, Oct 12, 2013 at 4:10 AM, Thinker Rix thinke...@rocketmail.com wrote:
 On 2013-10-09 19:38, Jim Thompson wrote:
 So asking the question is stupid
 
 On 2013-10-09 19:50, Jim Thompson wrote:
 IMO, this bullshit thread only serves to assist those asking the question in 
 stroking their own ego.
 
 On 2013-10-12 01:40, Jim Thompson wrote:
 Otherwise: get off my lawn.
 I'm not willing to endure this uninformed Alex Jonesian crapfest.
 Now that I'm back on US soil, I promise that if the latter continues, I will 
 kill the thread. People who hijack threads will be dealt with.
 Otherwise: STFU.
 
 Nor will I endure the besmirching of pfSense's good name and trademark. 
 
 The only one who is besmirching pfSense here is: you - given that as a 
 co-owner of ESF you are an official representative of pfSense - and your 
 official communication unfortunately shows that you are a vulgarian, 
 plebeian, obscene, scurrilous goon, who insults, threatens, bullies, censors 
 and muzzles other community members, totally lacking control of himself and 
 any professional business manners whatsoever, let alone any constructive 
 discussion culture.
 
 To me it feels highly awkward and it is unsettling me a lot, that such an 
 ill-mannered, shady and dubious roughneck like you holds a key position in 
 the project that creates the security product that we use for protecting our 
 networks.
 
 I have no idea why highly respected Chris Buechler partnered with you, but it 
 might be good if you would learn a lesson from him concerning his 
 professionalism, seriousness and manners in his official communication.
 
 Bye.
 
 I can't say I agree with Thinker Rix on everything but on this I do agree. I 
 have been on this list for many years (mostly just reading) and have always 
 been impressed with the professionalism of most members who write and 
 especially those affiliated with the project. I have been quite surprised and 
 disappointed in the attitude and tone coming from Jim Thompson this last week 
 and in my opinion THAT is what reflects poorly on the project.

It may be that Jim simply saw what looked like a sock puppet come onto the list 
and start spreading FUD about ESF and pfSense.  Normally, when you see what 
you consider to be a troll, the usual response is "don't feed the troll" and 
ignore the thread until it runs out of fuel.  I guess the response is 
different, though, when someone is directing FUD at your company.  Then, rather 
than annoyance and bruised egos, the damage can be more real and a more robust 
response might be warranted.

It's up to Jim how he expresses himself.  Given that Thinker Rix was doing a 
remarkable job of impersonating a troll (IMHO), I think the blunt approach is 
the pragmatic logical endpoint of that dialogue.  It's sad, but dealing with 
trolls is a sad business. :-(

Cheers,

Paul.



Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Paul Mather
On Oct 10, 2013, at 9:08 AM, Giles Coochey gi...@coochey.net wrote:

 On 10/10/2013 13:55, Ian Bowers wrote:
 On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis 
 alexandre.para...@gmail.com wrote:
 indeed, i vote to continue. Because you don't mind being overlooked by NSA 
 doesn't mean everybody don't care.
 
 
 
 
 On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat 
 rgbier...@rgbiernat.homelinux.org wrote:
 This discussion about security/NSA/encryption IS important. Please go on.
 
 
 
 
 Whether or not this is an important conversation is irrelevant.  This is the 
 wrong place to have the conversation.
 
 I tried to turn this back into a product support discussion in the last 
 thread but sadly my comments were not among those cherry picked.  This 
 discussion does not suit the purpose of this list.  I see a bunch of hard 
 working people reacting to their product's integrity being continuously 
 questioned despite having all questions answered, and a few entitled 
 consumers who can't be bothered to figure out technology well enough to come 
 to their own conclusion on its integrity.  As well as a bunch of people 
 that want this discussion to go someplace more appropriate.  The concerned 
 parties are not concerned enough to learn how to read code.  So you're 
 paranoid, just not paranoid enough to actually learn how to answer your own 
 questions.   
 
 Unless there is an issue someone is having making a VPN work or getting NAT 
 running right, this is the wrong place to hold this discussion.   If you're 
 having an issue with this pfSense, networking protocols, or logical 
 operation of the device, great!  Let's talk about it!  I'm actually very 
 good at these things, and I'd like to spend time helping people with network 
 or network security related operational problems.  Otherwise, please find 
 the email addresses of all the people who have shown an interest in participating 
 in this discussion, and send an email out to that list of people to discuss 
 it among yourselves.  
  
 
 *BLINK!*
 
 Incredible the way I am seeing the reaction to the initial question, and 
 trying to query very valid points are now leading me to seriously reconsider 
 the potential risk I have in continuing to use pfsense as a security tool.

Some people value the S/N ratio of mailing lists.  I believe the people asking 
for the discussion to be moved elsewhere are motivated by that.

As to people trying to query very valid points, even if we take that on face 
value, what do you or they hope to accomplish by asking the pfSense project 
directly whether they have been approached by the NSA?  The reporting around 
the leaked NSA Files has established that one of the major concerns is the 
legal apparatus that enables the NSA to approach companies whilst compelling 
those companies not to reveal the fact.  So, it's highly likely that had the 
pfSense project been approached, part of that approach would have included a 
mandate not to tell anyone.  So how could a definitive answer be obtained given 
that silence from the pfSense project COULD be interpreted to mean yes but 
doesn't definitively mean yes.  Some people have posited ways of evading such 
gag orders (e.g., 
http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch), 
but, AFAIK, they have not been battle-tested in court.

I am left wondering, therefore, what it would take for people to accept that 
pfSense is trustworthy in a good-faith sense?  The original poster in this 
thread asked for a direct answer to a straightforward question and he got it, 
yet still he continues to pursue this thread.  To what end?  People are 
outraged at the NSA revelations, but the pfSense mailing list is not the 
appropriate place to be outraged at that.  Go comment at the news outlets.  
Write your elected officials.  Support the EFF and the likes.  But what more 
can be accomplished on this mailing list?

There was an attempt to redirect the thread to something more practical and 
focused on pfSense, e.g., what now could be considered best practices settings 
to use for encryption, but it doesn't appear to be gaining much traction vs. 
this thread.  (Part of that might be due to the fact that not much practical 
information is available right now.)  As I've pointed out, the original thread 
query has been answered definitively (twice now).  The original poster has said 
that the availability of the source code for scrutiny is not sufficient, but it 
seems that ultimately that is all you have to go on in open source projects.  
It's not clear to me what response it would take to establish trustworthiness 
in pfSense for the original poster and the others that are apparently being led 
to seriously reconsider the potential risk ... in continuing to use pfsense 
as a security tool.  Maybe if we can establish that, we can finally wrap up 
this thread as far as pfSense is concerned and get back to a pfSense-focused 
mailing list.

 The about list on 

Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Paul Mather
On Oct 10, 2013, at 10:13 AM, Thinker Rix thinke...@rocketmail.com wrote:

 On 2013-10-10 16:52, Paul Mather wrote:
 On Oct 10, 2013, at 9:08 AM, Giles Coochey gi...@coochey.net wrote:
 
 *BLINK!*
 
 Incredible the way I am seeing the reaction to the initial question, 
 and trying to query very valid points are now leading me to seriously 
 reconsider the potential risk I have in continuing to use pfsense as a 
 security tool.
 
 Some people value the S/N ratio of mailing lists.  I believe the people 
 asking for the discussion to be moved elsewhere are motivated by that.
 
 Those people should just learn how to use a mailing list properly, before 
 using one. A mailing list is *not* just I enter my daily use email address 
 somewhere and receive emails.
 For participating properly at a mailing list you need a proper mail reader 
 that is able to sort mail into conversation threads 
 (https://en.wikipedia.org/wiki/Conversation_threading).
 Then you go and pick the threads that interest you and read them. And you 
 ignore those who do not interest you.
 Additionally it is advised to use an email address only for reading mailing 
 lists.

Thank you for the valuable information about how to use mailing lists.  I first 
started using mailing lists back in the mid/late 1980s, on the JANET network 
(British academic network)---back when the Internet was made up of networks 
like ARPA, BITNET, UUCP, and the likes and (in my case) you needed to know the 
gateway machines that would let you reach those networks and had to incorporate 
that routing into the recipient's e-mail address.  I suspect those people you 
mention above actually know how to use a mailing list properly.  I know I do.  
I also know the value of good S/N ratio on technically-focused mailing lists.

 Maybe if we can establish that, we can finally wrap up this thread as far as 
 pfSense is concerned and get back to a pfSense-focused mailing list.
 
 You can switch *right at this very moment* to a discussion thread that is of 
 more interest for you and there you go!


Of course, you're right, and that is wise counsel because it reminds me of one 
of the golden rules of mailing lists: unwelcome threads persist only so long as 
people reply to them.  (This is sometimes better known by the more insulting 
adage: Please don't feed the trolls!  I'm loath to employ that, though.)  I 
thought I was making a reasonable point, but it seems as far as I'm concerned, 
this thread has passed the point of reasonableness.  I'll leave it to you and 
your fellow concerned list members to continue mulling it over, and, in your 
case, to continue teaching your grandma to suck eggs when it comes to 
Netiquette. :-)

Cheers,

Paul.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Frequent bge0: watchdog timeout -- resetting problems

2013-05-13 Thread Paul Mather
I'm running pfSense 2.0.3-RELEASE (i386) on a Dell 2650 rack-mount server.  I'm 
using the built-in Broadcom gigabit ethernet NICs for WAN and LAN:

bge0: Broadcom NetXtreme Gigabit Ethernet Controller, ASIC rev. 0x000105 mem 
0xfca1-0xfca1 irq 28 at device 6.0 on pci4
miibus0: MII bus on bge0
brgphy0: BCM5701 10/100/1000baseTX PHY PHY 1 on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 
1000baseT-FDX, auto
bge0: [ITHREAD]
bge1: Broadcom NetXtreme Gigabit Ethernet Controller, ASIC rev. 0x000105 mem 
0xfca0-0xfca0 irq 29 at device 8.0 on pci4
miibus1: MII bus on bge1
brgphy1: BCM5701 10/100/1000baseTX PHY PHY 1 on miibus1
brgphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 
1000baseT-FDX, auto
bge1: [ITHREAD]

bge0@pci0:4:6:0:class=0x02 card=0x01211028 chip=0x164514e4 rev=0x15 
hdr=0x00
class  = network
subclass   = ethernet
cap 07[40] = PCI-X 64-bit supports 133MHz, 512 burst read, 1 split 
transaction
cap 01[48] = powerspec 2  supports D0 D3  current D0
cap 03[50] = VPD
cap 05[58] = MSI supports 8 messages, 64 bit 
bge1@pci0:4:8:0:class=0x02 card=0x01211028 chip=0x164514e4 rev=0x15 
hdr=0x00
class  = network
subclass   = ethernet
cap 07[40] = PCI-X 64-bit supports 133MHz, 512 burst read, 1 split 
transaction
cap 01[48] = powerspec 2  supports D0 D3  current D0
cap 03[50] = VPD
cap 05[58] = MSI supports 8 messages, 64 bit 


I am having severe problems with these NICs---particularly the WAN side (bge0).
Under traffic (not necessarily high load), I will lose connectivity for some 
time until the NIC appears to be reset via a watchdog.  It is typical to see 
this repeated in dmesg:

bge0: watchdog timeout -- resetting
bge0: link state changed to DOWN
bge0: link state changed to UP
bge0: watchdog timeout -- resetting
bge0: link state changed to DOWN
bge0: link state changed to UP
bge0: watchdog timeout -- resetting
bge0: link state changed to DOWN
bge0: link state changed to UP
bge0: watchdog timeout -- resetting
bge0: link state changed to DOWN
bge0: link state changed to UP


In System - Advanced - Networking, I have disabled hardware checksum offload; 
hardware TCP segmentation offload; and hardware large receive offload, but this 
hasn't seemed to help.  I have seen on Google references to problems with 
Broadcom 57XX-based NICs under FreeBSD, and there are indications some work has 
been done in FreeBSD 9-STABLE to improve matters, which is obviously not 
helpful for pfSense running 8.1-RELEASE-p13.

I have checked the state table usage when this problem occurs and it is low 
(with ample free state entries available).

I have heard that disabling MSI can sometimes be helpful, but the bge driver 
does not appear to use it:

sysctl -a | grep msi
hw.bce.msi_enable: 1
hw.cxgb.msi_allowed: 2
hw.em.enable_msix: 1
hw.igb.enable_msix: 1
hw.malo.pci.msi_disable: 0
hw.pci.honor_msi_blacklist: 1
hw.pci.enable_msix: 1
hw.pci.enable_msi: 1


Has anyone run into this problem?  Can anyone offer a possible solution or 
workaround?

I have a dual-NIC expansion card in the same machine that supports fxp NICs, 
and, right now, I am tempted to switch to those, believing it is probably 
better to have stable 100BaseT than flaky 1000BaseT.  But, I'm hoping something 
can be done to make the bge ports be stable.  Any thoughts?

Cheers,

Paul.
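As an added example (not part of the post above, and not pfSense or FreeBSD code), here is a small check that an administrator could run over dmesg output of the kind Paul quotes, to count watchdog resets and link flaps per interface and to spot a reset that was not followed by the link coming back up. The sample lines are constructed after the ones in the post, with an extra bge1 line added for contrast; the regular expressions assume the FreeBSD message format shown on the page.

```python
"""Summarise bge-style watchdog resets and link-state changes from dmesg.

Added example; not from the mailing-list post.  The sample input below is
constructed to mirror the lines quoted in the post (plus one bge1 line).
"""
import re
from collections import Counter, defaultdict

# Message formats as they appear in the post (FreeBSD if_bge / link state).
RESET_RE = re.compile(r"^(?P<iface>\w+): watchdog timeout -- resetting$")
LINK_RE = re.compile(r"^(?P<iface>\w+): link state changed to (?P<state>UP|DOWN)$")

# Constructed sample: three resets on bge0, the last one not recovered.
SAMPLE_DMESG = """\
bge0: watchdog timeout -- resetting
bge0: link state changed to DOWN
bge0: link state changed to UP
bge0: watchdog timeout -- resetting
bge0: link state changed to DOWN
bge0: link state changed to UP
bge1: link state changed to UP
bge0: watchdog timeout -- resetting
bge0: link state changed to DOWN
""".splitlines()


def summarize_watchdog(lines):
    """Return {iface: {"resets": n, "link_down": n, "link_up": n, "unrecovered": n}}.

    A reset counts as "unrecovered" when no "link state changed to UP" for
    that interface follows it before the next reset or the end of the log.
    """
    stats = defaultdict(Counter)
    pending = {}  # iface -> True while a reset has not yet been followed by UP
    for raw in lines:
        line = raw.strip()
        m = RESET_RE.match(line)
        if m:
            iface = m["iface"]
            stats[iface]["resets"] += 1
            if pending.get(iface):
                stats[iface]["unrecovered"] += 1
            pending[iface] = True
            continue
        m = LINK_RE.match(line)
        if m:
            iface, state = m["iface"], m["state"]
            stats[iface]["link_" + state.lower()] += 1
            if state == "UP" and pending.get(iface):
                pending[iface] = False
    # Resets still pending at end of log never saw the link come back.
    for iface, waiting in pending.items():
        if waiting:
            stats[iface]["unrecovered"] += 1
    return {iface: dict(c) for iface, c in stats.items()}


def flapping_interfaces(stats, max_resets=1):
    """Interfaces whose reset count exceeds max_resets, sorted by name."""
    return sorted(i for i, c in stats.items() if c.get("resets", 0) > max_resets)


if __name__ == "__main__":
    summary = summarize_watchdog(SAMPLE_DMESG)
    for iface, counts in summary.items():
        print(iface, counts)
    print("flapping:", flapping_interfaces(summary))
```

On a live system the same functions can be fed the output of `dmesg` or the kernel messages from the pfSense system log; a non-zero "unrecovered" count is the case worth alerting on, since it means the interface was reset and the link did not come back.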


Re: [pfSense] Frequent bge0: watchdog timeout -- resetting problems

2013-05-13 Thread Paul Mather
On May 13, 2013, at 10:40 AM, Giles Coochey gi...@coochey.net wrote:

 On 13/05/2013 15:07, Paul Mather wrote:
 
 bge0: watchdog timeout -- resetting
 bge0: link state changed to DOWN
 bge0: link state changed to UP
 bge0: watchdog timeout -- resetting
 bge0: link state changed to DOWN
 bge0: link state changed to UP
 bge0: watchdog timeout -- resetting
 bge0: link state changed to DOWN
 bge0: link state changed to UP
 bge0: watchdog timeout -- resetting
 bge0: link state changed to DOWN
 bge0: link state changed to UP
 
 
 I had something similar, with a VM implementation, it seemed to go away when 
 I increased the memory on the system.


How much memory was in the increased-memory system?  The hardware I am using 
has 2 GB of RAM, which should be plenty for pfSense.  According to the RRD 
graphs, active+wired+cached memory usage is normally below 5% of total RAM at 
all times on this system.

Cheers,

Paul.



Re: [pfSense] timezone problem

2013-04-17 Thread Paul Mather
On Apr 17, 2013, at 10:18 AM, Moshe Katz mo...@ymkatz.net wrote:

 On Wed, Apr 17, 2013 at 8:39 AM, Cristian Ionescu-Idbohrn 
 cristian.ionescu-idbo...@axis.com wrote:
 On Wed, 17 Apr 2013, Moshe Katz wrote:
 
  Did you reboot the machine after you changed the time zone?  As I
  understand it, many system components don't see the change unless you
  restart them, and the easiest way to restart them all is to restart the
  machine.
 
 Is that true?
 That's stone age.  That's interrupting.  That's simply bad.
 Isn't that the business of another OS?
 
 
 Cheers,
 
 --
 Cristian
 
 Cristian,
 
 It is simply because many programs only read the system time when they start 
 running.
 This is a design choice that has to do with efficiency of checking the system 
 clock, which I've been told was slow on many older and/or embedded systems.


The time zone is only a means of affecting the output of time on the system.  
Internally, the FreeBSD kernel keeps time as UTC.  Under FreeBSD, the presence 
of the file /etc/wall_cmos_clock indicates the hardware CMOS clock (i.e., the 
one you see in the BIOS settings) is set to the local time zone (and hence 
local time).  FreeBSD then uses adjkerntz to convert local time to UTC and to 
reflect back time zone changes to the CMOS clock when instructed.

Unless I've missed something, it seems like pfSense assumes the CMOS clock is 
always set to UTC.  In that case, changing time zone is just a matter of 
setting /etc/localtime to the appropriate entry in /usr/share/zoneinfo.  AFAIK, 
unless you override it with an explicit TZ setting, library calls to format 
dates ultimately default to the time zone pointed to by /etc/localtime.  In 
such a case, changing time zone should get picked up seamlessly by running 
daemons, without need for reboot.

 The other OS it sounds like you are referring to actually does a better job 
 with changing times.  That is because things like cron (Scheduled Tasks) 
 and syslog (Event Viewer) are much more closely integrated into the 
 Operating System.  In contrast, those components on *nix systems are 
 completely independent of the OS.

On FreeBSD, cron and syslog are definitely part of the base OS.

Cheers,

Paul.
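As an added illustration of the point in Paul's message (this is not code from the post or from pfSense), the block below renders one and the same epoch value under several time zones and converts a wall-clock reading back to an epoch. It uses POSIX TZ strings (e.g. "JST-9") and Python's `time.tzset()` rather than /etc/localtime, so it runs anywhere without a zoneinfo database; the FreeBSD-specific /etc/wall_cmos_clock and adjkerntz handling is not modelled.

```python
"""Show that a time zone only changes how a UTC timestamp is rendered.

Added example; not part of the mailing-list post.  TZ strings are POSIX
rule strings so no zoneinfo files are needed.
"""
import os
import time
from contextlib import contextmanager


@contextmanager
def tz_env(tz):
    """Temporarily set TZ, re-read it with tzset(), and restore it afterwards.

    Setting TZ overrides /etc/localtime for this process, which is the same
    precedence the post describes for library date formatting.
    """
    old = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        yield
    finally:
        if old is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = old
        time.tzset()


def render_epoch(epoch, tz):
    """Format a UTC epoch as local time in zone `tz` (POSIX TZ string)."""
    with tz_env(tz):
        return time.strftime("%Y-%m-%d %H:%M:%S %z", time.localtime(epoch))


def local_to_epoch(year, month, day, hour, minute, second, tz):
    """Inverse: interpret a wall-clock reading in zone `tz`, return the epoch."""
    with tz_env(tz):
        # tm_isdst = -1 lets the library decide whether DST applies.
        return int(time.mktime((year, month, day, hour, minute, second, 0, 0, -1)))


if __name__ == "__main__":
    # The epoch value never changes; only the rendering does.
    for tz in ("UTC0", "JST-9", "EST5EDT"):
        print(tz, render_epoch(0, tz))
    # The same wall-clock string means different instants in different zones.
    print(local_to_epoch(1970, 1, 1, 0, 0, 0, "UTC0"),
          local_to_epoch(1970, 1, 1, 0, 0, 0, "JST-9"))
```

The kernel-side value (the epoch) is identical in every call; a process that rendered a timestamp under one zone and then under another has not changed the underlying time, which is why a correct zone setting is a display matter and the CMOS clock question is separate.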


[pfSense] Question about pfSense Mobile IPsec on 2.0 document

2013-02-27 Thread Paul Mather
I have been bashing my head against a wall trying to get Mobile IPSec (Mutual 
PSK + Xauth) working on pfSense 2.0.2.  As I've reported previously here, I can 
only get traffic to flow in both directions if I set NAT Traversal to Force 
instead of Enable in the Phase 1 tunnel definition.  Non-NATted connections 
will only route traffic from the client to the VPN, not vice versa.

I discovered subsequently in the pfSense Mobile IPsec on 2.0 document 
(http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0) that the description of 
how to set up Mobile IPSec on 2.0 also lists NAT Traversal: Force under the 
Phase 1 section.  Is this a hard requirement in 2.0.X?  If so, is this due to 
bugs/limitations in the version of racoon/ipsec-tools used in 2.0.X?  My 
experience of 2.0.X is that it correctly detects whether a client is behind a 
NAT for NAT Traversal: Enable but traffic only flows bidirectionally in the 
case of clients behind a NAT (i.e., NAT-T is enabled).

Does this problem still exist in 2.1?

Cheers,

Paul.



[pfSense] Problem with IPsec in 2.0.2

2013-02-15 Thread Paul Mather
I have a problem with an IPsec VPN setup in pfSense 2.0.2 that I wonder if 
anyone can help me solve.

I am trying to set up a pfSense IPsec VPN for mobile clients.  The clients will 
be using the built-in Cisco IPSec client in Mac OS X 10.7 and 10.8 to 
connect.  I have assigned the Virtual Address Pool as 192.168.5.0/24, which is 
disjoint from those on the pfSense gateway.  In my Phase 2 Tunnel definition in 
pfSense, I am using Mode: Tunnel and Local Network: LAN subnet to give 
mobile clients access to the pfSense LAN side.

Here is my problem: the setup *almost* works.  When I say almost I mean that 
mobile clients connecting from behind a NAT appear to have connectivity to the 
pfSense LAN but mobile clients not behind a NAT don't.

Here is an example: I have two test clients connecting.  One is a Mac desktop 
with direct Internet connection (wired ethernet using a public IP address) and 
the other is a Mac laptop connecting over WiFi (and a private IP address behind 
a NAT).  Both clients have identical client-side setups for the VPN in the 
networking section of System Preferences.  Both clients establish connections 
to the pfSense VPN without problem.  Tcpdump on the client side shows IPsec 
traffic being routed over the respective WAN link.

If I ping a machine on the pfSense LAN side from each client I get a reply in 
the case of the Mac client behind the NAT but get Request timeout for icmp_seq 
... for the Mac client not behind the NAT.  Running tcpdump -ni enc0 icmp on 
the pfSense gateway shows ICMP echo requests incoming for both clients but only 
an outgoing ICMP echo reply response for the Mac client behind the NAT.  
Running tcpdump on the machine being pinged on the pfSense LAN I see ICMP echo 
requests and corresponding ICMP echo replies for both Mac clients.  I get the 
same when running tcpdump on the LAN interface of the pfSense gateway (i.e., I 
see matching ICMP echo request/reply crossing the LAN interface for each 
client).

So, it seems that ping requests are reaching the system on the pfSense LAN but 
the ping replies are only making it back out over the IPsec VPN tunnel to the 
Mac client that is behind the NAT.  The replies back to the client not using 
NAT-T appear to stop short at the pfSense gateway and are not encapsulated and 
sent over the IPsec tunnel.

I don't believe this is an issue of firewall rules because I would assume it 
would affect both clients in the IPsec virtual address pool.

Does anyone have any suggestions how I might get this working?  Does anyone 
have a working setup that is using the Apple Cisco IPSec client that is *not* 
operating from behind a NAT?

Any help is gratefully appreciated.

Cheers,

Paul.



Re: [pfSense] Cisco IPSEC configuration

2012-09-14 Thread Paul Mather
On Sep 14, 2012, at 11:27 AM, Ian Bowers wrote:

 Whoever hosts the instructions.  they open themselves up for cease and desist 
 letters and potentially litigation.  
 
 Not trying to be a wet blanket, just saying...  in the open source community 
 we have to be careful and respectful of licensing.

Are you talking about a Cisco IPSEC client as implemented in Cisco hardware or 
all Cisco IPSEC clients, e.g., as implemented in iOS or Mac OS X?  I can't see 
how they'd be justified in sending cease and desist letters for instructions on 
how to configure the latter.

I know I have had problems in getting the Cisco IPSEC client to work properly 
in Mac OS X (Snow Leopard).  It works through NAT-T but not otherwise.  I sure 
would appreciate a howto/guide so I can figure out where I might be going 
wrong.  (I've posted about this problem before, without resolution: 
http://www.mail-archive.com/support@pfsense.com/msg21912.html)

Cheers,

Paul.

 
 On Fri, Sep 14, 2012 at 8:32 AM, Vick Khera vi...@khera.org wrote:
 On Wed, Sep 12, 2012 at 3:47 PM, Ian Bowers iggd...@gmail.com wrote:
 posting instructions on doing it could cause trouble.
 
 Trouble for whom?
 
 



[pfSense] Non-default Frequency Probe value in gateway definition apparently wreaks havoc

2012-08-09 Thread Paul Mather
I am running pfSense 2.0.1-RELEASE (i386).  To cut a long story short, recently 
I changed the Frequency Probe setting under the Advanced section of System: 
Gateways: Edit gateway and subsequently had all kinds of trouble as a result.  
The main observed annoying phenomenon was that remote SSH connections behind 
the LAN that were open would freeze after a short amount of time (although the 
same system was still pingable).  The system log would also contain regular 
entries like this:

Aug 9 12:28:16  apinger: ALARM: Virtual(10.5.5.5) *** down ***
Aug 9 12:28:16  check_reload_status: Reloading filter
Aug 9 12:28:21  apinger: ALARM: Internet(XXX.XXX.XXX.XXX) *** down ***
Aug 9 12:28:26  check_reload_status: Reloading filter
Aug 9 12:28:29  apinger: alarm canceled: Virtual(10.5.5.5) *** down ***
Aug 9 12:28:39  apinger: ALARM: Virtual(10.5.5.5) *** down ***
Aug 9 12:28:39  check_reload_status: Reloading filter


(I'm hypothesising that the Reloading filter had the side effect of clearing 
the state table, which is what was leaving my SSH connections high and dry.)

I had been using values such as 60, 23, and 10 at various times in the 
Frequency Probe setting.  Clearing it (and hence using the default of 1 
second) immediately fixed the problem.

In case it matters, the system that was having problems with the SSH 
connections freezing was a 1:1 NAT machine at IP 10.5.5.50 on the LAN.

Are non-default Frequency Probe values a known issue in pfSense 2.0.1-RELEASE?

Cheers,

Paul.





Re: [pfSense] Recommended DynDns Service for PFsense

2012-04-04 Thread Paul Mather
On Apr 4, 2012, at 10:25 AM, David Miller wrote:

 Dyn.com's free service has been working well for me for years.
 --
 David
 
 On Wed, Apr 4, 2012 at 9:16 AM, Gavin Will gavin.w...@exterity.com wrote:
 Hi there,
 
 Can people please give me their experience / recommendations with regards to 
 a 3rd party DynDNS service that will work with PFsense.


I believe Dyn.com no longer offers creation of new free hostnames.  Existing 
free users are grandfathered in, but they're not allowing any new free hosts to 
be created.  Furthermore, if I'm reading correctly the e-mails they sent me, if 
you let your existing free hostname lapse, you won't be able to resurrect 
it---you'll have to roll over to their paid service.

Cheers,

Paul.



Re: [pfSense] ssh public key in user manager (pfSense 2.0.1)

2012-01-13 Thread Paul Mather
On Jan 13, 2012, at 9:58 AM, newsgroups.ma...@stefanbaur.de wrote:

 Hi List,
 
 is there any particular reason why the user manager only accepts ssh-rsa keys 
 instead of both ssh-rsa and ssh-dss?


I pasted a ssh-dss key into the Authorized Keys area for a user in the User 
Manager and it works fine for me.  I am using 2.0.1-RELEASE.

Cheers,

Paul.

