Re: [pfSense] SIP problems.

2013-10-14 Thread Jon Gerdes
Are you using symmetric RTP? if not, try that along with a keep alive option. As the RFC for it states it should be a default - shame it isn't on many systems. it fixes a lot of snags for me. I have a phone - Cisco 504G - on my desk that can go weeks without making/taking a call and yet just

Re: [pfSense] SIP problems.

2013-10-15 Thread Jon Gerdes
session is down). On Mon, Oct 14, 2013 at 5:12 AM, Jon Gerdes gerd...@blueloop.net wrote: Are you using symmetric RTP? if not, try that along with a keep alive option. As the RFC for it states it should be a default - shame it isn't on many systems. it fixes a lot of snags for me. I have

Re: [pfSense] IPSEC bug in 2.1

2013-12-12 Thread Jon Gerdes
There exists an IPSEC bug in pfSense 2.1 When the router's modem is restarted, the IPSEC tunnel fails to come back up. This bug is documented in the following places by numerous people: https://redmine.pfsense.org/issues/3321 http://forum.pfsense.org/index.php/topic,69235.0.html

Re: [pfSense] PFSense OpenVPN General Q

2014-04-15 Thread Jon Gerdes
the 5is out or any other well funded state agency or a sufficiently well motivated cracker but I'm buggered if script kiddies will get past me. Cheers Jon Blueloop Ltd Jon Gerdes | Senior Consultant Blueloop House Ilchester Road Yeovil Somerset BA21 3AA Tel: 01460271055 Web: www.blueloop.net

[pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
having to go back to split horizon DNS again which would mean resurrecting BIND and a complicated views setup - the horror! Blueloop Ltd Jon Gerdes | Senior Consultant Blueloop House Ilchester Road Yeovil Somerset BA21 3AA Tel: 01460271055 Web: www.blueloop.net Registered Address : Blueloop House

Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
On Thu, 2014-06-12 at 23:23 +0100, Chris Bagnall wrote: On 12/6/14 11:06 pm, Jon Gerdes wrote: As far as I can tell, the only downside is I lose another address to act as the gateway. Can anyone spot any flaws with this method or is it a general practice? Certainly assigning the first IP

Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-19 Thread Jon Gerdes
On Fri, 2014-06-13 at 18:13 +0100, Brian Candler wrote: On 12/06/2014 23:06, Jon Gerdes wrote: My new ISP only provides a /29 from which WAN always gets the first one via PPPoE. I put the second address from the /29 onto an interface and the remaining four onto my externally facing

Re: [pfSense] NetFlow analysis tools

2015-01-16 Thread Jon Gerdes
On Thu, 2015-01-15 at 17:08 +0100, b...@todoo.biz wrote: Hello, I would like to know which flow-tools you are using in conjunction with pfflowd / netflow I am particularly interested in GUI back-end. If you have any good pointer, that would really be helpful. Sincerely

Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-18 Thread Jon Gerdes
On Wed, 2015-02-18 at 06:38 +, Chuck Mariotti wrote: That's definitely the cable modem's NAT getting confused. If you can get the phones to randomize their source ports on their OpenVPN traffic, that might resolve. I'm not sure if that's possible on those phones. In stock OpenVPN,

Re: [pfSense] 2.2 Packages

2015-01-30 Thread Jon Gerdes
On Fri, 2015-01-30 at 15:07 -0500, Brian Caouette wrote: Where is a good place to monitor for package updates for 2.2? I had to revert back to 2.1.5 after a fatal error shut me down. Talk to the lists, forums, IRC (probably somewhere). The core distro has a pretty good changelog and bug

Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
I can get the soft phone on the workstation to work through the firewall to register to the asterisk server and make call to the LAN phone but cannot get the cisco phone to work to do the same. I have tried also turning on SIProxd and nothing changes. Any help would be much appreciated

Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
On Sun, 2015-02-01 at 17:56 +, Jon Gerdes wrote: I can get the soft phone on the workstation to work through the firewall to register to the asterisk server and make call to the LAN phone but cannot get the cisco phone to work to do the same. I have tried also turning on SIProxd

Re: [pfSense] issues registering Cisco VoIP phone through pfSense

2015-02-01 Thread Jon Gerdes
On Sun, 2015-02-01 at 18:20 +, Jon Gerdes wrote: On Sun, 2015-02-01 at 17:56 +, Jon Gerdes wrote: I can get the soft phone on the workstation to work through the firewall to register to the asterisk server and make call to the LAN phone but cannot get the cisco phone to work

Re: [pfSense] Multi-WAN port forwarding

2015-02-13 Thread Jon Gerdes
On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote: Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no luck... --Tiernan -Original Message- From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L Sent: Thursday 12 February 2015 20:36

Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-20 Thread Jon Gerdes
On Fri, 2015-02-20 at 06:03 +, Chuck Mariotti wrote: You could try TCP for the OpenVPN if the phones will support it. The vast majority of your traffic will be UDP so you wont get the joy of TCP in TCP exponential standoffs. Cheers Jon The phones do support TCP (an option on a per

Re: [pfSense] Improving OpenVPN performance

2015-07-01 Thread Jon Gerdes
On Wed, 2015-07-01 at 15:16 +0100, Chris Bagnall wrote: Greetings list, I'm trying to improve OpenVPN performance on a site-to-site link I have between 2 pfSense boxes. I am currently only getting around 7Mbps each way via the OpenVPN tunnel, measured by running iperf back and forth

Re: [pfSense] Clock errors

2015-06-28 Thread Jon Gerdes
On Sun, 2015-06-28 at 14:14 -0400, Brian Caouette wrote: Update of the clock problem. I've corrected the time zone as was mentioned by another list member. Apparently there was a glitch with the .3 update. Although the time on the dash board is correct the logs all have bad times in

Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus = 1024 Bits (Logjam)

2015-08-20 Thread Jon Gerdes
On Wed, 2015-08-19 at 08:45 -0400, Ted Byers wrote: On Wed, Aug 19, 2015 at 4:38 AM, Jon Gerdes gerd...@blueloop.net wrote: Finally, although it is good practice to scan your gear I trust you usually have a firewall rule that prohibits access to the web configurator console except from

Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus = 1024 Bits (Logjam)

2015-08-19 Thread Jon Gerdes
On Tue, 2015-08-18 at 23:04 -0400, Ted Byers wrote: On our latest penetration test, our pfsense machines were flagged as having a SSL/TLS Diffie-Hellman Modulus = 1024 Bits, allegedly making it vulnerable to Logjam. This is for the web server on the pfsense machine, used to administer it.

Re: [pfSense] Latency issues with 2.2.25 Release

2015-11-11 Thread Jon Gerdes
On Wed, 2015-11-11 at 07:47 -0800, Wade Blackwell wrote: > Good morning list, >I recently upgraded to *2.2.5-RELEASE * (amd64) on a VMware > stack > and noticed that my Wan latency shot up by about 100ms rtt. Nothing > else on > the box had changed. I reverted to a pre-upgrade snapshot and

Re: [pfSense] Using pfSense with an external proxy appliance

2015-09-04 Thread Jon Gerdes
On Thu, 2015-09-03 at 09:53 -0500, Erik Anderson wrote: > Hello, > > Shortly I'm going to need to deal with a situation I've never had to > sort out before - using pfSense to redirect outbound HTTP(S) from > clients to an iPrism proxy/filter appliance. > > We're running pfsense v2.2.4. > > Is

Re: [pfSense] OpenVPN and TOTP?

2015-10-05 Thread Jon Gerdes
On Mon, 2015-10-05 at 22:22 +0200, Olivier Mascia wrote: > Dear all, > > Have you heard of any support (add-on?) for time based one time > passwords support in OpenVPN? Along the lines of RFC6238 so it could > be used with Google Authenticator, Microsoft Authenticator, and the > countless alike

Re: [pfSense] PFSense and Kibana

2016-06-26 Thread Jon Gerdes
On Sat, 2016-06-18 at 11:07 +0200, Daniel Eschner wrote: > Hi there, > > i run Suricata on a pfSense. I Try to build some Dashboards. For the > First everthing seems running but it seems i have Problems with > domains like linux-nerd.de > In the Dashboard its shown as

Re: [pfSense] Planning upgrade from 2.0.1-RELEASE to 2.2.6-RELEASE

2016-01-30 Thread Jon Gerdes
On Wed, 2016-01-27 at 00:04 -0500, Ugo Bellavance wrote: > Hi, > > We're in the process of planning the upgrade of our main site's > pfSense  > firewall. It is currently running 2.0.1-RELEASE and we want it to be > at  > the latest version.  It is running in a VMWare VM (amd64). As it is a VM

Re: [pfSense] 2.2.6 and IPv6 RA

2016-01-22 Thread Jon Gerdes
On Fri, 2016-01-22 at 12:15 +0100, Antonio Prado wrote: > On 1/22/16 11:02 AM, Seth Mos wrote: > > > on a fresh installed box, IPv4 configured on 2 NICs (WAN and > > > LAN), IPv6 > > > not configured, pfSense starts advertising itself as IPv6 gateway > > > on LAN > > > using its link-local address

Re: [pfSense] 502 Bad Gateway

2016-07-07 Thread Jon Gerdes
On Tue, 2016-07-05 at 13:19 -0400, Bill Arlofski wrote: > Hi everyone... > > I noticed after one of the recent upgrades to the 2.2.x "RELEASE" > series > everything works perfectly fine for a while but then, I get "502 Bad --- snip > > So, I am suspecting that the php-fpm

Re: [pfSense] Unexplained reboots

2016-11-02 Thread Jon Gerdes
If it has an iLO then that may provide some insights in its logs and possibly a crash screen if there is one.  They quite often default to "ASR" when they decide the OS watchdog has died Configure syslog to ship all logs to a remote machine.  Make sure all clocks are in sync Does pfSense offer

Re: [pfSense] Netgate Firmware

2017-03-21 Thread Jon Gerdes
ils. I don’t frequent the forums. But I am aware of an > “alleged” chip issue, which I believe my unit is susceptible to. > > Can someone provide a link to a relevant forum thread? > > Thanks, > Richard > > > > On Mar 20, 2017, at 7:37 PM, Jon Gerdes <gerd...@b

Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jon Gerdes
It might be worth putting a press release style post here as well anyway.   Your mailing list may not be perfect and some people have a nasty habit of registering things with their own email address instead of a group address/alias and then moving on. Thir account gets deleted and that box that

Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jon Gerdes
; I tend to be careful about spamming the pfSense list with things that > aren't directly related to pfSense. > > Jim > > On Mon, Mar 20, 2017 at 7:13 PM, Jon Gerdes <gerd...@blueloop.net> > wrote: > > It might be worth putting a press release style post here as well

Re: [pfSense] Hardware compatibility

2017-04-07 Thread Jon Gerdes
Jimmy You really do get what you pay for. I doubt that you have bothered to quantify your time and effort in getting some low powered beastie up and running. Cost your personal time at say £20 per hour (say 25USD) - that's pretty reasonable. Now think about your options. There are quite a few

Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-04 Thread Jon Gerdes
Thank you for a clear and concise description of your problem. Cheers Jon On Wed, 2017-05-03 at 09:48 -0400, Eleuterio Contracampo wrote: > Thank you Jon. It works! > > -EC > > On Wed, May 3, 2017 at 6:48 AM, Jon Gerdes <gerd...@blueloop.net> > wrote: > > &

Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-03 Thread Jon Gerdes
EC Add an additional Phase 2 entry on each set of tunnels: pf2 -> pf1 = tunnel A pf2 -> pf3 = tunnel B Add a Phase 2 on tunnel A for local 192.168.40/24 to remote 192.168.44/24 Add a Phase 2 on tunnel B for local 192.168.44/24 to remote 192.168.40/24 Add firewall rules to taste. Cheers Jon

Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.

2017-09-27 Thread Jon Gerdes
On Wed, 2017-09-27 at 00:12 +0200, dayer wrote: > Hi everyone, > > > I'm getting this behavior and I can't find the reason. I've test the > same > scenario with pfSense 2.3.4 and 2.4.0-RC and I've posted in the > forums > without reply[1]. > I'm not sure if it's a configuration error or a bug,

Re: [pfSense] pfSense virtualisation

2017-10-10 Thread Jon Gerdes
On Tue, 2017-10-10 at 14:16 -0700, Walter Parker wrote: > On Tue, Oct 10, 2017 at 12:57 PM, Doug Lytle > wrote: > > > > > > Or do you think I am absolutely crazy? Or maybe Just one > > > > > Hardware and > > > > one virtual? > > > > Quite a few of my firewalls are

Re: [pfSense] Problem with Chrome - HTTP trasnparent proxy with SSL filtering

2017-11-02 Thread Jon Gerdes
Roberto NFF: Product working as designed When you use splice, you are doing a Man In The Middle (MitM) attack on your own users. Chrome is a Google product and they have enabled https ://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and other things to detect this sort of thing. This could be

Re: [pfSense] Problem with Chrome - HTTP trasnparent proxy with SSL filtering

2017-11-04 Thread Jon Gerdes
e the same HTTPS behaviour related to Chrome and Firefox? > > > > Thanks a lot again. > > > > ROBERTO > > > > 2017-11-02 20:47 GMT-03:00 Jon Gerdes <gerd...@blueloop.net>: > > > Roberto > > > > > > NFF: Product working as designe

Re: [pfSense] raise ulimit

2017-10-24 Thread Jon Gerdes
Daniel Please could you post the exact message you get from HA Proxy and where you found it. You might want to read these: https://cbonte.github.io/haproxy-dconv/1.7/management.html#5 https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html Cheers Jon On Sat, 2017-10-21 at

Re: [pfSense] SIP Port forwarding - will the SIP Proxy help me with this?

2018-03-23 Thread Jon Gerdes
You could create an alias for the inbound IPs for SIP/RTC and limit the source on the NAT rule with that alias. Then your WebRTC users will be unaffected because their src/dst/port triplet will not match that NAT. https://www.twilio.com/docs/api/voice/sip-interface - see IP address whitelist.