Re: [pfSense] CARP random Failover

2017-02-04 Thread Justin Edmands
Sometimes your modem will need a reboot to clear the ARP cache (or something 
similar). This was my experience, at least, with the Netgear DCR 3000 modem. The 
interfaces come online one at a time during setup of CARP, and I believe this is 
when it got stuck. A reboot cleared it up.

--

Justin Edmands

> On Feb 4, 2017, at 5:02 PM, Daniel  wrote:
> 
> Nope,
> 
> Both servers are dedicated hardware firewalls. I think it can be a network 
> problem or a switch problem.
> I will plan a new network setup and will prepare some NIC bondings.
> 
> 
>> On 04.02.2017 at 22:32, Matt wrote:
>> 
>> Are they virtual machines? If so, is MAC spoofing enabled?
>> 
>> 2017-02-04 20:23 GMT+01:00 Daniel :
>>> Hi There,
>>> 
>>> anyone can help me to debug my CARP problem?
>>> My Problem is that my CARP interfaces randomly toggle from Master to Backup 
>>> and serval seconds later it toggles back to Master.
>>> Sometimes its so faulty that the IP is after some switches not reachable 
>>> anymore.
>>> 
>>> Maybe there is a command how i can proof the connections or something like 
>>> that.
>>> 
>>> Cheers
>>> 
>>> Daniel
>>> ___
>>> pfSense mailing list
>>> https://lists.pfsense.org/mailman/listinfo/list
>>> Support the project with Gold! https://pfsense.org/gold
> 
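A check that goes with the CARP flapping discussed in this thread, added here as an example (it is not code from the thread or from pfSense): it parses CARP state-change messages out of syslog and flags any VHID that changes state several times inside a short window, so a "random" failover can be tied to a time, an interface and the reason the kernel gave. The log lines below are constructed in the shape of FreeBSD carp(4) state-change messages ("carp: VHID <n>@<if>: <OLD> -> <NEW> (<reason>)"); the host name, VHIDs, interfaces and times are made up.

```python
"""Spot CARP flapping from syslog state-change lines.

Added example, not code from the thread or from pfSense. SAMPLE_LOG is
constructed in the shape of FreeBSD carp(4) state-change messages
("carp: VHID <n>@<if>: <OLD> -> <NEW> (<reason>)"); host names, VHIDs,
interfaces and times are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Feb  4 19:51:02 fw1 kernel: carp: VHID 1@em0: BACKUP -> MASTER (master timed out)
Feb  4 19:51:03 fw1 kernel: carp: VHID 1@em0: MASTER -> BACKUP (more frequent advertisement received)
Feb  4 19:51:09 fw1 kernel: carp: VHID 1@em0: BACKUP -> MASTER (master timed out)
Feb  4 19:51:10 fw1 kernel: carp: VHID 1@em0: MASTER -> BACKUP (more frequent advertisement received)
Feb  4 19:51:15 fw1 kernel: carp: VHID 2@em1: BACKUP -> MASTER (master timed out)
Feb  4 20:30:40 fw1 kernel: carp: VHID 2@em1: MASTER -> BACKUP (more frequent advertisement received)
Feb  4 20:30:41 fw1 kernel: not a carp line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"carp: VHID (?P<vhid>\d+)@(?P<ifname>\S+): "
    r"(?P<old>[A-Z]+) -> (?P<new>[A-Z]+)(?: \((?P<reason>[^)]*)\))?$"
)


def parse_transitions(text, year=2017):
    """Return (timestamp, host, vhid, ifname, old, new, reason) tuples.
    Syslog lines carry no year, so one is supplied by the caller."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["host"], int(m["vhid"]), m["ifname"],
                    m["old"], m["new"], m["reason"] or ""))
    return out


def find_flaps(transitions, window_s=30, min_changes=3):
    """Per (host, vhid, ifname), report any run of at least min_changes state
    changes whose first and last lie within window_s seconds. A clean failover
    is one or two transitions; four inside ten seconds is a flap."""
    by_key = defaultdict(list)
    for ts, host, vhid, ifname, old, new, reason in transitions:
        by_key[(host, vhid, ifname)].append((ts, old, new, reason))
    flaps = {}
    for key, events in by_key.items():
        events.sort(key=lambda e: e[0])
        for i in range(len(events)):
            j = i
            while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_changes:
                flaps[key] = {
                    "changes": j - i + 1,
                    "first": events[i][0],
                    "last": events[j][0],
                    "reasons": sorted({e[3] for e in events[i:j + 1] if e[3]}),
                }
                break
    return flaps


if __name__ == "__main__":
    flaps = find_flaps(parse_transitions(SAMPLE_LOG))
    for (host, vhid, ifname), info in sorted(flaps.items()):
        print(f"{host}: VHID {vhid}@{ifname} changed state {info['changes']} times "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}; "
              f"reasons: {', '.join(info['reasons'])}")
```

Feed it the system log from both nodes (Status > System Logs > System in the GUI, or the circular log dumped with `clog /var/log/system.log` on a 2.x shell) and compare the two sides: a master that keeps seeing "more frequent advertisement received" while its peer keeps timing it out points at advertisements being lost or delayed on the segment rather than at either box.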


[pfSense] RADIUS + LDAP + 2 wifi networks but need 2 LDAP DN's

2015-12-16 Thread Justin Edmands
Hey,
We currently have FreeRADIUS running on our pfsense box. Works great. Binds
to our LDAP server to perform authentication and authorization.

I am adding an additional wifi network to bring the count to 2.

In my FreeRADIUS LDAP config I have my base DN set to the proper section of
employees that will access the first network, with specific sets of rules.

I would like the new wifi network to look at a different DN in my RADIUS to
LDAP lookup scenario. This will allow people with the extra "IT" group in
LDAP to connect to the higher privileges wifi network.

Any ideas? I can only think of running two FreeRADIUS servers (somehow).


Re: [pfSense] client VPN on IOS

2015-09-17 Thread Justin Edmands
Also, aside from not requiring a Jailbreak anymore, it now shows your
OpenVPN profiles/connections in the iOS Settings menu.

If you are still jailbroken, like me, you can map awesome button combos or
gestures to hop on VPN super fast. I set Triple home screen click to fire
up OpenVPN and I'm on that network instantly.

On Thu, Sep 17, 2015 at 3:07 PM, Vick Khera  wrote:

> On Tue, Sep 15, 2015 at 9:18 AM, Ray Bagby  wrote:
>
> > Anyone have any luck connecting iphone via VPN?
> >
>
> Yes, with the built-in Cisco VPN client. Works great unless you have
> pfSense 2.2.3 (older and newer work ok)
>


[pfSense] bacula downgrade on pfsense 2.2.2

2015-08-12 Thread Justin Edmands
I have upgraded my pfsense firewalls to 2.2.2. Bacula-fd needs to be 5.2
and below. I only see bacula 7 in the package manager. Any way to fix this?


[pfSense] CARP slave slow management page -- pages fail to load

2015-08-10 Thread Justin Edmands
Hey pfSensers,
I have been running into an issue with our CARP setup. Right after I
brought up the slave member, the slave is having issues properly loading
HTTP pages to manage the firewall. Randomly pages will take a very long
time -or- they will ultimately fail to load. After I just hit reload on the
page...it works. The issue is very bad when trying to install a package.
the page will let me hit install and then it might fail to connect to the
page shortly after. This leaves me with a bad package install, etc.

both boxes are pfsense 2.2.2.
CARP failover works just fine.
No packet loss/errors appear to be occurring in the interface statistics.


any ideas?


Re: [pfSense] CARP development testing within our network -- broadcast storm?

2015-07-27 Thread Justin Edmands
Hey Steve,
Sorry for the confusion. There are no computers residing in the development
network yet. It's really just to test the CARP and see the CARP status page
show up and running. Adding a laptop or two after the fact to test pulling
the plug on one pfsense. The 10.10.10.XXX computers could have been left
out. I was attempting to show that computers are on the same plane as the
"WAN" IPs I set for the development pfsenses.

These computers in the 10.10.10.XXX lose all access to the internet when I
plug in the 10.10.10.112 and 10.10.10.113 pfsense boxes.

On Mon, Jul 27, 2015 at 5:48 PM, Steve Yates  wrote:

> I'm not sure I follow...the 192.168.50.x subnet would use 192.168.50.1 as
> its gateway and 10.10.10.111 would be the NATted WAN IP.  I don't see how
> that's a problem for other PCs in 10.10.10.x?  Unless 10.10.10.111-113 are
> in use on it?
>
> This reads like you added the computer and server to the WAN side of
> pfSense, so they would not be using pfSense at all.
>
> You can't connect the networks through pfSense and around it at the same
> time...
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
>
> Justin Edmands wrote on Mon, Jul 27 2015 at 3:53 pm:
>
> > I have setup a dual gateway setup I have created to test a future project
> > of adding another gateway to our production setup. I added two computers
> > next to me connected to a switch and the "WAN" IPs are IPs from our
> regular
> > subnet. The LAN is a subnet that we don't use normally.
> >
> > my computer - 10.10.10.58
> > random server - 10.10.10.43
> >
> > devpfsense WAN CARP IP - 10.10.10.111
> > devpfsense1 WAN - 10.10.10.112
> > devpfsense2 WAN - 10.10.10.113
> >
> > devpfsense LAN CARP IP - 192.168.50.1
> > devpfsense1 LAN - 192.168.50.10
> > devpfsense2 LAN - 192.168.50.11
> >
> >
> > I connect all of this up. CARP works just fine. I edit a few things and
> > everything syncs over to the secondary gateway. The problem is that the
> > "WAN" IPs being set are wreaking havoc on my regular network where the
> > 10.10.10.XXX IPs reside.
> >
> > It is as if I am creating some form of a loop or broadcast storm.
> >
> > Am I supposed to enable something like HSRP or VRRP to tell my regular
> > network that these two "WAN" IPs work together and form 10.10.10.111?
>


[pfSense] CARP development testing within our network -- broadcast storm?

2015-07-27 Thread Justin Edmands
I have setup a dual gateway setup I have created to test a future project
of adding another gateway to our production setup. I added two computers
next to me connected to a switch and the "WAN" IPs are IPs from our regular
subnet. The LAN is a subnet that we don't use normally.

my computer - 10.10.10.58
random server - 10.10.10.43

devpfsense WAN CARP IP - 10.10.10.111
devpfsense1 WAN - 10.10.10.112
devpfsense2 WAN - 10.10.10.113

devpfsense LAN CARP IP - 192.168.50.1
devpfsense1 LAN - 192.168.50.10
devpfsense2 LAN - 192.168.50.11


I connect all of this up. CARP works just fine. I edit a few things and
everything syncs over to the secondary gateway. The problem is that the
"WAN" IPs being set are wreaking havoc on my regular network where the
10.10.10.XXX IPs reside.

It is as if I am creating some form of a loop or broadcast storm.

Am I supposed to enable something like HSRP or VRRP to tell my regular
network that these two "WAN" IPs work together and form 10.10.10.111?

If so, where in my regular networks pfsense would I configure this?
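The two "CARP development testing" messages above put a second CARP pair on the same 10.10.10.x segment as the production network. CARP advertisements are multicast to 224.0.0.18 and a VHID only has meaning per segment, so one check worth running on that segment is to see which hosts are advertising which VHIDs, and whether any VHID has more than one master. The script below is an added example, not code from the thread or from pfSense: it parses lines in the shape tcpdump prints for CARP when told to decode it as such (`tcpdump -ni em0 -T carp proto 112`; confirm the exact text against your tcpdump version before trusting the regex) and reports VHIDs advertised by two different hosts within a few seconds of each other. The capture lines are constructed; 10.10.10.2 standing in for a production firewall and the VHID numbers are assumptions, since the thread does not say what the production gateway uses.

```python
"""Who is advertising which CARP VHID on a shared segment?

Added example, not code from the thread or from pfSense. SAMPLE_CAPTURE is
constructed in the shape of `tcpdump -ni <if> -T carp proto 112` output;
the addresses (10.10.10.2 as a hypothetical production firewall) and the
VHID numbers are made up.
"""
import re
from collections import defaultdict, namedtuple

SAMPLE_CAPTURE = """\
19:51:02.000100 IP 10.10.10.112 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
19:51:02.350200 IP 10.10.10.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=9
19:51:03.000300 IP 10.10.10.112 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=2
19:51:03.350400 IP 10.10.10.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=10
19:51:03.500000 IP 10.10.10.113 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=5
"""

Advert = namedtuple("Advert", "t src vhid advbase advskew")

ADV_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"CARPv\d-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


def parse_adverts(text):
    """Turn capture lines into Advert records; timestamps become seconds-of-day."""
    out = []
    for line in text.splitlines():
        m = ADV_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        out.append(Advert(t, m["src"], int(m["vhid"]), int(m["advbase"]), int(m["advskew"])))
    return out


def advertisers(adverts):
    """vhid -> set of source addresses that sent advertisements for it."""
    seen = defaultdict(set)
    for a in adverts:
        seen[a.vhid].add(a.src)
    return dict(seen)


def collisions(adverts, window_s=3.0):
    """vhid -> sorted sources, for VHIDs where two different hosts advertised
    within window_s of each other. Only the master of a VHID advertises, so
    interleaved advertisements from two hosts mean two masters: either two
    separate CARP pairs share the VHID on this segment, or one pair has split."""
    by_vhid = defaultdict(list)
    for a in adverts:
        by_vhid[a.vhid].append(a)
    found = {}
    for vhid, advs in by_vhid.items():
        advs.sort(key=lambda a: a.t)
        for prev, cur in zip(advs, advs[1:]):
            if prev.src != cur.src and cur.t - prev.t <= window_s:
                found.setdefault(vhid, set()).update((prev.src, cur.src))
    return {v: sorted(s) for v, s in found.items()}


if __name__ == "__main__":
    adverts = parse_adverts(SAMPLE_CAPTURE)
    for vhid, srcs in sorted(advertisers(adverts).items()):
        print(f"vhid {vhid}: advertised by {', '.join(sorted(srcs))}")
    for vhid, srcs in collisions(adverts).items():
        print(f"COLLISION: vhid {vhid} has {len(srcs)} masters: {', '.join(srcs)}")
```

If the report shows a dev VHID also being advertised by a production host, give the dev pair VHIDs that are unused on that segment; if a VHID is advertised by nobody but the dev boxes yet both of them appear as masters, the two dev boxes cannot see each other's advertisements, which is a switch or filtering problem rather than a CARP setting.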


Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-23 Thread Justin Edmands
I am having issues as well. 2.0.0 <--> 2.0.3 works fine. Upgraded to 2.2.1
and the connection always fails within 24 hours.

Please let me know how the 2.2.1 x 5 setup works.

On Mon, Mar 23, 2015 at 1:40 PM, Jeremy Bennett  wrote:

> Yes. I have 5 sites (of various 2.0+ pfsense) connected via IPSec.
> Historically, this setup was the definition of stable. Since adding a 2.2
> box it has been flaky as all get out.
>
> I'm in the process of upgrading each location to 2.2.1. Hoping that will
> be the easy fix, if not, will have to start chasing it.
>
>
> On Monday, March 23, 2015, mayak  wrote:
>
>>
>> On 03/23/2015 03:03 PM, mayak wrote:
>>
>>> On 03/22/2015 12:38 AM, Bryan D. wrote:
>>>
>>>> We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2
>>>> offices since 2008 (pfSense 1.2 IIRC) and it's:
>>>> - been ultra reliable (if VPN is down, suspect ISP issue or pfSense box
>>>> failure)
>>>> - it's been quick to connect (about 1 second, almost unnoticeable)
>>>> - it's worked across numerous upgrades without issue (nice!)
>>>>
>>>> Beginning with pfSense v2, we added multiple P2s at each end (still
>>>> same reliability, etc.).
>>>>
>>>> One of the offices has had its hardware updated and its pfSense updated
>>>> to 2.2 then 2.2.1 (after testing to see whether we seemed to be affected by
>>>> the "multiple P2 issue" noted in the upgrade page -- we're OK on that
>>>> one).  This connection has continued to work with the same characteristics
>>>> as before.  The 2.2.1 system is 64-bit and the other end is v2.1.5 32-bit
>>>>
>>>> We recently added a second site-to-site IPsec VPN, essentially the same
>>>> as the existing one except both sides are pfSense v2.2.1 (but other end is
>>>> 32-bit) and stronger algorithms are being used and P1 is set to v2
>>>> (supposedly avoiding any "multiple P2" issues).
>>>>
>>> 
>>>
>>> i have to say that i am also experiencing this. i'm in the process of
>>> installing smokeping to prove connectivity is good between the public ip
>>> endpoints between various vpns.
>>>
>>> will report back with those results.
>>>
>>> thanks
>>>
>>> m
>> it is happening -- three times since last post ... anyone else noticing
>> vpn outages?
>>
>> thanks
>>
>> m
>>
>>
>
>

[pfSense] IPSEC from pf2.0 <--> pf2.2.1 not working consistently

2015-03-20 Thread Justin Edmands
pfSensers,
I am having an issue with 2 pfsense boxes that connect with IPSEC. One box
is 2.0.0 and the other is 2.2.1. The tunnels appear to connect without
warning, yet fail within 24 hours. I don't let them hang long enough to see
any errors. Anyone know of incompatibilities between the two? Both of these
also connect to a Juniper firewall to complete an IPsec triangle. That link
from Juniper <--> 2.0.0 and Juniper <--> 2.2.1 operates perfectly fine. I
am thinking of upgrading the pf2.0.0 because I love the new filtering for
logs (among other things) in 2.2.1.

Thanks in advance for any insight you may have!

Re: [pfSense] pfsense fw blocking internal requests

2014-07-22 Thread Justin Edmands
It's most likely the protocol specified in the "allow" rule you have
set. Open the rule that you believe should allow the traffic and
change its protocol from TCP, UDP or TCP/UDP to, say, any.

On Tue, Jul 22, 2014 at 5:30 PM, Khurram Khan  wrote:
> Hi Team,
>
> Trying to figure out an issue I'm facing with pfsense 2.1.4. I'm routing 
> 192.168.0.0/24 via pfsense. This block resides on a linux machine. Within the 
> internal LAB, if I ping 192.168.0.5, all the machines on the LAN can ping 
> successfully. However, if I ping from the linux machine, sourcing from 
> 192.168.0.5, to the pfsense LAN IP, my pings fail. I've got a firewall rule 
> on the pfsense firewall allowing anything from 192.168.0.0/24 to anything.
>
> here's what the topology looks like:
>
>
> internet <> rl1 <> pfsense <> rl0 <> LAN
>
> LAN subnet (rl0) : 10.10.171.0/24
>
> here are the routes on the pfsense appliance:
>
> [2.1.4-RELEASE][ad...@pfw01.b.lan]/root(1): netstat -rn | grep 192.168.
> 192.168.0.0/24 10.10.171.80   UGS 0  161rl0
>
> and here's the rl0 interface:
>
> [2.1.4-RELEASE][ad...@pfw01.b.lan]/root(4): ifconfig rl0 | grep inet | grep 
> -v inet6
> inet 10.10.171.1 netmask 0xff00 broadcast 10.10.171.255
>
>
>
> the LAN subnet is : 10.10.171.0/24
> the server that 192.168.0.0/24 resides on is : 10.10.171.80
>
>
> when trying to initiate the ping from 10.10.171.80, sourcing 192.168.0.5 and 
> destined for 10.10.171.1 (rl0), pings fail and here is what i see in the logs:
>
>
> Jul 22 15:27:53 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:00.60 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22636, offset 0, flags 
> [DF], proto ICMP (1), length 84)
> Jul 22 15:27:54 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:00.84 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22638, offset 0, flags 
> [DF], proto ICMP (1), length 84)
> Jul 22 15:27:54 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:00.84 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22638, offset 0, flags 
> [DF], proto ICMP (1), length 84)
> Jul 22 15:27:54 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:00.84 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22638, offset 0, flags 
> [DF], proto ICMP (1), length 84)
> Jul 22 15:27:55 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:01.45 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22640, offset 0, flags 
> [DF], proto ICMP (1), length 84)
> Jul 22 15:27:55 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:01.45 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22640, offset 0, flags 
> [DF], proto ICMP (1), length 84)
> Jul 22 15:27:55 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:01.45 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22640, offset 0, flags 
> [DF], proto ICMP (1), length 84)
> Jul 22 15:27:56 pfw01.rl0.171.10.10.in-addr.arpa pf: 00:00:01.02 rule 
> 3/0(match): block in on rl0: (tos 0x0, ttl 64, id 22642, offset 0, flags 
> [DF], proto ICMP (1), length 84)
>
>
> Given that the firewall rule is there on the LAN interface, permitting 
> anything from 192.168/24, plus not blocking any bogons or private addresses 
> on this interface, I'm scratching my head.
> if someone has any ideas, would really appreciate it.
>
>
>
>
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] VLAN Issue - pfSense/VMware/Cisco

2014-07-13 Thread Justin Edmands
Here is some interesting info about esxi NICs when used with Cisco, or
other, VLAN:

"Only allowing through VLAN traffic on physical switch ports
connecting to ESX reduces TCP/IP overhead. Native VLANs do not tag the
out going VLAN packets toward ESX NICs and if the same VLAN ID is used
to configure the vSwitch port group, the vSwitch drops any packet that
is not tagged for it, causing the connection to fail. Unnecessary VLAN
traffic on a TRUNK port that connects to ESX can cause major
performance issues.

Note: Do not use the Native VLAN ID of a physical switch as a VLAN on
ESX/ESXi portgroups."

Also the link shows the proper Cisco trunk config

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628

On Sun, Jul 13, 2014 at 10:07 PM, Alex Needham  wrote:
> Hi
>
> If the port group is already in VLAN 10 then you don't need to create a VLAN
> in pfsense, as the vSwitch is already untagging it.
>
> Just add the interface and assign an IP, or set the vSwitch to be VLAN 4095
> and it will send tagged traffic through. Which is what I do, so that you can
> make changes to pfSense without rebooting to detect a new interface that has
> been added through ESX.
>
> Also throw an IP on the Cisco switch in VLAN 10; that will help you trouble
> shoot the problem.
>
> Hope that helps
>
> Cheers
>
> Alex
>
> On 13 July 2014 18:03, Jonatas Baldin  wrote:
>>
>> Hi guys, how are you doing?
>>
>> I'm doing a home lab for VLAN studying and it's going bad. I don't know
>> where the problem is.
>>
>> Here's my setup:
>>
>> VMware ESXi 5.5
>> pfSense 2.3.4 (VM)
>> Cisco SF300
>>
>> - The ESXi has a vSwitch attached to a port group in a physical interface
>> with VLAN 10.
>> - The pfSense has this port group attached and recognizes it as em2.
>> - In the pfSense I created a VLAN interface bound to em2 with the ID 10.
>> - The FW rules allow everything on this interface, and a DHCP server
>> is configured on the VLAN interface.
>> - Physically, this em2 interface is connected to the SF300 on a TRUNK port
>> (port 10), with VLAN 10 allowed.
>> - And port 11 is configured as an access port with VLAN 10, where I
>> connected a laptop expecting to receive a DHCP address and get an ICMP
>> response, which I didn't, even after configuring a static IP.
>>
>> Does anyone have a clue where the problem is?
>>
>> Thx!
>> 
>> Jonatas Baldin de Oliveira
>> Profissional de TI
>> Skype: jonatas.baldin
>>
>>
>
>
>


Re: [pfSense] Install on one machine, deploy on another

2014-06-09 Thread Justin Edmands
Most problems will surround the network cards and identification.
You'll most likely have to set that all up again. Maybe delete all
interfaces right before powering down the new test disk. Reassign them
when it comes back up. Otherwise, in my use of pfsense 2.0, your
interfaces get all wonky and you'll be saying ...justdie! they
seem to not go away. I did the whole delete and reassign thing I am
mentioning and it all worked. Used all the exact names and all of the
rules stayed put and the interface groups all maintained a proper
config.

On Mon, Jun 9, 2014 at 6:19 PM, compdoc  wrote:
>> Will I have any problems if I install a new version of pfsense on one
>>machine and then move the hard drive to another machine?
>
> You probably will have some problem. Let us know how it goes...
>


Re: [pfSense] LoadBalancing traffic FROM the pfSense

2014-04-14 Thread Justin Edmands
On Mon, Apr 14, 2014 at 12:47 PM, Lucas Mocellin wrote:

> Hello,
>
> I googled and tried to search in this list but didn't find anything very
> useful.
>
> my loadbalance/fail over is working out amazingly, the only thing is that
> the traffic FROM the pfSense by itself is not passing through this rules.
>
> I tried to force in the WAN interface to get this traffic from WAN address
> and put it to the gateway group but it didn't work out.
>
> does someone has a generic answer for this? I checked individual answer
> for any of the specific services. in my case I wanna OpenVPN client to use
> the loadbalance, with one preferred link.
>
> thanks in advance,
>
> Lucas.
>
>
I think you may need a NAT rule (someone please correct me if this is
incorrect).

An example NAT rule would be to set your source to be your OpenVPN
interface. Set the destination to be your loadbalancer virtual server. You
may need to clone the existing virtual server that uses the WAN IP, but I
find that "cloning" doesn't work. Just open a new one and manually copy
over the new settings. Set the destination as the internal loadbalanced
IP(may or may not need a Virtual IP setup for this)

Let me know how this goes. I will most likely be doing this kind of thing
in the future.

[pfSense] Gateway Group / Failover WAN setup question

2014-03-11 Thread Justin Edmands
pfSense List,
We currently run a gateway with a single WAN connection. We are adding
another WAN connection in the near future. The WAN will be for Failover and
not Loadbalancing.

After reading the pfsense docs and watching a few youtube videos; I'll add
a gateway group and create the proper Tiers to assign the Failover1 and
Failover2 groups. I'll create external DNS entries and have each WAN aware
of that respective DNS in the General Setup.

The main questions:
The current rules all read * for the Gateway. Do all of my current LAN,
OpenVPN, and IPSec rules need to be altered to include the Gateway as the
new Failover1 rule?

Do I need to clone each and every rule to have:
rule 1 of 2 say WAN_FailoverGroup1
 -and-
rule 2 of 2 say WAN_FailoverGroup2

?


[pfSense] Added second WAN. NAT/VIP to primary WAN no longer working

2014-02-18 Thread Justin Edmands
Hey Everyone,
Our ISP has been having issues every once in a while. In order to keep
things running we had a secondary comcast line installed.

Until I have downtime to setup gateway groups, I wanted to get the WAN
failover working for our website. Essentially I want to be able to hit the
Primary WAN VIP(ISP1) for the webserver, if this fails, external DNS has an
autofailover rule to hit the secondary WAN VIP(ISP2)

Pretty simple and works well right away. request from WAN1 hits the
firewall and gets properly NATed to the appropriate webserver (which
actually is an IfAlias VIP for internal Load Balancer). The rules exist on
the WAN tab to allow traffic to the webserver. All works well.
I disable the rule for HTTP to the webserver...access is gone...external
DNS picks up on it and routes to the Second ISP VIP (which is NATed to the
same internal IP as the first)

OK so all of that works.

Now, the weird part. Nothing else in the Public IP range works anymore. We
have (example IP)
Colo Facility/ISP1 - 50.112.11.16/28
Comcast/ISP2 - 77.124.19.32/28

So, many virtual IPs within the subnet. only one of those VIPs, the main
one mentioned earlier, continues to work. All other VIPs don't even see
traffic hitting the gateway. I ran a packet trace and filtered for traffic.
Nothing at all showed up.


Any bugs or services to restart?

Ways to find bad routes in the external world? Unlikely, but I think it can
happen ha.


Re: [pfSense] 1:1 NAT not working, but the equivalent port forward everything coming into a VIP to the internal unit is ...

2013-12-11 Thread Justin Edmands
On Wed, Dec 11, 2013 at 2:32 PM, Joe Landman <
land...@scalableinformatics.com> wrote:

> Hi folks:
>
>   Trying to figure this one out.  Very simple concept, I want to take one
> virtual IP (VIP), and tie it to an internal (isolated) machine for
> customer/partner use.   I've done this before using other firewall
> appliances, and it works pretty well for its use case.  I just tried to do
> the same thing here.
>
>
> External IP: a.b.c.d
> Internal IP:  e.f.g.h
> Internal Machine:  i.j.k.l
>
> I started at Firewall->NAT->1:1
>
> Added the rule:
>
> External subnet IP:a.b.c.d
> Internal IP: e.f.g.h
> Destination:   i.j.k.l
>
> Made sure I had a VIP setup with a.b.c.d.  I've got ping set up for
> testing, and it worked nicely.
>
> Next I tried sshing to that box
>
> ssh -vvv user@a.b.c.d
>
> Nothing.  No negotiation, which usually means it can't reach it.  So I
> logged into the pfsense box, and did a
>
> tcpdump -i em5  # the private NIC going to the isolated machine
>
> at the shell.  I did not see the ssh traffic, or the pings.
>
> Ok, I tried a few other combinations (changed internal IP to destination
> IP, and the converse of that).  Still nothing.
>
> So I deleted that rule, and did a simple multi-port forward.  All TCP/UDP
> showing up for any port 1-65000 on a.b.c.d is port forwarded to the
> destination starting at port 1.
>
> That worked.  I see the traffic with tcpdump, I can ssh in, etc.
>
> But I don't like that, as it seems ... hack-ish.  I would think the 1:1
> would be cleaner (and use fewer states?), but I am not sure about this.
>
> Is there any magic incantation, burn offerings, or typing one can do to
> diagnose this?  The tcpdump on the internal port on the pfsense box is a
> good indicator if packets are getting through.  Is there somewhere else to
> look on the system to watch the decision processes it makes during the pf
> filter pipeline?
>
> Or should I simply be happy that it works, and not worry about it? I am
> happy to file a bug report if it makes sense, I figured I'd ask first to
> see if someone thinks this is pilot error (very well could be).
>
> Thanks!
>
>
> Joe
>
> --
>
> Joseph Landman, Ph.D
> Founder and CEO
> Scalable Informatics, Inc.
> email: land...@scalableinformatics.com
> web  : http://scalableinformatics.com
> twtr : @scalableinfo
> phone: +1 734 786 8423 x121
> cell : +1 734 612 4615
>
>


Monitor blocked attempts under Status --> System Logs --> Firewall ...
filter for the IP you want. If you see the block, click the small grey
arrow with a plus sign next to the destination IP. This will create a rule
and allow you to go to Firewall --> Rules to identify the proper rule
setup to pass these SSH attempts.

Next, notice that these rules are in order...top to bottom. Here is the
sentence at the bottom of all firewall rule pages:

Hint:

   - Rules are evaluated on a first-match basis (i.e. the action of the
   first rule to match a packet will be executed). This means that if you use
   block rules, you'll have to pay attention to the rule order. Everything
   that isn't explicitly passed is blocked by default.


PS: By default, all blocked attempts are logged. After creating a rule, you
can also turn on logging for the rules that pass. This will allow you to
see the source/destination that is using the rule.


Re: [pfSense] Adaptive filtering?

2013-12-10 Thread Justin Edmands
On Tue, Dec 10, 2013 at 2:38 PM, David Miller wrote:

> Quick capability question from those in the know….
>
>
> Does pfsense offer any kind of adaptive filtering?
>
> Specifically, can it:
>
>  Tell that it’s under attack and block all packets from the attacking
> source for some period of time?
>  Get a list of signatures to block on the way in (as in virus
> scanning).
>
>
> TIA,
>
> — David
>
>


First question, what's an attack?  your pfsense box doesn't know.

Snort is a package that can be installed to define the attacks and take
action based on the request.

Get the paid snort.org version (cheap) and it will give you up-to-date
rules. Otherwise I think it's a week or two behind in definitions.

https://doc.pfsense.org/index.php/Setup_Snort_Package#Select_what_types_of_rules_you_want_protecting_your_network


After you have installed and tested it, THEN worry about the CPU/RAM/disk
overhead.


Re: [pfSense] Load balancing IMAPs / POP3s / HTTPs

2013-11-22 Thread Justin Edmands
On Fri, Nov 22, 2013 at 12:12 PM, Nikos Zaharioudakis wrote:

> Dear list,
>
> I will have to load balance IMAPs , POP3s and HTTPs for more or less 20K
> users.
> I expect something like 7-8K concurrent users at peak times, but
> ActiveSync from mobile devices is always there even when people are not on
> their computers :-)
>
> Are there any hints and tips on how to do this? Are there things that
> I should have in mind? I found 2 different balancer solutions in the
> distribution of pfsense. One which is built in and ha-proxy. Should I
> use one or the other for this specific situation ?
>
> Thank you for your kind attention
>
>
> Nikos
>
> Zaharioudakis Nikos, RHC{A,DS,E,VA,X,I}, VCP(4,5},VCI, Mentor VCI,
> Zimbra Instructor
>

From experience I found the built in one to work well. The ha-proxy one
appears to work, but gave me a few issues, so I dropped it. I found that I
had to manually edit the configuration file by SSHing into the box. I
feared an upgrade of pfsense or the package would blow it all out.

Also, you may find that you want to use both for different services.
HA-proxy can provide,again through manual config file edits, a higher level
of configuration.


Re: [pfSense] Optimal Setup

2013-09-19 Thread Justin Edmands
On Thu, Sep 19, 2013 at 10:13 AM, Joseph W Joshua wrote:

> On 09/19/2013 04:38 PM, Mehma Sarja wrote:
>
>> Have you tried pinging to 8.8.8.8 from your wan and lan ports? If that
>> works, have you tried pinging to yahoo..com off those ports? This might be
>> a DNS issue.
>>
> Hello,
>
> I can ping 8.8.8.8 from my wan and lan ports. pfSense can also resolve
> google.com and pfsense.org. But interestingly, on the dashboard it
> says 'Unable to check for updates'.
>
>
>> See if you can use the setup wizard to get online and build your rules
>> from there. Your's is a simple setup and the pfsense book is a nice
>> reference to have on the shelf if you are supporting an office.
>>
>
> Thanks, I will check out the book
>
>
>
> --
> With Kind Regards,
> Joseph W. Joshua
>
>

Take a look at the logs on the pfsense while trying to access the internet.

Status --> System Logs --> Firewall. If you see it being blocked, click the
button next to the destination IP that will allow the traffic through.


Re: [pfSense] 2.1 RC1 -- openvpn connections reset on any modification of openvpn

2013-07-25 Thread Justin Edmands
I have seen the same thing for IPsec. I have not tested it in my openvpn
stuff after experiencing the dropped tunnels.

I even just edited the Description once and it dropped the tunnel. It's
weird, but happened every single time.


On Thu, Jul 25, 2013 at 10:46 AM, mayak-cq  wrote:

> Hi All,
>
> A quick note/observation when using a recent snapshot of 2.1 rc-1  ...
>
> I have many openvpn connections, and if i modify an openvpn parameter
> (client specific overrides for example). all vpn tunnels are dropped and
> all states lost.
>
> Has anyone else seen this -- is there work around?
>
> thanks
>
> m
>
>
>
>


[pfSense] Load Balancing - External request shows internal hostname

2013-07-24 Thread Justin Edmands
Hey,
I setup Load Balancing for two web servers using the pfSense book.
Everything looks fine from the "Status" --> "Load Balancer" section. Both
Virtual Servers are Active and Pools are 100%.

The problem is when I connect from an external IP, I get a page not found
and it shows my internal hostname in the error page. Also shows this, as
expected: Error 105 (net::ERR_NAME_NOT_RESOLVED): Unable to resolve the
server's DNS address.

Even more weird is that when it hits Server 1 it shows the error above.
When it hits server 2, it shows the page normally. Why would one show the
proper page while the other shows the internal hostname? OK so through
inbound and outbound NAT, what am I doing wrong? Throw out even bizarre
suggestions. Anything is possible.

THANKS!