Re: [pfSense Support] OpenVPN GUI troubles
Didn't fix it, unfortunately. I am at a loss. It connects but I can't reach the LAN...

Curtis LaMasters wrote:

If I remember correctly, the first 5 IPs (1-5) are taken by adapters, virtual interfaces, etc. and the first available IP is .6. That might be your issue.

Curtis

On Jan 30, 2008 10:43 PM, Gabe Green [EMAIL PROTECTED] wrote:

Okay, *almost* got OpenVPN working. I can connect now, but not reach any hosts on the LAN side of pfSense.

Now on the *server* side, this is what I do not get. Our default LAN is 192.168.111.0/24, but I specified 192.168.253.0/24 in the OpenVPN setup. DHCP is not enabled on the server-side OpenVPN config.

pfSense side config:

Protocol: UDP
Local port: 1194
Address pool: 192.168.253.0/24
Remote Network: (blank)
Cryptography: AES-128-CBC (128-bit)
Shared key: same as key specified in client config below
DHCP-Opt: DNS-Server: 192.168.111.108
DHCP-Opt: WINS-Server: 192.168.111.108
DHCP-Opt: NTP-Server: (blank)
DHCP-Opt: NetBIOS node type: m-node
DHCP-Opt: NetBIOS Scope: (blank)
DHCP-Opt: Disable NetBIOS: (unchecked)
LZO compression: (checked)
Custom options: (blank)
Client and Client-specific configuration are left blank

At home, I set my tap1 adapter to the following static configuration:

IP address: 192.168.253.5
Netmask: 255.255.255.0
Gateway: 192.168.111.22 (pfSense VPN LAN IP, set as default gateway as per suggestion)
DNS: 192.168.111.108 (DNS server for the pfSense LAN; pfSense is not serving up DNS)

I added a WAN firewall rule, at the top, to permit traffic anywhere on port 1194, from the WAN to the LAN (or anywhere else). No-go.

My current OVPN config file:

;dev tap
dev tap1
dev-node tap1

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote PFSENSE.WAN.IP.ADDRESS 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

secret static.key ## THIS IS THE SAME KEY AS IN THE PFSENSE OPENVPN CONFIG
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

== LOG FILE FROM OVPN ==

Wed Jan 30 01:15:40 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Jan 30 01:15:40 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jan 30 01:15:40 2008 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 30 01:15:40 2008 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 30 01:15:40 2008 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 30 01:15:40 2008 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 30 01:15:40 2008 LZO compression initialized
Wed Jan 30 01:15:40 2008 TAP-WIN32 device [tap1] opened:
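The checks a practitioner would run against a static-key (shared secret) OpenVPN pair like the one posted above, as an added example that is not code from the pfSense project or from anyone in this thread. The client text is a constructed copy of the active lines of the posted .ovpn; the SERVER dict mirrors the pfSense GUI fields as the poster listed them. Static-key mode pushes nothing to the client, so a `route` to the server's LAN has to be carried in the client config with a next hop on the tunnel subnet; the server's tap address is assumed here to be 192.168.253.1, which the post does not state.

```python
"""Consistency checks for an OpenVPN 2.0 static-key client/server pair."""
import ipaddress

# Constructed sample: the active lines of the posted client config.
CLIENT_OVPN = """\
dev tap1
dev-node tap1
proto udp
remote PFSENSE.WAN.IP.ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
secret static.key
;ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
"""

# pfSense-side settings as listed in the post (tap_address is an assumption).
SERVER = {
    "proto": "udp",
    "port": 1194,
    "address_pool": "192.168.253.0/24",
    "cipher": "AES-128-CBC",
    "lzo": True,
    "lan": "192.168.111.0/24",      # the LAN behind pfSense
    "tap_address": "192.168.253.1",  # assumed server end of the tap subnet
}


def parse_ovpn(text):
    """Map each active option to the list of argument lists it appears with.

    Lines starting with '#' or ';' are comments, and a trailing '# ...' on an
    option line (as on the posted 'secret' line) is dropped.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = line.split("#", 1)[0].split()
        opts.setdefault(words[0], []).append(words[1:])
    return opts


def check_static_key_setup(client_text, server, tap_ip, tap_mask, tap_gateway):
    """Return a list of 'category: detail' findings; empty means both sides agree."""
    c = parse_ovpn(client_text)
    findings = []

    proto = c.get("proto", [["udp"]])[-1][0]
    if proto != server["proto"]:
        findings.append(f"proto: client {proto}, server {server['proto']}")

    remote = c.get("remote", [[]])[-1]
    port = int(remote[1]) if len(remote) > 1 else 1194
    if port != server["port"]:
        findings.append(f"port: client {port}, server {server['port']}")

    if "secret" not in c:
        findings.append("secret: client has no shared-key line")

    cipher = c.get("cipher", [["BF-CBC"]])[-1][0]  # OpenVPN 2.0 default cipher
    if cipher != server["cipher"]:
        findings.append(f"cipher: client {cipher}, server {server['cipher']}")

    if ("comp-lzo" in c) != server["lzo"]:
        findings.append("comp-lzo: enabled on one side only")

    pool = ipaddress.ip_network(server["address_pool"])
    tap = ipaddress.ip_interface(f"{tap_ip}/{tap_mask}")
    if tap.ip not in pool:
        findings.append(f"pool: {tap.ip} is outside {pool}")

    # A gateway is only usable if it is on-link for the interface using it.
    gw = ipaddress.ip_address(tap_gateway)
    gw_on_link = gw in tap.network
    if not gw_on_link:
        findings.append(f"gateway: {gw} is not inside {tap.network}")

    # Nothing is pushed in static-key mode: either the default gateway sits on
    # the tunnel subnet or the client needs an explicit route to the server LAN.
    lan = ipaddress.ip_network(server["lan"])
    routed = gw_on_link
    for args in c.get("route", []):
        net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        via = ipaddress.ip_address(args[2]) if len(args) > 2 else None
        if lan.subnet_of(net) and (via is None or via in tap.network):
            routed = True
    if not routed:
        findings.append(
            f"route: no path to {lan} through the tunnel; add "
            f"'route {lan.network_address} {lan.netmask} {server['tap_address']}'"
        )
    return findings


if __name__ == "__main__":
    for f in check_static_key_setup(CLIENT_OVPN, SERVER,
                                    "192.168.253.5", "255.255.255.0",
                                    "192.168.111.22"):
        print(f)
```

Run against the values in the post, the protocol, port, cipher, compression and shared-key checks all pass and only the last two fire: the tap adapter's gateway is on a different subnet than the adapter itself, and no route leads to 192.168.111.0/24 through the tunnel. Adding `route 192.168.111.0 255.255.255.0 192.168.253.1` (with the assumed server tap address) clears the route finding; pointing the adapter's gateway at an address inside 192.168.253.0/24 clears both.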
Re: [pfSense Support] Fresh Install -- Broken logging
Jack Doyle wrote:

I've just reinstalled (fresh this time) 1.2-RC4 and logging has, once again, stopped. The last log entry I have anywhere is at 16:22 (it is now 18:28). I just generated some traffic that should be logged and it is not. This includes the system log, firewall log, DHCP log, all of them. Anyways, I can't seem to figure out why this is happening. Please help.

Could you start syslogd manually with debug enabled and no-daemon so you can see why it dies?

Sorry if this is really obvious, but is /var or /var/log a separate partition, and is it full, or are you seeing errors on the console indicating a disk fault?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Re: IPv6
Eugen Leitl wrote:

On Wed, Jan 30, 2008 at 09:19:21PM +0200, Graham Beneke wrote:

While I can appreciate that this is an issue of supply vs demand - I would like to say that I think that it would be in the best interests of the project to aim for at least an IPv6 capable beta release before the end of this year.

That sounds like good advice (I'm not particular to that date). IPv6 support on home and company LAN is already easy, but 6to4 tunnels across WAN is

I would agree that IPv6 shouldn't be left totally on the back burner - at the very least ensure that consideration is given to IPv6 support when any changes are being made - start early and it should be less of a burden!
Re: [pfSense Support] OpenVPN GUI troubles
On the client side config add in:

pull
float

and uncomment ns-cert-type server. Then send your log back if it doesn't connect. You could also change verb 3 to verb 5 for more logging.

Curtis
Re: [pfSense Support] Fresh Install -- Broken logging
Enable SSH, connect in, then go to the filter logs and see if it's logging anything there. Curtis
Re: [pfSense Support] Re: IPv6
I don't know if it would help, but I have a few extra 2500 series cisco routers that I could donate to the cause for testing. With IOS 12.3T IPv6 is an option. Curtis
Re: [pfSense Support] possible bug in filter rule replication
Paul M wrote:

I've noticed that if I have a pair of firewalls - master/slave - and have a comment in the filter rules which contains a colon or a full stop, they are replaced by spaces when the rules are replicated. Is this a known bug?

Without looking at the code, I suspect that this is intentional. Colons and other special characters can munge up the rules parsing and I'm guessing there's some input validation code that's cleaning out characters that can cause problems.
Re: [pfSense Support] possible bug in filter rule replication
Gary Buckmaster wrote:

Paul M wrote:

I've noticed that if I have a pair of firewalls - master/slave - and have a comment in the filter rules which contains a colon or a full stop, they are replaced by spaces when the rules are replicated. Is this a known bug?

Without looking at the code, I suspect that this is intentional. Colons and other special characters can munge up the rules parsing and I'm guessing there's some input validation code that's cleaning out characters that can cause problems.

Well, sounds reasonable, but why don't these punctuation marks get removed on the master's rule set?
Re: [pfSense Support] Pfsense public internet w/ authentication
The most robust solution would be to add another NIC to your setup with an external access point of some sort. I've always had outstanding luck with Linksys WRT54G and DD-WRT firmware. Enable captive portal on the new interface. For your firewall rules, you would want rules allowing access out to DNS (port 53), HTTP (80), and HTTPS (443). If a wireless client is not authenticated with the CP, no traffic will pass out unless the destination IP is in the allowed list in the CP. You will need to make sure your clients are allowed to access DNS somehow.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332

----- Original Message -----
From: Dane Reugger [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Thursday, January 31, 2008 10:40:23 AM (GMT-0600) America/Chicago
Subject: [pfSense Support] Pfsense public internet w/ authentication

I have a small computer shop and would like to set up a free / open access point so that clients can use it while in the shop. But I don't want it so open that my neighbors are using it for nefarious purposes. Can somebody recommend a configuration?

My thoughts:
- Add another NIC and a wireless router or access point w/ captive portal
- Add a wireless NIC, Ad-Hoc w/ captive portal
- Set up some sort of VLAN w/ access point

Any recommendation on the route I should go? Another route?

And a lazy question (I've not really looked into it) - what is the best / easiest way to lock this connection down to HTTP only? And will failure to log into the captive portal block all traffic or just prevent browsing?

Thanks,
-Dane
[pfSense Support] Pfsense public internet w/ authentication
I have a small computer shop and would like to set up a free / open access point so that clients can use it while in the shop. But I don't want it so open that my neighbors are using it for nefarious purposes. Can somebody recommend a configuration?

My thoughts:
- Add another NIC and a wireless router or access point w/ captive portal
- Add a wireless NIC, Ad-Hoc w/ captive portal
- Set up some sort of VLAN w/ access point

Any recommendation on the route I should go? Another route?

And a lazy question (I've not really looked into it) - what is the best / easiest way to lock this connection down to HTTP only? And will failure to log into the captive portal block all traffic or just prevent browsing?

Thanks,
-Dane
RE: [pfSense Support] Pfsense public internet w/ authentication
If you want to block by site, better use OpenDNS to block at DNS level.

-Raylund

From: Sean Cavanaugh [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2008 12:01 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Pfsense public internet w/ authentication

Security wise, remember that more and more programs are using HTTP tunneling to get out through firewalls. This type of traffic cannot really be stopped that well without layer 4+ firewalls that look at packet content. You will however block most of the joe blow users that will try stuff. Also adding in blocks to specific sites will help cut down on nefarious activities.

-Sean

Date: Thu, 31 Jan 2008 10:40:23 -0600
From: [EMAIL PROTECTED]
To: support@pfsense.com
Subject: [pfSense Support] Pfsense public internet w/ authentication

I have a small computer shop and would like to set up a free / open access point so that clients can use it while in the shop. But I don't want it so open that my neighbors are using it for nefarious purposes. Can somebody recommend a configuration?

My thoughts:
- Add another NIC and a wireless router or access point w/ captive portal
- Add a wireless NIC, Ad-Hoc w/ captive portal
- Set up some sort of VLAN w/ access point

Any recommendation on the route I should go? Another route?

And a lazy question (I've not really looked into it) - what is the best / easiest way to lock this connection down to HTTP only? And will failure to log into the captive portal block all traffic or just prevent browsing?

Thanks,
-Dane
RE: [pfSense Support] Pfsense public internet w/ authentication
Security wise, remember that more and more programs are using HTTP tunneling to get out through firewalls. This type of traffic cannot really be stopped that well without layer 4+ firewalls that look at packet content. You will however block most of the joe blow users that will try stuff. Also adding in blocks to specific sites will help cut down on nefarious activities.

-Sean

Date: Thu, 31 Jan 2008 10:40:23 -0600
From: [EMAIL PROTECTED]
To: support@pfsense.com
Subject: [pfSense Support] Pfsense public internet w/ authentication

I have a small computer shop and would like to set up a free / open access point so that clients can use it while in the shop. But I don't want it so open that my neighbors are using it for nefarious purposes. Can somebody recommend a configuration?

My thoughts:
- Add another NIC and a wireless router or access point w/ captive portal
- Add a wireless NIC, Ad-Hoc w/ captive portal
- Set up some sort of VLAN w/ access point

Any recommendation on the route I should go? Another route?

And a lazy question (I've not really looked into it) - what is the best / easiest way to lock this connection down to HTTP only? And will failure to log into the captive portal block all traffic or just prevent browsing?

Thanks,
-Dane
[pfSense Support] minor fix/request: button positions on NAT page compared to rules
On the NAT page, the buttons to the right of the NAT entries look like this:

E +

On the rules page, the buttons to the right are:

E X +

Maybe I'm being fussy, but could the NAT page be changed to suit the rules?

Thanks!
Paul
[pfSense Support] Carp FW Rules?
Good Afternoon

I have configured 2 virtual IPs under Virtual IPs in CARP mode. I configured the necessary ports in the NAT options for the services that I want to use. On the Internet side all services function OK; however, I cannot connect to these IPs from my internal net (LAN). The firewall logs show the following blocks:

Jan 31 15:56:08 pf: 2. 439592 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 24317, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.56845 189.2.203.19.80: S, cksum 0x330e (correct), 51016579:51016579(0) win 0 mss 1460
Jan 31 15:56:10 pf: 2. 560566 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 1182, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.51379 189.2.203.19.80: S, cksum 0x9f8a (correct), 52143:52143(0) win 0 mss 1460
Jan 31 15:56:13 pf: 2. 440578 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 31284, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.58885 189.2.203.19.80: S, cksum 0x2b16 (correct), 51016579:51016579(0) win 0 mss 1460
Jan 31 15:56:15 pf: 2. 559579 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 21814, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.61750 189.2.203.19.80: S, cksum 0x7707 (correct), 52143:52143(0) win 0 mss 1460

How can I configure it to allow connections on those interfaces??

William David Armstrong
Bio Systems Security Networking
Re: [pfSense Support] Carp FW Rules?
On 1/31/08, William Armstrong [EMAIL PROTECTED] wrote:

Good Afternoon

I have configured 2 virtual IPs under Virtual IPs in CARP mode. I configured the necessary ports in the NAT options for the services that I want to use. On the Internet side all services function OK; however, I cannot connect to these IPs from my internal net (LAN). The firewall logs show the following blocks:

Jan 31 15:56:08 pf: 2. 439592 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 24317, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.56845 189.2.203.19.80: S, cksum 0x330e (correct), 51016579:51016579(0) win 0 mss 1460
Jan 31 15:56:10 pf: 2. 560566 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 1182, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.51379 189.2.203.19.80: S, cksum 0x9f8a (correct), 52143:52143(0) win 0 mss 1460
Jan 31 15:56:13 pf: 2. 440578 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 31284, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.58885 189.2.203.19.80: S, cksum 0x2b16 (correct), 51016579:51016579(0) win 0 mss 1460
Jan 31 15:56:15 pf: 2. 559579 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 21814, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.61750 189.2.203.19.80: S, cksum 0x7707 (correct), 52143:52143(0) win 0 mss 1460

How can I configure it to allow connections on those interfaces??

System - Advanced - Reflection

Scott
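The pattern Scott is pointing at can be picked out of the firewall log mechanically: an outbound block on a CARP interface whose destination is one of the firewall's own virtual IPs means the packet was routed toward the Internet to reach an address this firewall holds, which is the hairpin case NAT reflection exists for. The parser below is an added example, not code from pfSense or from this thread. The sample lines are a constructed copy of the four lines in the post, with the `>` that the tcpdump-style pf log prints between source and destination restored (it was lost in the archived copy), plus one constructed inbound line as a negative case. Which addresses are the two CARP VIPs is not stated in the post; treating both 189.2.203.19 and 189.2.203.20 as VIPs is an assumption made to match its description.

```python
"""Find hairpin (LAN-to-own-VIP) blocks in pfSense/pf filter log lines."""
import ipaddress
import re

# tcpdump-style line as written by pfSense 1.2's filter log.
PF_LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): \(.*?proto: (?P<proto>\w+) \(\d+\).*?\) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) >? ?"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Assumption: the two CARP VIPs from the post.
VIPS = ["189.2.203.19", "189.2.203.20"]

# Constructed sample: the four posted lines plus one inbound negative case.
SAMPLE_LOG = [
    "Jan 31 15:56:08 pf: 2. 439592 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 24317, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.56845 > 189.2.203.19.80: S, cksum 0x330e (correct), 51016579:51016579(0) win 0 mss 1460",
    "Jan 31 15:56:10 pf: 2. 560566 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 1182, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.51379 > 189.2.203.19.80: S, cksum 0x9f8a (correct), 52143:52143(0) win 0 mss 1460",
    "Jan 31 15:56:13 pf: 2. 440578 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 31284, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.58885 > 189.2.203.19.80: S, cksum 0x2b16 (correct), 51016579:51016579(0) win 0 mss 1460",
    "Jan 31 15:56:15 pf: 2. 559579 rule 527/0(match): block out on carp0: (tos 0x10, ttl 64, id 21814, offset 0, flags [DF], proto: TCP (6), length: 44) 189.2.203.20.61750 > 189.2.203.19.80: S, cksum 0x7707 (correct), 52143:52143(0) win 0 mss 1460",
    # Constructed: an ordinary inbound block from the Internet, not a hairpin.
    "Jan 31 15:57:01 pf: 3. 100000 rule 3/0(match): block in on em0: (tos 0x0, ttl 52, id 1, offset 0, flags [DF], proto: TCP (6), length: 60) 198.51.100.7.40000 > 189.2.203.19.22: S, cksum 0x0000 (correct), 1:1(0) win 5840 mss 1460",
]


def parse_pf_line(line):
    """Return the rule, action, direction, interface and 5-tuple, or None."""
    m = PF_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def hairpin_blocks(lines, vips):
    """Outbound blocks on a carp interface destined for one of our own VIPs."""
    own = {ipaddress.ip_address(v) for v in vips}
    hits = []
    for line in lines:
        rec = parse_pf_line(line)
        if rec is None:
            continue
        if (rec["action"] == "block" and rec["dir"] == "out"
                and rec["ifname"].startswith("carp")
                and ipaddress.ip_address(rec["dst"]) in own):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (rule, interface, destination, proto, port) so the
    affected forwarded service is visible at a glance."""
    counts = {}
    for h in hits:
        key = (h["rule"], h["ifname"], h["dst"], h["proto"], h["dport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(hairpin_blocks(SAMPLE_LOG, VIPS)).items():
        print(n, "x", key)
```

On the posted lines this reports four blocks by rule 527 on carp0 toward 189.2.203.19 port 80 and ignores the inbound line. The source in the posted lines is the other VIP rather than a private LAN address, which is consistent with LAN traffic that has already been through outbound NAT on its way out; enabling reflection, as the reply suggests, makes the firewall answer for its own forwarded ports from the inside so the packets never take that path.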
[pfSense Support] pfsense and soekris 5501
Has anyone had any issues with a NET5501 and pfsense? Either with a HD or CF install?

TIA
-Ron
RE: [pfSense Support] pfsense and soekris 5501
I've not tried an HD install, but we have about 15 net5501s out there in the wild running pfSense and there's been nary a problem with them. We're using 512MB compact flash cards made by Integral, if it's any help.

Regards,
Chris

--
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
Re: [pfSense Support] pfsense and soekris 5501
Ronald L. Rosson Jr. wrote:

Has anyone had any issues with a NET5501 and pfsense? Either with a HD or CF install?

TIA
-Ron

Did my install using VMware on a laptop. Did most of the config and set serial console. Then installed the SATA disk into the 5501. Works well. If you want to support VLANs, the Soekris 4 port Ethernet card seems to work well.

Chuck Benson
Re: [pfSense Support] pfsense and soekris 5501
No problems with 1.2-rc4.

- You should check the soekris homepage for issues (004), 005 and your hd/cf for errors.
- Verify your downloaded pfsense version with md5.

http://www.soekris.com/support.htm

Nylan

P.S.: What type of issues?

-----Original message-----
From: support@pfsense.com
Sent: 31.01.08 20:35:06
To: support@pfsense.com
Subject: [pfSense Support] pfsense and soekris 5501

Has anyone had any issues with a NET5501 and pfsense? Either with a HD or CF install?

TIA
-Ron
Re: [pfSense Support] Carp FW Rules?
Thanks a lot. It works now.

[]'s

William David Armstrong
Bio Systems Security Networking
[pfSense Support] minor issue with latest upgrade, mostly success.
I upgraded from RC3 to RC4 last night using the snapshots. Embedded platform on a WRAP. I copied the tar file to /tmp then ran option 13 on the console. After it asked me which kernel to install, it had a failure writing some .txt to the /boot/kernel directory with a complaint of read only file system. Then it proceeded to do its work, but within about a few seconds, it reported something about some processes being killed, and returned to the menu. From the shell, I could still see the firmware upgrade running, so I left it. After a few minutes, it rebooted and I was up and running 99.44% correct.

I had my usual /etc/ttys file being the wrong one. I just copied over my copy of ttys_wrap and did a kill -1 1 and considered it a success.

It seems just fine to me. This is just on my home LAN, so all I have is a basic NAT for outbound access.
Re: [pfSense Support] pfsense and soekris 5501
On Jan 31, 2008, at 2:01 PM, [EMAIL PROTECTED] wrote:

No problems with 1.2-rc4.

- You should check the soekris homepage for issues (004), 005 and your hd/cf for errors.
- Verify your downloaded pfsense version with md5.

http://www.soekris.com/support.htm

Nylan

P.S.: What type of issues?

Was just asking since I ordered one and an HD to go with it. Thanks all for the feedback.

-----Original message-----
From: support@pfsense.com
Sent: 31.01.08 20:35:06
To: support@pfsense.com
Subject: [pfSense Support] pfsense and soekris 5501

Has anyone had any issues with a NET5501 and pfsense? Either with a HD or CF install?
Re: [pfSense Support] minor fix/request: button positions on NAT page compared to rules
In my opinion, no, you're not being fussy ... UIs should be consistent wherever possible. pfSense (and probably m0n0wall, too) has some inconsistency issues in a few places; I've been meaning to make some suggestions / patches for some UI improvements and simplifications for some time. Maybe I'll get round to that someday ...

Paul M wrote:

On the NAT page, the buttons to the right of the NAT entries look like this:

E +

On the rules page, the buttons to the right are:

E X +

Maybe I'm being fussy, but could the NAT page be changed to suit the rules?

Thanks!
Paul