Re: [pfSense] SIP problems.

2013-10-14 Thread Jon Gerdes
Are you using symmetric RTP? If not, try that along with a keep alive option. As the RFC for it states it should be a default - shame it isn't on many systems. It fixes a lot of snags for me. I have a phone - Cisco 504G - on my desk that can go weeks without making/taking a call and yet just

Re: [pfSense] SIP problems.

2013-10-15 Thread Jon Gerdes
tw (which i assume is the RTP), I'm losing all > connectivity (which I'm assuming means my Sip session is down). > > > On Mon, Oct 14, 2013 at 5:12 AM, Jon Gerdes wrote: > >> Are you using symmetric RTP? if not, try that along with a keep alive >> optio

Re: [pfSense] IPSEC bug in 2.1

2013-12-12 Thread Jon Gerdes
>>> > There exists an IPSEC bug in pfSense 2.1 > > When the router's modem is restarted, the IPSEC tunnel fails to come back > up. > > This bug is documented in the following places by numerous people: > > https://redmine.pfsense.org/issues/3321 > http://forum.pfsense.org/index.php/topic,69235

Re: [pfSense] PFSense OpenVPN General Q

2014-04-15 Thread Jon Gerdes
't for a minute believe that I can keep the 5is out or any other well funded state agency or a sufficiently well motivated cracker but I'm buggered if script kiddies will get past me. Cheers Jon Blueloop Ltd Jon Gerdes | Senior Consultant Blueloop House Ilchester Road Yeovil

[pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
having to go back to split horizon DNS again which would mean resurrecting BIND and a complicated views setup - the horror! Blueloop Ltd Jon Gerdes | Senior Consultant Blueloop House Ilchester Road Yeovil Somerset BA21 3AA Tel: 01460271055 Web: www.blueloop.net Registered Address : Blueloop House

Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
On Thu, 2014-06-12 at 23:23 +0100, Chris Bagnall wrote: > On 12/6/14 11:06 pm, Jon Gerdes wrote: > > As far as I can tell, the only downside is I lose another address to act > > as the gateway. > > Can anyone spot any flaws with this method or is it a general practice? >

Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-19 Thread Jon Gerdes
On Fri, 2014-06-13 at 18:13 +0100, Brian Candler wrote: > On 12/06/2014 23:06, Jon Gerdes wrote: > > My new ISP only provides a /29 from which WAN always gets the first one > > via PPPoE. > > > > I put the second address from the /29 onto an interface and the > >

Re: [pfSense] NetFlow analysis tools

2015-01-16 Thread Jon Gerdes
On Thu, 2015-01-15 at 17:08 +0100, b...@todoo.biz wrote: > Hello, > > I would like to know which flow-tools you are using in conjunction with > pfflowd / netflow > > I am particularly interested in GUI back-end. > > If you have any good pointer, that would really be helpful. > > > > Sinc

Re: [pfSense] 2.2-RELEASE now available!

2015-01-24 Thread Jon Gerdes
2.2 Cheers cmb 'n' troops. Great piece of work. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2 Packages

2015-01-30 Thread Jon Gerdes
On Fri, 2015-01-30 at 15:07 -0500, Brian Caouette wrote: > Where is a good place to monitor for package updates for 2.2? I had to > revert back to 2.1.5 after a fatal error shut me down. Talk to the lists, forums, IRC (probably somewhere). The core distro has a pretty good changelog and bug track

Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
> > I can get the soft phone on the workstation to work through the > firewall to register to the asterisk server and make call to the LAN > phone but cannot get the cisco phone to work to do the same. I have > tried also turning on SIProxd and nothing changes. Any help would be > much appreci

Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
On Sun, 2015-02-01 at 17:56 +0000, Jon Gerdes wrote: > > > > I can get the soft phone on the workstation to work through the > > firewall to register to the asterisk server and make call to the LAN > > phone but cannot get the cisco phone to work to do the same. I have

Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
On Sun, 2015-02-01 at 18:20 +0000, Jon Gerdes wrote: > On Sun, 2015-02-01 at 17:56 +0000, Jon Gerdes wrote: > > > > > > I can get the soft phone on the workstation to work through the > > > firewall to register to the asterisk server and make call to the LAN >

Re: [pfSense] Multi-WAN port forwarding

2015-02-13 Thread Jon Gerdes
On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote: > Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no > luck... > > --Tiernan > > -Original Message- > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L > Sent: Thursday 12 February 2015

Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-18 Thread Jon Gerdes
On Wed, 2015-02-18 at 06:38 +, Chuck Mariotti wrote: > >That's definitely the cable modem's NAT getting confused. If you can get the > >phones to randomize their source ports on their OpenVPN traffic, that might > >resolve. I'm not sure if that's possible on those phones. In stock OpenVPN,

Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-20 Thread Jon Gerdes
On Fri, 2015-02-20 at 06:03 +, Chuck Mariotti wrote: > >You could try TCP for the OpenVPN if the phones will support it. The vast > >majority of your traffic will be UDP so you wont get the joy of TCP in TCP > >exponential standoffs. > > > >Cheers > >Jon > > The phones do support TCP (an op

Re: [pfSense] AlienVault plugin for pfSense

2015-06-23 Thread Jon Gerdes
On Mon, 2015-06-22 at 11:10 -0400, Peter Milazzo wrote: > Hello all, > > I wanted to see if anyone is using AlienVault and has gotten a plugin to > work with pfSense. > > Thank you, > Peter Milazzo Peter I've just quickly waded through the marketing material and I'm not sure what a plugin woul

Re: [pfSense] 2.2.3-RELEASE Now Available!

2015-06-25 Thread Jon Gerdes
On Thu, 2015-06-25 at 01:19 -0500, Chris Buechler wrote: > For those who aren't on the announce list and don't follow the blog: > https://blog.pfsense.org/?p=1810 This has fixed a *lot* of IPSEC issues for me so far, 50 odd P1s with an assortment of devices at the other end. Thank you.

Re: [pfSense] Internal Clock Broke

2015-06-26 Thread Jon Gerdes
On Thu, 2015-06-25 at 22:54 -0400, Brian Caouette wrote: > > Anyone else notice the clock is broke on 2.2.3? Anything time related is > seriously off. It seems to be about 4 hours early. I also notice the > time/date change today. It went from the 25th to the 26th and back to the > 25th. Ca

Re: [pfSense] Clock errors

2015-06-28 Thread Jon Gerdes
On Sun, 2015-06-28 at 14:14 -0400, Brian Caouette wrote: > > Update of the clock problem. I've corrected the time zone as was > mentioned by another list member. Apparently there was a glitch with > the .3 update. Although the time on the dash board is correct the > logs all have bad times

Re: [pfSense] Improving OpenVPN performance

2015-07-01 Thread Jon Gerdes
On Wed, 2015-07-01 at 15:16 +0100, Chris Bagnall wrote: > Greetings list, > > I'm trying to improve OpenVPN performance on a site-to-site link I have > between 2 pfSense boxes. > > I am currently only getting around 7Mbps each way via the OpenVPN > tunnel, measured by running iperf back and for

[pfSense] Dangling IPSEC tunnel

2015-08-12 Thread Jon Gerdes
Hello I am trying to fix up an IPSEC tunnel that fails to pass traffic. My end is pfSense 2.2.4. I tried disabling it but as the following shows: [shell prompt]/var/etc/ipsec: grep "con31000" ipsec.conf (no output) [shell prompt]/var/etc/ipsec: ipsec status | grep "con31000" con31000[10223

Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-19 Thread Jon Gerdes
On Tue, 2015-08-18 at 23:04 -0400, Ted Byers wrote: > On our latest penetration test, our pfsense machines were flagged as having > a SSL/TLS Diffie-Hellman Modulus <= 1024 Bits, allegedly making it > vulnerable to Logjam. This is for the web server on the pfsense machine, > used to administer it.

Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-20 Thread Jon Gerdes
On Wed, 2015-08-19 at 08:45 -0400, Ted Byers wrote: > On Wed, Aug 19, 2015 at 4:38 AM, Jon Gerdes wrote: > > Finally, although it is good practice to scan your gear I trust you > > usually have a firewall rule that prohibits access to the web > > configurator console exce

Re: [pfSense] Using pfSense with an external proxy appliance

2015-09-04 Thread Jon Gerdes
On Thu, 2015-09-03 at 09:53 -0500, Erik Anderson wrote: > Hello, > > Shortly I'm going to need to deal with a situation I've never had to > sort out before - using pfSense to redirect outbound HTTP(S) from > clients to an iPrism proxy/filter appliance. > > We're running pfsense v2.2.4. > > Is th

Re: [pfSense] OpenVPN and TOTP?

2015-10-05 Thread Jon Gerdes
On Mon, 2015-10-05 at 22:22 +0200, Olivier Mascia wrote: > Dear all, > > Have you heard of any support (add-on?) for time based one time > passwords support in OpenVPN? Along the lines of RFC6238 so it could > be used with Google Authenticator, Microsoft Authenticator, and the > countless alike m

Re: [pfSense] Latency issues with 2.2.25 Release

2015-11-11 Thread Jon Gerdes
On Wed, 2015-11-11 at 07:47 -0800, Wade Blackwell wrote: > Good morning list, > I recently upgraded to *2.2.5-RELEASE* (amd64) on a VMware > stack > and noticed that my Wan latency shot up by about 100ms rtt. Nothing > else on > the box had changed. I reverted to a pre-upgrade snapshot and

Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-22 Thread Jon Gerdes
On Fri, 2016-01-22 at 12:15 +0100, Antonio Prado wrote: > On 1/22/16 11:02 AM, Seth Mos wrote: > > > on a fresh installed box, IPv4 configured on 2 NICs (WAN and > > > LAN), IPv6 > > > not configured, pfSense starts advertising itself as IPv6 gateway > > > on LAN > > > using its link-local address

Re: [pfSense] Planning upgrade from 2.0.1-RELEASE to 2.2.6-RELEASE

2016-01-30 Thread Jon Gerdes
On Wed, 2016-01-27 at 00:04 -0500, Ugo Bellavance wrote: > Hi, > > We're in the process of planning the upgrade of our main site's > pfSense  > firewall. It is currently running 2.0.1-RELEASE and we want it to be > at  > the latest version.  It is running in a VMWare VM (amd64). As it is a VM you

Re: [pfSense] PFSense and Kibana

2016-06-26 Thread Jon Gerdes
On Sat, 2016-06-18 at 11:07 +0200, Daniel Eschner wrote: > Hi there, > > I run Suricata on a pfSense. I try to build some Dashboards. For the > first everything seems running but it seems I have problems with > domains like linux-nerd.de > In the Dashboard it's shown as linux

Re: [pfSense] 502 Bad Gateway

2016-07-07 Thread Jon Gerdes
On Tue, 2016-07-05 at 13:19 -0400, Bill Arlofski wrote: > Hi everyone... > > I noticed after one of the recent upgrades to the 2.2.x "RELEASE" > series > everything works perfectly fine for a while but then, I get "502 Bad --- snip > > So, I am suspecting that the php-fpm process

Re: [pfSense] Unexplained reboots

2016-11-02 Thread Jon Gerdes
If it has an iLO then that may provide some insights in its logs and possibly a crash screen if there is one. They quite often default to "ASR" when they decide the OS watchdog has died. Configure syslog to ship all logs to a remote machine. Make sure all clocks are in sync. Does pfSense offer up

Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jon Gerdes
It might be worth putting a press release style post here as well anyway. Your mailing list may not be perfect and some people have a nasty habit of registering things with their own email address instead of a group address/alias and then moving on. Their account gets deleted and that box that d

Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jon Gerdes
pson wrote: > I tend to be careful about spamming the pfSense list with things that > aren't directly related to pfSense. > > Jim > > On Mon, Mar 20, 2017 at 7:13 PM, Jon Gerdes > wrote: > > It might be worth putting a press release style post here as well > >

Re: [pfSense] Netgate Firmware

2017-03-21 Thread Jon Gerdes
ils. I don’t frequent the forums. But I am aware of an > “alleged” chip issue, which I believe my unit is susceptible to. > > Can someone provide a link to a relevant forum thread? > > Thanks, > Richard > > > > On Mar 20, 2017, at 7:37 PM, Jon Gerdes > > wrote:

Re: [pfSense] Hardware compatibility

2017-04-07 Thread Jon Gerdes
Jimmy You really do get what you pay for. I doubt that you have bothered to quantify your time and effort in getting some low powered beastie up and running. Cost your personal time at say £20 per hour (say 25USD) - that's pretty reasonable. Now think about your options. There are quite a few

Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-03 Thread Jon Gerdes
EC Add an additional Phase 2 entry on each set of tunnels: pf2 -> pf1 = tunnel A pf2 -> pf3 = tunnel B Add a Phase 2 on tunnel A for local 192.168.40/24 to remote 192.168.44/24 Add a Phase 2 on tunnel B for local 192.168.44/24 to remote 192.168.40/24 Add firewall rules to taste. Cheers Jon

Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-04 Thread Jon Gerdes
Thank you for a clear and concise description of your problem. Cheers Jon On Wed, 2017-05-03 at 09:48 -0400, Eleuterio Contracampo wrote: > Thank you Jon. It works! > > -EC > > On Wed, May 3, 2017 at 6:48 AM, Jon Gerdes > wrote: > > > EC > > > > Add

Re: [pfSense] IPSec to overlapping subnet - unexpected behaviour

2017-08-18 Thread Jon Gerdes
Not sure with IPSEC - there is a BINAT option which I think may do the job but I personally use OpenVPN for this sort of thing. I have at least six customers with 192.168.0/24 LANs and won't budge but I need to monitor their gear. Each one is mapped to 192.168.0.z -> 10.n.y.z/24, where n is consta

Re: [pfSense] IPSec to overlapping subnet - unexpected behaviour

2017-08-18 Thread Jon Gerdes
(For the list) See: https://doc.pfsense.org/index.php/OpenVPN_NAT_subnets_with_same_IP_range I'm still working on it ... Cheers Jon On Fri, 2017-08-18 at 20:52 +0000, Jon Gerdes wrote: > Not sure with IPSEC - there is a BINAT option which I think may do > the > job but I

Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.

2017-09-27 Thread Jon Gerdes
On Wed, 2017-09-27 at 00:12 +0200, dayer wrote: > Hi everyone, > > > I'm getting this behavior and I can't find the reason. I've tested the > same > scenario with pfSense 2.3.4 and 2.4.0-RC and I've posted in the > forums > without reply[1]. > I'm not sure if it's a configuration error or a bug, an

Re: [pfSense] pfSense virtualisation

2017-10-10 Thread Jon Gerdes
On Tue, 2017-10-10 at 14:16 -0700, Walter Parker wrote: > On Tue, Oct 10, 2017 at 12:57 PM, Doug Lytle > wrote: > > > > > > Or do you think I am absolutely crazy? Or maybe Just one > > > > > Hardware and > > > > one virtual? > > > > Quite a few of my firewalls are virtualized using ESXI and hav

Re: [pfSense] raise ulimit

2017-10-24 Thread Jon Gerdes
Daniel Please could you post the exact message you get from HA Proxy and where you found it. You might want to read these: https://cbonte.github.io/haproxy-dconv/1.7/management.html#5 https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html Cheers Jon On Sat, 2017-10-21 at 22:04

Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-02 Thread Jon Gerdes
Roberto NFF: Product working as designed When you use splice, you are doing a Man In The Middle (MitM) attack on your own users. Chrome is a Google product and they have enabled https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and other things to detect this sort of thing. This could be s

Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-04 Thread Jon Gerdes
ehaviour related to Chrome and Firefox? > > > > Thanks a lot again. > > > > ROBERTO > > > > 2017-11-02 20:47 GMT-03:00 Jon Gerdes : > > > Roberto > > > > > > NFF: Product working as designed > > > > > > When you use

Re: [pfSense] SIP Port forwarding - will the SIP Proxy help me with this?

2018-03-23 Thread Jon Gerdes
You could create an alias for the inbound IPs for SIP/RTC and limit the source on the NAT rule with that alias. Then your WebRTC users will be unaffected because their src/dst/port triplet will not match that NAT. https://www.twilio.com/docs/api/voice/sip-interface - see IP address whitelist. C