[pfSense] Problem with load vpn status

2015-07-29 Thread Edward Josette Ortega Salas
Greetings!

I have a problem with my pfSense (2.2.2-RELEASE (amd64) built on Mon
Apr 13 20:10:22 CDT 2015 FreeBSD 10.1-RELEASE-p9).
I have 157 IPsec tunnels and everything is working fine, but when I go into
Status -> IPsec, there is a 15 to 20 minute delay before the information
is shown.

I configured all my VPNs with FQDNs instead of IPs because they change
their IPs constantly. I tested the FQDN answers and it seems to work fine;
indeed, I increased the "ini_set" value from 256M to 8192M in
/etc/inc/config.inc.

But it seems that was not enough; now I get this error on the status page:

Warning: Illegal string offset 'childsa' in /etc/inc/xmlparse.inc on line
77 Fatal error: Cannot create references to/from string offsets nor
overloaded objects in /etc/inc/xmlparse.inc on line 77

In the last few days I've submitted the error from the bug page on the
dashboard, so maybe you already have the entire problem.

Thanks in advance.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Suricata alert suppression

2015-07-29 Thread Steve Yates
For posterity, I found references in the web forum that the "stream" 
rules basically don't work the way IDS is set up on pfSense so should be 
disabled.  I believe the issue is that it looks at the traffic in parallel so 
packets might be processed out of order.

Still not sure why it wasn't honoring the Suppress instruction.

--

Steve Yates
ITS, Inc.


Steve Yates wrote on Mon, Jul 13 2015 at 3:16 pm:

>   I got Suricata installed and operating.  I found, oddly, that the 
> highest
> volume of packet errors alerted was to/from Symantec IPs.  I added that
> subnet as "trusted" but apparently that doesn't take effect unless automatic
> blocking is also enabled.  I have not had much luck having it actually 
> suppress
> the alerts though...  I edited the Suppress rules to use a subnet, which seems
> to be allowed, like so:
> 
> #SURICATA STREAM Packet with invalid ack
> suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
> 
> ...and then disabled and re-enabled Suricata on the WAN interface.  However,
> IPs from within that /24 still show in the Alerts tab?
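To see what a threshold.config suppress line actually silences, here is an added example (not from the thread and not Suricata's own code) that parses the quoted line and evaluates it against constructed alerts; it shows that "track by_dst" leaves alerts untouched when the /24 is the source side of the flow, which "track by_either" would cover. The alerts are constructed; 192.0.2.10 is a placeholder local host.

```python
"""Evaluate Suricata 'suppress' lines from threshold.config against alerts.
Added example for the thread; the rule line is the one quoted above,
the alerts are constructed."""
import ipaddress
import re

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+))?\s*$")


def parse_suppress(line):
    """Parse one suppress line into gen_id, sig_id, track and network."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a suppress line: {line!r}")
    gen_id, sig_id, track, ip = m.groups()
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return {"gen_id": int(gen_id), "sig_id": int(sig_id),
            "track": track, "net": net}


def is_suppressed(rule, alert):
    """alert: dict with gen_id, sig_id, src, dst.
    No 'track' clause silences the signature everywhere; by_src/by_dst
    only match the named side of the flow; by_either matches both."""
    if (rule["gen_id"], rule["sig_id"]) != (alert["gen_id"], alert["sig_id"]):
        return False
    if rule["track"] is None:
        return True
    src_in = ipaddress.ip_address(alert["src"]) in rule["net"]
    dst_in = ipaddress.ip_address(alert["dst"]) in rule["net"]
    return {"by_src": src_in, "by_dst": dst_in,
            "by_either": src_in or dst_in}[rule["track"]]


RULE_LINE = "suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24"

# Constructed alerts: the same signature fired in both directions of one flow.
ALERTS = [
    {"gen_id": 1, "sig_id": 2210045, "src": "192.0.2.10", "dst": "143.127.136.5"},
    {"gen_id": 1, "sig_id": 2210045, "src": "143.127.136.5", "dst": "192.0.2.10"},
]


def surviving_alerts(rule_line, alerts):
    """Return the alerts that the suppress line does NOT silence."""
    rule = parse_suppress(rule_line)
    return [a for a in alerts if not is_suppressed(rule, a)]
```

With the by_dst rule the alert whose source is in the /24 survives; rewriting the line with "track by_either" silences both directions.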



Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Vick Khera
On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz  wrote:

> Again,  I agree with you that this shouldn't affect your score.  I am
> simply explaining why they do it.
>

Based on this explanation, I agree. There's no reason for them to demand
that your certificate also signs any other domain name as long as it signs the
one to which they are connecting and testing.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Claudio Thomas

 
On 29.07.2015 18:02, Vick Khera wrote:
> On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz  wrote:
>
>> Again,  I agree with you that this shouldn't affect your score.  I am
>> simply explaining why they do it.
> based on this explanation, i agree. there's no reason for them to demand
> your certificate also signs any other domain name as long as it signs the
> one to which they are connecting and testing.
Hi, the reason why it affects your score is simple:
1. client makes a request to https://www.example.net
=> if it does not redirect to https://example.net, the check stops here.
All is OK.
=> if your server responds with a redirect to https://example.net, it
does it with an untrusted certificate. Untrusted, because the server
certificate is not certified to be used for www.example.net.

So you have 3 options:
1. disable redirection of https://www to https://bare (probably not what
you wish)
2. give your https://www server a valid certificate, so that the
redirect is trustworthy (as done by https://www.web.de, which points to
https://web.de)
3. if it is the same server, but only a separate config, you probably
should get a certificate with CN: www.example.net and Alt-Names: DNS:
www.example.net and DNS: example.net (example: https://xmodus-systems.de
redirects to https://www.xmodus-systems.de, the cert is valid for both)

Again: the connection to https://www.example.net is technically not OK,
for sure. But this you probably already know.
Now "why does Qualys also check the www.?": Qualys checks this option for
bare domains, because many users worldwide tend to prefix www. to every
domain without thinking about it (bad habit). If the www. domain does not
belong to you, there is a potential risk that your customers think they are
accessing your site but in reality it is a possible "man-in-the-middle" site.
=> Security is not only a technical issue, but must also take account of
human bad habits.

Best regards,
Claudio

-- 
Working on OpenWrt CC for Xmodus GSM Router XM1710E
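Option 3 above amounts to a simple invariant: every hostname a client connects to along the redirect chain must be covered by the certificate that host presents. The following added example (written for this thread, not code from the poster or from pfSense) checks that invariant against constructed SAN lists for the example.net case, using RFC 6125-style wildcard matching; the certificate contents and chain are assumptions.

```python
"""Audit an HTTPS redirect chain: each hop's hostname must be covered by
the DNS SANs of the certificate that hop presents.
Added example; SAN lists and the chain are constructed, not observed."""


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only as the entire leftmost label, and it
    matches exactly one label (no partial or multi-label wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    if "." not in rest:           # refuse '*.net'-style patterns
        return False
    labels = hostname.split(".")
    # '*.example.net' covers 'www.example.net' but not 'example.net'
    # (too few labels) nor 'a.b.example.net' (wildcard spans one label).
    return len(labels) >= 3 and ".".join(labels[1:]) == rest


def cert_covers(hostname, san_dns_names):
    """True if any DNS SAN of the certificate matches hostname."""
    return any(san_matches(p, hostname) for p in san_dns_names)


def audit_redirect_chain(chain, cert_by_host):
    """chain: hostnames in the order the client connects to them.
    cert_by_host: hostname -> DNS SANs of the certificate that host serves.
    Returns the hops whose certificate does not cover the connected name
    (an empty list means every hop of the redirect is trusted)."""
    return [h for h in chain if not cert_covers(h, cert_by_host.get(h, []))]


# Constructed scenarios for the thread's example.net case.
BARE_ONLY_CERT = ["example.net"]                    # what breaks the score
BOTH_NAMES_CERT = ["www.example.net", "example.net"]  # option 3 in the thread
CHAIN = ["www.example.net", "example.net"]


def demo():
    """Same server config in both runs; only the certificate differs."""
    broken = audit_redirect_chain(CHAIN, {h: BARE_ONLY_CERT for h in CHAIN})
    fixed = audit_redirect_chain(CHAIN, {h: BOTH_NAMES_CERT for h in CHAIN})
    return broken, fixed
```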






Re: [pfSense] Problem with load vpn status

2015-07-29 Thread Vick Khera
On Wed, Jul 29, 2015 at 10:24 AM, Edward Josette Ortega Salas <
edward.jose...@gmail.com> wrote:

> Status -> Ipsec, i have between 15 and 20min delay  for show the
> information.
>

How long do these commands take to run on the command line:

setkey -D
setkey -DP

If these are quick, I'd suspect that the UI code that parses this output is
inefficient and taking a long time.


Re: [pfSense] DHCP Relay attaching to wrong interface

2015-07-29 Thread Juan Bernhard


On 27/07/2015 at 08:07 p.m., Juan Pablo wrote:

Hello Juan!
Don't know if you solved this; what are you trying to achieve here? What's
your WAN interface IP doing there? =)
Can you provide more info, maybe an idea of the topology?

bye,
me


Hello Juan Pablo! Sorry for the delay, I had a bad week...
I didn't solve this problem, I just let the relay work alongside the DHCP 
server; this is not a problem (the DHCP protocol is meant to work with 
several servers in the same net... I think)

This is the topology:
one interface for the internet traffic, the other one connected inside 
to a really big net: 1500 hosts, 30 servers...


The internet fiber is connected on bce0.

bce1 has 3 public class C networks (that's the IP you see inside; 
that's not my WAN IP address, it is the public IP address of the DNS and DHCP 
server). There are a lot of VLANs connected to this interface (through 
VLAN tags) and each VLAN needs to have a DHCP relay on it.
The idea is to relay each VLAN, but not the default VLAN (the DHCP 
server is connected to this one).


I will try to recreate this problem by creating a VLAN and trying to attach 
the DHCP relay only to this one, and not to the "parent" interface.

I'll tell you later if I succeed.


Regards!



2015-07-25 10:06 GMT-03:00 Juan Bernhard :

Hi list, first I want to congratulate all pfSense developers for this
magnificent piece of software.

I think I found a simple bug:
I am configuring a pfSense on a single server to replace a Cisco 2821 and an
ASA 5520, and at the moment almost everything is working great.
But... I'm having trouble with the DHCP relay. I have 2 real interface
configurations, one on the internet side and the other on the inside, with 8
VLANs there. I configured DHCP relay to listen on some VLAN interfaces, but
it also attaches to the LAN interface (the one without VLAN tag), having 2
DHCP responding servers on the same collision domain.

In the shell I can see that dhcrelay is up and the command is wrong:
[2.2.3-RELEASE][r...@inti1.inti.gob.ar]/root: ps auxww | grep dhc
root30087   0.0  0.1  20184  9820  -  Ss9:34AM  0:00.05
/usr/local/sbin/dhcrelay -i bce1_vlan3 -i bce1_vlan10 -i bce1_vlan20 -i
bce1_vlan33 -i bce1_vlan51 -i bce1 -a -m replace 200.10.161.34

It should not say "-i bce1"; this interface (LAN) is not selected in the DHCP
relay web configuration.



Regards, Juan.





Re: [pfSense] Problem with load vpn status

2015-07-29 Thread Edward Josette Ortega Salas
Hi!.

Yes, it was quick:

- For setkey -D it took:  0.253u 0.276s 0:31.37 1.6% 93+178k 0+0io 0pf+0w
- And for setkey -DP:  0.017u 0.008s 0:00.02 50.0% 204+408k 0+0io 0pf+0w


And... we are talking about 157 VPNs. So what can we do about this delay? Do
you need different parsing code or additional information to solve this?

Thanks in advance..



2015-07-29 12:16 GMT-04:30 Vick Khera :

> On Wed, Jul 29, 2015 at 10:24 AM, Edward Josette Ortega Salas <
> edward.jose...@gmail.com> wrote:
>
> > Status -> Ipsec, i have between 15 and 20min delay  for show the
> > information.
> >
>
> How long do these commands take to run on the command line:
>
> setkey -D
> setkey -DP
>
> If these are quick, I'd suspect that the UI code that parses this output is
> inefficient and taking a long time.


[pfSense] OpenVPN -> nat -> IPSec tunnel

2015-07-29 Thread Lorenzo Milesi
Hi.
I have a working IPsec tunnel to another endpoint. I'd like to be able to access 
this tunnel from OpenVPN.

Right now I have:
LAN: 10.1.1.0/24
IPSEC remote: 10.99.99.0/24
OpenVPN: 172.16.12.0/24

Since I cannot change the IPsec network, I'd like to NAT the OpenVPN net to the 
tunnel.
I added a second phase 2 entry, with the OpenVPN network in the upper part, and 
the LAN net in the second "local network" area, where it mentions "NATting", 
but it's not working.

I have no blocking rules on OpenVPN firewall, and very few in IPSec.

Is this solution working? Is the approach correct?
Any help is welcome.
Bye
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

YetOpen S.r.l. - http://www.yetopen.it/


[pfSense] Connect pfSense as client to a Hotel WLAN?

2015-07-29 Thread Ray

Hi,

I run pfSense on a few ALIX boxes, usually as tunnel end and as access 
point. When I can plug one of these machines into any (wired) network, I 
have easy access to my home network through the private WLAN the ALIX 
provides.


This works beautifully.

I travel a lot and today hotels only provide WLAN access. Ethernet ports 
in hotel rooms are relics of the past.


I solved this problem by using a Mac to connect to the hotel WLAN and 
then select "Share my Internet (WLAN) connection to Ethernet" in the 
"Sharing" control panel. When I then connect the ALIX WAN interface to 
my Mac using a cable, things again work nicely, but I effectively block 
a Mac as a router that I would rather carry around.


My thought was "throw a second ALIX box at the problem and make that one 
connect as client to the hotel's WLAN", then plug the two ALIX's 
together with a short cable.


I did try this, hacking the hotel's WLAN details into the WLAN interface 
configuration of the second ALIX (configured to use "Infrastructure" 
mode, of course), but the WLAN interface always stays down, no matter 
what I try.


My hope was that the hotel's captive portal mechanism could be 
fooled into giving access to my client ALIX from any client computer 
connected to the AP provided by ALIX number 1, but as the client ALIX's WLAN 
is always down, I didn't even make it to this point.



Did anyone here successfully do this (and share some insights)?


Thanks,
Ray



Re: [pfSense] DHCP Relay attaching to wrong interface

2015-07-29 Thread Chris Buechler
On Sat, Jul 25, 2015 at 8:06 AM, Juan Bernhard  wrote:
> Hi list, first I want to congratulate all pfSense developers for this
> magnificent piece of software.
>
> I think I found a simple bug:
> I am configuring a pfSense on a single server to replace a Cisco 2821 and an
> ASA 5520, and at the moment almost everything is working great.
> But... I'm having trouble with the DHCP relay. I have 2 real interface
> configurations, one on the internet side and the other on the inside, with 8
> VLANs there. I configured DHCP relay to listen on some VLAN interfaces, but
> it also attaches to the LAN interface (the one without VLAN tag), having 2
> DHCP responding servers on the same collision domain.
>

At some point ages ago, if you didn't specify the interface where the
target server resides in the list, it wouldn't work. It has nothing to do
with it being a VLAN parent; that's just where your target DHCP server
resides or is reachable. That no longer appears to be necessary. It
won't relay requests out the same interface they came in on, so it
should make no functional difference. Regardless, it shouldn't be
specified now.

Ticket, and commit that removes it.
https://redmine.pfsense.org/issues/4908
https://github.com/pfsense/pfsense/commit/97613114b5b74c334609d7fcd79c94741b111793

If you could help verify, please replace your /etc/inc/services.inc
file with this:
https://raw.githubusercontent.com/pfsense/pfsense/RELENG_2_2/etc/inc/services.inc

Then just click Save under Services>DHCP Relay.

I have tested it in VLAN and non-VLAN circumstances, and it works.
Additional confirmation appreciated.


Re: [pfSense] Connect pfSense as client to a Hotel WLAN?

2015-07-29 Thread Chris Buechler
On Wed, Jul 29, 2015 at 7:59 PM, Ray  wrote:
> Hi,
>
> I run pfSense on a few ALIX boxes, usually as tunnel end and as access
> point. When I can plug one of these machines into any (wired) network, I
> have easy access to my home network through the private WLAN the ALIX
> provides.
>
> This works beautifully.
>
> I travel a lot and today hotels only provide WLAN access. Ethernet ports in
> hotel rooms are relics of the past.
>
> I solved this problem by using a Mac to connect to the hotel WLAN and then
> select "Share my Internet (WLAN) connection to Ethernet" in the "Sharing"
> control panel. When I then connect the ALIX WAN interface to my Mac using a
> cable, things again work nicely, but I effectively block a Mac as a router
> that I would rather carry around.
>
> My thought was "throw a second ALIX box at the problem and make that one
> connect as client to the hotel's WLAN", then plug the two ALIX's together
> with a short cable.
>
> I did try this, hacking the hotel's WLAN details into the WLAN interface
> configuration of the second ALIX (configured to use "Infrastructure" mode,
> of course), but the WLAN interface always stays down, no matter what I try.
>
> My hope was that the hotel's captive portal mechanism could be fooled into
> giving access to my client ALIX from any client computer connected to the AP
> provided by ALIX number 1, but as the client ALIX's WLAN is always down, I
> didn't even make it to this point.
>
>
> Did anyone here successfully do this (and share some insights)?
>

Definitely doable. I've done it in about every combination imaginable.
ALIX or similar hardware with a wifi card, a pfSense VM on a laptop
with a LTE card via USB passthrough, same for wifi USB. Ethernet
bridged to a VM on a laptop. Some ugly combinations of those where
multiple layers of NAT were necessary before the traffic left my
equipment, but was fine as a temporary hack.

For connecting to captive portal networks, everything behind it will
look like one device as far as their network is concerned, as you're
NATing everything to the same source IP and MAC.

How do you have the wireless interface configured for standard and
channel? What wireless card are you using?