Re: [pfSense] Traffic routing issue

2014-12-12 Thread Oliver Hansen
What does the allow rule on the restricted vlan and the NAT rule look like?
On Dec 11, 2014 11:24 PM, Ryan Clough ryan.clo...@dsic.com wrote:

 I am hoping that one of you out there can assist me with this rather
 interesting problem I am having. Let me set the stage.

 I am running the latest stable version of pfSense:
 2.1.5-RELEASE (amd64)
 built on Mon Aug 25 07:44:45 EDT 2014
 FreeBSD 8.3-RELEASE-p16

 I am running transparent Squid and Squidguard, and all IP ranges have
 access to use the proxy.

 I have two WAN connections, each with a handful of public IPs. I have
 created an IP alias virtual IP of one of my public IPs on WAN1, which is
 used to NAT to a web server.

 We have an internal DNS server that resolves the domain name of a web
 server to the local LAN IP address. So, all computers on unrestricted VLANs
 access the web server without having to hit the pfSense router at all. This
 works as expected and the valid certificate is served and the web page
 loads.

 We have one restricted VLAN that is used for guest WiFi access and this
 VLAN is assigned external DNS servers and therefore resolve the domain name
 to the public IP.

 Now my problem. When connected to the guest WiFi on the restricted VLAN
 and attempting to access the web server on its public IP, which is assigned
 to a virtual IP on WAN1, I get served the certificate from the pfSense
 router. I can tell that this is the pfSense self-signed certificate because
 of the details of the certificate displayed in the warning. I also get this
 behavior if I force a computer on an unrestricted VLAN, using the hosts
 file, to resolve the host name of the web server to its public IP.

 What is going on here? I can provide more information if needed. Thank you
 for your time.

 Ryan Clough
 Information Systems
 Decision Sciences International Corporation
 http://www.decisionsciencescorp.com/
 http://www.decisionsciencescorp.com/

 This email and its contents are confidential. If you are not the intended
 recipient, please do not disclose or use the information within this email
 or its attachments. If you have received this email in error, please report
 the error to the sender by return email and delete this communication from
 your records.
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Traffic routing issue

2014-12-12 Thread melvin
What you're sewing is the proxy doing what you've told it to do. When the pc on 
the lan side (any vlan) requests a connection to a server the proxy makes that 
request on its behalf and returns the packets sent back from that request.  In 
order for that to happen on a secured connection the proxy must set up a secure 
connection to he remote server (or in your case other interface server) as well 
as a separate secure connection between the proxy and the originating client 
pc. Doing it any other way requires either passing the traffic directly through 
the firewall or breaking the secure connection.  This is one of the 
consequences of doing NAT. I'm guessing the main complaint is that the firewall 
cert isn't trusted and triggers browsers. 

div Original message /divdivFrom: Ryan Clough 
ryan.clo...@dsic.com /divdivDate:12/12/2014  13:58  (GMT-05:00) 
/divdivTo: pfSense Support and Discussion Mailing List 
list@lists.pfsense.org /divdivSubject: Re: [pfSense] Traffic routing 
issue /divdiv
/divOliver,


I apologize, I should have been more clear. The problem is exhibited from all 
VLANs if I force the use of the web server's public IP. I only just discovered 
it while testing the guest WiFi on the restricted VLAN.


To answer your questions:

The pfSense router is not aware of any VLANs, we use a layer 3 switch that 
sits just inside from the pfSense router that routes traffic that must exit 
the LAN to the pfSense router.


I have attached screen shots of my port forward rule and the auto-generated 
firewall rule.


Thank you very much for your help.




Ryan Clough
Information Systems
Decision Sciences International Corporation


 
On Fri, Dec 12, 2014 at 9:15 AM, Oliver Hansen oliver.han...@gmail.com 
wrote:What does the allow rule on the restricted vlan and the NAT rule look 
like? 
 On Dec 11, 2014 11:24 PM, quot;Ryan Cloughquot; ryan.clo...@dsic.com 
 wrote:


I am hoping that one of you out there can assist me with this rather 
interesting problem I am having. Let me set the stage.


I am running the latest stable version of pfSense:
2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16

I am running transparent Squid and Squidguard, and all IP ranges have access 
to use the proxy.


I have two WAN connections, each with a handful of public IPs. I have created 
an IP alias virtual IP of one of my public IPs on WAN1, which is used to NAT 
to a web server.


We have an internal DNS server that resolves the domain name of a web server 
to the local LAN IP address. So, all computers on unrestricted VLANs access 
the web server without having to hit the pfSense router at all. This works as 
expected and the valid certificate is served and the web page loads.


We have one restricted VLAN that is used for guest WiFi access and this VLAN 
is assigned external DNS servers and therefore resolve the domain name to the 
public IP.



Now my problem. When connected to the guest WiFi on the restricted VLAN and 
attempting to access the web server on its public IP, which is assigned to a 
virtual IP on WAN1, I get served the certificate from the pfSense router. I 
can tell that this is the pfSense self-signed certificate because of the 
details of the certificate displayed in the warning. I also get this behavior 
if I force a computer on an unrestricted VLAN, using the hosts file, to 
resolve the host name of the web server to its public IP.


What is going on here? I can provide more information if needed. Thank you for 
your time.

Ryan Clough
Information Systems
Decision Sciences International Corporation


 










 
 

This email and its contents are confidential. If you are not the intended 
recipient, please do not disclose or use the information within this email or 
its attachments. If you have received this email in error, please report the 
error to the sender by return email and delete this communication from your 
records.
___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list

 
___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list


 
 This email and its contents are confidential. If you are not the intended 
 recipient, please do not disclose or use the information within this email or 
 its attachments. If you have received this email in error, please report the 
 error to the sender by return email and delete this communication from your 
 records.___ 
List mailing list 
List@lists.pfsense.org 
https://lists.pfsense.org/mailman/listinfo/list___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] BGP in 2.2

2014-12-12 Thread Adam Thompson
First, can anyone tell me what OpenBGPD pacakge v0.9.3 is based on? I'd 
like to switch a pair of routers from OpenBSD to pfSense, but I need 
some recent fixes in OpenBGPD that only made it in for OpenBSD 
5.5-RELEASE.  Looking at the GIT repo doesn't answer my question in any 
obvious way.
Wait, I take that back... pkg_config.8.xml.amd64 shows a version# in the 
package filename of 5.2.
How do I get that updated?  There's been a lot of work done recently, in 
the 5.4-5.5 timeframe including some critical bugfixes when using CARP.


Second, I clearly remember that in the 2.0 days, we were moving away 
from OpenBGPD to (IIRC) quagga/zebra... but OpenBGPD is the only BGP 
implementation I'm seeing now.  What happened there?


Third, is there still no way to run BGP and OSPF on the same system??

--
-Adam Thompson
 athom...@athompso.net

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] OpenVPN connects fine, no internet

2014-12-12 Thread Volker Kuhlmann
On Fri 12 Dec 2014 06:19:37 NZDT +1300, Karl Fife wrote:

 The VPN should protect from all MITM attacks and snooping between
 the VPN client and server.
 
 This is a great idea, but I find that routing all traffic through
 VPN causes problems in marginal (lossy or congensted) networks.  I'm
 curious to know if others have also had this pain point, and whether
 you've had any success by simply sending VPN over TCP.

What you are seeing is the additional overhead of the VPN, both in
encapsulation and in delay. There is no way around that. I expect tcp to
be even worse (but able to detect missing packets). That's the price you
pay. Ideally I'd like to have flexible and user-friendly control over
what data goes over the VPN and which DNS is used. It happens that one
has to look up some hosts of the provider and can't tunnel the DNS,
which is always annoying.

It is possible that other VPNs, in particular IPsec, have lower
overheads.

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list