Re: [pfSense] Is there a would it pass/what-if capability?

2013-03-20 Thread Bryan D.
preliminary) testing, but would also be good for admins to check whether they seem to have gotten things configured correctly. Bryan D. http://www.derman.com/ On 2013-Mar-20, at 2:51 AM, mayak-cq ma...@australsat.com wrote: On Tue, 2013-03-19 at 23:19 -0700, Bryan D. wrote: I've searched both

Re: [pfSense] Is there a would it pass/what-if capability?

2013-03-21 Thread Bryan D.
-if capability to be added to pfSense. While I'm a little surprised that something like this doesn't already exist, given its obvious value, I'd also guess that it'd be a rather involved task. On 2013-Mar-20, at 11:16 AM, Jim Pingle li...@pingle.org wrote: On 3/20/2013 1:58 PM, Bryan D. wrote

[pfSense] OpenVPN Keep-Alive Setting

2014-01-28 Thread Bryan D.
I hope I'm not just having a senior's moment, but I can't find any place on the GUI where the OpenVPN server's keepalive option is set but one is being generated in the server config file. I'm running pfSense 2.1 release. Couldn't find an answer via the pfSense forums or via Mr. Google nor

[pfSense] Run-Away Processing Issue

2014-02-18 Thread Bryan D.
I have a problem that I've been unable to make much progress with and could use some suggestions on how to proceed. The problem is that whenever the WAN interface link on the pfSense box goes down, pfSense goes into some sort of loop/run-away condition and requires a reboot. This problem is

Re: [pfSense] Run-Away Processing Issue

2014-02-23 Thread Bryan D.
On 2014-Feb-19, at 6:17 AM, Jim Pingle li...@pingle.org wrote: Try pfSense 2.1.1. There were some issues with link cycling in certain cases that you might be hitting which were fixed on 2.1.1. https://forum.pfsense.org/index.php/topic,71546.0.html Jim On 2/19/2014 2:07 AM, Bryan D

Re: [pfSense] multiple openvpn instance routing issue.

2014-02-26 Thread Bryan D.
understand why routing doesn't take care of it and why NAT is required for certain things to work, but this was the only way I could get it to work in my setup. Of course, I'd like to be educated if someone has an answer. Bryan D. http://www.derman.com/ On 2014-Feb-26, at 11:41 AM, Muhammad

Re: [pfSense] Multiple static IPs from one ISP - Virtual IPs? - Trying this again

2014-03-03 Thread Bryan D.
On 2014-Mar-02, at 11:52 PM, Ryan Coleman ryanjc...@me.com wrote: How do I set up multiple static addresses? I used Virtual IP to create x.2 and I can ping it internally but not externally. I’ve tried using guides I’ve found online but I cannot seem to get them to work. What I want to

Re: [pfSense] Multiple static IPs from one ISP - Virtual IPs? - Trying this again

2014-03-03 Thread Bryan D.
PiBA was correct: only the WAN rule is required for pings (learn something new every day!). My testing was via an outside network as pings always work internally, with our setup. Previously you wrote: I’ve done this, but I won't route traffic out (NAT) until I have verifiable traffic coming

Re: [pfSense] pfsense openvpn Road Warrior

2014-03-19 Thread Bryan D.
On 2014-Mar-19, at 2:24 AM, A Mohan Rao mohanra...@gmail.com wrote: Hello Team, Hello, I have configured openvpn road warrior also client is properly connected from outside internet network. but not able to access server end network and servers. can anybody give any help where is do any

[pfSense] Unable to access via static route

2014-03-25 Thread Bryan D.
I have an issue that I've been unable to solve and could use some suggestions (or confirmation that it can't be done). Background -- The problem is that I can only access IPs on the other side of a VPN connection via a static route when on one of our LANs. Here's an overview of the

Re: [pfSense] Interface yoyo

2014-04-20 Thread Bryan D.
On 2014-Apr-20, at 12:33 AM, Volker Kuhlmann list0...@paradise.net.nz wrote: Ever since upgrading to pfsense 2.1 I have been let down by it. It looks like there are multiple issues and I am trying to separate them. One is system suicide by memory gobbling - but it's been a little tricky to

Re: [pfSense] Interface yoyo

2014-04-21 Thread Bryan D.
On 2014-Apr-21, at 6:28 AM, Jim Pingle li...@pingle.org wrote: snip'd The Spoofed MAC address issue was a problem in the past with certain drivers that sounds very similar because it got into a chicken-and-egg scenario that went a little something like this: * pfSense sets the MAC

Re: [pfSense] Network Topology - Home Lab

2014-06-29 Thread Bryan D.
to know to route all traffic for 10.0.0.1/24, 192.168.10.0/24, 192.168.20.0/24, and possibly 172.16.0.0/24 over the VPN connection). I've put up a bunch of stuff on iOS VPN with pfSense that could be of some help in this: http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN Bryan D. http

Re: [pfSense] Route OpenVPN traffic to the available IPSec tunnels

2014-12-26 Thread Bryan D.
On Wed, Dec 24, 2014 at 5:15 AM, Lorenzo Milesi max...@ufficyo.com wrote: Hi. Is it possible to route OpenVPN clients to the available IPSec routes? I currently have 3 IPSec tunnels on my pfSense, and seldom I need to access those routes outside my office. Is it possible to do so? In my

Re: [pfSense] Multiple Roadwarrior OpenVPN on my PFSense server

2015-01-20 Thread Bryan D.
On 2015-Jan-19, at 8:28 PM, Mark Wass m...@market-analyst.com wrote: snip'd I've checked my WAN firewall rules and can see that the Wizard has added an open port to 1196 in the rules. Is there some sort of rule that does not allow me to have multiple OpenVPN servers running? I have 3

Re: [pfSense] viscosity, openvpn, and pfsense

2015-01-19 Thread Bryan D.
On 2015-Jan-19, at 1:48 PM, Jeremy Porter jpor...@electricsheepfencing.com wrote: The configuration you're trying to use in pfsense is TLS Authentication, which is a static (shared) TLS key. In the Server Mode box, you need to select SSL/TLS or SSL/TLS User authentication. You will need to

[pfSense] Suddenly getting pfi_table_update errors

2015-02-17 Thread Bryan D.
I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 GB of memory that always shows 50% used. This setup has normally been reliable but, since upgrading to 2.1.5, today is the 4th time I've run into a problem after making changes to some aliases. For some reason that

[pfSense] Suddenly getting pfi_table_update errors [work-around]

2015-02-19 Thread Bryan D.
I think this issue has been solved: - issue was errors similar to: --- [ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - The line in question reads [0]: ] --- and/or an error indicating that it can't allocate memory (but there's over 50% of the memory reported as

[pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-21 Thread Bryan D.
We've had a pfSense-to-pfSense always-on IPsec VPN connecting 2 offices since 2008 (pfSense 1.2 IIRC) and it's: - been ultra reliable (if VPN is down, suspect ISP issue or pfSense box failure) - it's been quick to connect (about 1 second, almost unnoticeable) - it's worked across numerous

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 3:34 AM, Matthias May matth...@may.nu wrote: A CARP address has its own MAC. The IP alias shares the MAC of its parent interface. If you change this while running, your upstream routers/switches will have the wrong MAC address for your IP cached. Sending a GARP might

Re: [pfSense] NIC Offloading Setting Questions

2015-03-05 Thread Bryan D.
On 2015-Mar-05, at 11:46 AM, Chris Buechler c...@pfsense.com wrote: The description of what's enabled/disabled got confused from Jim's earlier post I think. LRO and TSO are both disabled by default, hardware checksum offloading is enabled by default. Just for the record, Jim's message ended

[pfSense] How to troubleshoot

2015-03-10 Thread Bryan D.
I have a v2.2 64-bit config running on a Core2 Duo system. The config uses a number of aliases (including aliases that include other aliases, etc.). Rules are based upon the aliases (du-oh!). PROBLEM: if I change the name of 1 of the IP aliases, the name of the corresponding table doesn't

Re: [pfSense] Follow-Up -- VIPs : CARP vs IP Alias

2015-03-10 Thread Bryan D.
... which means that it's likely to get done. soapbox/ Thanks, again, to all who participated. On 2015-Mar-09, at 6:57 AM, Jim Pingle li...@pingle.org wrote: On 03/08/2015 06:50 PM, Bryan D. wrote: My interpretation of the nice chart and notes on https://doc.pfsense.org/index.php

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-08, at 3:53 PM, Espen Johansen pfse...@gmail.com wrote: I believe the key to this is proxy arp. Brgds, Espen On 8 March 2015 at 23:50, Bryan D. pfse...@derman.com wrote: While we're on the topic, I have a functioning v2.2 setup that uses a /29 set of static IPs: - 1 IP

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 2:38 AM, Brian Candler b.cand...@pobox.com wrote: On 09/03/2015 09:33, Bryan D. wrote: So, for what I'm doing, an IP Alias VIP seems like it should work where a CARP VIP works -- but it doesn't appear that a Proxy ARP VIP should, since I think I'm using them

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 3:05 AM, Chris L c...@viptalk.net wrote: On Mar 9, 2015, at 2:56 AM, Brian Candler b.cand...@pobox.com wrote: On 09/03/2015 09:51, Bryan D. wrote: So it sounds like the IPsec and OpenVPN traffic would be such traffic? IPSEC traffic is addressed *to* the firewall

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 2:56 AM, Brian Candler b.cand...@pobox.com wrote: On 09/03/2015 09:51, Bryan D. wrote: So it sounds like the IPsec and OpenVPN traffic would be such traffic? IPSEC traffic is addressed *to* the firewall (at least the IKE stuff on udp 500 is, since it is received

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 3:11 AM, Chris L c...@viptalk.net wrote: On Mar 9, 2015, at 3:07 AM, Brian Candler b.cand...@pobox.com wrote: On 09/03/2015 10:05, Chris L wrote: Are you saying you want different clients' IPSEC tunnels to terminate on different public IP addresses on the firewall WAN

[pfSense] VIPs : CARP vs IP Alias

2015-03-08 Thread Bryan D.
While we're on the topic, I have a functioning v2.2 setup that uses a /29 set of static IPs: - 1 IP is the gateway address and 5 IPs are usable (quite common, I believe) - one of the usable IPs is assigned to the WAN interface - the other 4 usable IPs are assigned to VIPs - the WAN IP and VIPs

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-25 Thread Bryan D.
On 2015-Mar-23, at 7:34 AM, Christopher CUSE cc...@ccuse.com wrote: just got dropped again -- fourth time in last few hours -- something is definitely wrong. upgraded all my pfsenses to 2.2.1 over the weekend. For me, the VPN drops in the absence of end-to-end traffic ... within minutes.

Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Bryan D.
benefit, I've submitted a slightly edited/formatted version of this to be included in the WiKi's applicable pfSense documentation page. Bryan D. http://www.derman.com/

Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Bryan D.
On 2015-Mar-04, at 2:08 PM, Jim Thompson j...@netgate.com wrote: On Mar 4, 2015, at 2:02 PM, Bryan D. pfse...@derman.com wrote: On 2015-Mar-04, at 6:20 AM, compdoc comp...@hotrodpc.com wrote: For me, what happens after enabling or disabling those settings are immediately apparent. I

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-23 Thread Bryan D.
FWIW, since my original report, I've noticed some other things: - since it's not yet deployed, the v2.2.1 (at both ends) site-to-site IPsec VPN has only 1 laptop and 1 wireless access point on the LAN and virtually nothing else happening on the WAN (it's tied to a cable modem) - the condition,

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-23 Thread Bryan D.
On 2015-Mar-23, at 5:24 PM, Chris Buechler c...@pfsense.com wrote: There's nothing to go on to offer any worthwhile suggestions. IPsec logs best place to start. If you can be more specific, I'll try to help. Sorry, but I don't have enough background with IPsec to ferret things out on my

Re: [pfSense] NTP failure in 2.2.1?

2015-04-13 Thread Bryan D.
On 2015-Apr-11, at 12:51 AM, Fabian Wenk fab...@wenks.ch wrote: I had a similar problem, but already when switching from 2.1.x to 2.2. I got it working again with not selecting any interface(s) in the NTP Server Configuration. I've created a bug report

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-09-05 Thread Bryan D.
On 2015-Sep-04, at 1:18 PM, David Hatch wrote: > We are having all the same symptoms above. All of our firewalls are > running 2.2.4. Everything that has 2 phase 2 entries is on IKE v2. ... > > Has anyone figured this out? ... nothing I can do will fix it short of pining >

Re: [pfSense] client VPN on IOS

2015-09-25 Thread Bryan D.
On 2015-Sep-15, at 6:18 AM, Ray Bagby wrote: > Greetings, > > Anyone have any luck connecting iPhone via VPN? > You can also see: http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN

Re: [pfSense] Routing some traffic through OpenVPN

2015-09-25 Thread Bryan D.
On 2015-Sep-15, at 11:39 PM, Andrej Ferčič [PCklinika] wrote: > Hello! > > I am sure that this issue has been already discussed, but I can not find any > archive. So, please give me some directions where to search or any link to > thread containing the following: > > 1.

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 2:02 PM, Peder Rovelstad wrote: > This help? https://forum.pfsense.org/index.php?topic=8640.0 Thanks, but I don't see anything there that tells me what the current packages are for pfSense 2.3.1 Update 5 (i.e., without having to first install pfSense

[pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
How does one determine the currently supported packages for the current released version of pfSense without installing pfSense first? I did find https://doc.pfsense.org/index.php/Features_List but, since there's no stated pfSense version associated with the page and since I've found it to be

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 4:03 PM, Steve Yates wrote: > I suspect package compatibility is not maintained on per-pfSense-version > basis. Meaning, packages worked on 2.x up until the package changes on 2.3, > and probably will work on into the future until the next breaking change.

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 2:35 PM, compdoc wrote: > I think this is complete: > Thanks. Looks like I can proceed with an update to 2.3. Regardless, I still think there should be a way to authoritatively determine this info via the pfSense web site -- ideally, for all

[pfSense] Unbound connections: excessive???

2016-05-22 Thread Bryan D.
On pfSense 2.2.6, I switched from dnsmasq to unbound. Resolver/unbound is configured for DNSSEC (i.e., no forwarding) and has about 150 overrides to function as our internal/split DNS (with 5 domain overrides for internal/private-address reverse lookups). The "Network Interfaces" setting has

Re: [pfSense] Aggregated WAN traffic

2016-05-10 Thread Bryan D.
On 2016-May-10, at 10:14 AM, WebDawg wrote: > Usually the only thing that you > can do in this situation is put your connection at its lowest setting > and control the connection from there. The problem with this is that > the connection will always be this lowest speed.

[pfSense] IPv6 cross-LAN access problem to virtualized host

2016-05-17 Thread Bryan D.
I'm in the process of enabling IPv6 on a working IPv4 3-LAN, 2-WAN setup using pfSense 2.2.6 (I'm also in the process of testing 3.0 and did a cursory test and got the same results with our 3.0 test setup). We're getting IPv6 via a Hurricane Electric tunnel. There are 3 LANs each with a /24

Re: [pfSense] Route Issue over Ipsec

2016-08-08 Thread Bryan D.
> Good day, > > I have a routing-related issue.. > > I found that page: > https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F > > It represents exactly what I'm having as issue.. > > I did

Re: [pfSense] pfBlockerNG: US IPv6 range size

2016-08-16 Thread Bryan D.
On 2016-Aug-16, at 8:47 AM, Gé Weijers wrote: > Hi, > > Trying to define a pfBlockerNG IPv6 alias for the US. It seems that the > GeoIP database has over a million entries, which causes a crash > > Any idea why the US ranges are this humongous? > I use pfBlockerNG and

Re: [pfSense] looking for perfect pfsense box for home?

2016-08-21 Thread Bryan D.
On 2016-Aug-21, at 5:50 AM, Paul Mather wrote: > Even on that page it's incorrect to say it "only" offers the XG-2758. That's > the only one they show in the main table on that page ... There's likely good science behind the fact that nearly all e-stores will present

[pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread Bryan D.
Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html --- Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid. I tried various incantations using

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-05 Thread Bryan D.
On 2018-Apr-04, at 10:05 PM, Dave Warren wrote: > I can also confirm that 9.9.9.9@853 does work here which reinforces that > this is a Cloudflare specific issue. - So it looks like the following config works on pfSense 2.2.6's unbound/DNS Resolver (so should work with

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-06 Thread Bryan D.
On 2018-Apr-05, at 10:47 PM, Dave Warren wrote: > Cloudflare has pushed an update, and things seem to be working from here. For > those having issues, try again now? Thanks for the "heads up." Works for me, also (i.e., on pfSense 2.2.6 configured as stated in previous