Re: [pfSense Support] PPTP problem
Chris Buechler wrote:
> Yes, it does. Only PPTP rules apply to PPTP connections.

Ok then, it's back to basics, hey! Jeremy, please send a copy of your Status: System Log. Perhaps you also want to turn on packet capture, then connect and try to access your machines. Let's see the output of that as well, if possible.

Mogamat

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] PPTP problem
Next time I am on the same physical network as the box, I certainly will. Thank you!

On May 8, 2008, at 8:31 PM, Mogamat Abrahams wrote:
> Chris Buechler wrote:
>> Yes, it does. Only PPTP rules apply to PPTP connections.
>
> Ok then, it's back to basics, hey! Jeremy, please send a copy of your Status: System Log. Perhaps you also want to turn on packet capture, then connect and try to access your machines. Let's see the output of that as well, if possible.
>
> Mogamat
Re: [pfSense Support] 1:1 push WAN ip to VLAN interface?
Chris Flugstad wrote:
> So I have some public IPs. One of them is used on a few VLANs. Each one of those VLANs has a different subnet, 192.168.XXX.XXX. I have another VLAN which I want to give its own public IP. All the 1:1 NAT stuff I've seen says the subnet mask of the public IP, which is a /29, will share the same subnet as the 192. on the inside. I want basically a 2nd, 3rd and so on public WAN IP to be directly hooked up with a different VLAN.

I created a Virtual IP (using the public IP), then 1:1 NATed it to the subnet I needed.

M
Re: [pfSense Support] nat on command line
Diego,

I had the same problem (I have a pfSense acting as VPN client, and from the server I can ping the other side, but from the LAN I can't). Here's what you have to do:

First, disable automatic outbound NAT rules, or else this will only work for a few seconds.
Second, edit /tmp/rules.debug and add the line

    nat on tun0 from YOUR-LAN-SUBNET/24 to any -> (tun0)

below "Outbound NAT rules".
Third, save and run /sbin/pfctl -f /tmp/rules.debug

More info at http://cvstrac.pfsense.com/tktview?tn=1466

Fri, 2008-05-09 at 01:56 -0300, Diego A. Gomez wrote:
> 2008/5/9 Chris Buechler [EMAIL PROTECTED]:
>> On Fri, May 9, 2008 at 12:44 AM, Diego A. Gomez [EMAIL PROTECTED] wrote:
>>> How can I write a NAT rule on the command line?
>>
>> you don't. you can manually edit config.xml, add the rule, remove the config.cache and reload the filter rules but that's not suggested since you could blow up your config.
>
> I need to write a NAT rule for the tun0 (VPN) interface. Can I do it through config.xml?
>
> Thanks!
Re: [pfSense Support] ipsec woes
On Thu, 8 May 2008 16:23:28 -0700 David Rees [EMAIL PROTECTED] wrote:
> What version of pfSense?

1.2 everywhere.

> What do you mean goes blank?

100% packet loss.

> Going to need logs.

Of course. Let's debug one by one. This is office1-office2. On office1 I see:

May 9 10:30:20 racoon: [tunel 11 - 111 mv]: INFO: initiate new phase 2 negotiation:
May 9 10:30:20 racoon: [tunel 11 - 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=143114727(0x887c1e7)
May 9 10:30:20 racoon: [tunel 11 - 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=207960073(0xc653809)
May 9 10:30:20 racoon: INFO: purged IPsec-SA proto_id=ESP spi=265358510.
May 9 10:30:20 racoon: [tunel 11 - 111 mv]: INFO: initiate new phase 2 negotiation:
May 9 10:30:21 racoon: [tunel 11 - 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=66013813(0x3ef4a75)
May 9 10:30:21 racoon: [tunel 11 - 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=30759723(0x1d55b2b)
May 9 10:30:21 racoon: INFO: purged IPsec-SA proto_id=ESP spi=207960073.
May 9 10:31:02 racoon: [tunel 11 - 111 mv]: INFO: initiate new phase 2 negotiation:
May 9 10:31:02 racoon: [tunel 11 - 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=31393894(0x1df0866)
May 9 10:31:02 racoon: [tunel 11 - 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=10754697(0xa41a89)
May 9 10:31:03 racoon: INFO: purged IPsec-SA proto_id=ESP spi=30759723.
May 9 10:31:03 racoon: [tunel 11 - 111 mv]: INFO: initiate new phase 2 negotiation:
...

and on the office2 side I see:

May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=30759723(0x1d55b2b)
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=66013813(0x3ef4a75)
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.111.0/24[0] 192.168.1.0/24[0] proto=any dir=out
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP 84.255.245.212[0]->77.234.135.134[0] spi=143114727(0x887c1e7)
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.11.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=10754697(0xa41a89)
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=31393894(0x1df0866)
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.11.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.111.0/24[0] 192.168.11.0/24[0] proto=any dir=out
May 9 10:31:03 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP 84.255.245.212[0]->77.234.135.134[0] spi=66013813(0x3ef4a75)
May 9 10:31:03 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
... and so on.

This is repeating at a fairly higher frequency than I'd expect. While this is going on, the tunnel mostly works but disappears every now and then. What could be the reason for this? Lifetimes for phase 1 and phase 2 are set to 28800s on both sides.

-- 
Jure Pečar
http://jure.pecar.org
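The office2 excerpt above shows two things a reader of racoon logs should learn to spot: phase 2 SAs being renegotiated seconds apart on a tunnel whose lifetime is 28800 s, and racoon reporting "such policy does not already exist" for two different local nets (192.168.1.0/24 and 192.168.11.0/24) against the same remote net. The following is an added example, not part of the thread or of pfSense: a small Python parser for racoon log lines of this format that flags exactly those two symptoms, SA churn (renegotiation intervals far below the configured lifetime) and more than one traffic selector appearing under one tunnel tag. SAMPLE_LOG is a constructed, abbreviated copy of the office2 lines; the lifetime and the 10% churn threshold are parameters, and the year (absent from syslog output) is irrelevant to the interval arithmetic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: an abbreviated copy of the office2 excerpt quoted in the
# thread, in racoon's own log format.  syslog omits the year; strptime fills in
# 1900, which is fine for computing intervals within one day.
SAMPLE_LOG = """\
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=30759723(0x1d55b2b)
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP 84.255.245.212[0]->77.234.135.134[0] spi=143114727(0x887c1e7)
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.11.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.11.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:31:03 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]*)\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# "84.255.245.212[0]<=>77.234.135.134[0]" as printed on phase 2 negotiation lines
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[\d+\]<=>(\d+\.\d+\.\d+\.\d+)\[\d+\]")
# "192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in" as printed on policy lines
POLICY_RE = re.compile(r"(\S+/\d+)\[\d+\] (\S+/\d+)\[\d+\] proto=\S+ dir=(in|out)")


def parse(text):
    """Turn raw syslog lines into dicts; lines not in racoon's format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        entries.append({"ts": ts, "tag": m["tag"] or "", "level": m["level"], "msg": m["msg"]})
    return entries


def analyse(entries, lifetime_s=28800, churn_fraction=0.1):
    """Summarise phase 2 activity per peer pair and traffic selectors per tunnel tag.

    A peer pair is reported as churning when two phase 2 negotiations are closer
    together than churn_fraction * lifetime_s (2880 s for the 28800 s lifetime in
    the thread).  A tunnel tag with more than one (local, remote) selector points
    at overlapping or mismatched phase 2 definitions, which is what racoon's
    "such policy does not already exist" errors accompany.
    """
    phase2_times = defaultdict(list)
    selectors = defaultdict(set)
    errors = Counter()
    for e in entries:
        msg = e["msg"]
        if "phase 2 negotiation:" in msg:
            pm = PEER_RE.search(msg)
            if pm:
                phase2_times[tuple(sorted(pm.groups()))].append(e["ts"])
        qm = POLICY_RE.search(msg)
        if qm:
            src, dst, direction = qm.groups()
            # racoon prints inbound policies remote->local and outbound policies
            # local->remote; normalise both to (local, remote).
            local, remote = (dst, src) if direction == "in" else (src, dst)
            selectors[e["tag"]].add((local, remote))
        if e["level"] == "ERROR":
            errors[msg.split(":")[0]] += 1

    report = {"phase2_count": {}, "min_gap_s": {}, "churn": [],
              "conflicting_selectors": {}, "errors": dict(errors)}
    for peer, times in phase2_times.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        key = "<=>".join(peer)
        report["phase2_count"][key] = len(times)
        report["min_gap_s"][key] = min(gaps) if gaps else None
        if gaps and min(gaps) < lifetime_s * churn_fraction:
            report["churn"].append(key)
    for tag, sels in selectors.items():
        if len(sels) > 1:
            report["conflicting_selectors"][tag] = sorted(sels)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(parse(SAMPLE_LOG)), indent=2))
```

On the sample the report shows three phase 2 negotiations for the one peer pair with a minimum spacing of 1 s, which is flagged as churn, and two distinct selectors for the "Unknown Gateway/Dynamic" tag, which is the mismatch Dave points to later in the thread.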
Re: [pfSense Support] 1:1 push WAN ip to VLAN interface?
Did it NAT 1:1 to the entire subnet? I did that and it didn't really take. I created the 2nd public IP 75.XXX.XXX.18 as "other", then I 1:1'd 75.XXX.XXX.18/32 192.168.10.0/32. Did I miss something?
[pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
Hi there,

I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...

Any ideas?

Thanks in advance,
Timo
[pfSense Support] How do i use different public IP's on different Vlans when I have only 1 WAN interface
I wrote an earlier post, but didn't describe it too well.

I have a few public IPs; one of them is used for 4 VLANs. Each of those VLANs is on a different subnet: 192.168.1.1, 192.168.2.1, 192.168.3.1, 192.168.4.1. They all have DHCP and route out through public IP #1.

Now I have another VLAN, 192.168.5.1, and want it to route out of public IP #2, as well as receive inbound on that public IP.

I'm guessing I could physically add another ethernet interface, set it up with the public IP, and point the 192.168.5.1 at its GW, but why should I have to add another ethernet device when it's going to the same port that public IP #1 is on?

I did try to add a virtual IP in "other" mode and 1:1 public IP #2 /32 192.168.5.0/32, but that didn't work.

Any ideas?

-topher
Re: [pfSense Support] 1:1 push WAN ip to VLAN interface?
Chris Flugstad wrote:
> Did it NAT 1:1 to the entire subnet?

I only have three machines on the other subnet; it seems to work ok there.

> I created the 2nd public IP 75.XXX.XXX.18 as "other"

I used Proxy ARP as the alias type.

Mogamat
RE: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
Found this at the bottom of the Centipede Networks site:

"If you would like more information regarding this release, please contact Gary Buckmaster with Centipede Networks at (918) 524-1010 x 114 or at [EMAIL PROTECTED]"

I'm sure he could help.

-----Original Message-----
From: Timo Schoeler [mailto:[EMAIL PROTECTED]
Sent: Friday, May 09, 2008 5:33 AM
To: support@pfsense.com
Subject: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?

Hi there,

I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...

Any ideas?

Thanks in advance,
Timo
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
Christopher Iarocci wrote:
> Found this at the bottom of the Centipede Networks site:
>
> "If you would like more information regarding this release, please contact Gary Buckmaster with Centipede Networks at (918) 524-1010 x 114 or at [EMAIL PROTECTED]"
>
> I'm sure he could help.

Hm, maybe. Gary? :)

> -----Original Message-----
> From: Timo Schoeler [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 09, 2008 5:33 AM
> To: support@pfsense.com
> Subject: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
>
> Hi there,
>
> I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...
>
> Any ideas?
>
> Thanks in advance,
> Timo
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
On Fri, May 9, 2008 at 5:32 AM, Timo Schoeler [EMAIL PROTECTED] wrote:
> Hi there,
>
> I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...

Thanks for the heads up, our hosting server rebooted yesterday and all the jails didn't start properly. Thought we got them all, but missed that one. Working now.
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
thus Chris Buechler spake:
> On Fri, May 9, 2008 at 5:32 AM, Timo Schoeler [EMAIL PROTECTED] wrote:
>> Hi there,
>>
>> I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...
>
> Thanks for the heads up, our hosting server rebooted yesterday and all the jails didn't start properly. Thought we got them all, but missed that one. Working now.

Yeah, thought something like this: nmap probed ports 80, 443 and another one as /closed/. This is a sign that perfectly fits your description.

Cheers,
Timo :-)
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
Timo Schoeler wrote:
> thus Chris Buechler spake:
>> On Fri, May 9, 2008 at 5:32 AM, Timo Schoeler [EMAIL PROTECTED] wrote:
>>> Hi there,
>>>
>>> I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...
>>
>> Thanks for the heads up, our hosting server rebooted yesterday and all the jails didn't start properly. Thought we got them all, but missed that one. Working now.
>
> Yeah, thought something like this: nmap probed ports 80, 443 and another one as /closed/. This is a sign that perfectly fits your description.
>
> Cheers,

Just a thought... is it possible to have pfSense's load balancer system report* when it cannot find any of the hosts in the pool? Also, if operating in failover mode, report when the primary has gone down?

*by email?
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
>>>> Hi there,
>>>>
>>>> I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...
>>>
>>> Thanks for the heads up, our hosting server rebooted yesterday and all the jails didn't start properly. Thought we got them all, but missed that one. Working now.
>>
>> Yeah, thought something like this: nmap probed ports 80, 443 and another one as /closed/. This is a sign that perfectly fits your description.
>>
>> Cheers,
>
> Just a thought... is it possible to have pfSense's load balancer system report* when it cannot find any of the hosts in the pool? Also, if operating in failover mode, report when the primary has gone down?
>
> *by email?

IIRC relayd(8) supports this. Doesn't pfSense's load balancing entity rely on relayd(8) (was hoststated(8) before)?
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
Yep, coming into the conversation late, but yes, I'm happy to help in any capacity I can. As you all know, we work very closely with the BSDPerimeter team. Because of the BSDCan prep, they've been pretty swamped, so if you have questions, feel free to hit me up first. I'll do what I can to get them answered for you in a timely fashion.

Christopher Iarocci wrote:
> Found this at the bottom of the Centipede Networks site:
>
> "If you would like more information regarding this release, please contact Gary Buckmaster with Centipede Networks at (918) 524-1010 x 114 or at [EMAIL PROTECTED]"
>
> I'm sure he could help.
>
> -----Original Message-----
> From: Timo Schoeler [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 09, 2008 5:33 AM
> To: support@pfsense.com
> Subject: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
>
> Hi there,
>
> I'm about to sell a bunch of pfSense-based firewalls to a customer (who wants to run a nice load-balanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...
>
> Any ideas?
>
> Thanks in advance,
> Timo
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
Not yet, but it will soon. Currently the load balancer is slbd, but that's changing.

> IIRC relayd(8) supports this. Doesn't pfSense's load balancing entity rely on relayd(8) (was hoststated(8) before)?
Re: [pfSense Support] nat on command line
2008/5/9 David Meireles [EMAIL PROTECTED]:
> Diego,
>
> I had the same problem (I have a pfSense acting as VPN client, and from the server I can ping the other side, but from the LAN I can't). Here's what you have to do:
>
> First, disable automatic outbound NAT rules, or else this will only work for a few seconds.
> Second, edit /tmp/rules.debug and add the line
>
>     nat on tun0 from YOUR-LAN-SUBNET/24 to any -> (tun0)
>
> below "Outbound NAT rules".
> Third, save and run /sbin/pfctl -f /tmp/rules.debug
>
> More info at http://cvstrac.pfsense.com/tktview?tn=1466

This works perfectly! Thanks!

-- 
Diego.-
Re: [pfSense Support] panic on install of stable pfsense on latests Dell PE 1950 server
Which livecd should I download from development (pfsense1.2 - freebsd6.3)? Could you provide me with a link to a working livecd?

Harrie
Re: [pfSense Support] panic on install of stable pfsense on latests Dell PE 1950 server
On Fri, May 9, 2008 at 11:18 AM, Harrie Bonenkamp (Colson) [EMAIL PROTECTED] wrote:
> Which livecd should I download from development (pfsense1.2 - freebsd6.3)?

http://cvs.pfsense.org/~sullrich/testing_images/6/FreeBSD_RELENG_6_3/pfSense_RELENG_1_2/pfSense.iso.gz
[pfSense Support] Log Access to pfsense's administration page
Hi there.

One client of ours has a pfSense firewall (working great, btw). Due to their policies, and although they don't have in-house IT staff, they know the password to access the pfSense admin page (the boss and a teenage pseudo-IT-wannabe). It happened more than once that there were problems with pfSense due to someone messing with the firewall rules, and I know who did it, but the thing is that I cannot say to my customer "Your employee did that" without having proof (my word against his).

So, I was wondering, is there a way to log the time and IP of who accesses the admin page?

Cheerz
[pfSense Support] pfSense6 Dev
Hi all.

This is my first post here, so let's go.

I'm trying to generate the pfSense6 dev edition on FreeBSD 6.3, and when I test the pfSense.iso I get this error when I select the '99' option to install:

/scripts/lua_installer: /usr/local/sbin/dfuife_curses: not found.

I have searched Google and it shows something like a closed bug ticket. So, what can it be? I built that ISO twice through build_deviso.sh. The dev environment was constructed with

fetch -o - -q http://www.pfsense.com/~sullrich/tools/dev_bootstrap.sh | /bin/sh

Thanks.
Re: [pfSense Support] Log Access to pfsense's administration page
David Meireles wrote:
> Hi there.
>
> One client of ours has a pfSense firewall (working great, btw). Due to their policies, and although they don't have in-house IT staff, they know the password to access the pfSense admin page (the boss and a teenage pseudo-IT-wannabe). It happened more than once that there were problems with pfSense due to someone messing with the firewall rules, and I know who did it, but the thing is that I cannot say to my customer "Your employee did that" without having proof (my word against his).
>
> So, I was wondering, is there a way to log the time and IP of who accesses the admin page?
>
> Cheerz

Not really, the admin account is the admin account. This changes somewhat in 1.3 with the user manager code.

If I were you, I would always keep a copy of the config.xml for your clients and update it every time you make changes. Then if something like this happens, you can get into the box and run a diff against the configs. If something's changed, you have pretty clear evidence that it wasn't you. It's also a good policy to have regardless, for the purposes of disaster recovery.
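To make the "run a diff against the configs" advice concrete, here is an added example in Python (not part of the thread, and not pfSense code) that compares the <filter><rule> entries of two saved config.xml copies and reports which rules were added, removed or altered, field by field. A plain text diff also works, but comparing parsed rules survives reordering and whitespace changes and names the rule by its <descr>, which is what you want when presenting evidence to a customer. OLD_CONFIG and NEW_CONFIG are constructed, heavily cut-down stand-ins: the type/interface/source/destination/descr layout follows pfSense's rule format, but the rules themselves are invented and a real config.xml carries many more sections.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, cut-down stand-in for a saved config.xml (the "known good" copy
# the consultant keeps).  Only <filter><rule> matters for this comparison.
OLD_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default LAN to any</descr>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <source><any/></source>
      <destination><address>192.168.1.50</address><port>80</port></destination>
      <descr>Inbound HTTP to webserver</descr>
    </rule>
  </filter>
</pfsense>
"""

# Constructed "current" copy pulled from the box later: the WAN rule was flipped
# from block to pass and a rule for a guest VLAN was added.
NEW_CONFIG = OLD_CONFIG.replace(
    "<type>block</type>", "<type>pass</type>"
).replace(
    "  </filter>",
    "    <rule>\n      <type>pass</type>\n      <interface>opt1</interface>\n"
    "      <source><network>opt1</network></source>\n"
    "      <destination><any/></destination>\n"
    "      <descr>Guest VLAN to any</descr>\n    </rule>\n  </filter>",
)


def flatten(elem, prefix=""):
    """Reduce a rule element to a sorted tuple of (path, text) leaves, so that
    child order and whitespace differences do not register as changes."""
    leaves = []
    for child in elem:
        path = f"{prefix}/{child.tag}"
        if len(child):
            leaves.extend(flatten(child, path))
        else:
            leaves.append((path, (child.text or "").strip()))
    return tuple(sorted(leaves))


def load_rules(xml_text):
    """Return [(descr, flattened_body), ...] for every <filter><rule>."""
    root = ET.fromstring(xml_text)
    return [((r.findtext("descr") or "").strip(), flatten(r))
            for r in root.findall("./filter/rule")]


def diff_rules(old_xml, new_xml):
    """Report rules added, removed or altered between two config snapshots.

    Rules are compared as a multiset of their full content, so a duplicated
    rule counts as an addition.  A rule that vanishes from one side and shows
    up on the other with the same <descr> is reported as changed, together
    with the (path: before, after) pairs that differ.
    """
    old, new = Counter(load_rules(old_xml)), Counter(load_rules(new_xml))
    removed = list((old - new).elements())
    added = list((new - old).elements())
    changed = []
    for descr, before in list(removed):
        match = next((a for a in added if a[0] == descr), None)
        if match is None:
            continue
        b, a = dict(before), dict(match[1])
        fields = {k: (b.get(k), a.get(k)) for k in sorted(set(b) | set(a))
                  if b.get(k) != a.get(k)}
        changed.append({"descr": descr, "fields": fields})
        removed.remove((descr, before))
        added.remove(match)
    return {"added": [d for d, _ in added],
            "removed": [d for d, _ in removed],
            "changed": changed}


if __name__ == "__main__":
    for kind, items in diff_rules(OLD_CONFIG, NEW_CONFIG).items():
        print(kind, items)
```

Run against the two constructed snapshots it reports one added rule ("Guest VLAN to any") and one changed rule ("Inbound HTTP to webserver", /type block to pass); comparing a snapshot with itself reports nothing, which is the baseline to check before trusting the tool on a real pair of files.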
Re: [pfSense Support] nat on command line
2008/5/9 David Meireles [EMAIL PROTECTED]:
> Diego,
>
> I had the same problem (I have a pfSense acting as VPN client, and from the server I can ping the other side, but from the LAN I can't). Here's what you have to do:
>
> First, disable automatic outbound NAT rules, or else this will only work for a few seconds.
> Second, edit /tmp/rules.debug and add the line
>
>     nat on tun0 from YOUR-LAN-SUBNET/24 to any -> (tun0)
>
> below "Outbound NAT rules".
> Third, save and run /sbin/pfctl -f /tmp/rules.debug
>
> More info at http://cvstrac.pfsense.com/tktview?tn=1466

Where must I write this in order to avoid losing these changes?

Thanks!

-- 
Diego.-
Re: [pfSense Support] ipsec woes
On Fri, May 9, 2008 at 2:01 AM, Jure Pečar [EMAIL PROTECTED] wrote:
> Of course. Let's debug one by one. This is office1-office2. On office1 I see:

Looks fairly normal.

> ... and on the office2 side I see:
> May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in
> May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.111.0/24[0] 192.168.1.0/24[0] proto=any dir=out

Oops. Looks like you have some sort of VPN definition error here. Are you sure that the local/remote nets match on both ends? Also make sure that you do not have any duplicate local/remote nets across all VPN connections defined on each firewall.

-Dave
[pfSense Support] setting time
How do you set the time on pfSense? I have checked the OpenNTPD and still the time is wrong. I have written a cron job to set the clock and it doesn't appear to change the clock. It seems to gain time, about 15 minutes in 12 hours. What am I doing wrong? How can I fix this?

Thank you,
dean
Re: [pfSense Support] setting time
What timezone are you in? If CST, try Chicago instead of GMT-6.

-- 
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com