Re: [pfSense Support] Tutorial Request: Setting up OPT1 for WiFi
Paul- Run an ethernet cable from your OPT1 interface to one of your switch/LAN ports on your AP. Make sure it is NOT the WAN/Internet port. Disable DHCP on the AP. You may also want to configure MAC filtering, encryption, and authentication on the AP. In pfSense, enable DHCP on your OPT1, and put in your firewall rules. You may wish to start with an Allow all FROM anywhere TO anywhere rule to get started before locking things down. I know this isn't a 'tutorial' as you requested, but it can at least give you a good start. I run a Linksys WRT54G with DD-WRT on an OPT interface in several locations. Feel free to ask more questions.

Tim Nelson
Technical Consultant
Rockbochs Inc.

----- Original Message -----
From: Paul Brown [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Thursday, August 30, 2007 9:34:16 PM (GMT-0600) America/Mexico_City
Subject: [pfSense Support] Tutorial Request: Setting up OPT1 for WiFi

Perhaps I'm just a bit slower than most but I'm having some trouble setting up my Linksys (with dd-wrt installed) to run on my OPT1 interface. I would like to have the Linksys provide the wireless service but have the DHCP, firewall, etc. services handled by pfSense. Would anybody be willing to write a tutorial on this for http://www.pfsense.com/index.php?id=36 ? It seems like this would be useful to a number of people.

Thanks
Paul
[pfSense Support] Re: [pfSense-discussion] did something change in 1.2rc1?
On Fri, Aug 31, 2007 at 11:48:07AM +0200, Eugen Leitl wrote:

I'm defining firewall rules according to http://pfsense.trendchiller.com/transparent_firewall.pdf but they seem to get ignored. There's a comment which says the logic is now reversed -- before I lock myself out, can someone confirm or deny this (that I need to define things on the WAN tab instead of the LAN tab in Firewall: Rules)?

Strange, whatever I do I get no change:

    # pfctl -s rules
    pass quick proto carp all keep state
    pass quick proto pfsync all
    pass out proto tcp from any to any port = domain keep state
    pass out proto udp from any to any port = domain keep state

Any ideas?
[pfSense Support] Issues with pfSense and Captive Portal
Good day. Thank you for the help you have given us in our initial usage of pfSense. We are however experiencing some issues with pfSense 1.0.1 in general and also have a CaptivePortal pre-authentication issue.

First issue: I have a particular machine that is capable of going anywhere on the internet and has yet to authenticate via the CaptivePortal. If this machine can do this, I am sure there are others. The device will show up in the DHCP lease but there is no way to cancel their connection in 1.0.1. And the device does not show up in the CaptivePortal page at all.

Second and biggest issue: We have particular users who run Safari, Firefox, and IE 7 that our initial captive portal page will allow them to authenticate our Acceptable Use Page (AUP) and then once they click Accept, it brings up the AUP again. If they log in again, it repeats the action. We have discovered that in IE, you can check the Check for new Page on each attempt and that will correct it. We have emptied/deleted the cache and this does not work. Has anyone seen this before and if corrected, what was the fix action?

Thank you
Dwane
RE: [pfSense Support] Issues with pfSense and Captive Portal
Dwane, Give me the specifics like IP address, MAC address, for Number 1.

The second issue may not be clearly described. I think we complete the login process (all the way to the LOGOUT pop-up), then click on the HOME page and it re-displays the AUP page, etc. This seems to be a problem with the browser caching the redirected page, not the originally requested page. I thought from what Ed said, that getting a new page everything did NOT work. If you find a PC that has this condition, let me look at it.

Fred

From: Atkins, Dwane P [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 31, 2007 8:36 AM
To: support@pfsense.com
Subject: [pfSense Support] Issues with pfSense and Captive Portal
[pfSense Support] RE: Issues with pfSense and Captive Portal
My apologies. I may not have been totally clear on the second issue. It appears that the authentication process does complete. It is just that when you call up a browser, the Acceptable Use Policy comes up again. It looks like there may be an issue with caching or potentially the redirection with these web browsers. Any help would be appreciated.

Dwane

From: Atkins, Dwane P
Sent: Friday, August 31, 2007 8:36 AM
To: 'support@pfsense.com'
Subject: Issues with pfSense and Captive Portal
[pfSense Support] Re: Authentication errors on pfsync
I have more info, more confusing. I have deleted all carp interfaces. When I set a CARP address on the LAN, everything works as expected, except for the authentication failure message below. However, when I add a CARP address on the WAN interface, I get the following errors:

    Aug 31 10:17:49 php: : Beginning XMLRPC sync to http://10.0.0.3:80.
    Aug 31 10:17:51 php: : XMLRPC sync successfully completed with http://10.0.0.3:80.
    Aug 31 10:17:51 php: : Beginning XMLRPC sync to http://10.0.0.3:80.
    Aug 31 10:17:51 php: : An error code was received while attempting XMLRPC sync with username admin http://10.0.0.3:80 - Code 801: Authentication failure
    Aug 31 10:17:51 php: : New alert found: An error code was received while attempting XMLRPC sync with username admin http://10.0.0.3:80 - Code 801: Authentication failure

And on the backup machine, the CARP address shows up, but the CARP interface section is blank (the section where on the LAN it shows carp0, and on this one it should presumably show carp1) and the status just has the grey arrow, like for the LAN, but it doesn't say Backup like the LAN one does. So why would it transfer successfully once but fail authentication tenths of a second later? And what's wrong with my CARP backup?

Ron Garcia-Vidal wrote:

I have 2 machines set up doing CARP with a dedicated crossover connecting them for pfsync. I keep getting the following error:

    php: : An error code was received while attempting XMLRPC sync with username admin http://X.X.X.X:80 - Code 801: Authentication failure

I have typed and retyped the password on both machines several times, and still get this error. The CARP interfaces, NATs and firewall rules replicate ok, but some of the CARP interfaces show up as master on both and I get a bad hash error (even though I set the hash on one box and let it replicate to the other). I'm using the snapshot that was released on 8/27, since when I ran the regular RC2, both machines were rebooting sporadically. Any ideas?

-Ron
[pfSense Support] Re: Authentication errors on pfsync
Even more information: When CARP was working properly, I SSHed from a machine behind the firewall to a machine outside and started a `seq 1 10`. Once underway, I took the master offline. The seq count would hang for less than a minute and pick right back up when the backup promoted itself. Bringing the master back online didn't even have a hang, it was totally seamless. Under the current snapshot, that seq count hangs and stays hung until I bring the master back online. Does this help? Should I be posting this to another forum?

-Ron
Re: [pfSense Support] anyone noticed slowdown in RC1 or RC2?
Jonathan Horne wrote:

I have a client, who has been running pfsense since January. I recently updated him to 1.2-RC1, and since then, his internet browsing for his site has been really poor. When a browser is opened, the initial connection to the site takes 10-15 seconds, then the site starts to open. Other links within the site will seem to work fine, but when you try to open another site, pause.. then opens.

For the sake of the archives - Jonathan sent me the packet captures as I instructed in a previous reply. It's nothing pfsense-related, it's DNS on the client machine. The client machine is doing several lookups (IPv6) which are timing out or getting empty responses before doing A lookups (IPv4) for the domain name. This is adding a 10-15 second delay to every DNS lookup while all the IPv6 lookups fail. Since your typical page load is going to make a few DNS queries, incurring this delay several times, it has a significant impact on page load times. Once the machine queries the A record as it should have initially, it gets a reply very quickly and immediately pulls down the web page with no delays whatsoever.
Re: [pfSense Support] LAN / WAN Disconnections continue in 1.2-RC1, Intel Pro/1000GT NICs with 370M RAM
I think we may have got this fixed (albeit as a kludge?). Essentially the fix is to ping the static IP's first hop; if this is down then flick the WAN NIC state down and up. This restores the lost connection where the Motorola 5101 has stopped sending packets (presumably for some incompatibility reason). The Motorola 5101 has today been replaced with a 5100; the ISP tell me most commercial lines are running the 5100 as they say it is more router compatible than the newer 5101. I'll advise if the 5100 exhibits the same behaviour(!), however if it does the following should address it within a minute. If you are copying it be sure to copy it exactly, as spaces in the wrong place stuff it up etc!!

For both the lists and my record it is done by:

= in /etc/crontab add

    */1 * * * * root /usr/bin/pinger.sh

= from edit.php create / write into new file /usr/bin/pinger.sh

    #!/bin/sh
    # Probe the first hop once; FreeBSD ping exits 2 when the probe was sent but no reply came back
    ping -c1 Insert_1st_Gateway_Hop_Here_commonly_Static_IP_a.b.c.1
    if [ $? -eq 2 ]; then
        # No reply: bounce the WAN NIC (em0) to recover the link
        ifconfig em0 down
        ifconfig em0 up
        echo 'Gateway Down'
    else
        echo 'Gateway Up'
    fi

= from exec.php run

    chmod u+x /usr/bin/pinger.sh

= from exec.php run

    ls -l /usr/bin/pinger.sh

and check there is an x in the file permissions (for executable).

It will have run when you see a log series of commands starting with

    Sep 1 11:32:13 kernel: em0: link state changed to UP
    Sep 1 11:32:11 kernel: em0: link state changed to DOWN

The only problem I see with this approach is that whenever the Internet is down for whatever reason the WAN interface is going to be disconnected and reconnected every minute, as well as filling the logs with this info, but that seems only of concern from the perspective of filling the log with rubbish. I might tinker with it to send me an email to advise me when the code has also run.

Whilst we could have changed to a different router (non freebsd) I really like the pfsense and its monowall heritage, and wanted to give back something by solving this problem in some sort of gratitude and small contribution. I hope this helps someone and goes in some small way to contribute to what is a great piece of software - and the leaders and community behind it. Thanks to Vivek, Sean, Bill, Raj, Paul and others also!

Kind regards
David Hingston
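A stateful variant of the pinger.sh approach, added here as an example and not David Hingston's script: it bounces the NIC on the first missed probe and then only every RETRY_EVERY further misses, so the every-minute flapping and log noise he mentions stop during a long outage. GATEWAY, WAN_IF and the state-file path are assumed placeholders, and the ping exit codes follow FreeBSD ping(8).

```shell
#!/bin/sh
# Added example, not the script from the list post: a stateful version of the
# pinger.sh idea. It bounces the WAN NIC on the first missed ping, then only
# every RETRY_EVERY further misses, so a long outage does not flap the link and
# flood the log every minute. Placeholders: GATEWAY and WAN_IF (assumed values).
# Exit-status convention is FreeBSD ping(8): 2 = probe sent but no reply.

GATEWAY="${GATEWAY:-192.0.2.1}"               # placeholder first-hop address
WAN_IF="${WAN_IF:-em0}"                       # WAN NIC, em0 as in the post
STATE_FILE="${STATE_FILE:-/var/run/pinger.fails}"
RETRY_EVERY="${RETRY_EVERY:-10}"              # re-bounce after this many misses

# decide_action FAILS PING_EXIT -> prints "ACTION NEW_FAILS"
# FAILS is the count of consecutive misses so far; ACTION is keep|bounce|recovered.
decide_action() {
    fails="$1"; code="$2"
    if [ "$code" -eq 0 ]; then
        if [ "$fails" -gt 0 ]; then echo "recovered 0"; else echo "keep 0"; fi
    elif [ "$code" -eq 2 ]; then
        fails=$((fails + 1))
        if [ "$fails" -eq 1 ] || [ $((fails % RETRY_EVERY)) -eq 0 ]; then
            echo "bounce $fails"
        else
            echo "keep $fails"
        fi
    else
        # Any other status is a local ping error (bad name, no route), not
        # evidence that the modem stopped passing packets: leave the NIC alone.
        echo "keep $fails"
    fi
}

read_fails() { [ -r "$STATE_FILE" ] && cat "$STATE_FILE" || echo 0; }

run_watchdog() {
    prev=$(read_fails)
    ping -c1 -t 5 "$GATEWAY" >/dev/null 2>&1   # -t: FreeBSD per-run deadline
    code=$?
    set -- $(decide_action "$prev" "$code")
    action="$1"; fails="$2"
    case "$action" in
        bounce)
            logger -t pinger "gateway $GATEWAY unreachable ($fails misses), bouncing $WAN_IF"
            ifconfig "$WAN_IF" down && ifconfig "$WAN_IF" up ;;
        recovered)
            logger -t pinger "gateway $GATEWAY reachable again after $prev misses" ;;
    esac
    echo "$fails" > "$STATE_FILE"
}

# Only act when started from cron with PINGER_RUN=1, e.g. in /etc/crontab:
# */1 * * * * root PINGER_RUN=1 /usr/bin/pinger.sh
if [ "${PINGER_RUN:-0}" = "1" ]; then
    run_watchdog
fi
```

The state file survives between cron runs, so the bounce and recovery lines appear once per transition in the system log instead of once a minute.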
Re: [pfSense Support] IPSEC and NAT
I'm tearing my hair out... and I have very little to spare. In an effort to determine what's going on, I've set up a vlan in order to have an actual interface to work with. So, I've set up a vlan on the pfSense box for the same interface as lan, and given it an address of 10.100.100.81/28. I've also set up another host in the local network with 10.100.100.83/28.

With this configuration, and IPSEC enabled, the remote host is successfully able to ping the 10 net address (10.100.100.81) of the firewall. The firewall however, is not able to ping the remote host. And the local host is not able to ping the address of the firewall. Just to add insult to injury, the firewall cannot even ping its own address!

Now if I change the mask on the vlan interface to a /8, the firewall is then able to ping the remote host, but still cannot ping itself. The local 10 net host is not able to ping either the firewall or the remote host.

And last, if I disable IPSEC, then things look more normal: the firewall is able to ping itself and the local host.

I'm sure that there has to be a reasonable and logical explanation for all of this, but every time I try to come up with an explanation of what's going on, I end up with the term Packet Vortex :-) Can anyone help me understand this?

Denny

On Aug 29, 2007, at 11:20 , Denny Page wrote:

Hello, I have what I thought would be a simple item to solve, but have been unable to find a way to make this work with pfSense. Here's the configuration:

    remote-host (10.101.1.1)
        |
    remote-net (10.0.0.0/8)
        |
    remote-ipsec-server (11.11.11.11)
        |
    internet
        |
    pfsense (wan 22.22.22.22, lan 192.168.0.1/16)
        |
    local-net (192.168.0.0/16)
        |
    local-host (192.168.0.2)

The way IPSEC is set up is that the remote net is 10.0.0.0/8, whereas my local portion is 10.100.100.80/28. What I am trying to do is to have hosts in the local network access the remote 10.0.0.0/8 network in the same way that they access hosts in the internet. In other words, I want to hide them behind NAT. There are no inbound connections to the local net from the remote net, all connections originate from the local net. The remote IPSEC device is a Cisco. The pfSense version is 1.2-RC2. I'm migrating to pfSense from Shorewall on Linux.

I have the IPSEC vpn configured in pfSense with local network 10.100.100.80/28, and remote network 10.0.0.0/8. I have a virtual IP 10.100.100.81 set up on the WAN interface. I have AON enabled, and I have a NAT rule on the WAN interface for destination 10.0.0.0/8 with NAT address 10.100.100.81. For testing, I have a firewall rule for IPSEC that allows all packets from the remote host (10.101.1.1) to any destination.

If I ping 10.10.1.1 from the local host, nothing happens--pfsense does not initiate the IPSEC connection. If I ping any address in the 10.100.100.80/28 network from the remote host, the tunnel successfully initiates. IPSEC traffic is seen between the remote server and pfSense. Even though the tunnel is already up, ping from the local host to the remote host still results in no traffic whatsoever. I cannot get pfSense to route packets destined for 10.0.0.0/8 through the tunnel.

Can anyone suggest a way to solve this?

Thanks,
Denny