Re: [pfSense] IPSec nat issue

2016-05-27 Thread Lyle Giese 

On 5/26/2016 1:23 PM, Mark Wiater wrote:

On 5/26/2016 2:09 PM, Rosen Iliev wrote:

The other end has a conflict with our LAN addressing(192.168.1.0/24).
So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the
local Network.  NAT/BINAT network of 192.168.85.0/24.  Their remote
network is 192.168.75.0/24.

It's probably best to remove the conflict instead of perform the NAT. I
appreciate that re-addressing your network could be impractical though.

If the remote side is using 192.168.1/24 and you are using that same
space, it doesn't seem like using a sonicwall will make the situation
any better.

Where exactly are you looking with 'pfSense's packet capture tool'? Are
you looking on the ipsec tunnel or on your 192.168.1/24 interface?

Can the far end folks be more explicit about the failure mode? Perhaps
they could indicate exactly what response they get to the ICMP echo request?


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Agree on removing the conflict, but unsure how easy that might be.

Packet capture on IPSec tunnel for any 192.168.75.x or 192.168.85.x 
traffic.  I only see traffic when I ping their host at 192.168.75.220 
from the LAN(192.168.1.x).


I am not allowed to talk to the hands on person at the colo.  I am only 
allowed to talk to the Engineer at UBS.  He stated the packets were 
being rejected.  I don't know anything further.



The engineer at UBS stated 'We have many tunnels setup this way using 
SonicWall and a cookie cutter template for you to use.' Preliminary 
investigation indicates double the cost of the appliance and around $400 
per year security subscription costs for the sonicwall.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] IPSec nat issue

2016-05-27 Thread Lyle Giese 
Pinging 192.168.85.187 from 192.168.75.220.  I am trying to map 
192.168.85.x to 192.168.1.x with NAT.


Lyle

On 5/26/2016 1:09 PM, Rosen Iliev wrote:

Hi Lyle,

Which IP they are pinging exactly?

Rosen

Lyle wrote on 5/25/2016 6:54 PM:
I am trying to install a new pfSense appliance running 2.3 Release. 
works fine until I setup a IPSec tunnel.


The other end has a conflict with our LAN 
addressing(192.168.1.0/24).  So in phase 2, we setup a Tunnel IPv4 
using 193.168.1.0/24 for the local Network.  NAT/BINAT network of 
192.168.85.0/24.  Their remote network is 192.168.75.0/24.


I can ping and see the smb shares on their server at 192.168.75.220 
from a workstation on the 192.168.1.0/24 network. However they need 
to ping and access the printers on the LAN(192.168.1.0/24) network 
from their 192.168.75.0/24 network.


That's where this all breaks down.  The guys at the far end are using 
SonicWall and want me to junk what we have and buy a much more 
expensive SonicWall(not to mention the subscription costs for 
filtering web access) to do what pfSense does now, using Squid and 
squidGuard.


The guys at the far end are claiming that our end is rejecting their 
ping packets from their server at 192.168.75.220.  I am unable to see 
any of their ping packets using pfSense's packet capture tool. I have 
played with 1:1 nat and tried every combo I can think of and have not 
come up with a working way to see their packets. I have googled and 
found several pfsense docs but am not able to come up with a working 
answer.


Just not even sure what  you guys need from me to help troubleshoot 
this.


Thanks in advance,
Lyle Giese
LCR Computer Services, Inc.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] IPSec nat issue

2016-05-27 Thread Lyle Giese 

That's a typo. All routes/subnets are rfc 1918, 192.168.x.x

Lyle

On 5/26/2016 9:40 AM, Steve Yates wrote:

Jumping in midway through, 193.168.1.0/24 belongs to Universite du Luxembourg.  
If that's not you then the other end could be routing packets there.

--

Steve Yates
ITS, Inc.
-Original Message-

On Wed, May 25, 2016 at 8:54 PM, Lyle  wrote:


The other end has a conflict with our LAN addressing(192.168.1.0/24).
So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24

for the local Network.  NAT/BINAT network of 192.168.85.0/24.  Their
remote network is 192.168.75.0/24.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] IPSec nat issue

2016-05-27 Thread Lyle Giese 
I was running packet capture on the IPSec interface looking for traffic 
to/from 192.168.75.x and 192.168.85.x and only saw traffic when I pinged 
their server.


Lyle

On 5/26/2016 9:32 AM, ED Fochler wrote:

I agree.  I typically ssh in as root and tcpdump to get a more interactive view 
of the network, but packet capture should give you the same data.  You should 
be seeing traffic even if it is rejected or dropped by your firewall rules.  If 
you’re not seeing ping, it’s not showing up at your interface.

ED.


On 2016, May 26, at 8:44 AM, Vick Khera  wrote:

On Wed, May 25, 2016 at 8:54 PM, Lyle  wrote:


The other end has a conflict with our LAN addressing(192.168.1.0/24).  So
in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24

for the local Network.  NAT/BINAT network of 192.168.85.0/24.  Their
remote network is 192.168.75.0/24.


So if they have a conflicting 192.168.1.0/24 network on their end already,
how the heck do they expect traffic to *your* version of that network to
get routed to you? That is, if they type "ping 192.168.1.42" which network
is it supposed to go to? I don't see how some Sonicwall magic could make
that happen either.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] IPSec nat issue

2016-05-27 Thread Lyle Giese 
I think they would ping 192.168.85.x and incoming pfSense would forward 
that traffic to 192.168.1.x, doing a 1:1 type NAT.


Lyle

On 5/26/2016 7:44 AM, Vick Khera wrote:

On Wed, May 25, 2016 at 8:54 PM, Lyle  wrote:


The other end has a conflict with our LAN addressing(192.168.1.0/24).  So
in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24

for the local Network.  NAT/BINAT network of 192.168.85.0/24.  Their
remote network is 192.168.75.0/24.


So if they have a conflicting 192.168.1.0/24 network on their end already,
how the heck do they expect traffic to *your* version of that network to
get routed to you? That is, if they type "ping 192.168.1.42" which network
is it supposed to go to? I don't see how some Sonicwall magic could make
that happen either.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-10 Thread Lyle Giese 

Chris,

Maybe Karl needs to read RFC 1918.  It can be enlightening to find out 
he does not 'own' 10.0.0.0/8


Yes, VPN's require unique subnets on both sides of the VPN server, but 
that is the price you pay for using a VPN with RFC 1918 addresses.


Lyle Giese
LCR Computer Services, Inc.

On 12/10/14 00:36, Chris L wrote:


On Dec 9, 2014, at 8:53 PM, Karl Fife karlf...@gmail.com wrote:


In the wild, I'm seeing a an increasing number of crappy consumer/ISP
routers with subnets that conflict with ours (10../8). Comcast appears
to be a common offender, curiously allocating the largest private subnet
to their smallest customers.  Of course this breaks VPN due to address
ambiguity/conflicts.

That’s actually your fault for using 10/8, not Comcast's.

Even if they were to use something like 10.58.223.0/24 they’d still conflict 
with your 10/8.
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-10 Thread Lyle Giese 
ATT/SBC used 2wire brand DSL routers and there was a version of FW in 
them that used 172.16/12 for the LAN.  I used to see that model 
frequently just before they started pushing Uverse instead.


Lyle Giese
LCR Computer Services, Inc.

On 12/10/14 06:34, Chris Bagnall wrote:

On 10/12/14 6:36 am, Chris L wrote:

That’s actually your fault for using 10/8, not Comcast's.
Even if they were to use something like 10.58.223.0/24 they’d still 
conflict with your 10/8.


There are so many different brands and models of consumer router on 
the market these days in the 10/8 and 192.168/16 range that we've 
pretty much given up on them for all new installs, instead dropping 
things into the other RFC1918 range: 172.16/12 (we usually use 
variants on 172.20.x/24 where x is reasonably random).


I don't think we've seen more than 1 or 2 consumer routers that 
default to anything in the 172.16/12 range - yet.


Kind regards,

Chris


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] After upgrading 2.1.3-2.1.5 the SNMP.pm can't be found for Nagios anymore

2014-10-02 Thread Lyle Giese 
This is not a Nagios or pfsense error.  It's a PERL error and it can not 
find SNMP.pm  You may want to try CPAN to re-install Net::SNMP


Lyle

On 10/02/14 05:04, Rens wrote:


Nobody that can help me with this?

*From:*Rens [mailto:r...@autempspourmoi.be]
*Sent:* maandag 22 september 2014 13:53
*To:* 'list@lists.pfsense.org'
*Subject:* After upgrading 2.1.3-2.1.5 the SNMP.pm can't be found for 
Nagios anymore


Dear all,

after upgrading to 2.1.5, coming from 2.1.3 PFSense all of a sudden 
lost it's Net/SNMP.pm from it's path.


This results in issues with some plugins of Nagios. e.g.

/usr/pbi/nrpe-amd64/libexec/nagios/check_ifoperstatus

Which gives these errors:

Can't locate Net/SNMP.pm in @INC (@INC contains:

/usr/pbi/nrpe-amd64/libexec/nagios

/usr/pbi/nrpe-amd64/lib/perl5/5.14.2/BSDPAN

/usr/pbi/nrpe-amd64/lib/perl5/site_perl/5.14.2/mach

/usr/pbi/nrpe-amd64/lib/perl5/site_perl/5.14.2

/usr/pbi/nrpe-amd64/lib/perl5/5.14.2/mach

/usr/pbi/nrpe-amd64/lib/perl5/5.14.2 .) at

/usr/pbi/nrpe-amd64/libexec/nagios/check_ifoperstatus line 40.

BEGIN failed--compilation aborted at

/usr/pbi/nrpe-amd64/libexec/nagios/check_ifoperstatus line 40.

I guess something went wrong in the Perl dependencies.

What is advised to get out of this situation?

Regards,

Rens



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] updating issues with signature on image

2014-07-13 Thread Lyle Giese 
I have a Soekris net4801, running 2.0.2-release(i386) NanoBSD Size 
512mb.  It shows 2.1.2-release is available for auto-update.


After downloading, I get an error message that the digital signature is 
invalid.  I have to abort and the only options is to allow unsigned 
images.  Is the right or is there something wrong with the update process?


Lyle Giese
LCR Computer Services, Inc.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] IPv6 Default Gateway

2014-07-09 Thread Lyle Giese 
Typos are a terrible thing.  I often put in a ; instead of a : in IPv6 
addresses.  Depending on the font, it can be VERY hard to see that.


Plus we can not see what you thought you typed in or what you really 
typed in, it's very hard to guess what's wrong.


Lyle

On 07/09/14 10:17, Mark Tinka wrote:

Hello all.

I'm trying to create an IPv6 default gateway, and the box is
throwing back this error:

The following input errors were detected:
The gateway name must not contain invalid
 characters.

Anybody why this is coming back? The IPv6 address is
standard, and is being used well on other devices.

All help appreciated.

Mark.


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] squid load so slow

2012-10-28 Thread Lyle Giese 

On 10/28/12 04:47, Mark wrote:
I notice that eveytime I make changes on my settings in Proxy Server, 
it takes time (almost 5-10 mins.) before it stop from loading. I don't 
know if it take effect immediately or what but what makes me concern 
is that it loads so slow. I don't have this issue before. Cache dir is 
only 129MB. Memory is 4GB. Here is the info of the disk I found in dmesg

*Hard Disk Info*
pass1 at mpt0 bus 1 scbus1 target 0 lun 0
pass1: ATA WDC WD1600YS-23S 6C04 Fixed Uninstalled SCSI-5 device
pass1: 300.000MB/s transfers
pass1: Command Queueing enabled
da0 at mpt0 bus 0 scbus0 target 0 lun 0
da0: LSILOGIC Logical Volume 3000 Fixed Direct Access SCSI-2 device
da0: 300.000MB/s transfers
da0: Command Queueing enabled
da0: 151634MB (310546432 512 byte sectors: 255H 63S/T 19330C)
*Kernel Version*
[2.0.2-RC3][r...@practicum.com mailto:r...@practicum.com 
]/var/squid(9): uname -a
FreeBSD practicum.com http://practicum.com 8.1-RELEASE-p12 FreeBSD 
8.1-RELEASE-p12 #1: Sat Jul 21 10:01:45 EDT 2012 
root@FreeBSD_8_1.pfSense_2_0.i386.snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 
mailto:root@FreeBSD_8_1.pfSense_2_0.i386.snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 
i386

Is this normal on squid? Should I worry about this?
TIA,
Mark

I can not begin to count the number of times where a hard drive going 
bad causes this.  Today's smart drives hide the fact it's going bad by 
error correction.   But when error correction kicks in on the drive, it 
tends to get VERY slow.


Have you backed up your configuration lately?

Lyle

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Detecting Torpig with pfsense?

2012-10-05 Thread Lyle Giese 

On 10/5/2012 3:49 AM, Ermal Luçi wrote:

On Fri, Oct 5, 2012 at 10:21 AM, Ståle Johnsen stale.john...@gmail.com wrote:

Hi,
We have a customer running pfsense 2.0 and today the customer got an email
from their ISP claiming that someone on the network was infected with torpig
with the following description: contacted known sinkhole (torpig). As I
understand Torpig contacts different known Command and Control servers so
you should be able to track which computer is infected by looking at the
outgoing traffic. Does anyone here have experience with fixing torpig with
the use of pfsense? Any package that might be good for tracking traffic to
certain ip ranges and maybe send a alert if it does?

The customer has 100 computers and as torpig seems really hard to remove we
really need to find a way to track the right computer from the network side.
This is something I found by googling but not sure if it's still valid and
how to set up tracking of this in pfsense:

The best way to find the machine responsible is to look for connections to
the Torpig CC server. This detection was made through a connection to
91.20.214.121, but this changes periodically. To find these infections, we
suggest you search for TCP/IP connections to the range 91.19.0.0/16 and
91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination
port 80 or 443, but you should look for all ports.

Probably snort should help here.


Thanks in advance!

Stale J


Couldn't you take a look at the state table in pfsense and see who has a 
connection open to the CD server?


Lyle Giese
LCR Computer Services, Inc.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] DynDNS/No-IP question, cascaded NAT

2012-01-06 Thread Lyle Giese 

On 01/06/12 14:09, Stefan Baur wrote:

Hi List,

some of my customers are switching to No-IP, as DynDNS.org doesn't seem
to offer free accounts any more.

So far, they had used their ISP-provided routers for DynDNS.org with the
pfSense box plugged into the LAN side of that router:

[Clients]---192.168.133.x---[pfSense]---192.168.5.x---[leased
router]---Dynamic WAN IP

It seems that a rather large group of my customers have routers that
don't support No-IP, only DynDNS.org.

So the idea was to leave the No-IP update to the pfSense boxes.

There are two possible problems with that approach:

1) pfSense will report the 192.168.5.x IP to No-IP - this has been fixed
in 2.0 or 2.0.1, though (not reporting any IP will make No-IP use the
WAN IP).
2) pfSense doesn't notice when the WAN IP changes, as it only sees the
192.168.5.x IP, which never changes.

To overcome 2), it would either have to connect to

a) No-IP in regular intervals and blindly update the status - I'm not
sure if that violates No-IPs Terms of Service, though - or,
b) a text-based web service returning the current WAN IP, and only
connect to No-IP when it detects a change.

I'm wondering if a) is already implemented in pfSense and if so, what
the current interval is?

Kind Regards,
Stefan
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


I went the route to buy an account at Dyndns for $20/year and that 
allows 32 dyn hosts.  I give them to my customers as needed for that 
amount.  I have handed out 22 and still have 10 more available.


That's another option for you.

Lyle
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list