Re: [pfSense] FTP issues on 1:1
Yes. ProFTPd reports the masquerading address properly when starting the service.

— Ryan

> On Jul 7, 2015, at 5:14 PM, Steve Yates wrote:
>
> Ryan Coleman wrote on Tue, Jul 7 2015 at 4:48 pm:
>
>>> http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html
>
>> Yep - I’m using that.
>
>> Command: PORT 10,20,1,49,214,167
>
> Pretty sure this would be IP 10.20.1.49, not the public one...is 10.20.1.x on your WAN?
>
> --
> Steve Yates
> ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
[pfSense] Plain Password issue on Freeradius ?
Hi,

I'm trying to auth EAP (using an access point) to a FreeIPA LDAP server using Freeradius. I get the following error when I use PEAP and CHAPv2. How can I make sure the passwords are not sent in plaintext, as I think that is my issue?

# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "username", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "username", skipping NULL due to config.
++[ntdomain] = noop
[eap] EAP packet type response id 42 length 73
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++policy redundant {
[ldap] performing user authorization for username
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> username
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap] expand: cn=users,cn=accounts,dc=domain,dc=local -> cn=users,cn=accounts,dc=domain,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,cn=accounts,dc=domain,dc=local, with filter (uid=username)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Item Name: Calling-Station-Id, Value: A4-07-G9-2E-41-D5
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP

Thanks,
Matt
Re: [pfSense] FTP issues on 1:1
Ryan Coleman wrote on Tue, Jul 7 2015 at 4:48 pm:

>> http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html

> Yep - I’m using that.

> Command: PORT 10,20,1,49,214,167

Pretty sure this would be IP 10.20.1.49, not the public one...is 10.20.1.x on your WAN?

--
Steve Yates
ITS, Inc.
Re: [pfSense] FTP issues on 1:1
> On Jul 7, 2015, at 4:41 PM, Steve Yates wrote:
>
> ED Fochler wrote on Tue, Jul 7 2015 at 1:10 pm:
>
>> FTP is a nasty beast. There’s active, passive, and extended passive
>> connections. You may need a client that does extended passive (epsv?) to work
>> properly. Standard passive will hand back the server’s IP & data port over the
>> control connection, so unless PFSense is altering the packets as they leave, or
>> ProFTPd knows that it needs to respond to that IP range with a masqueraded
>> IP, standard passive will get hung up.
>
> http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html
>
> Basically that should hand out the public IP for the passive connection,
> instead of the server's LAN IP. However (not tested) that may well break
> internal FTP, unless perhaps requests to the WAN IP are reflected back
> inside. I think I would even expect internal FTP users to have to connect
> via the WAN IP also.

Yep - I’m using that.

Status: Resolving address of domain.ltd
Status: Connecting to public.IP:9000...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command:PWD
Response: 257 "/" is the current directory
Command:TYPE I
Response: 200 Type set to I
Command:PORT 10,20,1,49,214,167
Response: 200 PORT command successful
Command:MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

But internally it immediately connects.
Re: [pfSense] FTP issues on 1:1
ED Fochler wrote on Tue, Jul 7 2015 at 1:10 pm:

> FTP is a nasty beast. There’s active, passive, and extended passive
> connections. You may need a client that does extended passive (epsv?) to work
> properly. Standard passive will hand back the server’s IP & data port over the
> control connection, so unless PFSense is altering the packets as they leave, or
> ProFTPd knows that it needs to respond to that IP range with a masqueraded
> IP, standard passive will get hung up.

http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html

Basically that should hand out the public IP for the passive connection, instead of the server's LAN IP. However (not tested) that may well break internal FTP, unless perhaps requests to the WAN IP are reflected back inside. I think I would even expect internal FTP users to have to connect via the WAN IP also.

--
Steve Yates
ITS, Inc.
Re: [pfSense] FTP issues on 1:1
And is included in the Kernel in 2.x but, alas, it’s not working. SFTP is not an option.

> On Jul 7, 2015, at 1:10 PM, ED Fochler wrote:
>
> an ftp proxy is what the linux guys usually do, as iptables has a module for
> that.
[pfSense] pfSense 2.2.3 + Squid3 + SquidGuard + Active Directory Auth (SSO)
Hi,

I have a deployment script, updated and functional, for installing pfSense version 2.2.3 using squid3, with transparent SSO authentication in AD and LDAP filters in SquidGuard. Whoever is interested, contact me in private or by my email: luizgust...@mundounix.com.br

Thanks

--
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
ICQ: 2890831 / Gtalk: gustavo@gmail.com
Blog: http://www.luizgustavo.pro.br
Re: [pfSense] FTP issues on 1:1
FTP is a nasty beast. There’s active, passive, and extended passive connections. You may need a client that does extended passive (epsv?) to work properly. Standard passive will hand back the server’s IP & data port over the control connection, so unless PFSense is altering the packets as they leave, or ProFTPd knows that it needs to respond to that IP range with a masqueraded IP, standard passive will get hung up.

FTP (anything other than extended passive mode) really wants to use routable IPs. FTP is not naturally compatible with NAT, or IPv6. Extended passive is the proper solution.

an ftp proxy is what the linux guys usually do, as iptables has a module for that.

sftp is my preferred solution. Death to FTP.

ED.

> On 2015, Jul 7, at 12:45 PM, Ryan Coleman wrote:
>
> No port forwarding. Just 1:1 and Rules.
>
> ProFTPd is told to use port 9000. That works perfectly internally.
>
> Rules set up to allow port 9000 out through the firewall. Connection happens
> - but no directory structure is delivered.
> This is working for other services on the internal server including Apache.
>
>
>> On Jul 6, 2015, at 10:35 PM, Jim Pingle wrote:
>>
>> On 7/6/2015 7:59 PM, Ryan Coleman wrote:
>>> Using 1:1 has turned most of my knowledge in pfSense completely useless. I
>>> feel like a beginner again.
>>>
>>> FTP worked on port 21. But for security reasons I do not want it there so I
>>> moved it to port 9000.
>>>
>>> ProFTPd is set up for Masquerading on its 1:1 IP, passive ports are
>>> dictated in the conf (49500-52500) and configured as such in the Firewall
>>> Rules. Firewall Rules also have port 8999-9001 open for the FTP server.
>>>
>>> FTP works internal to the network so the issue isn’t in the configuration
>>> of ftp server but in the configuration of the firewall.
>>
>> Seems the actual question/problem statement is missing. What exactly
>> isn't working?
>>
>> Did you actually change the binding port in ProFTPd or did you redirect
>> 21 to 9000 with a port forward?
>>
>> If you mix 1:1 NAT and port forwards you will find a couple things you
>> may not expect due to the way pf works and how NAT happens before
>> firewall rules:
>>
>> 1. Port forwards override 1:1 NAT, which is good for doing what you want
>>
>> -but-
>>
>> 2. If you forward a different port (e.g. 9000 to 21) your rule still
>> passes to the local IP on port 21 so BOTH ports are actually accessible.
>> In other words, you can't relocate a port and block access to the
>> original port.
>>
>> Changing the binding in ProFTPd to 9000 should work around that.
>>
>> If that's what you did, then your rule would pass to the local IP on
>> port 9000.
>>
>> If that doesn't help, give us a bit more detail about the exact NAT and
>> firewall rules you have and what isn't working as expected. Include
>> firewall logs, states for the test connections, and perhaps a packet
>> capture.
>>
>> Jim
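The PORT/PASV decoding that Steve and ED describe above, written out as an added Python illustration that is not code from this thread, from pfSense or from ProFTPD: it decodes the h1,h2,h3,h4,p1,p2 tuple, shows why an EPSV reply carries nothing for NAT to mangle, and flags an RFC 1918 address advertised across a public control connection. The sample lines are constructed, and 203.0.113.7 is a documentation-range placeholder standing in for the public peer.

```python
import ipaddress
import re

# Constructed sample lines modelled on the FileZilla session quoted in this
# thread; they were not captured from the original poster's server.
PORT_CMD = "PORT 10,20,1,49,214,167"
PASV_REPLY = "227 Entering Passive Mode (10,20,1,49,193,140)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50123|)"

# RFC 1918 ranges: one of these inside a PORT command or a 227 reply that
# crossed a public control connection is the classic FTP-through-NAT leak.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT (RFC 959) and by the
    227 PASV reply. Returns (ip, port) or None if the tuple is malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def format_hostport(ip, port):
    """Encode (ip, port) back into the h1,h2,h3,h4,p1,p2 form. Substituting
    the public address here is what ProFTPD's MasqueradeAddress does."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"

def parse_epsv(text):
    """Decode a 229 EPSV reply (RFC 2428). Only a port is carried; the client
    reuses the control-connection address, so NAT has nothing to rewrite."""
    m = _EPSV.search(text)
    if not m:
        return None
    port = int(m.group(1))
    return port if 1 <= port <= 65535 else None

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)

def check_data_endpoint(advertised_ip, control_peer_ip):
    """Compare the address embedded in the FTP exchange with the address the
    other side actually sees on the control connection. A server would apply
    this to a PORT command, a client to a 227 reply."""
    if is_rfc1918(advertised_ip) and not is_rfc1918(control_peer_ip):
        return "private-address-leak"  # NAT rewrote the headers, not the payload
    if advertised_ip != control_peer_ip:
        return "address-mismatch"
    return "ok"

if __name__ == "__main__":
    ip, port = parse_hostport(PORT_CMD)
    print(ip, port, check_data_endpoint(ip, "203.0.113.7"))
    print(parse_hostport(PASV_REPLY), parse_epsv(EPSV_REPLY))
```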
Re: [pfSense] FTP issues on 1:1
No port forwarding. Just 1:1 and Rules.

ProFTPd is told to use port 9000. That works perfectly internally.

Rules set up to allow port 9000 out through the firewall. Connection happens - but no directory structure is delivered.
This is working for other services on the internal server including Apache.

> On Jul 6, 2015, at 10:35 PM, Jim Pingle wrote:
>
> On 7/6/2015 7:59 PM, Ryan Coleman wrote:
>> Using 1:1 has turned most of my knowledge in pfSense completely useless. I
>> feel like a beginner again.
>>
>> FTP worked on port 21. But for security reasons I do not want it there so I
>> moved it to port 9000.
>>
>> ProFTPd is set up for Masquerading on its 1:1 IP, passive ports are dictated
>> in the conf (49500-52500) and configured as such in the Firewall Rules.
>> Firewall Rules also have port 8999-9001 open for the FTP server.
>>
>> FTP works internal to the network so the issue isn’t in the configuration of
>> ftp server but in the configuration of the firewall.
>
> Seems the actual question/problem statement is missing. What exactly
> isn't working?
>
> Did you actually change the binding port in ProFTPd or did you redirect
> 21 to 9000 with a port forward?
>
> If you mix 1:1 NAT and port forwards you will find a couple things you
> may not expect due to the way pf works and how NAT happens before
> firewall rules:
>
> 1. Port forwards override 1:1 NAT, which is good for doing what you want
>
> -but-
>
> 2. If you forward a different port (e.g. 9000 to 21) your rule still
> passes to the local IP on port 21 so BOTH ports are actually accessible.
> In other words, you can't relocate a port and block access to the
> original port.
>
> Changing the binding in ProFTPd to 9000 should work around that.
>
> If that's what you did, then your rule would pass to the local IP on
> port 9000.
>
> If that doesn't help, give us a bit more detail about the exact NAT and
> firewall rules you have and what isn't working as expected. Include
> firewall logs, states for the test connections, and perhaps a packet
> capture.
>
> Jim
Re: [pfSense] IPSEC Tunnel with NAT not working under 2.2.3
> I updated to 2.2.3 over the weekend, and now my tunnel no longer works correctly, even though my settings haven't changed.

The same thing happened to me. I had to change the Encryption algorithm from AES256 to 3DES to get it to work. There's talk this will be fixed in the next release.
[pfSense] IPSEC Tunnel with NAT not working under 2.2.3
Hi,

I updated to 2.2.3 over the weekend, and now my tunnel no longer works correctly, even though my settings haven't changed.

I have an IPSEC tunnel, and then NAT from my LAN to the other end using my external IP address. When I use FTP to connect to the site, I can connect and login, but as soon as I try to do a listing, the connection dies. I have had people look at it, and it's because the active PORT request on the ftp request isn't being NAT'd to my external IP, and they are presented with my internal IP, which then doesn't work.

Any clues as this worked on 2.2.x?

Roy Hocknull
Re: [pfSense] Issues with 2.2.x and Alix devices
On 7/7/15 8:45 am, Микаел Бак wrote:
> I have only been able to run pfSense reliably with Alix devices that have 256MB RAM. With less (128MB RAM) the webconfigurator process kills itself, presumably because it needs more RAM to work properly.
>
> Perhaps I'm wrong, but this is what I have noticed on my systems.

I've noticed the same thing on pfSense 2.1 and newer. 2.0 *just about* works on 128MB if you don't use any extra functionality (VPNs etc.)

Kind regards,
Chris

--
This email is made from 100% recycled electrons
Re: [pfSense] Issues with 2.2.x and Alix devices
Hello,

Thank you for your answer. The devices I use are the 2D3 with the 256 RAM.

Best regards
Kostas

> On 7 Jul 2015, at 10:45 AM, Микаел Бак wrote:
>
> Hi Kostas,
>
>
> On 2015-07-06 18:53, Kostas Backas wrote:
>> Hello,
>>
>> I had no success restoring 2.2.x (2.2.2 or 2.2.3) proper installers or
>> updaters to 2 different Alix devices.
>>
>> 2.1.5 is installing fine, and then update works OK. I haven’t tested yet the
>> devices with serial cables to see where they stop.
>>
>> Anyone faced this?
>>
>
> You do not specify how much RAM your Alix devices have.
> I have only been able to run pfSense reliably with Alix devices that have
> 256MB RAM. With less (128MB RAM) the webconfigurator process kills itself,
> presumably because it needs more RAM to work properly.
>
> Perhaps I'm wrong, but this is what I have noticed on my systems.
>
> HTH,
> Mikael
Re: [pfSense] Issues with 2.2.x and Alix devices
Hi Kostas,

On 2015-07-06 18:53, Kostas Backas wrote:
> Hello,
>
> I had no success restoring 2.2.x (2.2.2 or 2.2.3) proper installers or updaters to 2 different Alix devices.
>
> 2.1.5 is installing fine, and then update works OK. I haven’t tested yet the devices with serial cables to see where they stop.
>
> Anyone faced this?

You do not specify how much RAM your Alix devices have.
I have only been able to run pfSense reliably with Alix devices that have 256MB RAM. With less (128MB RAM) the webconfigurator process kills itself, presumably because it needs more RAM to work properly.

Perhaps I'm wrong, but this is what I have noticed on my systems.

HTH,
Mikael
Re: [pfSense] Upgrade 2.2.2->2.2.3 and OpenVPN Client Export Utility
Hi Chris,

On 2015-07-06 20:08, Chris Buechler wrote:
> On Fri, Jul 3, 2015 at 3:16 AM, Микаел Бак wrote:
>> Hi list,
>>
>> I run pfsense nanobsd (1g) on an old PC Engines ALIX board with 256MB RAM.
>> After upgrading to v2.2.3 my only installed package "OpenVPN Client Export Utility" and its dependencies disappeared. I tried to reinstall it, but no success.
>>
>> From the syslog:
>>
>> kernel: tar: Error opening archive: Failed to open '/usr/local/pkg/openvpn-client-export-2.3.6.tgz'
>> php: rc.bootup: Successfully installed package: OpenVPN Client Export Utility.
>> php: rc.bootup: Finished installing package OpenVPN Client Export Utility
>> [snip]
>> php: rc.bootup: Finished reinstalling all packages.
>> php-fpm[83412]: /pkg_mgr_install.php: Beginning package installation for OpenVPN Client Export Utility .
>> [snip]
>> php-fpm[83412]: /pkg_mgr_install.php: Failed to install package: OpenVPN Client Export Utility.
>
> What's logged in the snipped part?

Here's a cut&paste from the log without cut out snippets:

Jul 1 12:10:10 kernel: 9%
Jul 1 12:10:14 kernel: 10%
Jul 1 12:10:44 kernel: 20%
Jul 1 12:11:16 kernel: 30%
Jul 1 12:11:45 kernel: 40%
Jul 1 12:12:16 kernel: 50%
Jul 1 12:12:44 kernel: 60%
Jul 1 12:13:14 kernel: 70%
Jul 1 12:13:44 kernel: 80%
Jul 1 12:14:15 kernel: 90%
Jul 1 12:14:39 php-fpm[24170]: /pkg_mgr.php: Successful login for user 'admin' from: X.X.X.X
Jul 1 12:14:39 php-fpm[24170]: /pkg_mgr.php: Successful login for user 'admin' from: X.X.X.X
Jul 1 12:14:39 sshlockout[24500]: sshlockout/webConfigurator v3.0 starting up
Jul 1 12:14:44 kernel: 100%
Jul 1 12:15:55 kernel: 100%
Jul 1 12:16:00 kernel: tar: Error opening archive: Failed to open '/usr/local/pkg/openvpn-client-export-2.3.6.tgz'
Jul 1 12:16:08 php: rc.bootup: Successfully installed package: OpenVPN Client Export Utility.
Jul 1 12:16:08 php: rc.bootup: Finished installing package OpenVPN Client Export Utility
Jul 1 12:16:08 php: rc.bootup: Finished reinstalling all packages.
Jul 1 12:16:08 check_reload_status: Syncing firewall
Jul 1 12:16:09 syslogd: exiting on signal 15
Jul 1 12:16:10 syslogd: kernel boot file is /boot/kernel/kernel
Jul 1 12:16:10 kernel: done.
Jul 1 12:16:10 kernel: done.
Jul 1 12:16:12 php-fpm[61469]: /rc.start_packages: Restarting/Starting all packages.
Jul 1 12:16:13 login: login on ttyu0 as root
Jul 1 12:16:13 sshlockout[76315]: sshlockout/webConfigurator v3.0 starting up
Jul 1 12:16:13 login: login on ttyv0 as root
Jul 1 12:19:20 php-fpm[93156]: /index.php: User logged out for user 'admin' from: X.X.X.X
Jul 1 13:24:50 php-fpm[4789]: /index.php: Successful login for user 'admin' from: X.X.X.X
Jul 1 13:24:50 php-fpm[4789]: /index.php: Successful login for user 'admin' from: X.X.X.X
Jul 1 13:27:06 check_reload_status: Syncing firewall
Jul 1 13:27:12 check_reload_status: Syncing firewall
Jul 1 13:27:13 php-fpm[83412]: /pkg_mgr_install.php: Beginning package installation for OpenVPN Client Export Utility .
Jul 1 13:27:20 check_reload_status: Syncing firewall
Jul 1 13:32:30 check_reload_status: Syncing firewall
Jul 1 13:32:38 check_reload_status: Syncing firewall
Jul 1 13:32:45 php-fpm[83412]: /pkg_mgr_install.php: Failed to install package: OpenVPN Client Export Utility.
Jul 1 13:32:45 check_reload_status: Syncing firewall
Jul 1 13:32:46 check_reload_status: Starting packages
Jul 1 13:32:47 php-fpm[71998]: /rc.start_packages: Restarting/Starting all packages.
Jul 1 13:36:40 php-fpm[26707]: /index.php: User logged out for user 'admin' from: X.X.X.X

Thanks,
Mikael