Re: [pfSense] IPSec nat issue
On 5/26/2016 1:23 PM, Mark Wiater wrote: On 5/26/2016 2:09 PM, Rosen Iliev wrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. It's probably best to remove the conflict instead of perform the NAT. I appreciate that re-addressing your network could be impractical though. If the remote side is using 192.168.1/24 and you are using that same space, it doesn't seem like using a sonicwall will make the situation any better. Where exactly are you looking with 'pfSense's packet capture tool'? Are you looking on the ipsec tunnel or on your 192.168.1/24 interface? Can the far end folks be more explicit about the failure mode? Perhaps they could indicate exactly what response they get to the ICMP echo request? ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold Agree on removing the conflict, but unsure how easy that might be. Packet capture on IPSec tunnel for any 192.168.75.x or 192.168.85.x traffic. I only see traffic when I ping their host at 192.168.75.220 from the LAN(192.168.1.x). I am not allowed to talk to the hands on person at the colo. I am only allowed to talk to the Engineer at UBS. He stated the packets were being rejected. I don't know anything further. The engineer at UBS stated 'We have many tunnels setup this way using SonicWall and a cookie cutter template for you to use.' Preliminary investigation indicates double the cost of the appliance and around $400 per year security subscription costs for the sonicwall. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
Pinging 192.168.85.187 from 192.168.75.220. I am trying to map 192.168.85.x to 192.168.1.x with NAT. Lyle On 5/26/2016 1:09 PM, Rosen Iliev wrote: Hi Lyle, Which IP they are pinging exactly? Rosen Lyle wrote on 5/25/2016 6:54 PM: I am trying to install a new pfSense appliance running 2.3 Release. works fine until I setup a IPSec tunnel. The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. I can ping and see the smb shares on their server at 192.168.75.220 from a workstation on the 192.168.1.0/24 network. However they need to ping and access the printers on the LAN(192.168.1.0/24) network from their 192.168.75.0/24 network. That's where this all breaks down. The guys at the far end are using SonicWall and want me to junk what we have and buy a much more expensive SonicWall(not to mention the subscription costs for filtering web access) to do what pfSense does now, using Squid and squidGuard. The guys at the far end are claiming that our end is rejecting their ping packets from their server at 192.168.75.220. I am unable to see any of their ping packets using pfSense's packet capture tool. I have played with 1:1 nat and tried every combo I can think of and have not come up with a working way to see their packets. I have googled and found several pfsense docs but am not able to come up with a working answer. Just not even sure what you guys need from me to help troubleshoot this. Thanks in advance, Lyle Giese LCR Computer Services, Inc. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
That's a typo. All routes/subnets are rfc 1918, 192.168.x.x Lyle On 5/26/2016 9:40 AM, Steve Yates wrote: Jumping in midway through, 193.168.1.0/24 belongs to Universite du Luxembourg. If that's not you then the other end could be routing packets there. -- Steve Yates ITS, Inc. -Original Message- On Wed, May 25, 2016 at 8:54 PM, Lylewrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
I was running packet capture on the IPSec interface looking for traffic to/from 192.168.75.x and 192.168.85.x and only saw traffic when I pinged their server. Lyle On 5/26/2016 9:32 AM, ED Fochler wrote: I agree. I typically ssh in as root and tcpdump to get a more interactive view of the network, but packet capture should give you the same data. You should be seeing traffic even if it is rejected or dropped by your firewall rules. If you’re not seeing ping, it’s not showing up at your interface. ED. On 2016, May 26, at 8:44 AM, Vick Kherawrote: On Wed, May 25, 2016 at 8:54 PM, Lyle wrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. So if they have a conflicting 192.168.1.0/24 network on their end already, how the heck do they expect traffic to *your* version of that network to get routed to you? That is, if they type "ping 192.168.1.42" which network is it supposed to go to? I don't see how some Sonicwall magic could make that happen either. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
I think they would ping 192.168.85.x and incoming pfSense would forward that traffic to 192.168.1.x, doing a 1:1 type NAT. Lyle On 5/26/2016 7:44 AM, Vick Khera wrote: On Wed, May 25, 2016 at 8:54 PM, Lylewrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. So if they have a conflicting 192.168.1.0/24 network on their end already, how the heck do they expect traffic to *your* version of that network to get routed to you? That is, if they type "ping 192.168.1.42" which network is it supposed to go to? I don't see how some Sonicwall magic could make that happen either. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN
Chris, Maybe Karl needs to read RFC 1918. It can be enlightening to find out he does not 'own' 10.0.0.0/8 Yes, VPN's require unique subnets on both sides of the VPN server, but that is the price you pay for using a VPN with RFC 1918 addresses. Lyle Giese LCR Computer Services, Inc. On 12/10/14 00:36, Chris L wrote: On Dec 9, 2014, at 8:53 PM, Karl Fife karlf...@gmail.com wrote: In the wild, I'm seeing a an increasing number of crappy consumer/ISP routers with subnets that conflict with ours (10../8). Comcast appears to be a common offender, curiously allocating the largest private subnet to their smallest customers. Of course this breaks VPN due to address ambiguity/conflicts. That’s actually your fault for using 10/8, not Comcast's. Even if they were to use something like 10.58.223.0/24 they’d still conflict with your 10/8. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN
ATT/SBC used 2wire brand DSL routers and there was a version of FW in them that used 172.16/12 for the LAN. I used to see that model frequently just before they started pushing Uverse instead. Lyle Giese LCR Computer Services, Inc. On 12/10/14 06:34, Chris Bagnall wrote: On 10/12/14 6:36 am, Chris L wrote: That’s actually your fault for using 10/8, not Comcast's. Even if they were to use something like 10.58.223.0/24 they’d still conflict with your 10/8. There are so many different brands and models of consumer router on the market these days in the 10/8 and 192.168/16 range that we've pretty much given up on them for all new installs, instead dropping things into the other RFC1918 range: 172.16/12 (we usually use variants on 172.20.x/24 where x is reasonably random). I don't think we've seen more than 1 or 2 consumer routers that default to anything in the 172.16/12 range - yet. Kind regards, Chris ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] After upgrading 2.1.3-2.1.5 the SNMP.pm can't be found for Nagios anymore
This is not a Nagios or pfsense error. It's a PERL error and it can not find SNMP.pm You may want to try CPAN to re-install Net::SNMP Lyle On 10/02/14 05:04, Rens wrote: Nobody that can help me with this? *From:*Rens [mailto:r...@autempspourmoi.be] *Sent:* maandag 22 september 2014 13:53 *To:* 'list@lists.pfsense.org' *Subject:* After upgrading 2.1.3-2.1.5 the SNMP.pm can't be found for Nagios anymore Dear all, after upgrading to 2.1.5, coming from 2.1.3 PFSense all of a sudden lost it's Net/SNMP.pm from it's path. This results in issues with some plugins of Nagios. e.g. /usr/pbi/nrpe-amd64/libexec/nagios/check_ifoperstatus Which gives these errors: Can't locate Net/SNMP.pm in @INC (@INC contains: /usr/pbi/nrpe-amd64/libexec/nagios /usr/pbi/nrpe-amd64/lib/perl5/5.14.2/BSDPAN /usr/pbi/nrpe-amd64/lib/perl5/site_perl/5.14.2/mach /usr/pbi/nrpe-amd64/lib/perl5/site_perl/5.14.2 /usr/pbi/nrpe-amd64/lib/perl5/5.14.2/mach /usr/pbi/nrpe-amd64/lib/perl5/5.14.2 .) at /usr/pbi/nrpe-amd64/libexec/nagios/check_ifoperstatus line 40. BEGIN failed--compilation aborted at /usr/pbi/nrpe-amd64/libexec/nagios/check_ifoperstatus line 40. I guess something went wrong in the Perl dependencies. What is advised to get out of this situation? Regards, Rens ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] updating issues with signature on image
I have a Soekris net4801, running 2.0.2-release(i386) NanoBSD Size 512mb. It shows 2.1.2-release is available for auto-update. After downloading, I get an error message that the digital signature is invalid. I have to abort and the only options is to allow unsigned images. Is the right or is there something wrong with the update process? Lyle Giese LCR Computer Services, Inc. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] IPv6 Default Gateway
Typos are a terrible thing. I often put in a ; instead of a : in IPv6 addresses. Depending on the font, it can be VERY hard to see that. Plus we can not see what you thought you typed in or what you really typed in, it's very hard to guess what's wrong. Lyle On 07/09/14 10:17, Mark Tinka wrote: Hello all. I'm trying to create an IPv6 default gateway, and the box is throwing back this error: The following input errors were detected: The gateway name must not contain invalid characters. Anybody why this is coming back? The IPv6 address is standard, and is being used well on other devices. All help appreciated. Mark. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] squid load so slow
On 10/28/12 04:47, Mark wrote: I notice that eveytime I make changes on my settings in Proxy Server, it takes time (almost 5-10 mins.) before it stop from loading. I don't know if it take effect immediately or what but what makes me concern is that it loads so slow. I don't have this issue before. Cache dir is only 129MB. Memory is 4GB. Here is the info of the disk I found in dmesg *Hard Disk Info* pass1 at mpt0 bus 1 scbus1 target 0 lun 0 pass1: ATA WDC WD1600YS-23S 6C04 Fixed Uninstalled SCSI-5 device pass1: 300.000MB/s transfers pass1: Command Queueing enabled da0 at mpt0 bus 0 scbus0 target 0 lun 0 da0: LSILOGIC Logical Volume 3000 Fixed Direct Access SCSI-2 device da0: 300.000MB/s transfers da0: Command Queueing enabled da0: 151634MB (310546432 512 byte sectors: 255H 63S/T 19330C) *Kernel Version* [2.0.2-RC3][r...@practicum.com mailto:r...@practicum.com ]/var/squid(9): uname -a FreeBSD practicum.com http://practicum.com 8.1-RELEASE-p12 FreeBSD 8.1-RELEASE-p12 #1: Sat Jul 21 10:01:45 EDT 2012 root@FreeBSD_8_1.pfSense_2_0.i386.snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 mailto:root@FreeBSD_8_1.pfSense_2_0.i386.snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 i386 Is this normal on squid? Should I worry about this? TIA, Mark I can not begin to count the number of times where a hard drive going bad causes this. Today's smart drives hide the fact it's going bad by error correction. But when error correction kicks in on the drive, it tends to get VERY slow. Have you backed up your configuration lately? Lyle ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Detecting Torpig with pfsense?
On 10/5/2012 3:49 AM, Ermal Luçi wrote: On Fri, Oct 5, 2012 at 10:21 AM, Ståle Johnsen stale.john...@gmail.com wrote: Hi, We have a customer running pfsense 2.0 and today the customer got an email from their ISP claiming that someone on the network was infected with torpig with the following description: contacted known sinkhole (torpig). As I understand Torpig contacts different known Command and Control servers so you should be able to track which computer is infected by looking at the outgoing traffic. Does anyone here have experience with fixing torpig with the use of pfsense? Any package that might be good for tracking traffic to certain ip ranges and maybe send a alert if it does? The customer has 100 computers and as torpig seems really hard to remove we really need to find a way to track the right computer from the network side. This is something I found by googling but not sure if it's still valid and how to set up tracking of this in pfsense: The best way to find the machine responsible is to look for connections to the Torpig CC server. This detection was made through a connection to 91.20.214.121, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections to the range 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination port 80 or 443, but you should look for all ports. Probably snort should help here. Thanks in advance! Stale J Couldn't you take a look at the state table in pfsense and see who has a connection open to the CD server? Lyle Giese LCR Computer Services, Inc. ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] DynDNS/No-IP question, cascaded NAT
On 01/06/12 14:09, Stefan Baur wrote: Hi List, some of my customers are switching to No-IP, as DynDNS.org doesn't seem to offer free accounts any more. So far, they had used their ISP-provided routers for DynDNS.org with the pfSense box plugged into the LAN side of that router: [Clients]---192.168.133.x---[pfSense]---192.168.5.x---[leased router]---Dynamic WAN IP It seems that a rather large group of my customers have routers that don't support No-IP, only DynDNS.org. So the idea was to leave the No-IP update to the pfSense boxes. There are two possible problems with that approach: 1) pfSense will report the 192.168.5.x IP to No-IP - this has been fixed in 2.0 or 2.0.1, though (not reporting any IP will make No-IP use the WAN IP). 2) pfSense doesn't notice when the WAN IP changes, as it only sees the 192.168.5.x IP, which never changes. To overcome 2), it would either have to connect to a) No-IP in regular intervals and blindly update the status - I'm not sure if that violates No-IPs Terms of Service, though - or, b) a text-based web service returning the current WAN IP, and only connect to No-IP when it detects a change. I'm wondering if a) is already implemented in pfSense and if so, what the current interval is? Kind Regards, Stefan ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list I went the route to buy an account at Dyndns for $20/year and that allows 32 dyn hosts. I give them to my customers as needed for that amount. I have handed out 22 and still have 10 more available. That's another option for you. Lyle ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list