Re: [pfSense] spd.conf and setkey

2014-02-13 Thread Erik Friesen
I see they know.  http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8

No other alternatives to selectively route ports to an ipsec vpn?

BUGS (http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8#end)

     The setkey utility should report and handle syntax errors better.

     For IPsec gateway configuration, src_range and dst_range with TCP/UDP
     port number do not work, as the gateway does not reassemble packets
     (cannot inspect upper-layer headers).



On Wed, Feb 12, 2014 at 3:25 PM, Ermal Luçi ermal.l...@gmail.com wrote:

 You need to tell even racoon about this.


 On Wed, Feb 12, 2014 at 2:35 PM, Erik Friesen e...@aercon.net wrote:

 I have been trying to set up an ipsec vpn to only route from/to tcp port
 80 and 440.  The vpn sets up fine, but since there is no setting in the gui
 for ports, I have taken to hand trying some different SPDs.

 From the command line:
 setkey -FP  - erases current spd's
 setkey -f filename - loads new file

 this is one I have tried -
 spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
 spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
 spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec
     esp/tunnel/69.27.61.178-199.19.252.164/unique;
 spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec
     esp/tunnel/199.19.252.164-69.27.61.178/unique;

 and many other combinations between the [].  However, a port number seems
 to break it, where no traffic gets routed to the ipsec interface.

 I know this would take a bit of coding to inhibit the auto update from
 xml, but otherwise would this be doable if setkey/racoon?? would cooperate?
 Or are there other factors at play?


 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




 --
 Ermal



___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
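The setkey(8) BUGS caveat quoted above is easy to miss when hand-writing an SPD file, so here is a small lint as an added example (not code from the thread, from pfSense or from ipsec-tools). It parses spdadd statements in the form Erik posted and flags exactly the unsupported case: a port selector on a tunnel-mode (gateway) policy. The modelled grammar subset (spdadd with -4/-6, bracketed port selectors, -P direction, none/discard/ipsec followed by protocol/mode requests) and the sample file, which reuses the addresses from the thread, are this example's assumptions.

```python
"""Lint setkey(8) SPD statements for the gateway port-selector caveat.

Constructed example for this thread; not code from pfSense, ipsec-tools or
the thread's author. It parses statements of the form

    spdadd [-4|-6] src_range dst_range upperspec -P direction policy ;

where a range may carry a port selector in brackets (e.g. 0.0.0.0/0[80]) and
flags the combination the setkey BUGS section says does not work on a gateway:
a port selector on an ipsec policy whose request uses tunnel mode.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RANGE_RE = re.compile(r"^(?P<addr>[^\[\]\s]+)(?:\[(?P<port>any|\d+)\])?$")
SPDADD_RE = re.compile(
    r"^spdadd(?:\s+(?P<af>-4|-6))?\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)"
    r"\s+-P\s+(?P<dir>in|out|fwd)\s+(?P<policy>.+?)\s*;?$"
)


@dataclass
class Policy:
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    upper: str                          # any, tcp, udp, icmp, ...
    direction: str                      # in, out or fwd
    level: str                          # none, discard or ipsec
    requests: List[str] = field(default_factory=list)  # e.g. esp/tunnel/A-B/unique

    def uses_port_selector(self) -> bool:
        """True when either endpoint restricts the policy to a specific port."""
        return any(p not in (None, "any") for p in (self.src_port, self.dst_port))

    def is_tunnel(self) -> bool:
        """True when any request is protocol/tunnel/... (a gateway-style policy)."""
        return any(len(r.split("/")) >= 2 and r.split("/")[1] == "tunnel"
                   for r in self.requests)


def parse_range(token: str) -> Tuple[str, Optional[str]]:
    """Split 'addr/prefix[port]' into (addr/prefix, port-or-None)."""
    m = RANGE_RE.match(token)
    if not m:
        raise ValueError(f"bad address range: {token!r}")
    return m.group("addr"), m.group("port")


def parse_spdadd(stmt: str) -> Policy:
    """Parse one spdadd statement (trailing ';' optional)."""
    m = SPDADD_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"not a well-formed spdadd statement: {stmt!r}")
    src, sport = parse_range(m.group("src"))
    dst, dport = parse_range(m.group("dst"))
    level, *requests = m.group("policy").split()
    if level not in ("none", "discard", "ipsec"):
        raise ValueError(f"unknown policy level: {level!r}")
    if level == "ipsec" and not requests:
        raise ValueError("ipsec policy needs at least one protocol/mode request")
    return Policy(src, sport, dst, dport, m.group("upper"), m.group("dir"),
                  level, requests)


def parse_spd_file(text: str) -> List[Policy]:
    """Parse a `setkey -f` style file: '#' comments, statements may span lines."""
    body = " ".join(l.strip() for l in text.splitlines()
                    if l.strip() and not l.strip().startswith("#"))
    stmts = [s.strip() for s in body.split(";") if s.strip()]
    # Only spdadd is modelled here; spdflush, add, etc. are passed over.
    return [parse_spdadd(s) for s in stmts if s.startswith("spdadd")]


def lint_spd(text: str) -> List[str]:
    """One warning per policy that relies on a port selector in tunnel mode."""
    warnings = []
    for pol in parse_spd_file(text):
        if pol.level == "ipsec" and pol.is_tunnel() and pol.uses_port_selector():
            warnings.append(
                f"{pol.direction} {pol.src}[{pol.src_port or 'any'}] -> "
                f"{pol.dst}[{pol.dst_port or 'any'}] {pol.upper}: port selector "
                "on a tunnel-mode gateway policy; setkey(8) BUGS says the gateway "
                "cannot inspect upper-layer headers, so this will not match")
    return warnings


# Constructed sample: the statements from the thread, as written for `setkey -f`.
SAMPLE_SPD = """
spdadd -4 192.168.0.1/32 192.168.0.0/24 any -P out none;
spdadd -4 192.168.0.0/24 192.168.0.1/32 any -P in none;
spdadd -4 192.168.0.0/24[any] 0.0.0.0/0[80] tcp -P out ipsec
    esp/tunnel/69.27.61.178-199.19.252.164/unique;
spdadd -4 0.0.0.0/0[any] 192.168.0.0/24[80] tcp -P in ipsec
    esp/tunnel/199.19.252.164-69.27.61.178/unique;
"""

if __name__ == "__main__":
    for w in lint_spd(SAMPLE_SPD):
        print("WARNING:", w)
```

Run against the sample it reports the two tunnel policies with [80] and stays quiet about the two `none` bypass policies, which is the same split Erik saw in practice.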


Re: [pfSense] spd.conf and setkey

2014-02-13 Thread Ermal Luçi
Yeah except that setkey used on pfsense is the one coming with ipsec-tools.


On Thu, Feb 13, 2014 at 1:13 PM, Erik Friesen e...@aercon.net wrote:

 I see they know.
 http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8

 No other alternatives to selectively route ports to an ipsec vpn?

 BUGS (http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8#end)

      The setkey utility should report and handle syntax errors better.

      For IPsec gateway configuration, src_range and dst_range with TCP/UDP
      port number do not work, as the gateway does not reassemble packets
      (cannot inspect upper-layer headers).





___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] spd.conf and setkey

2014-02-13 Thread Erik Friesen
No other way around the security policy?  Why can't it be firewall ruled?
This seems impossible, or perhaps a bug, not sure.  Nearly every other
commercial firewall has this ability.


On Thu, Feb 13, 2014 at 10:22 AM, Ermal Luçi e...@pfsense.org wrote:

 Yeah except that setkey used on pfsense is the one coming with ipsec-tools.




___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Netgate's customized pfSense release

2014-02-13 Thread Andrew Hull

Hi List,
Having purchased several pfSense devices assembled by Netgate (m1n1wall 
and FW-7541), I've noticed that the pfSense pre-install image was 
customized with Netgate branding and the firmware auto-update mechanism 
was set to a Netgate URL.


Has this been discussed on the list before?

My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded 
the devices with images from ESF. Does anyone here have a strong opinion 
one way or the other?


Thanks,
Andrew Hull
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread David Burgess
On Thu, Feb 13, 2014 at 9:54 AM, Andrew Hull l...@coffeebreath.org wrote:

 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the
 devices with images from ESF. Does anyone here have a strong opinion one way
 or the other?

My first reaction is that the branding is a good thing. Netgate brings
pfsense to folks who in many cases would not touch free software, but
just want something that works out of the box. I've recommended the
m1n1wall many times. As for the update URL, I'm a little surprised,
but maybe they're just trying to track stats. In a case like this I
would hope the vendor would provide a standing explanation for that
behaviour and an assurance that you're getting the real thing.

db
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Mathieu Simon (Lists)


On 13.02.2014 17:54, Andrew Hull wrote:
 [...] I've noticed that the pfSense pre-install image was
 customized with Netgate branding and the firmware auto-update mechanism
 was set to a Netgate URL.
 
 Has this been discussed on the list before?
I don't think often for what I can remember.
 
 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded
 the devices with images from ESF. Does anyone here have a strong opinion
 one way or the other?

No worries, that's how open source works, and in case of the BSD license
there are almost all liberties to do derivative products, as long as
you follow minimal rules and trademark (pfSense and the logo are
trademarks of ESF). Netgate allows you to run what image you like, other
(non pfSense) appliance vendors are way less nice :-)

Common guess: Beyond branding, their images may contain pre-done tuning
for the hardware that makes it perform at its best without extra user
intervention. In comparison, at one place I have a 3-letter brand server
running pfSense and I had to spend some time on loader.conf.local and
tunings to make all NICs work and work good (props to ESF staff who
assisted).

Quick history:
BSD Perimeter moved from Kentucky (in 2012) to Texas and reinstated as
ESF. Jim Thompson from Netgate (also Texas) got involved with ESF, he is
actually active in both companies.

That may explain why Netgate is permitted to redistribute modified images
without the need to rename the resulting product binaries or replacing
the logos. (Jim, correct me; I'm writing this out of memory, I
remember there was once a post or a mailing list discussion)

-- Mat
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Chris Buechler
On Thursday, February 13, 2014, Andrew Hull l...@coffeebreath.org wrote:

 Hi List,
 Having purchased several pfSense devices assembled by Netgate (m1n1wall
 and FW-7541), I've noticed that the pfSense pre-install image was
 customized with Netgate branding and the firmware auto-update mechanism was
 set to a Netgate URL.

 Has this been discussed on the list before?

 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the
 devices with images from ESF.



No, no, no. Custom hardware-specific images are a good thing - when done by
us, as in the case of Netgate. More when I'm not on my phone.




-- 
Sent from my phone, please excuse any typos or excessive brevity.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Jim Thompson

On Feb 13, 2014, at 12:10 PM, Chris Buechler c...@pfsense.org wrote:

 On Thursday, February 13, 2014, Andrew Hull l...@coffeebreath.org wrote:
 Hi List,
 Having purchased several pfSense devices assembled by Netgate (m1n1wall and 
 FW-7541), I've noticed that the pfSense pre-install image was customized with 
 Netgate branding and the firmware auto-update mechanism was set to a Netgate 
 URL.
 
 Has this been discussed on the list before?

I’m not sure why it would be discussed on the list.  It’s a business matter
between ESF and Netgate.

 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the 
 devices with images from ESF. 
 
 No, no, no. Custom hardware-specific images are a good thing - when done by 
 us, as in the case of Netgate. More when I'm not on my phone. 

Indeed.  You’ll see more of this in the future.  It supports the project in a 
big way.  Perhaps you don’t care about that, but I do.

Jim


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Jim Thompson

On Feb 13, 2014, at 11:30 AM, Mathieu Simon (Lists) matsimon.li...@simweb.ch 
wrote:

 
 
 On 13.02.2014 17:54, Andrew Hull wrote:
 [...] I've noticed that the pfSense pre-install image was
 customized with Netgate branding and the firmware auto-update mechanism
 was set to a Netgate URL.
 
 Has this been discussed on the list before?
 I don't think often for what I can remember.
 
 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded
 the devices with images from ESF. Does anyone here have a strong opinion
 one way or the other?
 
 No worries, that's how open source works, and in case of the BSD license
 there are almost all liberties to do derivative products, as long as
 you follow minimal rules and trademark (pfSense and the logo are
 trademarks of ESF). Netgate allows you to run what image you like, other
 (non pfSense) appliance vendors are way less nice :-)
 
 Common guess: Beyond branding, their images may contain pre-done tuning
 for the hardware that makes it perform at its best without extra user
 intervention. In comparison, at one place I have a 3-letter brand server
 running pfSense and I had to spend some time on loader.conf.local and
 tunings to make all NICs work and work good (props to ESF staff who
 assisted).
 
 Quick history:
 BSD Perimeter moved from Kentucky (in 2012) to Texas and reinstated as
 ESF. Jim Thompson from Netgate (also Texas) got involved with ESF, he is
 actually active in both companies.

In mid-2012, Chris approached several parties, including the principals of
Netgate, to investigate their interest in purchasing the interest in BSD
Perimeter formerly held by Scott Ulrich.

In August 2012, the principals of Netgate completed the purchase of those
shares.  Subsequently, Chris moved to Texas (his idea, not forced on him in
any way).

(To be perfectly clear on the history, Netgate was, quite literally, the first
support customer of BSD Perimeter, back in 2006, and has continuously supported
the project from that day until now.)

 That may explain why Netgate is permitted to redistribute modified images
 without the need to rename the resulting product binaries or replacing
 the logos. (Jim, correct me; I'm writing this out of memory, I
 remember there was once a post or a mailing list discussion)

Given that I’m managing both companies, some things get ‘shared’ (Netgate and
ESF run on a common set of infrastructure (switches, servers, etc.), though in
some cases the usage is exclusively ESF (e.g. the co-location at NYI).

Those of us in Austin (and there is more headcount under ESF than you might
imagine) are all collocated in the same office space.

That all said:

1) I really do try to keep Netgate and ESF ‘separate’ in terms of business.

2) Co-branding is permitted, and even encouraged, if done under the auspices of
the ESF program directed to same. There is revenue attached that flows to ESF,
and thus directly supports the project. These releases are built on the same
(identical) infrastructure, from the same tree, by ESF personnel.

Jim




___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Jeremy Bennett
 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the 
 devices with images from ESF. Does anyone here have a strong opinion one way 
 or the other?

In principle, perhaps, in practice probably not.

I've been using pfSense for awhile now, and buying hardware from Netgate for 
about as long.

I realize that letting someone else load the software is a potentially huge 
security hole (I certainly don't reimage all of the PCs I buy from major 
manufacturers).

The impression I get is that Netgate wants to succeed as a business and pfSense 
wants to succeed as well, so while possible, it is unlikely that anything fishy 
is going on.

If anyone is up to no good, someone else can uncover the conspiracy–I have 
neither the time nor ability. Ultimately I started buying the Alix hardware 
with the preloaded images to save time. The other benefit is that someone else 
assembles the box, and tests overall function before it leaves the factory. I 
don't have to discover failed equipment at the last minute.

The one practical thing that I have found is that the Netgate skin does make it 
harder to configure VPN tunnels… something to do with the way the skin was 
built. Switching to the pfSense default resolves the issue. This may have been 
fixed already.

At the end of the day, I like Netgate as a vendor and spend money with them 
when I can. I trust them as much as anyone can trust a business, and will 
continue to buy their pre-imaged PF boxes. I have no affiliation with Netgate 
or the pfSense organization beyond being a happy customer.

Jeremy


On Feb 13, 2014, at 8:24 AM, Jim Pingle wrote:

 On 2/13/2014 11:54 AM, Andrew Hull wrote:
 Having purchased several pfSense devices assembled by Netgate (m1n1wall
 and FW-7541), I've noticed that the pfSense pre-install image was
 customized with Netgate branding and the firmware auto-update mechanism
 was set to a Netgate URL.
 
 Has this been discussed on the list before?
 
 I believe it's been discussed before.
 
 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded
 the devices with images from ESF. Does anyone here have a strong opinion
 one way or the other?
 
 It's actually a really good thing in this case. We build the images for
 them, and they are tailored to work well on their hardware. It's best to
 use the images for the specific model of hardware to ensure you get the
 best performance/experience. Part of this is the pfSense Certified
 program, and currently Netgate is the only hardware supplier with any
 devices that can state that qualification.
 
 Some other companies build their own images and such but don't give back
 to the project (or do so minimally, if at all) so there are some to
 watch out for. Netgate supports ESF/pfSense significantly, so if you
 want to support the project, support them.
 
 Jim

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] issue Downloading package from Pfsense.com

2014-02-13 Thread Muhammad Yousuf Khan
Hello all,

I am a newbie; my pfSense is behind the ISP router, having a private IP of
192.x.x.x.
I can ping via SSH and via the web console both, and I can also check DNS
lookup from console and SSH; they are working fine. However, when I click on
available packages, I see this:

Unable to communicate with www.pfsense.com. Please verify DNS and
interface configuration, and that pfSense has functional Internet
connectivity.


Any idea what I am doing wrong? I even unchecked the "Block private IP
addresses" option under Interfaces > WAN; still I can ping 8.8.8.8 but cannot
see anything in the available packages tab except the above error.

Thanks,
MYK
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] issue Downloading package from Pfsense.com

2014-02-13 Thread Jonatas Baldin
Can you ping domains from the pfSense box, like www.google.com ?


2014-02-13 17:19 GMT-02:00 Muhammad Yousuf Khan sir...@gmail.com:

 Hello all,

 I am Newbie, my pfsense is behind the ISP router, having a private ip of
 192.x.x.x
 i can ping via ssh and via web console both i can also check dnslookup
 from console and ssh they are working fine. however when i click on
 available packages. i see this

 Unable to communicate with www.pfsense.com. Please verify DNS and
 interface configuration, and that pfSense has functional Internet
 connectivity.


 any idea what i am mistaking. i even uncheck block private ip addressess
 option from Interfaces and WAN still i can ping to 8.8.8.8 but can not
 see anything in available packages tab except above error.

 Thanks,
 MYK





-- 

Jonatas Baldin de Oliveira
IT Consultant
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Jostein Elvaker Haande
On 13 February 2014 17:54, Andrew Hull l...@coffeebreath.org wrote:
 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the

I don't think this is a bad thing at all, I only consider it to be a
sign that pfSense is starting to really get a good foothold in the
market, and not only something that tech savvy people venture into and
use. I've been an avid pfSense user for years, and once I started using
pfSense I've never looked back, and used it both personally as well as
commercially.

The thing about security related software, no matter who
develops/markets/sells/distributes it, once you start using it for
whatever purpose, it's all about a trust relationship that you
establish. Some people don't really bother much about security, and
rest on the pillow that I've heard this piece of software is really
good and secure and leave it at that. Some others spend their time
researching different alternatives, try to gather feedback from
reviews and security related web sites and make up their mind based on
that. Some take it even one step further, and establish fully working
test labs where they try to the best of their abilities to test every
possible usage scenario they can come up with, and try to find
weaknesses and/or flaws. Some even take it one step further, and try
to get their hands on the source code and scrutinize that.

I made my mind up with a combination of all of the above, but what
really pulled the scales in the direction of pfSense was in the end
two factors:
  1) ease of use through a really nice user interface (both web and
CLI) [which was made even better with the release of 2.0 with a linked
relationship between port forwards/rules]
  2) the fact that whole source tree was readily available for anyone
to audit and monitor

The latter exposes not only the core of the product, but also the
workflow and priorities of those involved in the making of pfSense.
It's a level of transparency that you see more and more of, and for me
personally, is nothing more but a huge neon sign saying "we have
nothing to hide! please trust us!", and this is what I've done.

The thing that brand names as Netgear now sells out of the box
products with re-imaged pfSense distributions is for me a no brainer.
Not only does it increase the user base of pfSense, meaning that bugs,
performance issues etc are more easily uncovered and fixed in a timely
manner, but it also means that EFS generates more revenue, which goes
back into funding the continued development of the free product that
all of us use. As long as the current business model remains, where
external funding is used to enhance pfSense as it stands today, and it
remains free for everyone, I see no problems at all. EFS also has
commercial support available, that both helps EFS run as a company and
also helps the community as a whole, which is great! We all have
different needs, and some might *never* require such support.

I welcome Netgear to the pfSense community as a most welcome addition,
and I hope to see similar additions in the time to come.

-- 
Yours sincerely Jostein Elvaker Haande
A free society is a place where it is safe to be unpopular
- Adlai Stevenson

http://tolecnal.net -- tolecnal at tolecnal dot net
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Andrew Hull

On 14-02-13 01:44 PM, Jeremy Porter wrote:

I might disagree with that, because I'm the one that did that.
You might also note that the Netgate auto-update URL is https:

Most authorized pfSense re-brands, make customizations, include 
changes or limits on the package repository.


Speaking with my Netgate hat on (yes I work for both companies), we 
chose to offer additional support packages, as such, we
took the right to limit what software we support. By using our own 
repository we have control over what gets updated and goes out.


End users that buy Netgate hardware are free to install different 
software, we've just tested our version and make sure it works right, 
out of the box for a better customer experience.

The default theme can be changed from the System > General Setup menu.
If you wish to change the package repository and firmware update
sites, you are free to do so as well; it's probably a fair bit faster
to just make the changes rather than re-image.

For the majority of Netgate customers this is the right solution.  We
also sell the hardware without pfSense installed, if you wish to
install it yourself.


So it's really a good thing, people have more choices, not less.



I had no idea the relationship between ESF and Netgate was so deep. And 
things make much more sense now.


I have loved and profited from pfSense for many years now, and Netgate 
has been my distributor of choice when deploying a pfSense device that I 
did not white-box build.


I guess, without knowing the underlying relationship, my assumption 
incorrectly tended towards the nefarious/annoying like Verison/ATT 
crufting up a perfectly good Android phone. I'm happy to see that I 
couldn't have been more wrong.


To Chris, Jeremy, Jim, and the rest of the folks from ESF and Netgate, 
please accept my apologies.


Andy Hull
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Something like fortiGate's VDOM feature

2014-02-13 Thread Jason Whitt
Hey all so I've been kicking this idea around a lot over the last few months
and I'm trying to make time in my schedule to start testing around with this
idea however that doesn't seem possible at the moment. 

Not sure if anyone has used the VDOM feature on Fortinet devices, however I
work for an IaaS company and it is a great way to give clients their own
managed firewall solution. I'd like to see about implementing something like
that with pfSense. With the current releases of BSD supporting Xen I think
this is a pretty straightforward implementation.

1) You'd set up the dom0 or root install of pfSense and configure the
   interface bridges.
2) Then there would be a function to create new firewall instances
   when needed, i.e. for new clients, etc. I imagine it would be something
   like this:
   a) create a new VM, provision out 2 interfaces (Outside/Inside)
      and attach them to the bridges
   b) run an install of pfSense; however, there should be some way
      for the install to know what IPs and interfaces to build out for itself.
3) I'd also like a way to get into each virtual instance through the
   main pfSense web interface... but this brings a lot more issues if you're
   going the Xen route. This brings up the next idea...

What about using jails? I have really limited experience with these so
someone else could maybe elaborate?

Thanks for your thoughts

Jason

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] issue Downloading package from Pfsense.com

2014-02-13 Thread Dave Warren

But can you ping *domains* from the pfSense box, like www.google.com ?

The point isn't to see if you can ping, but if ping can complete a DNS 
lookup and retrieve an IP successfully. This is potentially more useful 
than using DNS specific lookup tools, since ping will rely on the OS DNS 
resolution settings rather than (potentially) using its own.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



On 2014-02-13 12:03, Muhammad Yousuf Khan wrote:

Yes I can ping, here is the result from web console Diagnostics > Ping
Ping output:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=40 time=293.328 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=40 time=295.391 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=40 time=293.850 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 293.328/294.190/295.391/0.876 ms






___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Dave Warren

On 2014-02-13 09:27, David Burgess wrote:

On Thu, Feb 13, 2014 at 9:54 AM, Andrew Hull l...@coffeebreath.org wrote:


My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the
devices with images from ESF. Does anyone here have a strong opinion one way
or the other?

My first reaction is that the branding is a good thing. Netgate brings
pfsense to folks who in many cases would not touch free software, but
just want something that works out of the box. I've recommended the
m1n1wall many times. As for the update URL, I'm a little surprised,
but maybe they're just trying to track stats.


I'd be a little disappointed if they didn't use their own auto-update 
URL, since this would mean customers would end up on stock pfSense after 
an update, rather than Netgate's customized version, negating any 
tweaking Netgate may have done to make pfSense work seamlessly on their 
hardware.


This seems like a good thing to me, and arguably the whole point of 
being open source and BSD licensed. Reading the other messages on the 
list, this arrangement definitely seems mutually beneficial for both 
pfSense and Netgate.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] issue Downloading package from Pfsense.com

2014-02-13 Thread Muhammad Yousuf Khan
On Fri, Feb 14, 2014 at 1:54 AM, Dave Warren da...@hireahit.com wrote:

  But can you ping *domains* from the pfSense box, like www.google.com ?

 The point isn't to see if you can ping, but if ping can complete a DNS
 lookup and retrieve an IP successfully. This is potentially more useful
 than using DNS specific lookup tools, since ping will rely on the OS DNS
 resolution settings rather than (potentially) using its own.


Thanks for sharing Dave, BTW just FYI I am new to pfsense but not to the
IT field.

Ping output:
PING google.com (74.125.226.233): 56 data bytes
64 bytes from 74.125.226.233: icmp_seq=0 ttl=46 time=314.505 ms

--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss

round-trip min/avg/max/stddev = 314.505/314.505/314.505/0.000 ms
Note my DNS servers are set to 8.8.8.8 AND 8.8.4.4




 --
 Dave Warren
 http://www.hireahit.com/
 http://ca.linkedin.com/in/davejwarren



 On 2014-02-13 12:03, Muhammad Yousuf Khan wrote:

 Yes I can ping, here is the result from the web console Diagnostics > Ping
 Ping output:
 PING 8.8.8.8 (8.8.8.8): 56 data bytes
 64 bytes from 8.8.8.8: icmp_seq=0 ttl=40 time=293.328 ms
 64 bytes from 8.8.8.8: icmp_seq=1 ttl=40 time=295.391 ms
 64 bytes from 8.8.8.8: icmp_seq=2 ttl=40 time=293.850 ms

 --- 8.8.8.8 ping statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 293.328/294.190/295.391/0.876 ms



 On Fri, Feb 14, 2014 at 12:39 AM, Jonatas Baldin jonatas.bal...@gmail.com
  wrote:

 Can you ping domains from the pfSense box, like www.google.com ?


 2014-02-13 17:19 GMT-02:00 Muhammad Yousuf Khan sir...@gmail.com:

Hello all,

 I am a newbie. My pfsense is behind the ISP router, having a private IP
 of 192.x.x.x.
 I can ping via SSH and via the web console. I can also check DNS lookup
 from the console and SSH; they are working fine. However, when I click on
 available packages, I see this:

 Unable to communicate with www.pfsense.com. Please verify DNS and
 interface configuration, and that pfSense has functional Internet
 connectivity.


 Any idea what I am doing wrong? I even unchecked the "block private IP
 addresses" option under Interfaces > WAN. I can still ping 8.8.8.8,
 but cannot see anything in the available packages tab except the above error.

 Thanks,
  MYK





  --
 
 Jonatas Baldin de Oliveira
 IT Consultant




[pfSense] VPN group restrictions

2014-02-13 Thread jungleboogie0
Hi All,

Curious to know if pfsense supports the ability to setup groups of VPN
accounts and then set restrictions on the groups.

Example:
groups 1, 2, 3, each with 5 people in the group.

Those in group 1 can access servers a-c
those in group 2 can access servers d-g
etc

I know my explanation and terminology may barely be understandable so
please let me know if you need further explanation.

Thanks,
jungle



-- 
---
inum: 883510009902611
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Chris Buechler
On Thu, Feb 13, 2014 at 12:10 PM, Chris Buechler c...@pfsense.org wrote:


 On Thursday, February 13, 2014, Andrew Hull l...@coffeebreath.org wrote:

 Hi List,
 Having purchased several pfSense devices assembled by Netgate (m1n1wall
 and FW-7541), I've noticed that the pfSense pre-install image was customized
 with Netgate branding and the firmware auto-update mechanism was set to a
 Netgate URL.

 Has this been discussed on the list before?

 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the
 devices with images from ESF.

 No, no, no. Custom hardware-specific images are a good thing - when done by
 us, as in the case of Netgate. More when I'm not on my phone.


In the mean time, everyone else has covered the reasoning in more
detail. You want to have a proper default config in place, so if you
reset to factory defaults, your interface assignments go back to where
they were originally, serial console setup appropriately where
relevant, etc. There also may be hardware-specific tweaks or tuning in
such images. It's done to make your experience with the hardware as
hassle-free as possible.


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Tim Eggleston



In the mean time, everyone else has covered the reasoning in more
detail. You want to have a proper default config in place, so if you
reset to factory defaults, your interface assignments go back to where
they were originally, serial console setup appropriately where
relevant, etc. There also may be hardware-specific tweaks or tuning in
such images. It's done to make your experience with the hardware as
hassle-free as possible.


For what it's worth, this thread has made up my mind; I was on the fence 
between buying a rackmount Netgate FW-7541 or white-boxing as a 
replacement for my Cisco 2901 (which I no longer entirely trust as a 
result of Snowden etc). I knew Netgate had some involvement with ESF but 
I didn't realise the extent of the crossover.


So: thanks for the openness, guys! As an aside, it would be interesting 
to know specifically how the Netgate-customised builds differ from stock 
pfSense, but purely for educational reasons -- and I understand that 
this could be considered as Netgate's IP.


 ---tim


Re: [pfSense] VPN group restrictions

2014-02-13 Thread Mike McLaughlin
We do this by having each 'group' attached to a different OpenVPN server,
each with varying degrees of access and with different root CAs. We
primarily use firewall rules to limit what each VPN can access. We use a
variety of tactics to attempt to find misuse and abuse (syslogging of
various things, NSM, honeypots, etc). You should realize that if the VPN
servers terminate into the same network and the users have access to
computers/servers/services there is reasonable risk of them being able to
escape their boundaries.

Mike


On Thu, Feb 13, 2014 at 2:54 PM, jungleboogie0 jungleboog...@gmail.comwrote:

 Hi All,

 Curious to know if pfsense supports the ability to setup groups of VPN
 accounts and then set restrictions on the groups.

 Example:
 groups 1, 2, 3, each with 5 people in the group.

 Those in group 1 can access servers a-c
 those in group 2 can access servers d-g
 etc

 I know my explanation and terminology may barely be understandable so
 please let me know if you need further explanation.

 Thanks,
 jungle



 --
 ---
 inum: 883510009902611
 sip: jungleboo...@sip2sip.info
 xmpp: jungle-boo...@jit.si

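The per-group layout Mike describes (one OpenVPN server per group, firewall rules confining each tunnel to its own servers), written out as a raw pf ruleset so the policy is explicit. This is an added illustration, not code from the post or from pfSense, which generates its ruleset from the GUI rather than taking a hand-written pf.conf; the interface names, tunnel networks, server addresses and ports are assumptions.

```pf
# Added illustration (not from the list post or pfSense). Interface names,
# tunnel networks, server addresses and ports below are assumed/constructed.

# One OpenVPN server per group, each on its own tunnel network (and its own CA,
# configured on the OpenVPN side, not here).
ovpn_g1 = "ovpns1"                 # group 1 server instance
ovpn_g2 = "ovpns2"                 # group 2 server instance
tun_g1  = "10.8.1.0/24"            # tunnel network handed to group 1 clients
tun_g2  = "10.8.2.0/24"            # tunnel network handed to group 2 clients

# Servers each group may reach (stand-ins for "servers a-c" and "servers d-g").
servers_g1 = "{ 192.168.10.11, 192.168.10.12, 192.168.10.13 }"
servers_g2 = "{ 192.168.10.14, 192.168.10.15, 192.168.10.16, 192.168.10.17 }"
svc_ports  = "{ 22, 443 }"         # assumed services on those servers

# Weak version: the usual "allow anything from the VPN" rule per tunnel.
# Both tunnels terminate on the same LAN, so a group 1 user can reach
# group 2's servers (and group 2's tunnel clients) unhindered.
#   pass in quick on $ovpn_g1 from $tun_g1 to any
#   pass in quick on $ovpn_g2 from $tun_g2 to any

# Hardened version.
# 1. Refuse cross-group traffic first, with quick, so a loosely written pass
#    rule added later cannot re-open it. Logged, so attempts show in syslog.
block in quick log on $ovpn_g1 from $tun_g1 to $tun_g2
block in quick log on $ovpn_g2 from $tun_g2 to $tun_g1

# 2. Default deny on each tunnel interface (last-match rule; only the pass
#    quick rules below override it). Logged for the same reason.
block in log on $ovpn_g1
block in log on $ovpn_g2

# 3. Allow each group only its own servers and only the assumed services.
pass in quick on $ovpn_g1 proto tcp from $tun_g1 to $servers_g1 port $svc_ports
pass in quick on $ovpn_g2 proto tcp from $tun_g2 to $servers_g2 port $svc_ports
```

The commented-out weak pair is what makes Mike's caveat bite: with both tunnels landing on the same LAN, nothing stops a group 1 client reaching group 2's servers. The hardened rules log every denial, which gives the syslog trail he mentions for spotting misuse.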


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Andrew Hull

On 2/13/2014 8:08 PM, Chris Buechler wrote:



No, no, no. Custom hardware-specific images are a good thing - when done by
us, as in the case of Netgate. More when I'm not on my phone.



In the mean time, everyone else has covered the reasoning in more
detail. You want to have a proper default config in place, so if you
reset to factory defaults, your interface assignments go back to where
they were originally, serial console setup appropriately where
relevant, etc. There also may be hardware-specific tweaks or tuning in
such images. It's done to make your experience with the hardware as
hassle-free as possible.


To echo Tim's thoughts, thank you for this kind of openness. After 
reading the first few replies to the thread I started, I thought I may 
have really stepped in it.


However, this thread has brought out some details of the relationship 
between the two companies... and I'm very glad that you guys have shared 
this with the community.


Thanks again,
Andy Hull
