[pfSense Support] Best way of bridging with 2.0
Hello,

I have found this useful post about setting up a bridge in pfSense and have translated it into French:
http://forum.pfsense.org/index.php/topic,20917.0.html
http://www.osnet.eu/fr/content/pfsense-v20-dhcp-et-bridge

I have one more question regarding the way things should be done in a specific scenario. I have a two-port alix box + 1 WLAN. Here is how things are actually set up:

WAN [82.66.xx.yy : vr1] --- LAN  [192.168.2.1 : vr0]
                            WLAN [192.168.2.2 : ath0]
                              |            |
                         Bridged OPT2 [no IP : Bridge0]

I would like to bridge LAN and WLAN on an OPT interface and still be able to have DHCP working. I would also like to have filtering (firewalling) happening at one point only (for outgoing traffic; internal traffic won't be filtered). Is this schema ok? Or should I attribute the vr0 interface to the bridge instead?

Thanks.

- Grégory Bernard
Director - www.osnet.eu - Your provider of OpenSource appliances

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!
I am not sure if pfSense is using code from OpenBSD IPSec, but since this is an IPSec thread this could be interesting too:

Allegations regarding OpenBSD IPSEC
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

Basically it is talking about backdoors in the OpenBSD IPSEC code. At least it is interesting. Not my goal to discuss if it is real or just a rumour here. I am not an IPSec developer at all.

On 13/12/10 23:29, Jeppe Øland wrote:

On Mon, Dec 13, 2010 at 1:37 PM, st41ker st41...@st41ker.net wrote:
On 13.12.2010 9:14, drova...@kaluga-gov.ru wrote:
Please prompt the certificated decisions! To regrets ipsec WHILE, does not use (ГОСТ 28147-89), (ГОСТ Р 34.11-94) enciphering, but we hope it will be soon included in ipsec! Now ipsec does not work! As the certification theme, a question is lifted: When Pfsense, ipsec it will be compiled with support of these crypto algorithms?

I'm not sure what you've tried to say. Maybe he is asking if pfSense has any plans for including the GOST ciphers in its IPSEC implementation?
http://en.wikipedia.org/wiki/GOST_%28block_cipher%29
http://en.wikipedia.org/wiki/GOST_%28hash_function%29

Regards,
-Jeppe
[pfSense Support] custom files in /var/etc/ gone after reboot
Hello everyone,

We have multiple deployments of pfSense running for clients, and recently after one unexpected power failure the custom files we put in /var/etc disappeared. Then last night we rebooted another pfSense box and it did the same thing. The custom files are custom authentication for OpenVPN. Both of these firewalls are NanoBSD.

I guess my question is: I know pfSense keeps files in /var/etc/, but is it different for pfSense NanoBSD?

-- Scott
Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!
And the other side of the coin:
http://bsd.slashdot.org/story/10/12/15/1524202/BSD-Coder-Denies-Adding-FBI-Backdoor

Moshe
-- Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732

On Wed, Dec 15, 2010 at 10:50 AM, LM asturlui...@gmail.com wrote:
I am not sure if PFSense is using code from OpenBSD IPSec but since this is an IPSec thread this could be interesting too:
Allegations regarding OpenBSD IPSEC
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
Basically it is talking about backdoors in the IPSEC OpenBSD code. At least it is interesting. Not my goal to discuss if it is real or just a rumour here. I am not an IPSec developer at all.

On 13/12/10 23:29, Jeppe Øland wrote:
On Mon, Dec 13, 2010 at 1:37 PM, st41ker st41...@st41ker.net wrote:
On 13.12.2010 9:14, drova...@kaluga-gov.ru wrote:
Please prompt the certificated decisions! To regrets ipsec WHILE, does not use (ГОСТ 28147-89), (ГОСТ Р 34.11-94) enciphering, but we hope it will be soon included in ipsec! Now ipsec does not work! As the certification theme, a question is lifted: When Pfsense, ipsec it will be compiled with support of these crypto algorithms?

I'm not sure what you've tried to say. Maybe he is asking if pfSense has any plans for including the GOST ciphers in its IPSEC implementation?
http://en.wikipedia.org/wiki/GOST_%28block_cipher%29
http://en.wikipedia.org/wiki/GOST_%28hash_function%29
Regards,
-Jeppe
[pfSense Support] console menu closes when enter pressed
I noticed that if I just hit enter on the pfSense console without typing an option first, it exits the console. If I am on ssh, it closes the connection and if I am on the local terminal, where I have it set to prompt for a password, it asks the password again. Since option 0 can be used to do the same thing and there are times that I would like to refresh the console (to re-display the connection status at the top), I am wondering why it is set up to exit if no input is given? One of my development boxes gets a new IP address regularly and I like to refresh the console to see when the address has been successfully acquired. The way it is now, I have to log in again and again or go into another option, such as the shell, and then out of it again. I know where to modify this myself in /etc/rc.initial but before I do so, I am curious as to the reason it works this way. Moshe -- Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
On Wed, Dec 15, 2010 at 11:45 AM, Scott Benson sben...@a-1networks.com wrote:
Hello everyone,
We have multiple deployments of pfsense running for clients and recently after one unexpected power failure the custom files we put in /var/etc disappeared. Then last night we rebooted another pfsense box and it did the same thing. The custom files are custom authentication for openvpn. Both of these firewalls are nano bsd.
I guess my question is, I know Pfsense keeps files in /var/etc/ but is it different for Pfsense Nanobsd?

Yes, that's a RAM disk.
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
On 12/15/2010 11:45 AM, Scott Benson wrote:
Hello everyone,
We have multiple deployments of pfsense running for clients and recently after one unexpected power failure the custom files we put in /var/etc disappeared. Then last night we rebooted another pfsense box and it did the same thing. The custom files are custom authentication for openvpn. Both of these firewalls are nano bsd.
I guess my question is, I know Pfsense keeps files in /var/etc/ but is it different for Pfsense Nanobsd?

On NanoBSD, /var is a RAM disk. You can only rely on /conf/ being there long term. What some people do is put their files in /conf/ and set up a shellcmd to copy them into place at boot time.

Jim
Re: [pfSense Support] console menu closes when enter pressed
On 12/15/2010 12:27 PM, Moshe Katz wrote:
I noticed that if I just hit enter on the pfSense console without typing an option first, it exits the console. If I am on ssh, it closes the connection and if I am on the local terminal, where I have it set to prompt for a password, it asks the password again. Since option 0 can be used to do the same thing and there are times that I would like to refresh the console (to re-display the connection status at the top), I am wondering why it is set up to exit if no input is given? One of my development boxes gets a new IP address regularly and I like to refresh the console to see when the address has been successfully acquired. The way it is now, I have to log in again and again or go into another option, such as the shell, and then out of it again. I know where to modify this myself in /etc/rc.initial but before I do so, I am curious as to the reason it works this way.

I don't recall the specifics on why it was done that way, but you could use hidden menu option 15 to redisplay the banner section of the console menu. (Not sure why that's hidden, except perhaps to save space on the menu.) That, or hit 8 to drop to a shell and then exit (or ctrl-d) to go back to the menu.

Jim
Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!
On Wed, Dec 15, 2010 at 12:11 PM, Moshe Katz mo...@ymkatz.net wrote:
And the other side of the coin:
http://bsd.slashdot.org/story/10/12/15/1524202/BSD-Coder-Denies-Adding-FBI-Backdoor
Moshe

Here is more information on this situation.
http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html

pfSense will match DES's offer for anyone that can prove that this backdoor exists. Otherwise our official stance on the issue is that it's a bit preposterous at best.

Scott
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
[r...@host]/conf(16): ls -lsa
total 58
 1 drwxr-xr-x  4 root  wheel    512 Dec 14 06:01 .
 1 drwxr-xr-x  4 root  wheel    512 Dec  7  2009 ..
 1 drwxr-xr-x  2 root  wheel    512 Dec 14 06:01 backup
30 -rw-r--r--  1 root  wheel  30517 Dec 14 06:01 config.xml
 0 -rw-r--r--  1 root  wheel      0 Dec  7  2009 ez-ipupdate.cache
26 -rw-r--r--  1 root  wheel  26397 Dec 31  1999 rrd.tgz
 1 drwxr-xr-x  2 root  wheel    512 Feb 17  2010 sshd
[1.2.3-RELEASE][r...@host]/conf(17): mkdir blah
mkdir: blah: Read-only file system
[1.2.3-RELEASE][r...@host]/conf(18):

Any suggestions?

On 12/15/10 10:05 AM, Jim Pingle wrote:
On 12/15/2010 11:45 AM, Scott Benson wrote:
Hello everyone,
We have multiple deployments of pfsense running for clients and recently after one unexpected power failure the custom files we put in /var/etc disappeared. Then last night we rebooted another pfsense box and it did the same thing. The custom files are custom authentication for openvpn. Both of these firewalls are nano bsd.
I guess my question is, I know Pfsense keeps files in /var/etc/ but is it different for Pfsense Nanobsd?

On NanoBSD, /var is a RAM disk. You can only rely on /conf/ being there long term. What some people do is put their files there in /conf/ and setup a shellcmd to copy them into place at boot time.
Jim

-- Scott Benson
A1 Networks
(707)570-2021 x203
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
On Wed, Dec 15, 2010 at 11:14 AM, Scott Benson sben...@a-1networks.com wrote:
[r...@host]/conf(17): mkdir blah
mkdir: blah: Read-only file system
[1.2.3-RELEASE][r...@host]/conf(18):

/etc/rc.conf_mount_rw

db
RE: [pfSense Support] console menu closes when enter pressed
I noticed this recently too, and I could have sworn that hitting enter used to make a screen refresh, but when I log back into a couple of different 1.2 and 1.2.3 boxes which are still in operation, I see the same result. In other words, this isn't a new 2.0 behavior unless something changed with my SSH client of choice, PuTTY. I would like to see a screen refresh for hitting enter as well.

-----Original Message-----
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Wednesday, December 15, 2010 1:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] console menu closes when enter pressed

On 12/15/2010 12:27 PM, Moshe Katz wrote:
I noticed that if I just hit enter on the pfSense console without typing an option first, it exits the console. If I am on ssh, it closes the connection and if I am on the local terminal, where I have it set to prompt for a password, it asks the password again. Since option 0 can be used to do the same thing and there are times that I would like to refresh the console (to re-display the connection status at the top), I am wondering why it is set up to exit if no input is given? One of my development boxes gets a new IP address regularly and I like to refresh the console to see when the address has been successfully acquired. The way it is now, I have to log in again and again or go into another option, such as the shell, and then out of it again. I know where to modify this myself in /etc/rc.initial but before I do so, I am curious as to the reason it works this way.

I don't recall the specifics on why it was done that way, but you could use hidden menu option 15 to redisplay the banner section of the console menu. (Not sure why that's hidden, except perhaps to save space on the menu.) That, or hit 8 to drop to a shell and then exit (or ctrl-d) to go back to the menu.

Jim
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
On 12/15/10 10:05 AM, Jim Pingle wrote:
What some people do is put their files there in /conf/ and setup a shellcmd to copy them into place at boot time.

Where would you put this shellcmd to make it stay after reboots, if the only location for custom code on a NanoBSD is in /conf/?

Also, is /conf/ persistent after reboots on non-NanoBSD pfSense boxes? If it is, we'll just use /conf/ instead of /var/etc/.

-- Scott Benson
A1 Networks
(707)570-2021 x203
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
On 12/15/2010 1:50 PM, Scott Benson wrote:
On 12/15/10 10:05 AM, Jim Pingle wrote:
What some people do is put their files there in /conf/ and setup a shellcmd to copy them into place at boot time.

Where would you put this shellcmd to make it stay after reboots, if the only location for custom code on a nanobsd is in /conf/?
Also is /conf/ persistent after reboots on non nanobsd pfsense boxes? if it is we'll just use /conf/ instead of /var/etc/.

A shellcmd is a tag in config.xml; install the shellcmd package for an easy way to create them. It could be set to call a .sh script also held in /conf/.

As someone else mentioned, /etc/rc.conf_mount_rw is needed to make the fs read/write before making edits. And /etc/rc.conf_mount_ro can be used to switch back to read-only.

Jim
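One way to put Jim's /conf/ + shellcmd approach into a script, as an added example that is not pfSense's own code nor the shellcmd package's: a POSIX sh file kept in the persistent /conf/ tree and called from a shellcmd at boot, which copies the custom OpenVPN auth files into the RAM-backed /var/etc only when their SHA-256 matches a manifest recorded while the files were known-good, so an altered or corrupted auth script is reported instead of being installed. The /conf/custom directory and MANIFEST.sha256 file are assumptions; the persistent copies and manifest have to be written after /etc/rc.conf_mount_rw, as the thread notes.

```shell
#!/bin/sh
# Added example (not pfSense's own code): boot-time restore of custom files on
# NanoBSD, meant to live under persistent /conf/ and run from a <shellcmd> tag.
# Only files listed in a manifest with a matching SHA-256 are installed into the
# RAM-backed /var/etc, so a modified or corrupted OpenVPN auth script is
# reported rather than silently put into place. Paths below are assumptions.
PERSIST_DIR="${PERSIST_DIR:-/conf/custom}"            # survives reboot (assumed)
RUNTIME_DIR="${RUNTIME_DIR:-/var/etc}"                # RAM disk, empty each boot
MANIFEST="${MANIFEST:-$PERSIST_DIR/MANIFEST.sha256}"  # lines: "<sha256>  <file>"

# Portable SHA-256 of one file: FreeBSD has sha256(1), Linux has sha256sum(1).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# write_manifest SRC MANIFEST: record checksums of the known-good files in SRC.
# Run once, by hand, after /etc/rc.conf_mount_rw, when the files are trusted.
write_manifest() {
    src=$1; manifest=$2
    : > "$manifest"
    for f in "$src"/*; do
        [ -f "$f" ] && [ "$f" != "$manifest" ] || continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
    done
}

# restore_custom_files SRC DST MANIFEST: copy each manifest entry into DST.
# Returns 0 only if every entry verified and was installed; anything in SRC
# that is not in the manifest is ignored, and mismatches are never installed.
restore_custom_files() {
    src=$1; dst=$2; manifest=$3; rc=0
    [ -r "$manifest" ] || { echo "manifest $manifest unreadable" >&2; return 1; }
    mkdir -p "$dst" || return 1
    while read -r want name; do
        [ -n "$name" ] || continue                        # skip blank lines
        case $name in */*|..)                             # no path traversal
            echo "refusing entry '$name'" >&2; rc=1; continue;; esac
        f="$src/$name"
        if [ ! -f "$f" ]; then
            echo "missing $f" >&2; rc=1; continue
        fi
        if [ "$(sha256_of "$f")" != "$want" ]; then
            echo "checksum mismatch: $f not installed" >&2; rc=1; continue
        fi
        # auth scripts hold credential logic: keep them off limits to others
        cp "$f" "$dst/$name" && chmod 0750 "$dst/$name" || rc=1
    done < "$manifest"
    return $rc
}

# Invoked from the shellcmd at boot: restore into /var/etc if the persistent
# directory exists (skipped when this file is merely sourced for its functions).
if [ -d "$PERSIST_DIR" ]; then
    restore_custom_files "$PERSIST_DIR" "$RUNTIME_DIR" "$MANIFEST"
fi
```

The shellcmd entry then only needs to run this file, e.g. `sh /conf/custom/restore.sh` (name assumed), and the exit status tells you at boot whether every file was verified.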
[pfSense Support] Snapshot Build Logs
Is there a reason the i386 build log uses EST and the AMD64 log uses UTC? - Yehuda
Re: [pfSense Support] Snapshot Build Logs
On Wed, Dec 15, 2010 at 2:33 PM, Yehuda Katz yeh...@ymkatz.net wrote:
Is there a reason the i386 build log uses EST and the AMD64 log uses UTC?
- Yehuda

Is there a reason? No. I just fixed it, however. In this day and age a lot of us have gotten used to GMT and didn't even think twice about it.

Scott
Re: [pfSense Support] console menu closes when enter pressed
I added the following two lines at line 83 of /etc/rc.initial:

    ')
        ;;

Now, it should refresh if I press apostrophe, then enter. I chose that key because it is next to the enter key so I can press them both at once. I also changed ${opmode} on line 82 to have quotes around it (although I don't know if this is required to make it work or not).

What I don't like about the 15 option is that it displays the banner twice in a row and to me it just looks messy.

Moshe
-- Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732

On Wed, Dec 15, 2010 at 1:46 PM, Steven Sherwood stev...@coc.ca wrote:
I noticed this recently too, and I could have sworn that hitting enter used to make a screen refresh, but when I log back into a couple of different 1.2 and 1.2.3 boxes which are still in operation, I see the same result. In other words, this isn't a new 2.0 behavior unless something changed with my SSH client of choice, PuTTY. I would like to see a screen refresh for hitting enter as well.

-----Original Message-----
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Wednesday, December 15, 2010 1:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] console menu closes when enter pressed

On 12/15/2010 12:27 PM, Moshe Katz wrote:
I noticed that if I just hit enter on the pfSense console without typing an option first, it exits the console. If I am on ssh, it closes the connection and if I am on the local terminal, where I have it set to prompt for a password, it asks the password again. Since option 0 can be used to do the same thing and there are times that I would like to refresh the console (to re-display the connection status at the top), I am wondering why it is set up to exit if no input is given? One of my development boxes gets a new IP address regularly and I like to refresh the console to see when the address has been successfully acquired. The way it is now, I have to log in again and again or go into another option, such as the shell, and then out of it again. I know where to modify this myself in /etc/rc.initial but before I do so, I am curious as to the reason it works this way.

I don't recall the specifics on why it was done that way, but you could use hidden menu option 15 to redisplay the banner section of the console menu. (Not sure why that's hidden, except perhaps to save space on the menu.) That, or hit 8 to drop to a shell and then exit (or ctrl-d) to go back to the menu.
Jim
[pfSense Support] pfSense v1.2.3 - IPSec Mobile Client connected, but cannot reach/ping any server
I'm trying to get the VPN IPsec mobile client working. The connection to the remote network is established, but if I try to connect to remote machines, I can't.

The IPsec log:

Dec 16 16:29:14 racoon: ERROR: such policy does not already exist: 0.0.0.0/0[0] 192.168.143.5/32[0] proto=any dir=out
Dec 16 16:29:14 racoon: *[Unknown Gateway/Dynamic]*: ERROR: such policy does not already exist: 192.168.143.5/32[0] 0.0.0.0/0[0] proto=any dir=in
Dec 16 16:29:14 racoon: *[vpn_ac]*: INFO: IPsec-SA established: ESP 221.186.114.24[0]->122.130.80.207[0] spi=512828402(0x1e9123f2)
Dec 16 16:29:14 racoon: *[vpn_ac]*: INFO: IPsec-SA established: ESP 122.130.80.207[0]->221.186.114.24[0] spi=183373000(0xaee0cc8)
Dec 16 16:29:14 racoon: INFO: no policy found, try to generate the policy : 192.168.143.5/32[0] 0.0.0.0/0[0] proto=any dir=in
Dec 16 16:29:14 racoon: *[vpn_ac]*: INFO: respond new phase 2 negotiation: 221.186.114.24[0]<=>122.130.80.207[0]
Dec 16 16:29:08 racoon: *[vpn_ac]*: INFO: ISAKMP-SA established 221.186.114.24[500]-122.130.80.207[500] spi:a8537d0c8fbfc48c:27052a568c4aa4fc
Dec 16 16:29:08 racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 16 16:29:08 racoon: INFO: received Vendor ID: DPD
Dec 16 16:29:08 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 16 16:29:08 racoon: INFO: received Vendor ID: RFC 3947
Dec 16 16:29:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 16 16:29:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 16 16:29:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Dec 16 16:29:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Dec 16 16:29:08 racoon: INFO: begin Aggressive mode.
Dec 16 16:29:08 racoon: *[vpn_ac]*: INFO: respond new phase 1 negotiation: 221.186.114.24[500]<=>122.130.80.207[500]

A firewall rule is created at the IPsec tab: Proto:* Source:* Port:* Destination:* Port:* GW:*

I have also set up a non-mobile client IPsec. It works without any problems.

As mobile client, I use the Shrew Soft VPN connector and it is configured as explained here:
http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

The client firewall is temporarily turned off, so even this cannot be the problem.

Any hints?

Thanks
Maik