[pfSense Support] couple of inquiries regarding pfsense
Dear All, I have a couple of inquiries where I need people who have experience to convey some of their knowledge to me. 1- Does pfsense support 802.1x authentications; I mean does it act as an authenticator for any 802.1x supplicant, in another word, does it allow EAP authentication requests to EAP authentication servers? 2- Does pfsense support Group-oriented policy firewall and bandwidth control? Regards Bassam
Re: [pfSense Support] IPSEC over an OPT interface Problems
Just to be thorough, I added two more rules to the firewall's OPT interface to make sure all the IPSEC stuff gets through. I'm fuzzy on if the last two are needed, but just to be safe, I added them. Here are all the rule that I've added: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank 3. AH * * Interface IP Address * * Blank 4. GRE * * Interface IP Address * * Blank Vaughn On Mon, 02 Apr 2007 20:43:38 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: > Interesting, > > This version of the firmware doesn't even list the VPN tunnel that is > configured for the OPT interface in the vpn section of /tmp/rules.debug. > The tunnel definition is listed in the GUI, and it's working with the > manual rules because I'm in the process of accessing remote resources > now. > > In /tmp/rules.debug, however, it's like the vpn out the opt interface > just doesn't exist. I checked the firewall rules section of > /tmp/rules.debug, and the manual rules that I added are there. > > Also, the firmware version that I was using when I started this thread > last week showed the VPN tunnel definition in /tmp/rules.debug, but it > showed the wrong interface. > > Vaughn > > > On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]> > said: > > On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > > > Here are the rules for the interface in question that seem to make the > > > IPSEC tunnel work: > > [snip] > > > > Look in /tmp/rules.debug and search for IPSEC. > > > > Do you see rules permitting traffic to the interface? > > > > Scott > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
Interesting, This version of the firmware doesn't even list the VPN tunnel that is configured for the OPT interface in the vpn section of /tmp/rules.debug. The tunnel definition is listed in the GUI, and it's working with the manual rules because I'm in the process of accessing remote resources now. In /tmp/rules.debug, however, it's like the vpn out the opt interface just doesn't exist. I checked the firewall rules section of /tmp/rules.debug, and the manual rules that I added are there. Also, the firmware version that I was using when I started this thread last week showed the VPN tunnel definition in /tmp/rules.debug, but it showed the wrong interface. Vaughn On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]> said: > On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > > Here are the rules for the interface in question that seem to make the > > IPSEC tunnel work: > [snip] > > Look in /tmp/rules.debug and search for IPSEC. > > Do you see rules permitting traffic to the interface? > > Scott > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Here are the rules for the interface in question that seem to make the IPSEC tunnel work: [snip] Look in /tmp/rules.debug and search for IPSEC. Do you see rules permitting traffic to the interface? Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
Here are the rules for the interface in question that seem to make the IPSEC tunnel work: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank Vaughn On Mon, 2 Apr 2007 20:11:10 -0400, "Scott Ullrich" <[EMAIL PROTECTED]> said: > On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > > I've just tested the most recent pfsense update available on > > http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ > > Please show the IPSEC rules that are relevant to the interface in > question as you did prior. > > Thanks! > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I've just tested the most recent pfsense update available on http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Please show the IPSEC rules that are relevant to the interface in question as you did prior. Thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I've just tested the most recent pfsense update available on http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Here is the system's firmware information: 1.0.1-SNAPSHOT-03-27-2007 built on Mon Apr 2 19:21:19 EDT 2007 My results indicate that IPSEC over OPTx still does not work without explicitly opening UDP 500 and ESP on the interface in question to allow the interface's IP address to accept these two items. I believe that this may still be an older firmware, but I do not see a newer firmware available in the update format. At this time, I am also not in a position to test an .iso file. To do that, I will need to wait for the weekend when firewall usage is low. Vaughn On Fri, 30 Mar 2007 12:23:44 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: > I'll check back later this evening or Monday day sometime. > > Thanks, > > Vaughn > > Scott Ullrich wrote: > > This is an old image. The snapshot server has been down for some > > time... Try again 2-3 hours from now or on Monday. > > > > Scott > > > > > > On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > >> I just tried implementing IPSEC over an OPT interface using the > >> pfsense.iso file from March 29, 2007 at 7:19 p.m. > >> > >> Here are my results. IPSEC will not work over my OPT2 Interface without > >> adding specific firewall rules to the OPT2 interface to allow UDP 500 > >> and ESP to connect to that interface's IP address. > >> > >> Once I manually add the rules, the tunnels get created and work > >> correctly over the OPT2 interface. Before I manually added the rules to > >> the OPT2 interface, I noticed that there was no SAD listing to the > >> tunnel being tested. Both ends of the tunnel were, however, listed on > >> the SPD tab of the IPSEC tunnel diagnostic page. > >> > >> Once I added the needed firewall rules to the OPT2 interface, the VPN > >> tunnel immediately set up and started working. At that time, the proper > >> entries appeared in the SAD on the IPSEC diagnostic page. > >> > >> Also, I noticed during the loading of the pfsense firewall software > >> while it was connecting services, etc. that an error message appeared > >> that stated that there was an invalid argument foreach on line 7 of the > >> /etc/inc/vslb.inc file. Don't quote me on the line number, but I'm > >> pretty sure it was line 7. I'm not sure if this is related to my IPSEC > >> issue, but I thought I'd comment in case it is relevant. > >> > >> Thanks, > >> > >> Vaughn Reid III > >> > >> Tunge2 wrote: > >> > If this is working it would be a great step a head :) > >> > > >> > -Oorspronkelijk bericht- > >> > Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] > >> > Verzonden: vrijdag 30 maart 2007 1:08 > >> > Aan: support@pfsense.com > >> > Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems > >> > > >> > Have the IPSEC changes been committed and built yet? I'm looking > >> at the > >> > update files, and they all still say March 27 2007. I'm using this > >> > repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ > >> > > >> > Should I be looking somewhare else for the update with the IPSEC fix? > >> > > >> > Thanks, > >> > > >> > Vaughn > >> > > >> > On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III" > >> > <[EMAIL PROTECTED]> said: > >> > > >> >> Thanks for your hard work. I appreciate it and I'm sure my customers > >> >> do too. > >> >> > >> >> Vaughn > >> >> > >> >> Vaughn L. Reid III wrote: > >> >> > >> >>> The ones ones that say Computer Support are from the test tunnel > >> >>> that I created to use OPT2. > >> >>> > >> >>> The interfaces on this machine are labeled like this: > >> >>> > >> >>> LAN => em0 > >> >>> WAN => em1 > >> >>> ATTDSL => em4 -- This is the OPT interface that I was using for the > >> >>> Computer Support VPN test wireless => em2 > >> >>> > >> >>> Vaughn > >> >>> > >> >>> Scott Ullrich wrote: > >> >>> > >> Okay, so that I am on the same page as you. Those $wan rules > >> should have read $optX ?? > >> > >> Scott > >> > >> > >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> > >> wrote: > >> > >> > Oops! Sorry for the double post. > >> > > >> > Vaughn L. Reid III wrote: > >> > > >> >> Here is the relevant text of my rules.debug file. It looks like > >> >> the interface on the connection "computer support" has the same > >> >> interface as the rest of the tunnels. This is the test > >> >> connection that should be using OPT3. > >> >> > >> >> # let out anything from the firewall host itself and decrypted > >> >> IPsec traffic pass out quick on $lan proto icmp keep state label > >> >> "let out anything from firewall host itself" > >> >> pass out quick on $wan proto icmp keep state label "let out > >> >> anything from firewall host itself" > >> >> pass out quick on em1 all keep state label "let out anything > >> >> from firewall host itself" > >> >> #
Re: [pfSense Support] Client-Specific-Configuration - OpenVPN
On 4/1/07, Kelvin Chiang <[EMAIL PROTECTED]> wrote: Hi, I realized that even though the Client-Specific-Configuration is deleted, the openvpn-csc directory still have the file in there. This cause the openvpn server still uses the options stated in this file. Does anyone experience the same thing? I presume that the action to delete the CSC from the web interface did not delete the file in openvpn_csc directory, where do I make changes to sort this? I read through openvpn.inc but it did not seem to contain any relevant functions. This should now be fixed. Please try a snapshot a couple of hours from now. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] bridged interface and "arp: moved..." messages
On 4/2/07, Diego Morato <[EMAIL PROTECTED]> wrote: Scott, The Shared Physical Netork option is not setting net.link.ether.inet.log_arp_movement in my box. I check and save, and unckek and save, and this always stay in 1. I´m using sysctl -a to list the onfigurations. It only print 1 -> 0 at the top to the page. Oops, it was setting sysctl -n net.link.ether.inet.log_arp_wrong_iface=0 I've fixed both of the problems. Please try a snapshot a couple of hours from now. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Killing/Cutting off a TCP connection
Great, Glad to see that feature. I have not needed to do it with this snap shot. I had to do it previousy when changing NAT rules for client machines. I have not needed to with the new version. I am assuming this has been clean up more? Robert On Thursday 29 March 2007 22:38, Scott Ullrich wrote: > On 3/29/07, Robert Goley <[EMAIL PROTECTED]> wrote: > > I found the command. Here are some basics on it. > > > > pfctl > > [snip] > > Newer snapshots can kill the states from Diagnostics -> States without > the command line. > > Scott > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] PFSense Bridge & VOIP issue
I plundered through the archives and couldnt find any help on this issue. I have a 1.0.1 PFSense unit in Bridge between WAN & OPT1 interface. I have (for testing) an allow * in & out rule on all 3 interfaces (the LAN is unplugged and just used for management when needed). I can create various drop rules to test the functionality of the bridge and most is working as expected. When I attempt to place a VOIP call, I have no audio either way of the call. If I bypass the bridge and plug the voip phone directly on the other side of the network, all is well. You can ping & manage the phone through the bridge fine from the server side. We had this scenerio working fine via NAT but network circumstances have changed forcing me to bridge my network to another. Any ideas? Tim
Re: [pfSense Support] NAT Mapping failure
Sorry, This particular issue turned out to be a typo in the virtual IP address. It was trying to do right but of course would not work. As for why the WAN connection did not work correctly when I tested using the interface address, I am not sure. I deleted and recreated all rules and forwards for that interface many times. After I made all the others work (which only took a couple of minutes), I redid the rules for WAN one more time. It started working better. Then I noticed the typo for 2 of the 5 IP addresses set for the device. The only remaining issues I have are DNS and a possible bug. The caching DNS server/service of pfsense is not working. It is refusing the clients that try to get DNS info from it. The pfsense router is unable to resolve any DNS names for the ping command either. The DNS servers are set for the interface. The same DNS servers are what the of clients on the network had to be set to and are working. The bug issue is a feature that is now missing. For the firewall/gateway rules for the LAN interface, you used to be able to add a rule based on the destination port. That is not longer on the page. You can use source port but that is useless in most cases. I need to direct outgoing traffic out different WANs based on the destination port. This worked in the 11-29-06 version I upgraded from. Thank you ffor your time. Again I apologize for my email behavior. It was late and I was running pretty low on fuel at that point. Robert On Friday 30 March 2007 02:04, Holger Bauer wrote: > Please don't switch the topics of your mails concerning the same issue > constantly. It's hard to follow/track a vonversation this way. Thank > you. > > Holger > > > -Original Message- > > From: Robert Goley [mailto:[EMAIL PROTECTED] > > Sent: Friday, March 30, 2007 2:42 AM > > To: support@pfsense.com > > Subject: [pfSense Support] NAT Mapping failure > > > > I did find that 1-1 mapping is breaking the outgoing connect > > of the machine that is being mapped. I verified this by > > switching a 1-1 NAT mapping between to machines. I was able > > to access before the map and could not after. on the other > > machine that had the map to start with, I could not access out. > > After switch the map to another machine I was able to access > > it from this machine. I have deleted all NAT port forward > > for the WAN interface and recreated 2 for testing SSH and > > HTTP. Neither work. The same portforwards for OPT1 and OPT2 > > work. The firewall rules were autocreated by pfSense. I an > > using any for the from IP addresses and ports. > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] For > > additional commands, e-mail: [EMAIL PROTECTED] > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] bridged interface and "arp: moved..." messages
Scott, The Shared Physical Netork option is not setting net.link.ether.inet.log_arp_movement in my box. I check and save, and unckek and save, and this always stay in 1. I´m using sysctl -a to list the onfigurations. It only print 1 -> 0 at the top to the page. System: 1.0.1-SNAPSHOT-03-15-2007 built on Fri Mar 23 05:07:13 EDT 2007 -- Diego - Original Message - From: "Scott Ullrich" <[EMAIL PROTECTED]> To: Sent: Sunday, April 01, 2007 12:20 AM Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages On 3/31/07, Charles Sprickman <[EMAIL PROTECTED]> wrote: > On Sat, 31 Mar 2007, Scott Ullrich wrote: > Just out of curiousity, what does this setting actually do? Does it move > the WAN IP to the bridge interface? No, it sets sysctl -w net.link.ether.inet.log_arp_movement=0. -HEAD has different code which moves the IP to the bridge interface. [snip] Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
