Re: [pfSense Support] PPTP outbound
On Sat, Mar 7, 2009 at 6:38 PM, Tim Dressel tjdres...@gmail.com wrote:
> We just migrated a few of our firewalls from m0n0wall to pfSense (cool that the config files work, btw, devs!!!). Anyway, now I can't PPTP out to another firewall from behind one of the new PF boxes (this was not a problem with m0n0wall). Some googling found this from a few years back: http://forum.pfsense.org/index.php?topic=1110.msg8283
> Does anyone know if this is still an issue, or is there a workaround?

From http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43

  Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients cannot use the same public IP for outbound PPTP connections. This means if you have only one public IP and use the PPTP Server, PPTP clients inside your network will not work. The workaround is to use a second public IP with Advanced Outbound NAT for your internal clients. See also the PPTP limitation under NAT on this page.

The Frickin package was resurrected recently and should be a solution for this, but hasn't yet been tested.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PPP/POTS modem support
Joshua Schmidlkofer wrote:
> Is there any known / supported way with pfSense to use an old-fashioned modem? I have a customer with a large number of 56K Frame Relay lines. He is moving most of them to DSL and pfSense + IPsec. His one request was regarding the ability to have a dial-up standby in case there is a sustained DSL outage. Does anyone have any advice?
>
> Sincerely,
> joshua

Check the archives of this list. Your question has been answered a few times.
[pfSense Support] IPsec tunnel with 0.0.0.0/0 remote subnet
I have an IPsec tunnel with a 0.0.0.0/0 remote subnet, so all clients behind the LAN interface of the pfSense route all traffic through this tunnel. I added a third interface to the pfSense to reach another network and added the static route to reach it. The pfSense reaches this network, but the clients behind the LAN interface of the pfSense always want to go through the IPsec tunnel instead of obeying the static route I defined. The question is: where do I have to add a rule, or what do I have to modify, in order to work with this third network routed in the pfSense?

Sincerely,
Pabel.

CONFIDENTIALITY NOTICE: The information contained in this e-mail and its attachments may only be used by the individual or company to which it is addressed. Without the express authorization of the sender, its dissemination, distribution or copying is prohibited and punishable by law. If you receive this message in error, please return it to the sender and then delete it. Thank you for your attention.
Re: [pfSense Support] IPsec tunnel with 0.0.0.0/0 remote subnet
Your IPsec policy matches all traffic; this isn't a routing issue. What you've told the kernel is that all traffic uses an IPsec policy that encrypts it and sends it to a different site.

--Bill

On Tue, Mar 10, 2009 at 9:02 AM, Pabel Zenteno pzent...@prodemffp.com.bo wrote:
> I have an IPsec tunnel with a 0.0.0.0/0 remote subnet, so all clients behind the LAN interface of the pfSense route all traffic through this tunnel. I added a third interface to the pfSense to reach another network and added the static route to reach it. The pfSense reaches this network, but the clients behind the LAN interface of the pfSense always want to go through the IPsec tunnel instead of obeying the static route I defined. The question is: where do I have to add a rule, or what do I have to modify, in order to work with this third network routed in the pfSense?
>
> Sincerely,
> Pabel.
Re: [pfSense Support] PPTP outbound
Thanks for the reply, Chris. Off to VPNgui I guess. ;)

Cheers,
Tim

On Tue, Mar 10, 2009 at 12:15 AM, Chris Buechler c...@pfsense.org wrote:
> On Sat, Mar 7, 2009 at 6:38 PM, Tim Dressel tjdres...@gmail.com wrote:
>> We just migrated a few of our firewalls from m0n0wall to pfSense (cool that the config files work, btw, devs!!!). Anyway, now I can't PPTP out to another firewall from behind one of the new PF boxes (this was not a problem with m0n0wall). Some googling found this from a few years back: http://forum.pfsense.org/index.php?topic=1110.msg8283
>> Does anyone know if this is still an issue, or is there a workaround?
>
> From http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
>
>   Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients cannot use the same public IP for outbound PPTP connections. This means if you have only one public IP and use the PPTP Server, PPTP clients inside your network will not work. The workaround is to use a second public IP with Advanced Outbound NAT for your internal clients. See also the PPTP limitation under NAT on this page.
>
> The Frickin package was resurrected recently and should be a solution for this, but hasn't yet been tested.
[pfSense Support] OpenVPN on pfSense to connect to OpenVPN on ISA2004
I need help setting up an OpenVPN 2.0.9 server on an ISA 2004 server. The goal is to connect pfSense, set up as an OpenVPN client, to the OpenVPN server on the ISA 2004 machine. Also, what route settings (and other settings) need to be set on the ISA server?

OPENVPN-ISA (SERVER)
  PUBLIC IP:   xxx.xxx.xxx.111
  GATEWAY:     xxx.xxx.xxx.100
  PRIVATE IP:  192.168.200.1 (192.168.200.0/24)
  VPN IP:      10.10.10.1
  TAP ADAPTER: ?

OPENVPN-PFSENSE (CLIENT)
  PUBLIC IP:   xxx.xxx.xxx.66
  GATEWAY:     xxx.xxx.xxx.99
  PRIVATE IP:  192.168.100.1 (192.168.100.0/24)
  VPN IP:      10.10.10.2
  VPN SUBNET:  10.10.10.0/24

=-=-=-=-=-=-=-=[OPENVPN CONFIG FILE]=-=-=-=-=-=-=-=
local 192.168.200.1
remote 123.4.567.89
proto tcp-server
dev tap
route 172.16.100.0 255.255.255.0 192.168.200.1
secret C:\\Program Files\\OpenVPN\\easy-rsa\\static.key
cipher AES-256-CBC
verb 3
mute 10
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=-=-=-=-=-=-=[OPENVPN LOG FILE]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Program Files\OpenVPN\config>openvpn --config yeheyvpn.opvn
Tue Mar 10 23:11:56 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Mar 10 23:11:56 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 10 23:11:56 2009 Static Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 10 23:11:56 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 10 23:11:56 2009 Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Mar 10 23:11:56 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 10 23:11:56 2009 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{4AE92F6F-956D-4F39-B49E-70265BAFFAA6}.tap
Tue Mar 10 23:11:56 2009 TAP-Win32 Driver Version 8.4
Tue Mar 10 23:11:56 2009 TAP-Win32 MTU=1500
Tue Mar 10 23:11:56 2009 NOTE: FlushIpNetTable failed on interface [65542] {4AE92F6F-956D-4F39-B49E-70265BAFFAA6} (status=259) : No more data is available.
Tue Mar 10 23:11:56 2009 Data Channel MTU parms [ L:1594 D:1450 EF:62 EB:4 ET:32 EL:0 ]
Tue Mar 10 23:11:56 2009 Local Options hash (VER=V4): '7063279a'
Tue Mar 10 23:11:56 2009 Expected Remote Options hash (VER=V4): '1a1b0600'
Tue Mar 10 23:11:56 2009 Listening for incoming TCP connection on 192.168.200.1:1194
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=-=-=-=-=-=-=-=[ROUTE TABLE of ISA 2004]=-=-=-=-=-=-=-=-=-=-=-=-=-=
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 00 00 00 00 00 ...... VIA Rhine II Compatible Fast Ethernet Adapter
0x10004 ...00 00 00 00 00 00 ...... 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
0x10005 ...00 00 00 00 00 00 ...... Intel(R) PRO/100+ Management Adapter
0x10006 ...00 00 00 00 00 00 ...... TAP-Win32 Adapter V8
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0  xxx.xxx.xxx.100  xxx.xxx.xxx.111      30
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.200.0    255.255.255.0    192.168.200.1    192.168.200.1      20
    192.168.200.1  255.255.255.255        127.0.0.1        127.0.0.1      20
  192.168.200.255  255.255.255.255    192.168.200.1    192.168.200.1      20
   xxx.xxx.xxx.99  255.255.255.240  xxx.xxx.xxx.111  xxx.xxx.xxx.111      30
  xxx.xxx.xxx.111  255.255.255.255        127.0.0.1        127.0.0.1      30
  xxx.xxx.xxx.255  255.255.255.255  xxx.xxx.xxx.111  xxx.xxx.xxx.111      30
        224.0.0.0        240.0.0.0    192.168.200.1    192.168.200.1      20
        224.0.0.0        240.0.0.0  xxx.xxx.xxx.111  xxx.xxx.xxx.111      30
  255.255.255.255  255.255.255.255    192.168.200.1            10006       1
  255.255.255.255  255.255.255.255    192.168.200.1    192.168.200.1       1
  255.255.255.255  255.255.255.255    192.168.200.1            10003       1
  255.255.255.255  255.255.255.255  xxx.xxx.xxx.111  xxx.xxx.xxx.111       1
Default Gateway:   xxx.xxx.xxx.100
===========================================================================
Persistent Routes:
  None
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
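An added example, not code from the thread, OpenVPN, ISA or pfSense: a consistent static-key, tap-mode pair for the two sites described in the post, with a small cross-check that flags what stands out in the posted server config (the unparseable `remote 123.4.567.89`, a `route` whose gateway is the ISA box's own LAN address rather than the peer's VPN address, the missing `ifconfig`, and a listener bound to the private 192.168.200.1 while the peer can only reach the public address). Assumed values: 203.0.113.111 stands in for xxx.xxx.xxx.111 and 203.0.113.66 for xxx.xxx.xxx.66 (documentation ranges); the LAN and VPN networks are the ones given in the post; the key file name and the `check_pair` helper are hypothetical.

```python
"""Consistency check for an OpenVPN 2.0 static-key, tap-mode site-to-site pair.

Added example for the ISA 2004 <-> pfSense thread, not OpenVPN, ISA or pfSense
code.  Assumed: 203.0.113.111 stands in for the poster's xxx.xxx.xxx.111 and
203.0.113.66 for xxx.xxx.xxx.66 (documentation ranges).
"""
import ipaddress

# The ISA-side server config as posted in the thread (verb/mute omitted).
POSTED_SERVER = r"""
local 192.168.200.1
remote 123.4.567.89
proto tcp-server
dev tap
route 172.16.100.0 255.255.255.0 192.168.200.1
secret C:\\Program Files\\OpenVPN\\easy-rsa\\static.key
cipher AES-256-CBC
"""
# A consistent pair (assumed).  Both hold the same static.key; ISA listens on
# 1194/tcp and pfSense connects; each side routes the other's LAN through the
# peer's VPN address on the tap link, never through a local LAN address.
GOOD_SERVER = """
proto tcp-server
dev tap
ifconfig 10.10.10.1 255.255.255.0
route 192.168.100.0 255.255.255.0 10.10.10.2
secret static.key 0
cipher AES-256-CBC
"""
GOOD_CLIENT = """
remote 203.0.113.111 1194
proto tcp-client
dev tap
ifconfig 10.10.10.2 255.255.255.0
route 192.168.200.0 255.255.255.0 10.10.10.1
secret static.key 1
cipher AES-256-CBC
"""

def parse(text):
    """{option: [args, ...]}, keeping repeated options such as route/remote."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            key, *args = line.split()
            opts.setdefault(key, []).append(args)
    return opts

def first(opts, key, default=None):
    return opts[key][0] if key in opts else default

def valid_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def check_pair(server_text, client_text, server_public, client_public):
    """Cross-check the two configs; returns a list of findings (empty = consistent)."""
    s, c = parse(server_text), parse(client_text)
    out = []
    # 1. Transport pairing: tcp-server must face tcp-client, udp faces udp.
    sp, cp = first(s, "proto", ["udp"])[0], first(c, "proto", ["udp"])[0]
    if not ((sp, cp) == ("tcp-server", "tcp-client") or sp == cp == "udp"):
        out.append(f"proto mismatch: server {sp}, client {cp}")
    # 2. Static-key tap needs 'ifconfig <addr> <netmask>' on both ends, in one
    #    subnet, with distinct addresses.
    ifaces = {}
    for role, opts in (("server", s), ("client", c)):
        cfg = first(opts, "ifconfig")
        try:
            ifaces[role] = ipaddress.ip_interface(f"{cfg[0]}/{cfg[1]}")
        except (TypeError, ValueError, IndexError):
            out.append(f"{role}: no usable ifconfig; static-key tap needs 'ifconfig <addr> <netmask>'")
    if len(ifaces) == 2 and (ifaces["server"].network != ifaces["client"].network
                             or ifaces["server"].ip == ifaces["client"].ip):
        out.append("ifconfig: endpoints must share one subnet and differ")
    vpn_addr = {role: str(i.ip) for role, i in ifaces.items()}
    # 3. 'remote' must be a valid address naming the other side's public IP; on
    #    a static-key server it also pins which peer is accepted.
    for role, opts, peer_pub in (("server", s, client_public), ("client", c, server_public)):
        for args in opts.get("remote", []):
            host = args[0]
            if set(host) <= set("0123456789.") and not valid_ip(host):
                out.append(f"{role}: remote {host} is not a valid IPv4 literal")
            elif host != peer_pub:
                out.append(f"{role}: remote {host} is not the peer's public IP {peer_pub}")
    if "remote" not in c:
        out.append("client: no remote; it cannot initiate the connection")
    # 4. In tap mode each 'route' needs an explicit gateway: the peer's VPN address.
    for role, opts, peer in (("server", s, "client"), ("client", c, "server")):
        for args in opts.get("route", []):
            if len(args) < 3:
                out.append(f"{role}: route {' '.join(args)} needs a gateway in tap mode")
            elif vpn_addr.get(peer) not in (None, args[2]):
                out.append(f"{role}: route gateway {args[2]} should be the {peer}'s VPN address {vpn_addr[peer]}")
    # 5. A private 'local' on the server only works if the public address is
    #    published/forwarded to it (ISA server publishing, in the poster's case).
    loc = first(s, "local")
    if loc and valid_ip(loc[0]) and ipaddress.ip_address(loc[0]).is_private:
        out.append(f"server: listens on private {loc[0]}; {server_public}:1194/tcp must reach it")
    return out
```

The check cannot tell that the posted `route 172.16.100.0 255.255.255.0` names a network the pfSense side does not have (its LAN is 192.168.100.0/24); that has to be read off the post. Beyond the config, the ISA side needs a rule that lets TCP/1194 from the pfSense public address reach the listener; the posted log shows it bound to 192.168.200.1, so ISA must forward the published port there, whereas omitting `local` removes that dependency. The `secret static.key 0` / `1` direction parameters make OpenVPN use separate key halves for each direction; static-key mode still has no forward secrecy and the key file must be copied to the second site out of band.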
Re: [pfSense Support] IPsec tunnel with 0.0.0.0/0 remote subnet
On Tue, Mar 10, 2009 at 9:30 AM, Pabel Zenteno pzent...@prodemffp.com.bo wrote:
> So, is there something I can do?

Change your IPsec policy.

--Bill
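What Bill describes in this thread, as an added example that is not pfSense or FreeBSD code: a small model of the order in which the kernel treats an outbound packet, security-policy (SPD) lookup first, routing second, and only of whatever the policy produces. With a LAN -> 0.0.0.0/0 policy the packet going to the third network is wrapped in ESP addressed to the remote gateway, and it is that outer packet the routing table decides on, so the static route never gets a say. The fix shown is a bypass entry for the third network ahead of the catch-all. All addresses are assumptions (192.168.1.0/24 for the LAN, 10.20.0.0/16 for the third network reached via 192.168.3.2 on OPT1, 203.0.113.1 for the remote IPsec gateway, 198.51.100.1 for the WAN gateway), and the model assumes SPD entries are tried in order with the first match winning, as in the KAME-derived SPD, so the bypass entry is listed first.

```python
"""Model of outbound packet handling: IPsec SPD lookup, then routing.

Added example for the "0.0.0.0/0 remote subnet" thread; not pfSense or FreeBSD
code.  All addresses are assumptions standing in for the poster's networks.
"""
import ipaddress
from typing import List, NamedTuple, Optional

IPv4Net = ipaddress.IPv4Network

class Policy(NamedTuple):
    src: IPv4Net
    dst: IPv4Net
    action: str                 # "ipsec" = encrypt to peer, "none" = bypass
    peer: Optional[str] = None  # tunnel endpoint for "ipsec" entries

class Route(NamedTuple):
    prefix: IPv4Net
    gateway: str
    iface: str

LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN behind pfSense
THIRD = ipaddress.ip_network("10.20.0.0/16")    # assumed network behind OPT1
ANY = ipaddress.ip_network("0.0.0.0/0")
PEER = "203.0.113.1"                            # assumed remote IPsec gateway

ROUTES = [
    Route(ANY, "198.51.100.1", "wan"),          # default route
    Route(LAN, "0.0.0.0", "lan"),               # directly connected
    Route(THIRD, "192.168.3.2", "opt1"),        # the static route the poster added
]

# Phase 2 as configured in the thread: LAN -> 0.0.0.0/0 must be encrypted.
SPD_CATCHALL = [Policy(LAN, ANY, "ipsec", PEER)]

# Same catch-all, preceded by a bypass entry for the third network.  The model
# (and, by assumption, the KAME SPD) tries entries in order; first match wins.
SPD_FIXED = [Policy(LAN, THIRD, "none"), Policy(LAN, ANY, "ipsec", PEER)]

def route_lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match over the routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best

def spd_lookup(spd: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First SPD entry whose selectors cover the packet, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in p.src and d in p.dst:
            return p
    return None

def forward(spd: List[Policy], routes: List[Route], src: str, dst: str):
    """Return (treatment, next_hop, iface) for a packet the firewall forwards.

    The security policy is consulted before the packet's own destination is
    routed: if it says "ipsec", the packet is wrapped in ESP addressed to the
    tunnel peer and it is that outer packet the routing table decides on, so a
    static route for the inner destination never gets a say.
    """
    pol = spd_lookup(spd, src, dst)
    if pol is not None and pol.action == "ipsec":
        r = route_lookup(routes, pol.peer)
        return ("esp-tunnel", r.gateway, r.iface)
    r = route_lookup(routes, dst)   # bypass or no policy: route the packet itself
    return ("plain", r.gateway, r.iface)

if __name__ == "__main__":
    for name, spd in (("catch-all only", SPD_CATCHALL), ("with bypass", SPD_FIXED)):
        print(name, forward(spd, ROUTES, "192.168.1.10", "10.20.5.5"))
```

In setkey(8) terms the bypass for the fixed case is `spdadd 192.168.1.0/24 10.20.0.0/16 any -P out none;` entered ahead of the catch-all entry, together with the mirror `spdadd 10.20.0.0/16 192.168.1.0/24 any -P in none;`, because an inbound policy that requires IPsec would otherwise discard the replies arriving in the clear. Where the GUI is the only tool, the equivalent is to narrow the phase 2 remote network so it no longer covers the third network. Whichever way it is done, the bypass is a deliberate hole in a policy that otherwise encrypts everything, so keep its selectors as narrow as the third network allows.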
Re: [pfSense Support] PPP/POTS modem support
On Tue, Mar 10, 2009 at 1:31 AM, Joshua Schmidlkofer joshl...@gmail.com wrote:
> Is there any known / supported way with pfSense to use an old-fashioned modem? I have a customer with a large number of 56K Frame Relay lines. He is moving most of them to DSL and pfSense + IPsec. His one request was regarding the ability to have a dial-up standby in case there is a sustained DSL outage. Does anyone have any advice?

Not supported. If it's a critical feature you're willing to fund the development of, start a bounty or email me for details.
Re: [pfSense Support] PPP/POTS modem support
On Wed, Mar 11, 2009 at 12:40 AM, Joshua Schmidlkofer joshl...@gmail.com wrote:
> Chris, do you have any idea of the value in $$ of the bounty? I will pitch it to my client; he may do it, because he likes pfSense but is looking at an expensive Cisco solution for this.

Part of this is there, and parts of it remain to be completed. It isn't terribly involved, though; we can get this done, including the dial-up support (and even throw in a support contract too), for considerably less money than the Cisco solution. We tapped the second keg at the Hackathon (http://hackathon.pfsense.org) to celebrate the arrival of mgrooms@ (and, frankly, because we emptied the first). I'll email you offlist tomorrow with more info and a clearer mind. :)