[pfSense Support] Block port http for single ip

2008-04-23 Thread Toto
Help me!!!

I want IP 192.168.1.2 to not be able to open the web but only do mail access. How do I set this up
in pfSense?

Thanks for your help



Re: [pfSense Support] Block port http for single ip

2008-04-23 Thread Aldo Chiu
Which interface is that IP address residing on? Try to block any port
towards that IP address under the corresponding firewall rules except the SMTP,
IMAP and POP ports. How about webmail? Are you gonna disable it, too?

Aldo
P.S. I am new to pfsense :P.

On Wed, Apr 23, 2008 at 5:23 PM, Toto [EMAIL PROTECTED] wrote:

  Help me!!!

 I want IP 192.168.1.2 to not be able to open the web but only do mail access. How do I
 set this up in pfSense?

 Thanks for your help






-- 
Regards,
Aldo Chiu

Ausing Trading (Australia) Pty Ltd
P +612 9282 9882 F +612 9282 9827
M +61405 312 908 E [EMAIL PROTECTED]

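A pf ruleset fragment illustrating the approach Aldo describes, added here as an example (pfSense 1.2 builds its ruleset from the GUI rules, and this is the equivalent pf syntax as it would appear in rules.debug, not text from the thread). The interface name em0 and the list of mail ports are assumptions. Blocking only port 80 would still leave HTTPS, proxies and alternate web ports open under a default-allow LAN rule, so the host gets a mail allowlist followed by a default deny, and ordinary LAN hosts keep the usual allow:

```pf
# Added example, not pfSense's generated rules. Assumed: the restricted host
# sits on the LAN interface em0.
lan_if          = "em0"
restricted_host = "192.168.1.2"
# SMTP, POP3, IMAP, SMTPS, submission, IMAPS, POP3S
mail_ports      = "{ 25, 110, 143, 465, 587, 993, 995 }"

# pfSense evaluates LAN rules on traffic entering the LAN interface and uses
# "quick", so the first matching rule wins and rule order matters.

# Allow the mail protocols from the restricted host
pass in quick on $lan_if proto tcp from $restricted_host to any \
    port $mail_ports flags S/SA keep state

# Allow DNS so the mail client can resolve the mail server's name
pass in quick on $lan_if proto { tcp, udp } from $restricted_host \
    to any port 53 keep state

# Default deny for this host: this covers HTTP (80), HTTPS (443) and any
# other port, including webmail, before the general LAN allow rule is reached
block in quick on $lan_if from $restricted_host to any

# All other LAN hosts keep the default "LAN to any" allow
pass in quick on $lan_if from $lan_if:network to any keep state
```

In the GUI this maps to three LAN rules in that order: a pass rule with a port alias for the mail ports, a block rule for the host, and the default LAN rule below them.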


Re: [pfSense Support] Failover problem

2008-04-23 Thread Gary Buckmaster

Martin Kruse Jensen wrote:

Hi.

I have a Soekris Net-5501 running pfSense 1.2, and two ISPs:

ISP A: Djursnet
ISP B: Stofanet (intended as a backup provider)

And I would like to use failover. However, there is a slight problem 
when I have configured pfSense for using failover and the following 
scenario occurs:


ISP A and B are both up and running, and another subscriber to ISP B 
(that is, on the same subnet) wants to talk to me. DNS tells them to 
contact me through ISP A, and so they do. However, since the source 
host is on the subnet of ISP B, pfSense replies through ISP B and then 
the source gets no data (not even an ACK).


I am clueless as to how to fix this problem, so I hope some of you have a 
suggestion.


Sincerely yours
Martin Kruse

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

For public-facing services like email or web service, create a policy 
route to ensure that all traffic from those services 
egresses your network on the interface listed by your DNS response. 





Re: [pfSense Support] Failover problem

2008-04-23 Thread Martin Kruse Jensen

Gary Buckmaster wrote:

 For public-facing services like email or web service, create a policy 
 route to ensure that all traffic from those services 
 egresses your network on the interface listed by your DNS 
 response.

Thank you very much for your reply. However, I think I need it explained 
further; I'm quite the newbie :)



Martin




Re: [pfSense Support] Failover problem

2008-04-23 Thread Bill Marquette
On Wed, Apr 23, 2008 at 9:27 AM, Gary Buckmaster
[EMAIL PROTECTED] wrote:
  For public-facing services like email or web service, create a policy route
 to ensure that all traffic for those services from those services egresses
 your network on the Interface listed by your DNS response.

pfSense should already be installing reply-to entries.  I'm guessing
it's not doing this for the interface that handles the system's default
route.  If we can see the rules.debug entry for one of the services
that are failing, it would help determine if this is the case.

--Bill

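The reply-to mechanism Bill refers to, shown as an added pf ruleset example (not text from the thread and not pfSense's own generated rules). The interface names, gateway addresses and the mail server address are assumptions. The point is that the state created by an inbound connection remembers the WAN it arrived on, so the reply leaves through that WAN's gateway even when the routing table would send it out the other ISP:

```pf
# Added example. Assumed layout:
#   em1 = ISP A (carries the default route), gateway 198.51.100.1
#   em2 = ISP B (backup),                    gateway 203.0.113.1
#   mail server 192.168.1.10 on the LAN, published via both WANs
isp_a_if = "em1"
isp_a_gw = "198.51.100.1"
isp_b_if = "em2"
isp_b_gw = "203.0.113.1"
mail_srv = "192.168.1.10"

# Port forward SMTP on each WAN address to the mail server
rdr on $isp_a_if proto tcp from any to ($isp_a_if) port 25 -> $mail_srv port 25
rdr on $isp_b_if proto tcp from any to ($isp_b_if) port 25 -> $mail_srv port 25

# reply-to pins the return path of each state to the gateway of the WAN the
# connection arrived on. A client on ISP B's subnet that reached us via ISP A
# therefore gets its replies back via ISP A instead of via ISP B, where the
# routing table would otherwise send them because the subnet is directly
# connected. Without reply-to on the default-route WAN, the scenario in the
# thread (no data back, not even an ACK) is exactly what the client sees.
pass in quick on $isp_a_if reply-to ($isp_a_if $isp_a_gw) proto tcp \
    from any to $mail_srv port 25 flags S/SA keep state
pass in quick on $isp_b_if reply-to ($isp_b_if $isp_b_gw) proto tcp \
    from any to $mail_srv port 25 flags S/SA keep state
```

To check what pfSense actually installed, look for the `reply-to (` clause on the WAN pass rule for the service in /tmp/rules.debug; a rule without it on the default-route interface matches Bill's guess.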



Re: [pfSense Support] [DEBUG] Lock recursion detected

2008-04-23 Thread Bill Marquette
On Wed, Apr 23, 2008 at 6:31 PM, Tortise [EMAIL PROTECTED] wrote:


 Hi

 I have been testing NAT with UDP and a port range of 10001 - 16383. This
 is on 1.2 final, embedded on i386.

You might want to disable NAT reflection (System-Advanced if my
memory serves) if you need to redirect that large of a range.  Of
course, you'll need to have a properly architected split-DNS to
achieve this :)

 OK, reverting to the original wide range, the following is logged:
 Apr 24 11:20:02  php: : Not installing nat reflection rules for a port range > 500
 Apr 24 11:19:53  login: login on console as root
 Apr 24 11:19:51  php: /ifstats.php: [DEBUG] Lock recursion detected.

 Seems the DEBUG message is a bug that you might wish to know about?

Thanks, not sure, but we'll look into it.

 Of course I can enter 13 NAT blocks of ~ 500 ports each to achieve the
 required range of 6382 ports, is that intended by design in these days of
 VOIP?

Not sure - all VOIP I've done the connections are all outbound from my
network to the phone system.  I wouldn't have expected such a large
range to be forwarded inbound.  Maybe someone with more VOIP
experience can comment.

--Bill




Re: [pfSense Support] [DEBUG] Lock recursion detected

2008-04-23 Thread Tortise
As always, thank you again Bill.

Now I think the penny has dropped and I now understand that message "Not 
installing nat reflection rules for a port range > 500".

The default Trixbox incoming audio port range is closer to 10001 to 2, I've 
cut mine down!  

One of the main reasons for using pfSense here is the NAT reflection works.  

To my knowledge there is, however, no need for NAT reflection to work on the 
incoming VOIP ports? 

Perhaps others know otherwise?

Kind regards
David Hingston 




[pfSense Support] CP Issue

2008-04-23 Thread Tim Dickson
Finally deploying captive portal at one of our new sites. But am coming
across a redirect issue I'm hoping you can shed some light on.

BACKGROUND:
I have 3 WANs set up - WAN, DSL, DSL2
I have 3 LANs set up - LAN, GUEST, PHONE

I have load balancing set up with DSL + DSL2 for the GUEST WAN
I have failover set up with WAN - DSL - DSL2 for the LAN

I have squid setup with defaults (non transparent) on LAN ONLY
I have lightsquid installed for reporting

ISSUE:

Clients accessing on the GUEST interface are bypassing the Captive Portal
for the redirect ports.  PORT 80,443
They are not able to access non-redirect ports (such as 25 etc) because of
course they have not authenticated.

Now if I manually go to the interface address for the GUEST LAN on port 80 -
I can get the login page, and if I authenticate all is enabled correctly.
(they can access 25 etc)

Where do I go from here to find out why it's not redirecting correctly? I'm
stumped :(

I read transparent proxy doesn't work, so I've disabled that.  (plus Squid
is set to only run on LAN)
Am I just SOL with having squid and CP?  People on the forums seem to have
gotten it working by turning off transparent mode, but I can't seem to
figure it out.

-Tim





Re: [pfSense Support] CP Issue

2008-04-23 Thread Chris Buechler
On Wed, Apr 23, 2008 at 8:24 PM, Tim Dickson
[EMAIL PROTECTED] wrote:
 Finally deploying captive portal at one of our new sites. But am coming
  across a redirect issue I'm hoping you can shed some light on.

  BACKGROUND:
  I have 3 Wans setup - WAN, DSL, DSL2
  I have 3 Lans setup - LAN, GUEST, PHONE

  I have load balancing setup with DSL + DSL2 for the GUEST WAN
  I have Failover setup with WAN - DSL - DSL2 for the LAN

  I have squid setup with defaults (non transparent) on LAN ONLY
  I have lightsquid installed for reporting

  ISSUE:

  Clients accessing on the GUEST interface are bypassing the Captive Portal
  for the redirect ports.  PORT 80,443
  They are not able to access non-redirect ports (such as 25 etc) because of
  course they have not authenticated.


Multi-WAN and CP have interoperability issues because any rule
specifying a load balancing/failover pool or gateway will bypass CP.
There may be a workaround; there is a ticket open, but I haven't had
time to look into it yet.




Re: [pfSense Support] [DEBUG] Lock recursion detected

2008-04-23 Thread Bill Marquette
On Wed, Apr 23, 2008 at 7:15 PM, Tortise [EMAIL PROTECTED] wrote:
 As always thank you again Bill

  Now I think the penny has dropped and I now understand that message "Not 
 installing nat reflection rules for a port range > 500".

duh, yeah :)  So yeah, the reflection rules aren't enabled for large
ranges; that's all the error is showing.  Disabling reflection
generically won't help any more than removing the message entirely.

  To my knowledge there is, however, no need for NAT reflection to work on the 
 incoming VOIP ports?

Shouldn't need to unless somehow calls within the voice switch need to
go outside to come back in (seems kinda stupid to me)

--Bill
