[pfSense Support] dnsmasq / wildcards
Is there work in progress to add wildcards to dnsmasq? I run dnsmasq and fill in all of my network hosts and of course if it can't answer, then it forwards to OpenDNS for answers. However I have noticed that Windows 7 seems to look up weird things on my domain (like ipad.domain.com and some weird *._udp.domain.com stuff) - and I am trying to prevent that noise from reaching the OpenDNS servers. If we could put a wildcard after all of the entries in the dnsmasq hosts file, then I could filter out this noise.

Any thoughts? - tinyDNS is not an option for me. I can't tolerate it and there isn't any bind9 package I could find. I usually roll my own bind9, but pfSense isn't set up to install things manually like that.

--
J.D. Bronson
Information Technology
Aurora Health Care - Milwaukee WI

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] firewall rules strange behavior
Hi

Have a pfSense 1.2.3 with the following setup.

WAN: /30
Routed ip-net #1: /26
Routed ip-net #2: /25
62 VLAN interfaces with RFC 1918 addresses.

The routed ip-net #1 is configured as 62 "other" virtual IPs, one for each RFC 1918 VLAN. Outbound NAT rules are made for every interface. The routed ip-net #2 is configured on its own VLAN interface.

The problem is that even when I have no rules on the interface with ip-net #2, a client can still ping a client on any of the RFC 1918 networks. It can't reach the client on, for instance, MSRDP, and it can't ping or do anything else to the outside world.

Can anyone figure out why?

Kind regards
Anders
Re: [pfSense Support] Serious issue with PPTP VPN
Sorry for not posting back sooner. I discovered that it was only my desktop that was able to login without a password (well, pfSense shows my username and so does RADIUS). I somehow had it cached in my client. Deleting and recreating the connection fixed my issue.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Fri, Jan 15, 2010 at 1:32 PM, Lyle Giese l...@lcrcomputer.net wrote:
> Chris Buechler wrote:
>> On Fri, Jan 15, 2010 at 1:02 PM, Curtis LaMasters curtislamast...@gmail.com wrote:
>>> Ok, I'm not sure where to begin troubleshooting on this one. I'm running 1.2.3-RC (I'll be upgrading to RELEASE this weekend during a maintenance window). I have discovered that a blank user/pass in the Windows PPTP client is accepted by the PPTP VPN server on pfSense. Any thoughts.
>>
>> Not on any of mine. Maybe if you're authenticating to a RADIUS server that tells pfSense a blank user/pass is OK (which would be the fault of your RADIUS server). How do you have it setup?
>
> There is an option in the Windows client to use the logon credentials (Automatically use my Windows logon name and password (and domain if any).) If you happened to have that selected...
>
> Lyle Giese
> LCR Computer Services, Inc.
[pfSense Support] Web filtering with Squid/Squidguard and AD Groups
Is there a way that I am just not seeing to authenticate users based on their AD group (Users, Admins, Executives, etc.) with Squid or SquidGuard? I would need to apply different policies to each group.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
Re: [pfSense Support] Web filtering with Squid/Squidguard and AD Groups
It's possible to do with Squid and SquidGuard, and while some of the widgets exist in the package GUI, I don't think they actually do anything.

Curtis LaMasters wrote:
> Is there a way that I am just not seeing to authenticate users based on their AD group (Users, Admins, Executives, etc.) with Squid or SquidGuard? I would need to apply different policies to each group.
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
Re: [pfSense Support] Web filtering with Squid/Squidguard and AD Groups
Do you happen to have a config that I can look at to do this or should I start looking at SquidGuard's page?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Wed, Jan 20, 2010 at 11:08 AM, Gary Buckmaster g...@s4f.com wrote:
> It's possible to do with Squid and SquidGuard, and while some of the widgets exist in the package GUI, I don't think they actually do anything.
>
> Curtis LaMasters wrote:
>> Is there a way that I am just not seeing to authenticate users based on their AD group (Users, Admins, Executives, etc.) with Squid or SquidGuard? I would need to apply different policies to each group.
>>
>> Curtis LaMasters
>> http://www.curtis-lamasters.com
>> http://www.builtnetworks.com
Re: [pfSense Support] Web filtering with Squid/Squidguard and AD Groups
So, the current squid/squidguard package can or cannot be used in conjunction with AD? I.e.: high school students able to access social networking sites based on their group but elementary being blocked.

Jason James
Technology Department
School District of Milton
608-868-9570 ext 1082
Re: [pfSense Support] Web filtering with Squid/Squidguard and AD Groups
Actually, most of the heavy lifting will need to be done with squid's AD authenticator. There are a number of how-tos for doing this online, but I'm afraid I don't have one handy right now. Get squid authenticating to your AD system, then you simply need to configure squidGuard to filter based on those groups.

In a hypothetical example, if you have AD groups for Students, Teachers, Administrators and IT staff, you would want to ensure that everyone is contacting squid on the authenticated port, not being transparently proxied through squid. The browser would then send the AD credentials to squid upon connection and squid would confirm the credentials against your AD server. Then all HTTP requests would be passed to squidGuard as coming from someone within, say, the Students group and would be filtered according to your squidGuard ACLs for that group.

Disclaimer: All of this works with off-the-shelf squid+squidGuard; I do not know how much of this can be done specifically with the squid+squidGuard package in pfSense. Most of the GUI stuff is there, but I don't know how much of the underlying code is there or works. This would be an excellent bounty project for some people to embark upon since URL filtering seems to be something that everyone and their second cousin wants to see in the pfSense squid package.

-Gary

Curtis LaMasters wrote:
> Do you happen to have a config that I can look at to do this or should I start looking at SquidGuard's page?
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
> On Wed, Jan 20, 2010 at 11:08 AM, Gary Buckmaster g...@s4f.com wrote:
>> It's possible to do with Squid and SquidGuard, and while some of the widgets exist in the package GUI, I don't think they actually do anything.
>>
>> Curtis LaMasters wrote:
>>> Is there a way that I am just not seeing to authenticate users based on their AD group (Users, Admins, Executives, etc.) with Squid or SquidGuard? I would need to apply different policies to each group.
>>>
>>> Curtis LaMasters
>>> http://www.curtis-lamasters.com
>>> http://www.builtnetworks.com
[pfSense Support] Routing issue between LAN and OPT1 when IPSEC enabled
I have a hub and spoke VPN network setup. 192.168.1.0/24 is the hub (central office) and 192.168.x.0/24 are all the spokes (remote offices). These are all connected with IPsec VPN connections running a mix of Linksys VPN routers and pfSense 1.2.3-RC3. The problem I am having is related to two pfSense boxes running 1.2.3-RC3 (I'll update to RELEASE if that's really the problem but I'd rather wait a while).

In most locations there is a single subnet at the remote offices and that works fine. The remote offices are all able to communicate to each other through the central office because on their routers the IPsec remote subnet is 192.168.0.0/16.

Here is the problem: at one location we have both 192.168.2.0/24 on LAN and 192.168.50.0/24 on OPT1. We have a VPN connection from the LAN to the hub office and that worked fine, but neither computers on 192.168.2.0/24 nor on 192.168.1.0/24 could reach the 192.168.50.0/24 subnet. I determined that the reason must be that any packets from the LAN must be getting sent over the VPN tunnel before the router would check to see that it held that subnet on one of its own interfaces.

Just last week, I set up a second VPN tunnel between the two routers. This one has the destination subnet of 192.168.50.0/24 and now from the hub router we can reach that subnet, but from 192.168.2.0/24 we still cannot reach it. My thinking was that the router with LAN and OPT1 would either route between the two subnets and if not, it would send data up one VPN connection because it was interesting traffic and then it would get sent back down the 2nd tunnel to the other subnet. Neither of these things is happening.

Any ideas on how to get this working? If there are any details I missed, please let me know and I will try to clarify.
Re: [pfSense Support] dnsmasq / wildcards
On Wed, Jan 20, 2010 at 7:01 AM, J.D. Bronson jd_bron...@sbcglobal.net wrote:
> Is there work in progress to add wildcards to dnsmasq? I run dnsmasq and fill in all of my network hosts and of course if it can't answer, then it forwards to OpenDNS for answers. However I have noticed that Windows 7 seems to look up weird things on my domain (like ipad.domain.com and some weird *._udp.domain.com stuff) - and I am trying to prevent that noise from reaching the OpenDNS servers. If we could put a wildcard after all of the entries in the dnsmasq hosts file, then I could filter out this noise.

Not sure offhand if it's capable of doing that; it's not in the GUI at least. As a workaround, if you have an internal DNS server for those domains you can forward the entire domain to an internal server, which will keep it from getting to OpenDNS.
Re: [pfSense Support] Routing issue between LAN and OPT1 when IPSEC enabled
On Wed, Jan 20, 2010 at 2:55 PM, Oliver Hansen oliver.han...@gmail.com wrote:
> I have a hub and spoke VPN network setup. 192.168.1.0/24 is the hub (central office) and 192.168.x.0/24 are all the spokes (remote offices). These are all connected with IPsec VPN connections running a mix of Linksys VPN routers and pfSense 1.2.3-RC3. The problem I am having is related to two pfSense boxes running 1.2.3-RC3 (I'll update to RELEASE if that's really the problem but I'd rather wait a while).
>
> In most locations there is a single subnet at the remote offices and that works fine. The remote offices are all able to communicate to each other through the central office because on their routers the IPsec remote subnet is 192.168.0.0/16.
>
> Here is the problem: at one location we have both 192.168.2.0/24 on LAN and 192.168.50.0/24 on OPT1. We have a VPN connection from the LAN to the hub office and that worked fine, but neither computers on 192.168.2.0/24 nor on 192.168.1.0/24 could reach the 192.168.50.0/24 subnet. I determined that the reason must be that any packets from the LAN must be getting sent over the VPN tunnel before the router would check to see that it held that subnet on one of its own interfaces.
>
> Just last week, I set up a second VPN tunnel between the two routers. This one has the destination subnet of 192.168.50.0/24 and now from the hub router we can reach that subnet, but from 192.168.2.0/24 we still cannot reach it. My thinking was that the router with LAN and OPT1 would either route between the two subnets and if not, it would send data up one VPN connection because it was interesting traffic and then it would get sent back down the 2nd tunnel to the other subnet. Neither of these things is happening.

That traffic is going out IPsec because IPsec always wins over anything in the system routing table, including other directly attached networks (just how it works in the FreeBSD kernel).

You either have to not include that other local subnet within your remote IPsec definition, or use OpenVPN, which will work properly in that scenario.
Re: [pfSense Support] Routing issue between LAN and OPT1 when IPSEC enabled
On Wed, Jan 20, 2010 at 2:18 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Wed, Jan 20, 2010 at 2:55 PM, Oliver Hansen oliver.han...@gmail.com wrote:
>> --snip--
>> Just last week, I set up a second VPN tunnel between the two routers. This one has the destination subnet of 192.168.50.0/24 and now from the hub router we can reach that subnet, but from 192.168.2.0/24 we still cannot reach it. My thinking was that the router with LAN and OPT1 would either route between the two subnets and if not, it would send data up one VPN connection because it was interesting traffic and then it would get sent back down the 2nd tunnel to the other subnet. Neither of these things is happening.
>
> That traffic is going out IPsec because IPsec always wins over anything in the system routing table, including other directly attached networks (just how it works in the FreeBSD kernel).
>
> You either have to not include that other local subnet within your remote IPsec definition, or use OpenVPN, which will work properly in that scenario.

Thanks for the reply. I can understand that IPsec always wins, but why, if it is getting sent up the VPN tunnel, does it not get sent back down the second VPN tunnel to the 192.168.50.0/24 subnet? Any of my other networks such as 192.168.3.0/24 can send traffic to the .50 network and receive replies. Is there something about having two IPsec VPNs between the same two boxes that causes this not to work?

Example A: 192.168.3.0/24 - 192.168.1.0/24 - 192.168.50.0/24 = successful
Example B: 192.168.2.0/24 - 192.168.1.0/24 ---X 192.168.50.0/24 = no success
Re: [pfSense Support] Routing issue between LAN and OPT1 when IPSEC enabled
Sounds to me like a NAT Reflection issue.

On Wed, Jan 20, 2010 at 5:51 PM, Oliver Hansen oliver.han...@gmail.com wrote:
> On Wed, Jan 20, 2010 at 2:18 PM, Chris Buechler cbuech...@gmail.com wrote:
>> On Wed, Jan 20, 2010 at 2:55 PM, Oliver Hansen oliver.han...@gmail.com wrote:
>>> --snip--
>>> Just last week, I set up a second VPN tunnel between the two routers. This one has the destination subnet of 192.168.50.0/24 and now from the hub router we can reach that subnet, but from 192.168.2.0/24 we still cannot reach it. My thinking was that the router with LAN and OPT1 would either route between the two subnets and if not, it would send data up one VPN connection because it was interesting traffic and then it would get sent back down the 2nd tunnel to the other subnet. Neither of these things is happening.
>>
>> That traffic is going out IPsec because IPsec always wins over anything in the system routing table, including other directly attached networks (just how it works in the FreeBSD kernel).
>>
>> You either have to not include that other local subnet within your remote IPsec definition, or use OpenVPN, which will work properly in that scenario.
>
> Thanks for the reply. I can understand that IPsec always wins, but why, if it is getting sent up the VPN tunnel, does it not get sent back down the second VPN tunnel to the 192.168.50.0/24 subnet? Any of my other networks such as 192.168.3.0/24 can send traffic to the .50 network and receive replies. Is there something about having two IPsec VPNs between the same two boxes that causes this not to work?
>
> Example A: 192.168.3.0/24 - 192.168.1.0/24 - 192.168.50.0/24 = successful
> Example B: 192.168.2.0/24 - 192.168.1.0/24 ---X 192.168.50.0/24 = no success
Re: [pfSense Support] dnsmasq / wildcards
Chris Buechler wrote:
> On Wed, Jan 20, 2010 at 7:01 AM, J.D. Bronson jd_bron...@sbcglobal.net wrote:
>> Is there work in progress to add wildcards to dnsmasq? I run dnsmasq and fill in all of my network hosts and of course if it can't answer, then it forwards to OpenDNS for answers. However I have noticed that Windows 7 seems to look up weird things on my domain (like ipad.domain.com and some weird *._udp.domain.com stuff) - and I am trying to prevent that noise from reaching the OpenDNS servers. If we could put a wildcard after all of the entries in the dnsmasq hosts file, then I could filter out this noise.
>
> Not sure offhand if it's capable of doing that; it's not in the GUI at least. As a workaround, if you have an internal DNS server for those domains you can forward the entire domain to an internal server, which will keep it from getting to OpenDNS.

I create a custom dnsmasq.conf file and upload it to /usr/local/etc/dnsmasq.conf (via the 'Diagnostics: Execute command' menu). In that file I add entries for the domains that I'd like to return NXDOMAIN for, like this:

local=/_dns-sd._udp.my-domain.com/
local=/doubleclick.net/

Works great!

-bmw
Re: [pfSense Support] dnsmasq / wildcards
On 1/20/10 6:46 PM, Bruce Walker wrote:
> I create a custom dnsmasq.conf file and upload it to /usr/local/etc/dnsmasq.conf (via the 'Diagnostics: Execute command' menu). In that file I add entries for the domains that I'd like to return NXDOMAIN for, like this:
>
> local=/_dns-sd._udp.my-domain.com/
> local=/doubleclick.net/
>
> Works great!

This is exactly what I was looking for. I do have a list of all of my internal machines but didn't think of this. So the syntax is as you have listed above?

local=/blah.domain.com/ ?

thanks,

--
J.D. Bronson
Information Technology
Aurora Health Care - Milwaukee WI
Office: 414.978.8282 // Fax: 414.978.3988
Re: [pfSense Support] dnsmasq / wildcards
J.D. Bronson wrote:
> On 1/20/10 6:46 PM, Bruce Walker wrote:
>> I create a custom dnsmasq.conf file and upload it to /usr/local/etc/dnsmasq.conf (via the 'Diagnostics: Execute command' menu). In that file I add entries for the domains that I'd like to return NXDOMAIN for, like this:
>>
>> local=/_dns-sd._udp.my-domain.com/
>> local=/doubleclick.net/
>>
>> Works great!
>
> This is exactly what I was looking for. I do have a list of all of my internal machines but didn't think of this. So the syntax is as you have listed above?
>
> local=/blah.domain.com/ ?
>
> thanks,

That's correct; you need the forward slashes like that.

The full syntax is described in here ... http://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html ... under the -S option. It's a rather inscrutable description but the relevant bit is:

  Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers.

Note that it matches all sub-domains of your spec'ed domain as well. *Probably* what you want anyway.

Cheers!
-bmw
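A small model of the local=/domain/ behaviour Bruce describes, added here as an example and not code from dnsmasq or from anyone in the thread: it parses local= lines in the syntax shown above and, for each query name, decides whether dnsmasq would answer from the hosts file, return NXDOMAIN, or forward upstream, including the "matches all sub-domains" rule from the man page. The hosts entries, query names and config lines are constructed for the example; 208.67.222.222 (OpenDNS's public resolver) is assumed as the upstream.

```python
"""Decision model for dnsmasq 'local=/domain/' lines (added example, not dnsmasq code)."""
from typing import Dict, List, Optional, Tuple

# Constructed dnsmasq.conf fragment, same syntax as the entries posted in the thread.
DNSMASQ_CONF = """
# names under these suffixes are answered locally or get NXDOMAIN, never forwarded
local=/_dns-sd._udp.my-domain.com/
local=/doubleclick.net/
local=/corp.example.net/
"""

# Constructed hosts-file entries ("fill in all of my network hosts").
HOSTS: Dict[str, str] = {
    "fileserver.corp.example.net": "10.0.0.5",
    "printer.corp.example.net": "10.0.0.9",
}

UPSTREAM = "208.67.222.222"  # assumed upstream: OpenDNS public resolver


def parse_local_domains(conf: str) -> List[str]:
    """Return the domains declared with local=/d1/[d2/...]/ in a dnsmasq.conf text."""
    domains: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line.startswith("local="):
            continue
        spec = line[len("local="):]
        # dnsmasq requires the slashes: local=/domain/ or local=/domain1/domain2/
        if not (spec.startswith("/") and spec.endswith("/")):
            raise ValueError(f"bad local= line (needs the slashes): {raw!r}")
        domains += [d.lower().strip(".") for d in spec.strip("/").split("/") if d]
    return domains


def is_local(name: str, local_domains: List[str]) -> bool:
    """True if name equals a local= domain or lies under it (sub-domain match).

    The match is on label boundaries: 'notmy-domain.com' does not match
    local=/my-domain.com/, because only '.' + domain counts as a suffix.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in local_domains)


def resolve(name: str, local_domains: List[str], hosts: Dict[str, str],
            upstream: str = UPSTREAM) -> Tuple[str, Optional[str]]:
    """Return ('hosts', ip), ('nxdomain', None) or ('forward', upstream) for a query."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return ("hosts", hosts[key])       # answered from /etc/hosts (or a DHCP lease)
    if is_local(key, local_domains):
        return ("nxdomain", None)          # local domain, unknown name: NXDOMAIN, no forwarding
    return ("forward", upstream)           # everything else still goes to the upstream server


def leaked_queries(names: List[str], local_domains: List[str],
                   hosts: Dict[str, str]) -> List[str]:
    """Names that would still reach the upstream resolver; handy for auditing the config."""
    return [n for n in names if resolve(n, local_domains, hosts)[0] == "forward"]


if __name__ == "__main__":
    local = parse_local_domains(DNSMASQ_CONF)
    # Constructed sample: the Windows 7 "noise" from the first post plus normal lookups.
    sample = ["ipad.corp.example.net", "_ldap._tcp.dc._msdcs.corp.example.net",
              "fileserver.corp.example.net", "ad.doubleclick.net",
              "notcorp.example.net", "www.openbsd.org"]
    for n in sample:
        print(f"{n:42} -> {resolve(n, local, HOSTS)}")
    print("still forwarded upstream:", leaked_queries(sample, local, HOSTS))
```

Run it against your own dnsmasq.conf and hosts list to see which internal-looking names would still leave the network before you upload the file.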
Re: [pfSense Support] dnsmasq / wildcards
On 1/20/10 7:01 PM, Bruce Walker wrote:
> Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers.

That's exactly what I was seeking. If it isn't listed in the hosts, it was forwarding to upstream for resolution even though it was within the local domain. That's annoying and I wonder why that's the default?

Thanks for the tip..

--
J.D. Bronson
Information Technology
Aurora Health Care - Milwaukee WI
Office: 414.978.8282 // Fax: 414.978.3988
Re: [pfSense Support] firewall rules strange behavior
Do you have firewall rules that enable this action? I mean, is it not the firewall just blocking?

On Wed, Jan 20, 2010 at 3:01 PM, a_subscribti...@fiberby.dk wrote:
> Hi
>
> Have a pfSense 1.2.3 with the following setup.
>
> WAN: /30
> Routed ip-net #1: /26
> Routed ip-net #2: /25
> 62 VLAN interfaces with RFC 1918 addresses.
>
> The routed ip-net #1 is configured as 62 "other" virtual IPs, one for each RFC 1918 VLAN. Outbound NAT rules are made for every interface. The routed ip-net #2 is configured on its own VLAN interface.
>
> The problem is that even when I have no rules on the interface with ip-net #2, a client can still ping a client on any of the RFC 1918 networks. It can't reach the client on, for instance, MSRDP, and it can't ping or do anything else to the outside world.
>
> Can anyone figure out why?
>
> Kind regards
> Anders
[pfSense Support] OpenVPN Client
Trying to set up a site-to-site and the remote network field is grayed out, which I presume is what obviously prevents automatic route generation so that only pfSense has access through the tunnel atm... Anyone know why this is?

Thanks!
jlc
Re: [pfSense Support] OpenVPN Client
On Wed, Jan 20, 2010 at 10:31 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:
> Trying to set up a site-to-site and the remote network field is grayed out, which I presume is what obviously prevents automatic route generation so that only pfSense has access through the tunnel atm... Anyone know why this is?

Shared key can't push routes. Put them in on both sides.
RE: [pfSense Support] OpenVPN Client
> Shared key can't push routes. Put them in on both sides.

Actually, I was using TLS. I noticed that field was grayed out in that scenario only, but as I am remote and don't want to tank my only connection into the non-pfSense side by editing its OpenVPN config, I was going to hold off changing to Shared Key. But now with what you say I am confused: is TLS supposed to add routes? I am free to use either method, just used to TLS. In the meantime, I'll test by adding a route...

Thanks!
jlc
RE: [pfSense Support] OpenVPN Client
> Shared key can't push routes. Put them in on both sides.

Well, my remote OpenVPN config has route statements that allow the pfSense appliance access to its segment, but I don't know how to allow the pfSense LAN clients access to the remote segment. Can you shed some insight Chris?

Thanks!
jlc
Re: [pfSense Support] OpenVPN Client
On Wed, Jan 20, 2010 at 11:46 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:
>> Shared key can't push routes. Put them in on both sides.
>
> Well, my remote OpenVPN config has route statements that allow the pfSense appliance access to its segment, but I don't know how to allow the pfSense LAN clients access to the remote segment. Can you shed some insight Chris?

That's why you need remote network filled in on both sides.