Re: [pfSense Support] ipv6 possibility
On Sep 25, 2008, at 7:59, Vivek Khera wrote:

> In short, there may not be a strong business case to *need* IPv6 today, but it is prudent to start exploring it and gaining the experience necessary to manage it in preparation for the day when it is necessary and when the bulk of traffic flows via it. The sooner the better, I say.

Hi everyone,

I looked up this old thread when I was trying to figure out the state of IPv6 support in pfSense.

For the NTP Pool system we're getting IPv6 connectivity to start supporting that to the users; so for that we need IPv6 in our network stack (including firewall etc).

- ask

--
http://develooper.com/ - http://askask.com/

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] ipv6 possibility
On Thu, Mar 12, 2009 at 2:15 AM, Ask Bjørn Hansen a...@develooper.com wrote:

> I looked up this old thread when I was trying to figure out the state of IPv6 support in pfSense.

There is an IPv6 branch in git where work has started, but it's a *long* way from being complete. Personally I would really like to see it in 2.0, but finishing the work may be dependent on the contributions of others, or someone funding it so I can spend a good chunk of time on it.
Re: [pfSense Support] PPP/POTS modem support
Part of this is there, and parts of it remain to be completed. It isn't terribly involved though, we can get this done including the dial up support (even throw in a support contract too) for considerably less money than the Cisco solution. We tapped the second keg at the Hackathon (http://hackathon.pfsense.org) to celebrate the arrival of mgrooms@ (and, frankly, because we emptied the first), I'll email you offlist tomorrow with more info and a clearer mind. :) BTW: I am envious of the beer. =)
Re: [pfSense Support] firewall blocking legit traffic
Brad Gillette wrote:

> I am using pfSense as transparent bridging firewall and overall is working pretty good and how I want it to work except for some traffic that is coming in on my LAN interface is being blocked by the 'default deny rule'. I'm allowing all traffic that is generated on the LAN side to leave. I see where some others have run into a similar problem. I do run 2 different IP subnets on my LAN and a router on the WAN side of the pfSense box routes between. Some of the traffic between the 2 subnets is getting blocked and some gets passed just fine.

This is typically a misconfiguration in your firewall rules. By default the LAN is in a default allow state. If you are bumping up against the default deny rule, then you are either using an OPT interface as a LAN, which is fine, just realize that all OPT interfaces come in a default deny state, and make your firewall rules accordingly.
Re: [pfSense Support] firewall blocking legit traffic
Brad Gillette wrote:

> How can I tell if my LAN is on an opt interface?
>
> On Thu, Mar 12, 2009 at 8:40 AM, Gary Buckmaster g...@centipedenetworks.com wrote:
>
>> Brad Gillette wrote:
>>
>>> I am using pfSense as transparent bridging firewall and overall is working pretty good and how I want it to work except for some traffic that is coming in on my LAN interface is being blocked by the 'default deny rule'. I'm allowing all traffic that is generated on the LAN side to leave. I see where some others have run into a similar problem. I do run 2 different IP subnets on my LAN and a router on the WAN side of the pfSense box routes between. Some of the traffic between the 2 subnets is getting blocked and some gets passed just fine.
>>
>> This is typically a misconfiguration in your firewall rules. By default the LAN is in a default allow state. If you are bumping up against the default deny rule, then you are either using an OPT interface as a LAN, which is fine, just realize that all OPT interfaces come in a default deny state, and make your firewall rules accordingly.

You said you run two different IP subnets on your LAN, how are you accomplishing this? Through a physically separate card or some other means? This is likely to be the starting point to your issue.
Re: [pfSense Support] firewall blocking legit traffic
The router on the WAN side of my pfSense box routes between the 2 subnets. My private numbers are nat'd behind one of my public numbers for access to the internet but the router has a static route set up to route traffic between the subnets.

On Thu, Mar 12, 2009 at 9:07 AM, Gary Buckmaster g...@centipedenetworks.com wrote:

> Brad Gillette wrote:
>
>> How can I tell if my LAN is on an opt interface?
>>
>> On Thu, Mar 12, 2009 at 8:40 AM, Gary Buckmaster g...@centipedenetworks.com wrote:
>>
>>> Brad Gillette wrote:
>>>
>>>> I am using pfSense as transparent bridging firewall and overall is working pretty good and how I want it to work except for some traffic that is coming in on my LAN interface is being blocked by the 'default deny rule'. I'm allowing all traffic that is generated on the LAN side to leave. I see where some others have run into a similar problem. I do run 2 different IP subnets on my LAN and a router on the WAN side of the pfSense box routes between. Some of the traffic between the 2 subnets is getting blocked and some gets passed just fine.
>>>
>>> This is typically a misconfiguration in your firewall rules. By default the LAN is in a default allow state. If you are bumping up against the default deny rule, then you are either using an OPT interface as a LAN, which is fine, just realize that all OPT interfaces come in a default deny state, and make your firewall rules accordingly.
>
> You said you run two different IP subnets on your LAN, how are you accomplishing this? Through a physically separate card or some other means? This is likely to be the starting point to your issue.
[pfSense Support] printing broken / Default deny rule
THE SETUP:

A pfSense 1.2.2 box, the 'firewall', is providing a gateway to the Internet and DNS forwarder. LAN is 192.168.254.0/24.

An additional pfSense 1.2.0 box, the 'printer router', is on the LAN, routing to a shared network on its WAN interface (192.168.1.0/24) for access to a shared Canon iRC3080i printer (on 192.168.1.101).

The firewall has a static route pointing to the network with the shared printer via the printer router. The firewall's LAN interface is xl0.

THE ISSUE:

Printing was working fine when IPCop did the job of the firewall along with the pfSense 1.2.0 printer router. When I migrated the firewall to pfSense 1.2.2 printing stopped working properly.

Here is a description of the issue from my colleague who's been dealing with this before me:

The printer receives the job but fails with a NG#857 error, which according to the manual means a network issue (Data reception timed out, or the job was cancelled at the host). The job stalls after about page 2 or about 70k ... nothing over about 50-100k will print (so just text or test page - which kind of makes a mockery of test pages but there you go...).

Printing when connected direct to the printer works fine.

The only thing in the firewall logs is this...

    rule 60/0 (match) : block in on xlt : 192.168.254.238.1306192.168.1.101.9100:tcp 20 [bad hdr length 0 - too short, 20]

The rule that triggered this action is:

    @60 block drop in log quick all label Default deny rule

This error is coming up for lots of other addresses on the internet as well (and that is working fine) so can't be sure that this is the problem, but it's all the log is giving me.

Some data is always sent

I had previously assumed the firewall wouldn't be involved with this printing traffic, instead directing workstations (via DNS) to send their printing traffic straight to the printer router on the LAN. But I think this is a misunderstanding on my part.
As I understand it all LAN traffic isn't firewalled by default, so why is the firewall blocking this?

Is xlt an interface name? I don't see any interfaces with this designation.

Seeing as printing worked fine when going via IPCop and then through pfSense 1.2.0 to the printer, then failed when going via pfSense 1.2.2 and then through pfSense 1.2.0 to the printer, could the problem be a change between pfSense 1.2.0 (on FreeBSD 6.2) and pfSense 1.2.2 (on FreeBSD 7.0)?

There's a comment on how FreeBSD 7's 'pf' differs from FreeBSD 6's pf, causing the same error message as above, here: http://www.nabble.com/default-snaplen-on-tcpdump-td15712249.html

Brad Gillette has a similar sounding issue as this which he reported to this list today.

Any help would be very much appreciated, thanks.

--
Pete Boyd
Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
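The post above notes that the same "Default deny rule" entry also shows up for Internet addresses, which makes it hard to tell whether it relates to the printing traffic. As an added example (not part of the original post), the Python below keeps only blocked flows between the two internal networks named in the post and tags each with its rule label. It assumes the usual tcpdump layout `SRC.PORT > DST.PORT:`; the sample log lines, rule 61 and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Networks named in the post: the firewall's LAN and the shared printer network.
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.254.0/24", "192.168.1.0/24")]
# Assumed tcpdump-style layout: "rule N/0(match): block in on IF: SRC.PORT > DST.PORT: ..."
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\s*\(match\)\s*:\s*block (?:in|out) on (?P<iface>[^\s:]+)\s*:\s*"
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")
# Rule listing in the "@N ... label ..." form quoted in the post (quotes optional).
RULE_RE = re.compile(r'@(?P<num>\d+) .*\blabel "?(?P<label>[^"]+?)"?\s*$')

# Constructed sample data; rule 61 and every log line are made up for this example.
SAMPLE_RULES = """\
@60 block drop in log quick all label "Default deny rule"
@61 block drop out log quick all label "Constructed outbound rule"
"""
SAMPLE_LOG = """\
rule 60/0(match): block in on xl0: 192.168.254.238.1306 > 192.168.1.101.9100: tcp 20
rule 60/0(match): block in on xl0: 192.168.254.238.1306 > 192.168.1.101.9100: tcp 20
rule 60/0(match): block in on xl1: 203.0.113.7.51515 > 198.51.100.20.445: tcp 28
rule 60/0(match): block in on xl0: 192.168.254.17.2201 > 192.168.1.101.9100: tcp 20
rule 61/0(match): block out on xl1: 192.168.254.238.1400 > 203.0.113.9.80: tcp 20
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse_rules(listing):
    """Map rule number -> label from an '@N ... label ...' rule listing."""
    rules = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m["num"])] = m["label"]
    return rules

def internal_blocks(log, rules):
    """Count blocked flows whose source and destination are both internal."""
    flows = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and is_internal(m["src"]) and is_internal(m["dst"]):
            label = rules.get(int(m["rule"]), "unknown rule")
            flows[(label, m["iface"], m["src"], m["dst"], int(m["dport"]))] += 1
    return flows

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for flow, hits in internal_blocks(SAMPLE_LOG, rules).most_common():
        print(hits, *flow)
```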
Re: [pfSense Support] firewall blocking legit traffic
I looked at my interfaces. I have WAN and LAN interfaces. My specific problems are connections from clients to my Novell Netware servers. pfSense is apparently blocking traffic when a connection is already established or won't keep a connection alive. I also run an in-house instant messaging system and I see traffic from the clients to the server get blocked, it works so some traffic gets through.
Re: [pfSense Support] Routing multiple subnets through IPSEC
On Thu, Mar 12, 2009 at 9:48 PM, Bennett Lee pfse...@bennettandgina.com wrote:

> I have pfSense with several subnets on separate interfaces at my home office and many of my clients have the same. I have IPSEC to these clients so I can admin remotely. The problem I have is that I have not found a way to route the subnets across IPSEC. Consequently, I have 2, 4, 6, 8 or even 9 IPSEC tunnels per client for the same site-to-site. Seems absolutely ridiculous to have multiple VPN tunnels between the same site-to-site, and management of all the tunnels alone is a nightmare, not to mention a huge processing burden on my home pfSense box that's juggling dozens of IPSEC tunnels (granted, not all tunnels are active all the time, but I am frequently connected to several clients' subnets at any given time).
>
> Obviously traffic needs to know to route a subnet across a particular VPN, but I've tried static routes with no luck. I can't figure out what to put for the gateway--tried every local and remote IP possible and nothing worked. How can I route multiple subnets across the same IPSEC tunnel?

You can't in 1.2.x. Solution here: http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets