Re: [pfSense Support] 1:1 NAT Entry issue - Bug or mistake?
On Fri, Jan 21, 2011 at 4:11 AM, Dimitri Rodis <dimit...@integritasystems.com> wrote:

>> On Thu, Jan 20, 2011 at 9:28 PM, Dimitri Rodis <dimit...@integritasystems.com> wrote:
>>
>>> pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011
>>>
>>> When I try to use an alias in the Internal IP field (suppose the alias was ) I receive the following error upon saving (or trying to save):
>>>
>>> The following input errors were detected:
>>> is not a valid internal IP address
>>>
>>> I know in 2.0 you could not use aliases in the 1:1 fields, but in this version the boxes are RED, implying that aliases are allowed. I don't know if this is a bug or just a mistake (in formatting the fields RED) but in any event it looks like something needs to be fixed or changed. I did not try using an Alias in the External Subnet IP field, although it is RED also.
>>
>> That's correct, the fields shouldn't be red though, I just fixed that. Aliases aren't supported in binat in pf.
>
> Even if binat doesn't support them, they could theoretically be resolved via code prior to updating the rules

in 2.1 :)

You can put a feature request on redmine.pfsense.org so it does not get forgotten.

-- 
Ermal

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] pfSense routing
Hi,

I've got a 1.2.3 pfSense connected this way:

XP [LAN] pfSense [WAN] --- [WAN] Cisco router [LAN]

I can ping from XP to the LAN and WAN pfSense interfaces, but cannot ping the WAN Cisco router interface.
I can ping from pfSense WAN to the Cisco WAN interface.
Cannot ping from XP to the Cisco router WAN if pfSense LAN is not bridged with WAN.

Is that correct? The purpose is to configure pfSense as a router (disabling firewalling).

Thank you

-- 
meta
Re: [pfSense Support] pfSense routing
I may not be the best person to comment on this, but have you enabled a rule for your LAN interfaces to be able to talk with the WAN interface machines (the Cisco router)? Bridging would fix this because the two interfaces would essentially be bonded together and wouldn't need a rule to enable traffic between them. Perhaps someone else will comment with better suggestions, but that's what I would try to fix your problem. Also make sure that your rules are in the proper ordering, and that there's not a conflict there.

Hope this helps!

On Fri, Jan 21, 2011 at 3:58 AM, Danny <metal...@gmail.com> wrote:
> Hi,
>
> I've got a 1.2.3 pfSense connected this way:
>
> XP [LAN] pfSense [WAN] --- [WAN] Cisco router [LAN]
>
> I can ping from XP to the LAN and WAN pfSense interfaces, but cannot ping the WAN Cisco router interface.
> I can ping from pfSense WAN to the Cisco WAN interface.
> Cannot ping from XP to the Cisco router WAN if pfSense LAN is not bridged with WAN.
>
> Is that correct? The purpose is to configure pfSense as a router (disabling firewalling).
>
> Thank you
>
> -- 
> meta
Re: [pfSense Support] pfSense routing
I have disabled firewalling, so I suppose no rules or NAT are applying.

Under System \ Advanced I checked "Disable firewall":

  Disable all packet filtering.
  Note: This converts pfSense into a routing only platform!
  Note: This will turn off NAT!

In any case, on both interfaces there is an any/any permit.

Regards

On Fri, Jan 21, 2011 at 12:13 PM, Neonicacid <neonica...@gmail.com> wrote:
> I may not be the best person to comment on this, but have you enabled a rule for your LAN interfaces to be able to talk with the WAN interface machines (the Cisco router)? Bridging would fix this because the two interfaces would essentially be bonded together and wouldn't need a rule to enable traffic between them. Perhaps someone else will comment with better suggestions, but that's what I would try to fix your problem. Also make sure that your rules are in the proper ordering, and that there's not a conflict there.
>
> Hope this helps!
>
> On Fri, Jan 21, 2011 at 3:58 AM, Danny <metal...@gmail.com> wrote:
>> Hi,
>>
>> I've got a 1.2.3 pfSense connected this way:
>>
>> XP [LAN] pfSense [WAN] --- [WAN] Cisco router [LAN]
>>
>> I can ping from XP to the LAN and WAN pfSense interfaces, but cannot ping the WAN Cisco router interface.
>> I can ping from pfSense WAN to the Cisco WAN interface.
>> Cannot ping from XP to the Cisco router WAN if pfSense LAN is not bridged with WAN.
>>
>> Is that correct? The purpose is to configure pfSense as a router (disabling firewalling).
>>
>> Thank you
>>
>> -- 
>> meta

-- 
dpc
Re: [pfSense Support] pfSense routing
Have you configured the Cisco router with a static route to the XP's network?

Rgds,

On 2011-01-21, Danny <metal...@gmail.com> wrote:
> Hi,
>
> I've got a 1.2.3 pfSense connected this way:
>
> XP [LAN] pfSense [WAN] --- [WAN] Cisco router [LAN]
>
> I can ping from XP to the LAN and WAN pfSense interfaces, but cannot ping the WAN Cisco router interface.
> I can ping from pfSense WAN to the Cisco WAN interface.
> Cannot ping from XP to the Cisco router WAN if pfSense LAN is not bridged with WAN.
>
> Is that correct? The purpose is to configure pfSense as a router (disabling firewalling).
>
> Thank you
>
> -- 
> meta

-- 
Sent from my mobile device

-- 
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
Re: [pfSense Support] pfSense routing
Yes.

ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0

Surprisingly, it started working without apparently doing anything. I will recreate the situation again, because the environment is virtual pfSense, virtual XP, with VMware using GNS3... maybe that causes that weird behaviour.

Thanks a lot

Regards

On Fri, Jan 21, 2011 at 12:52 PM, Pandu Poluan <pa...@poluan.info> wrote:
> Have you configured the Cisco router with a static route to the XP's network?
>
> Rgds,
>
> On 2011-01-21, Danny <metal...@gmail.com> wrote:
>> Hi,
>>
>> I've got a 1.2.3 pfSense connected this way:
>>
>> XP [LAN] pfSense [WAN] --- [WAN] Cisco router [LAN]
>>
>> I can ping from XP to the LAN and WAN pfSense interfaces, but cannot ping the WAN Cisco router interface.
>> I can ping from pfSense WAN to the Cisco WAN interface.
>> Cannot ping from XP to the Cisco router WAN if pfSense LAN is not bridged with WAN.
>>
>> Is that correct? The purpose is to configure pfSense as a router (disabling firewalling).
>>
>> Thank you
>>
>> -- 
>> meta
>
> -- 
> Sent from my mobile device
>
> -- 
> Pandu E Poluan - IT Optimizer
> My website: http://pandu.poluan.info/

-- 
dpc
Re: [pfSense Support] pfSense routing
On 21-1-2011 13:19, Danny wrote:
> Yes.
>
> ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0

Err, no, there should be a route to the public netblock you are using on the LAN behind pfSense, pointing to the WAN of pfSense, which will be in the Cisco LAN subnet.

Also note that Ciscos have really long ARP timeouts of 15 minutes by default, which can cause long delays before it is being picked up. I bet you didn't reboot the Cisco yet.

Regards,

Seth
Re: [pfSense Support] pfSense routing
No. It's working with that default route; not necessary to route the specific LAN behind pfSense. And no, I did not reboot the router.

Thanks a lot

On Fri, Jan 21, 2011 at 1:23 PM, Seth Mos <seth@dds.nl> wrote:
> On 21-1-2011 13:19, Danny wrote:
>> Yes.
>>
>> ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0
>
> Err, no, there should be a route to the public netblock you are using on the LAN behind pfSense, pointing to the WAN of pfSense, which will be in the Cisco LAN subnet.
>
> Also note that Ciscos have really long ARP timeouts of 15 minutes by default, which can cause long delays before it is being picked up. I bet you didn't reboot the Cisco yet.
>
> Regards,
>
> Seth

-- 
dpc
Re: [pfSense Support] pfSense routing
Mmm... according to Cisco:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2.shtml

you shouldn't do an "ip route 0.0.0.0 0.0.0.0" to an interface. The page I linked above gives some explanations why. One key problem is that with 0x8 to an interface, *all* addresses are considered to be directly connected.

Rgds,

On 2011-01-21, Danny <metal...@gmail.com> wrote:
> Yes.
>
> ip route 0.0.0.0 0.0.0.0 FastEthernet 0/0
>
> Surprisingly, it started working without apparently doing anything. I will recreate the situation again, because the environment is virtual pfSense, virtual XP, with VMware using GNS3... maybe that causes that weird behaviour.
>
> Thanks a lot
>
> Regards
>
> On Fri, Jan 21, 2011 at 12:52 PM, Pandu Poluan <pa...@poluan.info> wrote:
>> Have you configured the Cisco router with a static route to the XP's network?
>>
>> Rgds,
>>
>> On 2011-01-21, Danny <metal...@gmail.com> wrote:
>>> Hi,
>>>
>>> I've got a 1.2.3 pfSense connected this way:
>>>
>>> XP [LAN] pfSense [WAN] --- [WAN] Cisco router [LAN]
>>>
>>> I can ping from XP to the LAN and WAN pfSense interfaces, but cannot ping the WAN Cisco router interface.
>>> I can ping from pfSense WAN to the Cisco WAN interface.
>>> Cannot ping from XP to the Cisco router WAN if pfSense LAN is not bridged with WAN.
>>>
>>> Is that correct? The purpose is to configure pfSense as a router (disabling firewalling).
>>>
>>> Thank you
>>>
>>> -- 
>>> meta
>>
>> -- 
>> Sent from my mobile device
>>
>> -- 
>> Pandu E Poluan - IT Optimizer
>> My website: http://pandu.poluan.info/
>
> -- 
> dpc

-- 
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
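The two replies above (Seth's "route the netblock behind pfSense to pfSense's WAN address" and Pandu's point that a default route to an interface makes the router treat every destination as directly connected) are easier to see in a small model of the Cisco's forwarding lookup. This is an added example, not code from the thread, from pfSense or from Cisco: it implements longest-prefix match over a static route table with Python's `ipaddress` module and reports whether the winning route supplies a next hop or only an exit interface (in which case the router has to ARP for the destination host itself). The addresses are constructed sample values (RFC 5737 ranges): 198.51.100.0/24 stands in for the Cisco LAN / pfSense WAN link, 192.0.2.0/24 for the LAN behind pfSense.

```python
"""Model of a router's return-route lookup for the XP host behind pfSense.

Added example (not from the list thread, pfSense or Cisco). The route
entries and addresses below are constructed sample data.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None = route points at an interface only
    interface: str


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forwarding_decision(table: List[Route], dst: str) -> str:
    """Describe what the router must do to deliver a packet to dst."""
    route = lookup(table, dst)
    if route is None:
        return "unreachable"
    if route.next_hop is None:
        # Interface-only route: dst is treated as directly connected, so the
        # router ARPs for dst itself on that interface. Delivery then depends on
        # something on the segment answering that ARP (and on the long Cisco ARP
        # cache lifetime Seth mentions when the answer changes).
        return f"arp-for {dst} on {route.interface}"
    return f"via {route.next_hop} on {route.interface}"


# Constructed topology: Cisco LAN / pfSense WAN link and the LAN behind pfSense.
WAN_LINK = ipaddress.IPv4Network("198.51.100.0/24")
PFSENSE_WAN = ipaddress.IPv4Address("198.51.100.2")
LAN_BEHIND_PFSENSE = ipaddress.IPv4Network("192.0.2.0/24")
XP_HOST = "192.0.2.50"

# The Cisco's connected route on Fa0/0 is present in both tables.
CONNECTED = Route(WAN_LINK, None, "FastEthernet0/0")

# Table 1: the configuration from the thread, "ip route 0.0.0.0 0.0.0.0 FastEthernet0/0".
DEFAULT_TO_INTERFACE = [
    CONNECTED,
    Route(ipaddress.IPv4Network("0.0.0.0/0"), None, "FastEthernet0/0"),
]

# Table 2: the recommended form, a route for the LAN behind pfSense with
# pfSense's WAN address as the next hop.
ROUTE_VIA_PFSENSE = [
    CONNECTED,
    Route(LAN_BEHIND_PFSENSE, PFSENSE_WAN, "FastEthernet0/0"),
]

if __name__ == "__main__":
    for name, table in (("default-to-interface", DEFAULT_TO_INTERFACE),
                        ("route-via-pfsense", ROUTE_VIA_PFSENSE)):
        print(f"{name}: reply to {XP_HOST} -> {forwarding_decision(table, XP_HOST)}")
```

With the interface-only default route, the reply to the XP host is resolved by ARPing for 192.0.2.50 on the Cisco's LAN segment, which is why the behaviour looks intermittent and depends on the ARP cache; with the specific route the reply is handed to pfSense's WAN address and pfSense routes it to its LAN.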
[pfSense Support] Alias Renaming Issue
pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011

I created a NAT rule with a linked firewall rule using a port alias that I called OWA_PORTS. After creating the rule I decided to rename the port alias to PORTS_WEBSERVER. When I did, the alias was renamed in the NAT rule properly, but it was not updated in the linked firewall rule, and now in the log I see:

php: : filter_generate_address: OWA_PORTS is not a valid source port.

Opening up the NAT rule and just hitting save again did cause the firewall rule to update (as a workaround)--but you first have to notice that your stuff doesn't work ;)

Anyone else see this?

Dimitri Rodis
http://www.integritasystems.com
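The failure mode in this report, a rule still naming an alias that no longer exists, only shows up once traffic breaks and the filter reload logs the `is not a valid source port` error. A cheap defensive check is to scan the saved configuration for rule fields that reference undefined alias names before reloading. The script below is an added example and is not pfSense code; it works on a simplified reconstruction of the pfSense config.xml layout (`<aliases>`, `<nat>`, `<filter>` with `<rule>` children), so the element names are an assumption, and the alias and rule contents are constructed sample data that mirror the report: the port alias has been renamed to PORTS_WEBSERVER, the NAT rule follows, but the linked filter rule still says OWA_PORTS.

```python
"""Report firewall/NAT rules that reference an alias name no longer defined.

Added example, not pfSense's own code. The XML below is a simplified
reconstruction of pfSense's config.xml with constructed sample values.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias><name>PORTS_WEBSERVER</name><type>port</type><address>80 443</address></alias>
    <alias><name>WEBSERVER</name><type>host</type><address>192.0.2.10</address></alias>
  </aliases>
  <nat>
    <rule>
      <descr>OWA</descr>
      <destination><network>wanip</network><port>PORTS_WEBSERVER</port></destination>
      <target>WEBSERVER</target>
      <local-port>PORTS_WEBSERVER</local-port>
    </rule>
  </nat>
  <filter>
    <rule>
      <descr>NAT OWA</descr>
      <source><any/></source>
      <destination><address>WEBSERVER</address><port>OWA_PORTS</port></destination>
    </rule>
    <rule>
      <descr>allow dns</descr>
      <source><network>lan</network></source>
      <destination><any/><port>53</port></destination>
    </rule>
  </filter>
</pfsense>
"""

# Alias names are identifiers; numbers, port ranges and IP literals never match this.
ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Interface/special keywords that may legitimately appear where an alias could.
KEYWORDS = {"any", "lan", "wan", "lanip", "wanip", "pppoe", "l2tp", "pptp", "openvpn"}
# Rule fields that can hold an alias name in this (assumed) layout.
REF_TAGS = ("address", "port", "target", "local-port")


def defined_aliases(root: ET.Element) -> set:
    """Names declared under <aliases>."""
    return {a.findtext("name") for a in root.iter("alias") if a.findtext("name")}


def find_dangling_alias_refs(config_xml: str) -> list:
    """Return (section, rule descr, field, name) for every undefined alias reference."""
    root = ET.fromstring(config_xml)
    names = defined_aliases(root)
    dangling = []
    for section in ("nat", "filter"):
        sec = root.find(section)
        if sec is None:
            continue
        for rule in sec.findall("rule"):
            descr = rule.findtext("descr", "")
            for el in rule.iter():
                if el.tag not in REF_TAGS or not el.text:
                    continue
                value = el.text.strip()
                if (ALIAS_NAME.match(value)
                        and value.lower() not in KEYWORDS
                        and value not in names):
                    dangling.append((section, descr, el.tag, value))
    return dangling


if __name__ == "__main__":
    for section, descr, field, name in find_dangling_alias_refs(SAMPLE_CONFIG):
        print(f"undefined alias {name!r} in {section} rule {descr!r} (<{field}>)")
```

Run against the sample, the only hit is the filter rule's `<port>OWA_PORTS</port>`, exactly the stale reference the log complained about; once that value is changed to PORTS_WEBSERVER the scan returns nothing. On a real system the same walk would be run over a backup of config.xml, with the tag list adjusted to the version's actual schema.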
Re: [pfSense Support] ShrewSoft
On 1/21/2011 9:25 PM, DuWayne Odom wrote:
> Better late than never... :-)
>
> That change fixed the problem. Thanks for your response! I was almost on the edge of giving up on pfSense.
>
> As a side note: Shrew Soft has been a huge life saver for me as an IT support person. It has allowed my co-workers who have 64-bit Windows to finally be able to connect to the Cisco VPN Concentrator at my work. Prior to finding out about Shrew Soft we had to tell all 64-bit users that they could not connect to our concentrators due to Cisco deciding they were not going to support 64-bit Windows on our concentrator.
>
> I have not had a chance to try out VPN connectivity between Shrew and pfSense's IPsec/VPN but hope to be able to play with it some in the future so I can connect securely to my home network.
>
> Thanks again for the solution... you rock!!!

Hi DuWayne,

No problem. Glad to hear the problem is now resolved.

We added the new policy generation mode feature to allow for more complete compatibility with VPN gateways such as Cisco. The Cisco VPN client only negotiates a single SA using a remote network ID of 0.0.0.0/0 and then selectively tunnels traffic based on the remote topology specifications provided by the VPN gateway during modecfg. The Shrew Soft client will try to mimic this behavior when it receives a CISCO vendor ID. It just so happens that the ipsec-tools racoon daemon provides the same vendor ID during phase 1 negotiations for compatibility reasons.

By specifying UNIQUE under the policy tab, the VPN client negotiates a unique SA for each destination network it needs to talk to. This is the way pfSense and other Linux/BSD based systems typically operate.

In any case, thanks for trying the Shrew Soft VPN client and following up with this list to report your results after changing the suggested setting.

-Matthew