Re: [pfSense] Recent FreeBSD Security Vulnerabilities

2014-01-21 Thread Vick Khera
On Mon, Jan 20, 2014 at 3:27 PM, Moshe Katz wrote: > 2014-01-14 > FreeBSD-SA-14:03.openssl >> > > pfSense 2.1 release is running OpenSSL 0.9.8y (at least on my machine), > which is not reported

Re: [pfSense] Apple Messages Blocked

2014-01-15 Thread Vick Khera
On Wed, Jan 15, 2014 at 11:02 AM, Jim Thompson wrote: > Turning on UPNP might make things better. "It just works" for me, too. > Come to think of it, I do have UPNP turned on for my home LAN, too. So yeah, do that :) ___ List mailing list List@lists.p

Re: [pfSense] Apple Messages Blocked

2014-01-15 Thread Vick Khera
On Tue, Jan 14, 2014 at 3:01 PM, Paul Galati wrote: > I have tried searching the forums to find a fix to allow Apple Messages > app to successfully connect using Audio, Video, or Screen Sharing. It "just works" for me. I have pfSense protecting my home network, sitting behind a NAT from Verizo

Re: [pfSense] OpenVPN clients

2013-12-03 Thread Vick Khera
On Tue, Dec 3, 2013 at 5:06 AM, Nenhum_de_Nos wrote: > I know how to do it on older versions, but can't figure it out on 2.x. Is > there any guide ? > Basically these settings: Create a new OpenVPN "server". I call mine "Roaming Clients" Server Mode: Remote Access SSL/TLS Protocol: UDP Device M

Re: [pfSense] OpenVPN clients

2013-12-02 Thread Vick Khera
Yes, you set it up for mobile clients and it will let multiple remote computers connect and assign a single IP address to each from a pool. It works exactly the same as in 1.2.3. On Mon, Dec 2, 2013 at 7:40 PM, Nenhum_de_Nos wrote: > hail, > > is there a kind of server on openvpn on pfsense that

Re: [pfSense] Load balancing IMAPs / POP3s / HTTPs

2013-11-22 Thread Vick Khera
On Fri, Nov 22, 2013 at 12:12 PM, Nikos Zaharioudakis wrote: > Are there any hints and tips on how to do this? Are there things that > I should have in mind? I found 2 different balancer solutions in the > distribution of pfsense. One which is built in and ha-proxy. Should I > use one or the other

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-11 Thread Vick Khera
Did you get the sense people with the relevant skill were open to a bounty for implementing the necessary fixes? On Mon, Nov 11, 2013 at 1:36 PM, Jim Thompson wrote: > I was at the FreeBSD Vendor Summit last week, and raised the AES-NI > issue as "important to be solved in the next six months".

Re: [pfSense] Motherboard compatibility

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 10:05 AM, Thinker Rix wrote: > So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a > motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / > Haswell) it should work, even though FreeBSD 8.3 is older than those > technologies and migh

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle wrote: > The sheet could really use some more data, so anyone who has an AES-NI > capable system, feel free to run through the tests and help fill out the > sheet. :-) > /usr/bin/openssl speed -evp aes-128-cbc -elapsed The 'numbers' are in 1000s of byt

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle wrote: > Also see the "How To Test" tab and other data here: > > https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdE15eHB4dndHTXZYcU1mQm9Dc3V2elE&usp=sharing > > The sheet could really use some more data, so anyone who has an AES-NI > capable sys

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 9:44 AM, Vick Khera wrote: > CLEARLY it is killer fast for larger blocks. I just pondered this for a few minutes... I think openssl's summary numbers are misleading. They give you the time per CPU seconds used. So while the CPU is not doing the computations, th

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Thu, Nov 7, 2013 at 8:51 AM, Vick Khera wrote: > I'm thinking it is either zero gain, or negative gain. On pfSense > 2.1-RELEASE (aka FreeBSD 8.3 with OpenSSL 1.0.1e) we see: > Hm. So reading more, I learn that AES-NI will only be used with -evp on openssl, and openvpn uses

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Wed, Nov 6, 2013 at 11:04 AM, Thinker Rix wrote: > What do you think is the reason for your VPN traffic maxing out at 20Mbps > (I assume that your connection is not the traffic bottleneck, right?), > although your CPUs are almost idle? > I'm fairly sure it is the office Comcast connection. Ev

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-07 Thread Vick Khera
On Wed, Nov 6, 2013 at 8:29 AM, Jim Thompson wrote: > There are reports that FreeBSD doesn't support AES-NI very well. > I'm thinking it is either zero gain, or negative gain. On pfSense 2.1-RELEASE (aka FreeBSD 8.3 with OpenSSL 1.0.1e) we see: % /usr/local/bin/openssl speed aes-256-cbc Doing

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-07 Thread Vick Khera
On Wed, Nov 6, 2013 at 11:27 AM, Eugen Leitl wrote: > > Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10) > > Are these borderline reliable with FreeBSD/pfSense? I've had Broadcom chips work pretty well with FreeBSD. Intel chips are still first choice, as Intel themselves

Re: [pfSense] Motherboard compatibility

2013-11-07 Thread Vick Khera
On Wed, Nov 6, 2013 at 9:24 AM, Paul Mather wrote: > > If those figures that the hardware producer provided are correct, it > would mean that I could run pfSense 2.1 only on the C204 board, since > pfSense 2.1 is based on FreeBSD 8.3, and the C222 board is only compatible > from FreeBSD 9.1 and u

Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Vick Khera
On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix wrote: > Would pfSense use these CPU instructions to hardware-encrypt/decrypt all > VPN traffic (OpenVPN)? > Would pfSense benefit from this in any other way, too? > pfSense lists AES-NI as a supported option for crypto acceleration. pfSense will

Re: [pfSense] website and upgrade procedure

2013-11-06 Thread Vick Khera
On Tue, Nov 5, 2013 at 2:21 PM, Curtis Maurand wrote: > I'm assuming you used a live CD or an installation CD? > Yes, that is what I did. I used the live CD to install onto the new hardware. Then I plugged my laptop into it using a direct ethernet cable (you may need a crossover depending on you

Re: [pfSense] website and upgrade procedure

2013-11-05 Thread Vick Khera
On Tue, Nov 5, 2013 at 9:39 AM, Curtis Maurand wrote: > I'm sure there are going to be gotchas. Is there a procedure in the docs > to moving a configuration to a new hardware platform? I'm assuming that I > should install the current version on the new hardware, get the > configuration onto it

Re: [pfSense] newsyslog: No such file or directory

2013-10-17 Thread Vick Khera
curious. i have email notifications on, but I do not receive errors from cron. i wonder why. the newsyslog binary seems to not be on the system. normally on freebsd it is in /usr/sbin. seems like an error to me. i'd just comment out that line in /etc/crontab. pfsense uses a different kind of loggi

Re: [pfSense] SIP problems.

2013-10-16 Thread Vick Khera
On Wed, Oct 16, 2013 at 3:21 AM, Hannes Werner wrote: > I'm facing Asterisk problems whenever pfsense gets a new IP from my WAN. > And Asterisk reconnects to my operator when I reset the states. This is > really an annoying problem and it only happens with pfsense, > What is "it" in "it only hap

Re: [pfSense] NAT-port-forwading problem in combination with SIP/RTP/VoIP

2013-10-15 Thread Vick Khera
On Tue, Oct 15, 2013 at 10:04 AM, Claudio Thomas wrote: > BTW: What do you mean with "client" and not "peer"? Allowed sip-types are > peer, user or friend (http://www.voip-info.org/wiki/view/Asterisk+sip+type > > ) > My asterisk (actually it is Switchvox GUI running asterisk underneath) is acting

Re: [pfSense] NAT-port-forwading problem in combination with SIP/RTP/VoIP

2013-10-15 Thread Vick Khera
On Tue, Oct 15, 2013 at 7:48 AM, Claudio Thomas wrote: > So my guess is that NAT+Portforwarding is not working correctly. Can > anyone help? > > Thanks, Claudio > > PS: annexed some details... > > asterisk <-> siproxd 0.8.0_2/pfSense 2.1(i386) <-> sipgate > 10.150.0.14 <-> 10.150.0.158/(pub-ip cen

Re: [pfSense] SIP problems.

2013-10-14 Thread Vick Khera
On Mon, Oct 14, 2013 at 11:11 AM, palesius . wrote: > sorry, I'm using the qualify option in asterisk, which i believe sends a > request over the SIP connection periodically. > Interesting.. I thought that was only for qualifying remote servers. You *really* want your phones to turn on keep ali

Re: [pfSense] SIP problems.

2013-10-14 Thread Vick Khera
> > On Thu, Oct 10, 2013 at 10:05 AM, Vick Khera wrote: > >> Can you configure your phones to do a keepalive ping? It sounds like >> the states are timing out. >> >> >> >> On Wed, Oct 9, 2013 at 5:44 PM, palesius . wrote: >> >>> To

Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

2013-10-10 Thread Vick Khera
On Thu, Oct 10, 2013 at 1:19 PM, Jim Thompson wrote: > > Is there any mechanism to insert ciphers into Pfsense that are not > currently supported? > > You have the source code. > > I, for one, am uninterested in non standards-compliant (and thus > interoperable) implementations. > I personally c

Re: [pfSense] fail2ban

2013-10-10 Thread Vick Khera
On Thu, Oct 10, 2013 at 10:37 AM, Jostein Elvaker Haande wrote: > I've talked to the development team about this in the past, and what I was > told back then was this: with 1.3, you could achieve an API like behavior > with using curl or similar tools, but this would be close to impossible > with

Re: [pfSense] Syncing alias lists

2013-10-10 Thread Vick Khera
On Thu, Oct 10, 2013 at 10:32 AM, Chris Bagnall wrote: > In this scenario, the client has units at different sites (not all in the > same country, even). > Oh, glossed over that part. :( Perhaps you could have a script that fetched the aliases configuration and pushed it to the other sites using

Re: [pfSense] Syncing alias lists

2013-10-10 Thread Vick Khera
The HA facility of pfSense will sync various configs. Look at the checkboxes to determine what gets synced to see if that is suitable for your need. On Thu, Oct 10, 2013 at 10:13 AM, Chris Bagnall wrote: > Greetings list, > > Does anyone know if it's possible to 'sync' alias lists across pfSen

Re: [pfSense] SIP problems.

2013-10-10 Thread Vick Khera
Can you configure your phones to do a keepalive ping? It sounds like the states are timing out. On Wed, Oct 9, 2013 at 5:44 PM, palesius . wrote: > To take a break from all the NSA talk... > > I'm having some trouble routing traffic over an openvpn tunnel between two > pfsense firewalls. A

Re: [pfSense] rrd error after upgrade to 2.1

2013-10-09 Thread Vick Khera
On Wed, Oct 9, 2013 at 8:11 AM, İhsan Doğan wrote: > I'll try to upgrade to 64-bit again. > What will happen: the upgrade will finish, but there's no way for the system to tell you or auto-reboot. Once you're sure it is done, you need to reset the machine to reboot it.

Re: [pfSense] insert a pfsense box to handle high network load (botnet attack)

2013-09-05 Thread Vick Khera
It entirely depends on the hardware you use for pfSense as to how much load it can handle. I for one, push a sustained 60-70Mbps, with bursts of 120Mbps or more on a fairly hefty Xeon 64-bit server with 16GB of RAM. I have mostly simple rules, several IPSec and OpenVPN endpoints, and about 8 virtua

Re: [pfSense] Site to Site VPN issue in PFsense

2013-08-19 Thread Vick Khera
On Mon, Aug 19, 2013 at 12:12 PM, pratap koppal wrote: > I'm using openvpn as site to site, still I'm facing the same problem as > mentioned. > On the home office, configure your OpenVPN to listen on all interfaces, not just one of the WAN links. Then have the remote offices just shift the endpoint. Be

Re: [pfSense] Site to Site VPN issue in PFsense

2013-08-19 Thread Vick Khera
On Wed, Aug 14, 2013 at 7:07 AM, pratap koppal wrote: > My head office along with two branch offices are deployed with pfsense. > Head Office and one of the branch offices are deployed with PFsense 2.0.1, and the other > branch office PFsense 2.0.3. My branch offices are linked with HO through > site-to-site op

Re: [pfSense] Newbie questions

2013-08-09 Thread Vick Khera
On Thu, Aug 8, 2013 at 3:44 PM, wrote: > Side question: are there iPhone/iPad/Android apps that will allow VPN > access so I can get into the management interfaces while on the road? > Yes. The built-in "cisco" ipsec client on iOS works great with pfSense, following these directions: http://fo

Re: [pfSense] OpenVPN site to site connection

2013-08-01 Thread Vick Khera
On Wed, Jul 17, 2013 at 9:16 AM, Peter Milazzo < peter.mila...@somersetcapital.com> wrote: > there. So there is already an IPsec tunnel running (which I disable) > and 2 WAN connections using gateway group for failover. Could there be > some sort of conflict with the IPsec even though I disable it

Re: [pfSense] high load on LAN iface in CARP -> LAN master becomes backup

2013-07-08 Thread Vick Khera
On Mon, Jul 8, 2013 at 5:45 AM, Adrian Zaugg wrote: > Whatever slow hardware I may have, it should work steady, but maybe just > slower. And in my opinion the slave should take over completely not just > the LAN interface, but that's another discussion. > I agree with this statement. All or noth

Re: [pfSense] high load on LAN iface in CARP -> LAN master becomes backup

2013-07-05 Thread Vick Khera
On Wed, Jul 3, 2013 at 5:45 PM, Adrian Zaugg wrote: > In our network there are two gateways configured with CARP. It runs all > well, as it should, except if I produce heavy load, something like > 80-100MByte/s on the gateway, CARP switches (just) the LAN interface of > the master to backup. All

Re: [pfSense] Remote office redundancy

2013-05-23 Thread Vick Khera
On Thu, May 23, 2013 at 11:42 AM, Chris Bagnall wrote: > I wonder if you could, for example, create two OpenVPN connections which > run at all times - WAN1 to WAN1 and WAN2 to WAN2, then load balance or > failover between those? Still, what happens if site 1 wan1 goes down, and site 2 wan 2 goes

Re: [pfSense] Remote office redundancy

2013-05-23 Thread Vick Khera
On Thu, May 23, 2013 at 11:17 AM, Peter Milazzo < peter.mila...@somersetcapital.com> wrote: > My questions are, do I need to setup a second IPsec tunnel for the cable > connection (which I believe you can't do) if it fails over and what will > the routing look like? Is there a better way to set t

Re: [pfSense] Conditional Routing question

2013-04-29 Thread Vick Khera
On Mon, Apr 29, 2013 at 10:51 AM, Oliver Hansen wrote: > I'm also interested in a solution for this. I also have a VPN provider > that uses OpenVPN. I tried to set up some policy routes after adding the > OpenVPN connection but I didn't have much luck. > I'm pretty sure the vpn client configurati

Re: [pfSense] help

2013-04-28 Thread Vick Khera
On Wed, Apr 24, 2013 at 10:36 AM, eyobe kebede wrote: > public ip 197.156.75.54 our side and 197.156.75.53 ISP side > Well, now you have just shared some new information. Try this: set your public IP to 197.156.75.54 and the default route to the .53 address, and the netmask to 255.255.255.252.

Re: [pfSense] help

2013-04-23 Thread Vick Khera
On Sat, Apr 20, 2013 at 5:46 AM, eyobe kebede wrote: > but 10.134.192.154 is the WAN ip and 10.130.42.65 is the default gateway Given that 10.134.192.154 is your WAN IP, and the netmask they gave you is 255.255.255.252, the *ONLY* other IP you can directly reach is 10.134.192.153. Your network add

Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-16 Thread Vick Khera
to be adding node.js to the firewall device. https://github.com/postwait/vippy On Tue, Apr 16, 2013 at 10:41 AM, James Bensley wrote: > On 16 April 2013 14:41, Vick Khera wrote: > > There is no "election" protocol where they are considered equal and > defer to > >

Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-16 Thread Vick Khera
On Tue, Apr 16, 2013 at 8:48 AM, James Bensley wrote: > Does anyone have any ideas about some sort of "no preempt" option for > CARP so that if the master fails, and everything switches over to the > You would need to adjust the advskew on the old master to be higher than that of the backup (cur

Re: [pfSense] help

2013-04-16 Thread Vick Khera
On Tue, Apr 16, 2013 at 4:53 AM, eyobe kebede wrote: > hi here I have got some information in our router configuration. the ip > address is 10.134.192.154 and the subnet mask is 255.255.255.252. how could > I configure this to include 197.156.75.54 as public IP > The network defined by that IP a

Re: [pfSense] CARP / VIP Failover Queries (NAT sessions and no preempt?)

2013-04-15 Thread Vick Khera
On Sat, Apr 13, 2013 at 3:58 PM, James Bensley wrote: > If I am connected to a LAN host from outside using SSH for example, and > I pull out the master, my SSH session stops working. Do the boxes not > sync NAT tables and states etc? I lose any active TCP connections. > I had this problem until

Re: [pfSense] Prevailing wisdom on Hyperthreading?

2013-04-12 Thread Vick Khera
On Fri, Apr 12, 2013 at 4:18 PM, Nathan C. Smith wrote: > A couple years ago when the topic of CPU hyper threading came up I > remember folks being advised to disable it. Is that still the prevailing > wisdom and current best practice? > I never explicitly disable it anymore, but I am not sure w

Re: [pfSense] help

2013-04-09 Thread Vick Khera
On Tue, Apr 9, 2013 at 11:19 AM, Jim Pingle wrote: > His ISP may have just forgotten to give him the proper gateway. But on > the outside chance they really do expect him to use that 10.x address as > the gateway, it may still be possible. > > http://redmine.pfsense.org/issues/972 > > Not support

Re: [pfSense] help

2013-04-09 Thread Vick Khera
On Tue, Apr 9, 2013 at 3:49 AM, eyobe kebede wrote: > to 197.156.75.54 and default gateway of 10.130.42.65 As Luis points out, this makes no sense. What is the netmask they told you to use for the WAN address? The gateway must be within that network block defined by the netmask and IP.

Re: [pfSense] PfSense System - Memory Leak?

2013-03-26 Thread Vick Khera
On Wed, Mar 20, 2013 at 11:58 AM, Mikey van der Worp wrote: > How is it possible that an pfSense machine of mine crashes without > anything to see.. No errors… etc! Ethernet ports are up.. But not > receiving/sending any data.. And it looks like a memory leak… This was with > version 2.0.1 of pfSe

Re: [pfSense] Dual WAN Failover to gateway default

2013-03-05 Thread Vick Khera
On Tue, Mar 5, 2013 at 3:57 AM, wrote: > Hi, I need to configure pfsense for output traffic on WAN1, but when WAN1 is > down I would like to redirect traffic to WAN2 and vice versa. I would like to only use WAN1 > for active connections and if WAN1 is down, redirect the traffic to WAN2. > > I have 2 WAN with static IPs. I

Re: [pfSense] Samba4 package and extend services with pfsense

2013-02-26 Thread Vick Khera
On Tue, Feb 26, 2013 at 7:49 AM, Luiz Gustavo Costa < luizgust...@luizgustavo.pro.br> wrote: > I have worked in the Samba4 package for pfsense, not only act as a > domain member, but also act as a domain controller and i see this as an > opportunity to extend the pfsense to be more than a firewall

Re: [pfSense] Firmware bug in Intel Ethernet Controllers

2013-02-07 Thread Vick Khera
On Wed, Feb 6, 2013 at 5:10 PM, Moshe Katz wrote: > I saw this today and figured I would bring it to everyone's attention. I > figured that there are definitely people on this list who use Intel NICs > that are affected and may have just the right traffic to trigger the > problem. > > http://blo

Re: [pfSense] CARP Sync States - Not the same on both hosts?!?

2013-01-23 Thread Vick Khera
On Tue, Jan 22, 2013 at 11:24 AM, Tim Nelson wrote: > I have two hosts in a CARP setup, working as expected for failover. States > are set to sync between the primary system and the secondary system. > However, when I look at the state table of the slave system, it does not > match that of the ma

Re: [pfSense] CARP Master/Slave Status Change Notification

2013-01-22 Thread Vick Khera
the SMTP alerts will tell you when a carp cluster change occurs, but no details on what exactly it was. they also tell you about other events such as when one member of a gateway group goes down (but not when it comes back up, curiously). not sure what else, as those are the only two types of fai

Re: [pfSense] Multi WAN & CARP

2013-01-11 Thread Vick Khera
On Mon, Jan 7, 2013 at 7:46 PM, WolfSec-Support wrote: > any hint will be welcome > You want your pfSense boxes to be mostly identical, and symmetrically configured. That is, you want BOTH ISPs connected to both firewall boxes, and have them share the inbound gateway route via CARP as well. Ie,

Re: [pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue

2012-12-10 Thread Vick Khera
On Mon, Dec 10, 2012 at 10:05 AM, Steve Spencer wrote: > The remote phones in question are not using NAT, but are publicly > addressed. Local phones on our LAN continue to work just fine. The firewall > is at the local end and sits between the cloud and the switchvox server. > When you say, "goin

Re: [pfSense] Alix 2D3 with pfSense 2.1

2012-11-21 Thread Vick Khera
On Tue, Nov 20, 2012 at 4:58 AM, Eugen Leitl wrote: > > ~85 Mbps max. Not going to fill a 100 Mb pipe, but will work. > > Thanks, that will do plenty. > I think you will find it barely handling that load. Will you have any VPN connections or a lot of firewall rules? We were unable to sustain tha

Re: [pfSense] Question about accessing two pfSense boxes in Fail-over mode

2012-11-07 Thread Vick Khera
On Wed, Nov 7, 2012 at 12:33 PM, j...@millican.us wrote: > The problem is that on the edge boxes I can only get to the primary, the > slave is inaccessible. The only difference I can see is which zone the > interface I am trying to access is in, WAN vs LAN. The access rules are the > same on bot

Re: [pfSense] Internet thru IPsec VPN

2012-10-12 Thread Vick Khera
I believe it depends on the client. For example, when i used IPSecuritas on the mac, it only routed the VPN destination thru the vpn. the IPsec client on iOS routes all traffic via the VPN. On Thu, Oct 11, 2012 at 12:45 AM, Luis Carrión wrote: > Heloo folks, > > Just a question, where in Pf

Re: [pfSense] OpenVPN client for iPad

2012-10-04 Thread Vick Khera
On Wed, Oct 3, 2012 at 5:48 AM, Raúl Sampedro wrote: > App embedded in iOS. > And these are the "right" instructions, step-by-step. http://forum.pfsense.org/index.php?PHPSESSID=eqvfsk9c6dar52lncgb39gc0s7&/topic,24752.msg130558/topicseen.html#msg130558 The only thing I changed in pfSense was

Re: [pfSense] apinger gateway down

2012-09-20 Thread Vick Khera
On Tue, Sep 18, 2012 at 5:11 PM, sl...@webii.net wrote: > Hi, > > Once in a while we got such errors: > > apinger: : WANGW(x.x.x.1) *** WANGWdown *** > apinger: ALARM: WANGW(x.x.x.1) *** WANGWdown *** > apinger: alarm canceled: WANGW(x.x.x.1) *** WANGWdown *** > > What were the timestam

Re: [pfSense] Cisco IPSEC configuration

2012-09-14 Thread Vick Khera
On Wed, Sep 12, 2012 at 3:47 PM, Ian Bowers wrote: > posting instructions on doing it could cause trouble. Trouble for whom?

Re: [pfSense] pfsync Synchronize Peer IP best practice

2012-09-11 Thread Vick Khera
On Tue, Sep 11, 2012 at 9:36 AM, Pedro Serotto wrote: > I have a dedicated NIC too. > > But, do you set the remote ip on every side or only on the master side? > > Is it right that the sessions migrate only from master to slave and never from > slave to master? > You set the remote IP on both boxes

Re: [pfSense] pfsync Synchronize Peer IP best practice

2012-09-11 Thread Vick Khera
On Tue, Sep 11, 2012 at 8:40 AM, Pedro Serotto wrote: > which value do you usually set in pfsync Synchronize Peer IP ? > The other peer pfsync ip address ? > Is it right to leave empty ? > When I set this up with a dedicated NIC just for the pfsync, I left it blank as hinted on the configuration

Re: [pfSense] CARP and IPsec tunnel settings

2012-08-03 Thread Vick Khera
On Thu, Aug 2, 2012 at 2:56 PM, bsd wrote: > I wanted to know if part of the solution was to set in phase 1 proposal "My > identifier --> IP address : Ip.wan.carp" > > I have read that in a post, but since I am now away from the data center > where It is hosted, I wanted to have a confirmation o

Re: [pfSense] Not connect ipsec vpn remote with local network different to LAN

2012-08-01 Thread Vick Khera
On Wed, Aug 1, 2012 at 6:00 AM, Maykel Franco Hernández wrote: > I am trying to configure ipsec for remote connection. I need to write in the local > network in phase 2 a local network different from the LAN. But when I configured the > local network in phase 2 with an IP different from the LAN, the button does not appear > conn

Re: [pfSense] Accessing web-interface on WAN network

2012-07-31 Thread Vick Khera
On Mon, Jul 30, 2012 at 6:10 PM, wrote: > I have a pfSense 2.0 box connected to an ADSL modem running as a MPoA > bridge. Basically the ADSL modem does some unspecified manipulation and > presents the public IP to the LAN connection via DHCP along with gateway > etc. information allowing the pfS

Re: [pfSense] vCloud Director Howto: Load balancing with free pfSense

2012-07-23 Thread Vick Khera
On Mon, Jul 23, 2012 at 8:48 AM, Eugen Leitl wrote: > We have to setup the pools and virtual servers feature, it’s a > nice-to-have to set up the “monitors” option which is also available (more > about that in the To Do paragraph and the end of this article). > > In the pools options you have to

Re: [pfSense] ipsec HA

2012-07-18 Thread Vick Khera
On Wed, Jul 18, 2012 at 4:11 AM, Pedro Serotto wrote: > Everything migrates correctly but not ipsec. > What is your remote IPsec device? Is it pfSense as well? That is my situation and the connection flips over rather quickly.

Re: [pfSense] ipsec HA

2012-07-17 Thread Vick Khera
On Mon, Jul 16, 2012 at 12:44 PM, Pedro Serotto wrote: > I try to set up multiple VPN gateways in a redundant configuration, > allowing for > transparent failover of VPN connections without any loss of > connectivity. > I find my IPsec tunnels transfer from primary to secondary pfSense box within

Re: [pfSense] pfSense vs JunOS

2012-07-03 Thread Vick Khera
On Sun, Jul 1, 2012 at 3:33 PM, Chris Buechler wrote: > The level of service we provide is on par or better than commercial > vendors. For most of our customers, much better, because commercial > vendors will rule out the firewall and tell you to have a nice day > I'll confirm that their support

Re: [pfSense] supermicro SOL console

2012-06-29 Thread Vick Khera
On Fri, Jun 29, 2012 at 2:50 PM, Adam Thompson wrote: > One thing... SuperMicro IPMI BMCs should redirect COM1 if the internal > connections are cabled properly... in which case the standard Embedded > distro would work properly. These have a full lights-out-manager on them. Maybe those are dif

Re: [pfSense] Network "freezes" on IBM x3550, Broadcom NICs

2012-06-29 Thread Vick Khera
On Thu, Jun 28, 2012 at 9:07 PM, Paul Gear wrote: > Server hardware: IBM x3550, Xeon E5405 2 GHz, 2 GB RAM, 2 x 300 GB 10K > RPM SAS HD in hardware RAID 1, 2 x Broadcom NetXtreme II BCM5708 > 1000Base-T (B2) > About two weeks ago I had to put into production a temporary hacked together server as

Re: [pfSense] supermicro SOL console

2012-06-29 Thread Vick Khera
On Fri, Jun 22, 2012 at 12:17 PM, Jim Pingle wrote: > Use /boot/loader.conf.local - that won't get overwritten. The other two > will. > Based on this, my revised configuration is to create /boot/loader.conf.local: hint.uart.2.at="isa" hint.uart.2.port="0x3E8" hint.uart.2.flags="0x10" hint.uart.

[pfSense] supermicro SOL console

2012-06-22 Thread Vick Khera
So I just figured this nifty trick out. I provisioned a pair of servers based on supermicro X9SC motherboard, which has a built-in ILOM processor, and that provides a serial-over-lan serial port in addition to other administrative features. It was exceptionally easy to convince pfsense to use tha

Re: [pfSense] failover sync question

2012-06-22 Thread Vick Khera
On Wed, Jun 13, 2012 at 6:19 PM, Chris Buechler wrote: > > You have to enable "synchronize states" on the secondary too or it > won't accept them. Firewall>VIPs, CARP settings tab. Thanks for this tip. I thought perhaps my problem was that I was sharing an interface for this, and the boxes in qu

Re: [pfSense] pfSense Setup - Slow GUI & DNS?

2012-06-22 Thread Vick Khera
On Fri, Jun 22, 2012 at 7:02 AM, Mark Tinka wrote: > The machine is still in "setup mode", so it's not connected > to the Internet. However, it seems that a quick web GUI > loves DNS (confirmed via pfSense state table), which, > obviously, isn't up yet. This seems to be a recurring theme > when I

Re: [pfSense] Slightly OT: Accessing pfSense webinterface via reverse proxy

2012-06-18 Thread Vick Khera
On Mon, Jun 18, 2012 at 9:49 AM, Giles Coochey wrote: > I'm not sure whether the URL re-write will work when HTTPS is in use. Apache's SSL proxy uses CONNECT, so it doesn't terminate your SSL connection. Thus, it cannot decode or rewrite anything within. If you want it to work, you need to term

[pfSense] failover sync question

2012-06-13 Thread Vick Khera
I have a pair of firewalls set up with pfsync. pfSense 2.0.1/i386. I'm pushing a lot of connections and traffic, so had to bump the number of states in the Advanced -> Firewall/NAT tab. This increased number did not show up on the backup firewall. Ditto for unchecking the "disable nat reflection

Re: [pfSense] modern hardware selection

2012-05-29 Thread Vick Khera
Also, I have three IPsec VPNs connecting to other data centers and the main office, which need to push at peak 40Mbps for a couple of hours a day during backups.

[pfSense] modern hardware selection

2012-05-29 Thread Vick Khera
Looking through the forums and mailing list archives, I see recommendations for the following two devices to handle my network throughput: Hacom "Mars" system and Netgate FW-7535 B

Re: [pfSense] Rule processing optimization - states

2012-05-22 Thread Vick Khera
On Thu, May 17, 2012 at 2:37 PM, Ugo Bellavance wrote: > I would like to make sure my rules are in the best order. I understand that the > rules are processed from top to bottom, so I should place the rules that are > most used at top. However, how long does a state last? I just want to know > whether

Re: [pfSense] CISCO VPN CLIENT 5.0.07.0410 CONNECTION TO PFSENSE 2.0.1

2012-05-16 Thread Vick Khera
On Tue, May 15, 2012 at 5:39 PM, Antonio Cortes Alhambra (INCATEL) wrote: > someone has found the right combination of parameters settings to > achieve the connection from a CISCO VPN CLIENT 5.0.07.0410 and pfSense 2.0.1 There are instructions for making the Cisco IPsec VPN client built into iPho

Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12" depth

2012-05-14 Thread Vick Khera
On Thu, May 3, 2012 at 4:29 PM, Chuck Mariotti wrote: > Specifically... if I VPN into the firewall (PPTP), I can't seem to be able to > access the IP-KVM. > If I remote into a machine behind the firewall...  then try access the IP-KVM > from that machine... it works fine. > > I posted this issue

Re: [pfSense] HA and ifstated

2012-05-14 Thread Vick Khera
Isn't this automatic with CARP? On Mon, Apr 30, 2012 at 4:35 AM, Pedro Serotto wrote: > With ifstated I can catch the fault and demote the carp interface to > guarantee the service continuity. > > How can I do that in pfsense ?

[pfSense] incoming load balancer docs notes

2012-04-27 Thread Vick Khera
Reading http://doc.pfsense.org/index.php/Inbound_Load_Balancing I find a couple of issues, which seem to be changes in 2.0. 1) the default probe is 10 seconds, not 5. There is no way to tweak that. 2) there is no "sticky" option The commentary about 1.2 implementation using NAT and issues with

Re: [pfSense] Move instance from X to Y, cold spare.

2012-04-23 Thread Vick Khera
On Mon, Apr 23, 2012 at 4:36 PM, Karl Fife wrote: > In the scenario where the hardware interfaces are NOT the same, is it > possible to do something simple like search/replace the configuration file, > substituting the interface names?  Is there any reason to believe that > process would be less t

Re: [pfSense] Mounting memsticks

2012-02-27 Thread Vick Khera
On Sat, Feb 25, 2012 at 3:44 AM, Warren Baker wrote: > On Fri, Feb 24, 2012 at 9:48 PM, David Miller wrote: >> Is there a way to mount a memstick on a mac and see the file system(s). >> >> Given its roots I'd think the mac would understand freebsd file systems and >> partitions, but even a boota

Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Vick Khera
On Fri, Feb 10, 2012 at 11:00 AM, Jason T. Slack-Moehrle wrote: > I am a little confused at how I would know if they are handing me a /29 or > just 5 IP's? > > range: 75.xx.xx.25 - .29 > subnet: 255.255.255.248 (which is /29, IIRC) > GW: 75.xx.xx.30 Comcast has routed that /29 to your cable mode

Re: [pfSense] PFsense to PFsense IPSEC VPN and VOIP

2012-02-06 Thread Vick Khera
On Mon, Feb 6, 2012 at 3:44 AM, Gavin Will wrote: > Routing and firewall rules are correct and I can access both networks fine. > The voip phone registers and can make a call but both ends cannot hear each > other. The VOIP phones at my remote locations (VPN with IPSec) work well wit

Re: [pfSense] Backup from HD, restore do CF

2012-02-06 Thread Vick Khera
On Sun, Feb 5, 2012 at 5:28 PM, Diego Barrios wrote: > Can i install nanobsd 1GB image on my Alix, "Backup" the config from the PC > and "Restore" it on my ALIX? > > I don't care about the RRD graphs, logs, etc... only my VPN users and useful > settings. You will need to edit the network configur

Re: [pfSense] copying over users to new install

2012-01-27 Thread Vick Khera
On Fri, Jan 27, 2012 at 12:20 PM, Vick Khera wrote: > I exported the "system" configs and I see the users in there with > hashed passwords.  If I upload this to the new server after removing > all the other stuff I do not want changed, will it do as I expect and > leave th

[pfSense] copying over users to new install

2012-01-27 Thread Vick Khera
I'm setting up a new firewall in a new location, and moving the VPN service we use from the old to new locations. I need to move the list of users, but I do not know all of their passwords, naturally. I exported the "system" configs and I see the users in there with hashed passwords. If I upload

Re: [pfSense] Require help with basic 2.0.1 setup involving a virtual IP

2012-01-27 Thread Vick Khera
On page 4, where you create your carp VIP, you must specify the netmask for the WAN, not /32. How is it that your hme0 interface got from DHCP the same IP you think you're creating as a virtual IP? That makes no sense. These need to be separate addresses in the same subnet. Does your VIP work befor

Re: [pfSense] relayd fails to start after 2.0.1 upgrade

2011-12-27 Thread Vick Khera
On Tue, Dec 27, 2011 at 4:34 AM, Andrew Mitchell wrote: > Doh! Found the issue... was closed but never opened for > whatever reason. Works now! In XML, that is a combo "Open + Close" tag. Close tags look like for example.

Re: [pfSense] Ipad Road Warrior + VPN (secure connection) to my home network??

2011-12-09 Thread Vick Khera
I followed the step-by-step on this page. The only thing it missed was that you have to enable the "User - VPN - IPsec xauth Dialin" property on the user you create in pfSense. Works wonderfully, and waay more secure than PPTP ever was or will be. http://forum.pfsense.org/index.php?PHPS

Re: [pfSense] Odd circumstances

2011-11-16 Thread Vick Khera
On Tue, Nov 15, 2011 at 7:22 PM, Mehmasarja wrote: > Finally, I notice the pfSense appliance responds very slowly and suspect > there may be a hardware issue. I'll check its dmesg. did you try re-installing pfSense to clean out any stuff that the bad packages may have left behind?

Re: [pfSense] how to route ipsec connected traffic to remote vpn endpoint and back

2011-11-01 Thread Vick Khera
On Fri, Oct 28, 2011 at 1:05 PM, Vick Khera wrote: > I followed > http://forum.pfsense.org/index.php?PHPSESSID=eqvfsk9c6dar52lncgb39gc0s7&/topic,24752.msg130558/topicseen.html#msg130558 > to set up iPhone IPsec vpn.  This works splendidly (once I granted > permission to the ne
