Re: [pfSense] Limit bandwidth per user / ip

2014-11-02 Thread Vassilis V.
Thank you Chris!

Since I am interested in this too, are there any tricks when you want to
do the same but you have a multi-WAN setup, or, probably even worse, a
multi-WAN setup with different WAN bandwidth?

Thank you all!
Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Vassilis V.

Hannes Werner wrote on 26.09.2014 16:51:
 thank you very much Giles, but unfortunately it doesn't help.
 anyone here who is using asterisk behind pfSense on a dynamic IP WAN

Hello Hannes!

I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
same issues that the bug report is describing.

I tried different ways to get it to work and I found that some solutions
work with some providers, but fail at others. There seems to be a lot of
black magic involved when configuring SIP to work in such a configuration :)

What worked best was to set nat=no and externip=the local asterisk IP.
I had also not done any port forwards whatsoever on pfsense, outgoing
NAT was set to automatic.

I certainly cannot explain why it was working that way!

Hope it helps!
Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Vassilis V.

Try this:

pfsense2 - server:
Tunnel network: (no need for /24 on site2site)

pfsense1 - client:
Tunnel network: (You can even keep it empty)

Keeping or removing the remote network on the client side shouldn't be
important, the difference being that if you keep it, you should see an
error message that the route that has already been pushed by the server
is re-issued by the client.

hope it helps!


Cristian Del Carlo wrote on 19.12.2012 14:09:
 thanks for your help.
 My firewall rules  are  in both pfsense:
 Action: Pass
 Interface : Openvpn
 Protocol: Any
 Source: Any
 Destination: Any
 These are my routes from the firewall (without public IP):
 pfsense 1 - client:   link#10UH  0   15 ovpnc2   link#10UHS 00lo0   UGS 0   45 ovpnc2 link#2 U   0 37598040em1
 pfsense 2 - server:   link#9 UHS 00lo0   link#9 UH  0   72 ovpns1 link#2 U   0   229122em1 UHS 00lo0   UGS 01 ovpns1
 Could be a routing problem?
 2012/12/19 WolfSec-Support

 do you have special rules in VPN tunnel ?
 make sure to open OpenVPN ruleset as necessary

 this is new in 2.x; 1.2.x. had no rules in OpenVPN tunnels

 but per default normally tunnel is open anyany


Re: [pfSense] Bandwidth limiter

2012-11-05 Thread Vassilis V.

Jeremy Martijn wrote on 05.11.2012 12:42:
 Good morning,
 I have a question regarding the bandwidth limiter on pfsense.
 I'm going to describe the current situation and what I have done so far.
 I want to limit every user on the network to a 20Mbit/s down/10Mbit/s
 upload speed and the whole network should have a 100Mbit/s download and
 upload speed.
 Limiter made Limit_In at 20Mbit/s and Limit_Out on 10Mbit/s.
 Firewall Rule on the LAN, with  Interface LAN, Protocol TCP/UDP, Source
 type LAN subnet and In/Out set to Limit_Out and Limit_In.
 When I do a speedtest I get the 20/10 speed as I have configured it, but
 what I'm unsure of is whether this speed is now set per user or for the LAN
 subnet? What will happen if more users connect to the LAN subnet?
 And if I want to limit the Whole bandwidth speed of the pipe to
 100Mbit/s, how would I need to make a rule for that?
 Uplink is 100Mbit/s
 Speed per user 20Mbit/s download 10Mbit/s upload on LAN subnet.
 Thanks in advance.
 Sincerely yours,
 Jeremy Martijn
Hi Jeremy

For the per-user limiter, check the Mask setting:

If 'source' or 'destination' is chosen, a dynamic pipe with the
bandwidth, delay, packet loss and queue size given above will be created
for each source/destination IP address encountered, respectively. This
makes it possible to easily specify bandwidth limits per host.

If you want to limit the whole subnet too, I guess you would need to
make a different rule at a higher priority.

Hope it helps!
[pfSense] arp: unknown hardware address format (0x0103)

2012-08-03 Thread Vassilis V.

I have been seeing the following message in my system log, being
repeated every 20-30 seconds:
kernel: arp: unknown hardware address format (0x0103)

The NIC with those errors has some wireless AP's connected to it.
After some searching I couldn't find any definite answer about the
message: is it a broken cable somewhere, is it a bug, can I ignore it,
can I get rid of the messages?

Hopefully, to help the search, I attach a tcpdump output with the exact
same timestamp as the message in the system log. It's not always the same
MAC address and they are always present when the error occurs.

Thank you!

(I X'ed out the last digits)
tcpdump -exxn -s 0 -i em1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
14:59:01.171411 64:a7:69:42:XX:XX  ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 60: [|ARP]
0x0000:  0103 0002 6f8c 0f09 6a94 052c 8006 70fe  o...j..,..p.
0x0010:  c0a8 0694 4a7d 848b cf1b 0050 b477 e721  J}.P.w.!
0x0020:  546a b0b4 5018 403d fb06  5a0d   Tj..P.@=Z.
0x0000:     64a7 6942  0806 0103
0x0010:  0002 6f8c 0f09 6a94 052c 8006 70fe c0a8
0x0020:  0694 4a7d 848b cf1b 0050 b477 e721 546a
0x0030:  b0b4 5018 403d fb06  5a0d
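The frame from the dump above, decoded and checked the way an ARP receiver checks it, as an added example that is not part of the original post or of pfSense/tcpdump. The bytes are taken from the hex dump in the post (the payload after the Ethernet header), the X'ed-out MAC octets are replaced by a labelled placeholder, and the well-formed ARP request is constructed for comparison.

```python
import struct

ARPHRD_ETHER = 1          # hardware type expected on an Ethernet NIC
ETHERTYPE_IPV4 = 0x0800   # protocol type for IPv4 ARP
ARP_OPS = {1: "request", 2: "reply"}

# Taken from the hex dump in the post: the bytes that follow the 14-byte
# Ethernet header. The first 16-bit word, 0x0103, is what the kernel printed.
BAD_PAYLOAD = bytes.fromhex(
    "0103 0002 6f8c 0f09 6a94 052c 8006 70fe"
    "c0a8 0694 4a7d 848b cf1b 0050 b477 e721"
)

# Constructed well-formed ARP request for comparison (who-has 192.168.6.1);
# the last two MAC octets "00aa" are a placeholder for the X'ed-out ones.
GOOD_PAYLOAD = (
    struct.pack("!HHBBH", ARPHRD_ETHER, ETHERTYPE_IPV4, 6, 4, 1)
    + bytes.fromhex("64a7694200aa") + bytes([192, 168, 6, 148])  # sender
    + bytes(6) + bytes([192, 168, 6, 1])                          # target
)


def parse_arp_header(payload):
    """Unpack the fixed 8-byte ARP header (RFC 826 field order)."""
    if len(payload) < 8:
        raise ValueError("short ARP header")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", payload[:8])
    return {"hrd": hrd, "pro": pro, "hln": hln, "pln": pln, "op": op}


def diagnose_arp(payload):
    """Return the reasons a frame is not a sane Ethernet/IPv4 ARP packet.

    An empty list means the header is consistent. The first check is the
    one whose failure produces the 'unknown hardware address format' log.
    """
    h = parse_arp_header(payload)
    problems = []
    if h["hrd"] != ARPHRD_ETHER:
        problems.append("unknown hardware address format (0x%04x)" % h["hrd"])
    if h["pro"] != ETHERTYPE_IPV4:
        problems.append("protocol type 0x%04x is not IPv4" % h["pro"])
    if (h["hln"], h["pln"]) != (6, 4):
        problems.append("address lengths %d/%d, expected 6/4" % (h["hln"], h["pln"]))
    if h["op"] not in ARP_OPS:
        problems.append("opcode 0x%04x is neither request nor reply" % h["op"])
    elif len(payload) < 8 + 2 * (h["hln"] + h["pln"]):
        problems.append("payload shorter than the four address fields")
    return problems


if __name__ == "__main__":
    for name, p in (("frame from the post", BAD_PAYLOAD), ("constructed", GOOD_PAYLOAD)):
        print(name, "->", diagnose_arp(p) or "consistent ARP header")
```

Every field of the frame from the post fails the checks, not just the hardware type, which is why no ARP decoder can make sense of it.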
Re: [pfSense] Double WAN with same GW

2012-07-09 Thread Vassilis V.

The only difference to having different GW for each WAN is that with the
same GW you need to specify a different monitor IP for one of the WAN
interfaces. The rest of the configuration stays the same.

Choose your monitor IP carefully though, if that IP ever stops
responding or has a bad connection, your pfsense will assume that your
WAN interface is down.

Vassilis wrote on 09.07.2012 13:25:
 I have seen a couple of threads about dual WAN bound to the same GW.
 I wanted to know if there was a proper way of dealing with this ?
 And what you suggested ?
 The idea is to set up a Gateway Group and be able to define various
 load balancing policies… (Policy based routing) + (2 Tier 1 links)
 Any info about the specific manipulation we might have to do in this
 case are very welcome ! Even if It is to let me know that this is
 impossible to do !
 Sincerely yours.
 - Grégory Bernard Director -
 -- Your provider of OpenSource appliances --
Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Vassilis V.

David Brown wrote on 10/24/2011 02:34 PM:

Using a VPN is certainly a possibility - our road warriors who use a
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
home machine regularly to access everything in the network here. Where
VPNs are the right solution, they are what we use.

But I see two disadvantages of VPNs. They give too much access.
Obviously firewall rules can be added to limit access in some ways, but
it is somewhere between difficult and impossible to get the right
balance between security and functionality here. How do I set up
firewalls that let the user access company files on a server from their
home machine without also opening these files to whatever malware
they've installed? I can proscribe rules and regulations for computers
on the company network, I can monitor them for suspicious behaviour, and
do regular checks. But I can't do that for people's home computers. I
can do so on a limited basis for a few users, especially for those with
company laptops that they use from home or outside, but it is not
scalable in general.

I can't agree that VPNs give too much access. The way the VPN in pfsense
is configured, it gives exactly the amount of access that you allow.
Having a VPN connection that allows only to connect to port 5900 on a
certain PC is a piece of cake. If you want to offer samba to your users,
you shouldn't really port forward the ports to WAN. Even if you limit the
source IP it feels somehow wrong to do it :) But it's more of a general
question if you want to give them access to samba or not, the tool you
want to use (port forward or VPN) doesn't matter.

The other disadvantage of a VPN is that the we use a lot of specialised
software - people can't easily install it on their home machines. They
may also need different sorts of access to different machines - trying
to get routine and firewalling rules that allow this over a VPN without
being too permissive is hard.

I didn't clearly describe the solution I proposed, they would still use
VNC to work on their work PC. They would just tunnel it through the VPN
and have only access to port 5900 on their PC.

With VNC, both these issues are solved, since they are effectively
working on their company desktops.

Obviously running VNC over a VPN would improve the security, since
everything is encrypted, and it would be possible to set that up. In
particular, it would be easier to set OpenVPN rules to say only port
5900 is allowed, than to try to give all the required firewall rules to
let users get local access from home machines to the company systems.

Exactly! :-) And it would be a lot easier to
configure/expand/maintain/monitor in the future

But encrypting VNC over a VPN is not really necessary - it is probably
easier to use UltraVNC (or any other VNC with encryption built-in). It
is also not much of a security issue since most employees have the same
ISP as the company - there is very little possibility of eavesdropping
or other attacks.

I also use VNC a lot but personally I wouldn't do it in the open via a
port forward. There might be some fancy software that offers
encryption but personally I prefer to tunnel it through a VPN for
security reasons. I trust OpenVPN with certificates far more than
UltraVNC with encryption.

Having OpenVPN installed on the home PC really isn't a problem, even for
Windows users. You can have ready-to-deploy zip files with the config
and the certificates ready for each user. They wouldn't have to remember
any passwords and via the firewall rules you could make sure they only
have access to the VNC port.

Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN

2011-10-13 Thread Vassilis V.
Most of the times I have had trouble with the routing and not with the
firewall rules. Check if the client has the correct gateway set for the
LAN subnet and check if the push route is added correctly. A
traceroute from the client can help you see if the packets are being
sent through the VPN tunnel.

If it is actually the firewall blocking, you should be able to see the
block in the firewall log.

Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN

2011-10-12 Thread Vassilis V.

Hi Tim!

I haven't been using pfsense for very long, but under Firewall-Rules you
should have a tab OpenVPN. Try putting some rules there, it works for me.

Setting up an extra interface used to be done in older pfsense versions,
no idea if it's still valid. Maybe someone more experienced can give some
info on that.

Hope it helps!
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN

2011-10-12 Thread Vassilis V.
Jim Pingle wrote on 12.10.2011 23:55:
 In 2.0 each interface is renamed in a unique way so you do not need dev
 tun or any similar entries in the options.
 You can assign the interfaces if you want (set an IP type of 'none' on
 them) and filter individually if you want, too.
 I run with two of mine assigned and 3+ more unassigned and have no issues.

Hi Jim

Thank you for the info! Would the rules on the assigned tabs have
priority over the unassigned OpenVPN Tab? Or is the unassigned Tab
bypassed as long as there is an assigned one?
I noticed the unique renaming, is it also stable? E.g. will ovpns1
always be the same server as written in () next to it?

