Re: [pfSense Support] multi-wan, multi-lan security
On Thu, Aug 5, 2010 at 1:51 AM, David Burgess apt@gmail.com wrote: I've been running the 2.0 betas for a few months and I'm quite happy with it. Some network and hardware upgrades present me with a few questions, and maybe I'm overthinking it, but I thought I would ask the opinion of the wise ones. I'm running mlppp and it works beautifully. For the last 2-3 months it's been just 2 DSL connections, so they each got a dedicated NIC on the net5501. Now I'm upsizing significantly to 8 DSL lines, and since there's no reasonable way of getting enough physical ports into the 5501, I'm obviously forced to use vlans to get all the DSL and LAN connections up. I have a single smart swith with vlan capability, but a second smart switch is not in the budget at the moment. A managed switch can be bought for very little. Bunch of HP 2512/2524s on ebay that go for $50 USD or less shipped, lot of similar others. In the scheme of things, compared to paying for 8 DSL lines, that's nothing. Doing VLANs properly all on one switch is probably pretty safe if done right (biggest risk in those kind of setups is accidental misconfiguration). I wouldn't do it though, managed switches are too cheap to not physically segment your internal and external networks. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
- Original Message - From: Chris Buechler cbuech...@gmail.com To: support@pfsense.com Sent: Thursday, August 05, 2010 6:01 PM Subject: Re: [pfSense Support] multi-wan, multi-lan security Doing VLANs properly all on one switch is probably pretty safe if done right (biggest risk in those kind of setups is accidental misconfiguration). I wouldn't do it though, managed switches are too cheap to not physically segment your internal and external networks. Hi Chris, Do you mind if I ask you re-express the last sentence please, (I wouldn't do it though, managed switches are too cheap to not physically segment your internal and external networks. ) I am having trouble gleaning what I think is your intended meaning. Too cheap doesn't seem an adequate justification in itself, if that is what you intend? - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFSENSE 2.0
Hi, Op 4-8-2010 17:40, Curtis Maurand schreef: On 8/3/2010 11:15 AM, Eugen Leitl wrote: You could probably mitigate some of the writes to disk by having the logging sent to a syslog server elsewhere inside the house that is using traditional write media. That should lengthen the life of the SSD at least until the next generation of SSD comes along that has no write limitations. Really, the whole SSD write issue is not too relevant based on the size of your SSD drive/CF card. It is widely known that flash has limited write cycles, 10.000 is common for current MLC flash. So if you have a 8GB flash card, of which 200MB is allocated by a pfSense image that leaves ~7.5GB free unused cells. The wear levelling in Flash Drives and CF cards will use these unused cells to spread the writes. What this effectively means is that the with 10k write cycles per cell the actual longevity is multiplied by a factor of 7.5. The situation with even larger ssd drives is even better. You install pfSense to a 40GB Intel X25-V, which effectively means that you won't live long enough to see it fail. Do note, that if you ever write the device from start to end that this negates the wear levelling. It then only has the spare cells on the drive or card to remap blocks (~7%). On that note, my much used 1GB lexar 133x CF card I bought when I joined the pfSense project in late 2005 is still fine after running pfSense versions from pre 1.0 to current 2.0BETA4. It's been reflashed a lot, and it's always been running a full install. Because then I can gitsync the installation. According to the pessimists the card should have stopped working atleast 3 years ago. Luckily the world isn't so grim. The CF cards I purchased with a few Alix systems at work though, they stopped working within 3 months. That was with the embedded image that doesn't write to the CF. Which leads me to believe they were exceptionally bad. The Kingston 8GB premium cards in there appear to be perfectly fine. It also seems to have rid them from lockups. Regards, Seth - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
On Thu, Aug 5, 2010 at 2:08 AM, Tortise tort...@paradise.net.nz wrote: - Original Message - From: Chris Buechler cbuech...@gmail.com To: support@pfsense.com Sent: Thursday, August 05, 2010 6:01 PM Subject: Re: [pfSense Support] multi-wan, multi-lan security Doing VLANs properly all on one switch is probably pretty safe if done right (biggest risk in those kind of setups is accidental misconfiguration). I wouldn't do it though, managed switches are too cheap to not physically segment your internal and external networks. Hi Chris, Do you mind if I ask you re-express the last sentence please, (I wouldn't do it though, managed switches are too cheap to not physically segment your internal and external networks. ) I am having trouble gleaning what I think is your intended meaning. Too cheap doesn't seem an adequate justification in itself, if that is what you intend? It's best to physically segregate networks of considerably different trust levels. Especially unfiltered Internet traffic and your internal network - I would never setup a network like that. To answer an initial question posed: At what point does 'should' become 'must'? I would say it's never should, always must. That option shouldn't be discarded because it's not in the budget. If you have the budget for 8 DSL lines, you can afford a switch. I would do two switches even so you have some switch redundancy, 4 connections on each of two switches (we did a config exactly like that for a customer in the past week, one of many), where you have adequate ports on the firewall. Additional ports configured on each so if one fails, you can physically move the ports and be back up and running on them all again within minutes. That would cost considerably less than just one month of 8 DSL lines, and you have a network that you should feel much better about. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] iPad ssl vpn client
Hello, Just inquiring here, does anybody already know of a SSL vpn client that works on the Apple iPad devices? Viscosity on the Mac works great, but that doesn't apply to iOS. I see mentions of a Cisco and Juniper client, but no idea if these can be made to work with pfSense. Regards, Seth - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] new problem for me
Hello guys I use pfsense 1.2.3 and everything is ok... But there is a user in my network that use a msn messenger on the browser... I tried to stop this using DNS Forwarder but the site changes every day...The website is X10.iloveim.com X11.iloveim.com X30.iloveim.com Etc... The number after X can be between 1 and 999 How to solve this using DNS Forwarder??? Thanks in advance - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
On 05/08/10 06:51, David Burgess wrote: my DSL and LAN ports will be on the same switch, different vlans. This ... what are my risks? I know it has been said on this list that WAN and if you can clearly label the switch so that you yourself cannot make a mistake when connecting cables if you use colour-coded cables to prevent accidental cable swapping if the switch is physically secure requiring a key if the switch has no IP address on untrusted/dangerous vlans if the switch has access controls to limit access to management port to trusted networks, and has username/password authentication (preferably over ssh or https) if the switch's port are set so that connected devices can't cause them to flip from untagged to tagged mode (in cisco speak from access to trunk - switchport nonegotiate then I'd say it's fairly safe. but even so I still really want to physically isolate unfirewalled network strands just in case! - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFSENSE 2.0
On 05/08/10 07:53, Seth Mos wrote: Do note, that if you ever write the device from start to end that this negates the wear levelling. It then only has the spare cells on the drive or card to remap blocks (~7%). does freeBSD support trim with SSDs? - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFSENSE 2.0
Op 5-8-2010 16:44, Paul Mansfield schreef: On 05/08/10 07:53, Seth Mos wrote: Do note, that if you ever write the device from start to end that this negates the wear levelling. It then only has the spare cells on the drive or card to remap blocks (~7%). does freeBSD support trim with SSDs? - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org as of Freebsd 8.1 it is. read the following: http://www.freebsd.org/releases/8.1R/relnotes-detailed.html#DISKS regards, -- ___ Johan Hendriks Schavemaker Transport Tel: +31 (0)251 229098 Fax: +31 (0)251 212016 email: j.hendr...@schavemaker.com web: http://www.schavemaker.com ___ Confidentiality Notice: The information in this document may be confidential. It is intended only for the use of the named recipient. If you are not the intended recipient, please notify me immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies. Violation of this notice may be unlawful. ___ - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] iPad ssl vpn client
On Thu, Aug 5, 2010 at 4:28 AM, Seth Mos seth@dds.nl wrote: Viscosity on the Mac works great, but that doesn't apply to iOS. We just punt and use the PPTP client built-in to iOS. It is not really as secure as we'd like but we normally only run ssh or an https connection over it so that part is double secured. I'd *love* to see an OpenVPN client. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
Paul, I understand your post up to this point: if the switch's port are set so that connected devices can't cause them to flip from untagged to tagged mode (in cisco speak from access to trunk - switchport nonegotiate I'm looking at the help file for my switch, and thinking this section is saying what you're saying: Ingress Filtering - When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled. Would you agree that Ingress Filtering on this switch appears to be the feature that you're describing? but even so I still really want to physically isolate unfirewalled network strands just in case! Point taken, from you and Chris as well. I should be able to get my hands on a used Cisco 3550 in the next few months to accomplish this. In the mean time I'm going to use this opportunity to learn the functions of my switch and improve my security practices. At this point I trust the small number of users on my OPT interfaces, however that will change. Thanks for the feedback. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFSENSE 2.0
On Thu, Aug 5, 2010 at 9:09 AM, Johan Hendriks j.hendr...@schavemaker.com wrote: does freeBSD support trim with SSDs? as of Freebsd 8.1 it is. read the following: http://www.freebsd.org/releases/8.1R/relnotes-detailed.html#DISKS Very interesting. I see this in the latest build log for 2.0: Thu Aug 5 03:00:22 EDT 2010 -|- pfSense version: 8 Thu Aug 5 03:00:22 EDT 2010 -|- FreeBSD branch: RELENG_8_1 So does that mean we're on version 8 or 8.1? I'm about to move to an SSD install with squid and trim would be nice. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
On 8/5/10 8:13 AM, David Burgess wrote: Paul, I understand your post up to this point: if the switch's port are set so that connected devices can't cause them to flip from untagged to tagged mode (in cisco speak from access to trunk - switchport nonegotiate I'm looking at the help file for my switch, and thinking this section is saying what you're saying: Ingress Filtering - When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled. The switchport nonegotiate command has a different meaning in the context of Cisco Catalyst switches: It disables the use of Dynamic Trunking Protocol, a proprietary means of determining whether two switches will use trunking (tagged frames) to carry traffic between them. There may be exceptions, but DTP generally won't work between a Cisco and a non-Cisco device, or between two non-Cisco devices. Here's an sample reference from the Catlyst 3560 docs: http://is.gd/e4mFq dn - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] multi-wan, multi-lan security
Comments from another perspective on the must/should question: Best practice says to physically segregate networks by trust level and by impact of error or breach. Somewhat self-evidently, this is to mitigate the impact of a) errors, and b) security breaches. Of the two, errors (i.e. human errors) are by far the more common problem. If you have a separate NIC for each network coming in to your firewall, the cables are well-identified, the ports are well-identified, and the other endpoint of those cables is also well-identified, it's much harder to accidentally expose high-trust traffic to a low-trust network. Specifically, it's far likelier that someone will notice that the cable they're holding has an ATT tag on it but the port they're about to plug it into has a PacBell label over it. When you use a switch and VLANs to segregate traffic, you have to worry about things like: in a pathological power situation (lightning strike, UPS blows up, whatever) if the switch is suddenly reset to factory defaults - and I've seen this happen - what will happen? Every port gets reset to VLAN 1 with no filtering, and all your traffic is suddenly being propagated to every network segment. Maybe you're thinking big deal, but now consider the fairly-typical WAN situation where you're running routing protocols across WAN links, say RIPv2 without authentication (because you trust all the networks involved, right? It's a point-to-point link, right?). Your network topology suddenly collapses and takes [fixing or unplugging]+2hrs to reconverge. Or the situation I once found: two smallish WAN providers both (stupidly) left STP turned on at the edge... when they were suddenly bridged together (by accident, I made a typo when setting up the VLANs) I managed to take down most of both providers' networks, and typical of STP both were down for time to figure out what I did and fix it+5 minutes. Obviously I wasn't happy, and when we all figured out what had happened they weren't very happy with me, either. As to security breaches, it is extremely difficult to a) know about the switch, b) target the switch, and c) hack the switch, but it's *infinitely* harder to hack a piece of Cat5 cable than a switch! Having said all that, many of the firewall modules/blades you can buy for chassis-based routers and switches (Cisco 3600 ISR, Catalyst 1, Juniper [something], etc.) require you to configure their ports entirely using VLANs anyway. So it's hardly a universal must, certainly not in the technical sense - it's a very, very strong should that you should only disregard if a) you're overconfident of your own abilities, b) you have no truly private data, c) you don't care too much about pissing off your WAN providers (or you know they won't even notice!), and d) you don't have enough space to mount one or two more switches in the server closet. Note also that you might be tempted to use 802.1q-over-802.3ad (VLAN-over-LAG), which does work... but also generally speaking turns off a lot of the hardware acceleration your NIC can do for you. Many NICs (certainly any half-decent one!) can still do IP offload with 802.1q (VLAN tagging), but I haven't run into any that can still do IP offload with 802.3ad (link aggregation, aka bonding, or etherchannel). Bundling links together (LAG) actually slowed my router down instead of speeding it up. Another aspect is that if you're going to run your router in a blade chassis, say, (virtualized or not) you really won't have much choice but to use VLANs for everything - most blade chassis don't give you dedicated physical Ethernet ports, certainly not more than two on any I've seen. Most of 'em have an embedded NIC (or two, or four...) that plug straight into a backplane and are only exposed via a switch module. (I am also noticing that pfSense 1.2.3 does not have good performance (for me, at least) forwarding traffic between virtual switches on a VMWare ESXi 4 host connected to the switch through a 4x V-in-LAG trunk. I haven't had time to isolate the problem yet, although I observed slightly better performance when I let VMWare handle the VLAN tagging instead of pfSense (i.e. created 4 untagged virtual e1000 NICs instead of 1 tagged vnic). Performance only seems affected if either ingress or egress traffic is local to the ESXi host, I see more-or-less normal performance if both src and dst are off-host.) -Adam Thompson athom...@athompso.net - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFSENSE 2.0
On Aug 5, 2010, at 5:20 PM, David Burgess wrote: On Thu, Aug 5, 2010 at 9:09 AM, Johan Hendriks j.hendr...@schavemaker.com wrote: does freeBSD support trim with SSDs? as of Freebsd 8.1 it is. read the following: http://www.freebsd.org/releases/8.1R/relnotes-detailed.html#DISKS Very interesting. I see this in the latest build log for 2.0: Thu Aug 5 03:00:22 EDT 2010 -|- pfSense version: 8 Thu Aug 5 03:00:22 EDT 2010 -|- FreeBSD branch: RELENG_8_1 So does that mean we're on version 8 or 8.1? I'm about to move to an SSD install with squid and trim would be nice. db 8.1-RELEASE(+Patches and security things). releng_8 would be 8-stable, which will be 8.2, 8.3 etc. Cheers Remko -- /\ Best regards,| re...@freebsd.org \ / Remko Lodder | re...@efnet Xhttp://www.evilcoder.org/| / \ ASCII Ribbon Campaign| Against HTML Mail and News - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
Just want to throw another data point into this confusing discussion. The low-end Cisco ASA 5505 requires VLAN configuration since it is just a switch. The Cisco ASA 5510 has four Ethernet ports. If you need more, just use VLAN. Perhaps, Cisco is expecting a firewalled network to use managed switches. Is it best practice? Why is there a resistance to VLAN in the pfSense community? I had somebody asked about at least ten port pfSense router with ability adding more as needed. He wants to provide Internet to a building but wants each tenant to be on a separate network. I asked why doesn't he just use a managed switch and trunk everybody to the router? I sold a Cisco Catalyst 3500XL with 48 Fast Ethernet ports for $35 a couple of months ago on eBay. I don't think cost is the issue. Bao On Thu, Aug 5, 2010 at 10:08 AM, Adam Thompson athom...@c3a.ca wrote: Comments from another perspective on the must/should question: Best practice says to physically segregate networks by trust level and by impact of error or breach. Somewhat self-evidently, this is to mitigate the impact of a) errors, and b) security breaches. Of the two, errors (i.e. human errors) are by far the more common problem. If you have a separate NIC for each network coming in to your firewall, the cables are well-identified, the ports are well-identified, and the other endpoint of those cables is also well-identified, it's much harder to accidentally expose high-trust traffic to a low-trust network. Specifically, it's far likelier that someone will notice that the cable they're holding has an ATT tag on it but the port they're about to plug it into has a PacBell label over it. When you use a switch and VLANs to segregate traffic, you have to worry about things like: in a pathological power situation (lightning strike, UPS blows up, whatever) if the switch is suddenly reset to factory defaults - and I've seen this happen - what will happen? Every port gets reset to VLAN 1 with no filtering, and all your traffic is suddenly being propagated to every network segment. Maybe you're thinking big deal, but now consider the fairly-typical WAN situation where you're running routing protocols across WAN links, say RIPv2 without authentication (because you trust all the networks involved, right? It's a point-to-point link, right?). Your network topology suddenly collapses and takes [fixing or unplugging]+2hrs to reconverge. Or the situation I once found: two smallish WAN providers both (stupidly) left STP turned on at the edge... when they were suddenly bridged together (by accident, I made a typo when setting up the VLANs) I managed to take down most of both providers' networks, and typical of STP both were down for time to figure out what I did and fix it+5 minutes. Obviously I wasn't happy, and when we all figured out what had happened they weren't very happy with me, either. As to security breaches, it is extremely difficult to a) know about the switch, b) target the switch, and c) hack the switch, but it's *infinitely* harder to hack a piece of Cat5 cable than a switch! Having said all that, many of the firewall modules/blades you can buy for chassis-based routers and switches (Cisco 3600 ISR, Catalyst 1, Juniper [something], etc.) require you to configure their ports entirely using VLANs anyway. So it's hardly a universal must, certainly not in the technical sense - it's a very, very strong should that you should only disregard if a) you're overconfident of your own abilities, b) you have no truly private data, c) you don't care too much about pissing off your WAN providers (or you know they won't even notice!), and d) you don't have enough space to mount one or two more switches in the server closet. Note also that you might be tempted to use 802.1q-over-802.3ad (VLAN-over-LAG), which does work... but also generally speaking turns off a lot of the hardware acceleration your NIC can do for you. Many NICs (certainly any half-decent one!) can still do IP offload with 802.1q (VLAN tagging), but I haven't run into any that can still do IP offload with 802.3ad (link aggregation, aka bonding, or etherchannel). Bundling links together (LAG) actually slowed my router down instead of speeding it up. Another aspect is that if you're going to run your router in a blade chassis, say, (virtualized or not) you really won't have much choice but to use VLANs for everything - most blade chassis don't give you dedicated physical Ethernet ports, certainly not more than two on any I've seen. Most of 'em have an embedded NIC (or two, or four...) that plug straight into a backplane and are only exposed via a switch module. (I am also noticing that pfSense 1.2.3 does not have good performance (for me, at least) forwarding traffic between virtual switches on a VMWare ESXi 4 host connected to the switch through a 4x V-in-LAG trunk. I haven't had time to isolate the problem yet, although
RE: [pfSense Support] multi-wan, multi-lan security
The low-end Cisco ASA 5505 requires VLAN configuration since it is just a switch. The Cisco ASA 5510 has four Ethernet ports. If you need more, just use VLAN. Perhaps, Cisco is expecting a firewalled network to use managed switches. Is it best practice? Why is there a resistance to VLAN in the pfSense community? You'll note that the *switch* vendors are generally the ones pushing VLANs on firewalls: I don't think this is a coincidence. Of course, every major firewall vendor does support VLANs now, and most also support LAGs, because many people do use them. I wouldn't say I put up any resistance to VLANs, nor anything I've seen in this thread. It's just that experience has shown many of us (me, anyway) that implementing VLANs adds another layer of complexity. VLAN-on-LAG adds another layer on top of that. Every additional layer we have to work with increases the possibility of making errors. (In my experience, the occurrence of errors roughly doubles with each layer added.) And in what is usually the most secure device on the network - the firewall - you don't want to make errors. Especially when, more often than not, the firewall is the *only* secure device on the network! As I indicated in my post, using VLANs allows for new and (*cough*) interesting failure modes that you just don't have to deal with otherwise. Note that I do use VLANs and will continue to do so. The largest network I've designed (for a regional ISP) trunks over 100 different VLANs back to the core, and there's a Cisco 7206 with 100 subifs managing it all quite happily, even their two upstream pipes are trunked in on VLANs, and internal and external networks share the same wire in many places, separated only by tags. Most of my firewall deployments do use VLANs; one must be much more careful when doing so. I have encountered (and caused!) problems that would not have occurred in a non-VLAN environment. So if you don't *need* VLANs, don't use them. If you *need* VLANs, go ahead and use them. Just like any other technology. I sold a Cisco Catalyst 3500XL with 48 Fast Ethernet ports for $35 a couple of months ago on eBay. I don't think cost is the issue. I agree. Chris also pointed this out a few posts ago. Although it could be argued that GigE smart switches still aren't negligibly cheap: I think the cheapest one I can get in Canada is around $300. Still not very expensive, especially compared to the firewall hardware I'd need to actually route data at over 100Mbps. -Adam - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] new problem for me
On Thu, Aug 5, 2010 at 7:35 AM, Tiago tpi...@scenario.ind.br wrote: Hello guys I use pfsense 1.2.3 and everything is ok... But there is a user in my network that use a msn messenger on the browser... I tried to stop this using DNS Forwarder but the site changes every day...The website is X10.iloveim.com X11.iloveim.com X30.iloveim.com Etc... The number after X can be between 1 and 999 How to solve this using DNS Forwarder??? Use a domain override for iloveim.com to send it to an IP that won't respond. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] USB Keyboard - Boot Hangs
- Tim Nelson tnel...@rockbochs.com wrote: - Paul Mansfield it-admin-pfse...@taptu.com wrote: On 04/08/10 18:31, Tim Nelson wrote: There is no option for legacy mode in the BIOS. :-( presumably there's no PS2 keyboard port? or if there is, your keyboard isn't the type which can turn into a ps2 keyboard using the oversized purple usb-to-ps2 plug thing that some come with? I have a ps2 KVM and a device which is usb only and I use one of these: http://tinyurl.com/35m36nc I've actually tried using an adapter that appears to be identical to the one you reference with the same result. Unfortunately, this board does not have any PS2 ports, only USB. An interested thread about keyboard detection regression can be found here: http://old.nabble.com/ukbd-probe-order-regression-td27433764.html The situation is exactly the same as mine, a host with no PS2 ports, USB keyboard, same behavior. Is it possible for someone with better FreeBSD fu than I to apply the patch/recompile ukbd.c for testing? --Tim - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] iPad ssl vpn client
If you jailbreak your ipad there is a openvpn client. On Thu, Aug 5, 2010 at 11:13 AM, Vick Khera vi...@khera.org wrote: On Thu, Aug 5, 2010 at 4:28 AM, Seth Mos seth@dds.nl wrote: Viscosity on the Mac works great, but that doesn't apply to iOS. We just punt and use the PPTP client built-in to iOS. It is not really as secure as we'd like but we normally only run ssh or an https connection over it so that part is double secured. I'd *love* to see an OpenVPN client. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
On Thu, Aug 5, 2010 at 1:25 PM, Bao Ha b...@hacom.net wrote: Perhaps, Cisco is expecting a firewalled network to use managed switches. Is it best practice? Why is there a resistance to VLAN in the pfSense community? I don't think anyone in this thread is expressing resistance to VLANs in general, not me at least. Every network that runs this project uses VLANs in some fashion. None of them combine unfiltered Internet traffic on the same switch as networks behind the firewall though. That's the only point I'm trying to get across here. If you're putting unfiltered Internet traffic on the same switch as your internal networks, it's a simple fat finger to drop that traffic into your LAN. It's much harder to plug something into the wrong place inadvertently, and if you do, it's not going to work as expected, where a VLAN misconfiguration could put a port into both the unfiltered Internet segment and the LAN segment, so you may not notice. I had somebody asked about at least ten port pfSense router with ability adding more as needed. He wants to provide Internet to a building but wants each tenant to be on a separate network. I asked why doesn't he just use a managed switch and trunk everybody to the router? That's a good solution, exactly what we've done a number of times for similar scenarios, there are production setups like that running more than 100 VLANs on a box (and I did a proof of concept with 4000 VLANs assigned. you'll want 2.0 for 100+, 1.2.x is way too slow in processing interfaces). Everyone in their own VLAN, so if they're infected by some ARP poisoning tool, or plug their router in backwards adding a rogue DHCP server, etc. they can't impact anyone else. Depending on your switches there are other options like PVLANs, DHCP snooping, etc. Generally with lower end managed switches your only option is one VLAN per port, and that works fine. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] multi-wan, multi-lan security
On Thu, Aug 5, 2010 at 9:20 PM, Chris Buechler cbuech...@gmail.com wrote: it's a simple fat finger to drop that traffic into your LAN. That's poetry. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] haproxy
On Wed, Aug 4, 2010 at 7:39 AM, Hiren Joshi j...@moonfruit.com wrote: Hi, I'm running a master/slave setup of 1.2.3 and about to install haproxy, I have 2 options under packages: BETA-0.29 and BETA-0.30 My question, why is the newer one marked as stable? As we were doing some work on the package for a customer, we created yet another version for a reason that escapes me at the moment. Either of the non -dev ones should be fine. We need to get that back down to two (at most, not sure -dev is needed anymore either), I'm checking on which of those should still be around. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org