Re: [pfSense] Is pfSense the Best Open Source Firewall/IDS/IPS in the World?

2018-05-25 Thread Vick Khera
On Fri, May 25, 2018 at 4:56 AM, Turritopsis Dohrnii Teo En Ming <
tdteoenm...@gmail.com> wrote:

> Questions are:
>
> (1) Is pfSense, coupled with Snort IDS, the best open source
> firewall/IDS/IPS in the world?
>

It is my preferred one, for sure, and I have used it for multiple office
locations and my data center for many years. The word "best", however, has
no real meaning without context. You need to specify your environment and
your requirements to decide which software is the optimal choice.


> (2) Is pfSense on par with commercial firewall appliances, including
> Cisco ASA, Cisco Sourcefire, Fortigate, SonicWall, etc?
>
>
Again, you have to define your requirements. Likely for most small to
medium sized organizations basic needs, pfSense will be comparable to the
other commercial offerings.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] memstick-2.4.3-RELEASE-amd64.img debugflags needed for ZFS

2018-05-25 Thread Vick Khera
On Wed, May 23, 2018 at 4:10 PM, Jason Hellenthal 
wrote:

> Sorry for the long subject but has anyone experienced in the ZFS install
> for a mirrored setup of two disks that you need to set
> kern.geom.debugflags=16 to allow shooting yourself in the foot just to get
> the kernel to stop denying you access to the disks ?
>
>
> The UFS install works as intended.
>

You don't want to use GEOM mirror underneath ZFS. You want ZFS to do the
mirror of two individual disks. What exactly is preventing you from adding
the second drive to the zroot pool?


Re: [pfSense] boot/loader.conf.local deleted upon reboot

2018-05-16 Thread Vick Khera
On Wed, May 16, 2018 at 2:03 PM, PiBa  wrote:

> Looks like everything that has the word 'console' in there gets deleted
> from loader.conf.local..
>
> I suppose the 'platform' is not one of these.?:
> if ($specific_platform['name'] == 'RCC-VE' ||
> $specific_platform['name'] == 'RCC' ||
> $specific_platform['name'] == 'SG-2220') {
> $data[] = 'comconsole_port="0x2F8"';
>
>
No, sadly it is not. It is "Super Micro C2758" which has both a physical
COM1 and a virtual COM2, so you can't really force the choice upon someone.

Reading the code, I don't see how all "console*" lines would be removed,
but maybe I misunderstand how the pattern matching is working.


Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread Vick Khera
On Wed, May 16, 2018 at 10:50 AM, WebDawg  wrote:

> I upgrade via the console now.  Not to say that the GUI is broken, but
> I must have been a victim of when it was.  I have seen what kpa is
> talking about in that forum thread too.  It is why I always ssh in and
> update from console.
>

Wow. I call that a high risk upgrade method. Once it logs you out of ssh,
you just sit there and hope it comes back up. You need to hook your serial
port (or virtual serial port if you have a BMC that supports that) up as
the real device console so you can monitor the entire process.


[pfSense] boot/loader.conf.local deleted upon reboot

2018-05-16 Thread Vick Khera
I run pfSense on an official pfSense branded C2758 system. It has a BMC
controller that permits me to use a serial over LAN to COM2. In order to
make the system console connect to COM2, the following line needs to be
added to loader.conf or loader.conf.local:

comconsole_port="0x2F8"

in addition to enabling the serial console via the GUI.

I've run it this way for years with prior versions of pfSense. It seems now
with version 2.4.3 (possibly earlier 2.4.x, not sure) upon reboot the
/boot/loader.conf.local file gets deleted. Thus the symptoms are that you
create the file, reboot and get serial console, but the file gets removed
during the boot. So on your next boot, no console over SoL.

Ideally, there would be a menu on the GUI for serial console to select the
COM port, but I requested that forever ago and it doesn't seem to be
important enough to get implemented.

The /etc/inc/pfsense-utils.inc file appears to try to filter the
loader.conf.local to remove duplicate settings and delete it if it ends up
empty.  This is done by the function load_loader_conf() which seems like it
does the right thing but clearly it is not including the above line and
thus the file gets deleted. It is easily reproduced by just putting that
single line above into the file and rebooting pfSense.


Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread Vick Khera
I just did the upgrade from the console from 2.4.3 to 2.4.3_1 with no
problems in the upgrade. I run on an official pfSense brand C2758 device.

On Tue, May 15, 2018 at 11:28 PM, John Kline  wrote:

> Many of us are seeing this.
> See: https://forum.pfsense.org/index.php?topic=147853.0
>
>
>
>
> On Tuesday, May 15, 2018, 7:53 PM, Steve Yates  wrote:
>
> I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1.  One is
> an SG-3100 and one is a PC.  On both, both times, the upgrade almost
> immediately fails, but if I try again it works.  I click the pending-update
> icon on the dashboard to go to System Update and it detects the update.  I
> start and I get:
>
> ">>> Updating repositories metadata... done.
> 2.4.3_1 version of pfSense is available"
>
> Then a red bar at the top of the page, "System update failed!"
>
> If I click the already-highlighted System Update tab again, confirm the
> update, it then immediately installs.
>
> Is anyone else seeing this?
>
> --
>
> Steve Yates
> ITS, Inc.
>


Re: [pfSense] Host override without host part

2018-04-12 Thread Vick Khera
On Thu, Apr 12, 2018 at 4:03 AM, Marco  wrote:

> Hi,
>
> I need assistance setting up a host override. I successfully set up
> a host override for the www host:
>
>   # Services → DNS → Resolver → General Settings →  Host Overrides
>   # works fine
>   www.foobar.com → 10.0.10.10
>
> However, I also need an override for the domain part:
>
>   # how to do that?
>   foobar.com → 10.0.10.10
>
> I can't leave the host part empty. Pfsense doesn't allow for that.
> Any ideas?
>

Works for me. pfSense 2.4.3.

Re: [pfSense] ZFS on 2.4.2

2018-03-08 Thread Vick Khera
On Thu, Mar 8, 2018 at 3:00 PM, Walter Parker  wrote:

> Are the FreeBSD 10.2 instructions (
> https://www.netgate.com/docs/platforms/rcc-dff-2220/freebsd.html) still
> valid for 11.1?
>
>
>- Connect the console cable (I have that setup)
>- Boot from from a memstick image plugged into the USB port
>- From the Menu select 3, Escape to the loader prompt
>- Enter the following commands
>   - set comconsole_port=0x2F8
>   - set comconsole_speed=38400
>   - set hint.uart.0.flags=0x0
>   - set hint.uart.1.flags=0x10
>   - set console=comconsole
>   - boot
>- Select shell or LiveCD from the FreeBSD installer menu
>- Run tunefs
>
> Or does the 2.4 memstick installer give one an escape to shell option?
>

The hint lines for uart flags are unnecessary but harmless since FreeBSD 10.

The image does have a "live" mode where it runs entirely in ramdisk, but
nothing will let you set the serial port to the second port. You will have
to use these settings to use the second port.

You could try just booting to single user mode and run the tunefs. I don't
remember if that works or not for the boot volume with FreeBSD 11.


Re: [pfSense] ZFS on 2.4.2

2018-03-08 Thread Vick Khera
On Thu, Mar 8, 2018 at 11:10 AM, Zandr Milewski  wrote:

> As someone who has spent easily 100 hours troubleshooting, rebuilding, and
> restoring UFS based Netgate boxes that have to function in environments
> with less-that-datacenter grade power availability, I'll take "potential
> corruption in corner cases" over "1 in 4 chance it won't come back from a
> power cycle"
>
> *Any* journaled filesystem is an improvement.
>

Journaling on UFS is just one setting away. Boot single user from USB, then
run "tunefs -j enable /dev/da0" for your boot device da0. Done. I don't
know why FreeBSD does not recommend this for the boot volume, but I think
as long as you never fill up the disk you're ok. I've not had issues with
it.


Re: [pfSense] ZFS on 2.4.2

2018-03-08 Thread Vick Khera
On Wed, Mar 7, 2018 at 8:18 PM, Walter Parker  wrote:

> don't use ECC. Can anyone show why my solution should switch file systems
> (given that I'm keeping my existing hardware) without changing the subject?
> I've read many of the scare stories from FreeNAS and they all seem to end
> up as a call to authority or a "fine, risk your data" without actually
> answering the question.
>
>
The most important feature I use in ZFS is the snapshots. Combined cleverly
with datasets and quotas, they make for very easy management of disk
resources when needed. The FreeNAS model of boot environments is awesome,
and I hope pfSense takes those up as well. It makes upgrades less stressful
when you can just click a button to revert.

As for the ECC, see this study
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/35162.pdf
for example. It is slightly old, but RAM hardware has not advanced that much
since then. Basically, if you have a few gigs of RAM in your machine, it
*will* produce bit errors.  There are other studies that back this up too,
and they are more recent.

Personally, I don't understand why any computer, desktop or server, made
these days is without ECC. My desktop has 16GB RAM with room for 16 more.
I'm sure there are flipped bits in some of my work somewhere, but I'll
never really know. If I'm lucky, the flipped bits are on unused sections of
code loaded from the disk into RAM.


Re: [pfSense] ZFS on 2.4.2

2018-03-07 Thread Vick Khera
On Wed, Mar 7, 2018 at 2:04 PM, Walter Parker  wrote:

> without ECC. If there is a time bomb, then it exists for all file systems
> running on computers without ECC. As this is one of multiple backups for the
> system, the risks are acceptable.
>
> If you have an actual failure method that makes ZFS worse, I'd love to see
> the details. Then I could publish a paper and be "Internet famous."


Yes, this is true. However, other file systems do not offer *any* hint of
telling you when your data is corrupt on the platter like ZFS will. So if
you know you don't have ECC protection, then you should not expect your
data to be protected end to end. If you have ECC and a "regular" file
system, the same is true. You just never know.


Re: [pfSense] ZFS on 2.4.2

2018-03-07 Thread Vick Khera
On Tue, Mar 6, 2018 at 6:51 PM, Peder Rovelstad 
wrote:

> Here's a ZFS tuning guide if you have not seen.
> https://wiki.freebsd.org/ZFSTuningGuide
>
> But only goes to v9.
>

You 100% do not want nor need to turn on de-dupe. Especially on a boot
volume of pfSense.


Re: [pfSense] ZFS on 2.4.2

2018-03-01 Thread Vick Khera
Here's my simple backup script function. Just stick it into a /bin/sh
script (should work in bash too) and call it once per pfSense instance.
I've been using this for years to backup my production firewalls.

pfsense_config()
{
    local FWNAME FWURL FWPASS CSRF CSRF2 COOKIEFILE PFDATE
    FWNAME="$1"
    FWPASS="$2"
    # Note: the password arrives as a command-line argument, so it is visible
    # in the process list for as long as the script runs.

    FWURL="https://${FWNAME}"
    COOKIEFILE=$(mktemp -t cookies)
    PFDATE=$(date +%Y%m%d%H%M%S)

    printf "Downloading Firewall Config for %s\n" "$FWNAME"

    # Step 1: fetch the login page, keep its session cookie and pull the
    # anti-CSRF token out of the hidden __csrf_magic field.
    # -k skips TLS certificate verification (needed for the self-signed
    # certificate most firewalls ship with); drop it if yours has a trusted cert.
    CSRF=$(curl -k -L -c "${COOKIEFILE}" "${FWURL}/diag_backup.php" \
        | grep "name='__csrf_magic'" | head -1 | sed 's/.*value="\(.*\)".*/\1/')

    # Step 2: log in as admin using that token. The password is URL-encoded so
    # characters such as & or = do not break the form body. The response is the
    # backup page, which carries a fresh token for the next request.
    CSRF2=$(curl -k -L -c "${COOKIEFILE}" -b "${COOKIEFILE}" \
        -d "login=Login&usernamefld=admin&__csrf_magic=${CSRF}" \
        --data-urlencode "passwordfld=${FWPASS}" \
        "${FWURL}/diag_backup.php" \
        | grep "name='__csrf_magic'" | head -1 | sed 's/.*value="\(.*\)".*/\1/')

    # Step 3: request the config download (RRD data excluded) into a file
    # named after the firewall and the timestamp.
    curl -k -b "${COOKIEFILE}" \
        -d "Submit=download&donotbackuprrd=checked&__csrf_magic=${CSRF2}" \
        -o "config-${FWNAME}-${PFDATE}.xml" "${FWURL}/diag_backup.php"

    rm -f "${COOKIEFILE}"
}


You call it like this:

pfsense_config firewall.example.com mySecr3tPassword

and it stores the backup XML in a file based on the date and firewall name.
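As an added example (not part of the original post, and not pfSense's own code), here is a sanity check to run on the file that pfsense_config() writes before keeping it: a failed admin login or CSRF step does not make curl exit non-zero, so the HTML login page quietly lands in the .xml file, and a dropped connection leaves a truncated one. The check relies on pfSense's config.xml having an XML declaration and a <pfsense> root element; the sample files it runs against are constructed here.

```sh
#!/bin/sh
# Added example, not part of the original post: validate a backup file written
# by pfsense_config() before keeping it. A failed admin login or CSRF step does
# not make curl exit non-zero; it just saves the HTML login page under the
# .xml name, and a cut-off transfer leaves a truncated file.

# verify_pfsense_backup FILE
# Exit status 0 if FILE looks like a complete pfSense config.xml, 1 otherwise
# (with a one-line reason on stderr).
verify_pfsense_backup()
{
    file="$1"
    if [ ! -s "$file" ]; then
        printf 'FAIL %s: missing or empty\n' "$file" >&2; return 1
    fi
    # A web page at the top of the file means we saved the login form or an
    # error page rather than the config. Only the first lines are checked so
    # that HTML fragments stored inside a genuine config do not trip this.
    if head -n 3 "$file" | grep -qi -e '<html' -e '<!doctype'; then
        printf 'FAIL %s: HTML page saved (login or CSRF step failed?)\n' "$file" >&2; return 1
    fi
    # pfSense writes an XML declaration followed by a <pfsense> root element.
    if ! head -n 1 "$file" | grep -q '^<?xml'; then
        printf 'FAIL %s: no XML declaration on line 1\n' "$file" >&2; return 1
    fi
    if ! grep -q '^<pfsense' "$file"; then
        printf 'FAIL %s: no <pfsense> root element\n' "$file" >&2; return 1
    fi
    # Without the closing tag the download stopped early.
    if ! tail -n 5 "$file" | grep -q '</pfsense>'; then
        printf 'FAIL %s: truncated, no </pfsense>\n' "$file" >&2; return 1
    fi
    printf 'OK   %s\n' "$file"
    return 0
}

# make_samples
# Writes three constructed files into a fresh temp directory and prints its path:
#   good.xml       a minimal well-formed pfSense-style config
#   loginpage.xml  what a failed login leaves behind
#   cut.xml        a download that stopped before </pfsense>
make_samples()
{
    dir=$(mktemp -d)
    cat > "$dir/good.xml" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>firewall</hostname>
    <domain>example.com</domain>
  </system>
</pfsense>
EOF
    cat > "$dir/loginpage.xml" <<'EOF'
<!DOCTYPE html>
<html><body><form method="post">
<input type='hidden' name='__csrf_magic' value="sid:constructed-token">
</form></body></html>
EOF
    head -n 4 "$dir/good.xml" > "$dir/cut.xml"
    printf '%s\n' "$dir"
}

# Stand-alone demo: run the check over each sample, then clean up. The "|| :"
# keeps the loop going under "set -e" when a sample is (correctly) rejected.
samples=$(make_samples)
for f in good.xml loginpage.xml cut.xml; do
    verify_pfsense_backup "$samples/$f" || :
done
rm -rf "$samples"
```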


Re: [pfSense] ZFS on 2.4.2

2018-02-22 Thread Vick Khera
You don't need to export the pool on shutdown. Even an unclean shutdown
should survive automatically on the reboot.

I can't think of a reason ZFS would fail like you describe.

On Wed, Feb 21, 2018 at 12:23 PM, Walter Parker  wrote:

> Hi,
>
> I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just bought
> a 6TB powered USB drive from Costco and it works great (the drive has its
> own power supply and a USB hub). I want to use it take ZFS backups from my
> home server.
>
> I edited /boot/loader.conf.local and /etc/rc.conf.local to load ZFS on boot
> and created a pool and a file system. That worked, but the memory ran low
> so I restricted the ARC cache to 1G to keep a bit more memory free and
> rebooted. When the system rebooted it did not remount the pool (and
> therefore the file system) because the pool was marked as in use by
> another system (itself). That means that the pool was not properly
> exported/umounted at shutdown.
>
> Taking a quick look at rc.shutdown, I notice that it calls a customized
> pfsense shutdown script at the beginning and then exits. Is there a good
> place in the configuration where I can put/call the proper zfs shutdown
> script so that the pool is properly stopped/exported so that it imports
> correctly on boot?
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis


Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-10 Thread Vick Khera
If you're going to use IPSec mobile client with an iPhone, it does not seem
to propose the GCM variants of AES, only the CBC ones with SHA2.


Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-20 Thread Vick Khera
Oh, so you're not running it on hardware, but inside ESXi? Then I have no
more ideas for you. You should mention these things when asking for help,
by the way.


On Mon, Nov 20, 2017 at 8:12 AM, Liwei  wrote:

> Thanks for the quick reply. It is a Supermicro 5018A-FTN4 based on
> the A1SRi-2758F which contains an Atom C2758. RAM tests are fine. This
> machine also contains a few other VMs which are running fine.
>
> By the way, I missed out reporting the crash itself:
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 2; apic id = 02
> fault virtual address = 0x60
> fault code = supervisor read data, page not present
> instruction pointer = 0x20:0x80cbcb0f
> stack pointer = 0x28:0xfe02390bf070
> frame pointer = 0x28:0xfe02390bf070
> code segment = base 0x0, limit 0xf, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 12 (irq267: vmx0)
>
> On Mon, 20 Nov 2017 at 20:55 Vick Khera  wrote:
>
> > On Mon, Nov 20, 2017 at 7:36 AM, Liwei  wrote:
> >
> > >
> > > Anyone has any idea what's going on? Restoring to pfSense 2.3 seems
> > to
> > > solve this problem, so it is more likely a software than hardware
> issue.
> > >
> > >
> > What's your hardware? Have you tested your RAM using memtest86?
> --
> Clear Skies,
> Liwei
> Co-Founder, CTO
> TinyMOS
> 21 Heng Mui Keng Terrace, Level 1 The Hangar, Singapore 119613


Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-20 Thread Vick Khera
On Mon, Nov 20, 2017 at 7:36 AM, Liwei  wrote:

>
> Anyone has any idea what's going on? Restoring to pfSense 2.3 seems to
> solve this problem, so it is more likely a software than hardware issue.
>
>
What's your hardware? Have you tested your RAM using memtest86?


Re: [pfSense] ASRock E3C236D2I+Pentium G4560 vs SM A1SRi-C2758F

2017-10-30 Thread Vick Khera
There are wide-spread reports of ASRock C2750D4I board failures in the
FreeNAS forums. I've suffered from it. Not sure if that applies to the
board you are considering.

There are also wide-spread reports of issues with the Supermicro board you
are considering. I have 4 of these in service for 3+ years with no issues.
I recently closed down one of my offices and have a spare pfSense branded
C2758 system if you're interested.

Personally, I'd go with the Supermicro solution. They easily handle Gigabit
WAN.


Re: [pfSense] pfSense 2.4 with ZFS, will it solve corrupt systems

2017-08-06 Thread Vick Khera
On Sat, Aug 5, 2017 at 9:07 AM, Jim Pingle  wrote:

> On 8/5/2017 8:59 AM, Arthur Wiebe wrote:
> > This is more out of curiosity to verify that I'm correct, with pfSense 2.4
> > using ZFS will that solve the issue where an SG appliance will stop booting
> > because of a corrupt filesystem and require a reinstall?
> >
>

ZFS can only protect you from on-disk corruption if you have multiple
copies of your data. So you either need mirror or raidz with multiple
drives, or set the number of copies per block to a number higher than 1 on
a single disk.


> > I've had too many cases where for whatever reason a box was shutdown
> > improperly (could be the client unplugging it for example) and the system
> > became corrupt and worked fine after re-installing the OS.
>
>
ZFS is very robust against this particular scenario, because the on-disk
state is always consistent.

The UFS file system journaling is also very robust against this, but does
on occasion need a manual fsck to clean up. I've never had a system corrupt
itself so bad that I had to re-install (running FreeBSD for 18+ years on
dozens of machines).


>
> >
> > I'm hoping that ZFS with its data integrity and rollback features will
> > solve this issue.
> >
> > Am I right? And if so we should consider re-installing existing
> > installations with pfSense 2.4 so that it installs using ZFS?
>
> ZFS is self-healing and though we have not been able to reproduce the
> corruption issues seen by some with UFS, all evidence points to ZFS not
> being susceptible to those problems.
>
>
Will pfSense on a single-disk install set the copies per block to > 1 to
afford additional protection against corruption? Seems like a small price
to pay given how little disk pfSense needs and how big SSDs are these days.


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Vick Khera
Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built
up. Not having IPv6 at my home router makes it hard to play with. I've not
had the courage to bring "live" my direct allocation at the data center yet.

On Wed, Aug 2, 2017 at 10:22 PM, Adam Thompson 
wrote:

> Sadly, yes.  Partly due to providers like OVH who don't "get" prefix
> delegation.
> Also, how else do you multi-home without running BGP?  (Keeping in mind
> that the overwhelming majority of networks around the world have no access
> to BGP.)  That's one of the specific use cases for Network Prefix
> Translation.  (I don't have the RFC handy, sorry.)
> -Adam
>
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
> > Khera
> > Sent: August 2, 2017 21:20
> > To: pfSense Support and Discussion Mailing List 
> > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> >
> > Is NAT even a thing with IPv6?


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Vick Khera
Is NAT even a thing with IPv6?


Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set

2017-05-12 Thread Vick Khera
On Thu, May 11, 2017 at 3:40 PM, Julian Heisz 
wrote:

> Are you using the default public IP finder (forget the specific term
> pfSense uses and not in a position to check at the moment) or do you have a
> custom one set up? I have a custom one set up, which works for other DDNS
> but may for some reason not work here.
>

All I did was fill out the form on the RFC2136 client page and check the
"use public IP" box. This has been working for me for a couple of years in
this configuration.


Re: [pfSense] Wifi

2017-05-11 Thread Vick Khera
1. Assign a static IP for the device to control via the DHCP server. Force
the device to re-fetch its IP so it can get this new dedicated address.
2. Create a schedule entry in the Firewall -> Schedules configuration. For
example, 4pm - 8pm Sunday through Thursday (I call this "school
afternoons").
3. Create a "block" rule on the LAN. Open the "advanced" options and select
your schedule from the menu for schedules.
4. Save and apply the rules.

On Thu, May 11, 2017 at 12:22 PM, Alfredo Tapia Sabogal <
alfred.ta...@gmail.com> wrote:

> Hello everyone, I hope some of you have a step-by-step guide on how to control
> wifi access with time restrictions for internet access.
>
> Thank you so much!!!


Re: [pfSense] RFC2136 Dynamic DNS doesn't update when the "Public IP" option is set

2017-05-11 Thread Vick Khera
On Thu, May 11, 2017 at 1:06 AM, Julian Heisz 
wrote:

> This appears to be an issue with pfSense, however the wiki suggests that I
> use the forum or mailing list before submitting a ticket in Redmine. Of
>

"works for me". My DNS server runs BIND 9. My pfSense sits behind a NAT
from the FiOS router at home, and my backup link via LTE at the office is
behind a NAT from the LTE to ethernet adapter. Both work great.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Vick Khera
On Tue, Mar 28, 2017 at 12:50 PM, Matthew Hall 
wrote:

> > The only silent systems I have are based on the Atom C2758 processor, and I
> > do not think those will handle a full gigabit connection at full speed.
>
> This isn't right, the SG-2440 can do it.
>

I stand corrected. Thanks for the additional info.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Vick Khera
On Tue, Mar 28, 2017 at 9:00 AM, Eero Volotinen 
wrote:

> Well, I don't know PPS values :) This is just home gigabit connection for
> .. surfing/movies/4K streaming :)
>

Oh, well I don't think you'll need much more than one of the models Netgate
sells, then, aside from their lowest end offering. I think it will be
*very* hard for you to use the full gigabit of bandwidth with that workload.

If you want to build it yourself, I will suggest starting with a basic
Supermicro "barebones" system based on the C2758 processor. They come with
a fan, but it almost never runs and is very very quiet. Just add RAM and
boot disk -- these support the SATA DOMs Supermicro sells, and off you go.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Vick Khera
On Tue, Mar 28, 2017 at 2:59 AM, Eero Volotinen 
wrote:

> Looking for pfsense hardware that can handle 1000M/1000M internet
> connection with NAT.
>

I would recommend at least a Xeon processor base system for that traffic.
Really, the limit is PPS; do you know what that would be? Any system using
a Xeon will not be silent. I use a pair of high end custom-built boxes at
my data center, and they can push this kind of traffic, though my usual
sustained is only in the 200Mbps range.

The only silent systems I have are based on the Atom C2758 processor, and I
do not think those will handle a full gigabit connection at full speed.


Re: [pfSense] SIP through IKEv2-tunnel

2017-03-20 Thread Vick Khera
You only need siproxyd if you have multiple SIP clients inside your network
trying to talk outside.

SIP should work just fine in your situation where your PBX software and
your client are within the same VPN and do not block any traffic.

That is, I have a situation like this and it works just fine:

Internet <- pfSense NAT <- Switchvox <- local LAN clients

remotes  -> pfSense VPN -> Switchvox


I can't tell from the OP's original description how the connections are
configured.


On Mon, Mar 20, 2017 at 6:10 AM, Eero Volotinen 
wrote:

> maybe you need something like this
> https://doc.pfsense.org/index.php/Siproxd_package
>
> Eero
>
> On 20.3.2017 at 11.56 AM, "Martin Fuchs" wrote:
>
> > Hi !
> >
> > I have a Fritz!Box (router) connected to the internet (no other
> > possibility).
> >
> > In it I have NATted ESP, GRE, 4500, 500, 1701, ... to a pfSense VM.
> >
> > This pfSense VM just operates as a VPN-Gateway.
> >
> > I have set up the routes in the Fritz!Box for the dial-in networks to the
> > pfSense.
> >
> >
> > I can connect via IKEv2 and browse internet services.
> >
> > I have a Fritz!App (SIP-Client) on my phone.
> >
> > This app connects to the Fritz!Box (which provides a SIP-connection)
> > successfully.
> >
> >
> > When I try to make a call, the other phone rings BUT no party can hear
> > the other.
> >
> >
> > It seems to me like a RTP-issue.
> >
> >
> > On the pfSense I have Advanced Outbound NAT configured with no NAT-Rules.
> >
> > The firewall-rules allow IPSec to LAN (any service).
> >
> > I'm running pfSense 2.3.3p1 with one interface.
> >
> >
> > Does anyone have any idea or some hint for me ?
> >
> >
> > regards,
> >
> > martin


Re: [pfSense] Running newer then released?

2017-03-03 Thread Vick Khera
Ha... I read that as something you wrote yourself. Curious...


On Fri, Mar 3, 2017 at 9:17 AM, Stephen Shkardoon 
wrote:

> Not the number, rather the message: "The system is on a later version than
> the official release.". Isn't this misleading? Isn't it on the *same*
> version as the official release?
>
> On Sat, Mar 4, 2017 at 3:10 AM, Vick Khera  wrote:
>
> > What number exactly are you fretting about?
> >
> > As of Feb 16, FreeBSD 10.3-p16 was current, and pfsense 2.3.3 was and is
> > still current.
> >
> >
> > On Fri, Mar 3, 2017 at 9:07 AM, Stephen Shkardoon <
> > step...@zxsecurity.co.nz>
> > wrote:
> >
> > > The issue is that the message displayed is, exactly:
> > > ```
> > > 2.3.3-RELEASE (amd64)
> > > built on Thu Feb 16 06:59:53 CST 2017
> > > FreeBSD 10.3-RELEASE-p16
> > >
> > > The system is on a later version than
> > > the official release.
> > > ```
> > >
> > > So I am guessing there's just a file to update somewhere or similar
> that
> > > was missing from the release process?
> > >
> > >
> > > On Sat, Mar 4, 2017 at 2:48 AM, Arno Gramatke 
> wrote:
> > >
> > > > 2.3.3 is the current release, isn’t it?
> > > >
> > > > https://blog.pfsense.org/?p=2325 <https://blog.pfsense.org/?p=2325>
> > > >
> > > > > On 03.03.2017 at 14:45, Yılmaz Bilgili <li...@yilmazbilgili.com> wrote:
> > > > >
> > > > > On 03-03-2017 15:38, Doug Lytle wrote:
> > > > >> My home pfSense is reporting:
> > > > >>
> > > > >> 2.3.3-RELEASE (amd64)
> > > > >> built on Thu Feb 16 06:59:53 CST 2017
> > > > >> FreeBSD 10.3-RELEASE-p16
> > > > >>
> > > > >> The system is on a later version than
> > > > >> the official release.
> > > > >
> > > > > Same with me.
> > > > >
> > >
> > >
> > >
> > > --
> > > *Stephen Shkardoon*
> > > Security Consultant - ZX Security Limited
> > >
> > > Email: step...@zxsecurity.co.nz | Web: www.zxsecurity.co.nz
> > >
> >
>
>
>
> --
> *Stephen Shkardoon*
> Security Consultant - ZX Security Limited
>
> Email: step...@zxsecurity.co.nz | Web: www.zxsecurity.co.nz
>

Re: [pfSense] Running newer then released?

2017-03-03 Thread Vick Khera
What number exactly are you fretting about?

As of Feb 16, FreeBSD 10.3-p16 was current, and pfsense 2.3.3 was and is
still current.


On Fri, Mar 3, 2017 at 9:07 AM, Stephen Shkardoon 
wrote:

> The issue is that the message displayed is, exactly:
> ```
> 2.3.3-RELEASE (amd64)
> built on Thu Feb 16 06:59:53 CST 2017
> FreeBSD 10.3-RELEASE-p16
>
> The system is on a later version than
> the official release.
> ```
>
> So I am guessing there's just a file to update somewhere or similar that
> was missing from the release process?
>
>
> On Sat, Mar 4, 2017 at 2:48 AM, Arno Gramatke  wrote:
>
> > 2.3.3 is the current release, isn’t it?
> >
> > https://blog.pfsense.org/?p=2325 
> >
> > > Am 03.03.2017 um 14:45 schrieb Yılmaz Bilgili  >:
> > >
> > > 03-03-2017 15:38 tarihinde Doug Lytle yazdı:
> > >> My home pfSense is reporting:
> > >>
> > >> 2.3.3-RELEASE (amd64)
> > >> built on Thu Feb 16 06:59:53 CST 2017
> > >> FreeBSD 10.3-RELEASE-p16
> > >>
> > >> The system is on a later version than
> > >> the official release.
> > >
> > > Same with me.
> > >
> >
> >
>
>
>
> --
> *Stephen Shkardoon*
> Security Consultant - ZX Security Limited
>
> Email: step...@zxsecurity.co.nz | Web: www.zxsecurity.co.nz
>

Re: [pfSense] Documentation about acme

2017-02-17 Thread Vick Khera
On Thu, Feb 16, 2017 at 5:12 PM, Travis Hansen 
wrote:

> The certs should show up in System -> Cert Manager -> Certificates
> If DNS works for you great, otherwise you may be interested in the
> following links for integration with haproxy (at least haproxy running on
> pfSense):
>

There is no other way to get a cert for a hostname that maps to a
non-routable IP. You have to do it via DNS. Neither HTTP nor TLS challenge
will be workable.
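Why DNS validation works for a host nobody outside can reach: the CA never connects to the host, it only looks up a TXT record. The following is an added example, not code from pfSense or from the ACME package discussed in the thread; it computes the DNS-01 record per RFC 8555 section 8.4 and the account-key thumbprint per RFC 7638. The account JWK and the token below are constructed placeholders (a real CA issues the token, and the modulus is not a real key).

```python
"""Compute the DNS-01 challenge record an ACME CA expects, and the check
the CA performs on its side.  Nothing here depends on the hostname being
routable: only the TXT lookup at _acme-challenge.<hostname> matters.
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the members that go into the thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk):
    """SHA-256 over the required members, lexicographically ordered, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(hostname, token, account_jwk):
    """Return (record name, TXT value) the client has to publish.

    keyAuthorization = token '.' thumbprint(accountKey)
    TXT value        = base64url(SHA-256(keyAuthorization))
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{hostname.rstrip('.')}", txt


def ca_validates(published_txt_values, hostname, token, account_jwk):
    """CA side: accept when any TXT value at the challenge name equals the digest."""
    _, expected = dns01_record(hostname, token, account_jwk)
    return expected in published_txt_values


# Constructed placeholder account key: the modulus is NOT a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
# Constructed token; a real one arrives in the challenge object from the CA.
TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    name, value = dns01_record("fw.int.example.com", TOKEN, ACCOUNT_JWK)
    print(f'{name} IN TXT "{value}"')
    print("CA accepts:", ca_validates([value], "fw.int.example.com", TOKEN, ACCOUNT_JWK))
```

The record name is derived from the hostname alone and the value from the token and account key alone, which is the whole reason a name pointing at RFC 1918 space can still get a certificate.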


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Vick Khera
On Thu, Jan 26, 2017 at 3:12 PM, Vick Khera  wrote:

> ahci_load="YES"
>

Indeed, this line is leftover from olden days. This is not necessary
anymore with the FreeBSD 10.x kernel.


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Vick Khera
On Thu, Jan 26, 2017 at 12:17 PM, Karl Fife  wrote:

> Would you mind sharing a snapshot of your Rangeley-optimized tunables?
>
> IIRC there are un-editable tunables that show on your tunables page that
> are not called out in the XML config.
>
> Thanks Vick
>
>
This is the /boot/loader.conf from one of my C2758 systems from Netgate
(though they were pfSense branded when I bought them):

autoboot_delay="3"
vm.kmem_size="435544320"
vm.kmem_size_max="535544320"
kern.ipc.nmbclusters="0"
boot_multicons="YES"
boot_serial="YES"
console="comconsole,vidconsole"
comconsole_speed="115200"
hw.usb.no_pf="1"

and /boot/loader.conf.local:

kern.cam.boot_delay="1"
ahci_load="YES"
kern.cam.boot_delay=1
kern.ipc.nmbclusters="100"
hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.max_interrupt_rate=32000
hw.igb.num_queues=8
hint.uart.1.flags="0x10"
hint.uart.0.flags="0x00"
comconsole_port="0x2f8"
legal.intel_ipw.license_ack=1


I configured the serial console to talk to the SoL console provided by the
built-in IPMI controller (that's the uart bits). I don't recall which parts
other than those were default as system shipped vs. anything I may have
changed. My notes are unclear on these.
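A quick way to see what those two files actually result in (the post itself is unsure which settings came from the factory). This is an added example, not code from pfSense, Netgate or the original post. It relies on two documented loader(8) behaviours: /boot/loader.conf.local is read after /boot/loader.conf, and a later assignment to the same name replaces an earlier one, so the last assignment wins. The file bodies are the ones quoted above, embedded as constructed strings so the script runs offline.

```python
"""Resolve the effective loader tunables from loader.conf and loader.conf.local
and report every name that is assigned more than once (overrides and plain
duplicate lines), with the file each final value came from."""
import re

LOADER_CONF = """\
autoboot_delay="3"
vm.kmem_size="435544320"
vm.kmem_size_max="535544320"
kern.ipc.nmbclusters="0"
boot_multicons="YES"
boot_serial="YES"
console="comconsole,vidconsole"
comconsole_speed="115200"
hw.usb.no_pf="1"
"""

LOADER_CONF_LOCAL = """\
kern.cam.boot_delay="1"
ahci_load="YES"
kern.cam.boot_delay=1
kern.ipc.nmbclusters="100"
hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.max_interrupt_rate=32000
hw.igb.num_queues=8
hint.uart.1.flags="0x10"
hint.uart.0.flags="0x00"
comconsole_port="0x2f8"
legal.intel_ipw.license_ack=1
"""

FILES = [("loader.conf", LOADER_CONF), ("loader.conf.local", LOADER_CONF_LOCAL)]

# name=value or name="value"; no spaces around '='; trailing "# comment" tolerated.
ASSIGN_RE = re.compile(r'^([A-Za-z0-9_.]+)=(?:"([^"]*)"|([^\s#]+))\s*(?:#.*)?$')


def parse_loader_conf(text):
    """Return the (name, value) assignments of one file, in file order."""
    assignments = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m is None:
            continue  # the loader ignores lines it cannot parse; so do we
        value = m.group(2) if m.group(2) is not None else m.group(3)
        assignments.append((m.group(1), value))
    return assignments


def effective_tunables(files):
    """Merge [(label, text), ...] in read order.

    Returns (effective, origin, reassigned): the final value of every name,
    the label of the file that set it, and (name, old, new, label) for every
    name assigned more than once, including duplicate lines with equal values.
    """
    effective, origin, reassigned = {}, {}, []
    for label, text in files:
        for name, value in parse_loader_conf(text):
            if name in effective:
                reassigned.append((name, effective[name], value, label))
            effective[name] = value
            origin[name] = label
    return effective, origin, reassigned


def report(files):
    effective, origin, reassigned = effective_tunables(files)
    for name in sorted(effective):
        print(f"{name}={effective[name]}  ({origin[name]})")
    for name, old, new, label in reassigned:
        kind = "duplicate" if old == new else "override"
        print(f"{kind}: {name} {old!r} -> {new!r} in {label}")
    return effective, origin, reassigned


if __name__ == "__main__":
    report(FILES)
```

On the quoted files it reports one override (kern.ipc.nmbclusters, "0" in loader.conf replaced by "100" in loader.conf.local) and one duplicate (kern.cam.boot_delay assigned twice with the same value).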


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Vick Khera
On Wed, Jan 25, 2017 at 4:01 PM, Karl Fife  wrote:

> I recently did a virgin install of 2.3.2 nano on an older atom (a Soekris
> 6501), and found there were no tunables for kern.ipc.nmbclusters nor
> kern.ipc.nmbufs.  Maybe it's a nano/full-install difference? I would
> think most people running a Rangeley board are running the full
> version.  We will also begin running the full version with 2.4, (ZFS copies
> = 2) :-)


I think the Nano vs full install may be your way to look. Also, my system
is running Netgate-tuned pfSense, so it is entirely possible they added the
bump to nmbclusters. Even though my configs do not specify a value for it,
it is set in /boot/loader.conf.

I'm 99.44% sure this system was upgraded from 2.2 to 2.3, and not a fresh
install of 2.3.


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-25 Thread Vick Khera
On Wed, Jan 25, 2017 at 1:10 PM, Karl Fife  wrote:

> pfsense 2.2.6 was running without issue on our Supermicro A1SRi-2758F
> rangeley board (Intel Atom C2758)
>

Are you sure you didn't hard-code them before in the system tunables
section under 2.2? On my C2758 system (exact same motherboard) running
pfSense 2.3.2-RELEASE-p1, these are the values:

kern.ipc.nmbclusters: 100
kern.ipc.nmbufs: 1019445

and I've not tuned them at all.

What did you have to set them to? I have no additional NICs aside from the
4 built-in.


[pfSense] system CA certificate generator change

2017-01-24 Thread Vick Khera
I just made a new certificate using my own CA with the UI in pfsense
2.3.2-p1 for one of my firewalls. It appears that how it is generated does
not allow Chrome or Firefox to recognize it by the CN, only the aliases.

A certificate I generated using the UI in 2014 does however, work with the
aliases and the CN.

They appear to be produced very differently then vs. now:

Subject: C=US, ST=Maryland, L=Rockville, O=Khera Communications
Inc/emailAddress=kh...@example.com, CN=rockville-fw-a/subjectAltName=DNS:
rockville-fw-a.int.example.com,DNS:rockville-fw-a.example.com

but now we get:

Subject: C=US, ST=Maryland, L=Rockville, O=Khera Communications
Inc/emailAddress=kh...@example.com, CN=ashburn-fw-a.example.com

and lower down, in the X509v3 extensions area, are the aliases:

X509v3 Subject Alternative Name:
  DNS:ashburn-fw-a, DNS:ashburn-fw-a-prv

Did I do something differently/incorrectly? I filled out the form the
obvious way.
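What the browsers are doing with those two certificates: when a certificate carries a subjectAltName extension with DNS entries, a hostname is matched against those entries only and the subject CN is ignored (RFC 6125 section 6.4.4); the CN is consulted only when no DNS SAN exists. The snippet below is an added example, not code from pfSense or the original post. The certificate dicts use the layout Python's ssl.SSLSocket.getpeercert() returns and are constructed from the Subject/SAN excerpts quoted above; FIXED_CERT is a hypothetical variant with the FQDN added to the SAN list.

```python
"""Decide which hostnames a certificate is valid for, the way current
browsers decide it: DNS SAN entries first, subject CN only as a fallback."""

# Certificate produced by the 2.3.2-p1 UI, as quoted in the post (constructed dict).
NEW_STYLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Maryland"),),
        (("localityName", "Rockville"),),
        (("organizationName", "Khera Communications Inc"),),
        (("commonName", "ashburn-fw-a.example.com"),),
    ),
    "subjectAltName": (("DNS", "ashburn-fw-a"), ("DNS", "ashburn-fw-a-prv")),
}

# Hypothetical fix: the FQDN appears in the SAN list as well as in the CN.
FIXED_CERT = {
    "subject": NEW_STYLE_CERT["subject"],
    "subjectAltName": NEW_STYLE_CERT["subjectAltName"]
    + (("DNS", "ashburn-fw-a.example.com"),),
}

# Constructed certificate with no SAN extension at all: CN fallback applies.
CN_ONLY_CERT = {"subject": ((("commonName", "rockville-fw-a"),),)}


def _label_match(pattern, hostname):
    """RFC 6125 style comparison; a wildcard is honoured only as the whole
    leftmost label and must not swallow more than one label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_dns_names(cert):
    return [value for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]


def cn_names(cert):
    return [value for rdn in cert.get("subject", ())
            for typ, value in rdn if typ == "commonName"]


def matches_hostname(cert, hostname):
    """True if a browser would accept `cert` for `hostname`."""
    hostname = hostname.rstrip(".")
    candidates = san_dns_names(cert)
    if not candidates:
        candidates = cn_names(cert)  # legacy fallback: only when no DNS SAN exists
    return any(_label_match(p, hostname) for p in candidates)


def validity_report(cert, hostnames):
    return {h: matches_hostname(cert, h) for h in hostnames}


if __name__ == "__main__":
    names = ["ashburn-fw-a", "ashburn-fw-a-prv", "ashburn-fw-a.example.com"]
    print("as generated:", validity_report(NEW_STYLE_CERT, names))
    print("with FQDN in SAN:", validity_report(FIXED_CERT, names))
```

With the certificate as the UI produced it, the two short aliases match and the FQDN in the CN does not; listing the FQDN as a SAN entry as well is what makes both work.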


Re: [pfSense] Aliases grouping

2016-12-07 Thread Vick Khera
On Wed, Dec 7, 2016 at 2:56 PM, Luc Paulin  wrote:

> For curiosity how do you manage the alias naming? Do you have some sort
> of naming convention depending on whether the alias is an IP/Host/Network and/or
> if it's an alias of aliases?
>

I tend to use names like "DeveloperHosts" and "WebserverPorts" where the
last part describes what it is. But the GUI makes it easy for you and only
presents what's sensible for auto-fill in each place you can use one.


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Vick Khera
I use commodity x86 (64-bit) hardware. I tend to make my pairs
identical, so I know the backup can handle the load if the primary
keels over. There's no hard requirement for that, though.


On Tue, Nov 15, 2016 at 3:19 PM, Eero Volotinen  wrote:
> Hi List,
>
> What are requirements for pfsense ha clustering? does any of x86 hardware
> work with ha? does hardware need to be identical?
>
> --
> Eero


Re: [pfSense] pfsense default firewall configuration

2016-11-15 Thread Vick Khera
On Tue, Nov 15, 2016 at 3:17 AM, user49b  wrote:
> I have heavily modified my IPcop configuration and just wanted to know if
> pfSense's default firewall configuration is good enough.

The default is deny everything inbound, and allow everything outbound.
Nobody can say what's "good enough" for you without knowing your
requirements.


Re: [pfSense] Diagnosing System lag

2016-10-24 Thread Vick Khera
On Sun, Oct 23, 2016 at 1:38 PM, Ryan Coleman  wrote:
> Why? 57,265 pings sent. 57,625 pings received.

If you get more pings than you send, someone thinks they're you. Find
out who is sharing the IP and fix that.


Re: [pfSense] Diagnosing System lag

2016-10-23 Thread Vick Khera
You get that same lag from all devices?

I agree you should investigate the wires and switches. Try wiring your
computer directly to the LAN port on the APU and see if you get any
delays.

On Sat, Oct 22, 2016 at 2:41 PM, Ryan Coleman  wrote:
> I had in the past.. but I’ll admit right now… I’m not in the spot to check. I 
> will do when I get home tonight (I live 90 miles from this customer)
>
>
>> On Oct 22, 2016, at 1:35 PM, WebDawg  wrote:
>>
>> did you look at the freebsd system logs?
>>
>> On Sat, Oct 22, 2016 at 1:32 PM, Ryan Coleman  wrote:
>>> Because I blamed it on the local phone company. :)
>>>
>>> Ping time, as you can see in the quoted text, hits up to 48 seconds. I 
>>> cannot get it to reply and I am not seeing anything in the logs.
>>>
>>> It’s not the switch - rebooting does not resolve. Switching ports is not 
>>> viable for testing at the time of the issue because of VLANs.
>>>
>>> I honestly suspect it’s the firewall hardware failing more than anything 
>>> else.
>>>
>>> —
>>> Ryan
>>>
>>>
>>>> On Oct 22, 2016, at 1:06 PM, WebDawg  wrote:
>>>>
>>>> Whoa.  2 years?  Why are you just looking at it now?
>>>>
>>>> Do you have any other ports you could try your lan cables in?  Is
>>>> something else using that IP?
>>>>
>>>> Why do you say hangs, no web ui access?  No logs?
>>>>
>>>> I mean it could be anything.
>>>>
>>>> On Sat, Oct 22, 2016 at 12:40 PM, Ryan Coleman  
>>>> wrote:
>>>>> My NetGate APU installation hangs, seemingly randomly… and has for most 
>>>>> of the two years since purchase and installation.
>>>>>
>>>>> How might I diagnose these issues?
>>>>>
>>>>>> --- 10.20.0.1 ping statistics ---
>>>>>> 296 packets transmitted, 271 packets received, 8.4% packet loss
>>>>>> round-trip min/avg/max/stddev = 1.274/9254.705/48807.578/16024.851 ms
>>>>>
>>>>> Many of the lost packets easily came in late. 48 seconds for pings? The 
>>>>> network seems to be fine - rebooting switches does not affect the issue. 
>>>>> It will resolve itself after 3-4 minutes but our radio in the bar is fed 
>>>>> over the net so it gets frustrating at times.
>>>>>
>>>>> Thanks!
>>>
>

Re: [pfSense] Lightning strike

2016-10-14 Thread Vick Khera
On Thu, Oct 13, 2016 at 6:25 PM, Walter Parker  wrote:
> Problem is that all of the current OS do this sort of renumbering (I'd have
> to check, but I think it could be a hardware/driver issue). IIRC Linux
> systems have had this sort of problem in even greater measure than the
> BSDs. The plug and play nature of USB has caused issues for most systems

Current versions of CentOS/RedHat hard-wire ethernet names. You have
to go dig in and find some file that has the mappings and delete them
if you do something like replace a motherboard with embedded NICs,
otherwise it makes all new ethernet device names for you. The mapping
is based on the MAC address.


[pfSense] dpinger data collection

2016-10-07 Thread Vick Khera
I'm trying to trace how the data gets from dpinger into the RRD file
and ultimately into the UI.

I see dpinger is writing to a socket, but I cannot for the life of me
find what process is reading that socket and writing to the RRD file.

How does that happen?

My ultimate goal is to see if I can convince pfsense to monitor other
arbitrary IPs to debug certain conditions like VPN slowness. I want to
monitor the "quality" of the other endpoint of the openvpn
connections, for example.


Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?

2016-09-30 Thread Vick Khera
On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle  wrote:
> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>
>> So you could keep your list somewhere else on a web server.
>
>
> This is what I do.
>
> And I grab the list from
>
> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>
> Once a month
>

Isn't this more or less what pfBlockerNG does for you automatically?


[pfSense] shaper wizard LAN queues

2016-09-15 Thread Vick Khera
Is there a reason the traffic shaper makes queues on the LAN? None of
the firewall rules it makes references the LAN queues. Is it just for
my future use convenience?


[pfSense] shaper questions

2016-09-14 Thread Vick Khera
I'm reading over the shaper guide at
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide and I find I
still have some confusion. The document seems to be in need of some
updating.

The scheduler types FAIRQ and CODELQ are not defined anywhere in the
document. What would be their use cases?

The document still refers to the Layer 7 shaping, but when you follow
the link it says that feature does not exist since version 2.2. It
doesn't seem like that even needs to be linked anymore.

When I used the wizard to set up some simple queues (voip, smtp, IMAP,
and IPSEC) to test it out, it created a handful of floating rules to
map traffic into the queues. I do not see any rule for what to do with
the rest of the traffic. Does not all traffic need to be sent through
the queues in order for them to be effective? Should I update my
catch-all LAN rule to use a queue? This part is very fuzzy in my mind
right now.

The wizard does not have an OpenVPN option for the VPN section. Is
this because you can run it on any port, or because there is something
about OpenVPN that does not let it work? I'm thinking I would just
need to add a rule that matches my port numbers and IPs and it should
work.

The wizard only seems to make outbound rules (based on the comment)
for everything except IPSEC. Looking at the rules, for example on
SMTP, they seem to match both directions. It says "direction = any"
and the only filter is destination port 25, so it should work for
incoming SMTP connections I would think.

Do I need to define queues on all interfaces if I want to control
outbound traffic? Can I just define them on the LAN interface and put
the rules on the LAN tab? Or do I define them on the WAN?

The document states that shaping is not capable of setting an upper
limit on bandwidth. If this is the case, what is the "Max bandwidth
for queue" setting in the "Service Curve" settings panel for a queue
for? I need this capability, but I also use pfsync so I cannot use the
limiters.

What is the incantation for evenly distributing http/https among the
users? That is, if one person is uploading a large file over the web
to some remote service, how to let the others still get their fair
share of traffic? Does this happen with the queues automatically?

Thanks for any answers to these questions and any tips you may have to offer.


Re: [pfSense] Export user account/password issue

2016-09-14 Thread Vick Khera
On Wed, Sep 14, 2016 at 10:44 AM, Satish Patel  wrote:
> How do I convert old style password to new FreeBSD style password in
> master.passwd file?  Is it possible with pwd_mkdb?

You cannot; they are one-way hashes. The first part of the resulting
string identifies which hash method was used. I forget where the
default choice is set. Some file in /etc does it.
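The prefix the reply refers to is the crypt(3) scheme identifier ($1$ MD5, $2a$/$2b$ bcrypt, $5$ SHA-256, $6$ SHA-512; a bare 13-character field is traditional DES), and on FreeBSD the default for newly set passwords is the passwd_format capability in /etc/login.conf. Since the stored values are one-way, the only way to "convert" an account is to set its password again under the new default, so the useful check is an audit of which accounts still carry an old scheme. The following is an added example, not code from pfSense or the thread; the sample file is constructed and every hash field is a placeholder with the right prefix, not a real hash.

```python
"""Identify the hash scheme behind each master.passwd entry and flag the ones
that should be re-hashed (legacy DES or MD5, or an empty password field)."""
import re

SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt"}
WEAK = {"des", "md5-crypt"}

# Constructed sample; the hash fields are placeholders with realistic prefixes only.
SAMPLE_MASTER_PASSWD = """\
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:$6$placeholdersalt$PLACEHOLDERHASH:0:0::0:0:Charlie &:/root:/bin/sh
admin:$1$abcdefgh$PLACEHOLDERHASH:0:0::0:0:System Administrator:/root:/etc/rc.initial
legacy:PLACEHOLDER13:1001:1001::0:0:Legacy account:/home/legacy:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

PREFIX_RE = re.compile(r"^\$([0-9a-z]+)\$")


def hash_scheme(field):
    """Name the scheme of one password field, or 'locked'/'empty' for non-hashes."""
    if field == "":
        return "empty"                      # passwordless login: always worth a look
    if field.startswith(("*", "!")):
        return "locked"                     # no hash can ever match
    m = PREFIX_RE.match(field)
    if m:
        return SCHEMES.get(m.group(1), f"unknown(${m.group(1)}$)")
    if len(field) == 13:
        return "des"                        # traditional crypt: 2-char salt + 11 chars
    return "unknown"


def audit_master_passwd(text):
    """Return [(user, scheme, needs_rehash)] for every well-formed account line."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue                        # master.passwd has exactly ten fields
        user, pw = fields[0], fields[1]
        scheme = hash_scheme(pw)
        rows.append((user, scheme, scheme in WEAK or scheme == "empty"))
    return rows


def accounts_to_rehash(text):
    return [user for user, _, flagged in audit_master_passwd(text) if flagged]


if __name__ == "__main__":
    for user, scheme, flagged in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{user:10} {scheme:14} {'REHASH' if flagged else 'ok'}")
```

Run against the real file (`/etc/master.passwd`, readable by root only) it lists the accounts whose password must be reset to pick up the current scheme; nothing about the old hash itself is recoverable.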


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-03 Thread Vick Khera
My home office is protected by a Netgate APU box (which it seems they
have replaced with some other device at the low end now). It is a
little pricey, but they offer great support and it supports the
project in the best way.

On Wed, Aug 3, 2016 at 3:37 AM, Eero Volotinen  wrote:
> Any ideas where to find perfect pfsense box for home usage.
>
> Must be cheap and silent? netgate device? shuttle box?
>
> --
> Eero


Re: [pfSense] Installation issues of latest release (2.3.2) resolved?

2016-08-01 Thread Vick Khera
On Sat, Jul 30, 2016 at 12:19 AM, Jim Thompson  wrote:
> As a reminder, pfSense 2.4 will not support i386, and will not support the
> 'nano' image.

Does this imply that we will need to do a full re-install on our
Netgate APUs or will there be a clean self-upgrade process?


Re: [pfSense] Installation issues of latest release (2.3.2) resolved?

2016-08-01 Thread Vick Khera
On Fri, Jul 29, 2016 at 10:37 PM, Ryan Coleman  wrote:
> So does this affect APUs running the AMD64 architecture?

I updated from 2.3.1 to 2.3.2 the APU at my home office with zero
problems. It just took a good long time to clone the boot slice before
updating, which also took a long time. The actual downtime was minimal
as it does boot really fast.


[pfSense] IPv6 being used for NTP even though IPv6 is not configured

2016-07-25 Thread Vick Khera
According to the System/Advanced/Networking page, there is an option
to prefer IPv4. However, it says this: "if IPv6 is configured and a
hostname resolves IPv6 and IPv4 addresses, IPv6 will be used."

I do not have IPv6 configured -- all my interfaces are statically
configured. The only IPv6 I see is the automatic link-local address
assigned to each interface. Is that enough to convince pfSense that it
is "configured"?

The symptom I'm seeing is that one of the remote NTP servers I sync
with returns both IPv6 and IPv4 addresses, and NTP is preferring the
v6 address which does not work here.

If I check the box to enable the "prefer IPv4" it does indeed select
the IPv4 address. So something is misleading pfSense to thinking v6 is
enabled, at least for NTP.


Re: [pfSense] 502 Bad Gateway

2016-07-07 Thread Vick Khera
On Thu, Jul 7, 2016 at 2:16 PM, Bill Arlofski 
wrote:

> I guess I will remove it the next time this happens and see if there is any
> change.
>

It seems to me you should remove it *before* to see if you avoid it
happening.


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread Vick Khera
On Wed, Jun 8, 2016 at 2:41 PM, Jeremy Bennett 
wrote:

> If you won't have mobile users, IPSec could be a viable option.
>

iPhone mobile VPN works great with IPSec, no additional software needed. It
is all built in. Do not know about Android.


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread Vick Khera
On Wed, Jun 8, 2016 at 6:31 AM, David White  wrote:

> I didn't think I would have to setup a new server / port for each remote
> office. I thought that, with the SSL/TLS setup, I could have a single
> server and configure it so that clients can see & interact with each other.
>

When you configure the OpenVPN server side, you need to specify the remote
IP network. How will you do that for 20 different remote sites with one
server config?

The IPSec config will be much cleaner, I think, and much lower overhead.

With either case, make sure you have hardware crypto support (usually that
means AES-NI feature in your CPU) and choose the ciphers that are supported
by it, specifically AES128 (or AES256) with SHA. The clients could probably
get away without the hardware acceleration, but if you are pushing lots of
traffic through the hub then you will need it.


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-07 Thread Vick Khera
On Tue, Jun 7, 2016 at 3:03 PM, David White  wrote:

> I know that this can be done, but I've never actually done it. Are there
> some good resources I can review, besides
> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
>
> ? For branch offices,
>

If you can manage it, and the remotes are on static IPs, I'd suggest trying
IPSec.

If you are going with OpenVPN, then you basically will need to set up one
"server" per remote, each on its own port number. I like to only open the
firewall to that port from the IP of the remote that will use it. Depending
on how many you have and how tight you want it, you could just make an
alias of all the ports and an alias of all the remote IPs and set up one
rule to allow all of that at one shot.


Re: [pfSense] FreeBSD on uFW

2016-06-02 Thread Vick Khera
On Wed, Jun 1, 2016 at 5:58 PM, Jim Thompson  wrote:

> you prefer ‘m1cr0Wall’, perhaps?
>

I'm totally the wrong person to brand a product.


>
> Netgate used to have a m1n1wall product (which shipped with m0n0wall at
> first, then pfSense).
>

I remember that...

Re: [pfSense] FreeBSD on uFW

2016-06-01 Thread Vick Khera
On Wed, Jun 1, 2016 at 4:54 PM, Jim Thompson  wrote:

> Vick, no, it’s not in the Netgate storefront (yet).  There are a handful
> of boards in the world.  This one is on my desk at home.
> https://twitter.com/gonzopancho/status/738098254890471424
>
>
>
>
Cool. I found the original twitter thread too. Wasn't sure exactly what it
was, but glad to see you took the banana request seriously. :)

The name will confuse the heck out of people. Right now when you google uFW
you get stuff about some linux firewall software.

Re: [pfSense] FreeBSD on uFW

2016-06-01 Thread Vick Khera
What is a uFW? Google is not my friend (keeps finding some stupid firewall
package for linux) and I see nothing on the netgate storefront that seems
to be it.


Re: [pfSense] IPSec nat issue

2016-05-26 Thread Vick Khera
On Wed, May 25, 2016 at 8:54 PM, Lyle  wrote:

> The other end has a conflict with our LAN addressing(192.168.1.0/24).  So
> in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24
>
> for the local Network.  NAT/BINAT network of 192.168.85.0/24.  Their
> remote network is 192.168.75.0/24.
>

So if they have a conflicting 192.168.1.0/24 network on their end already,
how the heck do they expect traffic to *your* version of that network to
get routed to you? That is, if they type "ping 192.168.1.42" which network
is it supposed to go to? I don't see how some Sonicwall magic could make
that happen either.
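The address-conflict question above is mechanical enough to check in code. This is an added example, not code from pfSense or the thread; the networks are the ones named in the quoted question. With 1:1 network translation (pfSense's phase 2 NAT/BINAT) the host bits are preserved, so a local host keeps its last octet inside the translated network, and the only network the peer ever sees for our side is the translated one. That is also what decides whether their own 192.168.1.0/24 still collides with anything.

```python
"""Translate a local address through a BINAT network and check the phase 2
selectors for overlaps with the networks on the peer's side."""
import ipaddress


def binat_translate(addr, local_net, binat_net):
    """Map `addr` in `local_net` to its 1:1 counterpart in `binat_net`."""
    addr = ipaddress.ip_address(addr)
    local_net = ipaddress.ip_network(local_net)
    binat_net = ipaddress.ip_network(binat_net)
    if local_net.prefixlen != binat_net.prefixlen:
        raise ValueError("BINAT requires equal-sized networks")
    if addr not in local_net:
        raise ValueError(f"{addr} is not in {local_net}")
    host_bits = int(addr) - int(local_net.network_address)   # offset within the network
    return ipaddress.ip_address(int(binat_net.network_address) + host_bits)


def phase2_conflicts(presented_net, peer_nets):
    """Networks on the peer's side that overlap the network we present to them."""
    presented = ipaddress.ip_network(presented_net)
    return [str(n) for n in map(ipaddress.ip_network, peer_nets) if n.overlaps(presented)]


# Values from the quoted question: our LAN, the BINAT network we present,
# their remote LAN, plus the conflicting 192.168.1.0/24 that exists on their side.
LOCAL_LAN = "192.168.1.0/24"
BINAT_NET = "192.168.85.0/24"
PEER_NETS = ["192.168.75.0/24", "192.168.1.0/24"]


def check_tunnel(local_lan, binat_net, peer_nets):
    """Summarise what the peer sees and whether any selector collides."""
    presented = binat_net or local_lan
    return {
        "presented_to_peer": presented,
        "conflicts_on_peer_side": phase2_conflicts(presented, peer_nets),
        "our_lan_vs_their_remote": phase2_conflicts(local_lan, peer_nets[:1]),
    }


if __name__ == "__main__":
    print("192.168.1.42 appears to the peer as",
          binat_translate("192.168.1.42", LOCAL_LAN, BINAT_NET))
    print("with BINAT:", check_tunnel(LOCAL_LAN, BINAT_NET, PEER_NETS))
    print("without BINAT:", check_tunnel(LOCAL_LAN, None, PEER_NETS))
```

Without the BINAT the presented network is our real LAN, and the check reports the collision with the peer's own 192.168.1.0/24; with it, the peer addresses us as 192.168.85.x and "ping 192.168.1.42" on their side stays local to them, which is the behaviour the reply above is pointing at.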


Re: [pfSense] Unbound connections: excessive???

2016-05-23 Thread Vick Khera
On Sun, May 22, 2016 at 8:26 PM, Bryan D.  wrote:

> Is it normal to have this kind of increase in the number of UDP DNS-port
> states when moving to unbound with this kind of configuration?
>

One would expect that a dns resolver would have to communicate with
hundreds if not thousands of other hosts depending on how busy and diverse
the clients are. You can always try running unbound in forwarding mode and
see if your states drop down.

Personally, I think worrying about this is a waste of your time.


Re: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice

2016-05-11 Thread Vick Khera
On Tue, May 10, 2016 at 4:55 PM, Mike Montgomery 
wrote:

> I have two servers, setup in high availability that are currently running
> 2.2.6.  I have been running 2.3 at home and my test servers and am ready to
> upgrade the office to 2.3 as well.  I have been reading several upgrade
> guides, as to which one to upgrade first, but would like to see if anyone
> has upgraded a HA setup yet successfully?
>

Here is how I upgrade mine, whatever the upgrade versions:

1) upgrade the backup firewall
2) on primary, in CARP Status, enter persistent backup mode (the button on
the right side of the top row)
3) wait a moment or two to let the VPNs and traffic move from the primary
to the backup (usually a few seconds at most)
4) upgrade primary at your leisure
5) on primary, un-click the persistent backup mode button.

This usually works really well. However, when I did this 2.2 -> 2.3 upgrade
Monday at my data center, my terminal window into my management server had
its ssh connection severed right when the primary was booted. I suspect
there is some race between the networking starting and the thing that sets
the persistent backup mode, but this only happened to me once.


Re: [pfSense] Aggregated WAN traffic

2016-05-10 Thread Vick Khera
On Tue, May 10, 2016 at 9:45 AM, Randy Morgan  wrote:

> Having said that there is some question in my mind as to how this actually
> works.  Some of what I read indicates that the aggregation actually causes
> the LAGG port to, effectively, operate on QOS functionality, meaning that
> it cycles between the two links based on available bandwidth.
>

From my understanding, a single connection will not use both links, but
multiple connections will be load balanced among them. Thus, don't expect a
single file download to be able to use all 20Mbps of the bandwidth.
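A small model of why that is so. This is an added example, not code from pfSense or from FreeBSD's lagg(4): a load-balancing LAGG hashes each flow's headers to pick exactly one member link, so one connection is capped at a single member's rate while many connections share the aggregate. The hash used here (SHA-256 over the 5-tuple) is a stand-in chosen for determinism, not the driver's real hash, the link rates are an assumption, and the flows are constructed.

```python
"""Per-flow link selection on a LAGG: the same flow always lands on the same
member, so its ceiling is one member's rate; many flows spread out."""
import hashlib
from collections import Counter


def link_for_flow(src, dst, sport, dport, proto, nlinks):
    """Deterministic member index for one flow (stand-in hash, not lagg's own)."""
    key = f"{src}|{dst}|{sport}|{dport}|{proto}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % nlinks


def distribute(flows, nlinks):
    """How many of the given flows land on each member link."""
    return Counter(link_for_flow(*flow, nlinks) for flow in flows)


def flow_ceiling_mbps(link_rates_mbps, flow):
    """The most one flow can ever get: the rate of the single link it hashes to."""
    return link_rates_mbps[link_for_flow(*flow, len(link_rates_mbps))]


def aggregate_mbps(link_rates_mbps):
    """What many concurrent flows can share in total."""
    return sum(link_rates_mbps)


# Constructed flows: one client opening 200 connections to one web server.
MANY_FLOWS = [("10.0.0.5", "203.0.113.9", port, 443, "tcp")
              for port in range(40000, 40200)]
LINK_RATES = [10, 10]  # assumption: two equal members, in Mbps

if __name__ == "__main__":
    one = MANY_FLOWS[0]
    print("single flow ceiling:", flow_ceiling_mbps(LINK_RATES, one), "Mbps")
    print("aggregate for many flows:", aggregate_mbps(LINK_RATES), "Mbps")
    print("flows per member link:", dict(distribute(MANY_FLOWS, len(LINK_RATES))))
```

The first number is the one a single file download sees; the second is only reachable when enough distinct flows exist to land on every member.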


Re: [pfSense] 2.3_1 ?

2016-05-06 Thread Vick Khera
On Thu, May 5, 2016 at 3:05 PM, Jim Thompson  wrote:

> it’s documented that you need to (re)start NTP manually.
>

Where would one learn this? The update page doesn't say anything about
"after applying this update, do XYZ". That would be the ideal place, IMO.

Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Vick Khera
On Thu, May 5, 2016 at 9:47 AM, Jeppe Øland  wrote:

> This install is running a 4G NANO image ... maybe there's a problem with
> that?
>

I just did the update on a nano image system (netgate, not vanilla pfsense)
and had success other than having to manually restart ntpd.

Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Vick Khera
On Tue, May 3, 2016 at 11:24 AM, Jeppe Øland  wrote:

> Does this update actually work?
>
> After hitting install and crunching for a while, it showed "firmware
> installation failed!" at the top.
>

I just did the upgrade and it succeeded. However, ntpd was not restarted on
either of the two systems upgraded. I had to manually restart ntpd.

My guess on the "pfSense" package is all that does is bump the displayed
release number.

Re: [pfSense] Site to Site VPN behind nat

2016-05-02 Thread Vick Khera
On Sun, May 1, 2016 at 8:18 PM, Dane Reugger  wrote:

> I've seen this done with Aruba but not sure it's possible with PfSense but
> if it is I would love a guide to get it going.
>

Use OpenVPN. It doesn't care at all about the NAT. Many guides online for
setting up whole network VPN over OpenVPN.

On pfSense server, you create one "server" entry per remote LAN you want on
its own dedicated port. Open up the firewall to allow connections and
you're good to go.


Re: [pfSense] NTP Drift file not retained (NanoBSD) and "clipping" of

2016-04-22 Thread Vick Khera
On Fri, Apr 22, 2016 at 5:10 PM, Karl Fife  wrote:

> Obviously not retained in the case of an abend, but notably ALSO not
> retained during a normal reboot.  Is there a strategic reason this hard-won
> calibration is not retained?


I agree this should be preserved the same way the RRD files and DHCP leases
are.


Re: [pfSense] Monitor (RRD) all 0 data on 2.3

2016-04-21 Thread Vick Khera
Oh, never mind. I first read that you did an upgrade. That is a weird symptom...

On Thu, Apr 21, 2016 at 8:21 AM, Vick Khera  wrote:

>
> On Thu, Apr 21, 2016 at 1:53 AM, Gé Weijers  wrote:
>
>> I just performed a clean install of 2.3 on an AMD64 PC. Everything is
>> fine,
>>
>
> Was your prior install 32-bit? When you switch/upgrade from 32 to 64 bit
> the RRD graphs break.
>

Re: [pfSense] Monitor (RRD) all 0 data on 2.3

2016-04-21 Thread Vick Khera
On Thu, Apr 21, 2016 at 1:53 AM, Gé Weijers  wrote:

> I just performed a clean install of 2.3 on an AMD64 PC. Everything is fine,
>

Was your prior install 32-bit? When you switch/upgrade from 32 to 64 bit
the RRD graphs break.

[pfSense] cannot backup one device

2016-04-07 Thread Vick Khera
I have 5 pfSense devices: one at my home office, and two set up in pairs at
my data center and main office respectively. The data center units are
running stock pfSense on beefy hardware; the others are all Netgate units
running Netgate pfSense.

Since the most recent update added CSRF checking, I updated my config file
backup script according to
https://doc.pfsense.org/index.php/Remote_Config_Backup (using cURL rather
than wget) and this works just great for all but the home office unit. I'm
running my script that calls curl from my Mac desktop at the main office.
All access is over VPN connections (or the local LAN) to private IP
addresses.

On my home office unit, the second HTTP GET returns an error page saying
the CSRF token was incorrect. The others return the dashboard page (which
is the expected result after submitting a login). Because it fails at that
step, the final fetch of the actual config file fails as well.

I've spent all morning trying to figure out what's different with this
unit's configuration and I just cannot see it. I concentrated on the
general config and advanced config screens.

There are two major visible differences in the initial HTTP GET:

First, the CSRF token looks different. On the working units, it looks like
this:

csrfMagicToken =
"sid:a25852be7ba6a2a00b9eeab807389bf3b65ad28b,1460041532;ip:46ff0619e5d874ac44652f9eb04813c13621faf8,1460041532"

On the failing unit it looks like this:

csrfMagicToken = "sid:1d1800a1f646e0f14788b8b1a0bc0aff6fdbbc2a,1460041531"

Secondly, the PHPSESSID cookie on the failing unit is not set as "HTTPS"
only, whereas on the other units it is.

Any ideas would be appreciated. I'm running pfSense 2.2.6.

Here's my testing script which just fetches from one working and the
failing unit.

--cut here--
#!/bin/sh
# Pull config.xml from each firewall through the web GUI: fetch the login
# form, log in with its CSRF token, then request the backup with the
# token from the post-login page.

readonly PFDATE=`date +%Y%m%d%H%M%S`
readonly VKFW="vkfirewall.example.com"
readonly ASHBURNFWA="rockville-fw-a.example.com"
readonly USBCFGDIR="/tmp"

# admin password; note it is visible in the process list while curl runs
FWPASS="xx"

pfsense_config()
{
    local FWNAME FWURL CSRF CSRF2 COOKIEFILE
    FWNAME="$1"
    FWURL="https://${FWNAME}"
    COOKIEFILE=`mktemp -t cookies`

    printf "Downloading Firewall Config for %s\n" "$FWNAME"

    # 1. GET the login page; save the session cookie and the page itself
    curl -k -L -c ${COOKIEFILE} -o $USBCFGDIR/$FWNAME-1.html ${FWURL}/
    CSRF=`grep "name='__csrf_magic'" $USBCFGDIR/$FWNAME-1.html | sed 's/.*value="\(.*\)".*/\1/'`
    echo c=$CSRF

    # 2. POST the login. -b sends the session cookie saved in step 1 along
    #    with the token that was issued for that session.
    curl -k -L -b ${COOKIEFILE} -c ${COOKIEFILE} -d "login=Login&usernamefld=admin&passwordfld=$FWPASS&__csrf_magic=${CSRF}" -o $USBCFGDIR/$FWNAME-2.html ${FWURL}/diag_backup.php
    CSRF2=`grep "name='__csrf_magic'" $USBCFGDIR/$FWNAME-2.html | sed 's/.*value="\(.*\)".*/\1/'`
    echo c2=$CSRF2

    # 3. POST the download request with the fresh token from step 2
    curl -k -b ${COOKIEFILE} -d "Submit=download&donotbackuprrd=checked&__csrf_magic=${CSRF2}" -o $USBCFGDIR/config-$FWNAME-$PFDATE.xml ${FWURL}/diag_backup.php
    cat ${COOKIEFILE}
    rm -f ${COOKIEFILE}
}

printf "Downloading Firewall Configuration\n\n"

pfsense_config $VKFW

printf "\n\n"

pfsense_config $ASHBURNFWA
--cut here--
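
The same GET / login / download sequence, as an added example written for this
archive page (not code from the post or from pfSense). It replaces the grep/sed
token extraction with an HTML parser that does not care whether the form uses
single or double quotes, splits the csrf-magic token into its "sid" and "ip"
parts so a script can log which bindings a unit issued, and verifies TLS by
default. The field names and diag_backup.php are taken from the post; the two
sample page fragments are constructed and carry the token values quoted above.

```python
"""Fetch a pfSense config.xml through the web GUI: GET the login form, POST the
login with its CSRF token, POST the download with the token from the next page.
Added example; hostnames, credentials and the sample HTML are not from pfSense."""
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser


class _CsrfFinder(HTMLParser):
    """Collect <input name="__csrf_magic" value="..."> regardless of attribute quoting."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "__csrf_magic" and a.get("value"):
            self.tokens.append(a["value"])


def extract_csrf_token(html):
    """Return the CSRF token on a pfSense page; raise if there is none, because a
    POST without a valid token is rejected and a missing token is what to log first."""
    finder = _CsrfFinder()
    finder.feed(html)
    if not finder.tokens:
        raise ValueError("no __csrf_magic field on page")
    return finder.tokens[0]


def parse_csrf_magic(token):
    """Split a csrf-magic token ("sid:<hash>,<time>;ip:<hash>,<time>") into parts, so a
    script can record which bindings (session id, client IP) a unit actually issued."""
    parts = {}
    for piece in token.split(";"):
        kind, _, rest = piece.partition(":")
        digest, _, issued = rest.partition(",")
        parts[kind] = {"digest": digest, "issued": int(issued)}
    return parts


def backup_config(base_url, user, password, skip_rrd=True, ssl_context=None):
    """Drive the same three requests as the shell script and return the XML bytes.
    TLS is verified unless you pass an ssl_context that trusts the unit's own cert."""
    handlers = [urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar())]
    if ssl_context is not None:
        handlers.append(urllib.request.HTTPSHandler(context=ssl_context))
    opener = urllib.request.build_opener(*handlers)
    page = opener.open(base_url + "/").read().decode("utf-8", "replace")
    login = urllib.parse.urlencode({"login": "Login", "usernamefld": user,
                                    "passwordfld": password,
                                    "__csrf_magic": extract_csrf_token(page)}).encode()
    after = opener.open(base_url + "/diag_backup.php", login).read().decode("utf-8", "replace")
    fields = {"Submit": "download", "__csrf_magic": extract_csrf_token(after)}
    if skip_rrd:
        fields["donotbackuprrd"] = "checked"
    xml = opener.open(base_url + "/diag_backup.php",
                      urllib.parse.urlencode(fields).encode()).read()
    if not xml.lstrip().startswith(b"<?xml"):
        raise RuntimeError("did not get config.xml back; check credentials and CSRF token")
    return xml


# Constructed page fragments in the two quoting styles a value="..." regex can trip
# over; the token values are the ones quoted in the post.
SAMPLE_PAGE_DQ = ('<form><input type="hidden" name="__csrf_magic" '
                  'value="sid:a25852be7ba6a2a00b9eeab807389bf3b65ad28b,1460041532;'
                  'ip:46ff0619e5d874ac44652f9eb04813c13621faf8,1460041532"></form>')
SAMPLE_PAGE_SQ = ("<form><input type='hidden' name='__csrf_magic' "
                  "value='sid:1d1800a1f646e0f14788b8b1a0bc0aff6fdbbc2a,1460041531'></form>")
```

Usage is `backup_config("https://fw.example.com", "admin", password)`; for a unit
with a self-signed certificate, build an `ssl.SSLContext` that loads that one
certificate with `load_verify_locations` rather than disabling verification.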


Re: [pfSense] APinger times wrong after a few hours

2016-02-25 Thread Vick Khera
On Wed, Feb 24, 2016 at 8:28 PM, Jim Thompson  wrote:

> Apinger is… not very good.
>
> This is why we’ve gone to dpinger in pfSense software v2.3


Yay. I'll be glad to not have that PoS software being critical to my
infrastructure.

Re: [pfSense] PFSense for high-bandwith environments

2016-02-24 Thread Vick Khera
On Tue, Feb 23, 2016 at 9:01 PM, Jim Thompson  wrote:

> Fun fact, this ’Netflix’ success is using the AES-GCM code that Netgate
> co-developed with the FreeBSD Foundation for use with IPsec.
>
> https://lists.freebsd.org/pipermail/freebsd-security/2014-November/008029.html
>
>
>
> Fun fact #2, a future variant of that work will leverage QuickAssist.
> http://store.netgate.com/QuickAssist-and-Other-Cards-C210.aspx
>
>
>
> Fun fact #3, we can achieve much higher PPS with the router we’re writing
> (leverages DPDK) and netmap-fwd than you can with
> fastforward.  (Where Chelsio NICs make life a bit more complex.)
> https://github.com/Netgate/netmap-fwd/blob/master/netmap-fwd.pdf
>
>

All I can say is "wow" and "thank you". Very impressive work! I look
forward to the netmap-fwd the most.

Re: [pfSense] Maximum number of established connections per host questions

2016-02-02 Thread Vick Khera
On Tue, Feb 2, 2016 at 4:28 PM, Ugo Bellavance  wrote:

> I think that when an IP address hits the limit, the packets are dropped by
> the default rule, right?
>

Yes, this is what I observe. I use this technique (max connections per
time) to throttle SSH connections to the few hosts that I allow public SSH
connections.
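
An added example (not from the post) of what that technique looks like as pf
rules, in the shape pfSense writes them: the per-source limits are state
options on the pass rule, and a source that exceeds the rate is added to the
virusprot table, which a block rule placed ahead of the pass rule drops. The
$wan and $ssh_hosts macros are assumptions for the WAN interface and the hosts
that accept public SSH.

```pf
# Constructed pf.conf fragment for illustration; not generated by a specific pfSense build.
# $wan and $ssh_hosts are assumed macros. <virusprot> is the overload table pfSense uses.
table <virusprot> persist
block in quick on $wan from <virusprot> to any

# Unlimited: any single source may open as many SSH connections as it likes.
# pass in quick on $wan proto tcp from any to $ssh_hosts port 22 keep state

# Throttled: at most 5 new connections per source in any 30 s window and 10
# concurrent states per source; offenders go to <virusprot> and lose all states.
pass in quick on $wan proto tcp from any to $ssh_hosts port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <virusprot> flush global)
```

In the pfSense GUI these are the "Maximum new connections / per second(s)" and
"Maximum state entries per host" fields under the rule's Advanced Options;
`pfctl -t virusprot -T show` lists who has been caught.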


Re: [pfSense] Best automated configuration backup options for 2.1.5?

2015-12-15 Thread Vick Khera
Here's my config file backup script bits for pfSense:

curl -k -c ${COOKIEFILE} -d "login=Login&usernamefld=admin&passwordfld=$FWPASS" https://${FWHOST}/diag_backup.php
curl -k -b ${COOKIEFILE} -d "Submit=download&donotbackuprrd=checked" -o config-${FWHOST}.xml https://${FWHOST}/diag_backup.php

where COOKIEFILE is some secure temp file name. The rest of the
variables should be obvious.

As I recall, this works for 2.0 and up. Definitely works for the most
current release.

On Mon, Dec 14, 2015 at 4:14 PM, Volker Kuhlmann  wrote:
> The configuration is stored in a single file I thought.
> rsync, ssh, and cron should take care of that easily.
>
> If you pull it from the pfsense box you could create a new,
> unpriviledged user with read access to a copy of the ocnfig file. That
> way your backup system doesn't need to know the firewall's main
> password.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-13 Thread Vick Khera
On Thu, Nov 12, 2015 at 5:20 AM, Marco  wrote:

> > Setting up BIND 9 to manage a dynamic zone is not very difficult.
>
> Do I need an additional BIND instance besides the unbound that's
> already running on the pfSense box?
>

unbound != bind. I do not know anything about setting up dynamic zones in
unbound. I know how to do it in bind9.


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-11 Thread Vick Khera
On Wed, Nov 11, 2015 at 2:46 AM, Marco  wrote:

> How to access the mobile hosts via the same hostname regardless if
> they are connected to the LAN or VPN?
>

Via some form of dynamic DNS perhaps? It seems it should be possible to
have the openvpn client run some script that will register its current IP
into a BIND server via RFC2136 update. Setting up BIND 9 to manage a
dynamic zone is not very difficult.


Re: [pfSense] github.com/google/google-authenticator/ on pfSense 2.2x

2015-10-16 Thread Vick Khera
I haven't tried it but pfSense uses the exact same PAM login process. So
chances are pretty much as high as possible of it working.

On Thu, Oct 15, 2015 at 9:48 AM, Ryan Coleman  wrote:

> So… you don’t know how well it will work in pfSense, then.
>
>
> > On Oct 14, 2015, at 3:34 PM, Vick Khera  wrote:
> >
> > and only on FreeBSD servers (not pfSense)
>

Re: [pfSense] github.com/google/google-authenticator/ on pfSense 2.2x

2015-10-14 Thread Vick Khera
The freebsd port for GA works great. I've only ever used it for SSH logins
when no public key is used, and only on FreeBSD servers (not pfSense).

The only files you really need from the package are

/usr/local/bin/google-authenticator
/usr/local/lib/pam_google_authenticator.so

The configuration for PAM is trivial too.


On Tue, Oct 13, 2015 at 8:30 AM, Olivier Mascia  wrote:

> Hello,
>
> Could someone give me pointers on environment needed for me to experiment
> with building Google Authenticator PAM module for pfSense 2.2.4 (amd x64) ?
>
> The code I'm talking about is here:
>
> git clone https://github.com/google/google-authenticator/
>
> I'm only concerned with the libpam sub-directory.
>
> I can build it and use it successfully with freeradius, on a LinuxMint
> 17.2 environment. And can get pfSense to refer to that box, successfully.
> Though I would like to experiment the same using the freeradius available
> as a package for pfSense and adding this PAM on it.
> I guess I first need to setup a development environment en BSD, then I
> should be flying?
> Are there some recommended guidelines for porting and debugging (if
> needed) things to the specific BSD environment of pfSense 2.2x?
>
> --
> Meilleures salutations, Met vriendelijke groeten,
> Best Regards. Olivier Mascia, integral.be/om
>
>
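
An added example of the PAM and sshd configuration the post calls trivial
(example configuration, not from the post; the two file paths are the ones
listed above, everything else is assumed for a FreeBSD host, not pfSense). The
sshd side makes the one-time code apply only to logins that did not present a
public key, which is the way the post describes using it.

```conf
# /etc/pam.d/sshd (FreeBSD): add after the existing pam_unix.so "auth" line.
# Each user enrols once by running /usr/local/bin/google-authenticator, which
# writes ~/.google_authenticator. "nullok" admits users who have not enrolled
# yet with their password alone; remove it once everyone has a file.
auth    required    /usr/local/lib/pam_google_authenticator.so    nullok

# /etc/ssh/sshd_config: space-separated methods are alternatives, so a valid
# public key logs in directly, while anyone without one goes through PAM and
# is asked for the password and then the one-time code.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey keyboard-interactive:pam
```

On OpenSSH 8.7 and later the option is spelled KbdInteractiveAuthentication;
the older name is still accepted as an alias. Test from a second session before
closing the one you edited in.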


Re: [pfSense] pfSense IP stack crashing.

2015-10-14 Thread Vick Khera
On Wed, Oct 7, 2015 at 8:20 AM, Bryant Zimmerman  wrote:

>  Any ideas would be appreciated. This units has been stable for 3 years
> only rebooted when upgrades occur. This is so out of character for this box
> and I need to figure this out ASAP.
>

I will vote hardware failure, possibly intermittent. Diagnostics don't
always pick up everything.

Many times it is the power supply, but it could be the NIC itself.


Re: [pfSense] client VPN on IOS

2015-09-17 Thread Vick Khera
On Tue, Sep 15, 2015 at 9:18 AM, Ray Bagby  wrote:

> Anyone have any luck connecting iphone via VPN?
>

Yes, with the built-in Cisco VPN client. Works great unless you have
pfSense 2.2.3 (older and newer work ok)


Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-08 Thread Vick Khera
On Tue, Sep 8, 2015 at 8:14 AM, Chris Bagnall 
wrote:

> Would you be willing to share your RFC2136/bind9 config?
>

Here's a copy of my notes:

Dynamic DNS Update
(internal Confluence page, created by Vick Khera, last modified on Nov 10, 2014)


To support the ever-changing IP address that FiOS issues, dynamic DNS is
configured under the domain dyn.khera.org to work with RFC2136 clients.
The pfSense firewall is able to function as such a client, and to use these
dynamic host names within firewall rules to permit the client to move IP
yet still retain services via the firewall.
Initial Configuration

This configuration is based on the ones from
http://www.shakabuku.org/writing/dyndns.html and
https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS.


*named.conf zone file additions*

 1  include "../dyn-keys.conf";
 2  zone "dyn.khera.org" {
 3      type master;
 4      file "../dynamic/dyn.khera.org";
 5      update-policy {
 6          grant *.dyn.khera.org. self dyn.khera.org. A AAAA;
 7          grant dyn-control zonesub ANY;
 8      };
 9  };



This defines the dynamic zone, which will be periodically written to the
dynamic/dyn.khera.org zone file. Line 1 includes by reference the list of
keys we will allow to update the zone. Line 6 permits keys of the name
format *.dyn.khera.org to update entries of that name only. That is, the
foobar.dyn.khera.org key is only permitted to update A and AAAA records for
the domain name foobar.dyn.khera.org and nothing else. The line 7
permission allows our master control key to update any record in this
zone. Also, in the khera.org zone, an entry "dyn.khera.org NS
kci.kcilink.com" was created to send all requests for the dynamic zone to
the primary server.

The key for "dyn-control" is generated using this command:
ddns-confgen -k dyn-control

The resulting key is then copied to the top of the dyn-keys.conf file and to
the dyn-control.key file for use with the nsupdate command.

Create an empty zone file dyn.khera.org and run rndc reload to load the new
configuration.
Manual Zone Manipulation

Manual control of the zone is done via the nsupdate command. From time to
time, bind will write the dynamic/dyn.khera.org file with the current set
of entries. Between those writes, a journal file is kept to avoid losing
updates.
*Adding an Entry*
# nsupdate -k dyn-control.key
> server localhost
> update add test.dyn.khera.org 60 a 192.168.1.10
> send
*Delete an Entry*
# nsupdate -k dyn-control.key
> server localhost
> update delete test.dyn.khera.org a
> send
Adding Client

To add a client, newhost.dyn.khera.org, first create a key:
ddns-confgen -k newhost.dyn.khera.org -a hmac-md5

Copy the key into the dyn-keys.conf file and execute rndc reload to load
the new key into memory.

The client will then use the following settings:

   - Server: kci.kcilink.com
   - Hostname: newhost.dyn.khera.org
   - Key name: newhost.dyn.khera.org
   - Key: hmac key just generated
   - Key Type: host
   - TTL: 60

The configuration will permit the use of the key name newhost.dyn.khera.org
to *only* update the A and AAAA records for the domain name
newhost.dyn.khera.org. Any other updates using that key will be denied.
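
The nsupdate steps above, and the idea in the November thread of having an
OpenVPN client register itself by RFC 2136, are the same wire exchange: an
UPDATE message carrying the zone, the record to add, and a TSIG RR that
authenticates it with the client's key. As an added example (not from the
notes, pfSense or BIND), here it is built and verified by hand in Python, so
it is visible exactly what the key-scoped update-policy is checking. The zone,
host names and key name are the ones from the notes; EXAMPLE_SECRET is a
constructed key; hmac-sha256 stands in for the hmac-md5 the notes generate;
send_update is the only function that touches the network.

```python
"""RFC 2136 UPDATE with a TSIG signature (RFC 8945), built and checked on the wire.
Added example, not from the notes or from BIND; EXAMPLE_SECRET is constructed."""
import base64
import hashlib
import hmac
import os
import socket
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
TSIG_ALG = "hmac-sha256."
EXAMPLE_SECRET = base64.b64encode(b"constructed demo key - not a real secret").decode()


def encode_name(name):
    """Wire-encode a domain name in canonical form (lowercase, no compression)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, fqdn, ipv4, ttl=60, msg_id=None):
    """UPDATE message: zone section, no prerequisites, one 'add A record' RR."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    rdata = socket.inet_aton(ipv4)
    rr = encode_name(fqdn) + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def tsig_sign(msg, key_name, secret_b64, now=None, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    now = int(time.time()) if now is None else now
    variables = (encode_name(key_name) + struct.pack(">HI", CLASS_ANY, 0) + encode_name(TSIG_ALG)
                 + now.to_bytes(6, "big") + struct.pack(">HHH", fudge, 0, 0))
    mac = hmac.new(base64.b64decode(secret_b64), msg + variables, hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG) + now.to_bytes(6, "big") + struct.pack(">HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack(">HH", 0, 0))   # original ID, error 0, other len 0
    tsig_rr = encode_name(key_name) + struct.pack(">HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1     # TSIG counts in the additional section
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + tsig_rr


def _skip_name(buf, pos):
    """Offset just past a wire-format name (a compression pointer ends it)."""
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + n


def tsig_verify(signed, secret_b64, now=None):
    """What the server does: find the TSIG RR, check the time window, recompute the MAC."""
    counts = struct.unpack(">HHHH", signed[4:12])
    pos = 12
    for _ in range(counts[0]):                     # zone section: name, type, class
        pos = _skip_name(signed, pos) + 4
    tsig_start = None
    for section, n in enumerate(counts[1:]):       # prereq, update, additional
        for _ in range(n):
            start = pos
            pos = _skip_name(signed, pos)
            rtype, _, _, rdlen = struct.unpack(">HHIH", signed[pos:pos + 10])
            pos += 10 + rdlen
            if section == 2 and rtype == TYPE_TSIG:
                tsig_start = start
    if tsig_start is None:
        return False
    rd = _skip_name(signed, tsig_start) + 10       # start of the TSIG RDATA
    alg_end = _skip_name(signed, rd)
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_len = struct.unpack(">HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    tail = alg_end + 10 + mac_len
    orig_id, error, other_len = struct.unpack(">HHH", signed[tail:tail + 6])
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False                               # outside the replay window
    unsigned = (orig_id.to_bytes(2, "big") + signed[2:10] + struct.pack(">H", counts[3] - 1)
                + signed[12:tsig_start])
    variables = (signed[tsig_start:rd - 10] + struct.pack(">HI", CLASS_ANY, 0) + signed[rd:alg_end]
                 + signed[alg_end:alg_end + 8] + struct.pack(">HH", error, other_len)
                 + signed[tail + 6:tail + 6 + other_len])
    expect = hmac.new(base64.b64decode(secret_b64), unsigned + variables, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expect)


def send_update(server, signed, timeout=3.0):
    """Send over UDP/53 and return the RCODE (0 NOERROR, 5 REFUSED, 9 NOTAUTH)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(signed, (server, 53))
        resp, _ = s.recvfrom(4096)
    return struct.unpack(">H", resp[2:4])[0] & 0x0F
```

Against the zone above, `send_update("kci.kcilink.com", tsig_sign(build_update("dyn.khera.org",
"newhost.dyn.khera.org", "203.0.113.7"), "newhost.dyn.khera.org", secret))` should return 0,
the same update signed with that key but naming a different host should return 5 (REFUSED,
the update-policy denied it), and a bad key or MAC returns 9 (NOTAUTH). The server must also
be configured for hmac-sha256 for this to be accepted; the notes' ddns-confgen line produces
hmac-md5 keys.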


Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-08 Thread Vick Khera
On Mon, Sep 7, 2015 at 9:24 PM, Ryan Coleman  wrote:

> How do you get this to function with Dyn.com (formerly DynDNS.com)? I have
> the paid domain and I've gotten CenturyLink DSL modems to negotiate the IP
> without issue before but I cannot seem to figure out the configuration for
> pfSense.
>

You'd have to ask Dyn if they can make host names within your own domain
dynamic. The dynamic DNS configuration in pfSense is for working with their
existing dynamic DNS domains, like foo.dyndns.org.

Personally, I set up my own personal domain (which I self-host in BIND9) to
work with the RFC 2136 client within pfSense. It involved having a
sub-domain to hold the dynamic parts for easier management. I did not spend
the effort to figure out if I could mix and match static and dynamic domain
names in the top level.

Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client, and HE.net service types

2015-09-07 Thread Vick Khera
On Mon, Sep 7, 2015 at 2:37 PM, David Christensen  wrote:

> Do they refer to Hurricane Electric (he.net)?
>

Yes.


Re: [pfSense] pfSense no access to web configurator from internal network

2015-08-10 Thread Vick Khera
On Sat, Aug 8, 2015 at 5:01 AM, Alfredo Tapia Sabogal <
alfred.ta...@gmail.com> wrote:

> Vick, thank you for your prompt response. I changed my LAN IP address to
> 192.168.1.40/24 and the WAN to 192.168.0.10/24, so when I go to Internet
> Explorer and type the LAN IP address, or ping it, it tells me that the host
> is unreachable, so the web configurator doesn't load. Should I do something
> else? My laptop IP address is 192.168.0.4/24; even when I ping the LAN/WAN
> it is not reachable. What should I do? Please help!!!
>

So your laptop is on the WAN not the LAN. You cannot expect it to reach the
LAN if it is not on the same network. Are you very new at networking?

Re: [pfSense] pfSense no access to web configurator from internal network

2015-08-07 Thread Vick Khera
On Thu, Aug 6, 2015 at 1:12 PM, Alfredo Tapia Sabogal <
alfred.ta...@gmail.com> wrote:

> internal network (LAN) em1 far as I did well, but I have some problems with
> my IP's range of IP's from my provider are 192.168.0.1 (router) in the
> PFSENSE I assigned the network card for the WAN 192.168.0.10 IP DHCP and
> for
> the LAN (INTERNAL Network ) I put 192.168.0.20 and give that addresses for
>

You will have to set the IP for the LAN to something else via the console,
or run in a mode disconnected from the LAN so your desktop can talk to the
pfSense LAN IP.

You can't have the same networks on both LAN and WAN.


Re: [pfSense] Problem with load vpn status

2015-07-30 Thread Vick Khera
Perhaps pay someone to debug it for you? The pfSense folk sell support
contracts that are reasonably priced.

On Thu, Jul 30, 2015 at 11:18 AM, Edward Josette Ortega Salas <
edward.jose...@gmail.com> wrote:

> Hi.
>
> So.. what would be your recommendation?.. The other weird thing is that it
> happens just with the IPsec status bar; the rest works just fine.
>
> Thanks again
>
> 2015-07-30 10:25 GMT-04:30 Vick Khera :
>
> > On Wed, Jul 29, 2015 at 3:18 PM, Edward Josette Ortega Salas <
> > edward.jose...@gmail.com> wrote:
> >
> > > Yes, it was quick:
> > >
> > > - For setkey -D it took:  0.253u 0.276s 0:31.37 1.6% 93+178k 0+0io 0pf+0w
> > > - And for setkey -DP:  0.017u 0.008s 0:00.02 50.0% 204+408k 0+0io 0pf+0w
> > >
> > > And.. we are talking about 157 VPNs, so what can we do with this delay? Do
> > > you need another parse code or additional information to solve this?
> > >
> >
> > Not being a PHP developer, I couldn't say why it takes so long to
> generate
> > that page from the output of setkey, but I'd definitely narrow my search
> > for the problem to the PHP code.


Re: [pfSense] Connect pfSense as client to a Hotel WLAN?

2015-07-30 Thread Vick Khera
On Thu, Jul 30, 2015 at 4:10 AM, Seth Mos  wrote:

> The current crown goes to the Dlink DIR510L which is a dual band travel
> router with dual radios (dual band) and a 4Ah battery for charging
>

The DLink DIR505 has been in my travel bag for a few years. It makes life
very easy when traveling. I should check out if the 510 is worth upgrading.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Problem with load vpn status

2015-07-30 Thread Vick Khera
On Wed, Jul 29, 2015 at 3:18 PM, Edward Josette Ortega Salas <
edward.jose...@gmail.com> wrote:

> Yes, it was quick:
>
> - For setkey -D it took:  0.253u 0.276s 0:31.37 1.6% 93+178k 0+0io 0pf+0w
> - And for setkey -DP:  0.017u 0.008s 0:00.02 50.0% 204+408k 0+0io 0pf+0w
>
> And.. we are talking about 157 VPNs, so what can we do with this delay? Do
> you need another parse code or additional information to solve this?
>

Not being a PHP developer, I couldn't say why it takes so long to generate
that page from the output of setkey, but I'd definitely narrow my search
for the problem to the PHP code.


Re: [pfSense] Problem with load vpn status

2015-07-29 Thread Vick Khera
On Wed, Jul 29, 2015 at 10:24 AM, Edward Josette Ortega Salas <
edward.jose...@gmail.com> wrote:

> Status -> IPsec, I have a 15 to 20 min delay to show the information.
>

How long do these commands take to run on the command line:

setkey -D
setkey -DP

If these are quick, I'd suspect that the UI code that parses this output is
inefficient and taking a long time.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Vick Khera
On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz  wrote:

> Again,  I agree with you that this shouldn't affect your score.  I am
> simply explaining why they do it.
>

Based on this explanation, I agree. There's no reason for them to demand
that your certificate also sign any other domain name as long as it signs
the one to which they are connecting and testing.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Vick Khera
On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman 
wrote:

> I have an issue with Qualys: They ding my certification because I have
> domain.com on it and not www.domain.com (multi-site cert).
>
> That's not a reason to lower a score on security.
>

The only way I can make sense of your sentence is that they are dinging you
for having a certificate that does not match the name of the site you are
visiting because one has "www." and the other does not. That seems to be
reasonable for them to ding you.

Re: [pfSense] IPSEC Tunnel with NAT not working under 2.2.3

2015-07-08 Thread Vick Khera
On Tue, Jul 7, 2015 at 8:39 AM, compdoc  wrote:

> The same thing happened to me. I had to change the Encryption algorithm
> from
> AES256 to 3DES to get it to work.
>

Another option is to disable the AES-NI hardware acceleration in 2.2.3.


Re: [pfSense] iphone roaming client stopped routing

2015-07-06 Thread Vick Khera
On Wed, Jul 1, 2015 at 12:25 PM, Vick Khera  wrote:

> With pfSense 2.2.3, the iPhone connects to the pfSense firewall to
> negotiate the VPN. The status seems to be normal and as far as I can tell
> all the IPSec bits are in order. Nothing unexpected in the logs. SAD and
> SPD look fine to me.
>

For the list archives: there is a bug in 2.2.3 using AES-256 encryption
with hardware accelerated crypto via AES-NI kernel module. Disabling the
latter (and rebooting) solves the problem. 2.2.4 will fix this, hopefully
soon.


Re: [pfSense] Issues with IPsec and 2.2.3

2015-07-06 Thread Vick Khera
On Sun, Jul 5, 2015 at 12:03 PM, Ryan Coleman  wrote:

> Neither my desktop nor my mobile (OS X 10.10.3 and iOS 8.3) are able to
> negotiate on a previously-functioning IPsec configuration. Only change I
> can determine right now is the updated OS of the firewall to CURRENT.
>

I had the issue with iPhone IPSec connection not routing any packets, but
negotiating properly otherwise. It turns out there is a bug in 2.2.3 with
respect to using AES-256 encryption and having the AES-NI hardware
acceleration enabled. Release 2.2.4 expected soon will fix this.


Re: [pfSense] Loading pfSense on Netgate 1U rack mount server c2758

2015-07-02 Thread Vick Khera
Are you trying to put the CD ISO image on the USB stick? That doesn't work.
You have to use the memstick image. This is not like some linux distros
where you use the CD image like this.


On Thu, Jul 2, 2015 at 2:31 PM, Paul Upson 
wrote:

> I recently purchased this device and am now trying to load pfSense onto it
> using a usb stick. Each time the load fails with the following error.
> Mounting from cd9660:/dev/iso9660/PFSENSE fails with error 19. I found a
> post that said to add the command "set kern.cam.boot_delay="1" but it
> doesn't change the result. I need a resolution soon.
>
> Thanks
>
> *Paul Upson*
> IT Support Manager
> Westmoreland Museum of American Art @rt 30
> 4764 State Route 30, Greensburg, PA 15601
> 724-261-9982
> thewestmoreland.org
>
> 


[pfSense] iphone roaming client stopped routing

2015-07-01 Thread Vick Khera
For years I've had the iPhone roaming client IPSec configuration (using the
Cisco IPSec built-in client for iPhone). It has always worked great. I set
it up using the instructions on the pfSense forums.

With pfSense 2.2.3, the iPhone connects to the pfSense firewall to
negotiate the VPN. The status seems to be normal and as far as I can tell
all the IPSec bits are in order. Nothing unexpected in the logs. SAD and
SPD look fine to me.

However, no packets are routing. I cannot access *any* resource inside or
outside the VPN from my device. Normally all traffic is sent to the VPN
server in this configuration.

Clearly something changed with the roaming client use case with the recent
updates to IPSec.

Has anyone else noticed this on the upgrade? What's the fix?


SPD:
  Source         Destination    Dir  Proto  Tunnel endpoints
  192.168.101.1  0.0.0.0/0      in   ESP    70.192.205.232 -> X.Y.208.212
  0.0.0.0/0      192.168.101.1  out  ESP    X.Y.208.212 -> 70.192.205.232

SAD:
  Source          Destination     Proto  SPI       Enc. alg.     Auth. alg.  Data
  X.Y.208.212     70.192.205.232  ESP    096c1f12  rijndael-cbc  hmac-sha1   0 B
  70.192.205.232  X.Y.208.212     ESP    c61812fe  rijndael-cbc  hmac-sha1   0 B

Overview status (IKE SA):
  Local ID:  X.Y.208.212
  Local IP:  X.Y.208.212, port 4500, NAT-T, XAuth: user1
  Remote:    70.192.205.232, port 7009
  Role:      IKEv1 responder
  Reauth:    7 hours
  Algo:      AES_CBC:256 HMAC_SHA1_96:0 PRF_HMAC_SHA1 MODP_1024
  Status:    established 2 minutes ago

Child SA:
  Local subnets:   0.0.0.0/0
  Local SPI:       c61812fe
  Remote SPI:      96c1f12
  Remote subnets:  192.168.101.1/32
  Times:           Rekey: 42 minutes, Life: 57 minutes, Install: 2 minutes
  Algo:            AES_CBC:256 HMAC_SHA1_96:0, IPComp: none
  Stats:           Bytes-In: 0, Packets-In: 0 : 126, Bytes-Out: 0, Packets-Out: 0 : 0

Mobile tunnel entry:
  Description: iPhone Roaming Clients, Local ID: X.Y.208.212, Local IP: X.Y.208.212,
  Remote ID: iphone, Remote IP: Unknown, Status: Awaiting connections



The configs are as follows:

Tunnel Phase1:
 Key exchange: V1
 IPv4
 Authentication: Mutual PSK + Xauth
 Mode: Aggressive
 Identifier: My IP address
 Peer Identifier: Distinguished name, iphone
 PSK: <64-byte hex value>
 Encryption: AES-256, SHA1
 DH Key group: 2
 NAT Traversal: auto
 DPD: 10 seconds/5 tries

Phase2:
 Mode: tunnel IPv4
 Local Network: Type: address, Address 
 NAT Type: 
 Protocol: ESP
 Algorithms: AES-256, SHA1
 PFS key group: off

On the mobile client tab:
 Authentication: Local Database, system
 Virtual address pool: 192.168.101.0/24
 Network list: unchecked
 Save Xauth PW: allowed
 DNS Domain: int.kcilink.com
 DNS Servers: 192.168.97.97; 8.8.4.4
 other options off.

On the iphone:
 server: DNS name of my pfsense WAN interface
 account/password: properly set
 no certificate
 Group name: iphone (matches Peer Identifier above)
 Secret: (matches PSK 64-byte key above)


Re: [pfSense] Improving OpenVPN performance

2015-07-01 Thread Vick Khera
On Wed, Jul 1, 2015 at 10:40 AM, Jon Gerdes  wrote:

> Your first job is to establish a real baseline.  That is: How fast can
> you really move data between the two sites without any tunnels?  You may
> have to be creative with NATting and other tricks to get a system at
> each end to see the other.
>

After you have done this do some of these things. These are all things I
had to try to debug a horribly performing OpenVPN tunnel (about 10% of raw
baseline in one direction only, other direction was line speed).


   - Turn on/off the network offloading switches: checksum, TCP
     segmentation, LRO. Do this one at a time. For APU you want checksum
     offload disabled, but the others on in normal use. Disable here only to
     satisfy yourself that they are not the culprit.
   - Try different ciphers. AES-128-CBC is great and works with the
     hardware cryptodev engine in modern CPUs.
   - Turn on/off BSD cryptodev (you already did this one).
   - Try TCP instead of UDP (likely will be slower, though).
   - Change the MTU size to be smaller on the VPN link using the advanced
     OpenVPN configurations.
   - Use NULL encryption to rule out slow CPU crypto (you've already done
     this one).
   - Switch to IPsec to rule out something crazy on intermediate routers
     between endpoints.
   - Use port 443/TCP for the same reason as above.

For me, none of this made a difference and I gave up. Until the one day
that my primary firewall WAN NIC died on the motherboard. The failover box
took over and suddenly OpenVPN was running at line speed between the two
endpoints. It turns out in my case that the NIC had started to fail a few
months before, and the only symptom was outbound wrapped packets, either
OpenVPN or IPSEC, would be lost frequently and retransmitted. Nonetheless,
the above tricks should help you optimize your connection once you
determine your raw baseline speed.
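The first item in the list above, toggling the NIC offload features one at a time, is easy to get wrong when several are enabled at once. The following is an added example, not code from the thread or from the pfSense project: it parses FreeBSD-style `ifconfig` output (the sample text is constructed) and emits one disable/restore command pair per enabled offload feature, so each throughput run changes exactly one variable. The `ifconfig` keywords (`rxcsum`, `txcsum`, `tso`, `lro`) are the standard FreeBSD ones; the interface names and hex option values in the sample are made up.

```python
import re

# Constructed FreeBSD-style ifconfig output (sample data, not from the thread).
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 00:0d:b9:aa:bb:cc
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4000b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
\tether 00:0d:b9:aa:bb:cd
"""

# ifconfig option names relevant to the offload experiments, mapped to the
# ifconfig(8) keyword that toggles them (the "tso" keyword covers TSO4 and TSO6).
OFFLOAD_FLAGS = {"RXCSUM": "rxcsum", "TXCSUM": "txcsum",
                 "TSO4": "tso", "TSO6": "tso", "LRO": "lro"}
IFACE_RE = re.compile(r"^(\w+): flags=")
OPTIONS_RE = re.compile(r"options=[0-9a-f]+<([^>]*)>")


def parse_offloads(text: str) -> dict:
    """Map each interface in ifconfig output to its enabled offload options."""
    enabled, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            enabled[current] = set()
            continue
        m = OPTIONS_RE.search(line)
        if m and current is not None:
            enabled[current] = {f for f in m.group(1).split(",") if f in OFFLOAD_FLAGS}
    return enabled


def isolation_plan(ifname: str, enabled: set) -> list:
    """One (disable, restore) command pair per offload feature, so every
    throughput run differs from the baseline in exactly one setting."""
    keywords = sorted({OFFLOAD_FLAGS[f] for f in enabled})
    return [(f"ifconfig {ifname} -{k}", f"ifconfig {ifname} {k}") for k in keywords]


if __name__ == "__main__":
    for ifname, flags in parse_offloads(SAMPLE_IFCONFIG).items():
        print(f"{ifname}: enabled offloads {sorted(flags) or 'none'}")
        for disable, restore in isolation_plan(ifname, flags):
            print(f"  {disable}   # run the throughput test, then: {restore}")
```

Live `ifconfig` changes like these are for the experiment only; pfSense reapplies its own settings when an interface is reconfigured, so the lasting choice (for the APU, checksum offload off and the rest on, as the post says) belongs in the GUI under System > Advanced > Networking.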


Re: [pfSense] WRAP and pfsense

2015-06-09 Thread Vick Khera
On Tue, Jun 9, 2015 at 9:12 AM, Jim Pingle  wrote:

> Between that and the age of the hardware, I'd not trust them in the wild
> at this point for that role. The WRAP went EOL in 2007, and the ALIX
> isn't far off. The newest WRAP would still be 8 years old.
>
>
To this point, I have some retired ALIX systems if anyone wants them. Two
of the netgate dual-board systems in a 1U enclosure, and 1 in a red box
enclosure (I have to find this one...)  Ping me off-list.


Re: [pfSense] WRAP and pfsense

2015-06-09 Thread Vick Khera
On Tue, Jun 9, 2015 at 12:37 AM, Cheyenne Deal 
wrote:

> I know that wrap boards are not supported on pfsense but I was wondering if
> anyone know if a way of installing a os on it and getting it to be a vpn
> end point.
>

There are instructions hiding somewhere online for hacking the boot code on
pfSense 1.x to work with the WRAP board. I did it once. It involved using
virtualbox and a USB adapter for the CF card as I recall. Something about
disabling "packet" mode on the boot.

I have some notes on virtual box booting CF with serial console here and
the post linked in it:
http://vivek.khera.org/mini-blog/serialconsoleaccessinvirtualbox

I don't have my notes on disabling packet mode.


Re: [pfSense] CARP - Communication between Master and Slave over which NIC?

2015-06-05 Thread Vick Khera
You're mixing two separate things.

The SYNC is the firewall configuration and states synchronization between
the two machines.

CARP sends special "I'm alive" packets on the same NIC for which it is
configured. That's the only way to tell if the other server's connection to
this network is alive. It is independently tested for each NIC/network.

One does not require the other, but together they make for some nice
redundancy configurations.


On Fri, Jun 5, 2015 at 11:05 AM, Hubschmid Lukas (s) <
lukas.hubsch...@students.fhnw.ch> wrote:

> Hello everybody,
>
> Following scenario:
> - 2 pfSense nodes with two NICs each
> - both nodes are connected directly with a cable using one NIC (let's call
> this NIC SYNC)
> - both nodes are connected to the client network using the second NIC
> (let's call this NIC LAN)
> - 1 node is master (active), 1 node is slave (passive)
> - CARP is configured to use the SYNC link for synchronization
> - master node IP on LAN: 192.168.1.2
> - slave node IP on LAN: 192.168.1.3
> - Virtual IP on LAN: 192.168.1.1
> - All clients can communicate with both pfSense nodes (NIC LAN) on layer 2
> - Now the weird thing: the LAN NICs of both pfSense nodes CANNOT
> communicate on layer 2 (don't ask, it's because of VXLAN)
>
> How does the slave detect if the master has lost connection to LAN? Do
> they do this only via the SYNC link?
> Or does the slave node periodically send probe messages over the LAN NIC
> to check if the LAN NIC of the master node is still reachable?
>
> KR,
> Lukas
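The reply above turns on one detail: CARP advertisements travel on the NIC they are configured for, and the backup judges each network on its own from those advertisements, not from the SYNC link. The following is an added example, not code from the thread or from pfSense: it decodes a CARP advertisement header as laid out in FreeBSD's `struct carp_header` (IP protocol 112), verifies its checksum, derives the advertisement interval and the master-down timeout from `advbase` and `advskew`, and then decides per interface whether the master has gone quiet. The advertisement bytes are constructed by the script itself with a zero HMAC; the interface names and timestamps are made up.

```python
import struct

# Wire layout of a CARP advertisement (carried in IP protocol 112), following
# FreeBSD's struct carp_header: version/type byte, vhid, advskew, authlen,
# reserved byte, advbase, 16-bit checksum, 64-bit replay counter, 20-byte HMAC.
CARP_FMT = "!BBBBBBHII20s"
CARP_LEN = struct.calcsize(CARP_FMT)   # 36 bytes
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
MISSED_ADVERTS = 3                     # FreeBSD declares the master down after 3 missed adverts


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header carrying a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vhid: int, advbase: int, advskew: int,
                        counter: int = 1, md: bytes = b"\x00" * 20) -> bytes:
    """Build a sample advertisement (constructed test data, HMAC left zero)."""
    fields = [(CARP_VERSION << 4) | CARP_ADVERTISEMENT, vhid, advskew,
              7,              # authlen: counter + md = 28 bytes = 7 x 32-bit words
              0, advbase, 0,  # reserved, advbase, checksum placeholder
              counter >> 32, counter & 0xFFFFFFFF, md]
    fields[6] = inet_checksum(struct.pack(CARP_FMT, *fields))
    return struct.pack(CARP_FMT, *fields)


def parse_advertisement(pkt: bytes) -> dict:
    """Decode one advertisement and derive the timers a peer applies to it."""
    if len(pkt) < CARP_LEN:
        raise ValueError("truncated CARP header")
    hdr = pkt[:CARP_LEN]
    if inet_checksum(hdr) != 0:
        raise ValueError("CARP checksum mismatch")
    vt, vhid, advskew, _authlen, _rsvd, advbase, _ck, c_hi, c_lo, md = struct.unpack(CARP_FMT, hdr)
    if vt >> 4 != CARP_VERSION or vt & 0x0F != CARP_ADVERTISEMENT:
        raise ValueError("not a CARPv2 advertisement")
    interval = advbase + advskew / 256.0   # seconds between advertisements
    return {
        "vhid": vhid,
        "advbase": advbase,
        "advskew": advskew,
        "interval_s": interval,
        "master_down_s": MISSED_ADVERTS * interval,
        "counter": (c_hi << 32) | c_lo,
        "hmac": md,
    }


def stale_interfaces(last_seen: dict, adverts: dict, now: float) -> list:
    """Interfaces on which the master's advertisement is overdue.

    last_seen maps ifname -> timestamp of the last advert heard on that NIC,
    adverts maps ifname -> the parsed advertisement. Each NIC is judged alone:
    silence on LAN means a LAN failover even while SYNC is perfectly healthy.
    """
    return sorted(ifn for ifn, t in last_seen.items()
                  if now - t > adverts[ifn]["master_down_s"])


if __name__ == "__main__":
    lan = parse_advertisement(build_advertisement(vhid=1, advbase=1, advskew=0))
    sync = parse_advertisement(build_advertisement(vhid=2, advbase=1, advskew=100))
    print("LAN master-down after", lan["master_down_s"], "s;",
          "SYNC master-down after", sync["master_down_s"], "s")
    # Constructed timeline: last adverts heard at t=0 on both NICs, now t=3.5 s.
    print("failover needed on:", stale_interfaces({"lan": 0.0, "sync": 0.0},
                                                  {"lan": lan, "sync": sync}, now=3.5))
```

In the scenario from the question, the LAN NICs of the two nodes cannot reach each other at layer 2, so the backup never hears the master's LAN advertisements and `stale_interfaces` will report LAN as down regardless of what crosses the SYNC cable; that is exactly the split-brain condition the reply warns about.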

