Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

2018-05-23 Thread Chuck Mariotti
This is certainly possible, but the RRD GUI has a choice to display stats for 
WAN (Default) and LAN... selecting LAN essentially swaps the In/Out columns +/- 
a few gigs... 

We are running ntopng but it only has data for the last 12 days... the one 
webserver that is likely causing a lot of usage is reporting ~300GB used via 
ntopng... I assume that's total in/out.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Melvin Backus
Sent: May 23, 2018 7:47 PM
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center 
Provider...

Is it possible these numbers are for both interfaces on the pfSense box? If so, 
do they include both inbound and outbound traffic for both? That would 
effectively double the true data transfer if traffic isn't being routed between 
other subnets / interfaces on the firewall.  I don't have RRD loaded so this is 
strictly speculation on a possible cause.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
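Added example, not from the thread: a small Python reconciliation script for the two questions raised above, whether the RRD figures are counting both interfaces or both directions, and how much of the gap is just GiB versus GB. It assumes the WAN traffic RRD has been dumped with `rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -s <start> -e <end>` and that the data sources are named inpass and outpass (bytes/second averaged over each step), which is how pfSense 2.x names them; the fetch output embedded below is constructed, and the January figures passed to unit_ratio() are the ones from the thread.

```python
"""Reconcile pfSense traffic RRD data against a provider's transfer figures.

Added example, not code from the thread or from pfSense. Assumes the output
format of `rrdtool fetch` and the data-source names inpass/outpass used by the
pfSense 2.x traffic RRDs (bytes/second averaged over each step).
"""
import math
import re

GB = 1_000_000_000   # decimal gigabyte: what the provider bills in
GIB = 1024 ** 3      # binary gibibyte: what the pfSense RRD graphs display

# Constructed sample of `rrdtool fetch` output (1-hour step, bytes/second).
SAMPLE_FETCH = """\
                          inpass              outpass

1526860800: 1.5000000000e+06 2.0000000000e+05
1526864400: 1.2500000000e+06 2.5000000000e+05
1526868000: nan nan
1526871600: 1.0000000000e+06 1.0000000000e+05
"""

_ROW = re.compile(r"^\s*(\d+):\s+(.*)$")


def parse_fetch(text):
    """Parse `rrdtool fetch` text into (ds_names, [(timestamp, [values]), ...]).

    NaN cells (gaps where the box was down or the RRD had no sample) are kept
    as float('nan') so the caller decides how to treat them.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ds_names = lines[0].split()
    rows = []
    for ln in lines[1:]:
        m = _ROW.match(ln)
        if not m:
            raise ValueError(f"unexpected line: {ln!r}")
        ts = int(m.group(1))
        vals = [float(v) for v in m.group(2).split()]
        if len(vals) != len(ds_names):
            raise ValueError(f"row {ts}: {len(vals)} values, expected {len(ds_names)}")
        rows.append((ts, vals))
    return ds_names, rows


def infer_step(rows):
    """Step size in seconds: the smallest gap between consecutive rows."""
    gaps = {b[0] - a[0] for a, b in zip(rows, rows[1:])}
    if not gaps:
        raise ValueError("need at least two rows to infer the step")
    return min(gaps)


def integrate_bytes(ds_names, rows, step=None):
    """Turn per-step byte/second averages into total bytes per data source.

    A row's value is the average rate over the `step` seconds ending at its
    timestamp, so bytes = rate * step. NaN rows add nothing, which means an RRD
    with gaps can only under-report, never over-report.
    """
    step = step or infer_step(rows)
    totals = {ds: 0.0 for ds in ds_names}
    for _, vals in rows:
        for ds, v in zip(ds_names, vals):
            if not math.isnan(v):
                totals[ds] += v * step
    return totals


def summarize_wan(totals):
    """Report WAN totals from the provider's point of view.

    On the WAN interface, inpass is traffic arriving from the Internet (the
    provider's 'download') and outpass is traffic leaving toward it (the
    provider's 'upload'). Summing in+out over every interface roughly doubles
    the figure, because LAN out is WAN in and vice versa.
    """
    return {
        "upload_gb": totals["outpass"] / GB,
        "download_gb": totals["inpass"] / GB,
        "upload_gib": totals["outpass"] / GIB,
        "download_gib": totals["inpass"] / GIB,
    }


def unit_ratio(rrd_gib, provider_gb):
    """How much of an RRD-vs-provider gap the GiB/GB mismatch explains.

    Returns (RRD value in decimal GB, remaining ratio RRD/provider). A ratio
    near 1.0 means units were the whole story; near 2.0 points at counting
    both interfaces or both directions, or a different measurement point.
    """
    rrd_gb = rrd_gib * GIB / GB
    return rrd_gb, rrd_gb / provider_gb


if __name__ == "__main__":
    names, rows = parse_fetch(SAMPLE_FETCH)
    print(summarize_wan(integrate_bytes(names, rows)))
    # January from the thread: 1372.41 GiB (RRD upload) vs 618.95 GB (provider)
    print(unit_ratio(1372.41, 618.95))
```

On the thread's own January numbers the unit conversion closes only about 7% of the gap (1372.41 GiB is about 1473.6 GB against the provider's 618.95 GB, a factor of 2.38), so the rest has to come from what is being counted, not from how it is labelled.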




[pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

2018-05-23 Thread Chuck Mariotti
We've run into a data overage situation at a datacenter... We get charged a 
premium per GB over 500GB (yes I know, stupid). Their reporting system seems to 
indicate significantly less data usage vs pfSense's RRD reporting... their 
billing system seems to be indicating overage similar to their reporting... 
Uploads seem to be growing significantly. Any idea why the pfSense box seems to 
be counting differently than the datacenter's metrics? We need to track down 
where this usage is happening, but I know users have only grown ~5% over that 
same period of time.

Here are stats for each month:

Month           Datacenter (Upload/Download)   pfSense RRD (Upload/Download)
January         618.95GB/76.01GB               1372.41GiB/148.91GiB
February        365.25GB/47.15GB               1388.65GiB/149.60GiB
March           799.92GB/79.81GB               1697.71GiB/152.24GiB
April           801.67GB/105.01GB              1706.53GiB/200.86GiB
May (to 23rd)   581.57GB/76.26GB               1177.95GiB/139.55GiB


Any suggestions how or why there is a mismatch?

Regards,

Chuck


Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

2015-08-17 Thread Chuck Mariotti
Thanks, I had rebooted the server a few times trying to resolve. Is that the 
same? On the reload with error, did it point to something specific?
I ask because I'm not sure how to debug this without taking everything down all 
over again.

Chuck

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Seb
Sent: August-17-15 6:40 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

Maybe you had the same problem as me.

Log in on ssh shell and then try running:
pfctl -f /tmp/rules.debug
This should reload the rules, but might throw an error..

Kind regards, 

Seb


 



Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

2015-08-17 Thread Chuck Mariotti
Okay, so I can create an offsite pfSense instance, import the file and run that 
command and likely see if it points to specific errors.
Will try that.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Seb
Sent: August-17-15 12:25 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...

When I ran that command, I got an error. It pointed me to an alias that it 
thought was a host list alias and that needed changing to a port list alias.
I do not know why 2.2.x treated it differently to 2.1.x though.

Kind regards, 

Seb 


 

 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A 
 Mohan Rao mohanrao83-at-gmail.com |pfSense/Allow + Forward to Syntec|
 Sent: 17 August 2015 16:18
 To: ; pfSense Support and Discussion Mailing List
 Subject: Re: [pfSense] pfSense 2.1.5 to 2.2.4 update problems...
 
 Pls try with AMD64 Pfsense it works good at my pfSense server only 
 filter http not https...
 
 Thanks
 
 Mohan

[pfSense] pfSense 2.1.5 to 2.2.4 update problems...

2015-08-15 Thread Chuck Mariotti
I had a need to update to the latest pfSense. I had a replacement machine with 
the latest 2.2.4. Took the config file from 2.1.5 and restored it...

It got stuck on restoring packages and I eventually unlocked and just left 
it as-is.

Swapped over the connection to the replacement and some internal websites 
(https) stopped being available to the public... internally no problems.

I looked quickly but could not find what was happening with a simple update. So 
I switched it back to the original.

I reinstalled 2.1.5 on the replacement machine... restored the config... 
switched it over and all worked perfectly.

I ran the in-place update and it completed without issues (including 
packages)... but again, many internal sites not available to the public side.

Did I miss something in the upgrade method? There is a patch that was 
previously applied but I don't think it was related and it didn't say it was 
enabled.

Fix SHA1 certs

http://github.com/pfsense/pfsense/commit/fd750cd064a46f364a7e06c9fe27d46ce11cd09a.patch

Unfortunately, I did not have much time to debug since there was an unrelated 
hardware failure which extended the approx. downtime from 5-10mins to about 3 
hours... So was mostly interested in restoring things back to normal.

To be honest, I don't know if it was both http(s) or just https only that was 
not accessible... I think it was https but it's too late to test it again. 
There is an NLBS serving up some of those sites if that matters.

I would be grateful for any suggestions.

Regards,

Chuck
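Added example, not pfSense code: an offline check that can be run against a config.xml backup before importing it on the new box, for the kind of problem Seb describes in the thread (an alias of one type referenced where another type is expected, which the 2.2.x rule generation rejects). It assumes the pfSense 2.x config.xml layout, aliases under <aliases><alias> with <name> and <type>, and filter rules under <filter><rule> whose <source> and <destination> carry <address> and <port> children; the config embedded below is constructed. It does not replace `pfctl -nf /tmp/rules.debug` on the firewall itself, which parses the generated ruleset without loading it and so does not take anything down.

```python
"""Offline lint for alias type misuse in a pfSense config.xml backup.

Added example, not pfSense's own code. Assumes the 2.x config.xml layout:
aliases under <aliases><alias> (with <name>, <type>) and filter rules under
<filter><rule> with <source>/<destination> holding <address> and <port>.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: one correct rule and two that misuse an alias.
SAMPLE_CONFIG = """\
<pfsense>
  <aliases>
    <alias><name>WebServers</name><type>host</type><address>10.0.0.10 10.0.0.11</address></alias>
    <alias><name>WebPorts</name><type>port</type><address>80 443</address></alias>
  </aliases>
  <filter>
    <rule>
      <descr>ok: host alias as address, port alias as port</descr>
      <source><any/></source>
      <destination><address>WebServers</address><port>WebPorts</port></destination>
    </rule>
    <rule>
      <descr>bad: host alias used where a port is expected</descr>
      <source><any/></source>
      <destination><address>WebServers</address><port>WebServers</port></destination>
    </rule>
    <rule>
      <descr>bad: port alias used as an address</descr>
      <source><address>WebPorts</address></source>
      <destination><any/></destination>
    </rule>
  </filter>
</pfsense>
"""

ADDRESS_TYPES = {"host", "network"}  # alias types valid in an address position
PORT_TYPES = {"port"}                # alias types valid in a port position


def load_aliases(root):
    """Map alias name -> alias type."""
    return {
        a.findtext("name"): a.findtext("type")
        for a in root.iterfind("./aliases/alias")
    }


def check_rules(config_xml):
    """Return a list of (rule description, problem) for every misuse found.

    Literal ports, CIDRs and addresses are not aliases and are left alone;
    only names that resolve to an alias of the wrong type are reported.
    """
    root = ET.fromstring(config_xml)
    aliases = load_aliases(root)
    problems = []
    for i, rule in enumerate(root.iterfind("./filter/rule")):
        descr = rule.findtext("descr") or f"rule #{i}"
        for end in ("source", "destination"):
            node = rule.find(end)
            if node is None:
                continue
            addr = node.findtext("address")   # None for <any/> or <network>
            port = node.findtext("port")      # None when no port is given
            if addr in aliases and aliases[addr] not in ADDRESS_TYPES:
                problems.append((descr, f"{end} address uses {aliases[addr]} alias {addr!r}"))
            if port in aliases and aliases[port] not in PORT_TYPES:
                problems.append((descr, f"{end} port uses {aliases[port]} alias {port!r}"))
    return problems


if __name__ == "__main__":
    for descr, why in check_rules(SAMPLE_CONFIG):
        print(f"{descr}: {why}")
```

To run it on a real backup, replace SAMPLE_CONFIG with the file contents; an empty result means no alias is used in a position its type does not allow.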


Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Chuck Mariotti
If I can add to this question... are support incidents hardware specific? 
Meaning, if I purchase some hardware with 2 incidents... can I use those on 
other devices? 

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Thompson
Sent: July-20-15 7:09 PM
To: pfSense support and discussion list@lists.pfsense.org
Subject: [pfSense] SG-4860 vs. support pricing question

I see the redundant SG-4860 bundle with shelf is now available on the pfSense 
store, and I also see that the 2440 and 4860 appear to be shipping now.  This 
is great! 


(I’m probably still waiting for the 2220, though, since it’s hard to justify 
anything else when I can’t get anything faster than DSL or Cable in this 
building.)


But I do have one issue/question/comment about the pricing of that bundle: 
there are still only 2 support incidents bundled.

It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I’d 
wind up paying almost the same amount (maybe $75 more if I had to buy a new 
shelf) but would get 4 support incidents included with my purchase.


Also, the price for a 2-incident support pack is $399, but I can buy a SG-2220 
for only $299 and get the same # of support incidents.




Have I missed something?  Is this intentional?




-- 
-Adam Thompson
 athom...@athompso.net

[pfSense] Access Point Recommendations?

2015-07-17 Thread Chuck Mariotti
We are having a number of issues with Engenius Access Points... they seem to 
have the features we need but for some reason, connectivity is not reliable 
(seems Mac related). As much time as I would like to spend debugging it, it 
would be cheaper to replace.

Does anyone have any recommendations for small office access points?

Regards,

Chuck



Re: [pfSense] Access Point Recommendations?

2015-07-17 Thread Chuck Mariotti
I guess I should mention, the internet connections are usually 150Mbit+ ... so 
would need something in the n or a/c range preferably.
Lots of devices, laptops (hooked up to Ethernet but still wifi active when 
walking around).

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Paul Galati
Sent: July-17-15 10:50 AM
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Subject: Re: [pfSense] Access Point Recommendations?

Probably get flamed for this but my experience has been positive.  Purchase a 
router that is capable of running Tomato, preferably Toastman or Shibby.  I 
still use a $15 ebay Linksys WRT54GL that is rock solid and with Tomato it 
includes built in OpenVPN software to connect to pfsense at the office.

Paul



Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-19 Thread Chuck Mariotti
That's definitely the cable modem's NAT getting confused. If you can get the 
phones to randomize their source ports on their OpenVPN traffic, that might 
resolve. I'm not sure if that's possible on those phones. In stock OpenVPN, 
specifying lport 0 in the config will make it choose a random port. I'm not 
sure if that's configurable for the Yealink phones though. We disable that 
automatically in our OpenVPN client export for Yealink because they didn't 
support it at least up until recently.

If you can change the modem to bridge mode to pass through the public IP to a 
router of some sort that will properly handle that circumstance, it'll resolve 
that. That might be hit or miss with consumer-grade routers. A completely 
default pfSense config will work fine in that circumstance, as it'll 
randomize the source ports on its own so the phones don't have to.

I'm not sure installing a pfSense box is an option at the moment... will a 
consumer grade router (Asus RT-AC68U as an example) be useful? (Unless there is 
a just as good / same price pfSense with wifi AC.)
I have one ASUS pulled from an installation... I guess another approach could 
be to use the consumer router to build the OpenVPN tunnel instead of the 
phones. Not sure if that's better or worse... will have to think that 
through... it's nice to see the phones pop up on pfSense.

Regards,

Chuck




Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-19 Thread Chuck Mariotti
You could try TCP for the OpenVPN if the phones will support it.  The vast 
majority of your traffic will be UDP so you won't get the joy of TCP in TCP 
exponential standoffs.

Cheers
Jon

The phones do support TCP (an option on a per line basis offers UDP/TCP).
Could you clarify what you mean by this exactly? A little bit confused...

It seems the OpenVPN connections are up/down... so you are suggesting to 
switch the OpenVPN connection to TCP instead of UDP?
Keep the phone UDP?

The standoffs you suggest, are they the OpenVPN or the Phone data screwing up? 
Or both?

Chuck


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-19 Thread Chuck Mariotti
Ya, I am testing that in lab now with an Asus rt-ac68u I have. Going to see 
what behavior is for disconnects, etc... Will also have to figure out how to 
remote into the phones and the rules, etc...

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Odhiambo 
Washington
Sent: February-19-15 8:04 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues




I would build the tunnel using other devices and just let the phones 
communicate. It's a lot easier that way.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.

[pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
I have 4 Yealink T46G phones, 3 on one network (problematic), 1 on a separate 
network... all phones are OpenVPNing into pfSense box at datacenter... then 
using a phone system through the OpenVPN connection.

The problematic location keeps having issues with phones not receiving calls or 
making calls... as well as call quality issues. Rebooting the phones solves the 
problems.

The OpenVPN logs contain a number of TLS Errors (TLS keys are out of sync)... 
as well as Auth/Decrypt errors (packet HMAC authentication failed). Logs are 
below. Can anyone shed some light on what might be happening here?

Regards,

Chuck


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
Think you forgot the logs. That should be enough of a summary to have a good 
idea though.

What's the firewall/router/NAT device on the network where the 3 phones 
reside? That sounds like what could happen with a NAT device that doesn't 
handle UDP well. Some consumer-grade routers and some NAT implementations 
built into DSL/cable modems can have problems handling long-lived UDP 
connections especially where multiple devices are being NATed out to a single 
destination IP and port.

And here is the log below... argh.
The devices are behind a 256Mbit cable modem... Any suggestions on how to 
resolve if that is the case? 3rd party router?

Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, IPv6=(Not enabled)
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 send_push_reply(): safe_cap=940
Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:31 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:27 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:20 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:15 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:09 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:01 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:57 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:55 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:50 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 16:35:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 16:35:42 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 
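Added example, not part of the thread: a parser for the OpenVPN server log format shown above that turns Chris's diagnosis into a check. If the NAT in front of the phones is collapsing several clients onto one public ip:port, the server will see more than one certificate CN behind the same endpoint, which is exactly what the 'CN attempted to change' lines say, and the 'keys are out of sync' / 'HMAC authentication failed' lines are the other client's packets being decrypted with the wrong session keys. The sample lines are a subset of the log posted above; nothing about the setup is assumed beyond the line format visible there.

```python
"""Detect NAT port collisions between OpenVPN clients from the server log.

Added example, not from the thread or from pfSense. The sample lines are taken
from the log posted in the thread; parsing assumes only the format visible
there: a syslog prefix, 'openvpn[pid]:', then either 'CN/ip:port message' or
'ip:port [CN] Peer Connection Initiated ...'.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:31 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, IPv6=(Not enabled)
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
"""

_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn\[\d+\]: (?P<msg>.*)$")
_CN_EP = re.compile(r"^(?P<cn>[^/\s]+)/(?P<ep>\d{1,3}(?:\.\d{1,3}){3}:\d+)\b")
_INIT = re.compile(
    r"^(?P<ep>\d{1,3}(?:\.\d{1,3}){3}:\d+) \[(?P<cn>[^\]]+)\] Peer Connection Initiated")
_CHANGE = re.compile(r"CN attempted to change from '(?P<old>[^']+)' to '(?P<new>[^']+)'")


def endpoint_claims(log_text):
    """Map each public ip:port to the set of client CNs seen behind it."""
    claims = defaultdict(set)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        hit = _CN_EP.match(msg) or _INIT.match(msg)
        if not hit:
            continue  # MULTI_sva and other lines carry no client endpoint
        ep = hit.group("ep")
        claims[ep].add(hit.group("cn"))
        chg = _CHANGE.search(msg)
        if chg:
            # A packet from this ip:port carried another client's session:
            # the NAT has remapped one phone onto another phone's port.
            claims[ep].update((chg.group("old"), chg.group("new")))
    return claims


def collisions(log_text):
    """Endpoints claimed by more than one CN, i.e. the NAT is merging clients."""
    return {ep: sorted(cns)
            for ep, cns in endpoint_claims(log_text).items() if len(cns) > 1}


def error_counts(log_text):
    """Per-CN tally of the two symptoms that accompany a collision."""
    counts = defaultdict(lambda: {"keys_out_of_sync": 0, "hmac_failed": 0})
    for line in log_text.splitlines():
        m = _LINE.match(line)
        hit = m and _CN_EP.match(m.group("msg"))
        if not hit:
            continue
        msg = m.group("msg")
        if "TLS keys are out of sync" in msg:
            counts[hit.group("cn")]["keys_out_of_sync"] += 1
        elif "packet HMAC authentication failed" in msg:
            counts[hit.group("cn")]["hmac_failed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for ep, cns in sorted(collisions(SAMPLE_LOG).items()):
        print(f"{ep} was used by {len(cns)} clients: {', '.join(cns)}")
    print(error_counts(SAMPLE_LOG))
```

On the sample, both 172.172.172.66:1086 and 172.172.172.66:1194 come back with more than one CN, which is the signature Chris describes: the cable modem's NAT is handing the same external port to different phones. A healthy site shows one CN per endpoint (the function returns an empty dict), even across many reconnects.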

Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
Thanks Chris, I've emailed Yealink support but it seems they are off until 
mid-next week (Chinese New Year).
Not sure what to do, purchase a 3rd party router to see if solves the problem 
or if I should wait to see what Yealink's answer is first.

Reading up on the modem seems like bridge mode is a little problematic... maybe 
a call to the cable provider first to see options.

Thanks Again,

Chuck


[pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-05 Thread Chuck Mariotti
Have been using pfSense for years at our datacenter, very happy with it running 
on old dedicated hardware with failover. The hardware is overdue to be retired 
and I'm wondering what people are doing/recommending for a datacenter setup. We 
want to use OpenVPN Server, IDS, dBandwidth, etc... so need to keep our options 
open for the ability to run packages... behind it we are running multiple 
servers and vCenter/ESXI servers.

What's the go-to setup for a datacenter these days?

Do we stick with two dedicated boxes?
Since we pay for power, nice to have lower power... So do we go as low as using 
embedded hardware? It used to not be recommended for packages... still the case 
I assume?
So I'm leaning towards some of the newer SuperMicro Atom boxes (quad core, or 8 
core!!??! etc...).

But then I see so many people running pfSense in VMWare and I wonder if we 
should consider this. Then I think about the hardware needs and VMWare 
Licensing (would like to avoid)... and what else can I run on the hardware 
along side without hurting pfSense from running properly, etc...

If pfSense is setup to failover, that means the hardware can be cheap. No 
RAID needed.
If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages... can 
I run it off of USB stick then or do I still need HDD/SSD?

If setting up new hardware so can run pfSense as Virtual Machines... I would 
need two VM Hosts running pfSense as VM's so would have the failover... What 
should we consider for the hardware in this case... should I go with RAID 
w/HDD/SSD on ESXI? If pfSense is setup for failover, do I really need RAID? But 
I assume I would need something reliable if I'm going to run other non-pfsense 
VMs on the same hardware... so I would need RAID w/HDD/SSD and it would need to 
be larger... what are other people running in datacenter setups along side the 
pfSense? I don't want to put it onto our existing vCenter infrastructure, 
licensing/costs and isolation needed. Do I setup one hardware as basic, no RAID 
running ESXI and pfSense, and the other more robust setup (RAID, more memory).

I'm really interested in what people are using in production 
environments/datacenters.

Regards,

Chuck

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-05 Thread Chuck Mariotti
Thanks… I am leaning that way I think… just trying to wrap my head around if it 
is worth trying to buy more RAM + more storage (HW RAID) to make them ESXI 
worthy to run VMs, or if I should just keep it basic… the ESXI is tempting 
since I can at least make the secondary server do other stuff instead of just 
waiting for a failure on primary. Trying to think of useful virtual machines 
to run that are not mission critical if a machine dies (since not RAID), don’t 
have a license to real-time replicate it on the VMWare side, but that might be 
useful for datacenter...



From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason Whitt
Sent: February-05-15 3:23 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...

I would add that for data center workloads the APUs may not be the best 
choice ... Those 8 core Atoms are plenty for multi 1gig feeds and the NICs are 
solid.


Sent from my iPhone

On Feb 5, 2015, at 12:38 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote:
Jason is correct. Those Supermicro boxes are awesome. Be careful when ordering 
though... they want ECC memory.

The APUs from Netgate are nice too; the year of bundled support has already 
saved my bacon a number of times. Well worth the cost.

On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt jason.wh...@gmail.com wrote:
I've run it as VMs using vmxnet3 as well as physical on these 
http://m.newegg.com/Product/index?itemnumber=16-101-837

Both are viable options.

Jason

Sent from my iPhone

On Feb 5, 2015, at 11:11 AM, Walter Parker walt...@gmail.com wrote:
I've used pfSense in a VM on my ESXi application server. This is mostly to 
firewall the Windows VMs from the Internet.

If you want fail-over, I'd suggest getting one of the new Netgate 
(http://store.netgate.com/NetgateAPU2.aspx or 
http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense 
(https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an SSD. 
Then you can run a full install that supports package installs with a power 
budget of ~10-15 Watts for the APU units. Then you have a choice of getting a 
second HW unit for an additional $400 to $1000, or setting up pfSense in a VM 
(not on a separate VMware server, on an existing VM server).

The higher end HW systems on those pages are 8 core Atom systems built to run 
pfSense (of course, the power requirements will be in the 100W range). With an 
SSD, these systems should last for a long time with no issues.

How much firewall horsepower do you need? What are your constraints (time, 
money, space)?

P.S. You can run packages on embedded in 2.2, you just want to be careful not 
to run packages that would trash the SD card with too many writes.


Walter

On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti cmario...@xunity.com wrote:

Re: [pfSense] HP DL160 for pfSense in a datacenter

2014-04-23 Thread Chuck Mariotti
THIS  Also has the advantage that in the event of hardware failure, you 
can move the drives to any other system and still access the data - something 
that's not always an option if you're relying on a proprietary RAID layout.

Applies to a great many system builds... if you have the option of having spare 
parts and idle servers waiting to be swapped in at a moment's notice, go nuts 
with higher level RAID...  but mirror is simply easiest to recover should the 
controller or hardware die, with your data sitting on the drives.


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Yealink OpenVPN to asterisk

2014-03-18 Thread Chuck Mariotti
Thanks Jim,

I have removed the WAN2 VLAN... this busted stuff until I uninstalled the 
previous QoS Wizard Settings... it is still posting a Notice:
[ There were error(s) loading the rules: /tmp/rules.debug:50: syntax error - 
The line in question reads [50]: altq on hfsc bandwidth 9.5Mb queue { qInternet 
} ]
 
I then switched all existing Proxy ARP items to be Alias IP.

I setup an IP Alias for IPs from our SIP Trunk Provider.

Then re-ran the Traffic Shaping Wizard (Single WAN/Multi Lan). Chose a single 
LAN... went through the wizard.
I setup 28% for SIP Traffic...

At the screen for setting priority on various protocols, I did not see any 
option for OpenVPN... only IPSec/PPTP. I pretty much set everything to low... 
left http as normal.

So I got to step 3 but did not see an OpenVPN option.

On step 4, I went into Floating rules and I did not see any OpenVPN rules.

Any ideas?

Chuck



-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Jim Pingle
Sent: March-11-14 1:57 PM
To: pfSense support and discussion
Subject: Re: [pfSense] Yealink OpenVPN to asterisk

On 3/11/2014 12:09 AM, Chuck Mariotti wrote:
> The data center has a single Internet connection but with two separate 
> subnets (ran out of IP addresses). This has been set up as WAN and WAN2.
> I set up QoS on pfSense but not sure if right. The single connection is 
> 10Mbit... but I set up WAN1 AND WAN2 as 10Mbit... which I assume is wrong. 
> How do I set that correctly?

Don't use two interfaces for that. Add the second subnet to WAN using an IP 
Alias VIP if you need to use it that way. In addition to being a simpler config 
for the same result, it also eliminates any guessing about the QoS config.

> I am also a little lost... since the voice traffic is OpenVPN, how do I make 
> certain that it is the highest priority across the board?

You need to shape both things: SIP to your upstream trunk and OpenVPN.

1. Use PRIQ for the shaper type on WAN/LAN when using the wizard.
2. Activate the VoIP screen, use your upstream SIP trunk for prioritization, or 
maybe even an alias containing the SIP trunk and your PBX.
3. Raise the priority of OpenVPN on the wizard screen to Raise/Lower Other 
Protocols.
4. Adjust the resulting floating rules for OpenVPN to match all of your OpenVPN 
server port(s)

Jim


[pfSense] Yealink OpenVPN to asterisk

2014-03-10 Thread Chuck Mariotti
I have an asterisk box at a data center that has some high traffic websites. I 
also have an asterisk box there with a few Yealink T46G phones OpenVPNed into 
the presence box at the data center. I have a few asterisk boxes but this is 
the first client connection via OpenVPN.


I think the call quality takes a major hit when the websites get heavy traffic. 
I say this because I cannot pinpoint if that is the cause.

The data center has a single Internet connection but with two separate subnets 
(ran out of Ip addresses). This has been setup as WAN and WAN2.
I set up QoS on pfSense but not sure if right. The single connection is 
10Mbit... but I set up WAN1 AND WAN2 as 10Mbit... which I assume is wrong. How 
do I set that correctly?

I am also a little lost... since the voice traffic is OpenVPN, how do I make 
certain that it is the highest priority across the board?


Chuck



Re: [pfSense] VPN group restrictions

2014-02-14 Thread Chuck Mariotti
OpenVPN allows you to push routes to the client side… not sure if those routes 
can be bypassed (in other words, if it’s just a rule sent to the client only, 
or if the firewall actually enforces that rule as well).
I’m not sure about the grouping component. But you could define each user with 
specific routes.

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of jungleboogie0
Sent: February-13-14 5:55 PM
To: list@lists.pfsense.org
Subject: [pfSense] VPN group restrictions

Hi All,

Curious to know if pfSense supports the ability to set up groups of VPN accounts 
and then set restrictions on the groups.

Example:
groups 1, 2, 3 each with 5 people in the group.

Those in group 1 can access servers a-c
those in group 2 can access servers d-g
etc

I know my explanation and terminology may barely be understandable so please 
let me know if you need further explanation.

Thanks,
jungle



-- 
inum: 883510009902611
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si


[pfSense] Easy way to Prioritize to a handful of WAN IPs?

2014-02-09 Thread Chuck Mariotti
Configuration of a single datacenter connection, with 2 x WANs defined (two 
separate public IP sets/subnets). Both equally important... just ran out of IPs.

We are experiencing an influx of traffic for a few servers that is starting to 
introduce some problems in some VOIP traffic at times... rather than purchasing 
more bandwidth (did this previously), I think it's time to actually fix 
the issue at hand.

Simply put, there are a handful of public IP addresses (not ours) at a few VOIP 
providers that I want to have the highest priority over all other traffic 
in/out of the datacenter. What is the easiest way to do this?

In a related question, we have some phones connecting to the datacenter via 
OpenVPN connections. Do we have to worry about prioritizing that traffic as 
well or is OpenVPN traffic higher priority already... this doesn't seem to be a 
problem at the moment, but may as well ask now.

Regards,

Chuck


[pfSense] Traffic tracking...

2013-06-28 Thread Chuck Mariotti
We host a number of websites at our datacenter and it has gotten to a point 
where we have a few high traffic sites that are doubling traffic every 2 to 3 
months... Part of the agreement for hosting is that the owner would handle any 
additional traffic costs beyond a point... that point has passed I am sure, but 
I am not sure on how to reliably track this traffic.

We have dedicated servers with dedicated IP addresses in most cases.

However, there are a few that share a single IP address but have multiple 
host-names... so www.xyz.com and www.abc.com are on the same IP address.

Is there a way in pfSense that would allow me to report on traffic like this on 
a monthly basis?

Regards,

Chuck Mariotti

13 Seymour Ave.
Toronto, Ontario
M4J 3T3
Office: 416-469-5008 x 222
Fax: 416-469-5009
cmario...@xunity.com
www.xunity.com



Re: [pfSense] Legit HTTP Requests, lots... IP Spoof? Any way to shut it down?

2013-03-19 Thread Chuck Mariotti
> It's effectively impossible to blind spoof TCP, so since you're completing 
> the TCP session you can be assured the traffic is really coming from where it 
> claims to be.
>
> Is it a high rate from a smallish number of IPs, or a low rate from a large 
> number? What specifically do the HTTP requests look like?
> Getting full packet captures and examining the REFERER and other parts of the 
> HTTP request may at least lead you to an explanation of why it's happening and 
> a better understanding of what's happening, at which point you can implement 
> mitigation if necessary or feasible.
> This doesn't sound like a deliberate attack, rather that someone did 
> something to whatever you're hosting to cause this to happen, which is where 
> the REFERER may lead you directly to the answer.


Thanks Chris... I am watching this happening still and we are still slack-jawed 
on a resolution... 

The referrer when we capture it from the browser user agent via webserver log 
is blank... this is what we expect usually since the URL is in a print 
publication encoded in a QR Code... What happens is that someone scans the QR 
Code, hits the page (updating the stats) and then is redirected to the final 
content elsewhere on another website. I am unable to see any referrer in 
Wireshark packets on that web server, but I am by no means an expert using 
Wireshark, it is possible I'm missing them. If correct, this implies that 
someone is either going straight to the URL manually (typing it in) or is 
scanning it in.

I agree with you that it seems like it is something that is not deliberate 
because the IPs are mostly all local, the browser agent is all iPhone with 
varying OS versions and WebKit versions... (HTTP_USER_AGENT: Mozilla/5.0 
(iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like 
Gecko) Mobile/10B146) (I have lots more info if needed, just can't post 
publicly), so either it is phone specific OR the browser agents are forged... But 
as you said, impossible(?) to fake the IP address, so unsure why they would 
bother faking agents of the same general type (other than making it harder to 
block, but if that was the purpose they should have mixed it up considerably with 
Android, etc...)

An example is that a user scans 13 unique codes within a matter of a couple 
of minutes (which is pretty aggressive... time between scans is below 40 
seconds). They seem to switch up the sessionID every ~8 attempts...
I should also point out that these are valid requests (they are not random 
generated URLs or guessing)... they are valid codes. So they are either really 
scanning paper OR they have a valid list of URLs they hit.

My feeling is that it's something wrong with handling the redirects in QR Code 
Scanning process which is somehow locking onto the URLs and hitting them over 
and over again... specifically on iPhone... I have installed a handful of 
scanners but am getting expected results... the developer disagrees that it is 
not deliberate... 

He feels it is a deliberate attack since it started several hours after the 
last website update (which was minor I am told), it is hitting valid codes only 
(with the exception of a deleted code that was used for testing only)... he 
implies that this deleted code would have NEVER been seen by the public or 
appear in print. He feels that the code was likely displayed on an 
administrator's page while creating the QR Codes (displaying a list of all 
encoded URLs) on a compromised machine... the machine then captured these 
URLs from local cache and passed those codes to a central server and it 
instructed bots to start hitting them with traffic...

Any further ideas? I don't mind paying someone to help debug the situation, but 
I think the pfSense commercial support is limited to the firewall specifically, 
not the traffic that passes through it (I assume it would be a combo of pfSense 
captures and IIS Log Analysis).

Chuck


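Both the per-host-name accounting question in the "Traffic tracking" thread above and the burst-versus-real-scan question in this thread are answered from the web server's own logs rather than at the firewall, which only sees IP addresses. The following Python analyser is an added example, not code from the list or from any poster; it runs on a constructed IIS W3C log excerpt with placeholder addresses and host names, and assumes that cs-host, cs(User-Agent) and cs(Referer) are enabled in the IIS logging settings.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed IIS W3C extended log excerpt (documentation address ranges and
# placeholder host names, nothing from the list). IIS writes spaces inside a
# field as '+', so a plain whitespace split recovers the columns.
UA_IPHONE = "Mozilla/5.0+(iPhone;+CPU+iPhone+OS+6_1_2+like+Mac+OS+X)+AppleWebKit/536.26"
UA_IPHONE_OLD = "Mozilla/5.0+(iPhone;+CPU+iPhone+OS+6_0+like+Mac+OS+X)+AppleWebKit/536.26"
UA_DESKTOP = "Mozilla/5.0+(Windows+NT+6.1)"

_HEADER = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time cs-host c-ip cs-method cs-uri-stem sc-status sc-bytes "
    "cs(User-Agent) cs(Referer)",
]
# One address hitting 13 distinct redirect codes 17 seconds apart, no referer.
_BURST = [
    f"2013-03-18 10:{i * 17 // 60:02d}:{i * 17 % 60:02d} www.xyz.com 203.0.113.5 "
    f"GET /qr/c{i:02d} 302 412 {UA_IPHONE} -"
    for i in range(13)
]
# Ordinary traffic: one scan, then hits on a second host name sharing the IP.
_NORMAL = [
    f"2013-03-18 10:15:40 www.xyz.com 198.51.100.7 GET /qr/c01 302 412 {UA_IPHONE_OLD} -",
    f"2013-03-18 10:16:02 www.abc.com 198.51.100.7 GET /index.html 200 18230 "
    f"{UA_DESKTOP} http://www.example.org/",
    f"2013-03-18 10:40:11 www.abc.com 192.0.2.9 GET /index.html 200 18230 {UA_DESKTOP} -",
]
SAMPLE_LOG = "\n".join(_HEADER + _BURST + _NORMAL) + "\n"

def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the column names in
    the most recent '#Fields:' directive (IIS may re-emit it mid-file)."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        elif fields is None:
            raise ValueError("log data precedes any #Fields: directive")
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines rather than misalign
                records.append(dict(zip(fields, values)))
    return records

def bytes_per_host(records):
    """Total sc-bytes per host name, so shared-IP traffic is billed per site."""
    totals = defaultdict(int)
    for r in records:
        totals[r["cs-host"]] += int(r["sc-bytes"])
    return dict(totals)

def burst_clients(records, window_seconds=120, threshold=8):
    """Map c-ip -> peak number of requests inside any window_seconds span,
    keeping only clients whose peak reaches threshold. Someone scanning printed
    codes leaves tens of seconds between hits; a sustained run of distinct
    codes from one address inside a couple of minutes stands out."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["c-ip"]].append(
            datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def field_breakdown(records, field, uri_prefix="/qr/"):
    """Count values of one log field (cs(Referer), cs(User-Agent), ...) for hits
    under uri_prefix. A referer of '-' means the client sent none, which is what
    a URL typed in by hand or scanned from print looks like."""
    return Counter(r[field] for r in records if r["cs-uri-stem"].startswith(uri_prefix))

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("bytes per host:", bytes_per_host(recs))
    print("burst clients:", burst_clients(recs))
    print("referers on /qr/:", dict(field_breakdown(recs, "cs(Referer)")))
    print("user agents on /qr/:", dict(field_breakdown(recs, "cs(User-Agent)")))
```

On a real log the same functions run unchanged over the file contents; only the window and threshold need tuning to what a human scanning pace looks like for the site.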


[pfSense] Legit HTTP Requests, lots... IP Spoof? Any way to shut it down?

2013-03-18 Thread Chuck Mariotti
We are seeing a lot of HTTP requests to legitimate URLs on our web server... 
the URLs are pages that do auto redirects to other content pages. The redirects 
are collecting site stats and the high number of requests are knocking the 
tracking stats way out of whack compared to the norm. Essentially someone 
is pretending to browse our content, over and over again, throwing our stats 
into a mess.

The problem is that the 'culprit' appears to be from multiple IP addresses, 
mostly in our own city proximity and using slightly different host headers... 
so they are trying hard to look like legitimate traffic... it is next to 
impossible to differentiate between what is legit and what is fake (the only 
give away is the frequency of the pages visited and that the stats have jumped 
significantly). The IP addresses keep changing as well.

My knowledge of current spoofing techniques is limited, but I am under the 
impression that it's pretty hard to spoof an IP address for an HTTP request. We 
are definitely serving up the pages and redirecting, so they are getting 
responses which implies that they are real computers doing this work.

At first look I see no way to stop this type of situation (still trying to 
figure out this).

Does anyone have any advice on how to handle something of this nature either on 
the webserver side or pfSense side? All suggestions are welcome.

Chuck


Re: [pfSense] openVPN Bug?

2012-09-11 Thread Chuck Mariotti
> If you use the same certificate on two clients, it will do that.
> Or if you connect two clients to a shared key instance, it will do that.
>
> In the first case, you can check "Duplicate Connections" to allow multiple 
> people to connect from the same certificate, but that is highly discouraged.
>
> Use SSL/TLS and give each client their own certificate and you'll be much 
> better off.

Are there any complete walk-through tutorials on how to properly set this up? I 
have an office of about 50 sales staff that eventually want to get VPN 
operational... I was looking at OpenVPN... the OpenVPN Windows client seems to 
need to run as administrator which isn't an option in our case (maybe I'm 
missing something). I'm looking for the path of least resistance and best way 
to set this up.


Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12" depth

2012-05-03 Thread Chuck Mariotti
I have used one of these (Supermicro SYS-5015A-EHF-D525), the only issue I have 
run into with the one I have, is that IP KVM for some reason isn't working as 
expected.

Specifically... if I VPN into the firewall (PPTP), I can't seem to be able to 
access the IP-KVM.
If I remote into a machine behind the firewall... then try to access the IP-KVM 
from that machine... it works fine.

I posted this issue to the group but I've never been able to solve it. Possibly 
something dumb I am doing but I haven't figured out what is wrong.

Chuck

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Daniel Lloyd
Sent: May-02-12 7:37 PM
To: pfSense support and discussion
Subject: Re: [pfSense] pfsense hardware for a proxy, 1U w/ 12" depth

I have 2x 
http://www.supermicro.com/products/system/1U/5015/SYS-5015A-EHF-D525.cfm.
Should fit your depth limitation, I have yet to hit performance problems with 
it and know that others on the list use this system as well.

On Wed, May 2, 2012 at 4:08 PM, Ugo Bellavance u...@lubik.ca wrote:
> Hi,
>
> I'm looking for hardware to replace an ASA unit that only allows 5 
> concurrent VPN connections for road warriors with a pfSense unit. 
> However, I need to have a proxy on the server to have reports or logs 
> on who does what on the internet, so I need a hard drive. Also, the 
> physical space that I have for this unit is 1U and about 12" of depth.
>
> I thought about Soekris units, but does anyone else have another idea? The 
> other needs are quite simple, not that many internal users, no other VPN 
> tunnels.
>
> Thanks,
>
> Ugo



[pfSense] Any suggestions on how filter in pfSense for SQL Injections?

2011-12-06 Thread Chuck Mariotti
I have some clients that have been hit twice with the recent SQL injections that 
seem to be ramping up.
See:
http://www.scmagazineus.com/new-mass-sql-injection-attack-could-be-forming/article/218069/
http://news.hitb.org/content/new-mass-sql-injection-attack-could-be-forming


At our datacenter we managed to not get hit. However, I guess I would like to ask 
for suggestions on how to stop this type of attack at the pfSense firewall and 
what/how to implement something that would allow us to manage such attacks.


Regards,

Chuck M




Re: [pfSense] Any suggestions on how filter in pfSense for SQL Injections?

2011-12-06 Thread Chuck Mariotti
Thanks Seth,

Yep, validation is the key in this case. Knock on wood, we should be good. We 
are also using filtering using URLScan on the web servers to stop this attack, 
but it would be nice to be able to quickly blanket the network if that's an 
option should something similar (copy cats) arise in the future.

Regards,

Chuck


From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Seth Mos
Sent: December-07-11 1:42 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Any suggestions on how filter in pfSense for SQL 
Injections?

Hi,

On 7 Dec 2011, at 00:26, Chuck Mariotti wrote:


> At our datacenter we managed to not get hit. However, I guess I would like to ask 
> for suggestions on how to stop this type of attack at the pfSense firewall and 
> what/how to implement something that would allow us to manage such attacks.

There is no magic button that filters out SQL injection attacks; without it, 
tools like phpMyAdmin would also instantly fail to work. These send SQL queries 
via the web too, in plain text, since they're supposed to do that.

This is an application issue where people forgot or just never considered input 
validation.

The Snort approach is not guaranteed to prevent this since people can be very 
crafty. It's hard to get right. Just make sure that your web apps are kept up to 
date. Ask your vendors about SQL injection attacks, demand this in writing 
facing penalties, install the next update they release shortly afterwards.

And if you have a datacenter you would better have a really good box to make 
sure that none of your HTTP traffic takes a hit from being processed through 
snort.

Some other IDSes note the event, then block. Which can still leave you with a 
broken database if they succeed on the 1st shot. It also just blocks an IP, 
which is easily circumventable.

One can wish for the world.

Regards,
Seth



[pfSense] Q: pfSense 2.0 SMTP problems / relay and how to report utilization per desktop

2011-11-14 Thread Chuck Mariotti
After converting a network of computers to use a fairly popular 3rd party email 
service (not my decision unfortunately), users are experiencing very odd issues 
with email (POP and SMTP based). The 3rd party says we should try different 
ports, increase timeouts, etc...  and they sometimes take days to admit they 
themselves have an issue (after we have jumped through their hoops).

One of the issues is email taking a while to be sent out of the network to the 
3rd party SMTP servers... in many cases, items sit in Outlook... with 
recipients complaining that they received multiple copies of the same email.

Anyone have any advice on how to solve this problem?

My thoughts are:

1. Is there an SMTP server that can run on pfSense 2.0? I would like to 
be able to monitor the queue, etc... My hope is that the client computers 
would stop failing/timing out/multiple deliveries and that pfSense would just 
act as the active sender SMTP server. But I need to be able to manage it 
easily. Does anything exist?

2. How can I monitor in real-time and after the fact on specific 
dates/times which of the end user desktop computers is utilizing the most 
traffic? Basically, I want to see if someone is downloading a large file, 
sending a huge attachment or who is streaming music, etc...

I do not have traffic shaping enabled... the reasoning is that the connection 
has bursting and it seems unpredictable on the burst speeds so I would prefer 
not to limit the connection just to throttle it (unless of course, I'm not thinking 
this through correctly).

Any advice or suggestions?


Regards,

Chuck



Re: [pfSense] OpenVPN road warrior how to for 2.0

2011-10-04 Thread Chuck Mariotti
It's not a how-to but a quick video... of setting up. Not sure if it's the 
right way to do it but it worked for me.
http://www.youtube.com/watch?v=odjviG-KDq8

Now if only I could find out how to setup OpenVPN via pfSense to work with Snom 
phones.

Chuck

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Nenhum_de_Nos
Sent: October-04-11 12:15 AM
To: list@lists.pfsense.org
Subject: [pfSense] OpenVPN road warrior how to for 2.0

hail,

is there any ?

I looked for it, but nothing :(

for 1.2.3 it works great, but I always get cert problem in 2.0 :(

if anyone knows any ;)

matheus

-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style