Re: [pfSense] Host Overrides in Services/DNS Forwarder not working until manual restart of DNS Forwarder Service

2017-05-15 Thread Stefan Baur
Am 15.05.2017 um 03:29 schrieb Chris L:
> Maybe this:
> "Do not use 'local' as a domain name. It will cause local hosts running mDNS
> (avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS."

Nope, sorry, it's not that easy.  It fails *all* entries made in that
list, even if they're used to override valid external DNS names (e.g.
when I want somehost.example.com to resolve to a 192.168.x.x internally).

Judging from the logs, it seems that during startup, dnsmasq believes
/etc/hosts is empty - it states that it read 0 hosts from there.

I now have an ugly two-step workaround:
1) Install ShellCmd package.
2) Add a shellcmd entry 'pfSsh.php playback svc restart dnsmasq'.

After that, the log file states the correct number of hosts in /etc/hosts.

Could this be some kind of weird race condition, maybe?  'dnsmasq'
starting before the hosts from the XML are added to /etc/hosts?

Hmm - even weirder - first it reports the correct number, then it's down
to 0, then it reports the correct number again twice
(the 07:43:45 entries are triggered by the workaround listed above):

May 15 07:43:43 cora dnsmasq[17417]: started, version 2.76 cachesize 1
May 15 07:43:43 cora dnsmasq[17417]: compile time options: IPv6
GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset
auth DNSSEC loop-detect no-inotify
May 15 07:43:43 cora dnsmasq[17417]: reading /etc/resolv.conf
May 15 07:43:43 cora dnsmasq[17417]: ignoring nameserver 127.0.0.1 -
local interface
May 15 07:43:43 cora dnsmasq[17417]: using nameserver 192.168.0.1#53
May 15 07:43:43 cora dnsmasq[17417]: read /etc/hosts - 7 addresses
May 15 07:43:44 cora dnsmasq[17417]: read /etc/hosts - 0 addresses
May 15 07:43:44 cora dnsmasq[17417]: exiting on receipt of SIGTERM
May 15 07:43:45 cora dnsmasq[32840]: started, version 2.76 cachesize 1
May 15 07:43:45 cora dnsmasq[32840]: compile time options: IPv6
GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset
auth DNSSEC loop-detect no-inotify
May 15 07:43:45 cora dnsmasq[32840]: reading /etc/resolv.conf
May 15 07:43:45 cora dnsmasq[32840]: ignoring nameserver 127.0.0.1 -
local interface
May 15 07:43:45 cora dnsmasq[32840]: using nameserver 192.168.0.1#53
May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses
May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses

Kind Regards,
Stefan Baur
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
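As an added example that is not part of the post, here is a small Python checker for the pattern visible in that log: it groups the "read /etc/hosts - N addresses" lines by dnsmasq PID and flags a process whose count drops to zero after an earlier non-zero read, which is the symptom to watch for when host overrides silently return NXDOMAIN. The log lines embedded in it are a trimmed copy of the ones posted above.

```python
import re
from collections import defaultdict

# Constructed sample: the dnsmasq lines from the log excerpt in the post above
# (the wrapped "compile time options" lines are left out). The first process
# (17417) reads 7 addresses, then 0, then is restarted; the second (32840)
# reads 7 twice.
SAMPLE_LOG = """\
May 15 07:43:43 cora dnsmasq[17417]: started, version 2.76 cachesize 1
May 15 07:43:43 cora dnsmasq[17417]: reading /etc/resolv.conf
May 15 07:43:43 cora dnsmasq[17417]: using nameserver 192.168.0.1#53
May 15 07:43:43 cora dnsmasq[17417]: read /etc/hosts - 7 addresses
May 15 07:43:44 cora dnsmasq[17417]: read /etc/hosts - 0 addresses
May 15 07:43:44 cora dnsmasq[17417]: exiting on receipt of SIGTERM
May 15 07:43:45 cora dnsmasq[32840]: started, version 2.76 cachesize 1
May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses
May 15 07:43:45 cora dnsmasq[32840]: read /etc/hosts - 7 addresses
"""

# syslog prefix as written on pfSense: "Mon DD HH:MM:SS host dnsmasq[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
HOSTS_RE = re.compile(r"^read /etc/hosts - (?P<count>\d+) addresses$")


def parse_hosts_reads(log_text):
    """Group 'read /etc/hosts - N addresses' events by dnsmasq PID.

    Returns {pid: [(timestamp, count), ...]} in log order; PIDs appear in
    the order they were first seen, so the last key is the newest process.
    """
    reads = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h = HOSTS_RE.match(m.group("msg"))
        if h:
            reads[m.group("pid")].append((m.group("ts"), int(h.group("count"))))
    return dict(reads)


def find_hosts_regressions(log_text, expected_min=1):
    """Flag each point where a running dnsmasq re-read /etc/hosts and got
    fewer than expected_min addresses after an earlier read by the same
    process had reported at least expected_min.

    That is the "7 addresses, then 0 addresses" pattern in the post: the
    file was rewritten (or truncated) underneath the daemon, so the host
    overrides stop resolving until the next reload.
    """
    findings = []
    for pid, seq in parse_hosts_reads(log_text).items():
        high = 0
        for ts, count in seq:
            if count < expected_min <= high:
                findings.append({"pid": pid, "ts": ts, "before": high, "after": count})
            high = max(high, count)
    return findings


def last_hosts_count(log_text):
    """Address count from the most recent read by the most recently started
    dnsmasq process, i.e. what the daemon currently answers from.
    Returns None when the log has no hosts-file reads at all."""
    reads = parse_hosts_reads(log_text)
    if not reads:
        return None
    newest_pid = list(reads)[-1]
    return reads[newest_pid][-1][1]


def hosts_overrides_loaded(log_text, expected):
    """True when the running daemon's last read saw at least `expected`
    addresses, i.e. the host overrides pfSense wrote are actually loaded."""
    count = last_hosts_count(log_text)
    return count is not None and count >= expected


if __name__ == "__main__":
    for f in find_hosts_regressions(SAMPLE_LOG):
        print("pid %(pid)s at %(ts)s: /etc/hosts went from %(before)d "
              "to %(after)d addresses" % f)
    print("running daemon serves", last_hosts_count(SAMPLE_LOG), "addresses")
```

Feed it the dnsmasq lines from the pfSense system log (or a syslog export) and compare `last_hosts_count` with the number of host overrides you configured.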

[pfSense] Host Overrides in Services/DNS Forwarder not working until manual restart of DNS Forwarder Service

2017-05-13 Thread Stefan Baur
Hi,

I'm seeing this on 2.3.3-RELEASE and 2.3.4-RELEASE, not sure if older
versions are affected as well.

I have multiple entries in the Services/DNS Forwarder/Host Overrides
section, all looking similar to this one:

|wpad|office.local|192.168.2.3|Microsoft Proxy Autoconfiguration|

When I attach a Client computer to any of the downstream interfaces of
this pfSense installation (it has two), I get:

nslookup wpad.office.local
Server: 192.168.134.1
Address:192.168.134.1#53

** server can't find wpad.office.local: NXDOMAIN

(192.168.134.1 is the pfSense IP on that network)

As soon as I log in to the pfSense WebGUI, go to Services/DNS Forwarder,
and hit the "circle arrow" that says "Restart Service", DNS lookups from
the clients start to work.

Upstream DNS resolving is not affected, though - trying

nslookup www.google.com

will give the correct result from the start.

This somehow doesn't look right.

Any insights? Bug in pfSense or misconfiguration on my side?

Kind Regards,
Stefan Baur


[pfSense] [OT] Re: serial port sadness

2015-02-27 Thread Stefan Baur
Am 27.02.2015 um 23:24 schrieb Sean:
> Although... you reminded me of a good story.  Once upon a time I worked
> for this startup company trying to develop a device that was programmed
> over serial.
> Some argument between owner and guy who did original dev work left us
> with a device and a crappy 16 bit dos executable to reverse engineer.
> Called a genius friend of mine and we actually rigged up a serial cable
> with two heads and many twisted wires and electrical tape that allowed
> us to sniff the data traversing it.
> So we figured out the entire command set of the device and were able to
> write a better app...

Well, if we're already sharing war stories, this is how you flash a
Netgear router for your co-worker, when he bought the wrongly-gendered
cable and lunch break wasn't long enough to return to the store:


http://sneakpreview.stefanbaur.de/bilder/computer/routerflash.jpg

For some silly reason, the standard diameter of a regular paper clip is
specc'ed to be the same as the pins on a DB-9 connector.

Living in a 3-D world has its advantages.

-Stefan
PS: 9k6, 8N1.  Wouldn't connect at 14k4 or above.  But was sufficient to
re-flash.


Re: [pfSense] OpenVPN Non-admin users.

2014-12-01 Thread Stefan Baur
Am 01.12.2014 um 21:37 schrieb Karl Fife:
> I'd like to poll how others have dealt with the issue of non-admin
> Windows users running OpenVPN (TUN) for remote access.
>
> If you recall, non-admin users don't have the privilege of inserting
> routes, so even though the tunnel is established, it won't be used
> without an explicit route.

http://openvpn-mi-gui.inside-security.de/

-Stefan

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread Stefan Baur
Am 23.09.2014 um 20:56 schrieb Chris Bagnall:
> Be careful which model you get. Some of the newer/cheaper ones that have
> been sold as 'managed' recently don't have a web interface. They have
> some horrible management application that uses Adobe Air, only works on
> Windows, only communicates with switches on the same broadcast domain
> (so useless for any sort of routed environment) and is generally rubbish.

... and broadcasts the password in plain text. No kidding.

If you have a Windows machine where you can install the admin tool, and
you don't have to access the management interface while other devices
are plugged in (i.e. you're planning a static VLAN setup and an
interruption of service to reprogram the switch is okay for you), then
you can buy those, too.  Just beware of these ugly limitations.

The five-port model (GS105E) is nice as long as you can deal with the
limitations. Gigabit, compact form factor, nice to have in your admin
laptop bag, for example. There are even mods to run it from a battery pack.

-Stefan


Re: [pfSense] Returned mail: Data format error

2014-09-08 Thread Stefan Baur
Am 08.09.2014 um 14:45 schrieb Bob Gustafson:
> Is anyone else on this list getting bounce notices?

That's no bounce notice, that's just another lame attempt at getting you
to open an infected attachment. Darn spammers.

-Stefan



[pfSense] OpenVPN not working any more after Upgrade to 2.1.4-RELEASE

2014-08-05 Thread Stefan Baur
Hi List,

my OpenVPN doesn't work any more. The OpenVPN log file on the server says:

Aug 5 14:46:53  openvpn[32895]: Exiting due to fatal error
Aug 5 14:46:53  openvpn[32895]: Cannot load certificate file
/var/etc/openvpn/server2.cert: error:0906D06C:PEM
routines:PEM_read_bio:no start line: error:140AD009:SSL
routines:SSL_CTX_use_certificate_file:PEM lib
Aug 5 14:46:52  openvpn[32895]: NOTE: the current --script-security
setting may allow this configuration to call user-defined scripts
Aug 5 14:46:51  openvpn[32895]: OpenVPN 2.3.2 i386-portbld-freebsd8.3
[SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 27 2014

The root cause seems to be that my Certificate Authority has disappeared
from System > Cert Manager > CAs.

Attempting to paste the data from an old backup returns:

"The following input errors were detected: This certificate does not
appear to be valid."

Do I have to re-create my CA and re-issue all certificates?
Or how do I fix this?

Kind Regards,
Stefan


Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Stefan Baur
Am 30.07.2014 um 16:43 schrieb Vick Khera:
> On Wed, Jul 30, 2014 at 9:50 AM, Paul Mather p...@gromit.dlib.vt.edu wrote:
>> Personally, I think ZFS on i386 has become a losing proposition as of
>> late.  I ran a ZFS-on-root FreeBSD/i386 10-STABLE system with 2 GB of
>> RAM and it appeared to become very flaky with ZFS in its latter months
>> (I eventually switched it out for a FreeBSD/amd64 system).
>
> I cannot fathom a sensible use case for using ZFS on pfSense at all.

I'm not consciously using ZFS for anything on pfSense, I *think* I
performed the default install, but it could be using ntfs or vfat for
all that I care. ;-) So I don't know why it's trying to use that - is it
normal for a default pfSense install or not?

I just saw the warning message and was wondering what to do about it.

-Stefan


Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Stefan Baur
Am 30.07.2014 um 22:09 schrieb Espen Johansen:
> ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to
> things like silent data corruption (disk FW bugs, power spikes). It has
> on-the-fly checking and repair. Copy on write, snapshotting, NFSv4 native
> ACLs and a few more nice things. I don't understand the bashing?

This is a firewall, not a fileserver, where such features do indeed make
sense.  And no bashing, just saying I don't care what filesystem
pfSense uses under the hood, as long as it works.  The fact that it
spits out a warning seems to indicate that it does not work and there's
something wrong, so I came here to ask.

-Stefan



Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Stefan Baur
Am 30.07.2014 um 23:34 schrieb Jim Thompson:
> tl;dr:  I wouldn't run ZFS... yet.
>
> I didn't see the error message, you're barking up a tree attempting to use it
> right now.

Again, I don't care what FS pfSense uses under the hood as long as it
works.  I didn't make a conscious decision to install/run ZFS, I firmly
believe I picked the default options during the pfSense install and now
I'm seeing this warning.  I don't insist on using ZFS at all.  If I can
and should get rid of ZFS to get rid of the warning, just tell me how.

-Stefan

Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Stefan Baur
Am 30.07.2014 um 23:47 schrieb Jim Thompson:

JT> no pfSense we produce has an installer that will make a zfs filesystem.
JT>
JT> Try again?

Well, mount doesn't show any mounted zfs filesystems (only ufs, devfs,
and msdosfs - the latter's where the config file is stored) which makes
this error message even more confusing - or actually, made it more
confusing until Adam Thompson's message, which just cleared things up:

AT> Stefan: just ignore the message.
AT> It's there because ZFS is in the pfSense kernel, even though it
AT> isn't used today.
AT> If you don't mount any ZFS file systems, and you don't tweak any of
AT> the values, all it does is use up a bit of memory.
AT> -Adam

So, I guess the issue is a non-issue.

-Stefan


Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-11 Thread Stefan Baur
Am 10.07.2014 16:57, schrieb Jim Pingle:

>> (I'm kinda curious whether no one uses e-mail notifications in
>> combination with DynDNS, or why I'm the first to notice/complain. I
>> can't really imagine an "everything OK" e-mail being a desired feature
>> for DynDNS updates, given their frequency.)
>
> It was put in due to demand. People wanted to be alerted when their IP
> address changed. For most it's a fairly infrequent event.

Over here, DSL has dynamic IPs, changing with every reconnect and at
least every 24 hours (forced dis- and reconnect by the provider).
Multiply that with 40 pfSense installations, some of them on flaky DSL
lines that reconnect more than once a day, and you can figure out why
I'm currently not a friend of this feature. ;-)

Thank you for explaining how I can disable it on my own.

Regarding the feature request, I'll see if I can make do with an
earlyshellcmd in my config files to disable that again upon each
upgrade. If it starts bothering me too much, or if I get around to it,
I'll look through the bugtracker and file a feature request if there
isn't one already.

Again, thanks for your help and your professional, helpful attitude in
your replies. :-)

-Stefan


[pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-10 Thread Stefan Baur
[I had already posted a similar message on 2014-06-27, but as it didn't
get any replies, I'm trying again, slightly rephrased]

Hi,

since upgrading to 2.1.3-RELEASE and enabling e-mail notifications under
System: Advanced: Notifications, I'm receiving an e-mail whenever the
DynDNS update script (Services: Dynamic DNS client) triggers an update.

I *do* want e-mail notifications, just not for such mundane things, only
when stuff breaks.

So how do I configure that?

-Stefan


Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-10 Thread Stefan Baur
Am 10.07.2014 14:05, schrieb Ryan Coleman:
> I am not sure that's how Dyn works?
> As far as I understand it Dyn gets a request and it looks at the originating
> IP address, then makes the change.

It's supposed to update the DNS entry, yes, but I don't want to receive
an e-mail notification for each successful update, that's what I'm
looking to configure.

I don't want to disable e-mail notifications in general, to make sure I
do get notified when critical stuff happens.

-Stefan


Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-10 Thread Stefan Baur
Am 10.07.2014 14:16, schrieb Giles Coochey:
> On 10/07/2014 13:05, Ryan Coleman wrote:
>> I am not sure that's how Dyn works?
>> As far as I understand it Dyn gets a request and it looks at the
>> originating IP address, then makes the change.
>
> I believe that it is possible to send DynDNS updates to IPs other than
> that of the originating IP, I recall I have done that in the past with
> the dyndns client (ddclient) script. If you don't specify a specific
> IP, it defaults to the origin source.

Yes, but that's not the question. The question is how do I
Enable/Disable e-mail notifications for "DynDNS update successful",
without disabling e-mail notifications in general?

After all, I *do* want to get notified when stuff breaks. I don't need
notifications for "everything is going well".

-Stefan


Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-10 Thread Stefan Baur
Am 10.07.2014 14:34, schrieb Ryan Coleman:
> What I am saying it Dyn is the one that controls if it is updated or not.

That's really not the point. The point is that I'm receiving alert
e-mails from *my pfSense installation*. Not from Dyn.

And the message of the alert is "DynDNS updated IP Address on WAN (em0)
to xxx.xxx.xxx.xxx."

It's perfectly fine that DynDNS performed the update. I do want it to do
that, and that works perfectly. No error or problem here, no complaint.

I just don't want to receive an alert e-mail for "things are going well".

It *should* email me when things break, so "turn all notifications off"
is not an option.

-Stefan


Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-10 Thread Stefan Baur
Am 10.07.2014 15:15, schrieb Jim Pingle:
> On 7/10/2014 4:27 AM, Stefan Baur wrote:
>> since upgrading to 2.1.3-RELEASE and enabling e-mail notifications under
>> System: Advanced: Notifications, I'm receiving an e-mail whenever the
>> DynDNS update script (Services: Dynamic DNS client) triggers an update.
>>
>> I *do* want e-mail notifications, just not for such mundane things, only
>> when stuff breaks.
>>
>> So how do I configure that?
>
> There is no way to selectively disable that notification at this time.
>
> If you don't mind a simple source edit, you can disable the notification
> by removing or commenting out etc/inc/dyndns.class line 1027 (on 2.1.3)
> it should start with notify_all_remote

Thank you.  I just checked, it actually appears twice, once for IPv4 and
once for IPv6 (7 lines below the first occurrence), so I'm going to
comment out both.

(I'm kinda curious whether no one uses e-mail notifications in
combination with DynDNS, or why I'm the first to notice/complain. I
can't really imagine an "everything OK" e-mail being a desired feature
for DynDNS updates, given their frequency.)

Is there any chance of getting this disabled or made configurable via
WebGUI checkbox in one of the next few releases?  Should I file a
bug/feature request?

-Stefan


Re: [pfSense] How to Enable/Disable DynDNS update e-mail notifiations?

2014-07-10 Thread Stefan Baur
Am 10.07.2014 16:52, schrieb Peder Rovelstad:
> Just saying, but I get one email a month; my WAN on Comcast DHCP.  But if I
> did get a change, I think I'd want to know.  One more email is the least of
> my problems, lol.

Over here, DSL has dynamic IPs, changing with every reconnect and at
least every 24 hours (forced dis- and reconnect by the provider).
Multiply that with 40 pfSense installations, some of them on flaky DSL
lines that reconnect more than once a day, and you can figure out why
I'm currently not a friend of this feature. ;-)

Thanks to Jim Pingle, I now know how to turn it off.

-Stefan


[pfSense] How do I set what gets reported by mail and what doesn't?

2014-06-27 Thread Stefan Baur
Hi,

one of my pfSenses just surprised me with an e-mail message

Subject: hostname - Notification
DynDNS updated IP Address on WAN (em0) to XXX.XXX.XXX.XXX

This is on 2.1.3-RELEASE.

I do want e-mail notifications, just not for such mundane things, only
when stuff breaks.

So how do I configure that?

-Stefan


Re: [pfSense] skype 29 minute fail

2014-06-16 Thread Stefan Baur
Am 16.06.2014 22:50, schrieb Vick Khera:
> FWIW I just did a call with the firewall set to conservative state
> management. Still 29 minutes until voice quality fail.

I'm anything but a Skype expert, but have you tried blocking your Skype
installs from becoming supernodes?

On Windows:
HKEY_LOCAL_MACHINE\Software\Policies\Skype\Phone, DisableSupernode,
REG_DWORD = 1

-Stefan


[pfSense] Please update the pfSense Wiki with the attached note

2014-06-11 Thread Stefan Baur
Hi Jim (or anyone with editing rights on the Wiki):

Could you please update

https://doc.pfsense.org/index.php/VirtIO_Driver_Support

by adding a note at the bottom of the "Loading Kernel Modules" section:

With the current (2014-06-11) state of virtio network drivers in
FreeBSD, it is necessary to check the "Disable hardware checksum
offload" box on /system_advanced_network.php '''and to manually reboot
pfSense after saving the setting, even though there is no prompt telling
you to do so''' if you want to be able to reach systems (at least other
VM guests, not sure if it also affects real hardware) protected by
pfSense directly from the VM host.
The whole issue seems to be related to
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059

-Stefan


[pfSense] Display error, 2.1.3-RELEASE-i386, network device names on CLI

2014-06-10 Thread Stefan Baur
Dear pfSense maintainers,

I decided to give the KVM/virtio support in pfsense 2.1.3-RELEASE-i386 a
spin. Looks good so far, but there's a display error when the machine
boots and tries to load the config file.

Obviously, pfSense is confused as the network device names don't match
the saved values, and shows the prompt asking for assignment of network
device names to WAN/LAN/OPT. That's to be expected, no problem so far.

But it seems that whoever came up with that prompt didn't expect device
names to be that long.

This is why they were displayed as

vtnet000:DE:AD:BE:EF:00
vtnet100:DE:AD:BE:EF:01
vtnet200:DE:AD:BE:EF:02

when it actually should read

vtnet0 00:DE:AD:BE:EF:00
vtnet1 00:DE:AD:BE:EF:01
vtnet2 00:DE:AD:BE:EF:02

Do you think you could fix that in one of the upcoming releases?

-Stefan


[pfSense] Weird routing issue with pfSense-2.1.3-RELEASE-i386, Debian Wheezy, kvm and virtio

2014-06-10 Thread Stefan Baur
Hi everyone,

I am running a Debian Wheezy host with the following setup:

bridge br0 - 192.168.133.100 - contains:
1) physical LAN interface of Host
2) virtual LAN interface of pfSense guest - 192.168.133.1

bridge br1 - 192.168.0.41 (DHCP) - contains:
1) physical WAN interface of Host
2) virtual WAN interface of pfSense guest - 192.168.0.197 (DHCP)

bridge br2 - no IP - contains:
1) virtual DMZ interface of pfSense guest - 172.16.0.2
2) virtual DMZ interface of a Debian Wheezy guest - 172.16.0.110

The system is set up in a way that once the network is configured and
up, a route is added to br0:

route add -net 172.16.0.0/12 gw 192.168.133.1

This works all fine and dandy as long as I'm not using virtio:

*** Welcome to pfSense 2.1.3-RELEASE-pfSense (i386) on cora ***

 LAN (lan)   - em1- v4: 192.168.133.1/24
 WAN (wan)   - em0- v4/DHCP4: 192.168.0.197/24
 DMZ (opt1)  - em2- v4: 172.16.0.2/12
[...]

I can connect from any client on the LAN to 192.168.133.1 as well as
from the host (192.168.133.100) itself.
I can also connect from any client on the LAN to 172.16.0.110 (due to
192.168.133.1 being set as the default gateway on the clients) as well
as from the host (192.168.133.100) itself (due to the added route).

Also, traffic between LAN, WAN and DMZ works just as expected per the
rules set in pfSense.

Now, as soon as I change everything to use virtio, following the
guidelines on https://doc.pfsense.org/index.php/VirtIO_Driver_Support
and making the corresponding changes in the guest config file on the
host (/etc/libvirt/qemu/pfsense.xml), things look like this:

*** Welcome to pfSense 2.1.3-RELEASE-pfSense (i386) on cora ***

 LAN (lan)   - vtnet1 - v4: 192.168.133.1/24
 WAN (wan)   - vtnet0 - v4/DHCP4: 192.168.0.197/24
 DMZ (opt1)  - vtnet2 - v4: 172.16.0.2/12

I can connect from any client on the LAN to 192.168.133.1 as well as
from the host (192.168.133.100) itself.

I can also connect from any client on the LAN to 172.16.0.110 (due to
192.168.133.1 being set as the default gateway on the clients).

BUT: I cannot connect to 172.16.0.110 from the host (192.168.133.100)
itself any more.
As soon as I delete the route and manually assign 172.168.0.111 to
bridge br2 of the host, I can connect to 172.16.0.110 again. Obviously,
that's not what I want to do in production - it was just an attempt to
debug the issue.

Still, the remaining traffic between LAN, WAN and DMZ works just as
expected per the rules set in pfSense.

Any ideas as to what might be wrong? Is it a pfSense issue, a Debian
Linux issue, a kvm issue, a virtio issue?

If you need more info to debug this, just let me know.

After changing the config from non-virtio to virtio, I rebooted the
entire host, to be sure that there's no spanning tree/MAC address
detection issue or something like that. Still, the result is as
described above.
It is also repeatable - fall back to the old config, everything works,
switch to the new one, issue as described above appears.

-Stefan


Re: [pfSense] Weird routing issue with pfSense-2.1.3-RELEASE-i386, Debian Wheezy, kvm and virtio

2014-06-10 Thread Stefan Baur
Am 10.06.2014 22:52, schrieb Karsten Gorling:
> * Stefan Baur newsgroups.ma...@stefanbaur.de [140610 17:59]:
>> This works all fine and dandy as long as I'm not using virtio:
>
> I had the same Problem. Essentially the VirtIO Network Drivers of
> FreeBSD are broken, you have to use another virtual Network Card.
> https://groups.google.com/forum/#!msg/mailing.freebsd.bugs/gw42Il1AX0o/3zj-gnRKgHIJ

Browsing through the pfSense forum and the FreeBSD Bugtracker, I found
that checking the "Disable hardware checksum offload" box on
/system_advanced_network.php *and manually rebooting after saving*
solved the problem for me. Haven't done any performance comparisons yet,
though.

Maybe you want to try the same? Again, it seems to be important to
reboot pfSense manually after the change - there's no prompt telling you
you should (all it says is "The changes have been applied
successfully." - but they don't come to life until you reboot).

-Stefan



Re: [pfSense] Restoring from XML prevents VM from booting [SOLVED]

2014-06-08 Thread Stefan Baur
Am 06.02.2014 18:43, schrieb Brian Candler:
> I find that the one restored
> via web interface has:
>
> * an extra file /boot.config containing "-D"
> * extra settings in /boot/loader.conf
>
> boot_multicons="YES"
> boot_serial="YES"
> comconsole_speed="115200"
> console="comconsole,vidconsole"
> So these parameters are added blindly regardless of whether they were
> set before, is that what you're saying? If so, that sounds like a nasty
> bug to me.
> Not exactly blindly: the boot config is overwritten based on what's in
> the XML. See setup_serial_port() in /etc/inc/pfsense-utils.inc
>
> $fd = fopen($boot_config_file, "w");
> ...
> if(isset($config['system']['enableserial'])) {
> fwrite($fd, "-D");
> }
> ...
> if(isset($config['system']['enableserial'])) {
> $new_boot_config[] =
> 'boot_multicons="YES"';
> $new_boot_config[] = 'boot_serial="YES"';
> $new_boot_config[] =
> 'comconsole_speed="' . $serialspeed . '"';
> $new_boot_config[] =
> 'console="comconsole,vidconsole"';

I finally had some spare time to re-visit this issue.
Turns out my config file did contain the enableserial parameter -
$DEITY knows why, because I never ran the system via serial console, in
fact, it never had one to begin with (virtual machine).

So, for everyone that doesn't understand PHP well enough to figure out
what the code snippet quoted by Brian above does ... this is what you
need to do if you want to get rid of the issue:

1) Change to the directory where your config.xml resides

2) run one of the two following commands:

# clean way of handling XML, with backup copies of config files
# requires xmlstarlet present (not the case on default pfSense install)
xmlstarlet ed -d /pfsense/system/enableserial config.xml > config.new \
  && cp config.xml config.old && cp config.new config.xml

# quick and dirty way operating in-place, works on default pfSense
sed -i -e '/enableserial/d' config.xml

3) if you did this in your live pfSense system, run
rm /tmp/config.cache ; /etc/rc.reload_all

Do this before triggering the upgrade process and you should be safe.

-Stefan
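As an added example (not part of the post), here is the same edit done on the XML tree rather than by line matching: sed '/enableserial/d' removes every line containing that string wherever it sits, and on FreeBSD's sed the -i flag takes a mandatory backup suffix, so '-i -e' leaves a config.xml-e behind. The script assumes a pfSense-style config.xml with the flag at /pfsense/system/enableserial; the sample document inside it is constructed.

```python
import os
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for a pfSense config.xml: only the bits this
# example touches. A real file carries many more sections under <pfsense>.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>cora</hostname>
    <domain>example.com</domain>
    <enableserial/>
    <serialspeed>115200</serialspeed>
  </system>
  <interfaces>
    <wan><if>em0</if></wan>
  </interfaces>
</pfsense>
"""

XML_DECL = '<?xml version="1.0"?>\n'


def has_enableserial(xml_text):
    """True if /pfsense/system/enableserial is present. Its mere presence is
    what setup_serial_port() tests with isset(), so an empty <enableserial/>
    is enough to switch the serial console on."""
    root = ET.fromstring(xml_text)
    return root.find("system/enableserial") is not None


def strip_enableserial(xml_text):
    """Remove every /pfsense/system/enableserial element.

    Works on the parsed tree, so the string 'enableserial' anywhere else
    (another element, a description) is left alone, unlike sed '/enableserial/d'.
    The document is re-serialised: equivalent XML, but not byte-identical
    (CDATA sections come back as escaped text, comments are dropped).
    Returns (new_xml_text, number_removed).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "pfsense":
        raise ValueError("not a pfSense config.xml: root element is <%s>" % root.tag)
    removed = 0
    system = root.find("system")
    if system is not None:
        for el in system.findall("enableserial"):
            system.remove(el)
            removed += 1
    # ElementTree drops the XML declaration on serialisation; put it back.
    return XML_DECL + ET.tostring(root, encoding="unicode"), removed


def fix_config_file(path):
    """Rewrite `path` without enableserial, keeping a copy as `path`.old.
    Returns the number of elements removed (0 means the file was untouched)."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_text, removed = strip_enableserial(original)
    if removed == 0:
        return 0
    shutil.copy2(path, path + ".old")  # same as "cp config.xml config.old" above
    tmp = path + ".new"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.replace(tmp, path)  # atomic swap: never leaves a half-written config.xml
    return removed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "config.xml"
    n = fix_config_file(target)
    print("removed %d enableserial element(s) from %s" % (n, target))
    if n:
        print("on a live box, now run: rm /tmp/config.cache ; /etc/rc.reload_all")
```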


[pfSense] [OT] Re: vmware

2014-05-28 Thread Stefan Baur
Am 28.05.2014 17:36, schrieb Adam Thompson:

> Do yourself a favor, then, and don't use VMware on it. That's akin to
> deliberately installing a Windows 2000 domain controller today...

<Michael Caine voice>
Some people ... just want to see the fans churn!
</Michael Caine voice>

SCNR, Stefan


Re: [pfSense] My son is able to bypass my captivate portal

2014-05-11 Thread Stefan Baur
Am 11.05.2014 21:28, schrieb Ryan Coleman:

> The simple solution is to block all outbound DNS at the firewall, but
> this can also break things (like some Google and Apple devices).
> Even broken devices usually have a fallback mode, but be careful of
> what breaks when you do this!
>
> Correct. Using this feature will break any client with a hard-defined
> DNS - as we found out in testing at the bar.

(Guys, could we please use proper quoting etiquette instead of
full-quoting and alternating top- and bottom-posting?)

I've never tried this in combination with a captive portal, but how
about redirecting *:53 to the pfsense DNS with a NAT rule that listens
on LAN instead of WAN?
Would that break the captive portal setup?

-Stefan


Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Stefan Baur
Am 22.04.2014 14:19, schrieb Vick Khera:
> I disagree that is a sufficient condition, unless you restrict this
> statement to hme interfaces.

From his previous posts, I think it's pretty obvious that that is what
he meant. :-)

-Stefan


Re: [pfSense] Interface options for pfsense

2014-04-21 Thread Stefan Baur
Am 21.04.2014 02:13, schrieb Volker Kuhlmann:

> There is no 'doze in the house and on no account will I add a
> Billy-dependency to my infrastructure. Any manufacturer too stupid to make
> their stuff controllable by open source software can sell elsewhere.
> Period.

Well, there is http://sourceforge.net/projects/linnetx/ - but I don't
know how well that works.

-Stefan


Re: [pfSense] Interface options for pfsense

2014-04-20 Thread Stefan Baur
Am 21.04.2014 00:32, schrieb Volker Kuhlmann:
> The frequently recommended option of using VLANs may look good for
> larger commercial networks, but just buying a VLAN capable switch costs
> more than a suitable pfsense box and brings the power budget of the
> combination to the same level as a scrapped PC - with the latter winning
> hands down on cost.

Um, no. While they're a PITA to configure (you need a Windows PC with
Adobe Air), Netgear's GS105E are dirt cheap, fanless,
5-Port-1-Gig-VLAN-capable switches. Sales price here in Germany is below
30 EUR including VAT.

I heard the 8-port model GS108E is actually easier to configure (Web GUI
instead of Adobe-Air-based proprietary tool), but I can't claim personal
experience with that, so don't take my word for it, but ask someone who
actually configured it.

-Stefan


Re: [pfSense] Blast from the past: pfSense 1.2 / ALIX / VLANs

2014-03-24 Thread Stefan Baur
Am 24.03.2014 14:18, schrieb Chris Bagnall:
> However, the new tenant found that performance was erratic - certain
> websites loaded instantly, but others wouldn't load at all. This
> normally screams classic MTU problems, in my experience, but I normally
> see these on weird WAN connections, not on the LAN.
>
> Does anyone know if there are/were 'problems' with 1.2 and VLAN MTUs on
> ALIX platforms (ethernet driver 'vr'), and whether an update to 1.3
> might fix it? This is old hardware with only 128MB RAM, so jumping to
> 2.x is optimistic.
>
> The site in question is a couple of hundred miles away from me, so 'try
> it and see' isn't really an option in this case. :-)

While I do have to admit that I don't have experience with the
particular ethernet driver you mention, I know that there are several
Unix Operating Systems where not all ethernet drivers are capable of
dealing with the added bytes that a VLAN tag brings with it.

IIRC, VLAN needs four bytes, so instead of upgrading to 1.3 you could
first try to set the MTU to 1496 instead of the usual 1500.

-Stefan


[pfSense] http://pfsense.org/ip.php and wget

2014-03-19 Thread Stefan Baur
Hi List,

is there a particular reason why wgetting http://pfsense.org/ip.php
gives a blank result? Works just fine when using a regular GUI browser
like Firefox, but not on the command line with wget.

-Stefan


Re: [pfSense] http://pfsense.org/ip.php and wget

2014-03-19 Thread Stefan Baur
On 19.03.2014 10:09, Stefan Baur wrote:
> Hi List,
>
> is there a particular reason why wgetting http://pfsense.org/ip.php
> gives a blank result? Works just fine when using a regular GUI browser
> like Firefox, but not on the command line with wget.

Oh. I just noticed it's redirecting to https, and wget throws this error:

ERROR: The certificate of `www.pfsense.org' is not trusted.

What do I have to install to make it work?
I do have the ca-certificates bundle installed, but it seems you're
requiring something else?

-Stefan


Re: [pfSense] http://pfsense.org/ip.php and wget

2014-03-19 Thread Stefan Baur
On 19.03.2014 10:18, A Mohan Rao wrote:
> Hello,
> I have configured OpenVPN road warrior; the client is properly connected
> from the outside internet network,
> but it is not able to access the server end network and servers.
> Can anybody give any help on where I did any wrong steps?

This has nothing to do with my original question, to which you posted
this as a reply. Please open a new thread with an appropriate subject
(by sending a new E-Mail to list@lists.pfsense.org, instead of hitting
reply), rather than hijacking someone else's unrelated thread. Thank
you. :-)

-Stefan


Re: [pfSense] http://pfsense.org/ip.php and wget

2014-03-19 Thread Stefan Baur
On 19.03.2014 10:51, Brian Candler wrote:
> That's a problem I can replicate with Debian Wheezy. I find that
>
> openssl s_client -CApath /etc/ssl/certs -connect pfsense.org:443
>
> is happy, so my guess is it's a problem with wget 1.13.4 - maybe it doesn't
> do SNI. In that case, the solution is to change to a less broken client

Indeed, that seems to be the problem. Thanks for pointing that out and
providing a workaround.

-Stefan


Re: [pfSense] http://pfsense.org/ip.php and wget

2014-03-19 Thread Stefan Baur
On 19.03.2014 21:11, jungleboogie0 wrote:

> Just curious why you would not use curl.

Using it now, as per Brian's suggestion.

> IS your objective to get your
> current IP address?

Yes, on a machine that has no GUI, only a command line.

-Stefan


Re: [pfSense] http://pfsense.org/ip.php and wget

2014-03-19 Thread Stefan Baur
On 19.03.2014 22:35, Chris Buechler wrote:
> Oh you're one of those people that's hammering us with wget requests
> to ip.php. :p Was curious why people would be hitting it like that.
> There are a few hundred IPs that query it once a minute or so.

Um, nope. Requests get sent out once a day, when the machines reboot.
Most of them around 1:00-1:15am CE(S)T (and with a random delay, so
they don't do it at the same time). Aside from that, it only triggers
upon a manual reboot.

Right now we're talking 3 or 4 machines, once the update propagates
(during the next few weeks, I hope), it should be around 40.

Of course, if your system can't take that load, let me know and we'll
switch to the dyndns checkip url or something else.

-Stefan


Re: [pfSense] Restoring from XML prevents VM from booting [SOLVED]

2014-02-06 Thread Stefan Baur
On 06.02.2014 13:10, Brian Candler wrote:
> On 05/02/2014 17:47, Espen Johansen wrote:
>> Might be that serial redirection makes it show nothing.
> Yes, the serial port was the problem - thank you!

Interesting ...


> The production physical box (which this XML was pulled from) *was*
> configured to use a serial port, but the boot loader hangs if it can't
> find one inside the VM.

Mine wasn't configured to use a serial port, but still hung.


[...]

> When you restore XML via the web interface, I now see some boot loader
> settings are tweaked. Comparing a machine restored via the web interface
> versus one where I just copied config.xml, I find that the one restored
> via web interface has:
>
> * an extra file /boot.config containing -D
> * extra settings in /boot/loader.conf
>
> boot_multicons=YES
> boot_serial=YES
> comconsole_speed=115200
> console=comconsole,vidconsole

So these parameters are added blindly regardless of whether they were
set before, is that what you're saying? If so, that sounds like a nasty
bug to me.

-Stefan


Re: [pfSense] Restoring from XML prevents VM from booting

2014-02-05 Thread Stefan Baur
On 05.02.2014 18:41, Brian Candler wrote:
> This is a really strange behaviour, I wonder if anyone has seen anything
> similar.

/me raises his hand


> I've just been trying to replicate a production config in a VirtualBox
> VM (vbox 4.3.6, OSX 10.9.1).

I'm using KVM on Debian Linux (Wheezy/7).


> I can install pfsense fine, and manually set up a LAN IP address on
> vboxnet0 so that I can get into the web and use Diagnostics >
> Backup/Restore to upload an existing XML config. But then the VM refuses
> to boot properly. It only gets as far as:
>
> F1  pfSense
>
> F6 PXE
> Boot:  F1
> |
>
> and then hangs at that point (vertical bar, not spinning). This is
> repeatable if I reinstall and re-restore the same XML config.
>
> I was able to workaround the problem by reinstalling, using scp to copy
> /cf/conf/config.xml directly from another machine, and then reboot.

Same bug and same workaround here.


> Any thoughts welcome :-)

Sorry, no solution, only a "you're not alone".

-Stefan


Re: [pfSense] Squid version for pfSense 2.1

2014-01-28 Thread Stefan Baur
On 28.01.2014 17:56, Chris Bagnall wrote:

> In this context, it's basically a method of caching things like Windows
> / Apple updates for an IT company, especially when there are 4 or 5
> engineers all working on clients' machines simultaneously. Little point
> in downloading the same update for each machine over a ~2Mbps ADSL
> connection :-)

For Windows updates, you might also want to give
http://www.wsusoffline.net/ a try. Has a downloader that works both on
Windows and Linux (possibly FreeBSD too, with the proper packages
installed - never tried that, though) and allows you to fetch critical
updates. You can then either offer them on a SMB share or burn ISOs.
It comes with a script (AutoIT3, but also available as precompiled EXE)
which will cycle through the list of available patches and install all
the updates needed on the particular client it is running on.


-Stefan


[pfSense] Connection issues after changing from 2.0.3-RELEASE to 2.1-RELEASE

2013-12-12 Thread Stefan Baur

Hi List,

I'm kind of stumped by this.

Situation:
pfSense with 3 interfaces
WAN: 192.168.0.161/24 (DHCP)
LAN: 192.168.133.1/24
OPT1 (renamed DMZ): 172.16.0.2/12

What I did:
1) fresh install of 2.1-RELEASE as virtual machine (KVM on Linux host), 
with same virtual machine settings as for 2.0.3-RELEASE

2) enabled virtio network and disk devices as described on the wiki
3) loaded config of 2.0.3-RELEASE and changed interface/disk names as 
required


What I did NOT do until the issue appeared:
change any firewall rules

Issue:
After upgrading, all TCPv4 connections (and possibly UDPv4 too) between 
LAN and OPT1 (and vice versa) do not work

(Haven't tried IPv6 at all, since I don't have that configured)

What I'm trying is (as an example, http/proxy connections via 
80/8080/3128 don't work, either):

ssh from 192.168.133.100 to 172.16.0.110

Firewall log shows that the connection is being attempted and allowed:
pass Dec 12 08:51:10 LAN 192.168.133.100:51876 172.16.0.110:22 TCP:S

Result: Nothing happens, connection silently times out

Same goes for the opposite direction, I try:
ssh from 172.16.0.110 to 192.168.133.100

Firewall log shows that the connection is being attempted and allowed:
pass Dec 12 09:02:55 DMZ 172.16.0.110:52172 192.168.133.100:22 TCP:S

Result: Nothing happens, connection silently times out

On 192.168.133.100, the source machine, netstat -rn gives:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG      0 0          0 br1
172.16.0.0      192.168.133.1   255.240.0.0     UG      0 0          0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0          0 br1
192.168.133.0   0.0.0.0         255.255.255.0   U       0 0          0 br0

On the pfSense box, netstat -rn gives:
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0     7611 vtnet0
127.0.0.1          link#4             UH          0       28    lo0
172.16.0.0/12      link#3             U           0    17787 vtnet2
172.16.0.2         link#3             UHS         0        0    lo0
192.168.0.0/24     link#1             U           0     7669 vtnet0
192.168.0.1        52:54:00:60:93:00  UHS         0    19408 vtnet0
192.168.0.161      link#1             UHS         0        0    lo0
192.168.133.0/24   link#2             U           0     2193 vtnet1
192.168.133.1      link#2             UHS         0        0    lo0

Internet6:
Destination                       Gateway                         Flags  Netif Expire
::1                               ::1                             UH     lo0
fe80::%vtnet0/64                  link#1                          U      vtnet0
fe80::5054:ff:fe60:9300%vtnet0    link#1                          UHS    lo0
fe80::%vtnet1/64                  link#2                          U      vtnet1
fe80::5054:ff:fe60:9301%vtnet1    link#2                          UHS    lo0
fe80::%vtnet2/64                  link#3                          U      vtnet2
fe80::5054:ff:fe60:9302%vtnet2    link#3                          UHS    lo0
fe80::%lo0/64                     link#4                          U      lo0
fe80::1%lo0                       link#4                          UHS    lo0
ff01::%vtnet0/32                  fe80::5054:ff:fe60:9300%vtnet0  U      vtnet0
ff01::%vtnet1/32                  fe80::5054:ff:fe60:9301%vtnet1  U      vtnet1
ff01::%vtnet2/32                  fe80::5054:ff:fe60:9302%vtnet2  U      vtnet2
ff01::%lo0/32                     ::1                             U      lo0
ff02::%vtnet0/32                  fe80::5054:ff:fe60:9300%vtnet0  U      vtnet0
ff02::%vtnet1/32                  fe80::5054:ff:fe60:9301%vtnet1  U      vtnet1
ff02::%vtnet2/32                  fe80::5054:ff:fe60:9302%vtnet2  U      vtnet2
ff02::%lo0/32                     ::1                             U      lo0

Funnily, when I ssh to 192.168.133.1 (the pfSense box), I can continue 
to ssh to 172.16.0.110 just fine from there.


On 172.16.0.110, the destination machine, netstat -rn gives:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
0.0.0.0         172.16.0.2      0.0.0.0         UG      0 0          0 eth0
172.16.0.0      0.0.0.0         255.240.0.0     U       0 0          0 eth0



Connections between OPT1/DMZ and WAN work just fine:
When I try:
ssh from 172.16.0.110 to 192.168.0.10

The firewall log shows:
pass Dec 12 09:19:50 DMZ 172.16.0.110:43745 192.168.0.10:22 TCP:S

And it connects just fine.

Since this is a test environment, I had no pain disabling all firewall
rules and adding a "pass, log IPv4 * * * * * * none" at the top
of every interface ruleset.


This doesn't change a thing with regards to the TCP packages though (and 
yes, I hit the reload button):


After making this change, I can Ping from anywhere to anywhere just fine.
SSH/HTTP/Proxy still doesn't work across interfaces.
So it seems only TCP (and possibly UDP) is affected by whatever is 
causing this, while ICMP goes through (as long as there's no blocking rule).


My 

Re: [pfSense] Problems with Realtek 8168/8111 nic

2013-12-11 Thread Stefan Baur

On 11.12.2013 16:14, Adrian Zaugg wrote:

> This device is quite new, embedded industrial design, 2GB of RAM.


A Lex Twister (http://www.lex.com.tw/product/TWISTER.html), by any chance?

They don't play along well with some brands of RAM. Not all sellers know 
about this, though. Kingston seems to be an especially problematic one 
with them (which surprised me).


-Stefan


[pfSense] OpenVPN issues with iOS OpenVPN client

2013-12-04 Thread Stefan Baur

Hi List,

I'm having trouble getting an iPhone connect to my pfSense OpenVPN 
installation.


On the Server, I'm seeing:
openvpn[2371]: [remote IP here]:11125 WARNING: Bad encapsulated packet
length from peer (1404), which must be > 0 and <= 1300 -- please ensure
that --tun-mtu or --link-mtu is equal on both peers -- this condition
could also indicate a possible active attack on the TCP link --
[Attempting restart...]


While the Client says:

[certificate shown here]
issued  on: 2013-11-28 22:02:23
expires on: 2023-11-26 22:02:23
signed using  : RSA+SHA1
RSA key size  : 2048 bits

2013-12-04 15:33:45 TCP recv EOF
2013-12-04 15:33:45 Transport Error: Transport error on '[my dyndns name here]: 
NETWORK_EOF_ERROR
2013-12-04 15:33:45 Client terminated, restarting in 2...
2013-12-04 15:33:47 EVENT: RECONNECTING
2013-12-04 15:33:47 LZO-ASYM init swap=0 asym=0

I'm passing
link-mtu 1300;
mssfix 1260;

to both client and server, so I don't know where the 1404 is coming from.

What am I doing wrong? And why is it that only the iPhone has trouble 
connecting, while an Android phone (using another certificate, but the 
same settings) works fine?


If you need further info (settings, more log file excerpts), please let 
me know what I should post.


This is a pfSense behind another pfSense (which is set to forward TCP 
packets on port 1194 to the second pfSense, that has OpenVPN configured) 
which in turn is attached to a SoHo DSL router (which is set to forward 
all packets to the first pfSense WAN IP), so I'm using tcp instead of 
udp and the 1300 mtu setting to avoid trouble due to multiple NATing and 
forwarding. Worked fine for Android, just the iPhone is acting up.


IoW: [DSL]---[SoHo router]---[pfSense #1]---[pfSense #2 with OpenVPN]

-Stefan


Re: [pfSense] Please update the Wiki with the following information

2013-12-01 Thread Stefan Baur

On 01.12.2013 15:28, Adam Thompson wrote:

> [FEAT VPN now available free of charge w/o time limit]
>
> I'll note that this only became visible to me on the Play store *today*
> (Sunday).  As of yesterday (Saturday), I was still seeing the Free
> version and the Pro version in the Play store.


I'm not sure how Google Play handles updates. It may well be that 
they're doing staggered roll-outs, region-specific, to avoid having a 
gazillion devices trying to download a new version of an app in the same 
fraction of a second when an update goes live.
I know that they do employ such a method for Over-the-Air Android 
operating system updates.




> Also, the new edition (updated Oct 27) is no longer compatible with
> Android 4.x+ according to Google Play.  WTF?


Since my emulator doesn't allow me to access Google Play, I did as it 
said on the FEAT VPN web site, and downloaded it directly from there:


eclair-2013-01-23.apk for 2.x-3.x: http://www.featvpn.com/dl.php?id=1
ics-2013-01-23.apk for 4.x: http://www.featvpn.com/dl.php?id=2

I'm guessing that when you log on with a 4.x device, you'll only see the 
4.x-only version in Google Play.


-Stefan


[pfSense] Please update the Wiki with the following information

2013-11-29 Thread Stefan Baur

Hi,

would somebody with editing privileges please update
https://doc.pfsense.org/index.php/Android_VPN_Connectivity#pfSense_2.0
with the following information:

FEAT VPN is now available free of charge and brings OpenVPN Connectivity 
to 2.x and 3.x Androids.


FEAT VPN works on 4.x, too, with a different .apk file. (both the 
2.x/3.x and the 4.x apks are linked on the featvpn.com web page, and 
should be available in google play, too)


4.x Androids have an official API for 3rd-Party VPN providers.

However, it seems that Android 4.4 is missing /dev/tun, at least in
non-rooted devices.
This means that both the VPN client already linked on the wiki page, 
https://play.google.com/store/apps/details?id=de.blinkt.openvpn, as well 
as FEAT VPN, currently *don't* work on Android 4.4. I do not know if 
Google has to push an updated OS to fix that or if it can be fixed by 
the app developers.


I've tried both OpenVPN applications mentioned above on 4.3 in Google's 
own Android emulator, they both worked fine, while on 4.4 they exhibit 
the missing-dev-tun-problem and thus don't work.


Also, I tried FEAT VPN on real hardware and can confirm that it works on 
a Motorola Milestone 2 (European-GSM Droid 2) with its stock 
Android/Motoblur versions, i.e. non-rooted. I might try an older 
Milestone 1 (Euro/GSM original Droid) if anyone is particularly 
interested in the results.


On the pfSense side of things, I always used 2.0.3-RELEASE (i386) for my 
tests.
I would expect it to work with later versions, too, but have not tested 
it yet.


-Stefan


Re: [pfSense] naive suggestion: conform to US laws

2013-10-15 Thread Stefan Baur

On 15.10.2013 16:15, Jim Thompson wrote:
> So what excuse do I have, given that I was stone sober? (In France at
> the time, but still… sober.)


Maybe you were immersed long enough to assimilate the French attitude?
(Think French Soldier in Monty Python and the Holy Grail - 
http://www.imdb.com/title/tt0071853/quotes)


*grinning, running and ducking*

SCNR,
Stefan


Re: [pfSense] Sanity check on Routing with pfSense

2013-05-24 Thread Stefan Baur

On 24.05.2013 22:25, Jeffrey Mealo wrote:

> Will pfSense be running on bare metal or virtualized? pfSense has
> issues running on some hypervisors including KVM.


It has? I haven't noticed any, and I'm running it on some 40-50 
machines, since 2011 or so. This is Debian Squeeze with KVM.


Care to elaborate?

-Stefan



Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing

2013-02-19 Thread Stefan Baur

On 19.02.2013 23:06, Stefan Baur wrote:

>> You may find enabling 'sticky connections' in Advanced Settings might
>> do what you wish.
>
> That's not quite where I would have searched for it, but it's great that
> the feature already exists.  Thanks for the pointer! :-)


Seems I was a little trigger-happy here.  Changing the setting didn't 
alter the behavior.  I also rebooted the pfSense box just to make sure, 
but it doesn't help. :-(  And this is even happening on web sites that 
offer a "keep me logged in for two weeks" checkbox similar to what 
Google Mail does.  (I usually don't use these checkboxes but just gave 
it a try, to see if it changes anything.)


-Stefan


[pfSense] Turning UDP broadcast into a unicast on another interface

2012-10-02 Thread Stefan Baur

Hi list,

is it possible to have pfSense act upon receiving a UDP broadcast on one 
specific port on one interface, and turn it into a unicast to a known IP 
on another interface?  And if yes, will I have to set up a second rule 
so the answer packet reaches its destination on the other interface?


-Stefan


[pfSense] NATting/re-routing in the same network, is this possible?

2012-09-29 Thread Stefan Baur

Hi List,

I have multiple sites where several clients (C1...Cn) within the same 
LAN need to connect to a server (S).


The pfSense box acts as a router (R) at all these sites.
The router IP on the LAN side is the same everywhere.
The server IP varies from site to site, though.

Ex:

Site 1                       Site 2
C1---+                       C1---+
     |                            |
C2---+---R 192.168.0.1       C2---+---R 192.168.0.1
...  |                       ...  |
Cn---+                       Cn---+
     |                            |
 S---+                        S---+
.100                         .200

I would like to avoid having to configure all the clients individually, 
so I am looking for a way to let pfSense act like a NAT router.
Plan: Make the clients think they connect to the server, while in 
reality, they connect to the pfSense box that forwards the connection to 
the real server.

Reason: Central, single point of administration per site.

What I tried:

NAT rule:
<rule>
	<source>
		<any/>
	</source>
	<destination>
		<network>opt1ip</network>
		<port>5</port>
	</destination>
	<protocol>tcp</protocol>
	<target>192.168.0.100</target>
	<local-port>5</local-port>
	<interface>lan</interface>
	<descr><![CDATA[Internal portforwarding for server access]]></descr>
	<associated-rule-id>nat_5065cd732734e8.45732086</associated-rule-id>
</rule>

Firewall rule:
<rule>
	<id/>
	<type>pass</type>
	<interface>lan</interface>
	<tag/>
	<tagged/>
	<max/>
	<max-src-nodes/>
	<max-src-conn/>
	<max-src-states/>
	<statetimeout/>
	<statetype>keep state</statetype>
	<os/>
	<protocol>tcp</protocol>
	<source>
		<any/>
	</source>
	<destination>
		<address>192.168.0.100</address>
		<port>5</port>
	</destination>
	<log/>
	<descr><![CDATA[Internal portforwarding for server access]]></descr>
	<associated-rule-id>nat_5065cd732734e8.45732086</associated-rule-id>
</rule>

The firewall rule is on top of the LAN rules list, and I pushed the 
"apply changes" button.


It does not work, though - I cannot establish a connection to the server 
by connecting to the same port on the router.


So, I guess I'm doing it wrong, or it isn't possible at all.

Could somebody please enlighten me? :-)

-Stefan


[pfSense] Android VPN with pfSense

2012-09-08 Thread Stefan Baur

Hi List,

I have an Android phone that offers

- PPTP-VPN
- L2TP-VPN
- L2TP/IPSec PSK-VPN
- L2TP/IPSec CRT-VPN

(That's Android 2.2.1, but possibly with certain backports or 
vendor-specific extensions by Motorola)


I would like to connect it to my pfSense 2.0.1-RELEASE box so I have a 
secure connection with my LAN when I'm on the road.


I've found http://doc.pfsense.org/index.php/Android_VPN_Connectivity but 
I'm more confused than enlightened after reading that.
So far, I only have experience with OpenVPN, which isn't available on my 
phone (and since it has a locked bootloader, I can't root it).


What is going to be the easy and painless way of establishing a VPN 
connection between my phone and the pfSense box?


I faintly remember some protocols are less secure than others, but I 
don't remember which ones, and saw the note on the above-mentioned wiki 
page that L2TP does not encrypt traffic.  I'm taking that as a hint that 
I shouldn't be using L2TP on its own, but should I go the PPTP route or 
is one of the L2TP/IPSec combinations going to work with the components 
involved?


Thanks in advance for all your suggestions.

-Stefan


Re: [pfSense] Android VPN with pfSense

2012-09-08 Thread Stefan Baur

On 08.09.2012 10:16, Paul Gear wrote:

> I'll leave others to discuss the relative security merits of each (but
> yes, L2TP by itself will not encrypt).

[...]

> If you have a PPTP VPN, you should read
> http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
>
> I'm working on a plan to eradicate all PPTP from our network.


Thanks, that was what I had heard of.

So, from the four options I have (Being stuck on Android 2.2.1 and 
unable to root), the first two are out.


- PPTP-VPN - hacked
- L2TP-VPN - unencrypted
- L2TP/IPSec PSK-VPN
- L2TP/IPSec CRT-VPN

What about the last two options, are they possible with pfSense 
2.0.1-RELEASE, and if so, is there a howto available?


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-27 Thread Stefan Baur

On 27.07.2012 12:54, Frank wrote:

> - does it still work, if you call /etc/rc.dyndns.update manually ?
>
> Main difference between /etc/rc.dyndns.update and "wget -O- ..." is
> that rc.dyndns.update uses the system config.
> So: wget working and rc.dyndns.update not would indicate a config error.


But why and how would it update the IP after hitting Save in the 
WebGUI, if the config was wrong?


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Stefan Baur

On 25.07.2012 18:36, RB wrote:

>> However, repeatedly firing off
>>
>> fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address:
>> \(.*\)<\/body.*$/\1/'
>>
>> within the same minute doesn't error out, so it doesn't look like a limit
>> that's enforced by dyndns.
>
> My only guess is that they're enforcing by trend rather than burst.
> Regardless, I'll be interested to know your outcome.


Still no luck. :-( Old IP shows up as red after the nightly IP change.

You mentioned a cron job for updating; are you hijacking pfSense 
built-in functions for that or did you roll your own script that needs 
to be passed login credentials for the DynDNS provider?


-Stefan



Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Stefan Baur

On 26.07.2012 23:53, Nishant Sharma wrote:

> Are you running dual WAN setup with gateway failover by any chance?


Nope, single WAN, but in private IP space, as there is another router 
above it.


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-26 Thread Stefan Baur

On 27.07.2012 01:16, Jeppe Øland wrote:

> On Thu, Jul 26, 2012 at 2:14 PM, Stefan Baur
> <newsgroups.ma...@stefanbaur.de> wrote:
>>> - what does your log say about dyndns?
>>
>> Nothing that would look helpful:
>>  check_reload_status: Updating all dyndns
>> is the only message containing the string "dyn", and it only appears once
>> during startup.
>
> There's got to be more in the log than just that!

Nope, there isn't... but...

> Maybe (or not) this bugreport is related to your problem.
> The bug is marked as resolved, but I am not sure that's actually true:
>  http://redmine.pfsense.org/issues/943


Exactly from there:

> This is gonna sound really stupid but:
>
> Do me a favor and see if you maybe by accident checked the "disable" checkbox
> at the top of the dyndns account settings (I did this once and it took me three days
> to notice this...)


And GH, it seems that I hit that disable checkbox some time when I 
wasn't paying attention.  Will wait for the next upstream IP change to 
confirm, but I guess that was the solution.  Fsck.


Is there a particular reason why this is "check to disable" and not 
"check to enable"?


-Stefan


Re: [pfSense] Squid transparent ssl proxy

2012-07-25 Thread Stefan Baur

On 25.07.2012 05:17, Jerome Alet wrote:

> Any idea what I'm doing wrong ?

This is what you're doing wrong:
> Now I'd like to set it up as an HTTPS transparent proxy as well.

HTTPS traffic is encrypted, and squid is lacking the proper 
keys/certificates to decrypt it.


In theory, you could set up squid with its own certificates, but that 
will turn squid into a man-in-the-middle, i.e. all your clients will 
complain that the certificate doesn't match the sites they're trying to 
access.


IOW: Just don't do it.

I'd suggest looking into browser autoconfiguration using auto.pac / 
wpad.dat files.


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread Stefan Baur

On 25.07.2012 18:02, Michael Schuh wrote:

> Hi Stefan,
>
> you are in Germany - right?
> I suggest:
> most DSL providers give you a fixed IP address if you ask.
> Most times it will cost you just the phone call. Some will bill you 5 €.
> So no more dynamic DNS needed. No hassle, no troubles.
>
> HTH


Sadly, no. That doesn't scale well (we're talking a 2-digit number of 
installations, with a lot more planned, and various providers).


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread Stefan Baur

On 25.07.2012 18:24, RB wrote:

> On Wed, Jul 25, 2012 at 10:19 AM, Stefan Baur
> <newsgroups.ma...@stefanbaur.de> wrote:
>>> I thought there was a maximum allowable frequency (e.g. 10 minutes)
>>> for hitting checkip.dyndns.org, but can't currently find documentation
>>> of that.
>>
>> The limit is for hitting the update server, not for hitting
>> checkip.dyndns.org (but feel free to prove me wrong).
>
> Here you go: http://dyn.com/support/developers/checkip-tool/


Okay, indeed it says so there (and I've updated my crontab accordingly). 
Thanks for pointing that out.


However, repeatedly firing off
fetch -q -o - http://checkip.dyndns.org | sed 's/^.*Current IP Address: \(.*\)<\/body.*$/\1/'
within the same minute doesn't error out, so it doesn't look like a 
limit that's enforced by dyndns.


Anyways, I guess all I can do now is wait for the next IP update 
(probably around 4:00am CEST) and see if it works with the 10 minute 
setting.


-Stefan


Re: [pfSense] DynDNS troubles, once again

2012-07-25 Thread Stefan Baur

On 25.07.2012 23:30, Fuchs, Martin wrote:

> I also had many problems and since I use noip now, the problems have gone...
> It's still the case that dyndns updates sometimes work and sometimes not :-(


I *am* using no-ip, however, pfSense uses the checkip.dyndns.org server 
to check for the current IP (at least that's how I remember it from one 
of our Gurus on this list, probably Chris or Seth).


-Stefan



Re: [pfSense] pfSense 2.0.1-RELEASE, Restoring partial config.xml does not work

2012-07-24 Thread Stefan Baur

On 23.07.2012 21:44, Seth Mos wrote:

> Good news. Support for just that and a few other items has been included in
> pfSense 2.1


Thank you. What's the rough estimate for the 2.1 release date?

-Stefan



Re: [pfSense] pfSense 2.0.1-RELEASE, Restoring partial config.xml does not work

2012-07-23 Thread Stefan Baur

On 23.07.2012 15:10, Oliver Hansen wrote:

> Hi Stefan, I can't be sure but I think I have run into this before. Have
> you tried uploading a config with ONLY those parts that you want to
> change? I think it is intended to be restored from a backup that only
> contained those parts.


While it indeed does work that way, it doesn't really make sense to me.

If I cannot import selected sections from a full config.xml, what would 
the select menu be good for?
And if I only have a partial config, say, I saved the aliases, then 
obviously I would want to restore the aliases from it and not the 
(non-existent) firewall rules.


IMO, this is a bug that needs to be fixed.

-Stefan


Re: [pfSense] whitelist of mac address

2012-06-11 Thread Stefan Baur

On 11.06.2012 15:43, Bill Yuan wrote:

Seems it is not free!


http://en.wikipedia.org/wiki/TANSTAAFL


[pfSense] pfSense product support lifecycle?

2012-04-24 Thread Stefan Baur

Hi list,

I just stumbled over a few posts mentioning the scheduled 2.1 release of 
pfSense on June 6, 2012.
This has made me wonder: Is there any centralized resource (ordinary web 
page, wiki, whatever) where one can review what Microsoft would call the 
product support lifecycle of pfSense?


In other words, I'm looking for a place that tells me when an older 
release of pfSense will stop receiving security updates, so I can plan 
my upgrades in advance.


The thing is, I rolled out 2.0.1 (upgrading from 1.2.3) between November 
2011 and February 2012, IIRC.  I'd prefer to stay on 2.0.1 for a while, 
as I don't need the IPv6 features of 2.1 just yet.  I'm just wondering 
how long after June 6, 2012 it will be safe to do so.


-Stefan


Re: [pfSense] pfSense product support lifecycle?

2012-04-24 Thread Stefan Baur

On 24.04.2012 09:32, Chris Buechler wrote:

Nothing formal. To date, once we put out a new release, all prior
releases will not get any updates. That will probably especially be
true going forward, with much shorter release cycles than we had from
1.2.3 to 2.0, and much fewer changes, hence much less risk of
upgrading.


In that case, I'm really curious if in-place upgrading will work for me 
on the newer releases... otherwise I see a lot more work headed my way. :-/



[...]Never seen a need for maintaining older
releases, especially given the resources it would take to do so. If
there were legit reasons (eg. anything other than I don't want to
upgrade) to stay on a particular release behind the most recent, we
would reconsider that, but historically that's never been the case.


Well, I understand that you have limited resources - we all have - but 
how about, say, a 3-month timeframe after a release, just to get more 
user feedback if the new release works as intended or might require a 
point release to patch a flaw that slipped through in the beta-testing 
phase?


I've seen things crop up like that even though stuff was tested for a 
while before being released, usually because there was one weird 
real-world scenario that didn't occur in the limited user base one has 
that is willing to run beta software on production or production-like 
systems.


So, to sum it up: I don't like the idea of being stuck on a vulnerable, 
outdated version of pfSense, but I also don't like the idea of having to 
roll out a release that I don't have a warm and fuzzy gut feeling about 
because I haven't seen it running in production for a while.


Do you see where I'm coming from? :-)

-Stefan


Re: [pfSense] DynDNS/No-IP question, cascaded NAT

2012-01-06 Thread Stefan Baur

On 06.01.2012 21:24, Lyle Giese wrote:
I went the route to buy an account at Dyndns for $20/year and that 
allows 32 dyn hosts.  I give them to my customers as needed for that 
amount.  I have handed out 22 and still have 10 more available.


Doesn't that mean that all of the machines are using the same account 
info, thus the same password? What if it becomes compromised? What if 
one of your customers decides to log in to the DynDNS web site using 
that password, and changes the password, creates additional dyn hosts 
for himself or deletes / changes entries belonging to other customers?


As the customers have physical access to the pfSense boxes, there's 
nothing that keeps them from pulling the CF card and reading the config 
file using another machine, even if I'd withhold the admin password from 
them (which I currently don't).


Kind Regards,
Stefan


Re: [pfSense] DynDNS/No-IP question, cascaded NAT

2012-01-06 Thread Stefan Baur

On 06.01.2012 21:57, Lyle Giese wrote:
I have not checked but I doubt that pfsense would store that password 
in plain text either.


I just did, with a no-ip account. It's stored there in plain text. And 
if you think about it, anything else would just add a false sense of 
security.


Kind Regards,
Stefan
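The two posts above describe the actual risk: one DynDNS login copied into many customers' config.xml files, readable by anyone who pulls the CF card. The audit below is an added example, not code from the thread or from pfSense; it assumes the `<dyndnses>/<dyndns>` layout with `type`, `username`, `password` and `host` children, and uses constructed sample backups.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample backups, one per customer box. Boxes A and B share one
# No-IP login; box C has its own. The element layout is an assumption about
# pfSense's config.xml, not taken from the thread.
BOX_A = """<pfsense><dyndnses><dyndns>
  <type>noip</type><username>shared@example.net</username>
  <password>hunter2</password><host>custA.example.net</host>
</dyndns></dyndnses></pfsense>"""
BOX_B = """<pfsense><dyndnses><dyndns>
  <type>noip</type><username>shared@example.net</username>
  <password>hunter2</password><host>custB.example.net</host>
</dyndns></dyndnses></pfsense>"""
BOX_C = """<pfsense><dyndnses><dyndns>
  <type>dyndns</type><username>only-c</username>
  <password>s3parate</password><host>custC.example.net</host>
</dyndns></dyndnses></pfsense>"""


def dyndns_entries(config_xml):
    """Return (type, username, password, host) tuples from one config.xml."""
    root = ET.fromstring(config_xml)
    out = []
    for e in root.iter("dyndns"):
        def get(tag):
            return (e.findtext(tag) or "").strip()
        out.append((get("type"), get("username"), get("password"), get("host")))
    return out


def shared_credentials(configs):
    """Map (type, username, password) -> sorted list of boxes using it.
    Only logins seen on more than one box are returned: a single leaked
    CF card then exposes every host in that list, so each such login is
    a candidate for a per-customer account."""
    users = defaultdict(set)
    for box, xml in configs.items():
        for typ, user, pw, host in dyndns_entries(xml):
            users[(typ, user, pw)].add(box)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}


if __name__ == "__main__":
    for (typ, user, _pw), boxes in shared_credentials(
            {"A": BOX_A, "B": BOX_B, "C": BOX_C}).items():
        print(f"{typ} login {user!r} is shared by boxes {boxes}")
```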


Re: [pfSense] DynDNS/No-IP question, cascaded NAT

2012-01-06 Thread Stefan Baur

On 07.01.2012 00:41, Ingo Schmitt wrote:

Hi,

On 01/06/12 21:09, Stefan Baur wrote:

...
a) No-IP in regular intervals and blindly update the status - I'm
not sure if that violates No-IPs Terms of Service, though - or,
...

freeDNS allows you to update your IP by just hitting a special URL from
your WAN. http://freedns.afraid.org/


So does No-IP[1], but the question is, how often within a given time 
frame are you allowed to do so when your IP *hasn't* changed?
I remember DynDNS being rather restrictive about that when using their 
free service.


[1] see http://www.no-ip.com/integrate/request/ - myip is an optional 
parameter, your IP will default to your WAN IP if you don't set a value 
for myip


Kind Regards,
Stefan


[pfSense] Strange hard disk size issue

2011-09-23 Thread Stefan Baur

Hi list,

About a year and a half ago, I installed pfSense 1.2.3 in a virtual 
environment. I didn't use the VMware Image provided on the pfsense web 
site, as I am using a different virtualization solution (Linux kvm, in 
case anyone wonders).


I created the virtual environment with a 512 Megabyte virtual hard disk, 
and the system has been running smoothly ever since.


A few days ago, I tried upgrading to pfSense 2.0 and the upgrade failed 
hard - the machine just wouldn't start after a reboot.
Checking the console, I received a message that the system was unable to 
find the kernel.


So I restored the image from a backup and tried upgrading again, this 
time from the command line.

What I saw was that the system was running out of disk space:
Firmware upgrade in progress...

..
/: write failed, filesystem is full
.
/: write failed, filesystem is full
.
/: write failed, filesystem is full
.

After restoring the image to its previous state (again *sigh*), I 
decided to log in and check how much disk space is available, and df -h 
tells me:

/dev/ad0s1a    248M    110M    118M    48%    /

Which makes me wonder:
1) Why did the installer only use 248M of the available 512M? Is there 
any particular reason for only using half of the available disk space, 
or did I make a mistake back when I installed the system?


2) Is there any way to recover from this situation that saves me from 
having to do a full re-install? Like, enlarging the partition/slice and 
the filesystem on it from inside the running pfSense 1.2.3 system?  
(Having to reboot it a few times during the preparations for the upgrade 
would be acceptable.)  I have to admit I'm a little spoiled from what 
I've seen with Linux and ext2/ext3 - Resize the partition, reboot so the 
kernel can figure out the new partition table, enlarge the filesystem 
while it is mounted, that's how it works there.  Surely FreeBSD has a 
similar procedure?


For those of you that want to take a closer look, I copied the output of 
various fdisk commands and made them available here:

http://pastebin.com/Mhdvgh4k

Kind Regards,
Stefan