Re: [pfSense] Bandwidth Management

2013-05-01 Thread Jason Pyeron




From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On
Behalf Of 3y3lop
Sent: Wednesday, May 01, 2013 19:49
To: pfSense support and discussion
Subject: [pfSense] Bandwidth Management


Hi All,

How to Configure Bandwidth Management rules in pfSense 2.0 .. Thank You

 

with google:
http://lmgtfy.com/?q=How+to+Configure+Bandwidth+Management+rules+in+pfSense
 
Do you have a more specific question?
 
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

 
 

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Packet capture

2013-05-01 Thread Jason Pyeron
 
Nice script. I am going to have to keep it in pcap format, and since that email
I have been using 2 remotely initiated ssh connections to ingest pflog0 and
bridge0 using '-s0 -w -'. My firewall load has not exceeded 0.06 so far. Since
using ssh encrypts the data, I have no IA issues either.
 
Putting it in the rc.local could ensure that connection is under the firewall's
control to reduce the number of accounts with access.



From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On
Behalf Of James Records
Sent: Wednesday, May 01, 2013 14:40
To: pfSense support and discussion
Subject: Re: [pfSense] Packet capture


Jason,

Sorry it took me a bit to get back to you.  Many years ago (and on OpenBSD) I
did something like this to get these logs off the box:



#!/bin/sh
# Bring up the pflog interface so the kernel delivers logged packets to it.
echo -n 'Starting PF Logging...'
ifconfig pflog0 up
# -l line-buffers stdout so logger receives each record promptly; -e prints the
# pflog header (rule, action, interface); -n skips DNS lookups; -t drops the
# timestamp (syslog adds its own); -v prints the IP header. Sent to local0.info.
( /usr/sbin/tcpdump -l -e -n -t -v -i pflog0 2>&1 | /usr/bin/logger -p local0.info -t pf ) &
echo 'done'


You'll want to modify your tcpdump statement to what you want to collect and
maybe send these to a new (separate) facility, but at that point you can just
point your logs to a remote server and you should be good to go.  

I think there is a way to do a rc.local on pfSense, though I've never done this,
but with some tweaking, you can probably get this to do what you want without
the need for remote ssh access.


-- 
James Records | Principal Network Engineer 

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com  

 
 


On Sun, Apr 28, 2013 at 4:16 PM, Jason Pyeron  wrote:



Yeah, that is what I quoted. Once you told me about the pflog0 I googled it. It
seems that it is not just a copy of the headers that get sent to that virtual
interface, but it is really pflogd that truncates the packets when putting them
in /var/log/pflog. The page lied :)
 
So now I have pflog0 (updated all the rules to log) and the bridge0 feeding in
to the IPS/IDS. I don't think the jitter in the sequence between the two pcap
streams will matter.
 
As a side, do you think I should stream the pcap data by ssh or some other
means? Would there be a more efficient means from the firewall performance point
of view?
 
-Jason




From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On
Behalf Of James Records

Sent: Sunday, April 28, 2013 16:29 

To: pfSense support and discussion
Subject: Re: [pfSense] Packet capture


Jason, 


Take a look at this:


http://www.openbsd.org/faq/pf/logging.html



Should help you out a bit.




-- 
James Records | Principal Network Engineer 


M 425.984.4349 E ja...@northshoresoftware.com


W www.northshoresoftware.com  








On Sun, Apr 28, 2013 at 1:21 PM, Jason Pyeron  wrote:



Nice. I did not know about that.
 
"When a packet is logged by PF, a copy of the packet header is sent to a
pflog(4) interface along with some additional data such as the interface the
packet was transiting, the action that PF took (pass or block), etc."
 
I will now look for a way to get it to pass the full packet, as I need to do
deep packet inspections.
 
Thanks!
 
-Jason
 




From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On
Behalf Of James Records
Sent: Sunday, April 28, 2013 12:58 

To: pfSense support and discussion
Subject: Re: [pfSense] Packet capture


Jason, 

I think what you want is the pflog0 interface.


-- 
James Records | Principal Network Engineer 

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com  



On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron  wrote:



Yes the interface for packet capture is nice for an interactive quick look, but
it is not a solution for an automated ingest system for 24x7 capture.
 
regarding the logs:
 
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match):
block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP
(17), length 66)

{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53:
952+ [1au] ANY? ripe.net. (38)

the detail is insufficient. I tried  Show raw filter logs, but there does not
seem to be any appreciable difference. I have a backend system (IDS type of
thing) which ingests pcap data as well as syslog, in this case the syslog from
the pfSense is too lightweight.

can I sniff the bridge [BRIDGE0]?

-Jason





From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On
Behalf Of Trevor Benson
Sent: Sunday, April 28, 2013 10:14
To: pfSense support and discussion
Subject: Re: [pfSense] Packet captu
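The two syslog records quoted above show everything a pfSense filter log entry carries once it has been relayed through syslog: pf's verdict line (rule number, action, direction, interface and the IP header fields) followed by tcpdump's one-line flow summary. As an added example, not code from the thread, the Python below pairs those two lines back into one record and cross-checks the source address against a few entries of the DDOS alias that Jason posts in his "Filter rule and bridge confusion" message later on this page; that is the correlation an ingest backend would do with these lines. The '{mail} ... INFO pf: ' relay prefix is stripped on the assumption that it always ends in the syslog tag 'pf: ', and the alias subset is copied from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two pflog records relayed through syslog, copied from the thread above.
SAMPLE_LOG = """\
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags [DF], proto UDP (17), length 66)
{mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 > 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
"""

# A few entries of the DDOS alias from the bridge thread on this page (subset).
DDOS_ALIAS = {"31.222.133.87", "81.218.230.147", "95.211.218.211"}

# tcpdump -e -v on pflog0: one verdict line per logged packet ...
RULE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"\(.*?proto (?P<proto>\w+) \((?P<protonum>\d+)\), length (?P<length>\d+)\)"
)
# ... followed by the IPv4 flow line ('addr.port > addr.port: summary').
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<summary>.*)"
)


@dataclass
class PfLogRecord:
    rule: int
    action: str
    direction: str
    ifname: str
    proto: str
    length: int
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    summary: str = ""


def strip_relay_prefix(line):
    """Drop the relay's framing up to and including the syslog tag 'pf: ' (assumed)."""
    _, sep, rest = line.partition("pf: ")
    return rest.strip() if sep else line.strip()


def parse_pflog(lines):
    """Pair each 'rule ...' verdict line with the flow line that follows it.
    IPv6 and non-IP flows are left with src/dst unset rather than mis-parsed."""
    records = []
    current = None
    for raw in lines:
        text = strip_relay_prefix(raw)
        m = RULE_RE.search(text)
        if m:
            current = PfLogRecord(rule=int(m["rule"]), action=m["action"],
                                  direction=m["dir"], ifname=m["ifname"],
                                  proto=m["proto"], length=int(m["length"]))
            records.append(current)
            continue
        f = FLOW_RE.match(text)
        if f and current is not None and current.src is None:
            current.src, current.sport = f["src"], int(f["sport"])
            current.dst, current.dport = f["dst"], int(f["dport"])
            current.summary = f["summary"]
    return records


def blocked_from_alias(records, alias):
    """Records where pf blocked traffic whose source is in the alias: proof the rule fired."""
    return [r for r in records if r.action == "block" and r.src in alias]


def rule_hits(records):
    """Count logged verdicts per (rule, action, interface) to see which rules fire most."""
    counts = {}
    for r in records:
        key = (r.rule, r.action, r.ifname)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_LOG.splitlines())
    for r in blocked_from_alias(recs, DDOS_ALIAS):
        print(f"rule {r.rule} {r.action} {r.direction} on {r.ifname}: {r.proto} "
              f"{r.src}:{r.sport} -> {r.dst}:{r.dport} {r.summary}")
```

Note what the parser cannot recover: beyond tcpdump's one-line summary ('952+ [1au] ANY? ripe.net.') there is no payload in the syslog record at all, which is exactly why the thread moves to shipping pcap instead of syslog for deep packet inspection.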

[pfSense] Bandwidth Management

2013-05-01 Thread 3y3lop

Hi All,

How to Configure Bandwidth Management rules in pfSense 2.0 .. Thank You

Regards,

Cyclop





Re: [pfSense] Packet capture

2013-05-01 Thread James Records
Jason,

Sorry it took me a bit to get back to you.  Many years ago (and on OpenBSD)
I did something like this to get these logs off the box:

#!/bin/sh
# Bring up the pflog interface so the kernel delivers logged packets to it.
echo -n 'Starting PF Logging...'
ifconfig pflog0 up
# -l line-buffers stdout so logger receives each record promptly; -e prints the
# pflog header (rule, action, interface); -n skips DNS lookups; -t drops the
# timestamp (syslog adds its own); -v prints the IP header. Sent to local0.info.
( /usr/sbin/tcpdump -l -e -n -t -v -i pflog0 2>&1 | /usr/bin/logger -p local0.info -t pf ) &
echo 'done'


You'll want to modify your tcpdump statement to what you want to collect
and maybe send these to a new (separate) facility, but at that point you
can just point your logs to a remote server and you should be good to go.

I think there is a way to do a rc.local on pfSense, though I've never done
this, but with some tweaking, you can probably get this to do what you want
without the need for remote ssh access.


-- 
James Records | Principal Network Engineer

M 425.984.4349 E ja...@northshoresoftware.com

W www.northshoresoftware.com



On Sun, Apr 28, 2013 at 4:16 PM, Jason Pyeron  wrote:

> Yeah, that is what I quoted. Once you told me about the pflog0 I googled
> it. It seems that it is not just a copy of the headers that get sent to
> that virtual interface, but it is really pflogd that truncates the packets
> when putting them in /var/log/pflog. The page lied :)
>
> So now I have pflog0 (updated all the rules to log) and the bridge0
> feeding in to the IPS/IDS. I don't think the jitter in the sequence between
> the two pcap streams will matter.
>
> As a side, do you think I should stream the pcap data by ssh or some other
> means? Would there be a more efficient means from the firewall performance
> point of view?
>
> -Jason
>
>  --
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Records
> Sent: Sunday, April 28, 2013 16:29
>
> To: pfSense support and discussion
> Subject: Re: [pfSense] Packet capture
>
>  Jason,
>
> Take a look at this:
>
> http://www.openbsd.org/faq/pf/logging.html
>
> Should help you out a bit.
>
>
> --
> James Records | Principal Network Engineer
>
> M 425.984.4349 E ja...@northshoresoftware.com
>
> W www.northshoresoftware.com
>
>
>
>
> On Sun, Apr 28, 2013 at 1:21 PM, Jason Pyeron  wrote:
>
>> Nice. I did not know about that.
>>
>> "When a packet is logged by PF, a copy of the packet header is sent to a
>> pflog(4) interface along with some additional data such as the interface the
>> packet was transiting, the action that PF took (pass or block), etc."
>>
>> I will now look for a way to get it to pass the full packet, as I need to
>> do deep packet inspections.
>>
>> Thanks!
>>
>> -Jason
>>
>>
>>  --
>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of James Records
>> Sent: Sunday, April 28, 2013 12:58
>>
>> To: pfSense support and discussion
>> Subject: Re: [pfSense] Packet capture
>>
>>  Jason,
>>
>> I think what you want is the pflog0 interface.
>>
>>
>> --
>> James Records | Principal Network Engineer
>>
>> M 425.984.4349 E ja...@northshoresoftware.com
>>
>> W www.northshoresoftware.com
>>
>>
>> On Sun, Apr 28, 2013 at 9:46 AM, Jason Pyeron  wrote:
>>
>>> Yes the interface for packet capture is nice for an interactive quick
>>> look, but it is not a solution for an automated ingest system for 24x7
>>> capture.
>>>
>>> regarding the logs:
>>>
>>>
>>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 00:00:00.001738 rule
>>> 23/0(match): block in on em0: (tos 0x0, ttl 116, id 4687, offset 0, flags
>>> [DF], proto UDP (17), length 66)
>>>
>>> {mail} Sun Apr 28 11:07:58 EDT 2013 INFO pf: 31.222.133.87.53 >
>>> 67.90.184.35.53: 952+ [1au] ANY? ripe.net. (38)
>>>
>>> the detail is insufficient. I tried Show raw filter logs, but there
>>> does not seem to be any appreciable difference. I have a backend system (IDS
>>> type of thing) which ingests pcap data as well as syslog, in this case the
>>> syslog from the pfSense is too lightweight.
>>>
>>> can I sniff the bridge [BRIDGE0]?
>>>
>>> -Jason
>>>
>>>  --
>>> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Trevor Benson
>>> Sent: Sunday, April 28, 2013 10:14
>>> To: pfSense support and discussion
>>> Subject: Re: [pfSense] Packet capture
>>>
>>>  Have you tried using the built in packet capture under diagnostics?
>>> This will clean up your ssh traffic, which is what I assume you mean by
>>> tcpdump recursive traffic. Plus you can download a pcap to examine more
>>> closely in wireshark.
>>>
>>> As for traffic denied by the firewall have you tried looking at the
>>> firewall logs?
>>>
>>> Trevor
>>> On Apr 28, 2013 5:47 AM, "Jason Pyeron"  wrote:
>>>
 I am looking to capture all the packets that are traversing and
 attempting to
 traverse the firewall.

 If I use tcpdump -i WAN I get all the packets, if I use tcpdump -i LAN
 then I
 only get the packets

[pfSense] Filter rule and bridge confusion

2013-05-01 Thread Jason Pyeron

Given: em0->bridge0->vge0

Given: ssh firewall -n 'tcpdump -i bridge0 -s0 -w -' > /tmp/firewall.pcap &

Given the following rule on em0: block, inf=em0, prot=any, src=alias/DDOS,
dst=any, log=true.

DDOS=95.211.218.211 154.35.160.11 190.93.242.93 195.93.85.27
190.93.248.140 195.214.79.8 50.7.190.51 5.135.240.134 188.138.94.227
199.217.117.55 85.25.22.137 173.242.117.161 185.8.198.10 199.217.117.54
199.19.105.126 85.25.119.6 10.210.10.155 10.210.10.157 15.185.178.177
172.28.19.29 173.236.120.174 176.58.68.177 185.6.18.222 188.161.85.117
188.161.85.16 188.161.85.166 188.161.85.213 188.161.86.124 188.161.86.14
188.161.86.170 188.161.86.222 188.161.86.251 188.161.86.73 188.161.96.13
188.165.206.93 188.66.5.70 197.133.143.21 198.245.60.38 198.245.63.55
23.24.171.209 24.155.165.107 37.8.105.251 37.8.107.197 37.8.112.255 37.8.121.244
37.8.37.230 37.8.37.45 37.8.49.85 37.8.52.59 37.8.57.174 37.8.6.136 5.39.94.62
5.9.122.174 62.75.222.104 79.172.242.199 88.198.25.35 91.121.112.136
91.121.89.80 94.23.217.26 94.23.248.122 99.39.116.218 173.242.117.187
85.25.159.16 182.140.139.251 31.222.133.87 82.145.53.238 109.3.51.194
198.46.60.218 173.236.59.101 72.252.235.17 99.251.26.83 69.122.140.60
188.165.154.75 77.102.192.158 74.192.163.109 68.170.118.24 112.203.156.92
24.140.29.205 67.11.230.142 121.152.52.118 117.79.148.42 121.54.54.136
122.149.185.24 118.42.170.254 108.61.44.114 108.249.101.28 71.51.147.57
24.185.121.232 192.210.230.227 68.33.2.103 178.63.131.134 121.152.52.154
157.55.235.142 208.98.50.2 150.70.98.50 128.9.160.51 103.3.252.22 85.214.147.66
169.229.50.3 120.101.168.2 128.9.168.85 83.220.63.167 198.5.241.54 198.5.241.54
173.46.209.136 173.46.209.180 198.5.241.54 149.154.157.248 120.28.136.159
121.152.52.144 199.217.113.202 98.119.225.15 70.115.247.135 176.227.201.34
112.198.249.40 188.165.94.210 79.255.146.190 108.78.131.190 119.252.191.52
123.243.74.136 82.240.240.28 178.33.2.175 101.165.33.54 5.9.138.50
81.218.230.147

Why do I see many packets from a few of the IPs blocked in my capture on
bridge0? Shouldn't those be blocked at em0 before the bridge?

Ex:

20751   80.507919   31.222.133.87   67.90.184.35DNS 80  Standard
query ANY ripe.net
20758   80.513292   81.218.230.147  67.90.184.15DNS 70  Standard
query ANY 

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
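The bridge0 capture in this message is a pcap stream produced by 'tcpdump -i bridge0 -s0 -w -' over ssh. As an added example, not code from the thread, the Python below is a minimal pcap reader that walks such a capture offline, counts packets per source address that appears in the block alias, and flags records that were cut short by the capture snaplen (the truncation Jason found pflogd applying to /var/log/pflog, which '-s0' avoids). The two Ethernet/IPv4/UDP frames and the alias subset are constructed here for the demonstration; the first frame reuses the addresses and 66-byte IP length from the logged DNS query on this page, and the second uses an unlisted documentation-range address. One caveat worth keeping in mind when reading such a capture: a BPF tap on an interface copies frames before pf's hooks on that interface run, so a capture can legitimately contain packets that pf then drops; the pflog0 record carries pf's verdict and is the authoritative place to confirm a block.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond pcap magic, native byte order
LINKTYPE_ETHERNET = 1

# Subset of the DDOS alias posted in this thread.
DDOS_ALIAS = {"31.222.133.87", "81.218.230.147"}


def build_ipv4_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample frame: Ethernet + IPv4 + UDP (checksums left zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    # version/IHL, tos, total length, id, flags(DF)/frag, ttl, proto 17, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 4687, 0x4000, 116, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    return eth + ip


def build_pcap(frames, snaplen=65535):
    """Constructed sample capture: global header, then one record per frame.
    Frames longer than snaplen are stored truncated, as a capture with a small
    snaplen would store them (incl_len < orig_len)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        out += struct.pack("<IIII", 1367161678 + i, 0, len(data), len(frame)) + data
    return out


def parse_pcap(blob):
    """Minimal pcap reader: one dict per record with IPv4 src/dst/proto/ports
    where present and a 'truncated' flag when fewer bytes were saved than seen."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic read with the other byte order
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    pos, packets = 24, []
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, pos)
        pos += 16
        data = blob[pos:pos + incl_len]
        pos += incl_len
        pkt = {"ts": ts_sec + ts_usec / 1e6, "truncated": incl_len < orig_len,
               "src": None, "dst": None, "proto": None, "sport": None, "dport": None}
        # Ethernet header is 14 bytes; IPv4 needs at least its 20-byte header after it.
        if len(data) >= 34 and struct.unpack_from("!H", data, 12)[0] == 0x0800:
            ihl = (data[14] & 0x0F) * 4
            pkt["proto"] = data[23]
            pkt["src"] = socket.inet_ntoa(data[26:30])
            pkt["dst"] = socket.inet_ntoa(data[30:34])
            l4 = 14 + ihl
            if pkt["proto"] in (6, 17) and len(data) >= l4 + 4:   # TCP or UDP ports
                pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", data, l4)
        packets.append(pkt)
    return packets


def listed_sources(packets, alias):
    """Packets per source address that is in the block alias."""
    return Counter(p["src"] for p in packets if p["src"] in alias)


def truncated_count(packets):
    """How many records lost bytes to the snaplen (0 is what '-s0' should give)."""
    return sum(1 for p in packets if p["truncated"])


# Constructed frames: a DNS ANY query from a listed address (DNS id 952, 66-byte
# IP length as in the logged record) and one from an unlisted address.
FRAMES = [
    build_ipv4_udp_frame("31.222.133.87", "67.90.184.35", 53, 53, b"\x03\xb8\x01\x00" + b"\x00" * 34),
    build_ipv4_udp_frame("192.0.2.10", "67.90.184.35", 40000, 53, b"\x00" * 30),
]
FULL_CAPTURE = build_pcap(FRAMES)                 # what '-s0 -w -' yields
SNAPPED_CAPTURE = build_pcap(FRAMES, snaplen=60)  # what a small snaplen yields

if __name__ == "__main__":
    pkts = parse_pcap(FULL_CAPTURE)
    print("listed sources seen:", dict(listed_sources(pkts, DDOS_ALIAS)))
    print("truncated records:", truncated_count(pkts), "of", len(pkts))
```

Run against a real file with parse_pcap(open("/tmp/firewall.pcap", "rb").read()); the reader handles both byte orders of the classic format but not pcapng, and the truncation flag is the quick check that the '-s0' actually took effect end to end.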




Re: [pfSense] SOHO Router for VPN to pfSense

2013-05-01 Thread Jeremy Bennett
I can’t speak to the advanced routing and traffic shaping stuff, but Alix + 
PFsense have been great for me. IPSec VPNs between multiple locations have been 
very reliable.

On Apr 30, 2013, at 9:23 PM, Seth Mos wrote:

> On 29-4-2013 16:01, j...@millican.us wrote:
>> On 4/29/2013 9:35 AM, j...@millican.us wrote:
>>> Hello,
> 
>>> Thank You,
>>> JohnM
>> Forgot to add that I have been looking at the Buffalo WZR-300HP. Any
>> opinions?
> 
> We almost exclusively use Draytek Vigor routers with IPsec tunnels and
> pfSense. We use Dell PowerEdge R310 servers as the endpoint.
> 
> We have about 300 tunnels, we always had the Draytek Vigor 2800VGI
> model, but are now moving forward with the Draytek Vigor 2850 model, it
> is an ADSL/VDSL combo modem, supports 3G/4G via USB stick (We use the
> Huawei E392) and also Ethernet WAN using port 4 of the gigabit LAN ports.
> 
> It's a very versatile model.
> 
> Regards,
> 
> Seth



Re: [pfSense] SOHO Router for VPN to pfSense

2013-05-01 Thread Seth Mos
On 29-4-2013 16:01, j...@millican.us wrote:
> On 4/29/2013 9:35 AM, j...@millican.us wrote:
>> Hello,

>> Thank You,
>> JohnM
> Forgot to add that I have been looking at the Buffalo WZR-300HP. Any
> opinions?

We almost exclusively use Draytek Vigor routers with IPsec tunnels and
pfSense. We use Dell PowerEdge R310 servers as the endpoint.

We have about 300 tunnels, we always had the Draytek Vigor 2800VGI
model, but are now moving forward with the Draytek Vigor 2850 model, it
is an ADSL/VDSL combo modem, supports 3G/4G via USB stick (We use the
Huawei E392) and also Ethernet WAN using port 4 of the gigabit LAN ports.

It's a very versatile model.

Regards,

Seth