Re: [pfSense] boot/loader.conf.local deleted upon reboot

2018-05-16 Thread PiBa
Looks like everything that has the word 'console' in there gets deleted 
from loader.conf.local..


I suppose the 'platform' is not one of these.?:
    if ($specific_platform['name'] == 'RCC-VE' ||
        $specific_platform['name'] == 'RCC' ||
        $specific_platform['name'] == 'SG-2220') {
        $data[] = 'comconsole_port="0x2F8"';


On 16-5-2018 at 14:48, Vick Khera wrote:

I run pfSense on an official pfSense branded C2758 system. It has a BMC
controller that permits me to use a serial over LAN to COM2. In order to
make the system console connect to COM2, the following line needs to be
added to loader.conf or loader.conf.local:

comconsole_port="0x2F8"

in addition to enabling the serial console via the GUI.

I've run it this way for years with prior versions of pfSense. It seems now
with version 2.4.3 (possibly earlier 2.4.x, not sure) upon reboot the
/boot/loader.conf.local file gets deleted. Thus the symptoms are that you
create the file, reboot and get serial console, but the file gets removed
during the boot. So on your next boot, no console over SoL.

Ideally, there would be a menu on the GUI for serial console to select the
COM port, but I requested that forever ago and it doesn't seem to be
important enough to get implemented.

The /etc/inc/pfsense-utils.inc file appears to try to filter the
loader.conf.local to remove duplicate settings and delete it if it ends up
empty.  This is done by the function load_loader_conf() which seems like it
does the right thing but clearly it is not including the above line and
thus the file gets deleted. It is easily reproduced by just putting that
single line above into the file and rebooting pfSense.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



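As an added illustration (not pfSense's load_loader_conf() and not code from this thread), the Python below models the clean-up pass Vick describes: settings the firewall already writes to loader.conf are stripped from loader.conf.local as duplicates, and the file is deleted when nothing remains. The generator, the platform list and the substring match in filter_by_substring are assumptions chosen to reproduce the symptom PiBa observed (any key containing 'console' disappears on hardware for which pfSense does not itself emit comconsole_port); filter_by_key shows the safe behaviour, stripping a line only when the generated file really contains that key.

```python
"""Model of a loader.conf.local clean-up pass and how it can delete a user's
comconsole_port line.  Added illustration; the real pfSense function is not
reproduced here, and the platform behaviour below is an assumption."""
import re

SETTING_RE = re.compile(r'^([A-Za-z0-9_.\-]+)=(.*)$')


def parse_loader_conf(text):
    """Parse loader.conf-style `key="value"` lines into an ordered list of
    (key, value) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip().strip('"')))
    return entries


def generated_loader_conf(platform, serial_console):
    """Settings the firewall writes to /boot/loader.conf itself (constructed
    subset).  Mirroring the snippet quoted in the thread, comconsole_port is
    only emitted for the listed platforms; other hardware gets no override."""
    data = {"autoboot_delay": "3"}
    if serial_console:
        data["boot_multicons"] = "YES"
        data["console"] = "comconsole,vidconsole"
    if platform in ("RCC-VE", "RCC", "SG-2220"):
        data["comconsole_port"] = "0x2F8"
    return data


def filter_by_substring(local_text, generated):
    """Flawed clean-up: drop every local line whose key mentions 'console',
    without looking at what the generated file actually sets (`generated` is
    accepted only to keep the signature parallel; ignoring it is the flaw).
    On a C2758 nothing re-adds the port, so the file ends up empty."""
    return [(k, v) for k, v in parse_loader_conf(local_text) if "console" not in k]


def filter_by_key(local_text, generated):
    """Corrected clean-up: drop a local line only when the generated file
    really contains the same key, so only genuine duplicates are removed."""
    return [(k, v) for k, v in parse_loader_conf(local_text) if k not in generated]


def file_survives(kept):
    """The clean-up deletes loader.conf.local when nothing is left in it."""
    return bool(kept)


def render(kept):
    """Write the surviving entries back in loader.conf syntax."""
    return "".join(f'{k}="{v}"\n' for k, v in kept)


if __name__ == "__main__":
    local = 'comconsole_port="0x2F8"\n'           # the one line from the thread
    gen = generated_loader_conf("C2758", serial_console=True)
    print("substring filter keeps:", render(filter_by_substring(local, gen)) or "<nothing: file deleted>")
    print("key filter keeps:      ", render(filter_by_key(local, gen)) or "<nothing: file deleted>")
```

The useful check after any upgrade is the second function's invariant: a line in loader.conf.local should only ever vanish if the same key is present in the generated loader.conf, so a `grep comconsole_port /boot/loader.conf /boot/loader.conf.local` after reboot should always find it in at least one of the two files.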

Re: [pfSense] routing between subnets at same Interface - configuration not working on 2.4.1

2018-05-14 Thread PiBa

Hi Fabian,

Why do you have those routes all pointing to the local lan-ip .?
Also the opt2 interface using a gateway pointing to the opt2-ip doesn't 
make sense to me..
For the Virtual-IP's for each subnet, they are all 'local' networks and 
should not need any routes to be explicitly defined either. Even though 
that might be implied by the 'do not filter same interface 
static-routes' firewall setting description... (That should stay enabled 
though).


I think (most of) those routing / gateway related settings might cause 
more harm than good.. i would opt to remove them and see if 
things improve..


Regards,
PiBa-NL

On 14-5-2018 at 10:39, Fabian Bosch wrote:

Hi - Attachements not working so here is the XML Plaintext:




[The pasted config.xml lost its XML tags in extraction; only the element values remain, and the paste is cut off in the cron section. The values that can still be read:]

- config version 17.9; hostname pfSenseOne, domain xy.zz; admin user with user-shell-access (the paste also contained the admin account's bcrypt password hash, omitted here); serial console enabled at 115200; timezone Europe/Amsterdam; NTP server 0.pfsense.pool.ntp.org; DNS server 1.1.1.1
- interfaces: em0 (wan, 1.1.1.254/28, IPv6 via dhcp6), em1 (192.168.100.1/24), em2 (1.1.2.250/28), em3 (192.168.99.1/32 with gateway PublicWiFi_GW)
- static routes: 192.168.111.0/24, 192.168.210.0/24, 192.168.114.0/24 and 192.168.110.0/24, all via GW_LAN
- DHCP range 192.168.100.200-192.168.100.254; DHCPv6 range ::1000-::2000, RA mode assist, priority medium
- firewall rules: the default pass rules on lan (inet and inet6), a pass rule on lan for icmp to any, and a pass rule on opt1 for udp to opt1ip port 1194 (created and updated by admin@192.168.100.200)
- cron entries: adjkerntz -a, /etc/rc.update_bogons.sh, and a third entry (*/60) cut off at "/usr/bin/nice -n20 /usr"

Re: [pfSense] Maximum CARP Addresses?

2018-02-15 Thread PiBa

Hi JD,

On 15-2-2018 at 20:35, ad^2 wrote:

Hello all,

I read in the forum (https://forum.pfsense.org/index.php?topic=109346.0)
the 255 VHID limitation in CARP is no longer an issue in recent versions. I
cannot find any documentation to support it.

I have a need to host a lot more than 255 virtual IP addresses.

Can someone confirm or deny this. If it's true point me to the
documentation that states this. If not, is there a way around it?

Thanks in advance,

JD


Does the pfSense box have more than 255 interfaces/vlans?
If you need multiple virtual IP's on 1 interface, you can define 
multiple ip aliases under a single CARP ip. Maybe that helps..


The forum states that the old "Stacked IP Alias VIPs must be inside the 
same subnet as the CARP VIP upon which they are placed." and that that 
is no longer the case.

The limit of max 255 is still there afaik..

Regards,
PiBa-NL



Re: [pfSense] routing between subnets at same Interface - configuration not working on 2.4.1

2018-01-30 Thread PiBa

Hi Fabian,

Have you set?:
System/Advanced/Firewall & NAT: "Static route filtering, Bypass firewall 
rules for traffic on the same interface"


As for your 'static routes', i'm not sure what purpose they serve.. 
Routing between subnets known on a pfSense interface is 'automatic'.


Regards,
PiBa-NL

On 30-1-2018 at 9:57, Fabian Bosch wrote:

Hello,

I cannot switch from Version 2.3.3 to 2.4.1 because of the routing at 
the same interface.
I transferred the backup.xml from machine A (2.3.3) to machine B 
(2.4.1) and everything worked fine but the routing between Subnets 
assigned at LAN-Interface.
There are multiple subnets set up via VirtualIPs and there are static 
routes to each of the subnets via the native LAN-Gateway Address e.g. 
route 192.168.110.0/24 via GW_LAN(192.168.100.1) and assigned 
VirtualIP in this case 192.168.110.1
Since this configuration runs well on 2.3.3 I wanted to ask whether 
there are major changes in default handling of traffic at the same 
interface. In 2.3.3 you don't need firewall-rules to allow traffic 
between subnets at the same interface - did this change in 2.4.1?


Thanks!

Fabian





Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-11 Thread PiBa

Hi,

On 11-10-2017 at 23:15, Chris Bagnall wrote:

On 11 Oct 2017, at 21:05, Adam Cage  wrote:

Dear Chris, I need the Squid proxy to filter traffic working with
Squidguard. The guest cell phones will be authenticated to my WiFi, and
after that they can go to HTTP/HTTPS web sites with zero configuration
because I can't tell my guests to setup a CA certificate, a proxy IP and
port in their phone's browsers or whatever at all. So I need a transparent
proxy.

What you’re asking isn’t possible without installing a certificate on the 
client device(s) - and with good reason: you’re effectively performing a 
man-in-the-middle attack; something SSL/TLS was designed to prevent.

In order to proxy SSL traffic, you need to effectively decrypt it at the proxy, 
then re-encrypt it using a new private key. Obviously you can’t re-encrypt it 
using the original key, because you don’t have access to the private key, hence 
the need for your own certificate installed on the client device.

So you have two choices: either install the certificate on the client, or 
accept that you aren’t going to be able to do more than the most basic 
filtering on HTTPS traffic - that is to say, by IP address or FQDN.

Kind regards,

Chris


If only domain name filtering (/ reporting?) is needed then the "Splice 
all" option should work i guess..


The help (i) for "SSL/MITM Mode" on squid config page in pfSense 
contains the following:


"*Splice All:*
This configuration is suitable if you want to use the SquidGuard package 
<https://doc.pfsense.org/index.php/SquidGuard_package> for web filtering.
All destinations will be spliced. SquidGuard can do its job of denying 
or allowing destinations according to its rules, as it does with HTTP.

You do /not/ need to install the CA certificate configured below on clients.
Content filtering (such as Antivirus) /will not/ be available for SSL sites.
"

Regards,

PiBa-NL

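What "Splice All" can act on without a CA on the client is the server name the client sends in the clear in its TLS ClientHello (SNI). The following Python is an added example, not code from the squid or SquidGuard packages: it builds a minimal ClientHello as constructed test input, extracts the SNI with bounds-checked parsing, and makes the splice-or-deny decision by domain. A hello without SNI shows the limit Chris describes: nothing is decrypted, so only the destination name or address is available, never the URL path or content.

```python
"""Extract the SNI from a TLS ClientHello and make a splice-style decision on
it.  Added illustration of what 'Splice All' can and cannot see; it is not
code from the pfSense squid package.  The blocklist is a constructed sample."""
import struct


def build_client_hello(server_name, include_sni=True):
    """Construct a minimal TLS ClientHello record (constructed test input;
    real hellos carry many more cipher suites and extensions)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    exts = sni_ext if include_sni else b""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Bounds-checked cursor: a short or hostile record raises instead of
    silently reading past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated TLS record")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None when the record
    is not a ClientHello or carries no server_name extension."""
    r = _Reader(record)
    if r.u8() != 0x16:                      # content type: handshake
        return None
    r.take(2)                               # record version
    hs = _Reader(r.take(r.u16()))           # handshake body, length-checked
    if hs.u8() != 0x01:                     # handshake type: ClientHello
        return None
    body = _Reader(hs.take(hs.u24()))
    body.take(2)                            # client_version
    body.take(32)                           # random
    body.take(body.u8())                    # session_id
    body.take(body.u16())                   # cipher_suites
    body.take(body.u8())                    # compression_methods
    if body.pos == len(body.data):
        return None                         # no extensions at all
    exts = _Reader(body.take(body.u16()))
    while exts.pos < len(exts.data):
        ext_type, ext_len = exts.u16(), exts.u16()
        ext = _Reader(exts.take(ext_len))
        if ext_type != 0x0000:
            continue
        names = _Reader(ext.take(ext.u16()))
        while names.pos < len(names.data):
            name_type, name_len = names.u8(), names.u16()
            name = names.take(name_len)
            if name_type == 0:
                return name.decode("ascii")
    return None


def splice_decision(record, blocked_domains):
    """What a splice-only proxy can do with this connection: with an SNI it can
    deny or splice by domain (no decryption, no CA on the client); without one
    it can only splice and leave filtering to address-based rules."""
    sni = extract_sni(record)
    if sni is None:
        return ("splice", None)
    labels = sni.lower().split(".")
    for i in range(len(labels)):          # match the name and every parent domain
        if ".".join(labels[i:]) in blocked_domains:
            return ("deny", sni)
    return ("splice", sni)
```

The parser deliberately raises on a truncated record rather than returning None, so a filtering component built on it cannot be talked into "no SNI, let it through" by a malformed hello; a real deployment would also have to handle encrypted SNI, which this example does not cover.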

Re: [pfSense] rules were ignored.

2017-08-21 Thread PiBa

Hi Greg,

Nothing weird i could spot.. Besides that most wifi rules are kinda 
duplicated. (Some with 'S/SA' others without.)
It doesn't explain why it 'should?' under some circumstance change the 
rules. If that's what happened in the first place.. I guess we will not 
know for sure anytime soon. :/


Regards,
PiBa-NL

On 21-8-2017 at 21:40, greg whynott wrote:

Hi PiBa,

- The rules are applied inbound from wifi zone on the pfs interface.
- inside is defined by an alias which describes all our internal 
RFC1918 networks.  Without the use of an exclusion operator.
- transparent http proxy is configured for the wifi network. As 
mentioned,  while it was experiencing the issue, it was passing all 
IP,  including ICMP at the time to inside destinations,  I don't think 
squid is in the way here.  No other application proxies are configured.


Below is a dump of the rules on the interface.  The Alias are correct 
and describe our internal networks.



The policy was working originally and again post reboot.  I don't 
think its a rule definition issue.   Beyond extra services being added 
to the 'guest policy' alias group, there have been no changes in 
relation to the wifi zone.         I was logging to the splunk server 
but sadly I see my trial license has expired,  I'll come back to that 
another time..



[2.3.4-RELEASE][root@tor-net-fw1]/root: pfctl -sr | grep igb2
scrub on igb2 all fragment reassemble
block drop in log on ! igb2 inet from 10.101.133.0/24 to any
block drop in log on igb2 inet6 from fe80::a236:9fff:fe05:56a8 to any
pass in quick on igb2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb2 inet proto udp from any port = bootpc to 10.101.133.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb2 inet proto udp from 10.101.133.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on igb2 inet proto tcp from any to  port = http flags S/SA keep state label "USER_RULE: HTTP on WebMail"
pass in quick on igb2 inet proto tcp from any to  port = https flags S/SA keep state label "USER_RULE: HTTPS on WebMail"
block drop in quick on igb2 inet from any to  label "USER_RULE: Block traffic to inside networks."
pass in quick on igb2 inet proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = 8080 flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = imap flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = nntp flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = 3689 flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = imaps flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = smtps flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = pop3s flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = 9339 flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = isakmp flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = ntp flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = sip flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = time flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 i
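PiBa's remark that many of the wifi rules are duplicated, some with `flags S/SA` and some without, is the kind of thing worth checking mechanically on a long `pfctl -sr` listing. The Python below is an added example, not a pfSense tool: it normalises each rule by stripping its label and flags clause and reports groups that are otherwise identical. The listing embedded in it is constructed in the same format as the dump above, and the alias names `<WebMail>` and `<Inside>` are placeholders for the aliases that the archive stripped from the quoted output.

```python
"""Audit a `pfctl -sr` listing for rules that are duplicates apart from their
`flags` clause or label.  Added example, not part of pfSense; the sample
listing is constructed and its alias names are placeholders."""
import re
from collections import defaultdict

SAMPLE_RULES = """\
scrub on igb2 all fragment reassemble
pass in quick on igb2 inet proto tcp from any to <WebMail> port = http flags S/SA keep state label "USER_RULE: HTTP on WebMail"
pass in quick on igb2 inet proto tcp from any to <WebMail> port = https flags S/SA keep state label "USER_RULE: HTTPS on WebMail"
block drop in quick on igb2 inet from any to <Inside> label "USER_RULE: Block traffic to inside networks."
pass in quick on igb2 inet proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = pop3 keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Default Guest Policy For WIFI"
pass in quick on igb2 inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: old guest rule"
"""

LABEL_RE = re.compile(r'\s+label\s+"[^"]*"')
LABEL_TEXT_RE = re.compile(r'label\s+"([^"]*)"')
FLAGS_RE = re.compile(r'\s+flags\s+(\S+)')


def normalize(rule):
    """Return (comparison key, flags, label).  The key is the rule text with
    the label and the flags clause removed and whitespace collapsed, so two
    rules that differ only in those parts compare equal."""
    label_m = LABEL_TEXT_RE.search(rule)
    flags_m = FLAGS_RE.search(rule)
    key = " ".join(FLAGS_RE.sub("", LABEL_RE.sub("", rule)).split())
    return (key,
            flags_m.group(1) if flags_m else None,
            label_m.group(1) if label_m else None)


def find_duplicates(listing):
    """Group rules by comparison key and return only the groups with more
    than one member, as {key: [(line_no, flags, label), ...]}."""
    groups = defaultdict(list)
    for line_no, line in enumerate(listing.splitlines(), 1):
        if not line.strip():
            continue
        key, flags, label = normalize(line)
        groups[key].append((line_no, flags, label))
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(listing):
    """Human-readable summary, one block per duplicate group, showing what
    the members differ in (flags or label) so the redundant one can be cut."""
    lines = []
    for key, members in find_duplicates(listing).items():
        where = ", ".join(f"line {n} (flags={f}, label={l!r})" for n, f, l in members)
        lines.append(f"DUPLICATE: {key}\n    {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RULES))
```

Run it against `pfctl -sr` output saved to a file; each group it prints is a pair of rules where the later one can never match anything the earlier `quick` rule did not already catch, which is exactly the redundancy worth removing before trying to reason about why a policy "stopped working".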

Re: [pfSense] rules were ignored.

2017-08-21 Thread PiBa

Hi,
As you probably know pfSense rules don't apply to 'zones' as some 
firewalls do..
So I'm wondering what is the actual rules set for the configuration of 
these 3 items on wifi?


1. Allow from wifi to inside webmail server on port 443/80.
2. Block all from wifi to inside any any.
3. Allow from wifi to internet any any.

Okay first one is easy, its a simple pass rule with a specific destination.
The second one, is a bit more interesting, how is 'inside' defined?
And then the third could be most prone to mistake, how did you define 
'to internet' ? Like 'destination NOT 192.168/16' or something similar?

Also are any proxy's or other gateway/advanced configurations used?
Though only reason i think something might 'disappear' or change kinda 
spontaneous is if the rules have a gateway defined that went down.


Can you describe the rules in detail?

Regards
PiBa-NL

On 21-8-2017 at 19:20, greg whynott wrote:

First time for me as well.  I want to believe it was induced by human,  but
there is no evidence of on the surface.   Perhaps there is something in the
logs which would indicate what happened,  but I'm not sure for how long
those rules went dark.

  I'm deploying an instance of zabbix in the wifi zone to test inward
readability,  the DMZ's already have zabbix hosts so will configure those
to do so as well.I failed to mention in OP,   this issue was only
related to the wifi zone.  The DMZ/inside/outside policies were functioning
as expected.

-greg




On Mon, Aug 21, 2017 at 12:45 PM, Moshe Katz  wrote:


I know that negative experience isn't so helpful to diagnose an issue, but
we have a very similar setup that's been in place for over 10 years, and
we've never seen such a thing.

Moshe



On Mon, Aug 21, 2017 at 12:09 PM, greg whynott 
wrote:


I'm not seeking help but rather thought I'd share an experience we had

last

week which has caused quite a hit on the confidence levels of pfSense.

I tried to find where it may have been human error but seen no evidence of
such.  Happy to upload logs to any member of the team should they care to
investigate for their own reasons.



We have pfsense with 5 zones connected to the internet via gigabit, all
physical interfaces.  From time to time we'll saturate the line for days

at

a time,  keeping pfsense busy (media co).

Zones:
Inside
Outside
WiFi
DMZ1
DMZ2



The zone of concern is the WiFI zone.   Its rule set is very simple.

1. Allow from wifi to inside webmail server on port 443/80.
2. Block all from wifi to inside any any.
3. Allow from wifi to internet any any.


This was tested when the policy was put into place last winter and
functioned as expected. Fast forward,  140 days up-time at this

point.


Helpdesk staff informs me people on the wifi are able to mount internal
CIFS shares and browse internal web resources.

I look at it,  verify this is the case using tcpdump on the wifi
interface.

look at the rules,  disable and re-enable them,  nothing changes.

There is an update waiting to be applied.  We apply the update and

reboot.

(in hindsight, wish we didn't but were getting the "fix asap!!" message)

when it comes up again,  all is back to "normal".  Policy is being
respected.


It seems as if at some point the policy stopped working,  even a

flip/flop

of the rule set didn't help.  No one has made changes in that zone since
the device was deployed.


As you can imagine this is a cause of huge concern for us.  I've been

using

pfSense for about 11 years and this was quite the blow..  I hope it was
something we did,  but I can't think of how things could become so broken
that disabling the rule then re enabling it did nothing to correct...


Has anyone else experienced policy 'failing' after a period of time?

take care,
greg









Re: [pfSense] HAproxy URL Redirect

2017-05-05 Thread PiBa

Hi Daniel,
For https it's not possible without serving a valid certificate for the 
requested domain or requiring the user to click through warnings..
Setup acme package for all your domains together with haproxy and get 
the certs for free (assuming publicly reachable sites) .?.


Other than that you can use acl's to match foo/foobar hostnames and then 
perform a action to redirect..


Regards,
PiBa-NL

On 5-5-2017 at 21:48, Daniel wrote:

Hi there,

I have, hopefully, a quick question ;)

I have several domains and just one SSL certificate. I bought a certificate for 
bar.com

Now I have foo.com and foobar.com on the same Loadbalancer (HAProxy on  pfSense)
I just wanted to Redirect all URLs to bar.com. How can I setup this rule?

--
Regards

Daniel




Re: [pfSense] Routing between interfaces

2017-02-11 Thread PiBa

On 11-2-2017 at 17:24, Matthew Pounsett wrote:

On 11 February 2017 at 08:48, PiBa  wrote:


Make sure that 'internal' traffic is not pushed out over the gatewaygroup
to the WAN interfaces.
So create pass rules above the pbr>gatewaygroup rules, to allow internal
traffic to just take the regular routes.


Ahh.. that sounds like a likely cause of my trouble.  Thanks.

Admittedly after only looking for about two minutes, I don't immediately
see how to implement your solution, though.  Gateway groups and firewall
rules are managed in separate places in the UI, so it's not clear to me how
to get firewall rules "above" the gateway group rules.  I'll be out most of
the day but I can play with that some more tonight and tomorrow to see if
anything pops out at me.

Thanks for your help,
Matt


Alright so you're using floating rules for the pbr part i guess :).
In that case you could try and filter those match rules to only affect 
traffic that has a destination on 'the internet'.
Create a alias that has local networks like 192.168/16 172.16/12 10/8 
and your routed block. Then only apply the floating rules that push 
traffic out a gateway group to traffic that does NOT have that alias as 
a destination.


Regards,
PiBa-NL



Re: [pfSense] Routing between interfaces

2017-02-11 Thread PiBa
Make sure that 'internal' traffic is not pushed out over the 
gatewaygroup to the WAN interfaces.
So create pass rules above the pbr>gatewaygroup rules, to allow internal 
traffic to just take the regular routes.


On 11-2-2017 at 3:06, Matthew Pounsett wrote:

I've been employing a terrible hack where I had an IP alias on my LAN
interface in order to allow me to use multiple subnets on the same physical
network.  I'm trying to correct that, but i'm running into problems with
routing between interfaces.

My network looks like this:

   DSL service (pppoe) ---|             |-- LAN1 (10.0.1.0/24)
                          |-- pfsense --|
   Cable service (em3) ---|             |-- LAN2 (216.235.10.32/28)

There's one more RFC1918 LAN than shown, but I'm trying to keep this
explanation simple and clear.

I have Gateway Groups and NAT rules that result in the following:

1) Anything sourced from the routable block goes out the DSL service
interface without being NAT'd, unless the DSL is down in which case it gets
NAT'd out the cable interface
2) Anything sourced from an RFC1918 address is NAT'd and load balanced out
the two interfaces

pfsense has built what looks like a sane routing table on the firewall:
# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Netif     Expire
default            216.235.0.20       UGS     pppoe0
10.0.1.0/24        link#10            U       em0_vlan
10.0.1.1           link#10            UHS     lo0
10.0.6.0/24        link#2             U       em1
10.0.6.1           link#2             UHS     lo0
127.0.0.1          link#8             UH      lo0
135.23.141.64/27   link#4             U       em3
135.23.141.77      link#4             UHS     lo0
216.235.0.20       link#11            UH      pppoe0
216.235.8.92       link#11            UHS     lo0
216.235.10.32/28   link#9             U       em0_vlan
216.235.10.33      link#9             UHS     lo0


The weird thing is, if I do a traceroute from one of the routable addresses
to an RFC1918 address on LAN1, I get responses from routers outside my
network on the DSL service, implying that pfsense isn't doing interface
forwarding internally.

% ifconfig en0
en0: flags=8863 mtu 1500
options=b
ether 00:25:00:f3:86:4f
inet6 fe80::225:ff:fef3:864f%en0 prefixlen 64 scopeid 0x4
inet 216.235.10.37 netmask 0xfff0 broadcast 216.235.10.47
nd6 options=1
media: autoselect (1000baseT )
status: active
% netstat -rn | grep default
default            216.235.10.33      UGSc       30      599    en0
% traceroute 10.0.1.43
traceroute to 10.0.1.43 (10.0.1.43), 64 hops max, 52 byte packets
  1  agg2.tor.egate.net (216.235.0.24)  5.173 ms  4.967 ms  4.698 ms
  2  vl501.ge-0-0-0.bdr2.tor.egate.net (216.235.0.133)  4.725 ms  4.998 ms
  5.363 ms
  3  ge-1-1-0.407.bb4.yyz1.neutraldata.net (204.16.202.170)  6.239 ms !N
  5.170 ms !N  5.815 ms !N

And from a host in the RFC1918 space I get nothing at all useful, which is
probably not surprising.

% netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs    Use   Netif   Expire
default            216.235.10.33      UGS        0    583   em0.69
10.0.1.0/24        link#7             U          0     60   em0.42
10.0.1.2           link#7             UHS        0      0   lo0
10.0.6.0/24        link#2             U          0     62   em1
10.0.6.3           link#2             UHS        0      0   lo0
127.0.0.1          link#6             UH         0      0   lo0
216.235.10.32/28   link#8             U          0   1299   em0.69
216.235.10.34      link#8             UHS        0      0   lo0

% ifconfig em0.42
em0.42: flags=8843 metric 0 mtu 1500
options=103
ether 00:80:2a:e8:37:89
inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
inet6 fe80::280:2aff:fee8:3789%em0.42 prefixlen 64 scopeid 0x7
nd6 options=29
media: Ethernet autoselect (1000baseT )
status: active
vlan: 42 parent interface: em0
% traceroute -i em0.42 216.235.10.37
traceroute to 216.235.10.37 (216.235.10.37), 64 hops max, 52 byte packets
  1  * * *
  2  * * *
  3  * *^C


Any ideas what I've missed?  Things I should try to troubleshoot further?
Thanks in advance,
Matt





Re: [pfSense] haproxy crl modification requires service reload

2016-08-19 Thread PiBa
It's expected behavior.. Packages are not (yet) notified of certificate 
changes, so cannot easily decide if a reload is required. Might come in 
a future version :)


On 15-8-2016 at 21:06, T wrote:

Hello,

2.3.2-RELEASE (amd64) + haproxy.

I use haproxy with certs based authentication.
As described in the title, modification of CRL list requires reload of
haproxy service in order to
reflect changes(openssl crl -inform PEM -text -noout -in
/var/etc/haproxy/clientcrl_ha_proxy.pem; confirm this)

Is this a bug, misconfiguration or expected behavior? (CC me please)

Regards,





Re: [pfSense] DMZ not working since upgrade 2.3

2016-06-25 Thread PiBa
.rev.sfr.net.51615: Flags [.], ack 22, win 513, length 0
18:09:12.737138 IP 192.168.101.254.2223 > 196.222.21.93.rev.sfr.net.51615: Flags [P.], seq 1:22, ack 22, win 513, length 21

4- From the client point of view to the working WAN access from the beginning 
until the end (connection, then a few commands and disconnection) :

root@MacBook-de-Jean-Laurent:~$ tcpdump -i en0 port 2223
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:09:12.626154 IP 192.168.10.50.51615 > 184.196.154.77.rev.sfr.net.rockwell-csp3: Flags [S], seq 4029864830, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 334217159 ecr 0,sackOK,eol], length 0
18:09:12.666015 IP 184.196.154.77.rev.sfr.net.rockwell-csp3 > 192.168.10.50.51615: Flags [S.], seq 2831647839, ack 4029864831, win 65535, options [mss 1460,wscale 8,sackOK,eol], length 0
18:09:12.666099 IP 192.168.10.50.51615 > 184.196.154.77.rev.sfr.net.rockwell-csp3: Flags [.], ack 1, win 8192, length 0
18:09:12.666537 IP 192.168.10.50.51615 > 184.196.154.77.rev.sfr.net.rockwell-csp3: Flags [P.], seq 1:22, ack 1, win 8192, length 21
18:09:12.705914 IP 184.196.154.77.rev.sfr.net.rockwell-csp3 > 192.168.10.50.51615: Flags [.], ack 22, win 513, length 0
18:09:12.754171 IP 184.196.154.77.rev.sfr.net.rockwell-csp3 > 192.168.10.50.51615: Flags [P.], seq 1:22, ack 22, win 513, length 21
Both sides from captures 3 and 4 show each packet arriving as such it 
all works fine ;)

I hope these complete captures can tell you more about what’s happening ?

I have no special packages installed, had only iperf and nmap for testing 
purposes… and just uninstalled but it changed nothing :(

I have absolutely not any exotic or special configuration like limiters/shapers 
and absolutely no VPN at the moment, no IPSEC, OPENVPN nor anything else… on 
the other pfsense box I have openvpn installed but the symptoms aren’t 
different so I don’t think it’s related.

I really don’t understand what’s happening here but the fact that on both my 
pfsenses I have some WAN redirections or DMZ that are working and that are not 
the only factor that changes here is the internet provider and maybe it’s not 
hardware related but I would think that it’s some kind of network setting 
somewhere that could help me. And we should not forget that before the upgrade 
on the version 2.3 it was working on one of the box for sure ! (the other 
wasn’t installed at the moment)

In my opinion it’s something silly like mtu for example but making my life a 
hell !
Mtu can be troublesome, but i think the syn-ack would make it through 
even if the mtu is a bit off.. Anyway MTU seems to be a proper 1500 at 
the ovh side.

I know it’s a long long mail with a lot of information but if someone can help 
me with that I would be so much grateful !!!

Thank you for those who are reading :)
Best regards,


Jean-Laurent Ivars
Responsable Technique | Technical Manager
22, rue Robert - 13007 Marseille
Tel: 09 84 56 64 30 - Mobile: 06.52.60.86.47
Linkedin <http://fr.linkedin.com/in/jlivars/>   |  Viadeo 
<http://www.viadeo.com/fr/profile/jean-laurent.ivars>   |  www.ipgenius.fr 
<https://www.ipgenius.fr/>

Not really sure what the issue is just yet.
Hope some of my comments help get you closer ;)

You might also try calling ovh and try to see if maybe they are blocking 
something.?.


Regards,
PiBa-NL

On 25 June 2016 at 16:47, PiBa wrote:


Re: [pfSense] DMZ not working since upgrade 2.3

2016-06-25 Thread PiBa

Hi Jean-Laurent,

On 25-6-2016 at 10:37, Jean-Laurent Ivars wrote:

These are logs generated by tcpdump from the same client machine when I try to 
access the firewall through the working internet access provider:

port 2223
16:55:04.501509 IP 46.105.230.225.39304 > 192.168.101.254.2223: Flags [P.], seq 
29:701, ack 22, win 32844, length 672
16:55:04.501652 IP 192.168.101.254.2223 > 46.105.230.225.39304: Flags [P.], seq 
22:910, ack 701, win 508, length 888
port 1
16:58:51.821691 IP 192.168.101.254.1 > 46.105.230.225.5829: Flags [P.], seq 
209411:210119, ack 2393, win 513, length 708
16:58:52.058014 IP 46.105.230.225.5829 > 192.168.101.254.1: Flags [.], ack 
210119, win 32673, length 0
Both these captures are in the 'middle' of an already working connection, 
but do show it 'works' at that time.. To compare it to the capture 
below, better start capturing before initiating the connection :) .

And here is the same command output when I try to access from the one that is not 
working:

Port 2223
16:53:13.240166 IP 46.105.230.225.19480 > 192.168.101.254.2223: Flags [S], seq 
3864438539, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:53:13.240306 IP 192.168.101.254.2223 > 46.105.230.225.19480: Flags [S.], seq 
2492220538, ack 3864438540, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], 
length 0
Port 1
16:56:39.864021 IP 46.105.230.225.41932 > 192.168.101.254.1: Flags [S], seq 
2837326484, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:56:39.864169 IP 192.168.101.254.1 > 46.105.230.225.41932: Flags [S.], 
seq 1993261464, ack 2837326485, win 65228, options [mss 1460,nop,wscale 
7,sackOK,eol], length 0
These SYN [S] and SYN-ACK [S.] packets are the normal start of a TCP 
connection. So far nothing strange during connection initiation; there 
should follow a 3rd ACK [.] packet, after which some useful data exchange 
would follow, like in the first working captures.. But I guess 
you keep seeing these same two [S] and [S.] packets repeating?
You have performed these captures on the LAN interface; could you repeat 
them on the WAN interface to confirm that the [S.] is properly sent back 
on the same interface the client sent the request on? Also, if it's 
possible to capture on the client device, it would be interesting to see 
if the [S.] arrives there properly.

I use a PC Engines APU system, the model is AMD G-T40E Processor with 3 NICs (I 
believe it could be something related to a NIC setting somewhere but really 
don't know)

Does someone encounter the same issue as me? Maybe it's just a setting in the 
NIC driver?

I don't expect it to be hardware/driver related at this moment..

Do you have any packages installed? Snort or Suricata can sometimes 
unexpectedly block traffic you do want.. Or other configurations like 
limiters/shapers or OpenVPN/IPsec networks can possibly interfere..


Regards,
PiBa-NL
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
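PiBa's reading of the capture above (SYN and SYN-ACK seen on the LAN side, the third ACK never arrives, so the SYN-ACK is probably not reaching the client) can be automated over a whole tcpdump text dump. The following is an added example, not code from the list or from the pfSense project: it parses the line shape quoted in the thread, groups packets per flow and classifies each flow's handshake. The sample lines are constructed: the two failing [S]/[S.] lines from the thread, an invented retransmission of the same handshake, a mid-stream line from the working capture, and an invented client 203.0.113.10 whose handshake completes.

```python
import re

# Matches the tcpdump line shape quoted in the thread (IPv4 + TCP only).
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample: the [S]/[S.] lines from the failing capture, an invented
# retransmission 3 s later, an invented client (203.0.113.10) that completes the
# handshake and sends data, and one mid-stream line from the working capture.
SAMPLE = """\
16:53:13.240166 IP 46.105.230.225.19480 > 192.168.101.254.2223: Flags [S], seq 3864438539, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:53:13.240306 IP 192.168.101.254.2223 > 46.105.230.225.19480: Flags [S.], seq 2492220538, ack 3864438540, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
16:53:16.250000 IP 46.105.230.225.19480 > 192.168.101.254.2223: Flags [S], seq 3864438539, win 8192, options [mss 1460,nop,nop,sackOK], length 0
16:53:16.250100 IP 192.168.101.254.2223 > 46.105.230.225.19480: Flags [S.], seq 2492220538, ack 3864438540, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
16:55:01.000000 IP 203.0.113.10.39304 > 192.168.101.254.2223: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
16:55:01.000200 IP 192.168.101.254.2223 > 203.0.113.10.39304: Flags [S.], seq 2000, ack 1001, win 65228, options [mss 1460], length 0
16:55:01.020000 IP 203.0.113.10.39304 > 192.168.101.254.2223: Flags [.], ack 1, win 513, length 0
16:55:04.501509 IP 203.0.113.10.39304 > 192.168.101.254.2223: Flags [P.], seq 1:22, ack 1, win 513, length 21
16:58:51.821691 IP 192.168.101.254.1 > 46.105.230.225.5829: Flags [P.], seq 209411:210119, ack 2393, win 513, length 708
"""


def parse(line):
    """Return ((src_ip, sport), (dst_ip, dport), flags) or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return (d['src'], int(d['sport'])), (d['dst'], int(d['dport'])), d['flags']


def handshake_report(lines):
    """Group packets per endpoint pair and classify each flow's handshake.

    completed  - SYN, SYN-ACK and at least one later client segment seen
    half-open  - SYN-ACK was sent but the client never answered (return path?)
    no-syn-ack - client SYN seen, the server never answered
    mid-stream - capture started after the handshake (no SYN seen)
    """
    flows = {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        src, dst, flags = p
        key = tuple(sorted([src, dst]))   # direction-independent flow key
        f = flows.setdefault(key, {'client': None, 'syn': 0, 'synack': 0,
                                   'client_after': 0, 'packets': 0})
        f['packets'] += 1
        is_syn, is_ack = 'S' in flags, '.' in flags
        if is_syn and not is_ack:          # [S]: client opens the connection
            f['client'] = src
            f['syn'] += 1
        elif is_syn and is_ack:            # [S.]: server answers
            f['client'] = f['client'] or dst
            f['synack'] += 1
        elif f['client'] == src:           # [.], [P.], ...: client saw the SYN-ACK
            f['client_after'] += 1

    report = {}
    for key, f in flows.items():
        if f['client'] is None:
            status = 'mid-stream'
        elif f['synack'] == 0:
            status = 'no-syn-ack'
        elif f['client_after'] == 0:
            status = 'half-open'
        else:
            status = 'completed'
        client = f['client'] or key[0]
        server = key[1] if client == key[0] else key[0]
        name = '%s:%d->%s:%d' % (client + server)
        report[name] = dict(f, status=status)
    return report


if __name__ == '__main__':
    for name, f in handshake_report(SAMPLE.splitlines()).items():
        print('%-45s %-10s syn=%d synack=%d client_after=%d'
              % (name, f['status'], f['syn'], f['synack'], f['client_after']))
```

A flow that reports half-open on the LAN capture but completed on a WAN capture of the same attempt points at the return path (the [S.] leaving on a different interface than the [S] came in on), which is exactly the comparison PiBa asks for.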

Re: [pfSense] [Bulk] Strange problem with HAProxy failing after WAN IP changes

2016-05-02 Thread PiBa

Hi,
AFAIK, haproxy does not and did not reload on a WAN IP change on either 
pfSense version.

There are a few options though.
-make the haproxy frontend listen on 'any'
-or use a port forward to forward incoming traffic to 127.0.0.1; haproxy 
could then be listening on localhost:80.

Regards,
PiBa-NL

On 2-5-2016 at 15:55, Dominique Kaspar wrote:

Hi,

we have a strange problem on our pfSense since we migrated to 2.3. We use the 
HAProxy package to enable external access to several of our webservices 
(webmail, taiga, wiki, kimai, owncloud) running on VMs in our LAN. In order to 
do that, we have configured several frontends as well as several backends, and 
all is working well - until the daily reset of the WAN IP happens (we get a 
dynamic IP from our provider): then, HAProxy just fails to do its job until we 
manually reload the service.

It seems to me that pfSense 2.3 has changed the way it reloads the haproxy 
service after the WAN IP changes. Since this behavior is new to 2.3 (in 2.2.6, 
this worked out-of-the-box), I am fairly sure there is a configuration out 
there that can deal with this specific problem, but I can't seem to find it. 
Can someone point me in the correct direction?








Re: [pfSense] [Bulk] Re: Upgrade to 2.3

2016-01-20 Thread PiBa

On 20-1-2016 at 14:45, J. Echter wrote:

On 20.01.2016 at 14:35, Brian Caouette wrote:
 
I've been following the forum discussions on 2.3 and was confident the packages I used were ready for 2.3, so I bit the bullet and upgraded. I find all my failed packages with the same error on attempt to reinstall: Can't create anydbm file.pm, all Perl related. Has anyone solved this yet? Attempts at freeradius2, lightsquid, squid, and squidGuard all have this exact error.
Is that the exact error? It doesn't tell me much; anyway I tried to 
install squid on 2.3 today, and after configuring basic settings that 
seems to at least start.. I've not 'upgraded' from 2.2.x though, have 
upgraded through quite a few 2.3 alpha/beta snapshots.. Anything you can 
tell about the environment? x86 or x64? nanobsd?


Perhaps try a clean 2.3 installation, and then restore your existing 
config on it?



Sent from my U.S. Cellular® Smartphone



Hi,

isn't this an alpha/beta update?
Yes, 2.3 is currently a beta; that doesn't mean people may not ask a question 
about it, right? ;) Yes, 'some' errors are to be expected, but the issue above 
seems to be 'bigger'..




Re: [pfSense] [Bulk] Re: darkstat

2015-11-08 Thread PiBa

The package still seems to be available for installation on my 2.2.5 box.
If it's already installed it's no longer listed between the available 
packages.. Maybe looking in the wrong place?


On 8-11-2015 at 16:36, Ryan Coleman wrote:

From October 16 (Subject: "Bandwidth graph"):


Was it darkstat?  https://unix4lyfe.org/darkstat/ 


Packages are maintained by independent coders.




On Nov 7, 2015, at 8:11 PM, Josh Karli  wrote:

Hello all!

Anyone know what happened to the darkstat package? Had it installed on pfsense 
2.2.4 x64, upgraded to 2.2.5 and it's gone. If it's no longer supported, anyone 
have any suggestions on another pfsense package that also lets you drill down 
to see traffic types by IP address?


Cheers!
Josh Karli




Re: [pfSense] GUI performance on an ALIX 2d3

2015-08-13 Thread PiBa
Probably this caused it; the workaround is also there, as written in 
https://doc.pfsense.org/index.php/2.2.4_New_Features_and_Changes


 * The forcesync patch for #2401 is still considered harmful
   to the filesystem and has been kept out. As such, there may be some
   noticeable slowness with NanoBSD on certain slower disks, especially
   CF cards and to a lesser extent, SD cards. If this is a problem, the
   filesystem may be kept read-write on a permanent basis using the
   option on Diagnostics > NanoBSD. With the other above changes, risk
   is minimal. We advise replacing the affected CF/SD media by a new,
   faster card as soon as possible. #4822


Erik Anderson wrote on 13-8-2015 at 23:28:

Hello all -

I've been running pfSense on my ALIX 2d3 happily for many years now.
For the most part, it still does its job well. However, with the most
recent release, any changes made in the GUI take a *long* time to
commit. By long I mean ~2 minutes. That's how long it takes from
clicking "Save" to the screen refresh and the "Apply changes" button
showing up.

Is this slow GUI performance to be expected? Was there some change in
v2.2.4 that would have caused this?

I realize that the 2d3 board is getting quite long in the tooth, so
perhaps this is just something I need to deal with until I finally
cave in and purchase an SG-2220.

Thank you!
-Erik





Re: [pfSense] [Bulk] Problems with migrating from pfsense 2.1.5 to 2.2.2 - no translation or filter rules loaded

2015-06-24 Thread PiBa

Try running:
pfctl -f /tmp/rules.debug
This should reload the rules, but likely throws an error..
I think you might have some 'invalid' alias table content.

Seb Auriol wrote on 24-6-2015 at 13:00:

Hi all,

I have installed pfSense 2.2.2 on new hardware (four Dell 1950 blade servers).  
I took the config from the old hardware running 2.1.5 and put it on the new 
hardware and adjusted the NIC assignments.  It works fine on three of them, but 
the 'primary' in the HA cluster is not loading the firewall and nat rules.  So 
the result of the command below starts:

pfctl -vvsa | less
FILTER RULES:
No queue in use

STATES:


On the secondary, the output from the same command starts:
pfctl -vvsa | less
TRANSLATION RULES:
@0(0) no nat proto carp all
   [ Evaluations: 3328  Packets: 0 Bytes: 0   States: 0 ]
   [ Inserted: pid 19405 State Creations: 18446735278790537528]
@1(0) nat-anchor "natearly/*" all


The result of the problem is that NAT isn't working (and probably all packet 
filtering).  Routing is working fine.


A possibly related issue (but if you want to respond to this pfBlocker issue, 
replying to my forum post may be better: 
https://forum.pfsense.org/index.php?topic=88443.msg530471#msg530471):


We had pfBlocker installed on the old firewalls, but the package is not 
available on 2.2.x as it has been replaced with pfBlockerNG.  However, we still 
have the config in for pfBlocker and it should be removed.  I tried running the 
php script written by the author of the new package here:
https://forum.pfsense.org/index.php?topic=88443.0

But it doesn't work (maybe it worked on 2.2.0).  The output was:

Removing pfBlocker from the pfSense Configuration file

Removed pfblocker
Removed pfblockerlists
Removed pfblockertopspammers
Removed pfBlocker Menu Entry

Fatal error: Call to undefined function getUserEntry() in 
/etc/inc/config.lib.inc on line 501


I then removed the pfBlocker rules from the WAN (as they were still there), but 
I still have the menu item, and the rest of the config as you see below:

[2.2.2-RELEASE][r...@primary.test.mydomain.org]/tmp: grep "pfblocker" /conf/config.xml | 
grep -v "pfblockerng"
 
https://127.0.0.1:443/pfblocker.php?pfb=pfBlockerBadguys
 
https://127.0.0.1:443/pfblocker.php?pfb=pfBlockerTopSpammers
 /usr/local/bin/php -q /usr/local/www/pfblocker.php 
cron
 Configure pfblocker
 /pkg_edit.php?xml=pfblocker.xml
 
 
 
 
 
 
 /pkg_edit.php?xml=pfblocker.xml&id=0


Any ideas on where to look next?
  
Kind regards,


Seb
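The failure Seb describes (one HA node coming up with no filter or NAT rules loaded) is worth catching mechanically before the node carries traffic, because pf passes any packet that matches no rule: a node without a loaded ruleset is forwarding unfiltered. The following is an added example, not code from the thread or from pfSense. It parses `pfctl -vvsa` output into its sections and reports a node whose FILTER RULES or TRANSLATION RULES section contains no rules. PRIMARY_OUTPUT is the output quoted above; SECONDARY_OUTPUT is constructed around the two NAT lines quoted above, with invented filter rule lines and counters as placeholders.

```python
import re

SECTION_RE = re.compile(r'^([A-Z][A-Z ]+):\s*$')   # e.g. "FILTER RULES:"
RULE_RE = re.compile(r'^@\d+\(\d+\)\s+(.*)$')       # e.g. "@0(0) no nat proto carp all"

# As quoted in the thread: the primary shows an empty filter section and no
# translation section at all.
PRIMARY_OUTPUT = """\
FILTER RULES:
No queue in use

STATES:
"""

# Constructed: the two NAT lines are from the thread, the filter rules and the
# counters on them are invented placeholders for a node that loaded its ruleset.
SECONDARY_OUTPUT = """\
TRANSLATION RULES:
@0(0) no nat proto carp all
  [ Evaluations: 3328  Packets: 0 Bytes: 0   States: 0 ]
  [ Inserted: pid 19405 State Creations: 18446735278790537528]
@1(0) nat-anchor "natearly/*" all
FILTER RULES:
@0(0) scrub in on em0 all fragment reassemble
  [ Evaluations: 120  Packets: 120 Bytes: 9600   States: 0 ]
@1(0) block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 120  Packets: 3 Bytes: 180   States: 0 ]
No queue in use

STATES:
"""


def parse_pfctl_sa(text):
    """Return {section name: [rule text, ...]} for `pfctl -vvsa` output.

    Only lines of the form "@N(ticket) ..." count as rules; the indented
    counter lines and informational lines such as "No queue in use" are skipped.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return sections


def ruleset_health(text, expect_nat=True):
    """Return a list of problems; an empty list means the ruleset looks loaded."""
    sections = parse_pfctl_sa(text)
    problems = []
    if not sections.get('FILTER RULES'):
        problems.append('no filter rules loaded')
    if expect_nat and not sections.get('TRANSLATION RULES'):
        problems.append('no translation (NAT) rules loaded')
    return problems


if __name__ == '__main__':
    for name, out in (('primary', PRIMARY_OUTPUT), ('secondary', SECONDARY_OUTPUT)):
        print(name, ruleset_health(out) or 'OK')
```

On a live node the constants would be replaced by reading `pfctl -vvsa` output from stdin, which makes this usable as a cron or HA health check. PiBa's `pfctl -f /tmp/rules.debug` can also be dry-run first as `pfctl -nf /tmp/rules.debug`, which parses the file without loading it and reports the line that fails, a quick way to locate the invalid alias table content he suspects.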





Re: [pfSense] reverse proxy situation

2015-05-31 Thread PiBa
The HAProxy package is 'currently' maintained by me, though maybe not highly 
actively; last week I added OCSP as an option in the -devel version. 
It should become available in the -1_5 version in some time as well. Anyway it 
offers quite some options: SSL-offloading, SNI, host-header/SNI backend 
selection, others.. If something important is missing from the webgui, 
and I think it's useful / easy to add, send me a mail and in time I 
might add it. Also if something doesn't work properly, I'll try and fix 
it.. I do try to keep the package somewhat clean of an enormous amount 
of options that will rarely be used.. And most 'advanced' options can be 
added in the various 'textbox fields' as well..


Here is an example of how haproxy can do http from 1 IP to multiple backends:
https://docs.google.com/document/d/1YflytSq7P8oZBSCVUKWS1v2P0CdShbxeCsbTZ59JCRo/pub

In your case with https it's a little different, and there is the option 
to use SNI to forward TCP connections as is (IE on XP does not support 
SNI, and maybe others, if that matters for you...), or configure 
ssl-offloading and process the actual http on haproxy, then the choice 
to re-encrypt the connection to the backend or not.. And possibly mess up the 
web application logic that wants to redirect to https again..


Pros:
-Acls for backend selection
-SSL/SNI support in various ways
-Nice stats page
-Session-stickiness, TCP forwarding, I think relatively low CPU usage, 
others..

Cons:
-If you need 'rewriting' of the body of an html page then haproxy is not 
going to do that for you. Haproxy can only insert/modify/remove 
http-headers.

-Also if you want 'caching' this is not something haproxy will do.

As for the other packages I've not really used them much. So can't really 
comment.., perhaps take a look at the github activity to see if and how 
actively they are changing? Though few commits can mean it's very stable 
and feature complete. It can also mean it's not being actively 
maintained. So it still doesn't say much..


Greets PiBa-NL

Adam Thompson wrote on 31-5-2015 at 16:04:

Reverse proxy.  Need to multiplex multiple publicly-accessible, secure, 
websites running on private IPs from a single public IP.
It *is* hard to write that both succinctly and unambiguously!
-Adam

On May 31, 2015 8:54:14 AM CDT, Espen Johansen  wrote:

Actually. Are you looking for reverse proxy or a user proxy. I'm
confused
after reading your mail a few times.

Brgds, Espen
31 May 2015 15:35, "Espen Johansen" wrote:


Exclude varnish; it's primarily made for frontend LB proxy.

Sun. 31 May 2015, 15:32, Adam Thompson wrote:


Oh, shoot, that's a good point - I probably do need SNI support for SSL.
I may be able to get a wildcard cert, but that will be an issue one way or
another.
Varnish doesn't support SSL at all, although I could theoretically do it
with stunnel and a wildcard cert.
Squid does support SSL, but appears to require wildcard cert.
Squid3 *may* support SNI, can't tell.
Haproxy supports SNI; hopefully the pfSense package is new enough to
include that.
Apache supports SNI, supposedly.

So I'm still left with a (overly, IMHO) large list.
I could also just port-forward TCP/{80,443} to a host behind the firewall
and do everything there, too.

Argh, too many options, not enough clarity on which packages are
supported vs. which ones are semi-orphaned.

-Adam

On May 30, 2015 11:12:01 PM CDT, Travis Hansen wrote:

If you're looking for pure proxy frontend I'd stick with haproxy or
apache (I use haproxy).
haproxy provides load balancing and can do other things besides
strictly http(s) such as pure tcp and transparent proxy stuff.
Apache provides some things like mod_rewrite (I assume the pfsense
build comes with that) etc that aren't easily done with haproxy.
I could be wrong but if you're looking for SSL offloading (I ensure
all traffic goes over SSL) varnish and squid would be out of the
picture.

Travis Hansen
travisghan...@yahoo.com


On Saturday, May 30, 2015 8:25 PM, Adam Thompson
 wrote:


I need to run a reverse proxy on a pfSense gateway - multiple websites,
one public IP, the usual reason.
However, I see there's a larger selection available than the last time I
looked.

It appears we now have:
* Apache w/mod_security-dev v0.43 / 0.22
* haproxy-1_5 v0.23
* haproxy-devel v0.24
* Proxy Server w/mod_security v0.1.7 / 0.22.999
* squid
* squid3
* varnish3

1. Have I missed any?
2. Are "Apache w/mod_security-dev" and "Proxy Server w/mod_security"
essentially the same thing?
3. For relatively simple cases (straightforward hostname-to-internal-IP
mapping), is there any compelling reason to use one over another on
pfSense 2.2 today?  FWIW, this firewall is relatively underpowered
(PowerEdge 1750, dual 2.4GHz P4-era Xeons).

--
-Adam Thompson
  athom...@athompso.net
  +1 (204) 291-7950 - cell
  +1 (204) 489-6515 - fax


Re: [pfSense] [Bulk] Re: [Bulk] Invalid IP range allowed in firewall alias, breaks ruleset

2015-04-20 Thread PiBa
Yes, the test could probably be edited to catch such probably unintended 
IP-like names.. If you can supply a patch for it on github it will 
probably get pulled (eventually), but I think there are other issues 
that might be more important to have than avoiding all kinds of user errors..
If a host-name cannot be resolved it cannot be used by pf.. So far no 
discussion, I think.
As for the other entries in the alias, they should still function as 
before, I would imagine.. Are you saying that's not the case?


Steve Yates wrote on 20-4-2015 at 19:51:

I hear you, but until there are valid TLDs for ".(number)-(number)" perhaps that 
test could be edited?  Or possibly print "WARNING: what you entered was detected as a hostname 
but might have been intended as an IP block, and if we can't resolve the hostname, rules will not 
pass traffic for any other listed IPs in this alias" or similar?

Reading what I just wrote, what happens if a valid hostname ever can't 
be resolved in the future?  The rule stops working then also?

--

Steve Yates
ITS, Inc.


PiBa wrote on Mon, Apr 20 2015 at 12:27 pm:


Problem is that what you typed validates as a valid 'hostname'..

Steve Yates wrote on 20-4-2015 at 17:52:

I had a situation this weekend where I wanted to add another IP range to an
existing alias.  I entered x.x.x.75-99 which the eagle eyed among you will
notice is invalid syntax (should be x.x.x.x75-x.x.x.99).  pfSense 2.2.1 didn't
complain about that when adding it or applying the rules, but traffic stopped
and I finally found an error logged in the System/Resolver log of all places:

filterdns: failed to resolve host x.x.x.75-99 will retry later again.

There were no other errors logged that I can find.  I would like to suggest
pfSense validate alias input to catch that invalid entry format and make it a
tad more idiot-proof.  :)






Re: [pfSense] from LAN to OPT1, pfsense forces all http connections to https

2015-04-20 Thread PiBa

Go to System/Advanced/Adminaccess then disable the "WebGUI redirect".
That is still receiving traffic on *:80 and redirecting to the webgui port..

Bob McClure Jr wrote on 20-4-2015 at 19:09:

On Mon, Apr 20, 2015 at 09:52:20AM -0400, ED Fochler wrote:

You may be getting overruled by the self protecting hidden rules of pfSense.

System -> Advanced -> [Admin Access] -> Anti-lockout

That sounds like what I want, but the text for that option gives a
dire warning that it could lock me out if I don't have the right
firewall rule in place, but I'm unclear what rule I should use.  I
have all the rules that are associated with the WAN->OPT1 NAT
forwards.


Alternatively, Services -> DNS Forwarder -> host overrides … could
point internal machines to the DMZ address instead of the outside
address when they lookup the name.

I didn't see that option.  Bear in mind that I'm not using the pfsense
DHCP or DNS.  I'm using dnsmasq on the LAN.

Since I've determined that I can get to the DMZ via the internal IP, I
may just toss in the towel and list all the web sites in my local
DNS.  Ugh.  That's so unclean.


It is possible that you are just trying to do too many things with a
single IP address to safely make them all happen.  Disabling
PFSense’s idiot-proofing features may be your best path forward.

Some sage said that any system that keeps you from doing something
stupid will also keep you from doing something clever.


And do your link testing with wget or checklink.  Web browsers often
cache a http_redirect in a kind of permanent manner, not even looking
at the server for changes.  wget doesn't have enough of a brain to
suffer from such brain damage.

ED.



On 2015, Apr 19, at 11:13 PM, Bob McClure Jr  wrote:

On Sun, Apr 19, 2015 at 07:51:24PM -0700, Kenward Vaughan wrote:

On 04/19/2015 06:37 PM, Bob McClure Jr wrote:
...


Now if anyone has a clue about this apparent Firefox brain damage, I'm
all ears.  I just restarted Firefox, and it's still hosed.

Well, I take back what I took back, that is, Firefox brain damage.  I
just discovered that two other applications fail the same way.  The
other affected apps are wget and checklink.  The latter is a Perl link
checker from W3C that uses the LWP::RobotUA, LWP::UserAgent, and
Net::HTTP::Methods modules.  I can work around the wget problem, but a
checklink failure is a show-stopper.  We use that to check for broken
links in new and modified web pages.  Those two apps are run from the
file server on the LAN to the web sites on the DMZ (OPT1).  The
Firefox problem is on my workstation on the LAN.  Both of those are
Linux CentOS machines.  Interestingly enough, my wife's Win7 Firefox,
also on the LAN, does not have a problem.

I'm lobbing this back into pfsense's court.


My first check is to hide the default user profile (make a new one
to use without copying over anything from the old), and see if that
takes care of things.  If it does, then selectively pull back in
Good Things (passwords, etc).

Thanks for the hint, but it appears not to be (just) a Firefox
problem.


Kenward
--
In a completely rational society, the best of us would aspire to be
_teachers_ and the rest of us would have to settle for something less,
because passing civilization along from one generation to the next
ought to be the highest honor and the highest responsibility anyone
could have. - Lee Iacocca

Cheers,
--
Bob McClure, Jr.

Cheers,



Re: [pfSense] [Bulk] Invalid IP range allowed in firewall alias, breaks ruleset

2015-04-20 Thread PiBa

Problem is that what you typed validates as a valid 'hostname'..

Steve Yates wrote on 20-4-2015 at 17:52:

I had a situation this weekend where I wanted to add another IP range to an 
existing alias.  I entered x.x.x.75-99 which the eagle eyed among you will 
notice is invalid syntax (should be x.x.x.x75-x.x.x.99).  pfSense 2.2.1 didn't 
complain about that when adding it or applying the rules, but traffic stopped 
and I finally found an error logged in the System/Resolver log of all places:

filterdns: failed to resolve host x.x.x.75-99 will retry later again.

There were no other errors logged that I can find.  I would like to suggest 
pfSense validate alias input to catch that invalid entry format and make it a 
tad more idiot-proof.  :)

--

Steve Yates
ITS, Inc.
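The gap Steve describes (x.x.x.75-99 accepted because it passes as a hostname, then filterdns fails to resolve it and the rules never load) is an input-validation ordering problem: a lenient hostname check runs before any strict address check, so a malformed address is silently reinterpreted as a name. The following is an added example, not pfSense's own alias validation code. It classifies an alias entry by trying the strict interpretations first (address, network, start-end range with two full addresses) and only then accepting a hostname, and it rejects anything shaped like an address that does not parse as one. The sample entries are constructed.

```python
import ipaddress
import re

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*'
    r'[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$', re.IGNORECASE)

# Anything that starts with three dotted numeric octets is meant to be an
# IPv4 address, network or range; if it did not parse above, it is a typo,
# not a hostname (this is the case that 10.0.0.75-99 falls into).
LOOKS_LIKE_IPV4_RE = re.compile(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.[\d.\-/]+$')


def classify_alias_entry(entry):
    """Return (kind, reason): kind is ip, network, range, hostname or invalid."""
    e = entry.strip()
    try:
        ipaddress.ip_address(e)
        return 'ip', None
    except ValueError:
        pass
    try:
        ipaddress.ip_network(e, strict=False)
        return 'network', None
    except ValueError:
        pass
    if '-' in e:                                 # candidate start-end range
        lo, _, hi = e.partition('-')
        try:
            a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            a = b = None
        if a is not None and b is not None and a.version == b.version:
            if a > b:
                return 'invalid', 'range start %s is above range end %s' % (a, b)
            return 'range', None
    if LOOKS_LIKE_IPV4_RE.match(e):
        return ('invalid', 'looks like an IPv4 address or range but does not '
                           'parse as one; write ranges as start-end with two full addresses')
    if HOSTNAME_RE.match(e):
        return 'hostname', None
    return 'invalid', 'not an IP address, network, range or hostname'


def validate_alias(entries):
    """Return [(entry, reason), ...] for every entry that must be rejected."""
    problems = []
    for entry in entries:
        kind, reason = classify_alias_entry(entry)
        if kind == 'invalid':
            problems.append((entry, reason))
    return problems


# Constructed sample alias: one good address, the malformed range from the
# thread written with a real prefix, a correct range and a hostname.
SAMPLE_ALIAS = ['10.0.0.1', '10.0.0.75-99', '10.0.0.75-10.0.0.99', 'mail.example.org']

if __name__ == '__main__':
    for entry in SAMPLE_ALIAS:
        print('%-22s %s' % (entry, classify_alias_entry(entry)))
    print('rejected:', validate_alias(SAMPLE_ALIAS))
```

Rejecting the entry at input time is the cheap fix; the more important property is the one Steve points at in his second message: a single unresolvable name inside an alias should degrade only that entry, not take the whole rule set down with it, and a validator like this one is no substitute for checking what filterdns actually manages to resolve.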






Re: [pfSense] [Bulk] updating & testing packages?

2015-04-18 Thread PiBa
Applying the diffs to your current pfSense install would work; you can use 
the System Patches package for that.

Just copying modified files to the pfSense box works as well.
Or setting up a local repository to install the changed package from is 
another option.. (preferred if you're going to change 
installation/uninstallation functions.., though a little tricky to get 
going..)


For getting changes committed just sending a github pull request is 
usually enough.. (you do need to agree to the ICLA agreement before 
changes will get pulled) If your changes aren't pulled, adding a 
corresponding redmine ticket sometimes helps.


Other than that, it just takes some time to get requests pulled; 
sometimes it takes only hours, other times it takes a week or longer..


p.s.
The d...@lists.pfsense.org might be a better place for dev related 
questions.. Though it is a bit quiet..


Adam Thompson wrote on 18-4-2015 at 20:07:

I need to test some of the recent fixes to the OpenBGPd package.
Other than manually applying the diff(s) to the currently-installed 
files, how would I go about generating the package and installing it 
on my system?
Also, what's the process for submitting changes to packages?  Just do 
a pull request on the github project?






Re: [pfSense] [Bulk] Re: "Packages are currently being reinstalled in the background." since last night... nothing showing on the console...

2015-03-18 Thread PiBa
There is also a chance that 'something' went wrong during package 
installation and the php process got terminated..
In diagnostics/backuprestore you can press the 'clear lock' and 
'reinstall all packages' buttons to solve that.. Some packages just 
cannot be installed during booting because some include files might not 
be loaded in advance..


Could you list what packages exactly you had installed before the upgrade?

Ryan Clough wrote on 18-3-2015 at 20:15:
The documentation for updating pfSense firmware recommends noting and 
removing all installed packages before updating[1]. Then, after a 
successful update, reinstall the packages that were noted. I have had 
very good success using this method however, I updated to 2.2.1 last 
night without removing installed packages and after the reboot it took 
about 2 hours for my Intel(R) Atom(TM) CPU C2758 @ 2.40GHz with a 
7200RPM pfSenseMirror to complete the package re-installation. Other 
than a little hiccup with Sarg; all is well. I would, if you can, just 
wait it out.


[1] https://doc.pfsense.org/index.php/Upgrade_Guide

Ryan Clough
Information Systems
Decision Sciences International Corporation 



On Wed, Mar 18, 2015 at 2:55 AM, Tiernan OToole <tier...@tiernanotoole.ie> wrote:


Morning all.

Since i like being on the "bleeding edge" of technology, as soon
as the new version of PFSense 2.2.1 was released yesterday, i
downloaded and installed it on my existing 2.2 box. I told it to
do a full backup before installing, waiting about 10 min and heard
my server reboot (2 or 3 beeps, then lots of fans, then about 5
min later the usual PFSense "boot" charms).

I was looking at the boot sequence over KVMoIP and it started to
install packages in the background. this took another 10 min...
and all was good.

This morning i logged into the box (both over kvm and web
interface) and the web gives me the following notice:

Packages are currently being reinstalled in the background.
Do not make changes in the GUI until this is complete.

but there is nothing showing on the console... I'm not in the house
currently, so rebooting is iffy (and I won't have KVM access if I
do reboot). Is it a good idea to reboot if this shows? Any idea
what's going on here?

Thanks.

--Tiernan












Re: [pfSense] [Bulk] IP Alias -vs- Proxy ARP for NAT

2015-03-08 Thread PiBa

Says it all: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
Which is better, that depends on what you need it to do.

Tim Hogan wrote on 8-3-2015 at 13:48:
I am setting up my firewall to do 1:1 NAT with a block of public IP 
addresses.  I have found several posts about setting up 1:1 NAT and 
some of them say to use Proxy ARP when creating the Virtual IP and 
others say to use IP Alias.  Can someone fully explain the difference 
between the two and offer an opinion as to which would be better to use?


Regards





Re: [pfSense] [Bulk] Re: default firewall rules

2015-03-04 Thread PiBa
Don't forget to move host-overrides / domain-overrides, and set 
'Harden Glue' on dnsresolver/advanced settings.


Sean wrote on 5-3-2015 at 3:49:


LOL. That simple eh?
Thanks.

On Mar 4, 2015 8:27 PM, "Randy Bush" wrote:


> Pardon the hijack but if I was using dnsmasq and upgraded to 2.2
and wanted
> to use unbound instead whats the best way to switch? (Note:
already did
> the upgrade to 2.2).

services / dns forwarder / disable
services / dns resolver / enable






Re: [pfSense] [Bulk] Re: NAT Port Forward to IP in subnet host with different default gateway

2015-02-22 Thread PiBa

Chris Bagnall wrote on 22-2-2015 at 18:34:

On 22/2/15 5:07 pm, Jason Pyeron wrote:
Other than changing the default gateway on that host, how can I port 
forward SSH to that host?


If you know the source IP (or range) of the traffic, you might be able 
to set a static route on the host to send traffic to  
via the pfSense rather than the default gateway.


So if your source traffic is from 1.2.3.0/24, LAN on your pfSense is 
192.168.0.254 and your host is on 192.168.0.10, you'd create a rule on 
that host as follows:


route add -net 1.2.3.0/24 gw 192.168.0.254

(obviously that's a Linux example, but there's no reason to stop you 
doing the same thing on a Windows, Mac, or indeed just about any other 
host that'll allow you to manipulate the routing table)


Kind regards,

Chris
Another option is to configure an outbound NAT rule on the LAN interface 
for the destination to that host, so pfSense will NAT traffic coming 
from outside to the LAN IP of pfSense before sending it to the 
destination host. That way all traffic will seem to be coming from 
pfSense and the host will know the route back, as it is on the 
link-local subnet. Any logs or other permission logic that tries to 
distinguish between client IPs will be useless though..

Greets,
PiBa-NL


Re: [pfSense] [Bulk] Re: openvpn - how do i nat the vpn segment?

2015-01-20 Thread PiBa
Check you have 'manual outbound nat' selected, otherwise the manual 
rules don't apply..
To view the actual pf rules created, you can look at the file 
/tmp/rules.debug using for example the menu option diagnostics/editfile.


Or run pfctl -sn on ssh/console to view nat rules.

Antonio Prado wrote on 20-1-2015 at 18:11:

On 1/20/15 4:27 PM, Randy Bush wrote:

i do not know how to dump the NAT and firewall rules to text, darn it.

randy,
backup -- [Firewall Rules | NAT] -- download

that's conf to text (xml), not so compact and viewer friendly tho
--
antonio



Re: [pfSense] [Bulk] Re: DNS-based inbound NAT?

2014-12-14 Thread PiBa

HAProxy can also be used for this.

Brian Henson wrote on 14-12-2014 20:13:
I second using a reverse proxy for this. You can use the squid package 
or even use the Mod_security and proxy pass directive


On Sun, Dec 14, 2014 at 1:44 PM, Yehuda Katz wrote:


HTTP Host headers are not even seen by the firewall unless some
type of Deep Packet Inspection is running or the firewall is the
destination and runs a proxy to the other servers.

The alias method suggested will not work in this case (as you
found) because pfSense does not check the host headers.

Squid might be able to do the job, but I don't think the pfSense
package of squid supports multiple FQDNs (Fully Qualified Domain
Names).
A quick look at the settings page shows only options for proxy by
path, not by full URL.
Once you install the plugin, look under Services -> Reverse Proxy
for the settings.

- Y


On Sun, Dec 14, 2014 at 1:29 PM, Mike Bobkiewicz wrote:

Hello,
we have a problem: we're running a pfSense 2.1.5 firewall with
a single WAN address in front of a DMZ zone with two web
servers. What we now want to do is that pfSense redirects an
http call to server1.example.com to webserver 1 and an http
call to server2.example.com to webserver 2.
We have found two threads on the pfSense board but we couldn't
make them run.
The first thread mentioned to add aliases for the dns names and
create redirect nat rules. That doesn't work because pfSense
seems to replace the dns entries from the aliases at run time
so the first matching rule is the winner: when
server1.example.com is the first rule, webserver 1 answers for
both server1.example.com and server2.example.com. After moving
the rule for server2.example.com before the server1 rule,
webserver 2 answers all calls.
The second thread mentions to install the squid3 3.1.20
package and to use its reverse proxy function but we can't
figure out where to find it in the settings.
Any help or advice is highly welcome.

Best regards,

Mike Bobkiewicz
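As an added illustration of the HAProxy approach PiBa mentions (this is example configuration written for this page, not the thread's own or the pfSense haproxy package's), an haproxy.cfg fragment that selects the DMZ web server by the HTTP Host header instead of by destination IP. The WAN address 203.0.113.10 and the server addresses 10.0.1.11/10.0.1.12 are constructed placeholders.

```haproxy
# Constructed example: two DMZ web servers behind one pfSense WAN address,
# selected by the HTTP Host header (placeholder addresses throughout).
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http_in
    # pfSense WAN address (placeholder); a firewall rule must still allow TCP/80 to it
    bind 203.0.113.10:80
    # Match the Host header the browser sends; -i makes the comparison case-insensitive.
    # This is an exact string match, so a Host header carrying an explicit port
    # (host:8080) would not match; on port 80 browsers send the bare name.
    acl host_server1 hdr(host) -i server1.example.com
    acl host_server2 hdr(host) -i server2.example.com
    use_backend bk_server1 if host_server1
    use_backend bk_server2 if host_server2
    # Anything else (unknown Host header, access by bare IP) goes to an empty
    # backend, so neither web server receives requests that were not meant for it
    default_backend bk_nomatch

backend bk_server1
    # Pass the real client address on in X-Forwarded-For for the web server's logs
    option forwardfor
    server web1 10.0.1.11:80 check

backend bk_server2
    option forwardfor
    server web2 10.0.1.12:80 check

backend bk_nomatch
    # No servers defined: HAProxy answers unmatched requests with a 503
```

Because the decision is made on the Host header rather than on the destination address, one WAN IP and one port forward (or a direct bind on the WAN address) are enough for both names.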

Re: [pfSense] [Bulk] OpenVPN & Non-admin users.

2014-12-01 Thread PiBa
-using the OpenVPNManager (there is a checkbox to include it in the 
installer in the openvpnexport package)


Karl Fife wrote on 1-12-2014 21:37:
I'd like to poll how others have dealt with the issue of non-admin 
Windows users running OpenVPN (TUN) for remote access.


If you recall, non-admin users don't have the privilege of inserting 
routes, so even though the tunnel is established, it won't be 
used without an explicit route.


I've read all of the scenarios, from running the client as a service, 
disabling username/password, creating client shortcuts with elevated 
privilege etc, using the Viscosity client for windows (only needs 
admin to be installed, not to be used).


If you feel like showing off your astute reasoning, which route did 
you take and why?





Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-28 Thread PiBa

Hi Guys,

Anyone care to test if this fixes the issue?

I don't have a PPPoE myself, but do think everyone with a changing WAN 
IP is affected by old UDP states that stay alive long after an outbound 
NATed IP has changed..
I think there is no danger in dropping all states that use that specific 
old IP, as it is no longer used by pfSense and you wouldn't know where it 
might exist now..


Place the code below in the file /etc/rc.newwanip at the bottom of the 
file just before the ?>

--
if (is_ipaddr($oldip) && $curwanip != $oldip) {
	/* Reset states that are using the old WAN IP; for example outbound NATed
	   UDP traffic would otherwise stay NATed using the old WAN IP.
	   $oldip has passed is_ipaddr(), so only a plain address reaches pfctl. */
	mwexec_bg("/sbin/pfctl -k $oldip");
}
--
Please report back if this fixes the issue, or if any unwanted 
side-effects occur..
I've sent a pull request for pfSense 2.2 containing this change: 
https://github.com/pfsense/pfsense/pull/1299/files


p.s. I'm not a 'pfSense dev', just a user and contributor.. use it at 
your own risk ;)..

Greets PiBa-NL

Espen Johansen wrote on 28-9-2014 19:26:


If this is to be implemented it should be a tick box on each 
interface. Dropping all states if you want to move a cable/reroute it 
is not a good idea.
This needs to be user controllable or only affect the interface if 
is_interface_type=pppoe.


Just my 2 cents.

-lsf

On 28 Sep 2014 19:19, "Hannes Werner" wrote:


I would like to repeat Vassilis questions:

Has this been implemented? Could this be implemented? Do the pfsense
dev's need some more info? Can we help with testing?

On Sat, Sep 27, 2014 at 1:02 PM, Vassilis V. wrote:
> ADSL over PPPoE with constantly changing IPs is the standard in some
> countries, we do not have such connections because we chose them and we
> like the challenge..
>
> Reading again the whole bug report, there seems to be a lot of people
> affected by this and Tom De Coninck has made a lot of effort to figure
> out what might be the issue.
>
> In the last post of Tom, he comes to a very exact conclusion:
> "I think this proves that pfsense not only needs to kill states on 'WAN
> DOWN', but also on 'WAN UP'. I can't see how it could work otherwise"
>
> Has this been implemented? Could this be implemented? Do the pfsense
> dev's need some more info? Can we help with testing?
>
> Vassilis
>
>
> Hannes Werner wrote on 26.09.2014 22:53:
>> Thanks Vassilis,
>>
>> I've these settings already - without any success.
>>
>> On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V. wrote:
>>>
>>>
>>> Hannes Werner wrote on 26.09.2014 16:51:
>>>> thank you very much Giles, but unfortunately it doesn't help.
>>>>
>>>> anyone here who is using asterisk behind pfSense on a dynamic IP WAN
>>>> successfully?
>>>>
>>>
>>> Hello Hannes!
>>>
>>> I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
>>> same issues that the bug report is describing.
>>>
>>> I tried different ways to get it to work and I found that some solutions
>>> work with some providers, but fail at others. There seems to be a lot of
>>> black magic involved when configuring SIP to work in such a
>>> configuration :)
>>>
>>> What worked best was to set nat=no and externip=.
>>> I had also not done any port forwards whatsoever on pfsense, outgoing
>>> NAT was set to automatic.
>>>
>>> I certainly cannot explain why it was working that way!
>>>
>>>
>>> Hope it helps!
>>> Vassilis

Re: [pfSense] [Bulk] Re: Https proxy squid3 squidguard squid3 not working

2014-09-22 Thread PiBa

Hi Mohan,

I think it needs SNI forwarding from the client request to the squid 
request, which does not seem to be implemented in squid yet.

see: http://wiki.squid-cache.org/Features/SslPeekAndSplice

I think currently something like this is happening:
openssl s_client -connect gmail.com:443 | grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com

While when the proper SNI value is sent, a different 
certificate is returned:

openssl s_client -connect gmail.com:443 -servername gmail.com | grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com

That means google is using SNI to determine what certificate to send 
back, and squid is probably sending the wrong or no SNI extension in the 
request for a server-certificate.


Short of implementing those changes, getting them merged into a main 
branch and getting it released, there is no workaround.. There seems to 
be some work going on for that though.. If you can compile squid 
yourself on FreeBSD 8.3 you might be able to use that specific 
development branch.


My two cents,
PiBa-NL

Nicola Ferrari (#554252) wrote on 22-9-2014 8:24:
That's the correct behaviour: you're getting cert warnings because you 
are doing https filtering, so your pfsense needs to "inspect" https 
traffic: this is a sort of "man in the middle", so the browser detects 
that the source cert is varied in its CommonName field.


Usually I don't use https filtering. If I need to filter HTTPS for 
some reason, I simply work in a whitelisting configuration: https 
traffic is denied except for allowed domains.


N


On 19/09/2014 17:49, A Mohan Rao wrote:

Hello experts,

I'm struggling with HTTPS filtering. Does anybody have an idea how I should
configure it? All other sites are working well, but Google and some other
reputed sites give certificate errors. I already checked with IE, Firefox
and Chrome etc.
Same error.

Please give me an idea how I can resolve this problem.

Thanks
Mohan





Re: [pfSense] [Bulk] Added ntopng.pbi via command line, how do I add to webui?

2014-09-17 Thread PiBa

Hi Wade,

A set of binaries from a repository might be enough for a plain FreeBSD 
install. But that won't install the webgui components that are written 
and added specifically for pfSense.


To install a pfSense package including webgui integration use these:

 * Shell scripts to add and remove packages from the command line

pfSsh.php playback installpkg "Some Package"
pfSsh.php playback uninstallpkg "Some Package"
pfSsh.php playback listpkg

https://doc.pfsense.org/index.php/2.1_New_Features_and_Changes#SH.2FPHP_Shell_Scripts

Greets PiBa-NL


Wade Blackwell wrote on 18-9-2014 1:48:

Good afternoon all,
  I added ntopng to my platform via command line and restarted the 
webconfigurator. I was expecting to see the package show up under 
diagnostics, as it did on my other platform where I installed the 
package via the webui package installer, but it doesn't. Is there a way to 
add that? Searches on this topic have been inconclusive. Thanks, the 
install looked like this:


[2.1.5-RELEASE][r...@firewall.domain.com]/usr/local/pkg(21): pbi_add 
--no-checksig ntopng-1.1_1-amd64.pbi

Verifying Checksum...OK
Extracting to: /usr/pbi/ntopng-amd64
Adding group: redis
Adding user: redis
Installed: ntopng-1.1_1

-W

Wade Blackwell
Solutions Architect
(D) 805.457.8825
(C) 805.400.8485
(S) coc.wadeblackwell



Re: [pfSense] [Bulk] limiter per IP without listing IP individually

2014-09-12 Thread PiBa

Hi Greg,

With limiters you can put a mask, just make sure you put the correct 
source/destination address, you can view if it properly creates multiple 
limiter 'trackers' in diagnostics/limiterinfo. You need to make some 
traffic flow for that, and create a few rules that push traffic through 
the created limiter..


As written on the limiter config page:
"Mask
If 'source' or 'destination' slots is chosen, a dynamic pipe with the 
bandwidth, delay, packet loss and queue size given above will be created 
for each source/destination IP address encountered, respectively. This 
makes it possible to easily specify bandwidth limits per host."


Greets PiBa-NL

greg whynott wrote on 12-9-2014 17:07:

Hello,

I have a pfSense box with about 300 people behind it and 5 network 
segments.   The internet port is 100 megabits. I'd like to limit each 
IP to 5 megabits up/down.


There are a lot of references on how to do this per IP by listing each IP 
as a single host with limiters, but that would mean creating 100's of 
rules.


Is there a method to achieve the same results by listing a network and 
netmask and have it apply the limits to each unique LAN IP automatically?



thanks for your time,
greg






Re: [pfSense] [Bulk] Re: Another OPT1 routing question

2014-08-10 Thread PiBa
You wrote "I did correct the MAC address for OPT1," , please note that 
it is normally not needed to configure the MAC addresses of network cards 
inside the pfSense webgui (only sometimes if you want to avoid an ISP 
arp-cache update issue when changing hardware). Make sure to remove that 
setting if you still have it but want pfSense to use the same MACs 
that the (virtual) NICs really have. I suspect that this is now causing 
the 'duplicate' MAC on the pfSense interfaces.


Greets PiBa-NL

compdoc wrote on 10-8-2014 16:21:

em1 third MAC address (up) <-- shouldn't that be the second MAC address?


Are you saying two interfaces have the same mac address even after
reassignment? That's not right.





Re: [pfSense] [Bulk] Re: Web Server Load Balance

2014-08-06 Thread PiBa

Hi Satvinder,

You could try and put some 'outbound nat' rules on the interface that 
points to the server more or less like this: source:LAN destination:LAN 
translateIP:LAN-ip (assuming the server lives on the LAN..) it should 
nat requests to the IP of pfSense.. And allow replies to travel back the 
expected route..


That would however 'mask' the real client ip to that of pfSense.. (for 
those clients coming from the lan)


To find where traffic fails to arrive you could inspect traffic with 
'tcpdump' and check if Syn and SynAck packets travel the same proper 
routes, and are properly natted where applicable.



Another option could be found in a totally different direction.. You 
might want to look into the haproxy(-devel) package.. It needs an update 
though, it would be nice if one of the devs could make the 1.5.3 version 
available for pfSense 2.1 (maybe through using pfPorts' normal /haproxy/ 
folder? as the 2014Q2 branch in ports doesn't have that version.)..
That package is aimed at providing website load-balancing, and also has 
some nice options like sticky sessions based on cookies and/or other 
information.. It does however take a little more processing as both 
request and reply need to go through haproxy..


Greets PiBa-NL

Satvinder Singh wrote on 6-8-2014 19:44:

Hi,
I have tried having the Virtual Server on a different subnet and 
created rules in the firewall, but it still doesn't work. I have tried 
having all 3 (2 Nodes + Virtual Server) then creating a NAT for the 
virtual server but it still doesn't work, any help would be greatly 
appreciated.


Thanks
Satvinder Singh

Security Systems Engineer
satvinder.si...@nc4worldwide.com
804.744.9630 x273 direct
703.989.8030 cell
www.NC4worldwide.com



From: Vick Khera
Reply-To: pfSense Support and Discussion Mailing List
Date: Tuesday, July 29, 2014 at 11:49 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Web Server Load Balance


On Mon, Jul 28, 2014 at 11:53 AM, Satvinder Singh wrote:


Am I missing something?


The load balancer is sending the packets using the original IP.  Since 
all machines can directly connect to each other, the reply goes 
directly from VM1 to VM2 rather than back via the load balancer.


There's no way around this. If they were on different networks, it 
would either "just work" or you could get around it via adding a 
custom NAT rule to cause the original request to be rewritten to the 
load balancer's IP, and then it will work.



Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread PiBa
Please note that dns configuration options can add routes. (what 
gateway is configured behind the dns, if any?)


/* setup static routes for DNS servers. */
https://github.com/pfsense/pfsense/blob/master/etc/inc/system.inc#L159

Greets PiBa-NL

Espen Johansen wrote on 13-7-2014 0:44:

Other packages?
OpenVPN?

Please list all your installed packages and I'll have a look.
Or remove them one by one until the "automagic" route add stops.

You can always try to grep /* for the IP in question. But it might be 
part of a DB file for a pkg. It might not be plain text.

Can't help you remotely as I'm on vacation with flaky 3G mobile.



On Sun, Jul 13, 2014 at 12:37 AM, Stefan Maerz wrote:


No 3rd party routing installed.

-Stefan


On 7/12/2014 5:19 PM, Espen Johansen wrote:


Only thing I can think of is that a package with a separate
config file installs it. Do you have quagga/openbgp or any other
routing package running/installed?

On 12 July 2014 23:58, "Stefan Maerz" wrote:

Thanks again Espen. I can't find anything in
/cf/conf/config.xml related to this address *and* routing.
The  tag area is also empty like the
webconfiguration indicates.

more /cf/conf/config.xml | grep -n 10.144.1.8

outputs:

221: 10.144.1.8
385: 10.144.1.8
1055: 10.144.1.8
1059: 10.144.1.8
1061: 10.144.1.8

Line 385 is related to a DNS forwarder.

I could write an init script to kill the route, but it seems
it comes back every 20 minutes or so. And since I have no way
of knowing precisely when the route is re-enabled, I would
need to run a cronjob every second or so. And even that is
not a great solution -- I'd reinstall before that. I'd really
prefer a more elegant solution if possible.

Any other ideas? Am I searching for the wrong thing?

Best Regards,
-Stefan

On 7/12/2014 2:46 AM, Espen Johansen wrote:


You might take a look in the cf/conf/config.xml. If it
persists it should originate from there. Just do a search
for the IP.

On 12 July 2014 05:04, "Stefan Maerz" wrote:

A quick route del -host 10.144.1.8 and my network is
100% functional.

However, still one problem remains. The route del
command is not persistent when I reboot. How do I get
rid of it? System>Routing>Routes indicates that no
static routes are set up. Is there a routing
configuration file somewhere?





Re: [pfSense] pfsense openvpn Road Warrior

2014-03-19 Thread PiBa
Manually pushing routes from the advanced section is in general not 
needed if the 'local network(s)' is filled in in the WebGui.


Holger Bauer wrote on 19-3-2014 10:44:

Hi Mohan,

make sure you have appropriate rules under firewall>rules, openvpn tab 
to allow access. Also make sure your routing is working correctly. You 
might need to push some routes to the clients, depending on how your 
network is set up. You can do that on the openvpn-server settings at 
the very bottom (advanced configuration), for example add the 
following there:


push "route 192.168.1.0 255.255.255.0";push "route 192.168.2.0 
255.255.255.0"


Regards
Holger


2014-03-19 10:24 GMT+01:00 A Mohan Rao:


Hello Team,

Hello,
I have configured an OpenVPN road warrior setup; the client connects properly
from the outside internet network, but it is not able to access the server-end
network and servers.
Can anybody help me find where I did any wrong steps?

Thanks

Mohan


Re: [pfSense] pfsense openvpn Road Warrior

2014-03-19 Thread PiBa

On Windows Vista/7/8 Administrator permissions are required to add routes.
This either means running OpenVPNgui 'As Administrator', or using the 
'OpenVPNManager' program installed as a service that runs the actual 
openvpn process in the background. (there is a checkbox in the 
OpenVPNclientExporter for including the OpenVPNManager when downloading 
the complete 'setup.exe')
Adding the routes is still something the openvpn process itself needs to 
do though. If that 'sometimes' fails I don't know what could cause that..


rajan agarwal wrote on 19-3-2014 11:26:

Hi Bryan,

I also maintain a setup of a couple of hundred roadwarriors. One of 
the problems I constantly face is that the management interface which 
allows normal users to run openvpn in windows doesn't work 
sometimes (Failed to add routes error), causing the same problem as 
mohan. Is it because of some bug or something? I end up providing 
network configuration operators group membership then, which we sort of 
don't want to do.



On Wed, Mar 19, 2014 at 3:49 PM, Bryan D. wrote:


On 2014-Mar-19, at 2:24 AM, A Mohan Rao wrote:

> Hello Team,
>
> Hello,
> I have configured an OpenVPN road warrior setup; the client connects properly
> from the outside internet network, but it is not able to access the server-end
> network and servers.
> Can anybody help me find where I did any wrong steps?
>
> Thanks
>
> Mohan

I've been working on trying to document a fairly complete
pfSense/iOS IPSec/OpenVPN with iOS 7 VPN on-demand.  Though I
still have the on-demand stuff to write up, the rest of it's there
so some of it may be of use:

http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN

It's quite new, so feel free to let me know of any issues,
suggestions, etc.



Re: [pfSense] [Bulk] Re: Multiple static IPs from one ISP - Virtual IPs? - Trying this again

2014-03-03 Thread PiBa
To allow traffic to 'hit' pfSense services that are available on the WAN 
you don't need port forward rules.

Only creating firewall rules should suffice for that.

Only if you're running 2 machines for failover does it make sense to use CARP.

If you want to be able to ping pfSense or run services on pfSense itself 
that use the secondary IPs then make them 'IP-Alias'. Otherwise you 
might also give proxy-arp a try..


After that you can either use portforwards or 1on1 natting to make 
webservers and other devices reachable by those ip addresses. Which 
still also require firewall rules to allow traffic. (portforwards 
automatically create them if you allow it to, 1on1 does not..)


Greets PiBa

Bryan D. wrote on 3-3-2014 21:29:

Is the VIP CARP or IP Alias?

... according to the VIP capabilities chart, they're the only VIP kinds that 
can do ICMP:
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses?

Since we don't allow ping-response, I thought I'd test this theory.  All 3 of 
the following worked (LAN routing to internal system was previously setup):

- I first created a Port Forward rule to allow pfSense to respond to WAN pings:
WAN  ICMP  *  *  WAN address  *  127.0.0.1  *  WAN pings to pfSense

- Then I created a Port Forward rule to allow pfSense to respond to pings on 
one of the static VIP IPs:
WAN  ICMP  *  *  x.12  *  127.0.0.1  *  static VIP pings to pfSense

- Then I created a Port Forward rule to allow an internal system (which has a 
system-level firewall that's configured to respond to pings) to respond to the 
ping:
WAN  ICMP  *  *  x.13  *  x.206  *  static VIP pings to internal system


If that's not it, then someone else needs to chime in as you've exhausted my 
knowledge in this area.


On 2014-Mar-03, at 7:59 AM, Ryan Coleman wrote:


I’ve done this, but I won't route traffic out (NAT) until I have verifiable 
traffic coming in.

The x.2 IP simply will not ICMP ping from outside the network (and, yes, I have 
it allowed).



Re: [pfSense] Errors from packages that are no longer installed on pfsense

2014-02-20 Thread PiBa

Install "cron" package and remove the obsolete commands from there.

Howard Fleming wrote on 20-2-2014 20:32:

I am getting the following email alerts from my pfsense 2.1 box:

Subject: Cron  /usr/local/bin/vnstat -u

X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 

/usr/local/bin/vnstat: not found



Subject: Cron  /etc/ping_hosts.sh

X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 

/etc/ping_hosts.sh: not found



Subject: Cron  /usr/bin/nice -n20 newsyslog

X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 

nice: newsyslog: No such file or directory

These are the packages currently installed on the firewall:
arpwatch  2.1.a15_6 pkg v1.1.1
Backup 0.1.5
darkstat 3.0.71
Notes 0.2.4
OpenVPN Client Export Utility 1.2.4
Sarg 2.3.6_2 pkg v.0.6.3
snort 2.9.5.5 pkg v3.0.2
squid 2.7.9 pkg v.4.3.3
System Patches 1.0

Any suggestions on where in the pfsense system to clean up these 
errors?  Looks like they are "holdovers" from upgrading the system 
from an earlier version of pfsense.


Thanks,
Howard




Re: [pfSense] Restoring from XML prevents VM from booting

2014-02-05 Thread PiBa

Seems to me like this should never be possible from a config upload..

Is it possible for either of you to post the config file that causes 
this to happen? (preferably to the redmine bugtracker)
- Make sure to strip or change, with a text editor, all private information 
like passwords / IPs / certificate private keys and other stuff you 
don't want public, and double-check that nothing like that is left..
- Try again whether the crash still happens with the modified file, and post 
it to the list with the exact configuration options of the virtual machine.


Or another option to maybe find the cause of the trouble would be to not 
restore the whole configuration file at once, but only 'parts' of it, 
like only the interface configuration for example, to try and eliminate 
possible problem parts of the config file in question..


Any packages installed/configured? Not that packages in a config file 
should make this happen, but still interesting to know and eliminate 
possible causes..


Stefan Baur wrote on 5-2-2014 22:15:

On 05.02.2014 18:41, Brian Candler wrote:

This is a really strange behaviour, I wonder if anyone has seen anything
similar.

/me raises his hand



I've just been trying to replicate a production config in a VirtualBox
VM (vbox 4.3.6, OSX 10.9.1).

I'm using KVM on Debian Linux (Wheezy/7).



I can install pfsense fine, and manually set up a LAN IP address on
vboxnet0 so that I can get into the web and use Diagnostics >
Backup/Restore to upload an existing XML config. But then the VM refuses
to boot properly. It only gets as far as:

F1  pfSense

F6 PXE
Boot:  F1
|

and then hangs at that point (vertical bar, not spinning). This is
repeatable if I reinstall and re-restore the same XML config.

I was able to work around the problem by reinstalling, using scp to copy
/cf/conf/config.xml directly from another machine, and then reboot.

Same bug and same workaround here.



Any thoughts welcome :-)

Sorry, no solution, only a "you're not alone".

-Stefan


Re: [pfSense] Question on FW log entries

2013-11-03 Thread PiBa
This will probably answer that: 
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

PiBa-NL

Peder Rovelstad wrote on 3-11-2013 16:27:


Just a quick question for anyone who cares to reply, something I can't 
figure out.  I have the default "LAN -> Any" rule active on the LAN 
interface, but I often see block entries such as those attached, in 
this case from my kid's iPad to Google.  Other times I see blocks from 
internal hosts to servers like Akamai, for example.  If the "Any" rule 
is active, why would I see blocks?  Thanks for reading.


Peder


