[pfSense Support] Re: Trouble with openvpn client (SOLVED)

2011-02-03 Thread Mark P Hennessy
I received one e-mail of advice from the list, but I did a bit more digging on 
my own and found the resolution.

My OpenVPN server had been set up with road warriors in mind.  I had never set 
up a site-to-site VPN before.

I followed the instructions here:
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html

Particularly:
the part about adding a ccd entry specific to the CN of the key of the 
site-to-site client and putting the iroute in there so the packet would have a 
full return path to the network.

On Jan 27, 2011, at 11:45 AM, Mark P Hennessy wrote:

> Hello, I've set up an openvpn client on my pfSense 2.0 BETA5 2011-01-26 
> firewall device, but I see that it isn't creating a route to my remote 
> network.
>
> In the OpenVPN Status page the client instances section shows that the 
> connection is up, but in the list of routes, I don't see a route for my 
> remote network.
>
> I have confirmed independently on my own machine using TunnelBlick that I'm 
> able to pass traffic between the hosts that I'm using for testing purposes 
> through my remote network's OpenVPN server.
>
> Any advice?
> Thanks!


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
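
The fix described in the first message above pairs two OpenVPN directives: a `route` line in the server config sends the remote LAN into the tunnel at the kernel level, and an `iroute` line in the ccd file named after the client certificate's CN tells OpenVPN which connected client owns that subnet. The following check is an added example, not part of the original post or of pfSense; the subnets and the CN names `branch-office` and `roadwarrior1` are constructed placeholders.

```python
import ipaddress

# Constructed sample: server config and per-client ccd files (CN -> contents).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
"""
CCD = {
    "branch-office": "iroute 192.168.20.0 255.255.255.0\n",
    "roadwarrior1": "",
}

def directives(text, keyword):
    """Return the networks named by `keyword <net> [mask]` lines."""
    nets = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == keyword:
            # OpenVPN treats a missing netmask as a single host
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.add(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return nets

def check_site_to_site(server_conf, ccd):
    """Compare kernel routes in the server config with iroutes in the ccd files."""
    routes = directives(server_conf, "route")
    owners = {}  # network -> CN whose ccd file declares it with iroute
    for cn, text in ccd.items():
        for net in directives(text, "iroute"):
            owners[net] = cn
    return {
        "ccd_enabled": any(l.split()[:1] == ["client-config-dir"]
                           for l in server_conf.splitlines()),
        # route without iroute: the kernel sends traffic into the tunnel,
        # but OpenVPN does not know which client owns the subnet
        "route_without_iroute": sorted(str(n) for n in routes - set(owners)),
        # iroute without route: OpenVPN knows the owner, but the server's
        # kernel never forwards the subnet into the tunnel
        "iroute_without_route": sorted(str(n) for n in set(owners) - routes),
        "owners": {str(n): cn for n, cn in owners.items()},
    }

if __name__ == "__main__":
    print(check_site_to_site(SERVER_CONF, CCD))
```
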



Re: [pfSense Support] Can anyone build a 1.2.3 ISO?

2011-02-03 Thread Charles N Wyble

On 2/2/2011 10:20 PM, Pandu Poluan wrote:

> I agree with Jim.
>
> A firewall box should be exclusively a firewall, no matter how 'stout'
> it is.

H. Perhaps. I am currently running DHCP/NTP on my pfsense 
installation. I'll be adding BGP/OSPF routing soon as well. I could put 
these things on separate machines, but don't really see the point. Oh I 
also run squid and SNORT on the machine. I see all of these functions as 
networking services, and pfsense makes them all quite easy to deploy.  
pfsense also has so much clean integration between everything, that it 
just makes sense to use as a combined routing/firewall/security system.

Now I do export all the data via SNMP/barnyard/netflow off to other 
machines in my VM farm for monitoring/analytics purposes. I wouldn't do 
that on the firewall itself. As far as I can tell, pfsense really sucks 
at any sort of general purpose functionality. :) It excels as what it's 
built for.

> More components == more attack surface area. Not to mention the
> intricacies of interaction that might bollix the firewall's mechanisms
> in a non-repeatable way.
>
> Better to put all analysis packages in another box, which may be
> realized as a Linux box, which Mark is more comfortable with.

Yep.  Lots and lots of great software out there for analysis that runs 
in a LAMP environment.

> Or, you can also save on boxes by installing the analysis mechanisms
> as a VM, either through KVM or XenServer. Admittedly, the latter
> requires you to reformat a box, but IMO more stable because it does
> not have to rely on the stability of the Dom0 Linux.

I use OpenVZ (proxmox) to host my vm farm. Have two Dell servers hosting 
all my virtual machines. Really quite happy with that setup. Have a 
dedicated machine for pfsense.  Will add a secondary pfsense firewall at 
some point.

> Just my 2 cents.
>
> Rgds,






Re: [pfSense Support] Can anyone build a 1.2.3 ISO?

2011-02-03 Thread Eugen Leitl
On Thu, Feb 03, 2011 at 07:46:52AM -0800, Charles N Wyble wrote:

> > Or, you can also save on boxes by installing the analysis mechanisms
> > as a VM, either through KVM or XenServer. Admittedly, the latter
> > requires you to reformat a box, but IMO more stable because it does
> > not have to rely on the stability of the Dom0 Linux.
>
> I use OpenVZ (proxmox) to host my vm farm. Have two Dell servers hosting

I use Linux VServer.

> all my virtual machines. Really quite happy with that setup. Have a
> dedicated machine for pfsense.  Will add a secondary pfsense firewall at
> some point.

I already did -- though they're not running as a cluster yet.
(In fact, currently the guests still sit completely naked, with
world-routable addresses directly on the hot side of the switch 
interface).

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




[pfSense Support] pfSense - Squid user levels

2011-02-03 Thread Dominic
Hi,

I would like to separate the user levels on my proxy so that users are
unable to visit certain sites but managers are unrestricted,
ideally managed via AD though rather than IP based as staff move
between machines.

Does anyone have a setup like this working and if so could you advise
how you achieved this?

Thanks in advance.

Dom.
