Re: [pfSense Support] Source NAT

2009-12-18 Thread Peter Todorov 
Hi Chris,
Can he just edit the conf file on hand and bypass webgui?

On Fri, Dec 18, 2009 at 10:39 AM, Chris Buechler cbuech...@gmail.com wrote:
 On Fri, Dec 18, 2009 at 3:21 AM, Tapani Tarvainen
 pfse...@tapanitarvainen.fi wrote:
 On Fri, Dec 18, 2009 at 02:52:43AM -0500, Chris Buechler (c...@pfsense.org) 
 wrote

  Source NAT

  Can this be done with pfSense?

 Not at this time.

 Bummer. :-(

 Are there plans to add it in the future?


 It will be eventually, I don't know when. It's a pretty minor change I
 believe, and it may be a requirement for a project I'm working on
 right now. If that turns out to be the case, it may make 2.0 if it
 ends up as simple as I think it will be. Otherwise the next release
 after probably.

 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org





-- 
честността не е порок

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] RC3 to RELEASE - Verify

2009-12-18 Thread Peter Todorov 
I have a problem with SATA in FreeBSD kernel and upgrade is still no go.

On Fri, Dec 18, 2009 at 9:26 AM, Seth Mos seth@xs4all.nl wrote:
 Op 17-12-2009 11:35, Paul Mansfield schreef:

 has anyone upgraded a pfsense cluster running 1.2.2-release to 1.2.3?

 Yes.

 am using many CARP addresses on WAN and LAN ports, IPSEC, OpenVPN, and
 advanced outbound nat.

 I am using multiple WAN connections, 380 IPsec vpn tunnels, roughly a
 hundred rules and 40 aliases. It is a 8 interface box with 1 lan and
 multiple opt interfaces, it uses vlans as well. I also use the load balancer
 for outbound traffic. It uses both port forwarding an 1:1 NAT. I also use
 the outbound NAT feature to bind to a carp address.

 It is a carp cluster based on 2 Dell PowerEdge servers with each 6 gigabit
 ports, one being the sync network, the others used by pfSense.
 It have about ~30 carp vips or so.

 Regards,

 Seth

 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org





-- 
честността не е порок

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT

2009-12-18 Thread Tapani Tarvainen 
On Fri, Dec 18, 2009 at 10:53:40AM +0200, Peter Todorov (pmi...@gmail.com) wrote
 Hi Chris,
 Can he just edit the conf file on hand and bypass webgui?

Not quite that easy. I took a look at the code, and pfSense doesn't
keep the raw pf conf file, but rebuilds it out of its own xml config
at every reload, and the code that does that (filter.inc) has any
hardwired as source address.

I took a stab at hacking filter.inc and modified it so that if
there's source-address modifier in the nat rule, it uses it
as source in the rdr entry. I tested it with backup/restore:
backed config up, added source-address entry, restored,
and it seems to work. Somewhat surprisingly the rule even
survived adding another NAT rule from the GUI.

This is not exactly convenient, however, and I haven't
taken a look at the GUI code to see how hard it'd be
to make necessary changes there.

-- 
Tapani Tarvainen

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT

2009-12-18 Thread Peter Todorov 
Hi Tapani Tarvainen,
So the code will be overwritten on reboot - right?
If so one simple script that copy the file before rebooting and one
script that overwrite original file after boot. Is this sound any
sense?

On Fri, Dec 18, 2009 at 11:13 AM, Tapani Tarvainen
pfse...@tapanitarvainen.fi wrote:
 On Fri, Dec 18, 2009 at 10:53:40AM +0200, Peter Todorov (pmi...@gmail.com) 
 wrote
 Hi Chris,
 Can he just edit the conf file on hand and bypass webgui?

 Not quite that easy. I took a look at the code, and pfSense doesn't
 keep the raw pf conf file, but rebuilds it out of its own xml config
 at every reload, and the code that does that (filter.inc) has any
 hardwired as source address.

 I took a stab at hacking filter.inc and modified it so that if
 there's source-address modifier in the nat rule, it uses it
 as source in the rdr entry. I tested it with backup/restore:
 backed config up, added source-address entry, restored,
 and it seems to work. Somewhat surprisingly the rule even
 survived adding another NAT rule from the GUI.

 This is not exactly convenient, however, and I haven't
 taken a look at the GUI code to see how hard it'd be
 to make necessary changes there.

 --
 Tapani Tarvainen

 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org





-- 
честността не е порок

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT

2009-12-18 Thread Peter Todorov 
Hi Tapani,
I run away from ugly hacks and thats the reason I am stuck with
version 1.2.1 (do not want to recompile the custom kernel and make my
disk)
tell if that work

On Fri, Dec 18, 2009 at 11:41 AM, Tapani Tarvainen
pfse...@tapanitarvainen.fi wrote:
 On Fri, Dec 18, 2009 at 11:21:32AM +0200, Peter Todorov (pmi...@gmail.com) 
 wrote

 So the code will be overwritten on reboot - right?

 The actual pf code, yes - the xml config is where permanent
 configuration is kept. (Caveat: I haven't read the code
 very thoroughly yet, I only downloaded pfSense first time
 yesterday, so I may have missed something obvious.)

 If so one simple script that copy the file before rebooting and one
 script that overwrite original file after boot. Is this sound any
 sense?

 I guess that'd be possible, but in this case modifying filter.inc
 as I did and putting the changes in the xml file seems easier.
 It's also more consistent with the rest of the stuff and might
 allow patching the GUI later without breaking anything or
 having to undo any ugly hacks.

 --
 Tapani Tarvainen

 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org





-- 
честността не е порок

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT

2009-12-18 Thread Tapani Tarvainen 
On Fri, Dec 18, 2009 at 11:13:45AM +0200, Tapani Tarvainen (pfse...@tapanitarvai

 I took a stab at hacking filter.inc and modified it so that if
 there's source-address modifier in the nat rule, it uses it
 as source in the rdr entry.

Does anybody think it'd be worthwhile to submit that as a patch?
Or would someone like to see it otherwise (small enough even
for posting on the list, perhaps - 105 line context diff)?

It's not very useful in itself, but not dangerous either, as it should
have no effect whatsoever unless one manually adds source-address
entries to config file. But it would allow using SNAT for those who
need it badly enough to edit xml files manually, and it might be
useful as a first step towards proper SNAT support later
(with GUI and all).

-- 
Tapani Tarvainen

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT

2009-12-18 Thread Paul Mansfield 
On 18/12/09 10:58, Tapani Tarvainen wrote:
 On Fri, Dec 18, 2009 at 11:13:45AM +0200, Tapani Tarvainen 
 (pfse...@tapanitarvai
 
 I took a stab at hacking filter.inc and modified it so that if
 there's source-address modifier in the nat rule, it uses it
 as source in the rdr entry.
 
 Does anybody think it'd be worthwhile to submit that as a patch?
 Or would someone like to see it otherwise (small enough even
 for posting on the list, perhaps - 105 line context diff)?

it does sound useful, even for those who just want to tinker!



-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] RC3 to RELEASE - Verify

2009-12-18 Thread Paul Mansfield 
On 18/12/09 07:26, Seth Mos wrote:
 Op 17-12-2009 11:35, Paul Mansfield schreef:
 has anyone upgraded a pfsense cluster running 1.2.2-release to 1.2.3?
 
 Yes.
 
 am using many CARP addresses on WAN and LAN ports, IPSEC, OpenVPN, and
 advanced outbound nat.
 
 I am using multiple WAN connections, 380 IPsec vpn tunnels, roughly a
 hundred rules and 40 aliases. It is a 8 interface box with 1 lan and
 multiple opt interfaces, it uses vlans as well. I also use the load
 balancer for outbound traffic. It uses both port forwarding an 1:1 NAT.
 I also use the outbound NAT feature to bind to a carp address.
 
 It is a carp cluster based on 2 Dell PowerEdge servers with each 6
 gigabit ports, one being the sync network, the others used by pfSense.
 It have about ~30 carp vips or so.

cool!

I have just upgraded some Dell R300s with Xeon x33~~ processors from
1.2.2 to 1.2.3 now, and a core2quad based machine a few days ago, and a
dell vostro cor2duo desktop with realtek onboard and PCIe intel.

so far so good. not done our production firewalls yet, I'll leave things
alone just for now!

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT /tmp/rules.debug

2009-12-18 Thread Beat Siegenthaler 





Does anybody think it'd be worthwhile to submit that as a patch?
Or would someone like to see it otherwise (small enough even
for posting on the list, perhaps - 105 line context diff)?



Maybe this could help too: I Found this article because this Guy wanted 
to add IPv6 stuff to the Rules.
Should work for more or less all unsupported additions if You are 
sed-aware

http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/comment-page-1/#comment-2161
search for 10_config-ipv6-pf.sh


Beat

Re: [pfSense Support] Source NAT

2009-12-18 Thread Ian Bowers 
I'd really like to see source NAT added.  I've been used to pf on openbsd
for a while... it'll let you abuse nat any way you like it, and will still
call you the next day.  I tried pfsense and actually really liked it a lot.
it was eventually the lack of options for NAT that made me switch back...
no source distinction and strange collisions complaints when allocating
ports (overlaps which wouldnt actually have hindered traffic).

On Fri, Dec 18, 2009 at 7:15 AM, Paul Mansfield
it-admin-pfse...@taptu.comwrote:

 On 18/12/09 10:58, Tapani Tarvainen wrote:
  On Fri, Dec 18, 2009 at 11:13:45AM +0200, Tapani Tarvainen
 (pfse...@tapanitarvai
 
  I took a stab at hacking filter.inc and modified it so that if
  there's source-address modifier in the nat rule, it uses it
  as source in the rdr entry.
 
  Does anybody think it'd be worthwhile to submit that as a patch?
  Or would someone like to see it otherwise (small enough even
  for posting on the list, perhaps - 105 line context diff)?

 it does sound useful, even for those who just want to tinker!



 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT /tmp/rules.debug

2009-12-18 Thread Tapani Tarvainen 
On Fri, Dec 18, 2009 at 02:14:30PM +0100, Beat Siegenthaler (bsi...@gmail.com) w

 Maybe this could help too: I Found this article because this Guy
 wanted to add IPv6 stuff to the Rules.
 Should work for more or less all unsupported additions if You are
 sed-aware
 http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/comment-page-1/#comment-2161

Yeah, that would work, and I'm certainly sed-aware enough,
but I still consider that a rather ugly hack - as a commenter
there said, I might as well forego pfSense and use plain
freeBSD and hand-written pf.conf.

If I had pfSense in production use and had to get this working ASAP
I might do something like that, but now I'd rather try to do it
pfSense way, for maintainability, and also to learn how it works.

-- 
Tapani Tarvainen

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT

2009-12-18 Thread Tapani Tarvainen 
I take it there're no rules on this list against sending
patches (and attempt to register at rcs.pfsense.org failed),
so here it goes. Just apply the patch to filter.inc
and edit /cf/conf/config.xml ) by adding something like
source-address172.16.20.5/source-address
in a nat rule and reboot
(or edit saved backup and restore edited version).

-- 
Tapani Tarvainen
*** filter.inc.ORIG	Mon Dec  7 05:12:36 2009
--- filter.inc	Fri Dec 18 12:43:28 2009
***
*** 987,992 
--- 987,998 
  			else
  $extaddr = get_current_wan_address($rule['interface']);
  
+ 			/* Source-NAT support */
+ 			if ($rule['source-address'])
+ $srcaddr = $rule['source-address'];
+ 			else
+ $srcaddr = any;
+ 
  			if (!$rule['interface'] || ($rule['interface'] == wan))
  $natif = $wanif;
  			else if($rule['interface'] == pptp)
***
*** 1053,1061 
  		case tcp/udp:
  			if($natif) {
  if($rule['external-port']  $rule['local-port'])
! 	$natrules .= {$nordr}rdr on $natif proto { tcp udp } from any to {$extaddr} port { {$extport[0]} } - {$target}{$localport};
  else
! 	$natrules .= {$nordr}rdr on $natif proto { tcp udp } from any to {$extaddr} port { {$extport[0]} } - {$target};
  			}
  			break;
  		case udp:
--- 1059,1067 
  		case tcp/udp:
  			if($natif) {
  if($rule['external-port']  $rule['local-port'])
! 	$natrules .= {$nordr}rdr on $natif proto { tcp udp } from {$srcaddr} to {$extaddr} port { {$extport[0]} } - {$target}{$localport};
  else
! 	$natrules .= {$nordr}rdr on $natif proto { tcp udp } from {$srcaddr} to {$extaddr} port { {$extport[0]} } - {$target};
  			}
  			break;
  		case udp:
***
*** 1063,1094 
  			if($extport[0])
  if($natif) {
  	if($rule['external-port']  $rule['local-port'])
! 		$natrules .= rdr on $natif proto {$rule['protocol']} from any to {$extaddr} port { {$extport[0]} } - {$target}{$localport};
  	else
! 		$natrules .= rdr on $natif proto {$rule['protocol']} from any to {$extaddr} port { {$extport[0]} } - {$target};
  }
  			else
  if($natif)
! 	$natrules .= rdr on $natif proto {$rule['protocol']} from any to {$extaddr} - {$target}{$localport};
  			break;
  		default:
! 			$natrules .= rdr on $natif proto {$rule['protocol']} from any to {$extaddr} - {$target};
  			break;
  	}
  } else {
  	switch ($rule['protocol']) {
  		case tcp/udp:
  			if($natif)
! $natrules .= {$nordr}rdr on $natif proto { tcp udp } from any to {$extaddr} port {$extport[0]}:{$extport[1]} - {$target}{$localport}:*;
  			break;
  		case udp:
  		case tcp:
  			if($natif)
! $natrules .= {$nordr}rdr on $natif proto {$rule['protocol']} from any to {$extaddr} port {$extport[0]}:{$extport[1]} - {$target}{$localport}:*;
  			break;
  		default:
  			if($natif)
! $natrules .= {$nordr}rdr on $natif proto {$rule['protocol']} from any to {$extaddr} - {$target};
  	}
  }
  			}
--- 1069,1100 
  			if($extport[0])
  if($natif) {
  	if($rule['external-port']  $rule['local-port'])
! 		$natrules .= rdr on $natif proto {$rule['protocol']} from {$srcaddr} to {$extaddr} port { {$extport[0]} } - {$target}{$localport};
  	else
! 		$natrules .= rdr on $natif proto {$rule['protocol']} from {$srcaddr} to {$extaddr} port { {$extport[0]} } - {$target};
  }
  			else
  if($natif)
! 	$natrules .= rdr on $natif proto {$rule['protocol']} from {$srcaddr} to {$extaddr} - {$target}{$localport};
  			break;
  		default:
! 			$natrules .= rdr on $natif proto {$rule['protocol']} from {$srcaddr} to {$extaddr} - {$target};
  			break;
  	}
  } else {
  	switch ($rule['protocol']) {
  		case tcp/udp:
  			if($natif)
! $natrules .= {$nordr}rdr on $natif proto { tcp udp } from {$srcaddr} to {$extaddr} port {$extport[0]}:{$extport[1]} - {$target}{$localport}:*;
  			break;
  		case udp:
  		case tcp:
  			if($natif)
! $natrules .= {$nordr}rdr on $natif proto {$rule['protocol']} from {$srcaddr} to {$extaddr} port {$extport[0]}:{$extport[1]} - {$target}{$localport}:*;
  			break;
  		default:
  			if($natif)
! $natrules .= {$nordr}rdr on $natif proto {$rule['protocol']} from {$srcaddr} to {$extaddr} - {$target};
  	}
  }
  			}

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Source NAT

2009-12-18 Thread Tapani Tarvainen 
On Fri, Dec 18, 2009 at 03:45:03PM +0200, Tapani Tarvainen (pfse...@tapanitarvai
 I take it there're no rules on this list against sending
 patches (and attempt to register at rcs.pfsense.org failed),
 so here it goes. Just apply the patch to filter.inc

Forgot to mention, this is for 1.2.3 release - I've no idea
if it works with any others.

-- 
Tapani Tarvainen

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Wake On LAN - Now Works on 1.2.3 Embedded!

2009-12-18 Thread Tortise 
- Original Message - 
From: Chris Weakland chris.weakl...@gmail.com

To: support@pfsense.com
Sent: Sunday, December 13, 2009 4:40 AM
Subject: Re: [pfSense Support] Wake On LAN - Now Works on 1.2.3 Embedded!



Also if ur nic is a pci or pcie nic the wol cable must be connected to
the motherboard header for it to work with wol.

Chris


I just tried WOL using an Intel 1000GT PCI NIC, (using no wol cable between the NIC and the motherboard) and it works fine.  


The tested motherboard is a GA-EP31-DS3L, which (sadly) does not have WOL in 
the BIOS.

Certainly many NIC's and motherboards will need those cables, clearly not always.  



-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Wake On LAN - Now Works on 1.2.3 Embedded!

2009-12-18 Thread Peter Todorov 
What you do on client machine?

On Sat, Dec 19, 2009 at 6:11 AM, Tortise tort...@paradise.net.nz wrote:
 - Original Message - From: Chris Weakland
 chris.weakl...@gmail.com
 To: support@pfsense.com
 Sent: Sunday, December 13, 2009 4:40 AM
 Subject: Re: [pfSense Support] Wake On LAN - Now Works on 1.2.3 Embedded!


 Also if ur nic is a pci or pcie nic the wol cable must be connected to
 the motherboard header for it to work with wol.

 Chris

 I just tried WOL using an Intel 1000GT PCI NIC, (using no wol cable between
 the NIC and the motherboard) and it works fine.
 The tested motherboard is a GA-EP31-DS3L, which (sadly) does not have WOL in
 the BIOS.

 Certainly many NIC's and motherboards will need those cables, clearly not
 always.

 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org





-- 
честността не е порок

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org