Re: [pfSense] OpenVPN road warrior how to for 2.0

2011-10-04 Thread Vick Khera
On Tue, Oct 4, 2011 at 12:14 AM, Nenhum_de_Nos math...@eternamente.info wrote: for 1.2.3 it works great, but I always get a cert problem in 2.0 :( The config imported from 1.2.3 works fine for us. I think we had to manually re-import the certificate authority, though. Memory fades.

[pfSense] how to route ipsec connected traffic to remote vpn endpoint and back

2011-10-28 Thread Vick Khera
I followed http://forum.pfsense.org/index.php?PHPSESSID=eqvfsk9c6dar52lncgb39gc0s7/topic,24752.msg130558/topicseen.html#msg130558 to set up iPhone IPsec vpn. This works splendidly (once I granted permission to the new user to create VPN login). However, since the iOS can only make one vpn

Re: [pfSense] Odd circumstances

2011-11-16 Thread Vick Khera
On Tue, Nov 15, 2011 at 7:22 PM, Mehmasarja mehmasa...@gmail.com wrote: Finally, I notice the pfSense appliance responds very slowly and suspect there may be a hardware issue. I'll check its dmesg. Did you try re-installing pfSense to clean out any stuff that the bad packages may have left

Re: [pfSense] Ipad Road Warrior + VPN (secure connection) to my home network??

2011-12-09 Thread Vick Khera
I followed the step-by-step on this page. The only thing it missed was that you have to enable the User - VPN - IPsec xauth Dialin property on the user you create in pfSense. Works wonderfully, and way more secure than PPTP ever was or will be.

[pfSense] copying over users to new install

2012-01-27 Thread Vick Khera
I'm setting up a new firewall in a new location, and moving the VPN service we use from the old to new locations. I need to move the list of users, but I do not know all of their passwords, naturally. I exported the system configs and I see the users in there with hashed passwords. If I upload

Re: [pfSense] copying over users to new install

2012-01-27 Thread Vick Khera
On Fri, Jan 27, 2012 at 12:20 PM, Vick Khera vi...@khera.org wrote: I exported the system configs and I see the users in there with hashed passwords. If I upload this to the new server after removing all the other stuff I do not want changed, will it do as I expect and leave the other

Re: [pfSense] Backup from HD, restore do CF

2012-02-06 Thread Vick Khera
On Sun, Feb 5, 2012 at 5:28 PM, Diego Barrios s...@techsystem.com.br wrote: Can I install the nanobsd 1GB image on my Alix, back up the config from the PC and restore it on my ALIX? I don't care about the RRD graphs, logs, etc... only my VPN users and useful settings. You will need to edit the

Re: [pfSense] PFsense to PFsense IPSEC VPN and VOIP

2012-02-06 Thread Vick Khera
On Mon, Feb 6, 2012 at 3:44 AM, Gavin Will gavin.w...@exterity.com wrote: Routing and firewall rules are correct and I can access both networks fine. The voip phone registers and can make a call but both ends cannot hear each other. The VOIP phones at my remote locations (VPN with

Re: [pfSense] Mounting memsticks

2012-02-27 Thread Vick Khera
On Sat, Feb 25, 2012 at 3:44 AM, Warren Baker war...@decoy.co.za wrote: On Fri, Feb 24, 2012 at 9:48 PM, David Miller dmil...@metheus.org wrote: Is there a way to mount a memstick on a mac and see the file system(s). Given its roots I'd think the mac would understand freebsd file systems and

Re: [pfSense] Move instance from X to Y, cold spare.

2012-04-23 Thread Vick Khera
On Mon, Apr 23, 2012 at 4:36 PM, Karl Fife karlf...@gmail.com wrote: In the scenario where the hardware interfaces are NOT the same, is it possible to do something simple like search/replace the configuration file, substituting the interface names? Is there any reason to believe that process

[pfSense] incoming load balancer docs notes

2012-04-27 Thread Vick Khera
Reading http://doc.pfsense.org/index.php/Inbound_Load_Balancing I find a couple of issues, which seem to be changes in 2.0. 1) the default probe is 10 seconds, not 5. There is no way to tweak that. 2) there is no sticky option The commentary about 1.2 implementation using NAT and issues with

Re: [pfSense] HA and ifstated

2012-05-14 Thread Vick Khera
Isn't this automatic with CARP? On Mon, Apr 30, 2012 at 4:35 AM, Pedro Serotto pedro.sero...@yahoo.es wrote: With ifstated I can catch the fault and demote the carp interface to guarantee the service continuity. How can I do that in pfsense ? ___

Re: [pfSense] CISCO VPN CLIENT 5.0.07.0410 CONNECTION TO PFSENSE 2.0.1

2012-05-16 Thread Vick Khera
On Tue, May 15, 2012 at 5:39 PM, Antonio Cortes Alhambra (INCATEL) antonio.cor...@incatel.cl wrote: someone has found the right combination of parameters settings to achieve the connection from a CISCO VPN CLIENT 5.0.07.0410 and pfSense 2.0.1 There are instructions for making the Cisco IPsec

Re: [pfSense] Rule processing optimization - states

2012-05-22 Thread Vick Khera
On Thu, May 17, 2012 at 2:37 PM, Ugo Bellavance u...@lubik.ca wrote: I would like to make sure my rules are in the best order. I understand that the rules are processed from top to bottom, so I should place the rules that are most used at the top. However, how long does a state last? I just want to

[pfSense] modern hardware selection

2012-05-29 Thread Vick Khera
Looking through the forums and mailing list archives, I see recommendations for the following two devices to handle my network throughput: Hacom Mars system http://www.hacom.net/catalog/mars-ii-pfsense-1u-server and Netgate FW-7535 http://store.netgate.com/Netgate-FW-7535-1U-P1695C84.aspx Both

Re: [pfSense] modern hardware selection

2012-05-29 Thread Vick Khera
Also, I have three IPsec VPNs connecting to other data centers and the main office, which need to push at peak 40Mbps for a couple of hours a day during backups. ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list

[pfSense] failover sync question

2012-06-13 Thread Vick Khera
I have a pair of firewalls set up with pfsync. pfSense 2.0.1/i386. I'm pushing a lot of connections and traffic, so had to bump the number of states in the Advanced - Firewall/NAT tab. This increased number did not show up on the backup firewall. Ditto for unchecking the disable nat reflection

Re: [pfSense] Slightly OT: Accessing pfSense webinterface via reverse proxy

2012-06-18 Thread Vick Khera
On Mon, Jun 18, 2012 at 9:49 AM, Giles Coochey gi...@coochey.net wrote: I'm not sure whether the URL re-write will work when HTTPS is in use. Apache's SSL proxy uses CONNECT, so it doesn't terminate your SSL connection. Thus, it cannot decode or rewrite anything within. If you want it to work,

Re: [pfSense] failover sync question

2012-06-22 Thread Vick Khera
On Wed, Jun 13, 2012 at 6:19 PM, Chris Buechler c...@pfsense.org wrote: You have to enable synchronize states on the secondary too or it won't accept them. Firewall > VIPs, CARP settings tab. Thanks for this tip. I thought perhaps my problem was that I was sharing an interface for this, and the

[pfSense] supermicro SOL console

2012-06-22 Thread Vick Khera
So I just figured this nifty trick out. I provisioned a pair of servers based on supermicro X9SC motherboard, which has a built-in ILOM processor, and that provides a serial-over-lan serial port in addition to other administrative features. It was exceptionally easy to convince pfsense to use

Re: [pfSense] supermicro SOL console

2012-06-29 Thread Vick Khera
On Fri, Jun 22, 2012 at 12:17 PM, Jim Pingle li...@pingle.org wrote: Use /boot/loader.conf.local - that won't get overwritten. The other two will. Based on this, my revised configuration is to create /boot/loader.conf.local: hint.uart.2.at=isa hint.uart.2.port=0x3E8 hint.uart.2.flags=0x10

Re: [pfSense] Network freezes on IBM x3550, Broadcom NICs

2012-06-29 Thread Vick Khera
On Thu, Jun 28, 2012 at 9:07 PM, Paul Gear p...@gear.dyndns.org wrote: Server hardware: IBM x3550, Xeon E5405 2 GHz, 2 GB RAM, 2 x 300 GB 10K RPM SAS HD in hardware RAID 1, 2 x Broadcom NetXtreme II BCM5708 1000Base-T (B2) About two weeks ago I had to put into production a temporary hacked

Re: [pfSense] pfSense vs JunOS

2012-07-03 Thread Vick Khera
On Sun, Jul 1, 2012 at 3:33 PM, Chris Buechler c...@pfsense.org wrote: The level of service we provide is on par or better than commercial vendors. For most of our customers, much better, because commercial vendors will rule out the firewall and tell you to have a nice day I'll confirm that

Re: [pfSense] ipsec HA

2012-07-17 Thread Vick Khera
On Mon, Jul 16, 2012 at 12:44 PM, Pedro Serotto pedro.sero...@yahoo.es wrote: I try to set up multiple VPN gateways in a redundant configuration, allowing for transparent failover of VPN connections without any loss of connectivity. I find my IPsec tunnels transfer from primary to secondary

Re: [pfSense] ipsec HA

2012-07-18 Thread Vick Khera
On Wed, Jul 18, 2012 at 4:11 AM, Pedro Serotto pedro.sero...@yahoo.es wrote: Everything migrates correctly but not ipsec. What is your remote IPsec device? Is it pfSense as well? That is my situation and the connection flips over rather quickly.

Re: [pfSense] Accessing web-interface on WAN network

2012-07-31 Thread Vick Khera
On Mon, Jul 30, 2012 at 6:10 PM, pfsense-supp...@madcyclist.org.uk wrote: I have a pfSense 2.0 box connected to an ADSL modem running as a MPoA bridge. Basically the ADSL modem does some unspecified manipulation and presents the public IP to the LAN connection via DHCP along with gateway

Re: [pfSense] pfsync Synchronize Peer IP best practice

2012-09-11 Thread Vick Khera
On Tue, Sep 11, 2012 at 8:40 AM, Pedro Serotto pedro.sero...@yahoo.es wrote: which value do you usually set in pfsync Synchronize Peer IP? The other peer's pfsync IP address? Is it right to leave it empty? When I set this up with a dedicated NIC just for the pfsync, I left it blank as hinted on

Re: [pfSense] pfsync Synchronize Peer IP best practice

2012-09-11 Thread Vick Khera
On Tue, Sep 11, 2012 at 9:36 AM, Pedro Serotto pedro.sero...@yahoo.es wrote: I have a dedicated NIC too. But do you set the remote IP on every side or only on the master side? Is it right that the sessions migrate only from master to slave and never from slave to master? You set the remote

Re: [pfSense] Cisco IPSEC configuration

2012-09-14 Thread Vick Khera
On Wed, Sep 12, 2012 at 3:47 PM, Ian Bowers iggd...@gmail.com wrote: posting instructions on doing it could cause trouble. Trouble for whom?

Re: [pfSense] OpenVPN client for iPad

2012-10-04 Thread Vick Khera
On Wed, Oct 3, 2012 at 5:48 AM, Raúl Sampedro raul.sampe...@grupocarreras.com wrote: App embedded in iOS. And these are the right instructions, step-by-step. http://forum.pfsense.org/index.php?PHPSESSID=eqvfsk9c6dar52lncgb39gc0s7/topic,24752.msg130558/topicseen.html#msg130558 The only thing I

Re: [pfSense] Internet thru IPsec VPN

2012-10-12 Thread Vick Khera
I believe it depends on the client. For example, when I used IPSecuritas on the Mac, it only routed the VPN destination through the VPN. The IPsec client on iOS routes all traffic via the VPN. On Thu, Oct 11, 2012 at 12:45 AM, Luis Carrión luic...@gmail.com wrote: Hello folks, Just a

Re: [pfSense] Alix 2D3 with pfSense 2.1

2012-11-21 Thread Vick Khera
On Tue, Nov 20, 2012 at 4:58 AM, Eugen Leitl eu...@leitl.org wrote: ~85 Mbps max. Not going to fill a 100 Mb pipe, but will work. Thanks, that will do plenty. I think you will find it barely handling that load. Will you have any VPN connections or a lot of firewall rules? We were unable to

Re: [pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue

2012-12-10 Thread Vick Khera
On Mon, Dec 10, 2012 at 10:05 AM, Steve Spencer sspen...@kdsi.net wrote: The remote phones in question are not using NAT, but are publicly addressed. Local phones on our LAN continue to work just fine. The firewall is at the local end and sits between the cloud and the switchvox server. When

Re: [pfSense] Multi WAN CARP

2013-01-11 Thread Vick Khera
On Mon, Jan 7, 2013 at 7:46 PM, WolfSec-Support supp...@wolfsec.ch wrote: any hint will be welcome You want your pfSense boxes to be mostly identical, and symmetrically configured. That is, you want BOTH ISPs connected to both firewall boxes, and have them share the inbound gateway route via

Re: [pfSense] Firmware bug in Intel Ethernet Controllers

2013-02-07 Thread Vick Khera
On Wed, Feb 6, 2013 at 5:10 PM, Moshe Katz mo...@ymkatz.net wrote: I saw this today and figured I would bring it to everyone's attention. I figured that there are definitely people on this list who use Intel NICs that are affected and may have just the right traffic to trigger the problem.

Re: [pfSense] Samba4 package and extend services with pfsense

2013-02-26 Thread Vick Khera
On Tue, Feb 26, 2013 at 7:49 AM, Luiz Gustavo Costa luizgust...@luizgustavo.pro.br wrote: I have worked in the Samba4 package for pfsense, not only act as a domain member, but also act as a domain controller and i see this as an opportunity to extend the pfsense to be more than a firewall and

Re: [pfSense] Dual WAN Failover to gateway default

2013-03-05 Thread Vick Khera
On Tue, Mar 5, 2013 at 3:57 AM, may...@maykel.sytes.net wrote: Hi, I need to configure pfSense for outbound traffic on WAN1, but when WAN1 is down I would like to redirect traffic to WAN2 and vice versa. I would like to only use WAN1 for active connections, and if WAN1 is down, redirect the traffic to WAN2. I have 2

Re: [pfSense] help

2013-04-09 Thread Vick Khera
On Tue, Apr 9, 2013 at 3:49 AM, eyobe kebede e...@dbu.edu.et wrote: to 197.156.75.54 and default gateway of 10.130.42.65 As Luis points out, this makes no sense. What is the netmask they told you to use for the WAN address? The gateway must be within that network block defined by the netmask

Re: [pfSense] help

2013-04-09 Thread Vick Khera
On Tue, Apr 9, 2013 at 11:19 AM, Jim Pingle li...@pingle.org wrote: His ISP may have just forgotten to give him the proper gateway. But on the outside chance they really do expect him to use that 10.x address as the gateway, it may still be possible. http://redmine.pfsense.org/issues/972

Re: [pfSense] Prevailing wisdom on Hyperthreading?

2013-04-12 Thread Vick Khera
On Fri, Apr 12, 2013 at 4:18 PM, Nathan C. Smith nathan.sm...@ipmvs.com wrote: A couple years ago when the topic of CPU hyper threading came up I remember folks being advised to disable it. Is that still the prevailing wisdom and current best practice? I never explicitly disable it anymore,

Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-15 Thread Vick Khera
On Sat, Apr 13, 2013 at 3:58 PM, James Bensley jwbens...@gmail.com wrote: If I am connected to a LAN host from outside using SSH for example, and I pull out the master, my SSH session stops working. Do the boxes not sync NAT tables and states etc? I lose any active TCP connections. I had

Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-16 Thread Vick Khera
On Tue, Apr 16, 2013 at 8:48 AM, James Bensley jwbens...@gmail.com wrote: Does anyone have any ideas about some sort of no preempt option for CARP so that if the master fails, and everything switches over to the You would need to adjust the advskew on the old master to be higher than that of

Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-16 Thread Vick Khera
to the firewall device. https://github.com/postwait/vippy On Tue, Apr 16, 2013 at 10:41 AM, James Bensley jwbens...@gmail.com wrote: On 16 April 2013 14:41, Vick Khera vi...@khera.org wrote: There is no election protocol where they are considered equal and defer to the other if it is up

Re: [pfSense] help

2013-04-23 Thread Vick Khera
On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede e...@dbu.edu.et wrote: but 10.134.192.154 is the WAN ip and 10.130.42.65 is default gate way Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is 255.255.255.252, the *ONLY* other IP you can directly reach is 10.134.192.153.

Re: [pfSense] help

2013-04-28 Thread Vick Khera
On Wed, Apr 24, 2013 at 10:36 AM, eyobe kebede e...@dbu.edu.et wrote: public ip 197.156.75.54 our side and 197.156.75.53 ISP side Well, now you have just shared some new information. Try this: set your public IP to 197.156.75.54 and the default route to the .53 address, and the netmask to
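
The rule the three replies above in this thread lean on (the default gateway must sit inside the block the netmask defines, and on a 255.255.255.252 block there is exactly one other address), as an added example that is not part of the thread and not code from pfSense: a small Python check run against the addresses quoted in the thread. The netmask for the public 197.156.75.54/.53 pair is cut off in the archive, so the script assumes 255.255.255.252 for it; that mask and the function names are this example's own. A BAD verdict is the off-link case the thread treats as a misconfiguration.

```python
"""Check that an ISP-supplied default gateway lies inside the WAN block.

Added example for the thread above, not code from the thread or from pfSense.
Addresses are the ones quoted in the thread; the 255.255.255.252 mask on the
public pair is an assumption (the archive cuts that value off).
"""
from __future__ import annotations

import ipaddress


def block_summary(address: str, netmask: str) -> dict[str, str | list[str]]:
    """Describe the block a WAN address/netmask pair defines."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": f"/{net.prefixlen}",
        # every usable host on the link other than our own address
        "other_hosts": [str(h) for h in net.hosts() if h != iface.ip],
    }


def reachable_neighbours(address: str, netmask: str) -> list[str]:
    """Addresses directly reachable on the WAN link, excluding our own."""
    return block_summary(address, netmask)["other_hosts"]


def gateway_is_on_link(address: str, netmask: str, gateway: str) -> bool:
    """True only if the gateway is a usable host in the same block.

    This is the rule the thread states: a default gateway outside the block
    defined by the netmask cannot be ARPed for, so it is unusable without
    extra routes.
    """
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return False
    return str(gw) in reachable_neighbours(address, netmask)


def check(address: str, netmask: str, gateway: str) -> str:
    """One-line verdict for a WAN address / netmask / gateway triple."""
    summary = block_summary(address, netmask)
    if gateway_is_on_link(address, netmask, gateway):
        return f"OK: {gateway} is on-link for {address}{summary['prefix']}"
    others = ", ".join(summary["other_hosts"]) or "none"
    return (f"BAD: {gateway} is not inside {summary['network']}{summary['prefix']}; "
            f"on-link candidates: {others}")


if __name__ == "__main__":
    # The private pair from the thread: a /30 WAN with a gateway in another /16.
    print(check("10.134.192.154", "255.255.255.252", "10.130.42.65"))
    # The only other address on that /30.
    print(check("10.134.192.154", "255.255.255.252", "10.134.192.153"))
    # The public pair; the /30 mask here is assumed, not quoted in the thread.
    print(check("197.156.75.54", "255.255.255.252", "197.156.75.53"))
```

Run it before entering the WAN settings: the first line prints BAD with 10.134.192.153 as the only on-link candidate, the other two print OK.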

Re: [pfSense] Conditional Routing question

2013-04-29 Thread Vick Khera
On Mon, Apr 29, 2013 at 10:51 AM, Oliver Hansen oliver.han...@gmail.com wrote: I'm also interested in a solution for this. I also have a VPN provider that uses OpenVPN. I tried to set up some policy routes after adding the OpenVPN connection but I didn't have much luck. I'm pretty sure the

Re: [pfSense] Remote office redundancy

2013-05-23 Thread Vick Khera
On Thu, May 23, 2013 at 11:17 AM, Peter Milazzo peter.mila...@somersetcapital.com wrote: My questions are, do I need to setup a second IPsec tunnel for the cable connection (which I believe you can't do) if it fails over and what will the routing look like? Is there a better way to set this

Re: [pfSense] Remote office redundancy

2013-05-23 Thread Vick Khera
On Thu, May 23, 2013 at 11:42 AM, Chris Bagnall pfse...@lists.minotaur.cc wrote: I wonder if you could, for example, create two OpenVPN connections which run at all times - WAN1 to WAN1 and WAN2 to WAN2, then load balance or failover between those? Still, what happens if site 1 wan1 goes

Re: [pfSense] high load on LAN iface in CARP - LAN master becomes backup

2013-07-05 Thread Vick Khera
On Wed, Jul 3, 2013 at 5:45 PM, Adrian Zaugg a...@ente.limmat.ch wrote: In our network there are two gateways configured with CARP. It runs all well, as it should, except if I produce heavy load, something like 80-100MByte/s on the gateway, CARP switches (just) the LAN interface of the master

Re: [pfSense] high load on LAN iface in CARP - LAN master becomes backup

2013-07-08 Thread Vick Khera
On Mon, Jul 8, 2013 at 5:45 AM, Adrian Zaugg a...@ente.limmat.ch wrote: Whatever slow hardware I may have, it should work steady, but maybe just slower. And in my opinion the slave should take over completely not just the LAN interface, but that's another discussion. I agree with this

Re: [pfSense] OpenVPN site to site connection

2013-08-01 Thread Vick Khera
On Wed, Jul 17, 2013 at 9:16 AM, Peter Milazzo peter.mila...@somersetcapital.com wrote: there. So there is already an IPsec tunnel running (which I disable) and 2 WAN connections using gateway group for failover. Could there be some sort of conflict with the IPsec even though I disable it?

Re: [pfSense] Newbie questions

2013-08-09 Thread Vick Khera
On Thu, Aug 8, 2013 at 3:44 PM, lar...@angelichost.net wrote: Side question: are there iPhone/iPad/Android apps that will allow VPN access so I can get into the management interfaces while on the road? Yes. The built-in cisco ipsec client on iOS works great with pfSense, following these

Re: [pfSense] Site to Site VPN issue in PFsense

2013-08-19 Thread Vick Khera
On Wed, Aug 14, 2013 at 7:07 AM, pratap koppal pratap.kop...@gmail.com wrote: My head office along with two branch offices is deployed with pfSense. The head office and one of the branch offices are deployed with pfSense 2.0.1, and the other branch office with pfSense 2.0.3. My branch offices are linked with HO

Re: [pfSense] Site to Site VPN issue in PFsense

2013-08-19 Thread Vick Khera
On Mon, Aug 19, 2013 at 12:12 PM, pratap koppal pratap.kop...@gmail.com wrote: I'm using OpenVPN site to site; still I'm facing the same problem as mentioned. On the home office, configure your OpenVPN to listen on all interfaces, not just one of the WAN links. Then have the remote offices just

Re: [pfSense] insert a pfsense box to handle high network load (botnet attack)

2013-09-05 Thread Vick Khera
It entirely depends on the hardware you use for pfSense as to how much load it can handle. I, for one, push a sustained 60-70Mbps, with bursts of 120Mbps or more on a fairly hefty Xeon 64-bit server with 16GB of RAM. I have mostly simple rules, several IPSec and OpenVPN endpoints, and about 8

Re: [pfSense] rrd error after upgrade to 2.1

2013-10-09 Thread Vick Khera
On Wed, Oct 9, 2013 at 8:11 AM, İhsan Doğan ih...@dogan.ch wrote: I'll try to upgrade to 64-bit again. What will happen: the upgrade will finish, but there's no way for the system to tell you or auto-reboot. Once you're sure it is done, you need to reset the machine to reboot it.

Re: [pfSense] SIP problems.

2013-10-10 Thread Vick Khera
Can you configure your phones to do a keepalive ping? It sounds like the states are timing out. On Wed, Oct 9, 2013 at 5:44 PM, palesius . pales...@gmail.com wrote: To take a break from all the NSA talk... I'm having some trouble routing traffic over an openvpn tunnel between two

Re: [pfSense] Syncing alias lists

2013-10-10 Thread Vick Khera
The HA facility of pfSense will sync various configs. Look at the checkboxes to determine what gets synced to see if that is suitable for your need. On Thu, Oct 10, 2013 at 10:13 AM, Chris Bagnall pfse...@lists.minotaur.cc wrote: Greetings list, Does anyone know if it's possible to 'sync'

Re: [pfSense] Syncing alias lists

2013-10-10 Thread Vick Khera
On Thu, Oct 10, 2013 at 10:32 AM, Chris Bagnall pfse...@lists.minotaur.cc wrote: In this scenario, the client has units at different sites (not all in the same country, even). Oh, glossed over that part. :( Perhaps you could have a script that fetched the aliases configuration and pushed it

Re: [pfSense] fail2ban

2013-10-10 Thread Vick Khera
On Thu, Oct 10, 2013 at 10:37 AM, Jostein Elvaker Haande jehaa...@gmail.com wrote: I've talked to the development team about this in the past, and what I was told back then was this: with 1.3, you could achieve an API like behavior with using curl or similar tools, but this would be close to

Re: [pfSense] SIP problems.

2013-10-14 Thread Vick Khera
On Mon, Oct 14, 2013 at 11:11 AM, palesius . pales...@gmail.com wrote: sorry, I'm using the qualify option in asterisk, which I believe sends a request over the SIP connection periodically. Interesting.. I thought that was only for qualifying remote servers. You *really* want your phones to

Re: [pfSense] NAT-port-forwading problem in combination with SIP/RTP/VoIP

2013-10-15 Thread Vick Khera
On Tue, Oct 15, 2013 at 7:48 AM, Claudio Thomas claudio.tho...@ezi.de wrote: So my guess is that NAT+Portforwarding is not working correctly. Can anyone help? Thanks, Claudio PS: annexed some details... asterisk - siproxd 0.8.0_2/pfSense 2.1(i386) - sipgate 10.150.0.14 -

Re: [pfSense] NAT-port-forwading problem in combination with SIP/RTP/VoIP

2013-10-15 Thread Vick Khera
On Tue, Oct 15, 2013 at 10:04 AM, Claudio Thomas claudio.tho...@ezi.de wrote: BTW: What do you mean with client and not peer? Allowed sip-types are peer, user or friend (http://www.voip-info.org/wiki/view/Asterisk+sip+type ) My asterisk (actually it is Switchvox GUI running asterisk

Re: [pfSense] SIP problems.

2013-10-16 Thread Vick Khera
On Wed, Oct 16, 2013 at 3:21 AM, Hannes Werner jgoe...@gmail.com wrote: I'm facing Asterisk problems whenever pfsense gets a new IP from my WAN. And Asterisk reconnects to my operator when I reset the states. This is really an annoying problem and it only happens with pfsense, What is it in

Re: [pfSense] newsyslog: No such file or directory

2013-10-17 Thread Vick Khera
Curious. I have email notifications on, but I do not receive errors from cron. I wonder why. The newsyslog binary seems to not be on the system. Normally on FreeBSD it is in /usr/sbin. Seems like an error to me. I'd just comment out that line in /etc/crontab. pfSense uses a different kind of

Re: [pfSense] website and upgrade procedure

2013-11-05 Thread Vick Khera
On Tue, Nov 5, 2013 at 9:39 AM, Curtis Maurand cmaur...@xyonet.com wrote: I'm sure there are going to be gotchas. Is there a procedure in the docs to moving a configuration to a new hardware platform? I'm assuming that I should install the current version on the new hardware, get the

Re: [pfSense] website and upgrade procedure

2013-11-06 Thread Vick Khera
On Tue, Nov 5, 2013 at 2:21 PM, Curtis Maurand cmaur...@xyonet.com wrote: I'm assuming you used a live CD or an installation CD? Yes, that is what I did. I used the live CD to install onto the new hardware. Then I plugged my laptop into it using a direct ethernet cable (you may need a

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Vick Khera
On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix thinke...@rocketmail.com wrote: Would pfSense use these CPU instructions to hardware-encrypt/decrypt all VPN traffic (openVPN)? Would pfSense benefit from this in any other way, too? pfSense lists the AES-NI as a supported option for crypto

Re: [pfSense] Motherboard compatibility

2013-11-07 Thread Vick Khera
On Wed, Nov 6, 2013 at 9:24 AM, Paul Mather p...@gromit.dlib.vt.edu wrote: If those figures that the hardware producer provided are correct, it would mean that I could run pfSense 2.1 only on the C204 board, since pfSense 2.1 is based on FreeBSD 8.3, and the C222 board is only compatible

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Wed, Nov 6, 2013 at 8:29 AM, Jim Thompson j...@netgate.com wrote: There are reports that FreeBSD doesn't support AES-NI very well. I'm thinking it is either zero gain, or negative gain. On pfSense 2.1-RELEASE (aka FreeBSD 8.3 with OpenSSL 1.0.1e) we see: % /usr/local/bin/openssl speed

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Wed, Nov 6, 2013 at 11:04 AM, Thinker Rix thinke...@rocketmail.com wrote: What do you think is the reason for your VPN traffic maxing out at 20Mbps (I assume that your connection is not the traffic bottleneck, right?), although your CPUs are almost idle? I'm fairly sure it is the office

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 9:44 AM, Vick Khera vi...@khera.org wrote: CLEARLY it is killer fast for larger blocks. I just pondered this for a few minutes... I think openssl's summary numbers are misleading. They give you the time per CPU second used. So while the CPU is not doing the computations

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle li...@pingle.org wrote: Also see the How To Test tab and other data here: https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdE15eHB4dndHTXZYcU1mQm9Dc3V2elEusp=sharing The sheet could really use some more data, so anyone who has an AES-NI

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle li...@pingle.org wrote: The sheet could really use some more data, so anyone who has an AES-NI capable system, feel free to run through the tests and help fill out the sheet. :-) /usr/bin/openssl speed -evp aes-128-cbc -elapsed The 'numbers' are in
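
The measurement this thread converges on (run `openssl speed` with -elapsed, because the default per-CPU-second summary hides the difference between the CPU doing the work and a hardware path doing it, and compare a run with AES-NI against one without), as an added example that is not code from the thread or from pfSense: a Python script that runs both measurements and parses the summary table. It assumes an x86 build of OpenSSL that honours the OPENSSL_ia32cap environment variable (the value "~0x200000000000000" clears the AES-NI capability bit, forcing the software AES path) and the standard `openssl speed` summary layout quoted in the thread; the function names and the two sample tables are this example's own, constructed to exercise the parser offline.

```python
"""Compare OpenSSL AES throughput with and without AES-NI.

Added example for the AES-NI thread above, not code from the thread or from
pfSense. Assumes an x86 OpenSSL that honours OPENSSL_ia32cap and the usual
`openssl speed` summary table; the sample tables below are constructed.
"""
from __future__ import annotations

import os
import subprocess
from dataclasses import dataclass, field

# OPENSSL_ia32cap bit 57 is CPUID.1:ECX.AESNI; a leading "~" clears it, so
# OpenSSL falls back to its software AES (assumption: x86 OpenSSL 1.0.x+).
AESNI_OFF = "~0x200000000000000"


@dataclass
class SpeedReport:
    sizes: list[int] = field(default_factory=list)              # block sizes in bytes
    rows: dict[str, list[float]] = field(default_factory=dict)  # cipher -> bytes/s


def parse_speed(output: str) -> SpeedReport:
    """Parse the summary table `openssl speed` prints at the end of a run.

    Layout (numbers are thousands of bytes per second):
        type         16 bytes   64 bytes  256 bytes 1024 bytes 8192 bytes
        aes-128-cbc 640000.00k 900000.00k ...
    """
    report = SpeedReport()
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "type":
            # "type 16 bytes 64 bytes ..." -> every other token is a size
            report.sizes = [int(t) for t in tokens[1::2]]
            continue
        if not all(t.endswith("k") for t in tokens[1:]):
            continue
        try:
            report.rows[tokens[0]] = [float(t[:-1]) * 1000.0 for t in tokens[1:]]
        except ValueError:
            continue  # some other line whose words happen to end in "k"
    return report


def run_speed(cipher: str = "aes-128-cbc", aesni: bool = True) -> str:
    """Run `openssl speed` for one EVP cipher with wall-clock timing.

    -elapsed reports bytes per elapsed second rather than per CPU second,
    which is the number that matters when hardware is doing the work.
    """
    env = dict(os.environ)
    if not aesni:
        env["OPENSSL_ia32cap"] = AESNI_OFF
    proc = subprocess.run(["openssl", "speed", "-elapsed", "-evp", cipher],
                          env=env, capture_output=True, text=True, check=True)
    return proc.stdout


def speedup(with_aesni: str, without_aesni: str, cipher: str = "aes-128-cbc") -> list[float]:
    """Per-block-size ratio of AES-NI throughput to software throughput."""
    on, off = parse_speed(with_aesni), parse_speed(without_aesni)
    return [a / b for a, b in zip(on.rows[cipher], off.rows[cipher])]


def aesni_in_use(with_aesni: str, without_aesni: str,
                 cipher: str = "aes-128-cbc", threshold: float = 2.0) -> bool:
    """Heuristic: if masking AES-NI cuts large-block throughput by at least
    `threshold`x, the normal run really was using the instructions."""
    return speedup(with_aesni, without_aesni, cipher)[-1] >= threshold


# Constructed sample output shaped like the OpenSSL 1.0.1 summary table.
SAMPLE_AESNI_ON = """\
OpenSSL 1.0.1e 11 Feb 2013
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     640000.00k   900000.00k  1100000.00k  1180000.00k  1200000.00k
"""
SAMPLE_AESNI_OFF = """\
OpenSSL 1.0.1e 11 Feb 2013
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     120000.00k   140000.00k   148000.00k   150000.00k   150000.00k
"""


if __name__ == "__main__":
    on, off = run_speed(), run_speed(aesni=False)
    for size, ratio in zip(parse_speed(on).sizes, speedup(on, off)):
        print(f"{size:>6}-byte blocks: {ratio:5.2f}x faster with AES-NI")
    print("AES-NI is in use" if aesni_in_use(on, off) else "no AES-NI benefit measured")
```

On a CPU without AES-NI the two runs land within noise of each other, since the OPENSSL_ia32cap mask only changes anything where the CPU advertises the instructions; and because the ratio is taken from the two -elapsed runs rather than from the single summary, it is not distorted by the per-CPU-second accounting discussed above.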

Re: [pfSense] Motherboard compatibility

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 10:05 AM, Thinker Rix thinke...@rocketmail.com wrote: So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / Haswell) it should work, even though FreeBSD 8.3 is older than those

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-11 Thread Vick Khera
Did you get the sense people with the relevant skill were open to a bounty for implementing the necessary fixes? On Mon, Nov 11, 2013 at 1:36 PM, Jim Thompson j...@netgate.com wrote: I was at the FreeBSD Vendor Summit last week, and raised the AES-NI issue as important to be solved in the

Re: [pfSense] Load balancing IMAPs / POP3s / HTTPs

2013-11-22 Thread Vick Khera
On Fri, Nov 22, 2013 at 12:12 PM, Nikos Zaharioudakis nza...@gmail.com wrote: Are there any hints and tips on how to do this? Are there things that I should have in mind? I found 2 different balancer solutions in the distribution of pfsense. One which is built in and ha-proxy. Should I use one

Re: [pfSense] OpenVPN clients

2013-12-02 Thread Vick Khera
Yes, you set it up for mobile clients and it will let multiple remote computers connect and assign a single IP address to each from a pool. It works exactly the same as in 1.2.3. On Mon, Dec 2, 2013 at 7:40 PM, Nenhum_de_Nos math...@eternamente.info wrote: hail, is there a kind of server on

Re: [pfSense] Apple Messages Blocked

2014-01-15 Thread Vick Khera
On Tue, Jan 14, 2014 at 3:01 PM, Paul Galati paulgal...@gmail.com wrote: I have tried searching the forums to find a fix to allow Apple Messages app to successfully connect using Audio, Video, or Screen Sharing. It just works for me. I have pfSense protecting my home network, sitting behind

Re: [pfSense] Apple Messages Blocked

2014-01-15 Thread Vick Khera
On Wed, Jan 15, 2014 at 11:02 AM, Jim Thompson j...@netgate.com wrote: Turning on UPNP might make things better. It just works for me, too. Come to think of it, I do have UPNP turned on for my home LAN, too. So yeah, do that :)

Re: [pfSense] Recent FreeBSD Security Vulnerabilities

2014-01-21 Thread Vick Khera
On Mon, Jan 20, 2014 at 3:27 PM, Moshe Katz mo...@ymkatz.net wrote: 2014-01-14 FreeBSD-SA-14:03.openssl http://security.FreeBSD.org/advisories/FreeBSD-SA-14:03.openssl.asc pfSense 2.1 release is running OpenSSL 0.9.8y (at least on my machine), which is not reported

Re: [pfSense] package download stuck

2014-01-22 Thread Vick Khera
I get error that it cannot reach pfsense.com, both for updates and packages. On Wed, Jan 22, 2014 at 11:39 AM, kol k_...@hotmail.com wrote: Checking for package installation... Downloading http://files.pfsense.org/packages/amd64/8/All/dansguardian-2.12.0.3-amd64.pbi... 26%

Re: [pfSense] Multiple OpenVPN Servers

2014-02-26 Thread Vick Khera
Just turn off the carp on the master during your maintenance. The backup should just take over for it. That's what I do. OpenVPN is pretty robust when this happens and just renegotiates the connection. On Tue, Feb 25, 2014 at 5:26 PM, Adam Williams a...@spreedly.com wrote: Hello folks, I

[pfSense] verizon USB data modem

2014-02-27 Thread Vick Khera
I see on the supported USB 3g/4g modem list that there is the Pantech UML290. VZ currently sells the UML295. Has anyone had luck with the latter? It is so difficult to determine the actual internal hardware to see if there's that much difference. The scant information I can find on the net

Re: [pfSense] verizon USB data modem

2014-02-28 Thread Vick Khera
On Thu, Feb 27, 2014 at 10:29 PM, Oliver Hansen oliver.han...@gmail.com wrote: Hi Vick, I have used the Pantech UML290 on Verizon. It looks like VZW still sells the UML290 on their web site but I have not had experience yet with the UML295. I may get ahold of one sometime in the near future so

Re: [pfSense] verizon USB data modem

2014-03-05 Thread Vick Khera
On Sat, Mar 1, 2014 at 5:44 PM, Chris Buechler c...@pfsense.org wrote: If you want more flexibility, a Mifi with a wireless card in the firewall to connect to it and use as a WAN is another option. Easier to travel with a Mifi if you want to take it on the road with you. I wouldn't hesitate

Re: [pfSense] screen package for pfsense

2014-03-10 Thread Vick Khera
On Mon, Mar 10, 2014 at 10:57 AM, Moshe Katz mo...@ymkatz.net wrote: However, if you are writing the output to a file and not directly to the screen, you can probably just use nohup (which my firewall machine seems to already have) to keep the process running. (Something like this: nohup

Re: [pfSense] http://pfsense.org/ip.php and wget

2014-03-19 Thread Vick Khera
On Wed, Mar 19, 2014 at 5:51 AM, Brian Candler b.cand...@pobox.com wrote: is happy, so my guess it's a problem with wget 1.13.4 - maybe it doesn't do SNI. In that case, the solution is to change to a less broken client. Try: Indeed that is the case. wget is complaining about properly chained

Re: [pfSense] Fwd: website_issues_pfsense

2014-03-19 Thread Vick Khera
On Wed, Mar 19, 2014 at 3:49 AM, rajan agarwal rajanagarwa...@gmail.com wrote: Seems like it is a problem with mod_security for apache module, do you have it installed in your setup?? Also, if you share the logs, it will be more helpful for the people here :) If you are saying that remote

Re: [pfSense] Odd symptoms from embedded 2.1-RELEASE

2014-03-19 Thread Vick Khera
On Wed, Mar 19, 2014 at 2:17 PM, Ryan Coleman ryanjc...@me.com wrote: 95% of HTTP traffic does not pass. In fact if you load Yahoo.com it stalls when it hits a new hostname (s.yimg.com , for example, as part of their CDN). two ideas: 1) is your DNS resolver working? 2) can you network ping

Re: [pfSense] (no subject)

2014-03-19 Thread Vick Khera
because clicking the link at the bottom of every message you get from the list is too hard? On Wed, Mar 19, 2014 at 2:25 PM, robert gledhill robert...@gmail.com wrote: Remove me ___ List mailing list List@lists.pfsense.org

Re: [pfSense] Odd symptoms from embedded 2.1-RELEASE

2014-03-19 Thread Vick Khera
if you refresh does it load? see if you are running out of states. boost that limit. On Wed, Mar 19, 2014 at 2:28 PM, Ryan Coleman ryanjc...@me.com wrote: Yes, I can resolve (and ping) all sorts of FQDNs. On Mar 19, 2014, at 1:24 PM, Vick Khera vi...@khera.org wrote: On Wed, Mar 19

Re: [pfSense] restoring nanobsd config to full install

2014-03-26 Thread Vick Khera
it should work. it will prompt you for the new NICs to map into WAN/LAN and you're good to go. On Wed, Mar 26, 2014 at 12:16 AM, David Burgess apt@gmail.com wrote: I have a config backup from a pfsense 2.1 i386 nanoBSD install that I have tried to restore to a new pfsense 2.1 amd64 full

Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Vick Khera
On Tue, Apr 8, 2014 at 9:50 AM, mayak ma...@australsat.com wrote: this is a nightmare -- NSA is having a field day with this. how long has it been around? http://heartbleed.com full FAQ for ya.

Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Vick Khera
there are two installed versions of openssl on the system. the base which is used by the stock freebsd software, such as the ssh server, and then the packaged version which all the additional software (http server, openvpn, ipsec/setkey) uses: # /usr/bin/openssl version OpenSSL 0.9.8y 5 Feb 2013
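The post above makes the practical point that a pfSense box carries two OpenSSL builds, so checking only one of them tells you nothing about the other. The script below is an added example, not code from the list post or from pfSense: it classifies an `openssl version` string against the upstream CVE-2014-0160 affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 0.9.8 and 1.0.0 were never affected, 1.0.1g is the fix) and then runs that check against both binary paths named in the post. The paths are taken from the post; the classification and the output wording are my assumptions. Caveat: vendors sometimes backport the fix without bumping the version string, so an "AFFECTED" verdict from the version alone means "verify against the vendor advisory", not "definitely exploitable".

```shell
#!/bin/sh
# Added example (not from the mailing list post): Heartbleed (CVE-2014-0160)
# version-range check for every OpenSSL copy on a box.
# Upstream affected range: 1.0.1, 1.0.1a..1.0.1f, 1.0.2-beta1.
# Not affected: 0.9.8x, 1.0.0x, 1.0.1g and later.
# Assumption: distro builds may backport the fix without changing the
# version string, so treat an AFFECTED verdict as "go verify", not proof.

heartbleed_affected() {
    # $1: full "openssl version" output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    # Returns 0 (true) when the version falls in the affected range.
    ver=${1#OpenSSL }      # strip the leading product name
    ver=${ver%% *}         # keep only the version token
    case "$ver" in
        1.0.1)        return 0 ;;   # bare 1.0.1 release
        1.0.1[a-f])   return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.2-beta1)  return 0 ;;
        *)            return 1 ;;   # 0.9.8*, 1.0.0*, 1.0.1g+, 1.0.2+, 1.1+, 3.x
    esac
}

check_binary() {
    # $1: path to an openssl binary. Prints a verdict line.
    # Returns 0 when that binary reports an affected version, 1 otherwise.
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not present"
        return 1
    fi
    v=$("$bin" version 2>/dev/null)
    if heartbleed_affected "$v"; then
        echo "$bin: $v -> AFFECTED (upgrade or recompile, then re-key)"
        return 0
    fi
    echo "$bin: $v -> not in the affected range"
    return 1
}

# Both copies the post describes: base system (sshd etc.) and the
# ports/packages copy used by the web server, OpenVPN and IPsec tools.
for b in /usr/bin/openssl /usr/local/bin/openssl; do
    check_binary "$b" || :
done
```

Run it as root on the firewall; a clean bill of health requires both lines to read "not in the affected range" (or "not present"). Because the packaged copy is the one that OpenVPN and the web GUI link against, that is the line that matters most for a pfSense install, and after upgrading it the server certificates and keys that were exposed through those services should be re-issued.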

Re: [pfSense] pfsense versions

2014-04-08 Thread Vick Khera
On Tue, Apr 8, 2014 at 1:19 PM, Nenhum_de_Nos math...@eternamente.info wrote: I found one mirror that has older files, looking one by one, and I am mirroring it on my server. Is there any policy on that ? An official site for this ? the license is pretty liberal, so it should be ok. at one

Re: [pfSense] Remote office redundancy

2014-04-09 Thread Vick Khera
I just dug up this old thread to implement IPsec and OpenVPN failover coming to my main office from a remote location. The main office already has a gateway group for the two different ISPs, so my first step is to set up a dynamic DNS for it. This is where I get stuck... the RFC2136 client

Re: [pfSense] Remote office redundancy

2014-04-09 Thread Vick Khera
On Wed, Apr 9, 2014 at 10:57 AM, Seth Mos seth@dds.nl wrote: Uhm, yeah, oversight on my part when I built this. Also, I didn't have a RFC2136 server to talk to. So instead of adding something broken I didn't add it at all. If you can tell me where the moving parts are, I will try to build

Re: [pfSense] Routing additional networks from remote ipsec pfsense

2014-04-17 Thread Vick Khera
On Thu, Apr 17, 2014 at 10:43 AM, Márcio Merlone marcio.merl...@a1.ind.br wrote: Route from 10.0.2.0/24 to 10.0.0.0/24 is auto from VPN config, working fine. What about 10.0.2.0/24 - 10.0.1.0/24? Thanks and sorry if this is too dummy. :) you add a second Phase 2 entry to the IPsec tunnel.

[pfSense] vzw uml290

2014-04-17 Thread Vick Khera
At the advice of the group here, I installed a VZW UML290 usb modem about a week and a half ago. This has worked pretty well as a backup line since then. Starting yesterday, PPP won't negotiate anymore. The logs show the authentication succeeds, but then the negotiation fails many times.
