Re: [pfSense Support] OT: coexisting with cisco

2010-12-09 Thread Alexandre Guimaraes
What is the Cisco equip? An ASA, A Pix or a router?

You can answer in private if you prefer


Alex

On 12/8/10, David Burgess apt@gmail.com wrote:
 Can somebody please tell me the cisco equivalent of a firewall rule
 that will keep state? I have hosts (Windows and pfSense) on opposite
 sides of a cisco firewall and router which I don't control. When I try
 to reach pfSense from Windows, tcpdump shows that pfSense is receiving
 the packet and responding, but Windows never gets the response. I want
 to tell Mr Cisco-Admin that his firewall is passing packets but not
 allowing the return, but I don't know the Cisco lingo, and I'm not
 confident that he'll know what I'm talking about unless I'm very
 specific.

 Thanks for your help.

 db

 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org



-- 
Sent from my mobile device




[pfSense Support] Cannot reach several domains...

2010-12-09 Thread Maik Heinelt
Hi,
I have been using the latest pfSense 1.2.3 on an ALIX board in our company
for a few days.
First, I did all the necessary settings for our network environment, but
then my colleagues and I noticed
that we cannot reach several web pages.

I can ping the pages from pfSense and even from a client, but I'm not
able to reach the page.
I also tried the default settings, without any firewall or NAT
settings.
Just the PPPoE settings and nothing more. The same effect.

Does someone have a hint what could be wrong there?
It works like a charm with our old router!

Affected domains are, for example:

apple.com
extensions.joomla.org
and some more!


Thanks for any help!

Regards,

Maik

-- 
..
Heinelt Maik | Software Developer
Maik Heinelt (ハイネルト マイク)
2-2-22 Fuji, Ichinomiya, Aichi Prefecture
Vega Systems Co., Ltd. (株式会社 ベガシステムズ)
TEL: 0586-71-3903 FAX: 0586-71-4071
http://www.vegasystems.com
Skype ID: daliose
..
DISCLAIMER: This information is confidential and is intended only for
the use of the individual or entity named above. If the reader of this
message is not the intended recipient, please disregard and destroy this
email and its content. Thank you

Re: [pfSense Support] OT: coexisting with cisco

2010-12-09 Thread LM

If the cisco router is doing NAT:
netflow + sh ip nat translations

If the cisco router is just doing routing:
netflow

With high detail the Cisco guy could create an ACL and then execute a 
debug ip packet ACL




On 08/12/10 21:38, David Burgess wrote:

Can somebody please tell me the cisco equivalent of a firewall rule
that will keep state? I have hosts (Windows and pfSense) on opposite
sides of a cisco firewall and router which I don't control. When I try
to reach pfSense from Windows, tcpdump shows that pfSense is receiving
the packet and responding, but Windows never gets the response. I want
to tell Mr Cisco-Admin that his firewall is passing packets but not
allowing the return, but I don't know the Cisco lingo, and I'm not
confident that he'll know what I'm talking about unless I'm very
specific.

Thanks for your help.

db




RE: [pfSense Support] Keep-alive

2010-12-09 Thread Hiren Joshi
Can I assume that keep-alive is impossible with this version of pfsense?


Josh.

 -Original Message-
 From: Hiren Joshi 
 Sent: 03 December 2010 15:31
 To: support@pfsense.com
 Subject: [pfSense Support] Keep-alive
 
 Hello all,
 
 I'm using 1.2.3-RELEASE with HAProxy 0.29 which I believe is 
 1.3.22. Is
 there any plan to upgrade this to a version of HAProxy that supports
 keep-alive? Or is there a work-around that I can employ here?
 
 Thanks,
 
 Josh.
 
 
 




Re: [pfSense Support] Keep-alive

2010-12-09 Thread Chris Buechler
On Fri, Dec 3, 2010 at 10:31 AM, Hiren Joshi j...@moonfruit.com wrote:
 Hello all,

 I'm using 1.2.3-RELEASE with HAProxy 0.29 which I believe is 1.3.22. Is
 there any plan to upgrade this to a version of HAProxy that supports
 keep-alive?

That version should support keep-alive. You may want to check the other
haproxy packages; those need to be consolidated at some point. There
are differing versions there, though that may only be differences in
GUI code.




RE: [pfSense Support] Keep-alive

2010-12-09 Thread Hiren Joshi
The 0.29 was the one that was recommended on this list, I couldn't quite
get the others to work.

I see an option, "Use 'httpclose' option"; this looks like what I
want...

Thanks,

Josh.

 -Original Message-
 From: Chris Buechler [mailto:cbuech...@gmail.com] 
 Sent: 09 December 2010 15:30
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Keep-alive
 
 On Fri, Dec 3, 2010 at 10:31 AM, Hiren Joshi 
 j...@moonfruit.com wrote:
  Hello all,
 
  I'm using 1.2.3-RELEASE with HAProxy 0.29 which I believe 
 is 1.3.22. Is
  there any plan to upgrade this to a version of HAProxy that supports
  keep-alive?
 
 That version should support keep-alive. You may want to check the other
 haproxy packages; those need to be consolidated at some point. There
 are differing versions there, though that may only be differences in
 GUI code.
 
 
 




Re: [pfSense Support] PPTP VPN question

2010-12-09 Thread Jim Pingle
On 12/9/2010 5:49 PM, David Miller wrote:
 How does one configure routes across a VPN connection?
 
 I.e., I have a pfSense 2.0beta box with external address 1.2.3.4 connected
 to 10.2.1.0/24 on the inside.  If the box gives out 172.30.40.50 as a
 VPN ppp0 address, how do I tell the client to route 10.2.1.0 traffic
 over the link?
 
 
 
 (VPN client gets 172.30.40.50) - [internet] - 1.2.3.4[pfsense box]
 - 10.2.1.0/24
 
 Everything works fine if I do a route add on the client for network
 10.2.1.0 via the ppp interface, but I'd like that to be automatic.  If
 the book covers this in the VPN chapter I'm just not seeing it.

AFAIK there is no way to make it automatic with PPTP in our GUI. You can
assign yourself a static PPTP IP and then make a .cmd file to add the
route if you want though.

It's in the book. Page 291, section 14.10 PPTP Routing Tricks.

If you use RADIUS auth, you _might_ be able to pass back routes via
RADIUS REPLYATTRs but I have never tried this before. Someone else may
have better input on that aspect.

IMHO everyone should really be using OpenVPN for complex (or any, to be
honest) remote access VPN needs. You can make it do pretty much anything
you want, especially in 2.0.

Jim




[pfSense Support] 2.0 book?

2010-12-09 Thread David Burgess
Is there any public plan for a 2.0 book? I sure would like to pick one up.

db




[pfSense Support] Re: OT: coexisting with cisco

2010-12-09 Thread David Burgess
On Wed, Dec 8, 2010 at 1:38 PM, David Burgess apt@gmail.com wrote:
 Can somebody please tell me the cisco equivalent of a firewall rule
 that will keep state?

After some closer inspection I don't think there is a Cisco firewall
on site at all, just a router and layer 3 switching. I talked to the
Cisco admin and he was surprised to hear that anything was being
routed that way without NAT, and has since closed the tap. Too bad, as
I would have liked so much access without routing over the internet.

Thanks for the suggestions.

db




Re: [pfSense Support] PPTP VPN question

2010-12-09 Thread David Miller

On 12/9/10 6:01 PM, Jim Pingle wrote:

On 12/9/2010 5:49 PM, David Miller wrote:

How does one configure routes across a VPN connection?

I.e., I have a pfSense 2.0beta box with external address 1.2.3.4 connected
to 10.2.1.0/24 on the inside.  If the box gives out 172.30.40.50 as a
VPN ppp0 address, how do I tell the client to route 10.2.1.0 traffic
over the link?



(VPN client gets 172.30.40.50) - [internet] - 1.2.3.4[pfsense box]
- 10.2.1.0/24

Everything works fine if I do a route add on the client for network
10.2.1.0 via the ppp interface, but I'd like that to be automatic.  If
the book covers this in the VPN chapter I'm just not seeing it.

AFAIK there is no way to make it automatic with PPTP in our GUI. You can
assign yourself a static PPTP IP and then make a .cmd file to add the
route if you want though.

It's in the book. Page 291, section 14.10 PPTP Routing Tricks.


Great reply and unbelievably quick too!  Thanks Jim.

291/292 describe how to tell the pfsense box about routes the vpn client 
has access to.


I'm looking to automatically advertise selected subnets attached 
(in)directly to the inside of the pfsense box.  Right now it gives my 
mac a second default route - I want the mac to pickup a route to only 
10.2.1.0/24 via ppp0.


Doable?

Thanks,

--- David







[pfSense Support] Openvpn routing config help

2010-12-09 Thread Joseph L. Casale
I was using a client mode config to connect to an OpenVPN server
which worked well, clients on the Lan interface routed correctly across
the vpn and could access the remote server and its clients.

I now needed to change this and use a server config on my pfsense side
and let the remote side be the client.

What has to be done to let LAN clients access resources across the tunnel
now from the pfsense side of the config?

Thanks,
jlc




[pfSense Support] Firewall Rule for another network

2010-12-09 Thread Maik Heinelt


We have 2 networks in our company with pfSense 1.2.3.

A. 192.168.144.0/24
B. 192.168.11.0/24

The gateway for network B is 192.168.144.112
So I had set up a static route for network B to its gateway.
From network A to B it works as expected, but if I try to reach
network A from network B,

I'm not able to connect.
Firewall rule to pass traffic from network 192.168.11.0/24 to 
192.168.144.0/24 is set, but if I check the firewall logs in pfSense,

it still is blocking traffic between B and A.
RIP in pfSense is also activated.

Any hint?


Maik


Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Chris Buechler
On Thu, Dec 9, 2010 at 8:42 PM, Maik Heinelt m...@vegasystems.com wrote:

 We have 2 networks in our company with pfSense 1.2.3.

 A. 192.168.144.0/24
 B. 192.168.11.0/24

 The gateway for network B is 192.168.144.112
 So I had set up a static route for network B to its gateway.
 From network A to B it works as expected, but if I try to reach network A
 from network B,
 I'm not able to connect.
 Firewall rule to pass traffic from network 192.168.11.0/24 to
 192.168.144.0/24 is set, but if I check the firewall logs in pfSense,
 it still is blocking traffic between B and A.
 RIP in pfSense is also activated.

 Any hint?


System > Advanced, check "Bypass firewall rules for traffic on the same
interface". Can't statefully filter asymmetrically routed traffic.




Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Maik Heinelt

Chris,
Thank you for your tip, but "Bypass firewall rules for traffic on the
same interface" didn't resolve the problem.

Any other tips?

Maik


On 2010/12/10 10:56, Chris Buechler wrote:

On Thu, Dec 9, 2010 at 8:42 PM, Maik Heinelt m...@vegasystems.com wrote:

We have 2 networks in our company with pfSense 1.2.3.

A. 192.168.144.0/24
B. 192.168.11.0/24

The gateway for network B is 192.168.144.112
So I had set up a static route for network B to its gateway.
From network A to B it works as expected, but if I try to reach network A
from network B,
I'm not able to connect.
Firewall rule to pass traffic from network 192.168.11.0/24 to
192.168.144.0/24 is set, but if I check the firewall logs in pfSense,
it still is blocking traffic between B and A.
RIP in pfSense is also activated.

Any hint?


System > Advanced, check "Bypass firewall rules for traffic on the same
interface". Can't statefully filter asymmetrically routed traffic.


Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Evgeny Yurchenko

On 10-12-09 08:42 PM, Maik Heinelt wrote:


We have 2 networks in our company with pfSense 1.2.3.

A. 192.168.144.0/24
B. 192.168.11.0/24

The gateway for network B is 192.168.144.112
So I had set up a static route for network B to its gateway.
From network A to B it works as expected, but if I try to reach
network A from network B,

I'm not able to connect.
Firewall rule to pass traffic from network 192.168.11.0/24 to 
192.168.144.0/24 is set, but if I check the firewall logs in pfSense,

it still is blocking traffic between B and A.
RIP in pfSense is also activated.

Any hint?


Maik



It does not make sense:
B. 192.168.11.0/24
The gateway for network B is 192.168.144.112

Can you run tcpdump simultaneously on both interfaces and try to reach A
from B?

Evgeny




Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Maik Heinelt

Sorry for the confusion.
We have an L3 switch between networks A and B.
This switch has the IP 192.168.144.112 in network A and the IP
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from the 192.168.144.0 network is
routed to 192.168.144.112.


I can reach network B from network A, but not the other way round.

Maik



On 2010/12/10 11:40, Evgeny Yurchenko wrote:

On 10-12-09 08:42 PM, Maik Heinelt wrote:


We have 2 networks in our company with pfSense 1.2.3.

A. 192.168.144.0/24
B. 192.168.11.0/24

The gateway for network B is 192.168.144.112
So I had set up a static route for network B to its gateway.
From network A to B it works as expected, but if I try to reach
network A from network B,

I'm not able to connect.
Firewall rule to pass traffic from network 192.168.11.0/24 to 
192.168.144.0/24 is set, but if I check the firewall logs in pfSense,

it still is blocking traffic between B and A.
RIP in pfSense is also activated.

Any hint?


Maik



It does not make sense:
B. 192.168.11.0/24
The gateway for network B is 192.168.144.112

Can you run tcpdump simultaneously on both interfaces and try to reach
A from B?

Evgeny


Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Evgeny Yurchenko

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have an L3 switch between networks A and B.
This switch has the IP 192.168.144.112 in network A and the IP
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from the 192.168.144.0 network is
routed to 192.168.144.112.


I can reach network B from network A, but not the other way round.

Maik


And where is pfSense here?




Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Maik Heinelt

On 2010/12/10 13:26, Evgeny Yurchenko wrote:

On 10-12-09 11:07 PM, Maik Heinelt wrote:

pfSense is our internet router (192.168.144.10)

The L3 switch in between the 2 networks A. and B. is configured to
send all requests for network A (192.168.144.0) to the pfSense router.

Before we used pfSense, we had a working CentreCom Router.

Maik


On 2010/12/10 13:04, Evgeny Yurchenko wrote:

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have an L3 switch between networks A and B.
This switch has the IP 192.168.144.112 in network A and the IP
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from the 192.168.144.0 network
is routed to 192.168.144.112.


I can reach network B from network A, but not the other way round.

Maik


And where is pfSense here?

please do not top-post.

So, we have
Network A ---- 192.168.144.112 [switch] 192.168.11.1 ---- Network B
192.168.144.0/24      |                       |          192.168.11.0/24
      |               |                       |                |
      \------- 192.168.144.10 [pfSense] 192.168.11.x ----------/
and hosts from A forward packets to pfSense when sending to B, while hosts
from B always forward packets to the switch.

Right?
The ideal solution is to get rid of the asymmetric routing: if you want to
filter the traffic, just make the hosts in B use pfSense when sending to A.
If that is not possible, then what Chris proposed does not work, because
pfSense has network B on one of its interfaces and thus you can't create a
static route to network B.

Try setting StateType to None in the rule allowing A to B.


You are almost right about our network configuration.
Network A 192.168.144.0/24 is using pfSense on 192.168.144.10 as its
internet router.

Network B 192.168.11.0/24 is using its own router for its internet connection.
Only for requests to network A from B does it use the L3 switch
between the two networks.
So all clients in network B are using the 192.168.11.xx internet router
as gateway.


So it isn't possible to use pfSense as the default in network B.

If I set the rule allowing A to B with StateType set to None, I
cannot connect to network B (192.168.11.0/24) at all.


Maik







Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Evgeny Yurchenko

On 10-12-09 11:54 PM, Maik Heinelt wrote:

On 2010/12/10 13:26, Evgeny Yurchenko wrote:

On 10-12-09 11:07 PM, Maik Heinelt wrote:

pfSense is our internet router (192.168.144.10)

The L3 switch in between the 2 networks A. and B. is configured to
send all requests for network A (192.168.144.0) to the pfSense router.

Before we used pfSense, we had a working CentreCom Router.

Maik


On 2010/12/10 13:04, Evgeny Yurchenko wrote:

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have an L3 switch between networks A and B.
This switch has the IP 192.168.144.112 in network A and the IP
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from the 192.168.144.0
network is routed to 192.168.144.112.


I can reach network B from network A, but not the other way round.

Maik


And where is pfSense here?

please do not top-post.

So, we have
Network A ---- 192.168.144.112 [switch] 192.168.11.1 ---- Network B
192.168.144.0/24      |                       |          192.168.11.0/24
      |               |                       |                |
      \------- 192.168.144.10 [pfSense] 192.168.11.x ----------/
and hosts from A forward packets to pfSense when sending to B, while
hosts from B always forward packets to the switch.

Right?
The ideal solution is to get rid of the asymmetric routing: if you want to
filter the traffic, just make the hosts in B use pfSense when sending to A.
If that is not possible, then what Chris proposed does not work, because
pfSense has network B on one of its interfaces and thus you can't create a
static route to network B.

Try setting StateType to None in the rule allowing A to B.


You are almost right about our network configuration.
Network A 192.168.144.0/24 is using pfSense on 192.168.144.10 as its
internet router.
Network B 192.168.11.0/24 is using its own router for its internet
connection.
Only for requests to network A from B does it use the L3 switch
between the two networks.
So all clients in network B are using the 192.168.11.xx internet
router as gateway.


So it isn't possible to use pfSense as the default in network B.

If I set the rule allowing A to B with StateType set to None, I
cannot connect to network B (192.168.11.0/24) at all.


Maik

Ok then, if pfSense does not have 192.168.11.0/24 at all, then just
create a static route on pfSense: 192.168.11.0/24 via
192.168.144.112, and enable the option Chris mentioned. Should work.

Evgeny.





Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Maik Heinelt

On 2010/12/10 13:56, Evgeny Yurchenko wrote:

On 10-12-09 11:54 PM, Maik Heinelt wrote:

On 2010/12/10 13:26, Evgeny Yurchenko wrote:

On 10-12-09 11:07 PM, Maik Heinelt wrote:

pfSense is our internet router (192.168.144.10)

The L3 switch in between the 2 networks A. and B. is configured to
send all requests for network A (192.168.144.0) to the pfSense router.

Before we used pfSense, we had a working CentreCom Router.

Maik


On 2010/12/10 13:04, Evgeny Yurchenko wrote:

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have an L3 switch between networks A and B.
This switch has the IP 192.168.144.112 in network A and the IP
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from the 192.168.144.0
network is routed to 192.168.144.112.


I can reach network B from network A, but not the other way round.

Maik


And where is pfSense here?

please do not top-post.

So, we have
Network A ---- 192.168.144.112 [switch] 192.168.11.1 ---- Network B
192.168.144.0/24      |                       |          192.168.11.0/24
      |               |                       |                |
      \------- 192.168.144.10 [pfSense] 192.168.11.x ----------/
and hosts from A forward packets to pfSense when sending to B, while
hosts from B always forward packets to the switch.

Right?
The ideal solution is to get rid of the asymmetric routing: if you want to
filter the traffic, just make the hosts in B use pfSense when sending to A.
If that is not possible, then what Chris proposed does not work, because
pfSense has network B on one of its interfaces and thus you can't
create a static route to network B.

Try setting StateType to None in the rule allowing A to B.


You are almost right about our network configuration.
Network A 192.168.144.0/24 is using pfSense on 192.168.144.10 as its
internet router.
Network B 192.168.11.0/24 is using its own router for its internet
connection.
Only for requests to network A from B does it use the L3
switch between the two networks.
So all clients in network B are using the 192.168.11.xx internet
router as gateway.


So it isn't possible to use pfSense as the default in network B.

If I set the rule allowing A to B with StateType set to None, I
cannot connect to network B (192.168.11.0/24) at all.


Maik

Ok then, if pfSense does not have 192.168.11.0/24 at all, then just
create a static route on pfSense: 192.168.11.0/24 via
192.168.144.112, and enable the option Chris mentioned. Should work.

Evgeny.


Static route is set:
Interface   Network            Gateway
LAN         192.168.11.0/32    192.168.144.112

Static route filtering: *Bypass firewall rules for traffic on the same 
interface* is checked.
But if I try to reach a 192.168.144.0/24 IP from the 192.168.11.0/24
network, I cannot connect.

From 144.0 network to 11.0 works very well.

Maik

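The following is an added example, not code from pfSense or from anyone on this list. It models in a few dozen lines what Chris's "can't statefully filter asymmetrically routed traffic" and Evgeny's diagram describe, and it also answers David's earlier "coexisting with cisco" question about a firewall that passes a packet but not its reply. Addresses are the ones Maik posted; the packets are constructed; and representing the "Bypass firewall rules for traffic on the same interface" option as a 'no state' pass rule for each statically routed network is an assumption about the mechanism, not a description of pfSense internals.

```python
"""Stateful filtering versus asymmetric routing, in a toy model.

Added example (not pfSense code). A 'keep state' rule only matches a SYN and
records the flow; later packets of that flow pass on the state entry; a
'no state' rule matches any packet; everything else is blocked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" SYN, "SA" SYN/ACK, "A" ACK
    seen: bool   # False when the packet's path does not cross the firewall


@dataclass
class Rule:
    src: object               # ip_network
    dst: object               # ip_network
    keep_state: bool = True   # pfSense pass rules keep state by default


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # 4-tuples of flows that were allowed in

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass:state"
        for r in self.rules:
            if ip_address(p.src) in r.src and ip_address(p.dst) in r.dst:
                if not r.keep_state:
                    return "pass:no-state"
                if p.flags == "S":        # only a SYN may create state
                    self.states.add(fwd)
                    return "pass:new-state"
        return "block"


def run(fw, packets):
    """Verdict for every packet that actually crosses the firewall."""
    return [fw.decide(p) for p in packets if p.seen]


NET_A = ip_network("192.168.144.0/24")
NET_B = ip_network("192.168.11.0/24")


def bypass_rules(static_route_net):
    """Assumed model of the bypass option: pass traffic to and from the
    statically routed network without creating state."""
    n = ip_network(static_route_net)
    return [Rule(NET_A, n, keep_state=False), Rule(n, NET_A, keep_state=False)]


# Constructed flows. seen=False marks hops that go host <-> switch directly.
# A -> B: the SYN crosses pfSense, the SYN/ACK returns via the switch.
A_TO_B = [
    Packet("192.168.144.20", 40000, "192.168.11.5", 80, "S", seen=True),
    Packet("192.168.11.5", 80, "192.168.144.20", 40000, "SA", seen=False),
    Packet("192.168.144.20", 40000, "192.168.11.5", 80, "A", seen=True),
]
# B -> A: the SYN goes straight through the switch; pfSense only ever sees
# the SYN/ACK from A, for which it holds no state.
B_TO_A = [
    Packet("192.168.11.5", 50000, "192.168.144.20", 22, "S", seen=False),
    Packet("192.168.144.20", 22, "192.168.11.5", 50000, "SA", seen=True),
]


def verdicts(extra_rules=()):
    """Run both flows through a fresh filter holding the A<->B pass rules
    plus any extra rules; return the per-packet verdicts."""
    rules = [Rule(NET_A, NET_B), Rule(NET_B, NET_A)] + list(extra_rules)
    return {"A->B": run(StatefulFilter(rules), A_TO_B),
            "B->A": run(StatefulFilter(rules), B_TO_A)}


if __name__ == "__main__":
    print("keep-state rules only:     ", verdicts())
    print("bypass for 192.168.11.0/32:", verdicts(bypass_rules("192.168.11.0/32")))
    print("bypass for 192.168.11.0/24:", verdicts(bypass_rules("192.168.11.0/24")))
```

With plain keep-state rules the A-to-B connection passes (its SYN created state) while the B-to-A connection is blocked, because the only packet pfSense ever sees is a SYN/ACK with no matching state; that is exactly the "works one way, blocked the other way" symptom in the thread. The last two runs use the route Maik posted, 192.168.11.0/32, against a /24: a /32 covers only the host 192.168.11.0, so a bypass rule derived from it would not match 192.168.11.5. Whether pfSense derives the bypass rule from the route mask this way is not confirmed on the page, but the mask of the static route is the first thing to verify.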

[pfSense Support] 2.0 - don't work Ipsec!

2010-12-09 Thread drovalev

Hi,

LAN net 192.168.8.0/24 --- [This is pfSense 2.0] --- 172.20.20.0/24
                                                     172.20.21.0/24
                           0.0.0.0/0                 172.20.22.0/24
                                                     172.20.24.0/24
                                                     ...

The firewall on the IPsec interface is fully open.

Why is IPsec phase 1 not established?

P.S. With this configuration all works on pfsense 1.2 and monowall!

Please Help!


my racoon.conf:

# This file is automatically generated. Do not edit
path pre_shared_key /var/etc/psk.txt;

path certificate  /var/etc;


listen
{
 adminsock /var/db/racoon/racoon.sock root wheel 0660;
 isakmp 192.168.180.33 [500];
 isakmp_natt 192.168.180.33 [4500];
 isakmp 192.168.180.1 [500];
 isakmp_natt 192.168.180.1 [4500];
 isakmp 10.221.40.6 [500];
 isakmp_natt 10.221.40.6 [4500];
}


remote 192.186.180.38
{
 ph1id 1;
 exchange_mode aggressive;
 my_identifier address 192.168.180.33;
 peers_identifier address 192.186.180.38;
 ike_frag on;
 generate_policy = off;
 initial_contact = on;
 nat_traversal = off;


 dpd_delay = 10;
 dpd_maxfail = 5;
 support_proxy on;
 proposal_check obey;


 proposal
 {
 authentication_method pre_shared_key;
 encryption_algorithm 3des;
 hash_algorithm sha1;
 dh_group 2;
 lifetime time 3600 secs;
 }
}

remote 192.186.180.39
{
 ph1id 2;
 exchange_mode aggressive;
 my_identifier address 192.168.180.33;
 peers_identifier address 192.186.180.39;
 ike_frag on;
 generate_policy = off;
 initial_contact = on;
 nat_traversal = on;


 dpd_delay = 10;
 dpd_maxfail = 5;
 support_proxy on;
 proposal_check obey;


 proposal
 {
 authentication_method pre_shared_key;
 encryption_algorithm 3des;
 hash_algorithm sha1;
 dh_group 2;
 lifetime time 3600 secs;
 }
}

..


sainfo subnet 0.0.0.0/0 any subnet 172.20.22.0/24 any
{
 remoteid 1;
 encryption_algorithm blowfish 256, blowfish 248, blowfish 240,
blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200,
blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160,
blowfish 152, blowfish 144, blowfish 136, blowfish 128;
 authentication_algorithm hmac_sha1;
 pfs_group 2;
 lifetime time 3600 secs;
 compression_algorithm deflate;
}

sainfo subnet 0.0.0.0/0 any subnet 172.20.20.0/24 any
{
 remoteid 2;
 encryption_algorithm aes 256, aes 192, aes 128;
 authentication_algorithm hmac_sha1;
 pfs_group 2;
 lifetime time 3600 secs;
 compression_algorithm deflate;
}

...

racoon.log


racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Dec 10 08:55:02 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24
Mar 2010 (http://www.openssl.org/)
Dec 10 08:55:02 racoon: INFO: Reading configuration from
/var/etc/racoon.conf
Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[4500] used as isakmp
port (fd=16)
Dec 10 08:55:02 racoon: INFO: 10.221.40.6[4500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[500] used as isakmp
port (fd=17)
Dec 10 08:55:02 racoon: INFO: 10.221.40.6[500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used as isakmp port
(fd=18)
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used as isakmp port
(fd=19)
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[4500] used as isakmp
port (fd=20)
Dec 10 08:55:02 racoon: INFO: 192.168.180.33[4500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[500] used as isakmp
port (fd=21)
Dec 10 08:55:02 racoon: INFO: 192.168.180.33[500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: unsupported PF_KEY message REGISTER
Dec 10 08:55:04 racoon:
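Before chasing a phase 1 failure through the racoon log, it pays to cross-check the generated file itself: every sainfo's remoteid must point at a remote block's ph1id, and every my_identifier must be an address racoon actually listens on. The following is an added example, not pfSense or ipsec-tools code. SAMPLE is a constructed configuration in the same layout as the file posted above (addresses reused from it), cut down and given one deliberate inconsistency so the checks have something to report.

```python
"""Consistency checks for a racoon.conf (added example, not project code)."""
import re

SAMPLE = """
# constructed sample, same layout as the pfSense 2.0 generated file
path pre_shared_key /var/etc/psk.txt;
listen
{
        isakmp 192.168.180.33 [500];
        isakmp_natt 192.168.180.33 [4500];
}
remote 192.186.180.38
{
        ph1id 1;
        exchange_mode aggressive;
        my_identifier address 192.168.180.33;
        peers_identifier address 192.186.180.38;
        nat_traversal = off;
        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 2;
        }
}
sainfo subnet 0.0.0.0/0 any subnet 172.20.22.0/24 any
{
        remoteid 1;
        encryption_algorithm aes 256, aes 192, aes 128;
        authentication_algorithm hmac_sha1;
}
sainfo subnet 0.0.0.0/0 any subnet 172.20.20.0/24 any
{
        remoteid 2;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
}
"""


def parse(text):
    """Parse racoon-style config into (stmts, blocks): stmts is a list of
    (key, value) pairs, blocks a list of (header, stmts, blocks), nested.
    racoon's optional '=' between key and value is accepted."""
    text = re.sub(r"#.*", "", text)            # strip comments

    def body(pos):
        stmts, blocks, buf = [], [], ""
        while pos < len(text):
            c = text[pos]
            if c == "{":                       # buf holds the block header
                header, buf = buf.strip(), ""
                (s, b), pos = body(pos + 1)
                blocks.append((header, s, b))
                continue
            if c == "}":
                return (stmts, blocks), pos + 1
            if c == ";":
                stmt = buf.strip()
                if stmt:
                    parts = re.split(r"\s*=\s*|\s+", stmt, maxsplit=1)
                    stmts.append((parts[0], parts[1] if len(parts) > 1 else ""))
                buf = ""
            else:
                buf += c
            pos += 1
        return (stmts, blocks), pos

    (stmts, blocks), _ = body(0)
    return stmts, blocks


def get(stmts, key, default=None):
    return next((v for k, v in stmts if k == key), default)


def audit(text):
    """Return a list of findings; an empty list means the file is consistent."""
    _, blocks = parse(text)
    findings = []
    listening = {v.split()[0] for h, s, _ in blocks if h == "listen"
                 for k, v in s if k.startswith("isakmp")}
    ph1 = {}
    for header, stmts, inner in blocks:
        if not header.startswith("remote"):
            continue
        peer = header.split(None, 1)[1]
        ph1[get(stmts, "ph1id")] = peer
        me = get(stmts, "my_identifier", "").split()
        if me[:1] == ["address"] and me[1] not in listening:
            findings.append(f"remote {peer}: my_identifier {me[1]} is not a listen address")
        psk = any(get(s, "authentication_method") == "pre_shared_key"
                  for h, s, _ in inner if h == "proposal")
        if get(stmts, "exchange_mode") == "aggressive" and psk:
            findings.append(f"remote {peer}: aggressive mode with a pre-shared key "
                            "sends the identity hash unprotected; prefer main mode")
    for header, stmts, _ in blocks:
        if header.startswith("sainfo"):
            rid = get(stmts, "remoteid")
            if rid not in ph1:
                findings.append(f"{header}: remoteid {rid} matches no remote block ph1id")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("-", f)
```

On SAMPLE the audit reports two things: the second sainfo refers to remoteid 2 while only ph1id 1 exists, and the remote uses aggressive mode with a pre-shared key, the combination in the posted file, which is worth knowing about even when it is not the cause of the failure. To run it on a real file, read /var/etc/racoon.conf into a string and pass it to audit().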