RE: [pfSense Support] IPsec - Automatically Ping Host

2007-03-28 Thread Kelvin Chiang
Hi Holger, yes, it was an IP address that can trigger the IPsec tunnel.
If Ping Host is enabled, does it automatically initiate the tunnel? Or
does it have to be manually initiated and then maintained by the ping host?

Where can I check whether the ping host packet was indeed fired?

Regards,
Kelvin

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 28, 2007 2:04 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] IPsec - Automatically Ping Host


I'm using it with 13 dynamic-IP locations connecting to one static-IP
location as the concentrator without issues. You probably use a wrong
monitor IP. You have to use an IP in the remote end's local subnet behind
the tunnel (it has to be an IP that's inside the tunnel definition of the
remote end).

Holger




From: Kelvin Chiang [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 28, 2007 3:29 AM
To: support@pfsense.com
Subject: [pfSense Support] IPsec - Automatically Ping Host


Hi, there is a check box to automatically ping a host. I assume
that this function is intended for sites with a dynamic WAN IP address. I
activated it, but it did not seem to do the job. Has anyone tried it?

Regards, Kelvin



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






RE: [pfSense Support] IPsec - Automatically Ping Host

2007-03-28 Thread Holger Bauer
Watch pftop from the shell. You should see the ping kick in frequently.
It will bring up the tunnel even if there is no other qualifying traffic
from the LAN to the remote subnet.

Holger 

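An added example, not part of the thread and not pfSense code, that writes Holger's rule down as a check a hub administrator can run over all tunnels at once: the monitor IP must fall inside the remote subnet of the tunnel definition, must not be that subnet's network or broadcast address, and must not also be a local address (in which case the reply arrives without the tunnel ever coming up). The hub-and-spoke addresses below are constructed. The ps listing posted in the ntop thread further down this page shows the pinger itself as a periodic job (minicron 240 /var/run/ping_hosts.pid /etc/ping_hosts.), which is why the pings show up in pftop at regular intervals rather than once. The overlap check goes beyond the thread: with a dozen spokes on one concentrator, two remote subnets that overlap make a ping into the shared range ambiguous between tunnels.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Phase2:
    """One tunnel as defined on the concentrator: the network on each side
    and the address the 'automatically ping host' option pings."""
    name: str
    local_subnet: str   # network behind this firewall
    remote_subnet: str  # network behind the peer, exactly as in the tunnel definition
    monitor_ip: str     # host to ping to bring the tunnel up


def monitor_ip_problems(p2: Phase2) -> list:
    """Reasons the monitor IP cannot bring this tunnel up (empty list if it can)."""
    local = ipaddress.ip_network(p2.local_subnet, strict=False)
    remote = ipaddress.ip_network(p2.remote_subnet, strict=False)
    mon = ipaddress.ip_address(p2.monitor_ip)
    problems = []
    if mon not in remote:
        # The ping never matches the tunnel's traffic selector, so it is routed
        # out the WAN in the clear (or dropped) and no negotiation is triggered.
        problems.append(f"{p2.name}: {mon} is outside the remote subnet {remote}")
        return problems
    if remote.num_addresses > 2 and mon in (remote.network_address, remote.broadcast_address):
        problems.append(f"{p2.name}: {mon} is the network or broadcast address of {remote}, nothing answers it")
    if mon in local:
        problems.append(f"{p2.name}: {mon} is also inside the local subnet {local}, so it is reached without the tunnel")
    return problems


def overlapping_remotes(tunnels) -> list:
    """Pairs of tunnels whose remote subnets overlap: a ping into the shared
    range can match either tunnel's selector (goes beyond the thread)."""
    found = []
    for a, b in combinations(tunnels, 2):
        na = ipaddress.ip_network(a.remote_subnet, strict=False)
        nb = ipaddress.ip_network(b.remote_subnet, strict=False)
        if na.overlaps(nb):
            found.append((a.name, b.name))
    return found


def audit(tunnels) -> list:
    """All findings for a list of tunnels, one line each."""
    report = []
    for t in tunnels:
        report.extend(monitor_ip_problems(t))
    for a, b in overlapping_remotes(tunnels):
        report.append(f"{a} and {b}: remote subnets overlap")
    return report


# Constructed hub-and-spoke configuration (not taken from the thread).
HUB_LAN = "10.0.0.0/24"
TUNNELS = [
    Phase2("spoke1", HUB_LAN, "10.0.1.0/24", "10.0.1.1"),        # correct: LAN address of the spoke
    Phase2("spoke2", HUB_LAN, "10.0.2.0/24", "198.51.100.7"),    # wrong: the spoke's WAN address
    Phase2("spoke3", HUB_LAN, "10.0.3.0/24", "10.0.3.0"),        # wrong: network address
    Phase2("spoke4", HUB_LAN, "10.0.1.128/25", "10.0.1.200"),    # overlaps spoke1's remote subnet
]

if __name__ == "__main__":
    for line in audit(TUNNELS):
        print(line)
```

Run it against your own tunnel list; an empty report means every monitor IP is one that the remote end's tunnel definition will actually carry, which is the condition Holger describes. Whether the remote host then answers ICMP is a separate question that only pftop or the remote firewall log can settle.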



[pfSense Support] Transparent proxy to a separate Squid box.

2007-03-28 Thread David Wadson
I'm in the process of (hopefully) migrating from a Linux router running 
Shorewall to a pfSense box. One of the things we were able to do on our 
Linux router was transparently proxy to a separate machine on our 
network running Squid.


We accomplished this with a mix of iproute and iptables. First, the web 
packets on port 80 from any machine except the Squid box are marked for 
a separate routing table by an iptables rule:


   iptables -t mangle -A PREROUTING -i eth0 -s ! 192.168.0.12 -p tcp --dport 80 -j MARK --set-mark 3



A routing table was set up for that mark, so the result of ip route 
show table 3 is:


  default via 192.168.0.12 dev eth0


On the Squid box, packets to port 80 are redirected to port 8080 with 
an iptables rule:


  iptables -t nat -A PREROUTING -i eth0 -d ! 165.78.125.12 -p tcp --dport 80 -j REDIRECT --to-ports 8080




What I have gotten to work with pfSense is a NAT rule to redirect port 
80 to the Squid box. That worked, but probably only because the Squid 
box is still using our Linux router as its default gateway. Otherwise, 
I think that once its gateway is set to the new pfSense firewall, it 
will try to redirect its port 80 traffic back to itself.


The other issue I found is that by using NAT, the Squid logs show the 
source IP address of the web requests as the IP of the pfSense 
firewall, not the local client that is actually making the request. 
This will really throw off our usage reporting software, MySAR 
(http://giannis.stoilis.gr/software/mysar/). I'm also not sure how this 
will affect our MAC address-based ACLs in Squid.


Being new to BSD and pfSense, I'm not sure if it is even possible to 
replicate the setup that we currently have with Linux. Hoping that 
someone here can give me some insight on how I can accomplish this or 
whether I need to use a Linux-based router.


Thanks,

Dave





Re: [pfSense Support] Incoming FTP Traffic To Wrong Queue

2007-03-28 Thread Mark Kane
On Tue, Mar 27, 2007, at 19:28:05 -0400, Scott Ullrich wrote:
 I have committed a fix that should solve this problem for you.  Please
 try a snapshot about 2 hours after you receive this.
 
 Scott

With the updated snapshot, incoming FTP traffic still goes into the
qlandef queue instead of qP2PDown but it doesn't seem to kill the other
traffic anymore. Is that what the change was supposed to do?

Thanks!

-Mark

-- 
Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net

IRC:
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)




Re: [pfSense Support] Incoming FTP Traffic To Wrong Queue

2007-03-28 Thread Scott Ullrich

On 3/28/07, Mark Kane [EMAIL PROTECTED] wrote:

With the updated snapshot, incoming FTP traffic still goes into the
qlandef queue instead of qP2PDown but it doesn't seem to kill the other
traffic anymore. Is that what the change was supposed to do?


Please issue this command from a shell:

ps awux | grep pftpx

Scott




Re: [pfSense Support] Incoming FTP Traffic To Wrong Queue

2007-03-28 Thread Mark Kane
On Wed, Mar 28, 2007, at 14:08:48 -0400, Scott Ullrich wrote:
 On 3/28/07, Mark Kane [EMAIL PROTECTED] wrote:
  With the updated snapshot, incoming FTP traffic still goes into the
  qlandef queue instead of qP2PDown but it doesn't seem to kill the
  other traffic anymore. Is that what the change was supposed to do?
 
 Please issue this command from a shell:
 
 ps awux | grep pftpx

# ps awux | grep pftpx
proxy    548  0.0  0.1   656   424  ??  Ss    8:49PM   0:00.72 /usr/local/sbin/pftpx -q qlandef -c 8021 -g 8021 192.168.1.1
root   98551  0.0  0.3  1528   988  p0  R+    1:14PM   0:00.01 grep pftpx

-Mark




Re: [pfSense Support] Incoming FTP Traffic To Wrong Queue

2007-03-28 Thread Scott Ullrich

So you do not have P2P Catch all option enabled?

Scott





Re: [pfSense Support] Incoming FTP Traffic To Wrong Queue

2007-03-28 Thread Mark Kane
On Wed, Mar 28, 2007, at 14:28:00 -0400, Scott Ullrich wrote:
 So you do not have P2P Catch all option enabled?

I do, and all other traffic gets caught by it fine. Here are
screenshots of the shaper rules and the queues page with an HTTP
download going.

http://tntpowerhost.com/mixx941/pfsense_shaperrules_20070328.png
http://tntpowerhost.com/mixx941/pfsense_queues_20070328.png

And with an FTP download going:

http://tntpowerhost.com/mixx941/pfsense_queues_ftp_20070328.png

-Mark




Re: [pfSense Support] Incoming FTP Traffic To Wrong Queue

2007-03-28 Thread Scott Ullrich


Okay, try a new snapshot about 2 hours from now.

Scott




Re: [pfSense Support] [UPDATE] Adding OPT3 and OPT4 WAN connections

2007-03-28 Thread Robert Goley
I am able to access the internet through OPT3 using x.x.x.49/29 for setting 
up the interface.  It works great, outgoing anyway.  I am not able to set up a 
port forward.  I turned on logging for the port forward firewall rule.  It 
shows the traffic passing.  It just never goes anywhere.  I am still testing 
using SSH.  The SSH connection will time out while the firewall shows that it 
allowed the SSH connection.  Does anyone have a suggestion?  This interface 
and port forward are set up the same as the others that are working.  It is 
using the correct gateway address.  I am really stumped on this part.  The 
states status page shows only the outgoing states.  There are no incoming 
states for these IP addresses.  If I connect out using SSH to an external 
server and type "who", it shows the correct outbound IP address. Is there 
some OPT3->LAN default rule I am missing?  I let pfSense create the firewall 
rule when I set up the port forward.

Robert

On Tuesday 27 March 2007 18:20, Robert Goley wrote:
 I have 1 existing DSL connection and 2 existing Cable connections.  I am
 adding 2 more Cable connections as part of a phase-in/phase-out scenario.
 The current setup works great.  It is using policy-based routing on pfSense
 1.0.1.  I cannot seem to get the additional interfaces to work.  I have
 tested with my laptop and know that the ISP routers are set up and working
 correctly as bridges.  On my laptop, all I have to do is enter the correct
 static IP information to use the internet.  The ISP threw me off a little by
 setting the router IP as the highest number in the assigned IP range.  All
 other ISPs have used the lowest.  I am not sure how to enter the static IP
 info for the OPTx interfaces because of this.  I have been assigned
 x.x.x.49-x.x.x.53 with the default gateway being x.x.x.54.  It is a /29
 netblock with netmask 255.255.255.248.  Would I enter this as x.x.x.49/29,
 x.x.x.53/29, or x.x.x.54/29?  I am not getting any traffic through the
 interface when I have tried using these.  I set up a port forward for SSH to
 a test machine on the network.  It does not go through.  Is there a default
 traffic rule I have missed adding somewhere?  Any information you can
 provide would be appreciated.

 Robert

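An added example, not from the thread: the /29 arithmetic behind Robert's question, using 203.0.113.48/29 as a constructed stand-in for the x.x.x block (the ISP's pattern is kept: .49 to .53 assigned, router at .54, netmask 255.255.255.248). Any of the assigned addresses is a valid interface address as long as it is entered with the /29 prefix, because that is what puts the gateway on-link; the gateway address itself and the network and broadcast addresses are the three entries that cannot work.

```python
import ipaddress

# Constructed stand-in for the thread's x.x.x.49 to x.x.x.53 assignment with the
# ISP router at x.x.x.54 and netmask 255.255.255.248.
ASSIGNED_FIRST = "203.0.113.49"
ASSIGNED_LAST = "203.0.113.53"
NETMASK = "255.255.255.248"
GATEWAY = "203.0.113.54"


def block_from_assignment(any_assigned_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The CIDR block an assigned address and a dotted netmask belong to."""
    return ipaddress.ip_network(f"{any_assigned_ip}/{netmask}", strict=False)


def interface_candidates(block: ipaddress.IPv4Network, gateway: str) -> list:
    """Addresses usable on the OPTx interface: every host of the block except the
    ISP router. Raises if the gateway is not inside the block at all."""
    gw = ipaddress.ip_address(gateway)
    if gw not in block:
        raise ValueError(f"gateway {gw} is not inside {block}")
    return [h for h in block.hosts() if h != gw]


def check_interface(addr_with_prefix: str, gateway: str) -> str:
    """Validate one 'address/prefix' as it would be typed into the interface page."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if iface.ip == gw:
        return "gateway address used as the interface address"
    if iface.ip in (net.network_address, net.broadcast_address):
        return "network or broadcast address cannot be an interface address"
    if gw not in net:
        return f"gateway {gw} is not on-link for {net}; the prefix length is wrong"
    return "ok"


if __name__ == "__main__":
    block = block_from_assignment(ASSIGNED_FIRST, NETMASK)
    print("block:", block, "broadcast:", block.broadcast_address)
    print("usable on the interface:", [str(h) for h in interface_candidates(block, GATEWAY)])
    for entry in (f"{ASSIGNED_FIRST}/29", f"{ASSIGNED_LAST}/29", f"{GATEWAY}/29", f"{ASSIGNED_FIRST}/30"):
        print(entry, "->", check_interface(entry, GATEWAY))
```

The position of the router inside the block (highest usable rather than lowest) makes no difference to the interface configuration; only the prefix length and not reusing the router's address matter.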



[pfSense Support] ntop package on 03-27 snapshot

2007-03-28 Thread Dimitri Rodis
Can't get ntop to work on the latest snapshot.

I did a format/reinstall on this particular PC and no dice (reconfigured
it from scratch as well). Uninstalled/reinstalled package and that
doesn't work either.

Basically, the package installs, I get the ntop settings and ntop menu
option in pfSense, but when I try to access ntop on port 3000 (which is
where the "access ntop" link takes me), nothing responds (and yes, there
is a firewall rule for it). The install AND uninstall of the package are
supposedly successful, and the package installation screen says that the
service was started, but it just plain doesn't respond. 

By the way, after subsequently uninstalling and reinstalling ntop, it
seems to reinstall VERY quickly (too quickly, in my opinion, but that
may be because the package has already been downloaded?)

Any clues? Any other info you need me to gather?

Thanks--

Dimitri Rodis 
Integrita Systems LLC 




RE: [pfSense Support] ntop package on 03-27 snapshot

2007-03-28 Thread Bestul, Kurt
In addition to what the webGUI is telling you about NTOP's status, you
can confirm its status by going to Diagnostics > Command Prompt and using
the "ps -A" command.  You should see NTOP in the resulting list if it's
running.
 
If it is running, you can also do a "netstat -a" from Diagnostics > Command
Prompt to see what ports are being listened on.  If port 3000 is listed,
stop NTOP and then try netstat again to see if it goes away.
 
On my install, NTOP only responds at http://myhostname:3000/
 
Are you accessing the webGUI at this point from the LAN side or the WAN
side?
 





RE: [pfSense Support] Transparent proxy to a separate Squid box.

2007-03-28 Thread Adam Van Ornum
If you search on the forums you should be able to find more information, but 
basically you can't currently do this with pfSense because you can't do source 
based redirection.  The underlying firewall pf can do it just fine but the 
functionality is not exposed through the pfSense web gui.  I was going to work 
on that but I've been a little too busy lately.


RE: [pfSense Support] ntop package on 03-27 snapshot

2007-03-28 Thread Dimitri Rodis
I see no mention of ntop, yet the package installer insists that it is
installed (and if I uninstall/reinstall, it states that it started the
service successfully)

$ ps -A
  PID  TT  STAT      TIME COMMAND
    0  ??  WLs    0:00.00 [swapper]
    1  ??  ILs    0:00.00 /sbin/init --
    2  ??  DL     0:00.00 [crypto]
    3  ??  DL     0:00.00 [crypto returns]
    4  ??  DL     0:00.52 [g_event]
    5  ??  DL     0:00.76 [g_up]
    6  ??  DL     0:00.74 [g_down]
    7  ??  DL     0:00.00 [thread taskq]
    8  ??  DL     0:00.00 [acpi_task_0]
    9  ??  DL     0:00.00 [acpi_task_1]
   10  ??  RL   105:42.57 [idle: cpu0]
   11  ??  WL     1:33.57 [swi4: clock sio]
   12  ??  WL     0:00.00 [swi3: vm]
   13  ??  WL     0:00.19 [swi1: net]
   14  ??  DL     0:00.44 [yarrow]
   15  ??  WL     0:05.90 [swi6: task queue]
   16  ??  WL     0:00.00 [swi6: Giant taskq]
   17  ??  DL     0:00.00 [acpi_task_2]
   18  ??  WL     0:00.00 [swi5: +]
   19  ??  DL     0:00.00 [kqueue taskq]
   20  ??  WL     0:00.00 [swi2: cambio]
   21  ??  WL     0:00.00 [irq9: acpi0]
   22  ??  WL     0:00.00 [irq16: uhci0]
   23  ??  DL     0:00.00 [usb0]
   24  ??  DL     0:00.00 [usbtask]
   25  ??  WL     0:00.02 [irq19: sf0 uhci1]
   26  ??  DL     0:00.00 [usb1]
   27  ??  WL     1:52.96 [irq18: xl0 em0+]
   28  ??  DL     0:00.00 [usb2]
   29  ??  WL     0:00.00 [irq23: ehci0]
   30  ??  DL     0:00.00 [usb3]
   31  ??  WL     0:00.20 [irq14: ata0]
   32  ??  WL     0:00.00 [irq15: ata1]
   33  ??  DL     0:00.05 [fdc0]
   34  ??  WL     0:00.00 [irq1: atkbd0]
   35  ??  WL     0:00.00 [irq12: psm0]
   36  ??  WL     0:00.00 [swi0: sio]
   37  ??  WL     0:00.00 [irq7: ppc0]
   38  ??  DL     0:00.01 [pagedaemon]
   39  ??  DL     0:00.00 [vmdaemon]
   40  ??  RL     0:00.01 [idlepoll]
   41  ??  RL     0:01.76 [pagezero]
   42  ??  DL     0:00.06 [bufdaemon]
   43  ??  DL     0:00.39 [syncer]
   44  ??  DL     0:00.05 [vnlru]
   45  ??  DL     0:00.08 [softdepflush]
   46  ??  DL     0:00.63 [schedcpu]
   53  ??  DL     0:00.04 [md0]
  112  ??  Is     0:00.01 /sbin/devd
  183  ??  Ss     0:00.05 /usr/sbin/syslogd -s -f /var/etc/syslog.conf
  530  ??  R      0:00.95 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfig
  531  ??  Is     0:00.02 /usr/local/bin/php
  533  ??  I      0:00.50 /usr/local/bin/php
  549  ??  Is     0:00.02 /usr/local/bin/php
  554  ??  S      0:02.34 /usr/local/bin/php
  562  ??  I      0:00.00 /usr/local/sbin/dnsmasq
  638  ??  Ss     0:00.06 /usr/local/sbin/pftpx -q qP2PDown -c 8021 -g 8021 10.
  646  ??  Ss     0:00.24 /usr/local/sbin/ftpsesame -q qP2PDown -i em0
  649  ??  Ss     0:00.40 /usr/local/sbin/ftpsesame -q qP2PDown -i bridge0
  826  ??  Ss     0:00.02 ntpd: [priv] (ntpd)
  829  ??  Is     0:00.04 /usr/sbin/cron -s
  845  ??  Is     0:00.01 minicron 240 /var/run/ping_hosts.pid /etc/ping_hosts.
  853  ??  Is     0:00.01 /usr/local/sbin/sshlockout_pf
12241  ??  ZN     0:00.02 <defunct>
12247  ??  IN     0:00.00 /bin/sh /var/db/rrd/updaterrd.sh
12248  ??  RN    80:16.29 pfctl -vsq
12249  ??  IN     0:00.00 [awk]
13577  ??  S      0:00.00 sh -c ps -A
13578  ??  R      0:00.00 ps -A
  852  v0  Is     0:00.02 login [pam] (login)
  854  v0  I      0:00.01 -sh (sh)
  855  v0  I+     0:00.01 /bin/sh /etc/rc.initial
  306 con- S      0:00.25 /usr/sbin/tcpdump -l -n -e -ttt -i pflog0
  307 con- I      0:00.00 logger -t pf -p local0.info
  718 con- IN     0:01.07 /bin/sh /var/db/rrd/updaterrd.sh
  825 con- I      0:00.19 ntpd: ntp engine (ntpd)
  841 con- SN     0:00.86 /usr/local/sbin/check_reload_status

$ netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0  15310  pfsense.https          (removed)              ESTABLISHED
tcp4       0      0  localhost.ftp-proxy    *.*                    LISTEN
tcp6       0      0  *.domain               *.*                    LISTEN
tcp4       0      0  *.domain               *.*                    LISTEN
tcp4       0      0  *.https                *.*                    LISTEN
udp4       0      0  spanishtrails2.w.65060 dedibox.bitschin.ntp
udp4       0      0  spanishtrails2.w.61789 trane.wu-wien.ac.ntp
udp4       0      0  spanishtrails2.w.54543 www.icewarm.com..ntp
udp4       0      0  spanishtrails2.w.60141 magma.woody.ch.ntp
udp4       0      0  spanishtrails2.w.64172 ntp04.oal.ul.pt.ntp
udp4       0      0  spanishtrails2.w.58719 srv1.dvmed.net.ntp
udp4       0      0  spanishtrails2.w.62739 fog.mindcry.org.ntp
udp4       0      0  spanishtrails2.w.62250 eth0-castralrock.ntp
udp4       0      0  *.56406                *.*
udp6       0      0  *.domain               *.*
udp4       0      0  *.domain               *.*
udp4       0      0  *.syslog               *.*
udp6       0      0  *.syslog               *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c2449dac stream      0      0 

Re: [pfSense Support] Transparent proxy to a separate Squid box.

2007-03-28 Thread David Wadson
I think I figured out a means of doing it. I created a load balancer 
pool with just the Squid server listed as a gateway. Then I created a 
firewall rule on the LAN that sends port 80 traffic from any IP but the 
Squid box to that load balancer pool. The only part that I haven't 
confirmed as functional is that the Squid box won't be redirected. I'll 
see whether that's the case once I get this router fully configured and 
make it the default gateway for the Squid box. But I'm confident that 
it will work.


The inspiration came to me when I was going over the load balancing 
instructions and saw the diagrams about routing traffic through a 
particular gateway.



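An added example, not from the thread and not Shorewall or pfSense code: a small model of the two rules Dave posted (the router's port-80 policy route and the Squid box's REDIRECT) that follows one request hop by hop. It shows why both exclusions matter: without the "-s ! 192.168.0.12" part on the router, Squid's own fetch is sent straight back to Squid and the request loops, which is the situation Dave expects once the Squid box's default gateway is the new firewall. It also shows the source-address difference Dave saw: a policy route (iptables MARK plus a routing table, or pf's route-to, which is how pfSense implements the gateway-pool rule Dave ended up using) leaves the client address intact, while the NAT approach he tried first rewrites it. Client, router and web-server addresses are constructed; the REDIRECT rule's "-d !" exclusion is modelled as the Squid box's own address, which is an assumption about what 165.78.125.12 is in Dave's setup.

```python
from dataclasses import dataclass, replace

# Constructed addresses; the thread only names the Squid box (192.168.0.12).
ROUTER_IP = "192.168.0.1"
SQUID_IP = "192.168.0.12"
CLIENT_IP = "192.168.0.50"
WEB_SERVER = "198.51.100.10"
PROXY_PORT = 8080


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def router_next_hop(pkt: Packet, exclude_squid: bool = True) -> str:
    """The router's policy route: TCP/80 from anyone but the Squid box is sent
    to the Squid box (iptables MARK plus 'ip route ... table 3', or pf route-to);
    everything else follows the default route. exclude_squid=False drops the
    '-s ! 192.168.0.12' part of the rule."""
    if pkt.dport == 80 and (pkt.src != SQUID_IP or not exclude_squid):
        return "squid"
    return "internet"


def squid_box_action(pkt: Packet, exclude_self: bool = True) -> str:
    """The REDIRECT rule on the Squid box: TCP/80 not addressed to the box
    itself is handed to the local proxy port (assumption: the '-d !' address
    in Dave's rule is the Squid box's own address)."""
    if pkt.dport == 80 and not (exclude_self and pkt.dst == SQUID_IP):
        return "proxy"
    return "local"


def trace(pkt: Packet, exclude_squid: bool = True, rewrite_source: bool = False,
          max_hops: int = 8):
    """Follow one request through both policies.

    Returns (outcome, address_squid_logs_for_the_client, hops).
    rewrite_source=True models the port-forward/NAT approach Dave tried first,
    where the firewall substitutes its own address before Squid sees the packet.
    """
    hops = []
    seen_by_squid = None
    cur = pkt
    for _ in range(max_hops):
        nh = router_next_hop(cur, exclude_squid)
        hops.append(f"router: {cur.src} -> {cur.dst}:{cur.dport} via {nh}")
        if nh == "internet":
            return "delivered", seen_by_squid, hops
        if rewrite_source:
            cur = replace(cur, src=ROUTER_IP)
        if squid_box_action(cur) != "proxy":
            hops.append(f"squid: {cur.dst}:{cur.dport} is local, not proxied")
            return "delivered", seen_by_squid, hops
        seen_by_squid = cur.src
        hops.append(f"squid: accepted on {PROXY_PORT}, client logged as {cur.src}")
        # Squid fetches the page itself; that request leaves through its
        # default gateway, which after the migration is the same router.
        cur = Packet(SQUID_IP, pkt.dst, 80)
    return "loop", seen_by_squid, hops


if __name__ == "__main__":
    req = Packet(CLIENT_IP, WEB_SERVER, 80)
    for label, kw in [("policy route", {}),
                      ("no Squid exclusion", {"exclude_squid": False}),
                      ("NAT/port forward", {"rewrite_source": True})]:
        outcome, seen, hops = trace(req, **kw)
        print(f"{label}: {outcome}, Squid logs client as {seen}")
        for h in hops:
            print("   ", h)
```

The "client logged as" value is what MySAR and the MAC/IP-based ACLs get to see: with the policy route it is the client, with the NAT variant it is the firewall, exactly the difference Dave reported.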



Re: [pfSense Support] Incoming FTP Traffic To Wrong Queue

2007-03-28 Thread Mark Kane
On Wed, Mar 28, 2007, at 15:49:24 -0400, Scott Ullrich wrote:
 Okay, try a new snapshot about 2 hours from now.

The latest snapshot seems to be the same as the previous one (still
going to qlandef but doesn't seem to affect other traffic much).

1.0.1-SNAPSHOT-03-27-2007
built on Wed Mar 28 21:01:28 EDT 2007

# ps awux | grep pftpx
proxy    550  0.0  0.1   656   420  ??  Is   10:23PM   0:00.04 /usr/local/sbin/pftpx -q qlandef -c 8021 -g 8021 192.168.1.1
root    1492  0.0  0.2  1552   660  p0  R+   10:26PM   0:00.01 grep pftpx

Thanks,

-Mark

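An added example, not from the thread: the check Scott was doing by eye, written as a parser over ps output. It pulls out every pftpx and ftpsesame process together with the queue named on its -q flag, the listener or interface, and the -c/-g ports, then lists the helpers whose queue is not the one the shaper rules expect. The sample lines are the ones posted on this page: Mark's box shows pftpx started with -q qlandef, while Dimitri's ps -A listing in the ntop thread shows both helpers started with -q qP2PDown. The grep line is kept in the sample because a real "ps awux | grep pftpx" pipe includes it and the parser has to ignore it.

```python
import re

# Sample input: lines Mark and Dimitri posted on this page (two different boxes).
PS_LINES = """\
proxy    548  0.0  0.1   656   424  ??  Ss    8:49PM   0:00.72 /usr/local/sbin/pftpx -q qlandef -c 8021 -g 8021 192.168.1.1
root   98551  0.0  0.3  1528   988  p0  R+    1:14PM   0:00.01 grep pftpx
  638  ??  Ss     0:00.06 /usr/local/sbin/pftpx -q qP2PDown -c 8021 -g 8021 10.
  646  ??  Ss     0:00.24 /usr/local/sbin/ftpsesame -q qP2PDown -i em0
  649  ??  Ss     0:00.40 /usr/local/sbin/ftpsesame -q qP2PDown -i bridge0
"""

# Matches the command part of a ps line for either FTP helper; 'grep pftpx' has
# no path in front of the name and therefore does not match.
FTP_HELPER_RE = re.compile(r"/\S*/(?P<prog>pftpx|ftpsesame)\s+(?P<args>.*)$")


def parse_flags(args: str):
    """Split '-q qlandef -c 8021 -g 8021 192.168.1.1' into
    ({'q': 'qlandef', 'c': '8021', 'g': '8021'}, ['192.168.1.1'])."""
    flags, positional = {}, []
    tokens = args.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if len(tok) == 2 and tok[0] == "-" and i + 1 < len(tokens):
            flags[tok[1]] = tokens[i + 1]
            i += 2
        else:
            positional.append(tok)
            i += 1
    return flags, positional


def ftp_helpers(ps_output: str) -> list:
    """One record per pftpx/ftpsesame process found in ps output."""
    records = []
    for line in ps_output.splitlines():
        m = FTP_HELPER_RE.search(line)
        if not m:
            continue
        flags, positional = parse_flags(m.group("args"))
        records.append({
            "prog": m.group("prog"),
            "queue": flags.get("q"),               # queue named on -q, the thread's point of comparison
            "interface": flags.get("i"),           # ftpsesame is started once per interface
            "listen": positional[0] if positional else None,  # pftpx bind address (may be truncated by ps)
            "ports": (flags.get("c"), flags.get("g")),
        })
    return records


def wrong_queue(ps_output: str, expected: str = "qP2PDown") -> list:
    """Helpers started with a queue other than the one the shaper rules expect."""
    return [r for r in ftp_helpers(ps_output) if r["queue"] != expected]


if __name__ == "__main__":
    for r in ftp_helpers(PS_LINES):
        print(r)
    print("not in qP2PDown:", [(r["prog"], r["queue"]) for r in wrong_queue(PS_LINES)])
```

Feed it the output of "ps awux" from the pfSense shell after each snapshot; if a helper still reports qlandef while the shaper rules name qP2PDown, the queue assignment is being decided before the helper is started, not by the rules that catch the rest of the traffic.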