[pfSense Support] Re: Squid VideoCache

2011-09-02 Thread Glenn Kelley
I am really wondering if there is a free alternative - and if so what it is - 
does it work with 2.x for pfSense?

On Sep 2, 2011, at 6:36 PM, Glenn Kelley wrote:

> I am now running a 2.0 Snapshot (latest) and loving what the team has done 
> with 2.0.x 
> Amazing! 
> 
> My question today rests around the Squid VideoCache instructions located 
> here: 
> http://doc.pfsense.org/index.php/Setup_VideoCache_with_Squid#Install_VideoCache
>  
> 
> At present many of the instruction sets on the system appear to be for the 
> 1.2.x release - 
> Are these instructions still good to follow for the 2.0.x release? 
> 
> (appear they may work - but figured it would be best to ask) 
> 
> Thank you
> 
> Glenn
> 



[pfSense Support] Squid VideoCache

2011-09-02 Thread Glenn Kelley
I am now running a 2.0 Snapshot (latest) and loving what the team has done with 
2.0.x 
Amazing! 

My question today rests around the Squid VideoCache instructions located here: 
http://doc.pfsense.org/index.php/Setup_VideoCache_with_Squid#Install_VideoCache 

At present many of the instruction sets on the system appear to be for the 
1.2.x release - 
Are these instructions still good to follow for the 2.0.x release? 

(appear they may work - but figured it would be best to ask) 

Thank you

Glenn



Re: [pfSense Support] how to block the bit torrent

2011-09-02 Thread Glenn Kelley
Thanks Chris - figured with the many changes from 1.2.x to 2 it still might be 
worth it.
But I hear ya there :-)


On Sep 2, 2011, at 4:18 PM, Jorge Fábregas wrote:

> On 09/02/2011 12:36 PM, Chris Buechler wrote:
>> Not official, and poorly done. Wouldn't recommend it, our 1.2.x book
>> is more helpful with 2.0.
> 
> Hi Chris,
> 
> I own the 1.2.x book and found it very useful.  Are there any remote
> plans for a 2.0 book once 2.0 (final) is out?
> 
> Regards,
> Jorge
> 


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] how to block the bit torrent

2011-09-02 Thread Jorge Fábregas
On 09/02/2011 12:36 PM, Chris Buechler wrote:
> Not official, and poorly done. Wouldn't recommend it, our 1.2.x book
> is more helpful with 2.0.

Hi Chris,

I own the 1.2.x book and found it very useful.  Are there any remote
plans for a 2.0 book once 2.0 (final) is out?

Regards,
Jorge




RE: [pfSense Support] how to block the bit torrent

2011-09-02 Thread Ryan Rodrigue

On Fri, Sep 2, 2011 at 12:23 PM, Glenn Kelley  wrote:
> There is a PFSense 2 book available for the Kindle or paperback - in 
> Amazon Store - just search for PFSENSE


I recommended the 1.2 book because he said he was running 1.2






Re: [pfSense Support] PPTP "not working" after update on Tuesday

2011-09-02 Thread Vick Khera
On Thu, Sep 1, 2011 at 1:34 PM, Chris Buechler  wrote:
> That's from a kernel patch that was in one day's snapshots, it's since
> been reverted. Downgrade to something from the 29th, or early on the
> 30th, or upgrade to the one that'll come out in the next few hours.

Just confirming for the posterity of the list that a September 1
snapshot solved this problem for me.




Re: [pfSense Support] how to block the bit torrent

2011-09-02 Thread Chris Buechler
On Fri, Sep 2, 2011 at 12:23 PM, Glenn Kelley  wrote:
> There is a PFSense 2 book available for the Kindle or paperback -
> in Amazon Store - just search for PFSENSE
>

Not official, and poorly done. Wouldn't recommend it, our 1.2.x book
is more helpful with 2.0.




Re: [pfSense Support] how to block the bit torrent

2011-09-02 Thread Glenn Kelley
There is a PFSense 2 book available for the Kindle or paperback - 
in Amazon Store - just search for PFSENSE 


On Sep 2, 2011, at 12:13 PM, greg whynott wrote:

> As I'm sure you know, that book is based on the 1.x version. If you are 
> using 2.x or about to, it may cause some confusion as things have been 
> moved/changed...
> 
> perhaps they have an errata update you can download or will...
> 
> -g
> 
> 
> 
> 
> On Thu, Sep 1, 2011 at 11:37 AM, Ryan Rodrigue  
> wrote:
> Get it, Read It.  It will help a lot I think.
> 
>  
> 
> http://www.amazon.com/pfSense-Definitive-Christopher-M-Buechler/dp/0979034280
> 
> 



Re: [pfSense Support] how to block the bit torrent

2011-09-02 Thread greg whynott
As I'm sure you know, that book is based on the 1.x version. If you are
using 2.x or about to, it may cause some confusion as things have been
moved/changed...

perhaps they have an errata update you can download or will...

-g




On Thu, Sep 1, 2011 at 11:37 AM, Ryan Rodrigue wrote:

> Get it, Read It.  It will help a lot I think.
>
> http://www.amazon.com/pfSense-Definitive-Christopher-M-Buechler/dp/0979034280
> 
>


Re: [pfSense Support] Routing/NAT issue

2011-09-02 Thread Jim Pingle
On 9/2/2011 11:17 AM, Giacomo Di Ciocco wrote:
> Hello everyone,
> please consider this scenario: http://www.deffie.it/garbage/theproblem.png
> 
> Servers are reaching the internet from their public IP in the /26 and
> they have the pfSense /26 IP as their default route; this is OK.
> 
> Users from LAN are reaching the internet with the pfSense IP in the /30,
> but it is not conceptually correct. How can I make services and LANs
> reach the internet from the /26 address assigned to pfSense?

That isn't a typical need, but I believe you can do that with some trickery.

Add an 'other' type VIP for the pfSense IP in the /26, then edit your
manual outbound NAT rule for the LAN subnet going out WAN, and have it
translate to that IP.

I have a vague recollection of someone I talked with doing that some
time ago, I thought it worked, but don't quote me on that. :-)

Jim





[pfSense Support] Routing/NAT issue

2011-09-02 Thread Giacomo Di Ciocco

Hello everyone,
please consider this scenario: http://www.deffie.it/garbage/theproblem.png

Servers are reaching the internet from their public IP in the /26 and 
they have the pfSense /26 IP as their default route; this is OK.


Users from LAN are reaching the internet with the pfSense IP in the /30, 
but it is not conceptually correct. How can I make services and LANs 
reach the internet from the /26 address assigned to pfSense?


Thank you,
Giacomo.




RES: RES: RES: [pfSense Support] Static ARP

2011-09-02 Thread Ivanildo Galvão - IT Services
Okay, I give up trying. I will then put the Linux proxy client back on the 
network, operating as before, and another time, with more tranquility, I will 
explain to him that this is not the best scenario and explain the security holes 
that exist, as in the case of an application in which you want equipment with 
static IPs.

Thanks for the support of all the friends here, and the list of security 
observations made here serves, for everyone, as new learning from experience for 
future projects. I was always in favor of physical segmentation as well, each 
group of machines on separate switches or VLANs, but as I explained before, the 
client does not have the necessary equipment for this, not now.

Thank you!


Ivanildo Galvão - MCP, MCT, MCSA, VSP
Technology Consultant
Tel. (84) 3201 2146 | Cel. (84) 9111 8873
ivani...@itservices.com.br | www.itservices.com.br
Twitter: @ivanildogalvao

-Original Message-
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Friday, 2 September 2011 09:15
To: support@pfsense.com
Subject: Re: RES: RES: [pfSense Support] Static ARP

On 9/2/2011 8:09 AM, Ivanildo Galvão - IT Services wrote:
> Please excuse my ignorance, but can you give me examples of the risks posed 
> by this scenario? It serves as a basis to explain to the client that even in 
> the previous solution with Linux, the setting was already correct.

I just said it in my last e-mail. As have others here.

If you have multiple subnets in the same network with no layer 2 segregation 
(physical or VLAN), there is zero security gained by that practice.

All a client has to do is change the IP settings on their network card from 
DHCP to a static IP in any of the subnets, and they can talk to anything there.

Even if you put static ARP on the firewall, that gains you no protection 
between the clients, servers, etc, in those other subnets.

Jim




Re: RES: RES: [pfSense Support] Static ARP

2011-09-02 Thread Jim Pingle
On 9/2/2011 8:09 AM, Ivanildo Galvão - IT Services wrote:
> Please excuse my ignorance, but can you give me examples of the risks posed 
> by this scenario? It serves as a basis to explain to the client that even in 
> the previous solution with Linux, the setting was already correct.

I just said it in my last e-mail. As have others here.

If you have multiple subnets in the same network with no layer 2
segregation (physical or VLAN), there is zero security gained by that
practice.

All a client has to do is change the IP settings on their network card
from DHCP to a static IP in any of the subnets, and they can talk to
anything there.

Even if you put static ARP on the firewall, that gains you no protection
between the clients, servers, etc, in those other subnets.

Jim
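
A small audit script illustrating the point above (an added example, not code
from this thread or from the pfSense project): because the three /24s in this
setup share one broadcast domain, the firewall cannot stop a client from picking
an address in another subnet by hand, but it can at least notice it afterwards
by comparing its DHCP static mappings with what its own ARP table shows. The
arp -an lines, the MAC addresses and the interface name em1 are constructed
sample data; the subnets are the ones named in the thread. The check only sees
hosts that have talked to the firewall, so it is a detection aid, not a
substitute for VLANs or separate switches.

```python
"""Audit a flat layer-2 segment that carries several IP subnets.

Added example, not code from the mailing-list thread: compare the DHCP
static mappings the firewall hands out with the ARP table the firewall
actually sees, and flag hosts using an address they were never assigned.
"""
import ipaddress
import re

# The three subnets from the thread, all on one broadcast domain.
SUBNETS = [ipaddress.ip_network(s) for s in
           ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")]

# Subnets where only statically mapped hosts are supposed to live;
# 192.168.0.0/24 is treated as the open DHCP pool in this layout.
PROTECTED = {ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("192.168.2.0/24")}

# Constructed static DHCP mappings (MAC -> assigned IP).
STATIC_MAPPINGS = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
    "00:11:22:33:44:03": "192.168.2.20",
}

# Constructed `arp -an` output in FreeBSD format (interface em1 is made up).
ARP_OUTPUT = """\
? (192.168.1.10) at 00:11:22:33:44:01 on em1 expires in 1190 seconds [ethernet]
? (192.168.2.20) at 00:11:22:33:44:03 on em1 expires in 1014 seconds [ethernet]
? (192.168.0.57) at 00:11:22:33:44:99 on em1 expires in 1181 seconds [ethernet]
? (192.168.1.77) at 00:11:22:33:44:99 on em1 expires in 1122 seconds [ethernet]
? (192.168.2.5) at 00:11:22:33:44:02 on em1 expires in 1100 seconds [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})",
                      re.IGNORECASE)


def parse_arp(text):
    """Return (ip, mac) pairs from FreeBSD-style `arp -an` output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def subnet_of(ip):
    """Which of the configured subnets an address falls in, or None."""
    addr = ipaddress.ip_address(ip)
    for net in SUBNETS:
        if addr in net:
            return net
    return None


def audit(arp_entries, static_mappings, protected=PROTECTED):
    """Flag ARP entries that contradict the static mappings.

    Returns (ip, mac, reason) tuples for:
      - a mapped MAC seen with an address other than its assigned one;
      - an unmapped MAC seen inside a protected subnet.
    Hosts that never talk to the firewall are invisible to this check.
    """
    findings = []
    for ip, mac in arp_entries:
        net = subnet_of(ip)
        if net is None:
            continue
        assigned = static_mappings.get(mac)
        if assigned is not None and assigned != ip:
            findings.append((ip, mac,
                             f"mapped host using {ip} instead of {assigned}"))
        elif assigned is None and net in protected:
            findings.append((ip, mac, f"unmapped MAC inside protected {net}"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit(parse_arp(ARP_OUTPUT), STATIC_MAPPINGS):
        print(f"{ip:15} {mac}  {reason}")
```

On the sample data the script reports two hosts: an unknown MAC that has taken
192.168.1.77 inside a "protected" range, and a statically mapped machine that
has moved itself to 192.168.2.5. In practice the input would be the firewall's
live arp -an output and the static mappings from its configuration, run from
cron; anything it reports is exactly the address hopping the thread describes,
which only VLANs or physically separate switches actually prevent.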




RES: RES: [pfSense Support] Static ARP

2011-09-02 Thread Ivanildo Galvão - IT Services
Jim, 

Please excuse my ignorance, but can you give me examples of the risks posed by 
this scenario? It serves as a basis to explain to the client that even in the 
previous solution with Linux, the setting was already correct.

Thank you!


Ivanildo Galvão - MCP, MCT, MCSA, VSP
Technology Consultant
Tel. (84) 3201 2146 | Cel. (84) 9111 8873
ivani...@itservices.com.br | www.itservices.com.br
Twitter: @ivanildogalvao

-Original Message-
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Friday, 2 September 2011 08:59
To: support@pfsense.com
Subject: Re: RES: [pfSense Support] Static ARP

On 9/2/2011 7:46 AM, Ivanildo Galvão - IT Services wrote:
> a) The previous configuration was made by a former consultant here; the guy 
> made the business work well, it runs smoothly, but with no VLAN it is 
> vulnerable. He may have done it this way just to give the customer satisfaction 
> with the switch that supports VLAN they have had so far.

Which can be defeated simply by hardcoding your system's address into one of 
the other subnets. Zero security gain.

> c) Under Firewall Rules, I created rules that isolate these networks; it works 
> well, I had already tested it.

Which can be defeated simply by hardcoding your system's address into one of 
the other subnets. Zero security gain.

> e) You cannot go to the client and say "buy a switch with VLAN, buy this or 
> that"; he will say "But his predecessor made it work in Linux and had no 
> problems." With some customers certain things are complicated to explain; he 
> may think you are trying to sell him something, or selling wind. So, friends, I 
> totally agree that this is more or less security; the firewall rules do isolate 
> the networks, in fact, as I said before, but a scenario with VLANs or even 
> 802.1X would be better. It is not possible now; the least I can do is leave the 
> scene no worse than it was before, either with Linux or pfSense. So I'm sending 
> this text to explain more, because at least on this account I'm insisting on 
> doing something that from the beginning is not 100% correct.

Which can be defeated simply by hardcoding your system's address into one of 
the other subnets. Zero security gain.

What was done there does not isolate the networks at all. It appears to isolate 
them, but in fact does not. It only "protects" you from people who don't know 
enough to need protecting from. By continuing to use this method, you are 
exposing your client to potential attacks and actually doing them real harm by 
giving them a false sense of security.

Jim




Re: RES: [pfSense Support] Static ARP

2011-09-02 Thread Jim Pingle
On 9/2/2011 7:46 AM, Ivanildo Galvão - IT Services wrote:
> a) The previous configuration was made by a former consultant here; the guy 
> made the business work well, it runs smoothly, but with no VLAN it is 
> vulnerable. He may have done it this way just to give the customer satisfaction 
> with the switch that supports VLAN they have had so far.

Which can be defeated simply by hardcoding your system's address into
one of the other subnets. Zero security gain.

> c) Under Firewall Rules, I created rules that isolate these networks; it works 
> well, I had already tested it.

Which can be defeated simply by hardcoding your system's address into
one of the other subnets. Zero security gain.

> e) You cannot go to the client and say "buy a switch with VLAN, buy this or 
> that"; he will say "But his predecessor made it work in Linux and had no 
> problems." With some customers certain things are complicated to explain; he 
> may think you are trying to sell him something, or selling wind. So, friends, I 
> totally agree that this is more or less security; the firewall rules do isolate 
> the networks, in fact, as I said before, but a scenario with VLANs or even 
> 802.1X would be better. It is not possible now; the least I can do is leave the 
> scene no worse than it was before, either with Linux or pfSense. So I'm sending 
> this text to explain more, because at least on this account I'm insisting on 
> doing something that from the beginning is not 100% correct.

Which can be defeated simply by hardcoding your system's address into
one of the other subnets. Zero security gain.

What was done there does not isolate the networks at all. It appears to
isolate them, but in fact does not. It only "protects" you from people
who don't know enough to need protecting from. By continuing to use this
method, you are exposing your client to potential attacks and actually
doing them real harm by giving them a false sense of security.

Jim




RES: [pfSense Support] Static ARP

2011-09-02 Thread Ivanildo Galvão - IT Services
It seems strange to want to apply the same mistake that had been made on Linux, 
but let me explain the situation.

a) The previous configuration was made by a former consultant here; the guy 
made the business work well, it runs smoothly, but with no VLAN it is 
vulnerable. He may have done it this way just to give the customer satisfaction 
with the switch that supports VLAN they have had so far.

b) Then, in a network restructuring job, the Linux client was turned off and a 
virtualized pfSense was put on VMware ESXi 4.1; it has 3 virtual NIC interfaces 
that are connected to a single physical NIC connected to the switch. I am trying 
to apply the same scheme, since the customer wants it. At first it looked like it 
would work, and it was going well until it started distributing DHCP IPs to the 
machines without considering the STATIC MAPPING, which I found strange because I 
marked the option "deny unknown clients" in each range. There are 
192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24; two are free, and one is a 
security range where any intruder would fall, for example someone who broke the 
password for the wireless network.

c) Under Firewall Rules, I created rules that isolate these networks; it works 
well, I had already tested it.

d) Maybe if I put the RC3 version it would work; the current one is pfSense 
1.2.3, but I would like to be sure not to apply efforts in vain.

e) You cannot go to the client and say "buy a switch with VLAN, buy this or 
that"; he will say "But his predecessor made it work in Linux and had no 
problems." With some customers certain things are complicated to explain; he 
may think you are trying to sell him something, or selling wind. So, friends, I 
totally agree that this is more or less security; the firewall rules do isolate 
the networks, in fact, as I said before, but a scenario with VLANs or even 
802.1X would be better. It is not possible now; the least I can do is leave the 
scene no worse than it was before, either with Linux or pfSense. So I'm sending 
this text to explain more, because at least on this account I'm insisting on 
doing something that from the beginning is not 100% correct.


Ivanildo Galvão - MCP, MCT, MCSA, VSP
Technology Consultant
Tel. (84) 3201 2146 | Cel. (84) 9111 8873
ivani...@itservices.com.br | www.itservices.com.br
Twitter: @ivanildogalvao

-Original Message-
From: Tim Dickson [mailto:tdick...@aubergeresorts.com]
Sent: Thursday, 1 September 2011 18:13
To: support@pfsense.com
Subject: RE: [pfSense Support] Static ARP

> I have a client who was using Linux as a proxy server it had this one LAN 
> interface and a WAN, LAN NIC in the virtual one he had, as follows: eth0: 1, 
> eth0: 2, eth0: 3, so he had:

We kind of already answered this one yesterday... but

What you want to do will not work like they had it on the Linux box, and really 
is not a recommended way to set up a network.
It provides NO "real" security on your network - so what is the reason for 
segregating?

If it is to provide security, then you may as well not bother because it would 
be trivial to hop networks at that point.
If it is for access restrictions after the firewall - you can do what you want 
with what was recommended yesterday:
Open up the network with a 192.168.0.0/22.
Put the DHCP range on 192.168.3.1-192.168.3.254.
Put in STATIC DHCP for devices on 192.168.1.0 and 192.168.2.0.
Then set up rule restrictions for the IP ranges.

The only other option I can think of would be to set up 3 NICs for 3 LANs, then 
plug them all into the same switch.
Turn DHCP on on all of them, restricting 2 of them to STATIC MAC mappings.
I have no idea how that would work, or if it would - but you are welcome to 
give it a shot.
Seems like it would be a broadcast nightmare - but if you want to try it...

-Tim





[pfSense Support] Problem with forwarding between interfaces

2011-09-02 Thread Ray

Hi,

I've set up 2.0r3 on an ALIX2D13 box. Largely things work fine, but I 
have a routing issue that I can't get my head around. I'll quickly 
describe my setup first and then explain the problem I'm facing:


The ALIX2D13 has 3 Ethernet interfaces. I use the first (vr0) as WAN 
connection with DHCP. Works fine.


The second Ethernet interface has a static private IP and serves as my 
backdoor into the box when I screw up things on the other interfaces. 
Also works fine.


The ALIX has a Wifi card built in that runs as access point. This 
access point, an OpenVPN tap client interface and the third Ethernet 
interface are all part of a bridge (br0). Via VPN, the bridge gets an IP 
assigned using a DHCP Server at the other end of the VPN tunnel in a 
data center. Works also.


When I connect to the WIFI access point provided by the ALIX box, the 
client box contacts the DHCP server at the far end of the VPN tunnel for 
an IP address. This also works. Part of the DHCP-provided information is 
the gateway to be used by the client, which is set as the IP of the 
bridge interface in the ALIX box. Here the problem comes in: the 
Internet-bound traffic arrives at the ALIX, and my hope would be that it 
is routed out directly via the WAN interface. However, it somehow 
disappears there or hits some kind of wall. I should say that in the 
advanced setting of pfSense I completely turned off packet filtering for 
the moment, so that the firewall is not the problem.


From Linux, I know that IP forwarding can be enabled with 
echo 1 > /proc/sys/net/ipv4/ip_forward. I assume FreeBSD is doing this in some 
similar way? Is this feature enabled by default in pfSense? If not, 
could that be the problem?


Are there any diagnostic dumps I could add to provide more detailed 
info?


I would really appreciate a hint or two...

Thanks,
Ray
