Re: [pfSense] pfsense rules

2016-12-08 Thread Luc Paulin
I knew the rules were processed in order, but didn't think about doing it
this way.
Thanx !


--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-12-08 11:57 GMT-05:00 Moshe Katz :

> Remember that rules are processed in order. Given that fact, here's one way
> to do what you want.
>
> First, put in any rules that ALLOW specific traffic from LAN to OPT2.
> Then, put in a rule to DENY ALL TRAFFIC from LAN to OPT2.
> Finally, put the rule to ALLOW ALL TRAFFIC from LAN to ANYWHERE.
>
> This is exactly what we have done for our guest WiFi network to allow users
> on the WiFi to access the Internet and all of the public services that run
> on our internal network.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Thu, Dec 8, 2016 at 11:51 AM, Luc Paulin  wrote:
>
> > Hi Everyone,
> > I am currently looking at migrating rules from our iptables/fwbuilder
> > system to pfsense.  But now I am facing an issue.
> >
> > I need to grant internet access from LAN to WAN, so I created a rule PASS
> > ANY on the LAN interface.  However, this causes an issue because I want to
> > have a specific allowance rule from LAN to OPT2. It looks like the
> > preceding rule will also grant access from LAN to OPT2, as well as to
> > other interfaces.
> >
> > I am sure that this can be restricted, but I can't find an example on the
> > doc page on the website.
> >
> > Thanx again for all your help
> >
> >
> > --
> >  !
> >( o o )
> >  --oOO(_)OOo--
> >Luc Paulin
> >email: paulinster(at)gmail.com
> >Skype: paulinster
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
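
The ordering Moshe describes above, as an added example (not code from the thread or from pfSense): a small Python model of first-match evaluation on the LAN tab that compares the pass-any-first ordering from the question with the suggested ordering and flags rules that an earlier rule makes unreachable. The subnets, the 10.20.0.10 web server and all function names are constructed assumptions.

```python
"""First-match evaluation of the rules on one interface tab (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing, not taken from the thread.
LAN = ip_network("192.168.1.0/24")
OPT2 = ip_network("10.20.0.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: object                 # source network
    dst: object                 # destination network
    proto: str = "any"
    port: Optional[int] = None  # None means any destination port
    descr: str = ""

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.port in (None, port))


def evaluate(rules, src, dst, proto, port):
    """Return (action, description) of the first matching rule, top down."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.descr
    return "block", "implicit default deny"


def shadowed(rules):
    """Descriptions of rules that can never match: an earlier rule covers them."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.port in (None, later.port)):
                hidden.append(later.descr)
                break
    return hidden


ALLOW_WEB = Rule("pass", LAN, ip_network("10.20.0.10/32"), "tcp", 443,
                 "LAN to OPT2 web server")
DENY_OPT2 = Rule("block", LAN, OPT2, descr="LAN to OPT2 deny")
PASS_ANY = Rule("pass", LAN, ANY, descr="LAN to anywhere")

# Broad pass rule on top: everything below it is dead.
PASS_ANY_FIRST = [PASS_ANY, ALLOW_WEB, DENY_OPT2]
# Order from the reply: specific allows, deny to OPT2, then pass any.
SPECIFIC_FIRST = [ALLOW_WEB, DENY_OPT2, PASS_ANY]

if __name__ == "__main__":
    flow = ("192.168.1.50", "10.20.0.77", "tcp", 22)  # LAN host to OPT2 SSH
    for name, rules in (("pass-any first", PASS_ANY_FIRST),
                        ("specific first", SPECIFIC_FIRST)):
        print(name, evaluate(rules, *flow), "shadowed:", shadowed(rules))
```
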


[pfSense] pfsense rules

2016-12-08 Thread Luc Paulin
Hi Everyone,
I am currently looking at migrating rules from our iptables/fwbuilder system
to pfsense.  But now I am facing an issue.

I need to grant internet access from LAN to WAN, so I created a rule PASS
ANY on the LAN interface.  However, this causes an issue because I want to
have a specific allowance rule from LAN to OPT2. It looks like the preceding
rule will also grant access from LAN to OPT2, as well as to other interfaces.

I am sure that this can be restricted, but I can't find an example on the
doc page on the website.

Thanx again for all your help


--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


Re: [pfSense] Aliases grouping

2016-12-07 Thread Luc Paulin
Great .. thanx all ...

At first it's not obvious that we can enter a "name" in those boxes.

Out of curiosity, how do you manage alias naming?  Do you have some sort
of naming convention depending on whether the alias is an IP/Host/Network
and/or if it's an alias of aliases?




--
 !
   ( o o )
 --oOO(_)OOo------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-12-07 14:45 GMT-05:00 Oliver Hansen :

> I can confirm I've done this as well.
>
> On Dec 7, 2016 11:36 AM, "Christoph Hanle" 
> wrote:
>
> Hi,
> short answer:
> Yes !
>
> I do it by: Create Alias / Type: Host(s) /
>  IP or FQDN, this can also be an Alias. I found that the Alias is not
> (!) limited to being a single IP; it can be an Alias with whatever content.
>
> Christoph
>
> On 07/12/16 20:19, Luc Paulin wrote:
> > Hi,
> > Is there a way to create a group of aliases...
> >
> > For example, let's say I create
> > OFFICE1_NET
> > OFFICE2_NET
> >
> > Can I create an alias ALL_OFFICES that will contain OFFICE1_NET and
> > OFFICE2_NET?
> >
> >   -Luc
> >
> >
> >
> > --
> >  !
> >( o o )
> >  --oOO(_)OOo--
> >Luc Paulin
> >email: paulinster(at)gmail.com
> >Skype: paulinster


[pfSense] Aliases grouping

2016-12-07 Thread Luc Paulin
Hi,
Is there a way to create a group of aliases...

For example, let's say I create
OFFICE1_NET
OFFICE2_NET

Can I create an alias ALL_OFFICES that will contain OFFICE1_NET and
OFFICE2_NET?

  -Luc



--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


Re: [pfSense] rules cleanup and approval process

2016-10-21 Thread Luc Paulin
It looks like neither a filter reload nor a state reset zeroed the
counters.  A firewall/system restart did reset the counters, though there
must be an easier way to reset the counters.



--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-21 12:20 GMT-04:00 Steve Yates :

> Not sure.  Router restart?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Friday, October 21, 2016 11:08 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] rules cleanup and approval process
>
> hoo yeah .. sorry I didn't pay enough attention to that column...  So when
> do those numbers get reset? How can I manually reset those numbers?
>
> --
>  !
>( o o )
>  --oOO(_)OOo--
>Luc Paulin
>email: paulinster(at)gmail.com
>Skype: paulinster
>
>
> 2016-10-21 10:35 GMT-04:00 Steve Yates :
>
> > The Rules page logs traffic for the rule, in bytes, in the
> > States column.  You can also set allow rules to log traffic but that
> > will be a lot of log entries.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc
> > Paulin
> > Sent: Friday, October 21, 2016 9:27 AM
> > To: pfSense Support and Discussion Mailing List
> > 
> > Subject: [pfSense] rules cleanup and approval process
> >
> > Hi,
> > I am in the final stage of reviewing pfsense and I was wondering if
> > there's a way to do the following
> >
> > 1. Is there a way to enable an approval process? For example, let's say I
> > added rule ABC; then, in order for the rule to be applied, the change
> > must be approved by someone else.
> > 2. How can we know which rules are most used and which are unused? Is
> > there some kind of way to create a report of the top 10 least used rules?
> >
> > Thanx for your help
> >
> >   -Luc
> >
>


Re: [pfSense] rules cleanup and approval process

2016-10-21 Thread Luc Paulin
hoo yeah .. sorry I didn't pay enough attention to that column...  So when
do those numbers get reset? How can I manually reset those numbers?

--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-21 10:35 GMT-04:00 Steve Yates :

> The Rules page logs traffic for the rule, in bytes, in the States
> column.  You can also set allow rules to log traffic but that will be a lot
> of log entries.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Friday, October 21, 2016 9:27 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] rules cleanup and approval process
>
> Hi,
> I am in the final stage of reviewing pfsense and I was wondering if there's
> a way to do the following
>
> 1. Is there a way to enable an approval process? For example, let's say I
> added rule ABC; then, in order for the rule to be applied, the change must
> be approved by someone else.
> 2. How can we know which rules are most used and which are unused? Is
> there some kind of way to create a report of the top 10 least used rules?
>
> Thanx for your help
>
>   -Luc
>
>


[pfSense] rules cleanup and approval process

2016-10-21 Thread Luc Paulin
Hi,
I am in the final stage of reviewing pfsense and I was wondering if there's
a way to do the following

1. Is there a way to enable an approval process? For example, let's say I
added rule ABC; then, in order for the rule to be applied, the change must
be approved by someone else.
2. How can we know which rules are most used and which are unused? Is there
some kind of way to create a report of the top 10 least used rules?

Thanx for your help

  -Luc



--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


Re: [pfSense] Change WAN interface

2016-10-14 Thread Luc Paulin
I think that I just figured it out... Yeah, that was the page I was looking
at, but I didn't understand the difference between interface and network
port. I found this a bit confusing.

--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-14 14:18 GMT-04:00 Steve Yates :

> Interfaces/(assign) page should have drop downs to pick the interface.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Friday, October 14, 2016 1:16 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] Change WAN interface
>
> How can I assign the WAN interface to another interface ...
> Let's say I initially assign WAN to bge0, but then I need to move WAN to
> bge3. How can this be done? It looks like we can't delete the assigned WAN
> interface.


[pfSense] Change WAN interface

2016-10-14 Thread Luc Paulin
How can I assign the WAN interface to another interface ...
Let's say I initially assign WAN to bge0, but then I need to move WAN to bge3.
How can this be done? It looks like we can't delete the assigned WAN interface.

Am I missing something  ?

  -Luc

--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


Re: [pfSense] pfsense in ha - sync interface rule disapear

2016-10-13 Thread Luc Paulin
Ok Thanx for information!

 -Luc


--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-13 13:08 GMT-04:00 Steve Yates :

> The rules should sync at every rule change. (alias, etc.)  If
> states are syncing those are in real time.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Thursday, October 13, 2016 12:00 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear
>
> I think I am good now .. I have deleted the sync interface and then
> recreated it ... All looks good now and the systems are syncing between
> each other.
>
> One more question, can we change the frequency of the sync? It looks like
> the default is ~10min
>
>   -Luc
>
>
> --
>  !
>        ( o o )
>  --oOO(_)OOo--
>Luc Paulin
>email: paulinster(at)gmail.com
>Skype: paulinster
>
>
> 2016-10-13 12:13 GMT-04:00 Steve Yates :
>
> > What version pfSense?  We are on 2.3.2 without the latest patch
> > (2.3.2_1), using CARP/sync, since whatever version was in spring 2015,
> > and haven't had this issue.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc
> > Paulin
> > Sent: Thursday, October 13, 2016 10:11 AM
> > To: pfSense Support and Discussion Mailing List
> > 
> > Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear
> >
> > The rule is disappearing on the slave only ...
> > Yes, both firewalls' interface descriptions are the same and assigned to
> > the same interface...
> >
> >   -Luc
> >
> >
> >
> >
> >
> > --
> >  !
> >( o o )
> >  --oOO(_)OOo--
> >Luc Paulin
> >email: paulinster(at)gmail.com
> >Skype: paulinster
> >
> >
> > 2016-10-13 11:00 GMT-04:00 Steve Yates :
> >
> > > Are your rules disappearing on the slave, the master, or both?
> > >
> > > Brainstorming, do both have the same name for the pfsync interface?
> > > Meaning the slave isn't named PFSYNC-SLAVE or something like that?
> > >
> > > --
> > >
> > > Steve Yates
> > > ITS, Inc.
> > >
> > > -Original Message-
> > > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc
> > > Paulin
> > > Sent: Thursday, October 13, 2016 9:10 AM
> > > To: list@lists.pfsense.org
> > > Subject: [pfSense] pfsense in ha - sync interface rule disapear
> > >
> > > Hi Everyone,
> > > I am new to pfsense and I have to say that I am very impressed to
> > > see all the features available out of the box.
> > >
> > > I am currently testing it to see how well it works and performs for
> > > our environment. We would like to replace our HA Linux firewall
> > > running iptables/fwbuilder scripts.  I am currently trying to set up
> > > the HA but having a hard time making it work properly. I am following
> > > the wiki guide (
> > > https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
> > > ).
> > >
> > > The issue that I have is that the rule I added on both firewalls to
> > > allow the SYNC interface to communicate keeps disappearing on the slave
> > > firewall once the connection got established.  So XMLRPC did copy
> > > rules from master to slave, but the PFSYNC interface rules disappear,
> > > and therefore this causes communication issues afterwards
> > > (/rc.filter_synchronize: New alert found: A communications error
> > > occurred while attempting XMLRPC sync with username admin
> > > https://172.16.199.2:443.)
> > >
> > >


Re: [pfSense] pfsense in ha - sync interface rule disapear

2016-10-13 Thread Luc Paulin
I think I am good now .. I have deleted the sync interface and then recreated
it ... All looks good now and the systems are syncing between each other.

One more question, can we change the frequency of the sync? It looks like
the default is ~10min

  -Luc


--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-13 12:13 GMT-04:00 Steve Yates :

> What version pfSense?  We are on 2.3.2 without the latest patch (2.3.2_1),
> using CARP/sync, since whatever version was in spring 2015, and haven't had
> this issue.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Thursday, October 13, 2016 10:11 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear
>
> The rule is disappearing on the slave only ...
> Yes, both firewalls' interface descriptions are the same and assigned to
> the same interface...
>
>   -Luc
>
>
>
>
>
> --
>      !
>( o o )
>  --oOO(_)OOo--
>Luc Paulin
>email: paulinster(at)gmail.com
>Skype: paulinster
>
>
> 2016-10-13 11:00 GMT-04:00 Steve Yates :
>
> > Are your rules disappearing on the slave, the master, or both?
> >
> > Brainstorming, do both have the same name for the pfsync interface?
> > Meaning the slave isn't named PFSYNC-SLAVE or something like that?
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc
> > Paulin
> > Sent: Thursday, October 13, 2016 9:10 AM
> > To: list@lists.pfsense.org
> > Subject: [pfSense] pfsense in ha - sync interface rule disapear
> >
> > Hi Everyone,
> > I am new to pfsense and I have to say that I am very impressed to
> > see all the features available out of the box.
> >
> > I am currently testing it to see how well it works and performs for our
> > environment. We would like to replace our HA Linux firewall running
> > iptables/fwbuilder scripts.  I am currently trying to set up the HA but
> > having a hard time making it work properly. I am following the wiki
> > guide (
> > https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
> > ).
> >
> > The issue that I have is that the rule I added on both firewalls to
> > allow the SYNC interface to communicate keeps disappearing on the slave
> > firewall once the connection got established.  So XMLRPC did copy
> > rules from master to slave, but the PFSYNC interface rules disappear,
> > and therefore this causes communication issues afterwards
> > (/rc.filter_synchronize: New alert found: A communications error
> > occurred while attempting XMLRPC sync with username admin
> > https://172.16.199.2:443.)
> >
> >


Re: [pfSense] pfsense in ha - sync interface rule disapear

2016-10-13 Thread Luc Paulin
The rule is disappearing on the slave only ...
Yes, both firewalls' interface descriptions are the same and assigned to the
same interface...

  -Luc





--
 !
   ( o o )
 --oOO(_)OOo------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-13 11:00 GMT-04:00 Steve Yates :

> Are your rules disappearing on the slave, the master, or both?
>
> Brainstorming, do both have the same name for the pfsync interface?
> Meaning the slave isn't named PFSYNC-SLAVE or something like that?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Thursday, October 13, 2016 9:10 AM
> To: list@lists.pfsense.org
> Subject: [pfSense] pfsense in ha - sync interface rule disapear
>
> Hi Everyone,
> I am new to pfsense and I have to say that I am very impressed to see
> all the features available out of the box.
>
> I am currently testing it to see how well it works and performs for our
> environment. We would like to replace our HA Linux firewall running
> iptables/fwbuilder scripts.  I am currently trying to set up the HA but
> having a hard time making it work properly. I am following the wiki guide (
> https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
> ).
>
> The issue that I have is that the rule I added on both firewalls to allow
> the SYNC interface to communicate keeps disappearing on the slave firewall
> once the connection got established.  So XMLRPC did copy rules from master
> to slave, but the PFSYNC interface rules disappear, and therefore this
> causes communication issues afterwards  (/rc.filter_synchronize: New alert
> found: A communications error occurred while attempting XMLRPC sync with
> username admin https://172.16.199.2:443.)
>
>


[pfSense] pfsense in ha - sync interface rule disapear

2016-10-13 Thread Luc Paulin
Hi Everyone,
I am new to pfsense and I have to say that I am very impressed to see
all the features available out of the box.

I am currently testing it to see how well it works and performs for our
environment. We would like to replace our HA Linux firewall running
iptables/fwbuilder scripts.  I am currently trying to set up the HA but
having a hard time making it work properly. I am following the wiki guide (
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
).

The issue that I have is that the rule I added on both firewalls to allow
the SYNC interface to communicate keeps disappearing on the slave firewall
once the connection got established.  So XMLRPC did copy rules from master
to slave, but the PFSYNC interface rules disappear, and therefore this
causes communication issues afterwards  (/rc.filter_synchronize: New alert
found: A communications error occurred while attempting XMLRPC sync with
username admin https://172.16.199.2:443.)

Thanx for your help!




--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster