[pfSense Support] wpad/wpac configuration in pfsense dhcp server
I would like to fix/break WPAD as suggested here: http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html

Is there any way to insert the additional DHCP configuration options into pfSense's DHCP configuration? There's no text field to allow arbitrary insertion of my own config, so would I have to hack the pfSense source code to do this?

Thanks

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense Support] Low-cost VPN endpoint compatible with pfSense
Greetings list,

One of our clients has a requirement for a low-cost ADSL modem/router that'll act as a VPN endpoint (IPsec or OpenVPN) to a central pfSense node (at their head office). Ordinarily I'd just recommend small pfSense nodes like the ALIX (so the VPN is pfSense to pfSense), but this would be a two-box solution (the ADSL modem and the ALIX), and there isn't space for that.

I know some versions of the Netgear DG834 claim to support IPsec - has anyone any experience VPNing those with pfSense? I've had a look on the Wiki, but can't see any reference to that device.

Alternatively, any hardware suggestions gratefully appreciated.

TIA.

Regards,
Chris
--
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
Re: [pfSense Support] Low-cost VPN endpoint compatible with pfSense
On 17-3-2010 13:02, Chris Bagnall wrote:
> Greetings list,
>
> One of our clients has a requirement for a low-cost ADSL modem/router that'll act as a VPN endpoint (IPsec or OpenVPN) to a central pfSense node (at their head office). Ordinarily I'd just recommend small pfSense nodes like the ALIX (so the VPN is pfSense to pfSense), but this would be a two-box solution (the ADSL modem and the ALIX), and there isn't space for that.
>
> I know some versions of the Netgear DG834 claim to support IPsec - has anyone any experience VPNing those with pfSense? I've had a look on the Wiki, but can't see any reference to that device.
>
> Alternatively, any hardware suggestions gratefully appreciated.

We use a lot of Draytek Vigor routers in our shops. We have about 400 of those which we use with pfSense. We have the 2800 DSL router, the 2910 Ethernet and the 2820 DSL/Ethernet dual-WAN router models in use today. We use the 2820 with a UMTS internet USB dongle. It has a dynamic tunnel to our pfSense cluster. The Draytek routers vary in price between 150 and 250 euros.

Regards,
Seth
RE: [pfSense Support] Low-cost VPN endpoint compatible with pfSense
> We use a lot of Draytek Vigor routers in our shops. The Draytek routers vary in price between 150 and 250 euros.

Thanks for that info. The Draytek boxes are what the client is currently using (2700 in their case), and they're perfect for their shops, but the client is looking to run a number of concession stands (for food, primarily), which means they'll be hostile environments for anything electrical. Hence the hope for something lower cost - I'm basically expecting these to be treated as disposable every couple of months.

Regards,
Chris
--
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
Re: [pfSense Support] Low-cost VPN endpoint compatible with pfSense
On 3/17/2010 8:02 AM, Chris Bagnall wrote:
> Greetings list,
>
> One of our clients has a requirement for a low-cost ADSL modem/router that'll act as a VPN endpoint (IPsec or OpenVPN) to a central pfSense node (at their head office). Ordinarily I'd just recommend small pfSense nodes like the ALIX (so the VPN is pfSense to pfSense), but this would be a two-box solution (the ADSL modem and the ALIX), and there isn't space for that.
>
> I know some versions of the Netgear DG834 claim to support IPsec - has anyone any experience VPNing those with pfSense? I've had a look on the Wiki, but can't see any reference to that device.
>
> Alternatively, any hardware suggestions gratefully appreciated.

A customer of ours had some Netgear ADSL routers at their sites that did IPsec, but the model escapes me at the moment. They worked fine for a while, but I think about half of them died or started flaking out within 2-3 years.

Most anything that does standard IPsec should work together; I have yet to find a router that won't connect up to pfSense in some way with IPsec.

I have heard there are also some ADSL modem/routers that AT&T is distributing to its business customers which can do IPsec, probably something from Efficient/Siemens or 2Wire.

Jim
Re: [pfSense Support] Low-cost VPN endpoint compatible with pfSense
On 17-3-2010 13:34, Jim Pingle wrote:
> On 3/17/2010 8:02 AM, Chris Bagnall wrote:
>> Greetings list,
>
> I have heard there are also some ADSL modem/routers that AT&T is distributing to its business customers which can do IPsec, probably something from Efficient/Siemens or 2Wire.

I've looked at a really old SpeedStream once and it was horrible at the time. It did eventually make an IPsec connection, but it depended on a browser popup. This was roughly 4 years ago though. It looked like a plastic lunch box with LEDs. IIRC the model was a 5380 or something along those lines.

Regarding the hostile power, I have no gripes with the Drayteks. What I do see is that in shops where the shop window lighting is failing (which is high-voltage fluorescent), either the router keeps restarting or it causes so much RF interference from the light startup that it causes massive DSL communication failures. The routers we deployed with the old-style transformers are less affected by the reboots, but still suffer the DSL issues. These power supplies fail every now and then. The routers that have the switch-mode power supplies don't get many power supply failures but are very prone to rebooting on line spikes. We've also been successful deploying line filters on some really bad shops. Those cost about 250 apiece.

Regards,
Seth
[pfSense Support] pfsense log snippet and the results
Below is a small snippet of the logs that this pfSense generated. We send them to a Linux host to be captured via syslog. This started Monday and I noted the destination address was 224.0.0.x. The troubling part to me was the middle set of packets tagged IGMP. Again, having never seen this before, I did some research via Google and did find the culprit(s) on this network.

We have a conference room that is being used by the company auditors during their annual review of the books. The company being audited has nothing Microsoft newer than WinXP, so their network is not generating any of this traffic. But the auditors have brand new shiny laptops running Win7.

We have a Cisco 1841 facing the Internet and our own public IP subnet. For the conference room, we put a Linksys router in to give people (sales people doing demos and the auditors) easy access to the Internet without compromising the company's internal network. So the LAN side of the Linksys only feeds the data jacks in that conference room and is separate from the rest of the company's internal network.

The Linksys router we use for them to access the Internet is too stupid to know what to do with those multicast packets and forwards them into our public IP subnet. The Netgear switch is correctly(?) handling them as multicast packets and sending them to everyone on the public IP switch. And pfSense is tagging these packets, possibly incorrectly.

I discovered that pfSense has a packet capture feature and I used that. I installed Wireshark on my workstation and it can decode the packet capture. The MAC address in those packets was that of the Linksys router. Match!

Is there a bug in pfSense (1.2.3rc1) that it was tagging the one set of packets as IGMP?

One other reason for forwarding this info is for the entertainment of others that may suddenly find this stuff in their logs and wonder what it is. I have lurked on this list for a while and have not seen this mentioned before. This is normal traffic coming out of Vista and Win7 machines and is used for its network mapping functions.

Thanks,
Lyle Giese
LCR Computer Services, Inc.

Mar 16 06:59:26 vpngw pf: 20. 447477 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 30294, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:27 vpngw pf: 109153 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7750, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:37 vpngw pf: 10. 747937 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 57677, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.56951 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:37 vpngw pf: 107564 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 27935, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.56951 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:47 vpngw pf: 9. 387961 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 10309, offset 0, flags [none], proto UDP (17), length 52) 66.253.101.30.57072 > 224.0.0.252.5355: UDP, length 24
Mar 16 06:59:47 vpngw pf: 094776 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 27446, offset 0, flags [none], proto UDP (17), length 52) 66.253.101.30.57072 > 224.0.0.252.5355: UDP, length 24
Mar 16 07:00:49 vpngw pf: 61. 813473 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 45355, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.54544 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:49 vpngw pf: 106967 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 51721, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.54544 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:52 vpngw pf: 2. 790296 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 43038, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.53319 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:52 vpngw pf: 094111 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 13098, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.53319 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:54 vpngw pf: 2. 662042 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 45163, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.59147 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:54 vpngw pf: 098603 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 13426, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.59147 > 224.0.0.252.5355: UDP, length 26
--bunch deleted---
Mar 16 07:03:24 vpngw pf: 26. 844176 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7356, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
Mar 16 07:03:24 vpngw pf: 078830 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id
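Log entries of this kind can be triaged automatically rather than read by eye. The following is an added example, not part of the post above or of pfSense: it parses the syslog'd pf format of pfSense 1.2.x shown in the post, labels UDP to 224.0.0.252 port 5355 as LLMNR queries (RFC 4795) and IGMP to 224.0.0.22 as IGMPv3 membership reports (RFC 3376; in the post the report joins the LLMNR group), and flags link-local multicast (224.0.0.0/24, always sent with TTL 1) arriving on a routed interface, since a router should never have forwarded it. The sample lines are copied from the post; the constants and function names are the example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the syslog'd pf log format of pfSense 1.2.x, copied from the post above.
# tcpdump writes "src > dst"; the arrow is optional in the pattern because extracted archives often drop it.
SAMPLE_LOG = """\
Mar 16 06:59:26 vpngw pf: 20. 447477 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 30294, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:27 vpngw pf: 109153 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7750, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 224.0.0.252.5355: UDP, length 25
Mar 16 07:03:24 vpngw pf: 26. 844176 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7356, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
"""
PF_LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(tos \S+, ttl (?P<ttl>\d+), .*?proto (?P<proto>\w+) \(\d+\).*?\) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? (?:> )?"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: ?(?P<rest>.*)$")
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")    # link-local scope: sent with TTL 1, never routed
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", "5355"  # RFC 4795 LLMNR group and port
ALL_IGMPV3_ROUTERS = "224.0.0.22"                # RFC 3376 destination of IGMPv3 membership reports

def parse_pf_line(line):
    """Fields of one pf log line as a dict, or None when the line is not a pf packet entry."""
    m = PF_LINE.search(line)
    return m.groupdict() if m else None

def classify(ev):
    """Label a parsed event the way a defender triaging the block log would."""
    if not ip_address(ev["dst"]).is_multicast:
        return "unicast"
    if ev["proto"] == "UDP" and ev["dst"] == LLMNR_GROUP and ev["dport"] == LLMNR_PORT:
        return "llmnr-query"
    if ev["proto"] == "IGMP" and ev["dst"] == ALL_IGMPV3_ROUTERS and "report" in ev["rest"]:
        group = re.search(r"gaddr (\S+)", ev["rest"])  # the group the host is joining
        return "igmpv3-join:" + (group.group(1) if group else "?")
    return "other-multicast"

def summarize(log_text):
    """Count (source, class) pairs and flag link-local multicast seen on a routed interface."""
    counts, leaked = Counter(), set()
    for ev in filter(None, map(parse_pf_line, log_text.splitlines())):
        counts[(ev["src"], classify(ev))] += 1
        # 224.0.0.0/24 must not cross a router; on a WAN/public-subnet interface some device is forwarding it.
        if ip_address(ev["dst"]) in LINK_LOCAL_MCAST:
            leaked.add((ev["src"], ev["iface"]))
    return counts, leaked

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG)[0].items()):
        print(src, kind, n)
```

Run against the full syslog file, the `leaked` set names every source/interface pair that needs a device on that segment checked for bridging or NATing link-local multicast.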
Re: [pfSense Support] SpamD Broken Behavior Fixed, see attached patch.
Tim A. wrote:
> Scott Ullrich wrote:
>> Hey this is great, thank you! Can you please do a diff -rub and then email the patch as an attachment to coret...@pfsense.org and I will get it promptly committed.
>
> Done. I've also attached a patch for spamd_db.php that makes the GUI more accurate and informative in the db accounting. I'd also like to modify the package to add options for enabling the spamd-setup -b and spamlogd -I options, which I use and should be selectable, I think. There should also be a blacklist tab for editing the blacklist.txt file, just as there is with the whitelist.txt.
>
> ~Tim

I am disappointed to see SpamD was removed from the packages rather than fixed. Now I need it. How do I get it? I can fix it after it's installed, but I'm not sure how to make the package to get it installed.

--- filter.inc_1.2.2-REL2009-06-18 22:09:05.0 -0400 +++ filter.inc_1.2.2-REL-spamd-fix 2009-06-18 21:35:09.0 -0400
@@ -810,21 +810,26 @@ /* is SPAMD insalled? */ if (is_package_installed(spamd) == 1) { $natrules .= \n# spam table \n; - + if(file_exists(/var/db/whitelist.txt)) + $natrules .= table whitelist persist file \/var/db/whitelist.txt\\n; + else $natrules .= table whitelist persist\n; + if(file_exists(/var/db/blacklist.txt)) + $natrules .= table blacklist persist file \/var/db/blacklist.txt\\n; + else $natrules .= table blacklist persist\n; $natrules .= table spamd persist\n; - if(file_exists(/var/db/whitelist.txt)) - $natrules .= table spamd-white persist file \/var/db/whitelist.txt\\n; - $natrules .= rdr pass on {$wanif} proto tcp from blacklist to port smtp - 127.0.0.1 port spamd\n; - $natrules .= rdr pass on {$wanif} proto tcp from spamd to port smtp - 127.0.0.1 port spamd\n; - $natrules .= rdr pass on {$wanif} proto tcp from !spamd-white to port smtp - 127.0.0.1 port spamd\n; + $natrules .= table spamd-white persist\n; + if($config['installedpackages']['spamdsettings']['config']) foreach($config['installedpackages']['spamdsettings']['config'] as $ss) $nextmta = $ss['nextmta']; - if($nextmta ) { - $natrules .= rdr pass on {$wanif} proto tcp from spamd-white to port smtp - {$nextmta} port smtp\n; - } + if($nextmta ) +$natrules .= rdr pass on {$wanif} proto tcp from { spamd-white whitelist } to port smtp - {$nextmta} port smtp\n; + else + $natrules .= no rdr on {$wanif} proto tcp from whitelist to any port = smtp\n; + $natrules .= rdr pass on {$wanif} proto tcp from { blacklist spamd } to port smtp - 127.0.0.1 port spamd\n; + $natrules .= rdr pass on {$wanif} proto tcp from { !spamd-white } to port smtp - 127.0.0.1 port spamd\n; } /* load balancer anchor */ --- spamd_db.php_1.2.2-REL 2009-06-18 01:56:34.0 -0400 +++ spamd_db.php_1.2.2-REL-spamd-fix2009-06-18 11:15:14.0 -0400 
@@ -176,17 +176,18 @@ include(head.inc); if(file_exists(/var/db/whitelist.txt)) - $whitelist_items = `cat /var/db/whitelist.txt | wc -l`; + $static_whitelist_items = `pfctl -T show -t whitelist | wc -l`; else $whitelist_items = 0; if(file_exists(/var/db/blacklist.txt)) - $blacklist_items = `cat /var/db/blacklist.txt | wc -l`; + $static_blacklist_items = `pfctl -T show -t blacklist | wc -l`; else $blacklist_items = 0; // Get an overall count of the database $spamdb_items = `/usr/local/sbin/spamdb | wc -l`; +$accounted_items = $spamdb_items + $static_whitelist_items + $static_blacklist_items; // Get blacklist and whitelist count from database $spamdb_white = `/usr/local/sbin/spamdb | grep WHITE | wc -l`; @@ -194,8 +195,8 @@ $spamdb_grey = `/usr/local/sbin/spamdb | grep GREY | wc -l`; // Now count the user contributed whitelist and blacklist count -$whitelist_items = $whitelist_items + $spamdb_white; -$blacklist_items = $blacklist_items + $spamdb_black; +$whitelist_items = $static_whitelist_items + $spamdb_white; +$blacklist_items = $static_blacklist_items + $spamdb_black; ? body link=#00 vlink=#00 alink=#00 @@ -447,10 +448,11 @@ br pfont size=-2bDatabase totals:/bbrfont size=-3br ?php - echo {$whitelist_items} total items in the whitelist.br; - echo {$blacklist_items} total items in the blacklist.br; + echo {$whitelist_items} total items in the whitelist: {$spamdb_white} dynamic, {$static_whitelist_items} static (/var/db/whitelist.txt).br; +
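Review bot: in the filter.inc hunk (@@ -810) the whitelist redirect `rdr pass on {$wanif} proto tcp from { spamd-white whitelist } to port smtp - {$nextmta} port smtp` is now emitted before the `from { blacklist spamd }` redirect, and pf applies the first matching rdr, so a host listed in both /var/db/whitelist.txt and /var/db/blacklist.txt is handed straight to the next MTA and never sees spamd; the old order had the blacklist rule first. Either emit the blacklist/spamd rule first or state in the package docs that the whitelist wins. Separately, nothing in the hunk initialises $nextmta before `if($nextmta )`, so with no spamdsettings config the test reads an undefined variable (and the foreach keeps only the last entry's nextmta); add `$nextmta = "";` ahead of the foreach.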
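Review bot: in the spamd_db.php hunk @@ -176 the else branches still assign `$whitelist_items = 0;` and `$blacklist_items = 0;` while the if branches now fill `$static_whitelist_items` and `$static_blacklist_items`, so when /var/db/whitelist.txt or blacklist.txt is absent the static variables are never defined and the new line `$accounted_items = $spamdb_items + $static_whitelist_items + $static_blacklist_items;` (and the `$whitelist_items = $static_whitelist_items + $spamdb_white;` lines in the @@ -194 hunk) operate on undefined variables. Change the else branches to `$static_whitelist_items = 0;` and `$static_blacklist_items = 0;`. Also note that `pfctl -T show -t whitelist | wc -l` counts the loaded pf table rather than the file, so the page shows 0 static entries until the spamd rules have been loaded; that is a reasonable "live" count but the GUI label should say so.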