Re: [pfSense Support] DNS forwarding log? Finding which machine is accessing what site.
Nice, thank you Chris

-Andy

On 03/01/2011 08:28 PM, Chris Buechler wrote:
> On Tue, Mar 1, 2011 at 7:26 AM, Andy Graybeal andy.grayb...@casanueva.com wrote:
>> Greetings,
>>
>> I'm wondering if there is a DNS forwarding log? I don't have a DNS server installed here at the site, I use OpenDNS for my name servers. I have a machine that is requesting a website that supposedly is related to malware according to OpenDNS. How would I figure out which machine this is on my network? I figure the best way would be with a DNS forwarding log, but there isn't one... and I don't know much about this stuff anyway and I'm eager to learn.
>
> If you can do some basic command line hacking, there is an option for dnsmasq to log all its queries with the -q option. Level of logging could get out of hand quickly, you'll probably have to log to a syslog server to be able to retain enough to find what you're looking for as the local logs on the system are circular and will overwrite themselves.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
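An added example, not part of the original thread: once dnsmasq is logging queries with `-q` and the lines are kept on a syslog server, this sketch finds which LAN clients asked for a flagged domain. It assumes syslog lines of the form `query[A] name from client-ip`; the host name, domain names and addresses in the sample are constructed.

```python
import re

# Constructed sample of dnsmasq syslog output with query logging (-q) enabled.
SAMPLE_LOG = """\
Mar  1 20:31:02 pfsense dnsmasq[4321]: query[A] www.example.org from 192.168.1.10
Mar  1 20:31:02 pfsense dnsmasq[4321]: forwarded www.example.org to 192.0.2.53
Mar  1 20:31:05 pfsense dnsmasq[4321]: query[A] cdn.flagged.example from 192.168.1.23
Mar  1 20:31:05 pfsense dnsmasq[4321]: forwarded cdn.flagged.example to 192.0.2.53
Mar  1 20:31:05 pfsense dnsmasq[4321]: reply cdn.flagged.example is 203.0.113.7
Mar  1 20:36:41 pfsense dnsmasq[4321]: query[AAAA] FLAGGED.example from 192.168.1.23
Mar  1 20:40:12 pfsense dnsmasq[4321]: query[A] notflagged.example from 192.168.1.31
Mar  1 21:02:00 pfsense dnsmasq[4321]: query[A] flagged.example. from 192.168.1.40
"""

# Only "query[...]" lines name the requesting client; forwarded/reply lines do not.
QUERY_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def clients_querying(log_text, domain):
    """Map client IP -> count, first/last seen and names queried, for
    lookups of `domain` or any of its subdomains."""
    target = domain.lower().rstrip(".")
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        name = m["name"].lower().rstrip(".")
        # Match on a label boundary so "notflagged.example" is not a hit.
        if name != target and not name.endswith("." + target):
            continue
        ts = " ".join(m["ts"].split())  # collapse syslog's padded day field
        h = hits.setdefault(
            m["client"], {"count": 0, "first": ts, "last": ts, "names": set()})
        h["count"] += 1
        h["last"] = ts
        h["names"].add(name)
    return hits

if __name__ == "__main__":
    for ip, h in sorted(clients_querying(SAMPLE_LOG, "flagged.example").items()):
        print(ip, h["count"], h["first"], h["last"], sorted(h["names"]))
```

The client address can then be matched against the DHCP leases to identify the machine.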
Re: [pfSense Support] Only allow DHCP assigned addresses access to network
On 03/01/2011 06:49 PM, Cole Devitt wrote:
> If a computer doesn't pick up a DHCP address I believe it gets an APIPA address, a 169.192 address if I recall right. With an APIPA address the computer wouldn't be able to do much of anything anyways as the subnet is different and there isn't a gateway to my knowledge, so a standard setup of a DHCP server and client machines sounds like what you want, no? If a computer isn't receiving a DHCP address from your pfsense then you have a configuration issue, or your scope is too small (not set to give out enough addresses), or there is a physical problem somewhere in your network.

Cole, forgive me if I'm misunderstanding, but I'm pretty sure I understand what you're saying. The client isn't asking for an IP address. They are manually (statically assigning) typing in an IP address into their computer and getting onto the network this way. I'm sorry I didn't explain that very well in my original email.

-Andy

> On Mar 1, 2011, at 5:40 PM, Andy Graybeal andy.grayb...@casanueva.com wrote:
>> Hi,
>>
>> I would like every machine on my network to get its address from PFSense's DHCP server. If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet) how do I disallow them access to network services? Does this make any sense to do this? Does this make sense to not do this?
>>
>> -Andy
Re: [pfSense Support] Only allow DHCP assigned addresses access to network
On 03/01/2011 08:47 PM, Daniel Davis wrote:
> Andy,
>
> 802.1x with MAC authentication bypass is probably what you are looking for. Nearly all managed switches these days have support for 802.1x. This way the device is authenticated at the switch-port, if it is not an allowed device the switch will deny the device access (or you could set the switch to give unknown users access to a guest VLAN). Once set up it is no harder to administer than maintaining your DHCP reservations list (Once you have it set up I would recommend removing DHCP reservations where they are not needed, this way you only need to maintain one list of MAC addresses).
>
> Regards,
> Daniel

Ah.. I don't have a managed switch. I have an HP 1400-24G (j9078a). Thank you for this information, it gives me something to consider. I've always wanted a managed switch.

Andy

> -Original Message-
> From: Andy Graybeal [mailto:andy.grayb...@casanueva.com]
> Sent: Wednesday, 2 March 2011 9:10 AM
> To: support@pfsense.com; t...@casanueva.com
> Subject: [pfSense Support] Only allow DHCP assigned addresses access to network
>
> Hi,
>
> I would like every machine on my network to get its address from PFSense's DHCP server. If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet) how do I disallow them access to network services? Does this make any sense to do this? Does this make sense to not do this?
>
> -Andy
Re: [pfSense Support] Only allow DHCP assigned addresses access to network
On Wed, Mar 02, 2011 at 08:22:12AM -0500, Andy Graybeal wrote:
> Ah.. I don't have a managed switch. I have an HP 1400-24G (j9078a). Thank you for this information, it gives me something to consider. I've always wanted a managed switch.

In case you're shopping for one, I'll repeat my recent recommendation: I just got a HP V1910-24G (formerly 3Com 3CRBSG2893), and while it's not fanless as HP 1810-24G it is a remarkably powerful switch for a mere ~200 EUR (sans VAT)

/me gusta

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[pfSense Support] 2.0 LDAP Auth
Maybe I am missing something, but is it possible to configure the parameters such that the query checks for group membership? I tried to set the container it searched for as a group cn that included a user, then that user attempted to log in but the query failed. So far I can only set the auth container to that of which holds the users for a successful login.

Thanks,
jlc
[pfSense Support] Issues with Captive Portal
We have established a connection via a remote site using a GRE tunnel. We can establish connectivity to the inside interface of the pfsense device. The redirect does not appear to be happening. The web page continues to time out. We have tried everything I could think of. Today we tried to connect via port 8000 with both the FQDN and the IP address. Neither worked. We have not tried to remove the CP pages we inserted to just see if we can get the standard CP page to come up. Also, if you use IE, you can see the DNS FQDN of the site in the lower bar of the web page.

I am stuck. I have searched the pfsense archives and have tried some things. Is there a troubleshooting guideline I can follow? Any suggestions would be helpful at this point.

Thanks
Dwane
[pfSense Support] Re: throughput tuning in 2.0
On Wed, Mar 2, 2011 at 2:44 AM, David Burgess apt@gmail.com wrote:
> the NIC is sending and receiving a total of about 530 mbit x2 during the test.

This gets worse I'm afraid. I recreated my setup, substituting a GS724T switch in for the GS108E, hoping the switch might be the bottleneck. Again, testing LANWAN iperf throughput was a flat 500 mbps, with about 10 mbps on the return during the push test.

I then moved one test machine from the WAN to OPT1 and repeated the test. This time throughput dropped to around 200 mbps, and pfsense became totally unresponsive in the UI. As soon as the test ended, the UI quickly responded to whatever I might have clicked on during the iperf test. Similarly in an ssh session on pfsense, I could type in the shell and see the characters I typed with no observable latency, but pressing enter returned the carriage and produced no further output until iperf was halted. Even if I started top running before starting the iperf test, top did not update itself until after iperf was killed.

Next I changed the mtu on pfsense and my test machines to 4078, the largest supported by pfsense. This time iperf throughput dropped to 96 mbps and pfsense was similarly unresponsive during the test.

These results are troubling. I will probably have to test 1.2.3 on this hardware and hope for better results. Perhaps the Yandex drivers will turn this around?

http://forum.pfsense.org/index.php/topic,33345.msg175595.html#msg175595

This is an Intel DG57JG board, FYI, with on-board 82578DC GBE using the em driver.

db
[pfSense Support] Clearing squid and squidguard logs
Dear all,

My pfsense box is taking too long to boot. I think it's due to large log files. How can I clear the log files???

--
Thanks
Regards
Shali K R
Server Administrator
Vidya Academy of Science Technology
Thrissur, Kerala.
Mob:9846303531