Re: [pfSense] Limit bandwidth per user / ip
Thank you Chris! Since I am interested in this too, are there any tricks when you want to do the same but you have a multi-WAN setup, or, probably even worse, a multi-WAN setup with different WAN bandwidth?

Thank you all!
Vassilis

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] States Issue with Asterisk behind pfSense
Hannes Werner wrote on 26.09.2014 16:51:
> Thank you very much Giles, but unfortunately it doesn't help. Anyone here who is using asterisk behind pfSense on a dynamic IP WAN successfully?

Hello Hannes!

I have also used asterisk behind a dynamic PPPoE WAN. I had the exact same issues that the bug report is describing. I tried different ways to get it to work and I found that some solutions work with some providers, but fail at others. There seems to be a lot of black magic involved when configuring SIP to work in such a configuration :)

What worked best was to set nat=no and externip=the local asterisk IP. I had also not done any port forwards whatsoever on pfsense, outgoing NAT was set to automatic. I certainly cannot explain why it was working that way!

Hope it helps!
Vassilis
Re: [pfSense] Openvpn site to site problem
Hi!

Try this:

pfsense2 - server: Tunnel network: 10.0.8.0/30 (no need for /24 on site2site)
pfsense1 - client: Tunnel network: 10.0.8.0/30 (You can even keep it empty)

Keeping or removing the remote network on the client side shouldn't be important, the difference being that if you keep it, you should see an error message that the route that has already been pushed by the server is re-issued by the client.

Hope it helps!
Vassilis

Cristian Del Carlo wrote on 19.12.2012 14:09:
> Hi, thanks for your help.
>
> My firewall rules are in both pfsense:
> Action: Pass
> Interface: Openvpn
> Protocol: Any
> Source: Any
> Destination: Any
>
> These are my routes from the firewalls (without public IP):
>
> pfsense 1 - client:
> 10.0.8.1        link#10   UH    0  15        ovpnc2
> 10.0.8.2        link#10   UHS   0  0         lo0
> 192.168.8.0/24  10.0.8.1  UGS   0  45        ovpnc2
> 192.168.9.0/24  link#2    U     0  37598040  em1
>
> pfsense 2 - server:
> 10.0.8.1        link#9    UHS   0  0         lo0
> 10.0.8.2        link#9    UH    0  72        ovpns1
> 192.168.8.0/24  link#2    U     0  229122    em1
> 192.168.8.1     link#2    UHS   0  0         lo0
> 192.168.9.0/24  10.0.8.2  UGS   0  1         ovpns1
>
> Could it be a routing problem?
>
> 2012/12/19 WolfSec-Support supp...@wolfsec.ch:
>> Hi,
>> do you have special rules in VPN tunnel? make sure to open OpenVPN ruleset as necessary
>> this is new in 2.x; 1.2.x had no rules in OpenVPN tunnels but per default normally tunnel is open anyany
>> br
>> stephan
Re: [pfSense] Bandwidth limiter
Jeremy Martijn wrote on 05.11.2012 12:42:
> Good morning,
>
> I have a question regarding the bandwidth limiter on pfsense. I'm going to describe the current situation and what I have done so far.
>
> I want to limit every user on the network to a 20Mbit/s down/10Mbit/s upload speed and the whole network should have a 100Mbit/s download and upload speed.
>
> Limiter made Limit_In at 20Mbit/s and Limit_Out on 10Mbit/s.
> Firewall Rule on the LAN, with Interface LAN, Protocol TCP/UDP, Source type LAN subnet and In/Out set to Limit_Out and Limit_In.
>
> When I do a speedtest I get the 20/10 speed as I have configured it, but what I'm doubting is whether this speed is now set per user or for the LAN subnet? What will happen if more users connect to the LAN subnet?
>
> And if I want to limit the whole bandwidth speed of the pipe to 100Mbit/s, how would I need to make a rule for that?
>
> Uplink is 100Mbit/s
> Speed per user 20Mbit/s download 10Mbit/s upload on LAN subnet.
>
> Thanks in advance.
>
> Sincerely yours,
> Jeremy Martijn

Hi Jeremy

For the per-user limiter, check the Mask setting:

"If 'source' or 'destination' is chosen, a dynamic pipe with the bandwidth, delay, packet loss and queue size given above will be created for each source/destination IP address encountered, respectively. This makes it possible to easily specify bandwidth limits per host."

If you want to limit the whole subnet too, I guess you would need to make a different rule at a higher priority.

Hope it helps!
Vassilis
[pfSense] arp: unknown hardware address format (0x0103)
Hello!

I have been seeing the following message in my system log, being repeated every 20-30 seconds:

kernel: arp: unknown hardware address format (0x0103)

The NIC with those errors has some wireless APs connected to it. After some searching I couldn't find any definite answer about the message: is it a broken cable somewhere, is it a bug, can I ignore it, can I get rid of the messages?

Hopefully to help the search I attach a tcpdump output with the exact same timestamp as the message in the system log. It's not always the same MAC address and they are always present when the error occurs.

Thank you!
Vassilis

(I X'ed out the last digits)

tcpdump -exxn -s 0 -i em1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:59:01.171411 64:a7:69:42:XX:XX > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: [|ARP]
        0x0000:  0103 0002 6f8c 0f09 6a94 052c 8006 70fe  o...j..,..p.
        0x0010:  c0a8 0694 4a7d 848b cf1b 0050 b477 e721  J}.P.w.!
        0x0020:  546a b0b4 5018 403d fb06 5a0d            Tj..P.@=Z.
        0x0000:  64a7 6942 0806 0103
        0x0010:  0002 6f8c 0f09 6a94 052c 8006 70fe c0a8
        0x0020:  0694 4a7d 848b cf1b 0050 b477 e721 546a
        0x0030:  b0b4 5018 403d fb06 5a0d
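As an added example (not part of the original post, and not pfSense or FreeBSD code), the following Python script rebuilds the frame from the hex dump above, decodes the fixed ARP header and reports the hardware-type field that the kernel message objects to. The two masked source-MAC bytes are replaced with a 00:00 placeholder, the second, well-formed ARP request is constructed for contrast, and the IANA hardware-type table is deliberately partial. It is useful for correlating a capture with the syslog line without having to read the hex by hand.

```python
# Added example (not from the list post): decode the ARP header of a frame like
# the one in the tcpdump above and flag hardware-address formats an Ethernet
# host cannot handle, which is what the FreeBSD kernel reports as
# "arp: unknown hardware address format (0x0103)".
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# ar_hrd values from the IANA "Hardware Types" registry (partial list); on an
# Ethernet interface only value 1 is meaningful.
HARDWARE_TYPES = {1: "Ethernet", 6: "IEEE 802", 15: "Frame Relay", 16: "ATM", 32: "InfiniBand"}


def parse_arp(payload):
    """Decode the fixed 8-byte ARP header (RFC 826) that follows the Ethernet
    type field and report whether an Ethernet/IPv4 host could use it."""
    if len(payload) < 8:
        raise ValueError("ARP header truncated: %d bytes" % len(payload))
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", payload[:8])
    # A well-formed Ethernet/IPv4 ARP packet carries hrd=1, pro=0x0800, hln=6, pln=4.
    sane = hrd == 1 and pro == ETHERTYPE_IPV4 and hln == 6 and pln == 4
    return {
        "hrd": hrd,
        "hrd_name": HARDWARE_TYPES.get(hrd, "unknown (0x%04x)" % hrd),
        "pro": pro,
        "hln": hln,
        "pln": pln,
        "op": op,
        "known_hrd": hrd in HARDWARE_TYPES,
        "ethernet_ipv4_sane": sane,
    }


def parse_frame(frame):
    """Split off the 14-byte Ethernet II header; decode the ARP header if the
    ethertype says ARP, otherwise just report the ethertype."""
    if len(frame) < 14:
        raise ValueError("Ethernet header truncated")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype, "arp": None}
    if etype == ETHERTYPE_ARP:
        result["arp"] = parse_arp(frame[14:])
    return result


def verdict(frame):
    """One-line summary in the spirit of the kernel message, for log correlation."""
    info = parse_frame(frame)
    arp = info["arp"]
    if arp is None:
        return "not ARP (ethertype 0x%04x) from %s" % (info["ethertype"], info["src"])
    if not arp["known_hrd"]:
        return "arp: unknown hardware address format (0x%04x) from %s" % (arp["hrd"], info["src"])
    if not arp["ethernet_ipv4_sane"]:
        return "arp: odd field sizes (hln=%d pln=%d) from %s" % (arp["hln"], arp["pln"], info["src"])
    return "arp: op %d from %s" % (arp["op"], info["src"])


# Sample 1: the frame from the tcpdump above, reassembled from its hex dump.
# The two masked source-MAC bytes (XX:XX) are replaced with a 00:00 placeholder.
BAD_FRAME = (
    bytes.fromhex("ffffffffffff")           # destination: broadcast
    + bytes.fromhex("64a769420000")         # source 64:a7:69:42:XX:XX (placeholder)
    + bytes.fromhex("0806")                 # ethertype ARP
    + bytes.fromhex(
        "0103 0002 6f8c 0f09 6a94 052c 8006 70fe"
        "c0a8 0694 4a7d 848b cf1b 0050 b477 e721"
        "546a b0b4 5018 403d fb06 5a0d"
    )
)

# Sample 2: a constructed, well-formed ARP request (who-has 192.168.6.148 tell 192.168.6.1).
GOOD_FRAME = (
    bytes.fromhex("ffffffffffff")           # destination: broadcast
    + bytes.fromhex("001122334455")         # source MAC (constructed)
    + bytes.fromhex("0806")                 # ethertype ARP
    + bytes.fromhex("0001 0800 0604 0001")  # hrd=1 pro=IPv4 hln=6 pln=4 op=request
    + bytes.fromhex("001122334455") + bytes([192, 168, 6, 1])     # sender MAC / IP
    + bytes.fromhex("000000000000") + bytes([192, 168, 6, 148])   # target MAC / IP
)

if __name__ == "__main__":
    for f in (BAD_FRAME, GOOD_FRAME):
        print(verdict(f))
```

Running the script prints the kernel-style line for the captured frame (hardware type 0x0103, address length 0x6f, neither of which fits Ethernet) and a normal request line for the constructed one; feeding it frames exported from a capture lets you count how many distinct source MACs produce the malformed packets.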
Re: [pfSense] Double WAN with same GW
Hi!

The only difference to having a different GW for each WAN is that with the same GW you need to specify a different monitor IP for one of the WAN interfaces. The rest of the configuration stays the same.

Choose your monitor IP carefully though, if that IP ever stops responding or has a bad connection, your pfsense will assume that your WAN interface is down.

Vassilis

b...@todoo.biz wrote on 09.07.2012 13:25:
> Hello,
>
> I have seen a couple of threads about dual WAN bound to the same GW.
> I wanted to know if there was a proper way of dealing with this? And what you suggested?
>
> The idea is to set up a Gateway Group and be able to define various load balancing policies… (Policy based routing) + (2 Tier 1 links)
>
> Any info about the specific manipulation we might have to do in this case is very welcome! Even if it is to let me know that this is impossible to do!
>
> Sincerely yours.
> G.B.
>
> --
> Grégory Bernard
> Director
> www.osnet.eu
> Your provider of OpenSource appliances
Re: [pfSense] Forwarding an external port according to user
David Brown wrote on 10/24/2011 02:34 PM:
> Using a VPN is certainly a possibility - our road warriors who use a laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my home machine regularly to access everything in the network here. Where VPNs are the right solution, they are what we use. But I see two disadvantages of VPNs.
>
> They give too much access. Obviously firewall rules can be added to limit access in some ways, but it is somewhere between difficult and impossible to get the right balance between security and functionality here. How do I set up firewalls that let the user access company files on a server from their home machine without also opening these files to whatever malware they've installed? I can proscribe rules and regulations for computers on the company network, I can monitor them for suspicious behaviour, and do regular checks. But I can't do that for people's home computers. I can do so on a limited basis for a few users, especially for those with company laptops that they use from home or outside, but it is not scalable in general.

I can't agree that VPNs give too much access. The way the VPN in pfsense is configured, it gives exactly the amount of access that you allow. Having a VPN connection that allows only connecting to port 5900 on a certain PC is a piece of cake.

If you want to offer samba to your users, you shouldn't really port forward the ports to WAN. Even if you limit the source IP it feels somehow wrong to do it :) But it's more of a general question whether you want to give them access to samba or not; the tool you want to use (port forward or VPN) doesn't matter.

> The other disadvantage of a VPN is that we use a lot of specialised software - people can't easily install it on their home machines. They may also need different sorts of access to different machines - trying to get routing and firewalling rules that allow this over a VPN without being too permissive is hard.

I didn't clearly describe the solution I proposed: they would still use VNC to work on their work PC. They would just tunnel it through the VPN and have access only to port 5900 on their PC.

> With VNC, both these issues are solved, since they are effectively working on their company desktops. Obviously running VNC over a VPN would improve the security, since everything is encrypted, and it would be possible to set that up. In particular, it would be easier to set OpenVPN rules to say only port 5900 is allowed, than to try to give all the required firewall rules to let users get local access from home machines to the company systems.

Exactly! :-) And it would be a lot easier to configure/expand/maintain/monitor in the future.

> But encrypting VNC over a VPN is not really necessary - it is probably easier to use UltraVNC (or any other VNC with encryption built-in). It is also not much of a security issue since most employees have the same ISP as the company - there is very little possibility of eavesdropping or other attacks.

I also use VNC a lot but personally I wouldn't do it in the open via a port forward. There might be some fancy software that offers encryption but personally I prefer to tunnel it through a VPN for security reasons. I trust OpenVPN with certificates far more than UltraVNC with encryption.

Having OpenVPN installed on the home PC really isn't a problem, even for Windows users. You can have ready-to-deploy zip files with the config and the certificates ready for each user. They wouldn't have to remember any passwords and via the firewall rules you could make sure they only have access to the VNC port.

Vassilis
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Most of the time I have had trouble with the routing and not with the firewall rules. Check if the client has the correct gateway set for the LAN subnet and check if the pushed route is added correctly. A traceroute from the client can help you see if the packets are being sent through the VPN tunnel.

If it is actually the firewall blocking, you should be able to see the block in the firewall log.

Vassilis
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Hi Tim!

I haven't been using pfsense for very long, but under Firewall-Rules you should have a tab OpenVPN. Try putting some rules there, it works for me.

Setting up an extra interface used to be done in older pfsense versions, no idea if it's still valid. Maybe someone more experienced can give some info on that.

Hope it helps!
Vassilis
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Jim Pingle wrote on 12.10.2011 23:55:
> In 2.0 each interface is renamed in a unique way so you do not need dev tun or any similar entries in the options. You can assign the interfaces if you want (set an IP type of 'none' on them) and filter individually if you want, too. I run with two of mine assigned and 3+ more unassigned and have no issues.

Hi Jim

Thank you for the info! Would the rules on the assigned tabs have priority over the unassigned OpenVPN tab? Or is the unassigned tab bypassed as long as there is an assigned one?

I noticed the unique renaming, is it also stable? E.g. will ovpns1 always be the same server as written in () next to it?

Vassilis