RE: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Nathan Eisenberg
> Does 2.x have BGP support ?
> We have 2 providers that we wish to connect to via BGP

It does, and it works great.  Multiple production deployments using it to 
advertise routes.  All outbound - not accepting any prefixes inbound, so can't 
speak to how well that works.  If Chris says it works well though, I believe 
him!

Nathan

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] hardware suggestions

2011-08-03 Thread Nick Upson
On 2 August 2011 17:09, Mehma Sarja  wrote:

> On 8/2/11 8:22 AM, Nick Upson wrote:
>
>> ok, I'm close to giving up with installing pfsense 1.2.3 or 2.0rc3 onto
>> the FX5624 harddrive,
>>
>> Does anyone have suggestions for similar hardware (6 LAN ports,
>> preferably rack mount) that is available in the UK
>>
>> --
>> Nick Upson (01799 533252)
>>
> We really need more info than provided. What is a FX5624? Is it a drive
> or a system? Who makes it? Googling it, "Fanless Celeron M CPU and 1GB DDR2
> RAM. 2x RTL8111C Chipset Gigabit LAN and 4x Realtek 8100C Chipset 10/100
> LAN"
>
> Now we know something. How are you booting it? Spinning drive, SSD, CF
> card? I ran into a problem installing onto a SSD drive, which turned out to
> be a minor issue. I don't understand when you say it "hangs at the spinner
> after boot prompt." So, a better description is warranted.


I'm installing onto a Seagate 320GB 2.5" hard drive, from a CD, both
connected via SATA. I boot from the CD and have attempted to install
directly (press I) and continue (press C) into the LiveCD boot, do a minimal
configuration (1 LAN & 1 WAN) and install from there (option 99). I'm using
the non-embedded version, both 1.2.3 and 2.0rc3.

I have 2 possible outcomes when I boot from disk, depending upon the options
used to install:

- A menu is visible on the screen which after a few seconds attempts to
boot; this is what I finish up with on the screen:
F1  pfSense
Boot:  F1
\ <- non-moving spinner

- The other outcome is that I get an error message like this:
default 0:ad(0,a)/boot/kernel/kernel
no /boot/loader
boot:




-- 
Nick Upson (01799 533252)


RE: [pfSense Support] Re: open vpn

2011-08-03 Thread Jochem de Waal
Hi Mohan,

Could you please tell us a little more about your OpenVPN configuration?
Normally you would not be using NAT on your VPN, only on site-to-site
with matching subnets.

Address pool:

Local network:

Remote network:

Authentication Method:

Normally firewall rules are automatically created for OpenVPN
connections, except the rule on the WAN interface for opening up UDP 1194.

Cheers,

Jochem

 



From: A Mohan Rao [mailto:mohanra...@gmail.com] 
Sent: Wednesday, 3 August 2011 7:50
To: support@pfsense.com
Subject: [pfSense Support] Re: open vpn

 


I need to access my remote server from my home.
I need to NAT with a port forward; I have already created a rule and forwarded
172.16.1.145 to the static IP, port 3389.

Can anybody give tips?

On Wed, Jul 20, 2011 at 10:56 AM, A Mohan Rao 
wrote:

Dear all pfsense experts,

I tried OpenVPN on pfSense 2.0. It is successfully configured, but when
users try to connect from the client end they get connected but cannot access our
LAN network. I had to create a rule for that, but still it is not working; I
have tried googling.

Kindly give any tips or help.

Thanks

Mohan Rao 

 



[pfSense Support] openVPN frustration

2011-08-03 Thread Alberto Villegas Erce

Hi pfSense lovers,

I am quite new in the pfSense world, but these past two weeks I have been 
working hard with it. We plan to change our current firewall and we 
are doing some tests with pfSense on a machine working in our internal 
network. I have managed to configure almost everything I needed: 
Internet connection, DHCP, VLANs, Captive Portal and so on; but OpenVPN 
configuration is driving me crazy.


I am trying to configure a Remote Access (road warrior) connection with 
pfSense working as OpenVPN server. I have followed several tutorials, 
the book one and this one I found in the forums [1] among others, and I 
always get the same error when I try to connect to the server.


This is the configuration right now.

WAN --> Firewall (not pfSense) --> Firewall (pfSense 2.0-RC3) --> LAN 
(where I am right now)


I am trying to connect from a remote machine, using vncviewer, with 
Debian GNU/Linux 5.0 (certificates, user and configuration following 
[1]), with the following config file (exported with "OpenVPN Client 
Export Utility"):


"""
dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 192.168.1.35 1194
auth-user-pass
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo
"""

and the error is:

"""
$ openvpn pfsense-udp-1194.ovpn
Wed Aug  3 11:57:18 2011 OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] 
[EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011

Enter Auth Username:vpnuser
Enter Auth Password:
Wed Aug  3 11:57:21 2011 IMPORTANT: OpenVPN's default port number is now 
1194, based on an official port number assignment by IANA.  OpenVPN 
2.0-beta16 and earlier used 5000 as the default port.
Wed Aug  3 11:57:21 2011 WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for 
more info.
Wed Aug  3 11:57:21 2011 NOTE: OpenVPN 2.1 requires '--script-security 
2' or higher to call user-defined scripts or executables
Wed Aug  3 11:57:21 2011 WARNING: file 'pfsense-udp-1194.p12' is group 
or others accessible
Wed Aug  3 11:57:21 2011 /usr/bin/openssl-vulnkey -q -b 2048 -m omitted>
Wed Aug  3 11:57:21 2011 WARNING: file 'pfsense-udp-1194-tls.key' is 
group or others accessible
Wed Aug  3 11:57:21 2011 Control Channel Authentication: using 
'pfsense-udp-1194-tls.key' as a OpenVPN static key file

Wed Aug  3 11:57:21 2011 LZO compression initialized
Wed Aug  3 11:57:21 2011 UDPv4 link local (bound): [undef]:1194
Wed Aug  3 11:57:21 2011 UDPv4 link remote: 212.XXX.4.XXX:1194 ##This is 
our public IP
Wed Aug  3 11:58:21 2011 TLS Error: TLS key negotiation failed to occur 
within 60 seconds (check your network connectivity)

Wed Aug  3 11:58:21 2011 TLS Error: TLS handshake failed
Wed Aug  3 11:58:21 2011 SIGUSR1[soft,tls-error] received, process 
restarting

"""

In the states table I can see:

udp 192.168.1.35:1194 <- 194.YYY.252.YYY:1194 NO_TRAFFIC:SINGLE

Some extra details:

- pfSense LAN is 172.16.0.1/24
- pfSense WAN is 192.168.1.35

- The first firewall is redirecting port 1194 for TCP/UDP to pfSense 
192.168.1.35:1194


- The local network to connect to is 172.16.0.1/24
- The tunnel network is 172.16.1.1/24
- Firewall:Rules:WAN -> UDP * * * 1194(openVPN) * none
- Firewall:Rules:LAN -> * * * * * * none
- Firewall:Rules:openVPN -> * * * * * * none
- No extra NAT rules added.

After 2 days dealing with this, I still have no clue about what to do. 
Any suggestion?

I tried to give all relevant info, I hope it's fine.
Thank you all for reading and excuse my poor English.

Regards

[1] http://forum.pfsense.org/index.php/topic,39481.0.html

--
Alberto Villegas Erce


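As an added triage aid (not code from the post, nor from pfSense or OpenVPN), the Python below lints the exported client config for the missing server-certificate check that the log above warns about, and reads the pf state line assuming pfctl's host and state ordering; the function names and finding texts are my own.

```python
import ipaddress
import re
# Constructed from the client config and state-table line in the post above
# (spaces restored in the state line, YYY octets left masked as posted);
# function names and finding texts are mine, not pfSense's or OpenVPN's.
CLIENT_CONFIG = """\
dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 192.168.1.35 1194
auth-user-pass
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo
"""
STATE_LINE = "udp 192.168.1.35:1194 <- 194.YYY.252.YYY:1194 NO_TRAFFIC:SINGLE"

# Any of these makes an OpenVPN 2.1 client verify the peer holds a server cert;
# without one it logs the "No server certificate verification" warning above.
SERVER_VERIFY = {"remote-cert-tls", "ns-cert-type", "tls-remote", "tls-verify"}
STATE_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<left>\S+:\d+)\s+(?P<arrow><-|->)"
                      r"\s+(?P<right>\S+:\d+)\s+(?P<lstate>\w+):(?P<rstate>\w+)$")

def parse_config(text):
    """Map each directive to its argument list, skipping comments and blanks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def lint_client_config(text):
    """Findings a reviewer would raise on an exported road-warrior config."""
    opts = parse_config(text)
    findings = []
    if SERVER_VERIFY.isdisjoint(opts):
        findings.append("no server verification: add 'remote-cert-tls server' so "
                        "a client-role certificate cannot impersonate the server")
    remote = opts.get("remote", [])
    try:  # a hostname instead of a literal address is simply not checked here
        if remote and ipaddress.ip_address(remote[0]).is_private:
            findings.append(f"remote {remote[0]} is RFC 1918: a client on the "
                            "Internet must target the public address the outer "
                            "firewall forwards to pfSense")
    except ValueError:
        pass
    return findings

def explain_udp_state(line):
    """Read a pf UDP state as pfctl prints it: the left host is the local one
    ('<-' inbound, '->' outbound) and the states follow the same order."""
    m = STATE_RE.match(line)
    if not m or m["proto"] != "udp":
        return None
    if m["arrow"] == "<-" and m["lstate"] == "NO_TRAFFIC":
        return ("accepted-no-reply", f"{m['right']} passed the WAN rule and got a "
                f"state, but {m['left']} never answered: check the server listens on "
                "that address and port and that its tls-auth key matches the "
                "client's (an HMAC mismatch is dropped silently), then read its log")
    if m["arrow"] == "->" and m["rstate"] == "NO_TRAFFIC":
        return ("outbound-unanswered", "the local side sent and nothing came back")
    return ("two-way", "both ends have sent; look past the firewall at TLS/tls-auth")
```

Run against the posted config and state line it reports the missing server verification, the private `remote`, and a state that pfSense accepted but never answered.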



RE: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Adam Thompson
I've been accepting ~13k routes inbound, advertising nothing.  So that part 
works, too.
Now you just need confirmation from someone who does both!
-Adam Thompson


Nathan Eisenberg  wrote:

>> Does 2.x have BGP support ?
>> We have 2 providers that we wish to connect to via BGP
>
>It does, and it works great.  Multiple production deployments using it to 
>advertise routes.  All outbound - not accepting any prefixes inbound, so can't 
>speak to how well that works.  If Chris says it works well though, I believe 
>him!
>
>Nathan
>


[pfSense Support] pfSense 2.0 IPSec-VPN with Certs

2011-08-03 Thread Fuchs, Martin
Hi !

Does anyone have mutual-RSA IPsec VPN working with 2.0?
All settings I tried do not work; I always get errors:

racoon: ERROR: failed to get subjectAltName
racoon: ERROR:
racoon: ERROR: no peer's CERT payload found.

These errors go away as soon as I use PSKs, so I think it must have something 
to do with the generated certs...

Any ideas ?

Regards,

Martin


Re: [pfSense Support] pf in bridge mode

2011-08-03 Thread Arquivos
Hi then.

I had figured out that configuration, but what I really don't know is which IPs
to put on each interface: LAN, WAN and OPT1 (the bridge interface). I
followed some howtos and discussion list threads, but in every case I lost
connectivity with my box. In my scenario, which IPs do you suggest for each
interface?

Regards,

Danilo Ventura

- Original Message -
From: support@pfsense.com
To: support@pfsense.com
Subject: Re: [pfSense Support] pf in bridge mode
Date: 02/08/11 18:28

> Not sure if this will help your issue, but here's how I set up a
> bridge between 3 of my 4 interfaces. In your control panel, go to Interfaces
> (assign). Then there should be a Bridges tab, click that and add a new
> bridge interface. Select both your WAN and LAN interfaces to bridge them,
> and maybe take a look at the advanced bridging options if you need any of
> those..
>
> On Tue, Aug 2, 2011 at 2:05 PM, Arquivos wrote:
>
>> Hello all.
>>
>> I have the following scenario:
>>
>> LAN 10.1.1.x  --- router 10.1.1.1 (providing load balance) --- WAN 1 and
>> WAN2
>>
>> and want to insert the pfSense box between the LAN and the router to do
>> firewall and traffic shaper. I tried to use it in NAT mode, but in this case
>> the router directed all the traffic to WAN 1.
>> Now I'm struggling to put it in Bridge mode, but I really don't
>> know how to do it.
>> My pf box has 2 NICs, LAN and WAN only, and I don't want to
>> change it. The router supports up to 4 WANs and we want to keep it working.
>>
>> Can someone help me with that?
>>
>> pfSense 2.0-RC3.
>>
>> Danilo Ventura






RE: [pfSense Support] hardware suggestions

2011-08-03 Thread Ryan Rodrigue

> I'm installing onto a Seagate 320GB 2.5" hard drive, from a CD, both
> connected via SATA. I boot from the CD and have attempted to install
> directly (press I) and continue (press C) into the LiveCD boot, do a minimal
> configuration (1 LAN & 1 WAN) and install from there (option 99). I'm using
> the non-embedded version, both 1.2.3 and 2.0rc3.
>
> I have 2 possible outcomes when I boot from disk, depending upon the options
> used to install:
>
> - A menu is visible on the screen which after a few seconds attempts to
> boot; this is what I finish up with on the screen:
> F1  pfSense
> Boot:  F1
> \ <- non-moving spinner
>
> - The other outcome is that I get an error message like this:
> default 0:ad(0,a)/boot/kernel/kernel
> no /boot/loader
> boot:

I would change the setting in the BIOS for the hard drive to ATA or legacy
mode if it has such a setting.

It appears as though it doesn't like the hard drive for some reason.

I have had that problem with some compact flash modules and 1 SATA drive
that I fixed by setting my BIOS to what it called legacy mode. (Basically it
presented the SATA drive as IDE, I think.)

> -- 
> Nick Upson (01799 533252)



[pfSense Support] fx5624 pfsense install - FIXED

2011-08-03 Thread Nick Upson
Hi everyone,

I have finally got 1.2.3 installed onto this box; things that seemed to help
fix it (I cannot go back and exhaustively test, this needs to go into
production asap):

- disable packet mode during the install

- format the new hard disk on a windows machine first

- that got me to a mountroot> prompt which I hadn't seen before, I then used
information from http://forum.pfsense.org/index.php?topic=22824.0;wap2
which allowed me to enter "ufs:ad1s1a" (Note slight change) and
"Once it is running edit (either through the UI or through the shell)
/boot/loader.conf and add the line:
   vfs.root.mountfrom="ufs:ad1s1a""



-- 
Nick Upson (01799 533252)


[pfSense Support] php: : Could not open /usr/local/etc/snort/suppress/ for writing.

2011-08-03 Thread Ernst den Broeder
I am seeing this message in the system logs:
php: : Could not open /usr/local/etc/snort/suppress/ for writing.

Here's the version info:
pfsense 2.0-RC3 (i386)   (hard disk installation)
snort 2.8.6.1 pkg v. 1.34

Looking at the permissions of the directory:
drwxrwx---  2 snort  snort  512 Aug  3 11:40 suppress

If I change permissions of this directory to 777, it reverts to 770 when I
click save after editing a suppression config file.

Is this a known issue?

regards,
Ernst


[pfSense Support] Re: php: : Could not open /usr/local/etc/snort/suppress/ for writing.

2011-08-03 Thread Ernst den Broeder
More snips from the system log:
Aug 3 12:54:26 snort[48939]: FATAL ERROR: Unable to open rules file
"/usr/local/etc/snort/snort_5152_fxp0//usr/local/etc/snort/suppress/LANsuppressList":
No such file or directory.
Aug 3 12:54:26 SnortStartup[49209]: Snort HARD Reload For 5152_fxp0...
Aug 3 12:54:26 php: : Could not open /usr/local/etc/snort/suppress/ for writing.
Aug 3 12:54:26 check_reload_status: Syncing firewall
Aug 3 12:55:19 sshd[30260]: Accepted keyboard-interactive/pam for root
from 161.44.192.58 port 5 ssh2
Aug 3 12:56:15 check_reload_status: Syncing firewall
Aug 3 12:56:16 php: /snort/snort_interfaces_suppress_edit.php: Could
not open /usr/local/etc/snort/suppress/ for writing.
Aug 3 12:56:16 check_reload_status: Syncing firewall
Aug 3 12:56:22 check_reload_status: Syncing firewall
Aug 3 12:56:22 php: /snort/snort_interfaces_suppress_edit.php: Could
not open /usr/local/etc/snort/suppress/ for writing.
Aug 3 12:56:23 check_reload_status: Syncing firewall
Aug 3 12:56:35 check_reload_status: Syncing firewall
Aug 3 12:56:35 php: /snort/snort_interfaces_suppress_edit.php: Could
not open /usr/local/etc/snort/suppress/ for writing.
Aug 3 12:56:36 check_reload_status: Syncing firewall
Aug 3 12:59:37 check_reload_status: Syncing firewall
Aug 3 12:59:37 php: /snort/snort_interfaces_suppress_edit.php: Could
not open /usr/local/etc/snort/suppress/ for writing.

On Wed, Aug 3, 2011 at 1:11 PM, Ernst den Broeder  wrote:
>
> I am seeing this message in the system logs:
> php: : Could not open /usr/local/etc/snort/suppress/ for writing.
>
> Here's the version info:
> pfsense 2.0-RC3 (i386)   (hard disk installation)
> snort 2.8.6.1 pkg v. 1.34
>
> Looking at the permissions of the directory:
> drwxrwx---  2 snort  snort  512 Aug  3 11:40 suppress
>
> If I change permissions of this directory to 777, it reverts to 770 when I 
> click save after editing a suppression config file.
>
> Is this a known issue?
>
> regards,
> Ernst



Re: [pfSense Support] hardware suggestions

2011-08-03 Thread Mehma Sarja

On 8/3/11 1:29 AM, Nick Upson wrote:

> On 2 August 2011 17:09, Mehma Sarja wrote:
>
>> On 8/2/11 8:22 AM, Nick Upson wrote:
>>
>>> ok, I'm close to giving up with installing pfsense 1.2.3 or
>>> 2.0rc3 onto the FX5624 harddrive,
>>>
>>> Does anyone have suggestions for similar hardware (6 LAN
>>> ports, preferably rack mount) that is available in the UK
>>>
>>> -- 
>>> Nick Upson (01799 533252)
>>
>> We really need more info than provided. What is a FX5624? Is it a
>> drive or a system? Who makes it? Googling it, "Fanless Celeron M
>> CPU and 1GB DDR2 RAM. 2x RTL8111C Chipset Gigabit LAN and 4x
>> Realtek 8100C Chipset 10/100 LAN"
>>
>> Now we know something. How are you booting it? Spinning drive,
>> SSD, CF card? I ran into a problem installing onto a SSD drive,
>> which turned out to be a minor issue. I don't understand when you
>> say it "hangs at the spinner after boot prompt." So, a better
>> description is warranted.
>
> I'm installing onto a Seagate 320GB 2.5" hard drive, from a CD, both 
> connected via SATA. I boot from the CD and have attempted to install 
> directly (press I) and continue (press C) into the LiveCD boot, do a 
> minimal configuration (1 LAN & 1 WAN) and install from there (option 
> 99). I'm using the non-embedded version, both 1.2.3 and 2.0rc3.
>
> I have 2 possible outcomes when I boot from disk, depending upon the 
> options used to install:
>
> - A menu is visible on the screen which after a few seconds attempts 
> to boot; this is what I finish up with on the screen:
>
> F1  pfSense
> Boot:  F1
> \ <- non-moving spinner
>
> - The other outcome is that I get an error message like this:
> default 0:ad(0,a)/boot/kernel/kernel
> no /boot/loader
> boot:

Nick,

Dug up the old message where my install got stuck - below. That's not 
your issue. Have you tried the usual things like booting from an external 
CD, switching disk drives, booting from a live Linux CD - anything to isolate 
the problem?

Mehma
===

On Thu, Mar 10, 2011 at 12:14 AM, Mehma Sarja wrote:

> The - Motherboard is "Super X7SPA-HF" I switched the TORQX SSD with a
> regular drive - they both get stuck at the same point, see screenshot. "Root
> mount" fails is a "panic" Here is a link to what I think is the cause:
> http://forums.freebsd.org/showthread.php?t=17331

Based on your screenshot, that has no relevance. The screenshot shows
you're booting from CD, likely a USB CD drive, which is slow
initializing and you need to pick the "boot from USB" option at the
first boot menu.




Re: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Chris Buechler
On Wed, Aug 3, 2011 at 7:43 AM, Adam Thompson  wrote:
> I've been accepting ~13k routes inbound, advertising nothing.  So that part 
> works, too.
> Now you just need confirmation from someone who does both!

I set up one that does both last week; it gets the full Internet routing
table, ~360K routes each, from two providers, and advertises their AS.




Re: [pfSense Support] php: : Could not open /usr/local/etc/snort/suppress/ for writing.

2011-08-03 Thread Chris Buechler
On Wed, Aug 3, 2011 at 1:11 PM, Ernst den Broeder  wrote:
> I am seeing this message in the system logs:
> php: : Could not open /usr/local/etc/snort/suppress/ for writing.
>
> Here's the version info:
> pfsense 2.0-RC3 (i386)   (hard disk installation)
> snort 2.8.6.1 pkg v. 1.34
>

That's an old version of the package, a huge number of fixes went in
this week. Uninstall and reinstall the package and that shouldn't be
an issue.




RE: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Nathan Eisenberg
> I set up one that does both last week; it gets the full Internet routing table, ~360K
> routes each, from two providers, and advertises their AS.

What about IPv6? ;)




Re: [pfSense Support] php: : Could not open /usr/local/etc/snort/suppress/ for writing.

2011-08-03 Thread Ernst den Broeder

On 2011-08-03, at 5:23 PM, Chris Buechler wrote:

> On Wed, Aug 3, 2011 at 1:11 PM, Ernst den Broeder  wrote:
>> I am seeing this message in the system logs:
>> php: : Could not open /usr/local/etc/snort/suppress/ for writing.
>> 
>> Here's the version info:
>> pfsense 2.0-RC3 (i386)   (hard disk installation)
>> snort 2.8.6.1 pkg v. 1.34
>> 
> 
> That's an old version of the package, a huge number of fixes went in
> this week. Uninstall and reinstall the package and that shouldn't be
> an issue.

Looks like I just traded one bug for another.  :)  I now get snort 2.8.6.1 pkg 
v 2.0

Now I get this in the log file:
snort[57729]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid 
configuration line: ^EãB

Here's the file that was created:
[2.0-RC3][r...@commented.out.my.domain]/usr/local/etc/snort/suppress(11): more 
mySuppressList 
# This file is auto generated by the snort package. Please do not edit this 
file by hand.

suppress gen_id 119, sig_id 14

regards,
Ernst




Re: [pfSense Support] php: : Could not open /usr/local/etc/snort/suppress/ for writing.

2011-08-03 Thread Ernst den Broeder

On 2011-08-03, at 7:52 PM, Ernst den Broeder wrote:

> 
> On 2011-08-03, at 5:23 PM, Chris Buechler wrote:
> 
>> On Wed, Aug 3, 2011 at 1:11 PM, Ernst den Broeder  wrote:
>>> I am seeing this message in the system logs:
>>> php: : Could not open /usr/local/etc/snort/suppress/ for writing.
>>> 
>>> Here's the version info:
>>> pfsense 2.0-RC3 (i386)   (hard disk installation)
>>> snort 2.8.6.1 pkg v. 1.34
>>> 
>> 
>> That's an old version of the package, a huge number of fixes went in
>> this week. Uninstall and reinstall the package and that shouldn't be
>> an issue.
> 
> Looks like I just traded one bug for another.  :)  I now get snort 2.8.6.1 
> pkg v 2.0
> 
> Now I get this in the log file:
> snort[57729]: FATAL ERROR: /usr/local/etc/snort/suppress/(1) Invalid 
> configuration line: ^EãB
> 
> Here's the file that was created:
> [2.0-RC3][r...@commented.out.my.domain]/usr/local/etc/snort/suppress(11): 
> more mySuppressList 
> # This file is auto generated by the snort package. Please do not edit this 
> file by hand.
> 
> suppress gen_id 119, sig_id 14
> 
> regards,
> Ernst
> 
Well, that was weird.  I re-installed the package again and now it is 
working...(thanks for the suggestion Chris)

Re: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Chris Buechler
On Wed, Aug 3, 2011 at 6:19 PM, Nathan Eisenberg
 wrote:
>> I set up one that does both last week; it gets the full Internet routing table, ~360K
>> routes each, from two providers, and advertises their AS.
>
> What about IPv6? ;)
>

Should work on the 2.1 branch with manual bgpd.conf configuration,
haven't tried it though.
