Re: [pfSense] No firewall logs on remote log server

2015-03-19 Thread ED Fochler
Same here. No firewall logs on remote syslog. Local firewall logs, yes. Other logs (dhcp, dns, system) all fine. I’ve never seen firewall rules make it to the remote syslog, though I may only have started trying in 2.1.5. i386, full install on msata SSD, soekris 6501-50. ED. On

Re: [pfSense] Design Best Practice Question

2015-03-07 Thread ED Fochler
Set your servername in apache/whatever, you’re all good. The servername needs to match the cert, the IP doesn’t matter and shouldn’t be handed out anywhere. On 2015, Mar 7, at 8:44 AM, Tim Hogan t...@hoganzoo.com wrote: Ed, I like your idea with using 1:1 NAT but just one question; If

Re: [pfSense] Design Best Practice Question

2015-03-06 Thread ED Fochler
Bridging will disable firewall and DHCP on modem, this should be expected. If it works, then you’re using it just fine. I have my DMZ hosts like that on a separate network on OPT1 with their own IP range and 1:1 nat rules. It feels more segregated that way to me than the bridging firewall

Re: [pfSense] from LAN to OPT1, pfsense forces all http connections to https

2015-04-20 Thread ED Fochler
You may be getting overruled by the self protecting hidden rules of pfSense. System - Advanced - [Admin Access] - Anti-lockout Alternatively, Services - DNS Forwarder - host overrides … could point internal machines to the DMZ address instead of the outside address when they lookup the name.

Re: [pfSense] net5501-70 and pfsense 2.2.x

2015-05-18 Thread ED Fochler
I’m still running 2.1.5 as the 2.2 series has not been happy on my soekris boxes. Will test again soon. I’ve also stopped seeing any performance benefit from the hifn encryption card for any of my uses. Perhaps you see different, but the only supported encryption on that card (aes-cbc) is no

Re: [pfSense] Gateway failures, how to access everything behind it still so that I can debug?

2015-06-19 Thread ED Fochler
If you set up CARP, then you don’t manage outages at 4am, you manage them when you get in to work because no services went out. If you hate CARP, then just do HA Sync to a running backup VM with the uplink and downlink disconnected. Then your emergency procedure is to reboot the primary, or

Re: [pfSense] FTP issues on 1:1

2015-07-07 Thread ED Fochler
FTP is a nasty beast. There’s active, passive, and extended passive connections. You may need a client that does extended passive (epsv?) to work properly. Standard passive will hand back the server’s IP data port over the control connection, so unless PFSense is altering the packets as

Re: [pfSense] pfSense IP stack crashing.

2015-10-15 Thread ED Fochler
Yeah, that sounds like the right path. Original post mentioned DOM, which I don’t understand. I don’t know that spin-rite has any value on SSD. I would be inclined to do a fresh OS install and import the configuration to eliminate data bit rot and hacking of the OS as possible problems. I

Re: [pfSense] FTP issues on 1:1

2015-07-08 Thread ED Fochler
10.20.*.* really shouldn’t be on your wan, that’s not routable. Also, 214*256+167=54951, outside the range you say you dictated in the conf (49500-52500). I don’t think PFSense is going to provide you an ftp proxy, both because you’re not using port 21, and this document:

Re: [pfSense] Lost limiter config after upgrade

2015-12-14 Thread ED Fochler
Limiters work on 2.2.4, I’m using them. But I didn’t upgrade, I created the limiters on 2.2.4. Are you asking if limiters work? Or are you just noting that they don’t cleanly upgrade? If you create them through the GUI and link them in with the firewall rules, do they work now? ED.

Re: [pfSense] Lost limiter config after upgrade

2015-12-16 Thread ED Fochler
ugh > Information Systems > Decision Sciences International Corporation > <http://www.decisionsciencescorp.com/> > <http://www.decisionsciencescorp.com/> > > On Sun, Dec 13, 2015 at 5:29 PM, ED Fochler <soek...@liquidbinary.com> > wrote: > >> Limi

Re: [pfSense] IPSec nat issue

2016-05-26 Thread ED Fochler
I agree. I typically ssh in as root and tcpdump to get a more interactive view of the network, but packet capture should give you the same data. You should be seeing traffic even if it is rejected or dropped by your firewall rules. If you’re not seeing ping, it’s not showing up at your

Re: [pfSense] FTP trouble.

2016-02-11 Thread ED Fochler
There is also extended passive, which is much better than old standard passive as it is ipv6 friendly and less likely to get wrongly proxied. So different clients from the same network to the same server may negotiate differently and present different results. The next step would be to grab

Re: [pfSense] PFSense for high-bandwith environments

2016-02-19 Thread ED Fochler
My experience has been that intel nics are bad in the 10G space, especially under BSD. I’ve had good luck with Myricom and Chelsio on BSD, though I haven’t used either specifically on PFSense. > On 2016, Feb 18, at 1:29 PM, Rainer Duffner wrote: > > >> Am 18.02.2016

Re: [pfSense] PFSense for high-bandwith environments

2016-02-19 Thread ED Fochler
. ED. > On 2016, Feb 19, at 11:54 AM, Giles Davis <gi...@multiplay.co.uk> wrote: > > On 19/02/2016 16:19, ED Fochler wrote: >> My experience has been that intel nics are bad in the 10G space, especially >> under BSD. I’ve had good luck with Myricom and Chelsio o

Re: [pfSense] XMLRPC sync - user/password limitations? And a possible bug regarding 'admin' user

2016-04-24 Thread ED Fochler
> On 2016, Apr 24, at 7:05 PM, Olivier Mascia wrote: > > Why is there a box to enter the remote system username, when it is useless > and has to be 'admin' anyway?... :) It seems to be an incomplete feature upgrade, as the admin user has always been usable and it was

Re: [pfSense] IPsec - how to assess encryption is active?

2016-04-29 Thread ED Fochler
On a modern intel system, the intel chip itself (or AMD) has AES128 or better implemented in hardware. I get ~700Mb on sftp on my macbook air 2012 like that, so those numbers are exactly where I’d expect the CPU to be maxed out doing AES128 or AES256 encryption. That’s what hardware

Re: [pfSense] Port mapping like reverse proxy

2016-05-11 Thread ED Fochler
> > On 2016, May 11, at 1:48 AM, FrancisM wrote: > > Is there any plugins from pfsense to do this kind of configuration just > like reverse proxy. this is the scenario. I only have 1 public IP address... > I know I can achieve this using other ports (higher ports) to

Re: [pfSense] Aggregated WAN traffic

2016-05-10 Thread ED Fochler
Unless your ISP is involved, you’re not going to do link aggregation or BGP. I’m guessing you’re doing NAT on both of these WAN connections, and not just routing. In this case I would recommend separating traffic by user, or by port/protocol. I had a DSL and T1 arrangement a while ago and

Re: [pfSense] Soekris Net5501 SSD

2016-05-18 Thread ED Fochler
Karl, There are numerous other similar answers to be found, but here’s mine: Get away from CF if you can. The modern performance and wear leveling work is in sata and DOM, those are better devices. Abandon the NanoBSD and just find the miscellaneous checkbox to put /tmp and /var in

Re: [pfSense] NAT Associated filter wrong

2016-10-20 Thread ED Fochler
For clarity, that’s just the order in which PF works. It does NAT translation to incoming traffic as a concept before it applies filter rules. It’s unusual in the world of firewall mechanisms, but it works just fine. It also allows you to explicitly allow traffic in to your port-forwarded

Re: [pfSense] High-latency when traffic reaches 80% wirespeed

2017-10-04 Thread ED Fochler
I have a similar situation and I solved it with limiters. I'm also a fan of limiters to ensure fair sharing of uplink bandwidth by internal users. I haven't tried changing system tunables though, so that solution may be better. Nothing is sent through the limiter until you create a rule that

Re: [pfSense] Rebuilding confidence

2018-05-13 Thread ED Fochler
Richard, I agree with Eero, VLANs are real security. It will require time and effort and maybe some additional equipment. If it helps you sleep at night, it's worth it. You might start with just IP groupings and rules though. I have an admin network that only has a couple of