Re: [pfSense Support] Proxy Question

2010-10-06 Thread Anil Garg
Thanks Dan. Appreciate it. I suppose the trick is in moving the web interface to HTTPS...
But what happens when I go to my online bank, which uses HTTPS traffic??

1. Should we change the web interface to some absurd port number? Only the web 
admin of pfsense needs that.

2. It sounds like, Squid or no Squid, the solution proposed by you should 
work...
 Anil Garg
+1 408-221-7725





From: Daniel Davis 
To: "support@pfsense.com" 
Sent: Tue, October 5, 2010 3:54:39 PM
Subject: RE: [pfSense Support] Proxy Question

 
Yes, just put a DNS entry in the DNS forwarder for proxy.sucks.com pointing to 
your gateway IP address. You will also need to change the proxy port to port 80 
(make sure that the pfsense web interface is set to HTTPS in advanced settings 
first).
 
Regards,
Daniel Davis



 
From: Anil Garg [mailto:garg_art2...@yahoo.com] 
Sent: Wednesday, 6 October 2010 4:28 AM
To: support@pfsense.com
Subject: [pfSense Support] Proxy Question
 
At my work, I have to enter proxy.sucks.com:80 under 
Tools > Options > Network > Connections > Settings

When I get home, I have to invariably retrace my path.

I have a vanilla pfsense 1.2.3 set up with no proxy or anything.. in the 
following way:

LAN |--pfsense---DSLrouter---ISP

is there a way for domain name proxy.sucks.com:80 to point to squid on pfsense? 
If so one can venture and install squid as a package for fun.

Anil Garg
+1 408-221-7725
 



Re: [pfSense Support] Proxy Question

2010-10-06 Thread Anil Garg
Just a minor problem is that in my company they have 100,000 desktops/laptops 
and IT is high up in hierarchy.
 Anil Garg
+1 408-221-7725





From: Seth Mos 
To: support@pfsense.com
Sent: Wed, October 6, 2010 2:06:44 AM
Subject: Re: [pfSense Support] Proxy Question

On 5-10-2010 20:58, Anil Garg wrote:
> At my work, I have to enter proxy.sucks.com:80 under
> Tools > Options > Network > Connections > Settings

I would suggest setting up a proxy wpad host at work that provides the clients 
with that information.

Set up a wpad.sucks.com website that has a wpad.dat file with the JavaScript 
proxy configuration script.

When you get home the site doesn't exist and it just works.

Regards,

Seth

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
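Seth's WPAD suggestion above, as an added example that is not part of the original thread: a minimal wpad.dat proxy auto-config (PAC) script. The browser (Firefox with "Auto-detect proxy settings for this network", or an explicit PAC URL) fetches http://wpad.sucks.com/wpad.dat and calls FindProxyForURL(url, host) for every request. The host name wpad.sucks.com, the proxy name, the private address ranges and the two helper stand-ins are assumptions for this example, not values taken from the thread.

```javascript
// Added example (not from the thread): a wpad.dat proxy auto-config (PAC)
// script of the kind Seth describes. Serve it from the assumed host
// wpad.sucks.com as /wpad.dat; the browser calls FindProxyForURL(url, host)
// for every request. The intranet ranges and the proxy name are assumptions.

// The browser's PAC runtime supplies dnsDomainIs() and isPlainHostName();
// these stand-ins give the same answers for the cases used here and let
// the file also run under Node for offline testing.
function dnsDomainIs(host, domain) {
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Match a dotted-quad address against a CIDR range. PAC's own isInNet()
// takes a netmask and resolves host names; this helper only classifies
// literal IPv4 addresses, so nothing is resolved while the script runs.
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const toInt = s => s.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (toInt(ip) & mask) === (toInt(net) & mask);
}

// Assumed address ranges that exist only on the work network.
const INTRANET_RANGES = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"];

function FindProxyForURL(url, host) {
  const h = host.toLowerCase();

  // Intranet names and loopback never touch the proxy.
  if (isPlainHostName(h) || h === "localhost" || dnsDomainIs(h, ".sucks.com")) {
    return "DIRECT";
  }
  // Literal private addresses go direct as well.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h) &&
      INTRANET_RANGES.some(r => ipInCidr(h, r))) {
    return "DIRECT";
  }
  // Everything else goes through the corporate proxy. Deliberately no
  // "; DIRECT" fallback: a fail-open fallback lets any client that cannot
  // reach the proxy bypass it entirely.
  return "PROXY proxy.sucks.com:80";
}
```

Serve the file with Content-Type application/x-ns-proxy-autoconfig from a host that only resolves on the work network; at home the wpad lookup fails and the browser goes direct, which is exactly the behaviour Seth describes. Two caveats a practitioner would add. First, the script returns only the proxy for external destinations, without a trailing "; DIRECT" fallback, because a fail-open fallback lets any client that cannot reach the proxy bypass it, and the same bypass should be blocked by egress rules on the firewall anyway. Second, WPAD auto-detection trusts whatever wpad host (or DHCP option 252 answer) the current network supplies, so on an untrusted network a rogue WPAD responder can hand the browser a PAC that routes its traffic through an attacker's proxy; pointing the browser at an explicit PAC URL instead of enabling auto-detect keeps the home-versus-work switching while avoiding that exposure.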

[pfSense Support] Proxy Question

2010-10-05 Thread Anil Garg
At my work, I have to enter proxy.sucks.com:80 under 
Tools > Options > Network > Connections > Settings

When I get home, I have to invariably retrace my path.

I have a vanilla pfsense 1.2.3 set up with no proxy or anything.. in the 
following way:

LAN |--pfsense---DSLrouter---ISP

is there a way for domain name proxy.sucks.com:80 to point to squid on pfsense? 
If so one can venture and install squid as a package for fun.

Anil Garg
+1 408-221-7725


Re: [pfSense Support] PFSENSE 2.0

2010-08-02 Thread Anil Garg
Vick - Newer hardware tends to have VGA because chipset manufacturers 
(Intel/Nvidia etc.) can throw in VGA on the cheap. If you polled 100 random people 
they will all tell you hooking up a monitor is easier. The whole purpose of 
pfsense is providing ease of use. It appears m0n0wall now has VGA and 
hopefully pf will too. It's a stretch to claim the universe resembles *your* 
collection of embedded boxes. In circa 2010 even die-hard geeks will agree that 
for the majority of people, including geeks, having a VGA interface is easier.

I have huge respect for leaders like you, who make such a strong, vibrant 
pfsense community possible. However, I would be less than honest if I did not 
wholeheartedly disagree.
 
Because I am a fan of pfsense, I eagerly hope that the VGA interface will bubble up 
to the top when folks have some spare bandwidth. I will be patient till then.
Anil Garg
+1 408-221-7725





From: Vick Khera 
To: support@pfsense.com
Sent: Mon, August 2, 2010 7:47:30 AM
Subject: Re: [pfSense Support] PFSENSE 2.0

none of the devices on which I run embedded even *have* VGA, so I disagree.  If 
you have a full system, just run the full release.


On Sat, Jul 31, 2010 at 4:17 AM, Anil Garg  wrote:

I think VGA with embedded is now a major convenience issue.
>


Re: [pfSense Support] PFSENSE 2.0

2010-07-31 Thread Anil Garg
Hi Chris
Thanks for the pointer. I will check that out.
Your point about serial cable @ serious ops environment is also valid.
 
Anil Garg
+1 408-221-7725



- Original Message 
From: Chris Buechler 
To: support@pfsense.com
Sent: Sat, July 31, 2010 10:50:55 AM
Subject: Re: [pfSense Support] PFSENSE 2.0

On Sat, Jul 31, 2010 at 4:17 AM, Anil Garg  wrote:
>
> I think VGA with embedded is now major convenience issue.
>

I think we'll probably see it for 2.0, but anyone who does any serious
network work has no shortage of serial gear. There isn't a decent
managed switch or commercial router or many embedded hardware
platforms that offer anything but serial console (until you get it on
the network at least), and that doesn't look to change anytime in the
near future.

Hacom already offers embedded images with VGA enabled, though I don't
know how specific to their hardware those are (probably not very).
http://www.hacom.net/catalog/pub/pfsense




Re: [pfSense Support] PFSENSE 2.0

2010-07-31 Thread Anil Garg
I found a serial cable at Fry's but you guys are going to laugh at my sorry 
state...

I don't have a single laptop at home that has a serial port. Perhaps my work 
docking station will have... Had I known this I would have purchased USB to 
serial...

I think VGA with embedded is now a major convenience issue.

 
Anil Garg
+1 408-221-7725



- Original Message ----
From: Anil Garg 
To: support@pfsense.com
Sent: Fri, July 30, 2010 9:30:10 AM
Subject: Re: [pfSense Support] PFSENSE 2.0

Thanks Vick. I can wait for a week if it's so cheap and costs me just a few 
clicks. Woo Hoo!!


Anil Garg
+1 408-221-7725



- Original Message 
From: Vick Khera 
To: support@pfsense.com
Sent: Fri, July 30, 2010 9:14:28 AM
Subject: Re: [pfSense Support] PFSENSE 2.0

On Thu, Jul 29, 2010 at 11:54 PM, Anil Garg  wrote:
> I also hadn't
> heard of usb to serial and so will go look for that as well next time I am at
> best buys...

Not so likely to find it there... I get them online from here:
http://www.dealextreme.com/details.dx/sku.5859

They work just great plugged into a FreeBSD and MacOS X host.  I'm
sure they'll work in windows, and likely linux.  I've driven them at
115200 baud with no problems.

Buy a handful at that price! :-)  They are a chinese company and ship
directly from there, but the stuff usually arrives within a week.
I've bought lots of stuff from them.




Re: [pfSense Support] PFSENSE 2.0

2010-07-30 Thread Anil Garg
Thanks Vick. I can wait for a week if it's so cheap and costs me just a few 
clicks. Woo Hoo!!

 
Anil Garg
+1 408-221-7725



- Original Message 
From: Vick Khera 
To: support@pfsense.com
Sent: Fri, July 30, 2010 9:14:28 AM
Subject: Re: [pfSense Support] PFSENSE 2.0

On Thu, Jul 29, 2010 at 11:54 PM, Anil Garg  wrote:
> I also hadn't
> heard of usb to serial and so will go look for that as well next time I am at
> best buys...

Not so likely to find it there... I get them online from here:
http://www.dealextreme.com/details.dx/sku.5859

They work just great plugged into a FreeBSD and MacOS X host.  I'm
sure they'll work in windows, and likely linux.  I've driven them at
115200 baud with no problems.

Buy a handful at that price! :-)  They are a chinese company and ship
directly from there, but the stuff usually arrives within a week.
I've bought lots of stuff from them.




Re: [pfSense Support] PFSENSE 2.0

2010-07-29 Thread Anil Garg
Thanks Chris. It's a great product and I'd love to start testing it. I also hadn't 
heard of USB to serial and so will go look for that as well next time I am at 
Best Buy...

 
Anil Garg
+1 408-221-7725



- Original Message 
From: Chris Buechler 
To: support@pfsense.com
Sent: Thu, July 29, 2010 8:47:56 PM
Subject: Re: [pfSense Support] PFSENSE 2.0

On Thu, Jul 29, 2010 at 10:38 PM, Anil Garg  wrote:
> Is the embedded version of PFSENSE 2.0 enabled with VGA?

Not at this time. Renato was working on building both serial and VGA
images, pretty sure he's still going to complete that. So there
probably will be at some point.




[pfSense Support] PFSENSE 2.0

2010-07-29 Thread Anil Garg
Is the embedded version of PFSENSE 2.0 enabled with VGA?  It's very hard to find 
a serial cable these days in comparison to DVI or VGA cables

Thanks.
 Anil Garg

Re: [pfSense Support] Power Question for pfsense

2009-11-29 Thread Anil Garg
Chris
Thanks. I suspected this, as I have been a pfsense loyalist for over 4 years. Some things 
are best kept unknown!! Thanks again for the quick response.

--- On Sun, 11/29/09, Chris Buechler  wrote:

From: Chris Buechler 
Subject: Re: [pfSense Support] Power Question for pfsense
To: support@pfsense.com
Date: Sunday, November 29, 2009, 2:20 PM

On Sun, Nov 29, 2009 at 3:25 PM, Anil Garg  wrote:
>
> I have a headless pfsense 1.23 box powering my home network with a wired 
> setup.
> We had a power glitch after which it was stuck and not booting with the sonic 
> pleasure of a clear boot sound, and neither was internet access working etc...
>
> I switched it off, connected it to another monitor and booted, and it said RW 
> mode mount not possible etc. etc. Then it cleaned up the file system and we 
> are good.
>

It automatically does that when needed. I always intentionally yank
the plug on my systems just to see if I can ever break it and after
easily thousands of unsafe shut downs I've never had a box not come
back up just fine on its own. I guess you couldn't see why it didn't
get through fsck properly without having a monitor on it before, so
there's no telling what happened.




[pfSense Support] Power Question for pfsense

2009-11-29 Thread Anil Garg
I have a headless pfsense 1.23 box powering my home network with a wired setup.
We had a power glitch after which it was stuck and not booting with the sonic 
pleasure of a clear boot sound, and neither was internet access working etc...

I switched it off, connected it to another monitor and booted, and it said RW 
mode mount not possible etc. etc. Then it cleaned up the file system and we are 
good.

Here is the problem. When the power glitch happened we lost our internet and my 
wife could not make it work with a simple power cycle. She tried a few times. 
When I came back a day later, I tried it once myself.

Suspecting that the drive may be shot, I took it to another place where we had 
a monitor and, like I said, it came back.

Can something be done so that every boot cycle will include cleaning the file 
system, at the expense of boot duration? We hardly boot this once every 3/4 
months, if that.

Anil



[pfSense Support] Multi-Wan Question

2009-10-07 Thread Anil Garg
Will something like this work and be secure enough? The only reason I am using 
VLAN on an unmanaged switch is to direct traffic to different gateways operating 
like client bridges (no DHCP) and send traffic on the only spare Ethernet 
interface available, the only cable limitation being the runs to different parts of the 
home where the client bridges are located...

http://www.gargcentral.com/files/multi_wan_fooling_vlan.JPG

Re: [pfSense Support] VLAN Capable switch

2009-10-04 Thread Anil Garg
David

I am not very technical. My server room is far away from my internet connection 
at my home. So there is only one cable going from the internet to server room.  
I am still reading about VLAN so that I understand its working better.

Anil






From: David Burgess 
To: support@pfsense.com
Sent: Sunday, October 4, 2009 7:25:40 PM
Subject: Re: [pfSense Support] VLAN Capable switch

On Sun, Oct 4, 2009 at 6:15 PM, Anil Garg  wrote:
> I have a pfsense with two 10/100 PCI cards (acting as LAN & WAN router).
> I have a 4 port (quad) 10/100 PCI (ZNYX ZX374) card.
> If I were to add this card into the box and then add those ports and bridge
> them with each other (completely away from LAN WAN) will those four ports
> act like a VLAN capable switch?  I don't have a VLAN capable switch
> and by introducing this will I be able to run a VLAN based segmented
> network.

Why bridge multiple interfaces, then separate them as vlans with no
vlan-capable switch? Wouldn't you get the same effect by just running
the separate interfaces as separate LANs? Just asking.

db


[pfSense Support] VLAN Capable switch

2009-10-04 Thread Anil Garg
I have a pfsense with two 10/100 PCI cards (acting as LAN & WAN router).
I have a 4 port (quad) 10/100 PCI (ZNYX ZX374) card.
If I were to add this card into the box and then add those ports and bridge 
them with each other (completely away from LAN WAN) will those four ports act 
like a VLAN capable switch?  I don't have a VLAN capable switch and by 
introducing this will I be able to run a VLAN based segmented network.

The traffic is not much

Comments.
Anil

[pfSense Support] PPTP

2008-12-06 Thread Anil Garg
Pardon me for asking if it's already been asked several times.  Is 1.21 ready with 
the PPTP fix?

I need outgoing and incoming PPTP for the next few months.  So far we have been 
fine with outgoing PPTP alone.

Anil

Re: [pfSense Support] random lock up -> Now with high CPU usage

2008-09-24 Thread Anil Garg
Have you installed a package called Dashboard? I noticed high CPU usage with 
some of its applets. I have since disabled that through a brand new install.



- Original Message 
From: Matias Surdi <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Wednesday, September 24, 2008 10:43:03 AM
Subject: [pfSense Support]  random lock up -> Now with high CPU usage

Finally, we've migrated to 1.2.1 RC1 and it seems to be working, at least 
for now.

But we are seeing that the CPU stays at 50% use, and top shows that 
it's being used by "interrupt".

The hardware is the same (exactly the same, we reinstalled 1.2.1 on the 
same disk where 1.2 was).

The driver on 1.2.1 is

Intel(R) PRO/1000 Network Connection Version - 6.7.3

And on 1.2 was

Intel(R) PRO/1000 Network Connection Version - 6.2.9

Any idea what could be happening?




Matias Surdi wrote:
> Hi,
> 
> I'm experiencing random crashes with 1.2, sometimes it happens when saving 
> a rule, other times when saving advanced settings. No reply from the 
> pfSense box, no ping replies. Nothing. Completely dead.
> 
> Any idea what could be happening here?
> 
> Thanks a lot.



Re: [pfSense Support] Re: Multiple gateways on the same network interface

2008-09-17 Thread Anil Garg
Is there a place to check what is new on the stove for 1.3 release. Ah goodies.



- Original Message 
From: Matias Surdi <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Wednesday, September 17, 2008 2:43:59 PM
Subject: [pfSense Support]  Re: Multiple gateways on the same network interface

Matias Surdi wrote:
> Chris Buechler wrote:
>> On Wed, Sep 17, 2008 at 4:55 PM, Matias Surdi 
>> <[EMAIL PROTECTED]> wrote:
>>> Thanks for your help Wilson.
>>>
>>> That's not exactly what I'm trying to do.
>>>
>>> I've both DSL routers on the same physical WAN interface (with a switch,
>>> obviously).
>>>
>>> Then, on these DSL routers I've some port redirections to the pfSense 
>>> box, and from the pfSense box to my servers on the LAN side.
>>>
>>> The incoming connections get successfully to the internal servers, but 
>>> the replies from the servers for those connections always return to the
>>> internet through the system default gateway (the first DSL) instead of
>>> from the DSL router it came from (that could be the 1st DSL or the second), 
>>> thus, port forwardings from the second DSL don't work.
>>>
>>
>> You need one interface per Internet connection. This will change in
>> 1.3 but that is not suitable for production use at this time.
> 
> 
> Thanks Chris, this clears my doubts.


Hi again Chris, just one more question.

If I've more than one IP address on each of my internet connections (now 
each one on its own interface), will I be able to do port forwardings 
for all the IPs?

Thanks!





Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-30 Thread Anil Garg
thanks.

--- On Wed, 7/30/08, Chris Buechler <[EMAIL PROTECTED]> wrote:
From: Chris Buechler <[EMAIL PROTECTED]>
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?
To: support@pfsense.com
Date: Wednesday, July 30, 2008, 10:03 PM

On Thu, Jul 31, 2008 at 12:58 AM, Anil Garg <[EMAIL PROTECTED]>
wrote:
>
> I would love to try the new 1.2.1 but there are so many images
> Which one should be tested as most stable.
>

They're built once a day. Most days RELENG_1_2 doesn't change, and any
changes that do occur are minor. Just pick the newest one available at
the time of download.


Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-30 Thread Anil Garg
Hi Chris

I have an experimental rack for a start-up idea on a 100 Mbps pipe, and the 
machine is a Dell 450 MHz with added-in Intel 10/100 server cards.  I have 
Red/Orange/Green with about 12 servers.  The image is 1.2 release and I have 
had no trouble cranking it up to 78 Mbps once...

Another point is that it has VPN, and WAN is configured as static IP 
xxx.xxx.xxx.66/27, and for the last 5 months it has never given up. There is no 
other small biz router that can compete with this solution.  And I would put 
large environments on this considering it has a snort implementation.  CONGRATS 
for having a winner on your hands!!

I would love to try the new 1.2.1 but there are so many images...
Which one should be tested as most stable?

Best Regards
Anil Garg


--- On Wed, 7/30/08, Chris Buechler <[EMAIL PROTECTED]> wrote:
From: Chris Buechler <[EMAIL PROTECTED]>
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?
To: support@pfsense.com
Date: Wednesday, July 30, 2008, 6:29 PM

On Wed, Jul 30, 2008 at 7:30 PM, Ted Crow <[EMAIL PROTECTED]> wrote:
>
> As an additional note, I've already tried the following to no avail:
>
> - tcp/udp tweaking (no change)

Shouldn't be necessary anyway. Most of those settings are only
relevant when the firewall is the endpoint of the connection.

> - duplex mismatch testing (no problems)

No errors on Status -> Interfaces? What speed and duplex is the WAN
port showing as?  In my experience with metro Ethernet, the endpoints
are set inconsistently by providers (at least by AT&T). Some are
forced speed/duplex and some are set to auto. In the former case
you'll need to force your end, in the latter, leave it to auto.


>  what I can see.
> - the DMZ speed is 40-60Mbps to the Internet and 50-60Mbps to the LAN.
>

How are you testing? I've pushed more than that through a 500 MHz box,
something of the spec you're running with Intel NICs is capable of
multi-Gbps. Since it's slow from DMZ to LAN it's likely not WAN port
related.

Since you're running relatively new hardware, the first thing I'd
recommend is trying 1.2.1. The NICs you have in a box that new
probably didn't exist at the time the em driver in FreeBSD 6.2 was
written, so you may be hitting some glitch there. Ditto for any number
of other components in that box.


RE: [pfSense Support] panic on install of stable pfsense on latests Dell PE 1950 server

2008-05-08 Thread Anil Garg
One word of caution is that using such a super fast machine may cause more harm 
than good.  It may make some packets reach destination before they are expected 
to or allowed to causing total chaos and anarchy in the IP domain.

Be careful 

Christopher Iarocci <[EMAIL PROTECTED]> wrote: I'll 
trade you that machine for one that works.  ;-)
   
  Seriously though, disable the ACPI in the bios.  There was just a thread on a 
similar problem yesterday.  See here:
   
  http://www.mail-archive.com/support@pfsense.com/msg13026.html
   
  HTH
   
  Chris
   
  From: Harrie Bonenkamp (Colson) [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, May 08, 2008 11:39 AM
 To: support@pfsense.com
 Subject: [pfSense Support] panic on install of stable pfsense on latests Dell 
PE 1950 server
  
  
   
  Dear Support,
   
  I tried to install the latest stable pfsense 1.2 on a brand new Dell 
PowerEdge 1950 
  With the default (ACPI enabled) install it came back to me with this error:
   
  DELL_PE_SC3
  Panic ACPI0sDerivePciId unable to initialize PCI bus
   
  And system reboots in 15 seconds.
   
  The server has this specification:
   
  PE1950 III Quad-Core Xeon E5430   2.66GHz/2x6MB 1333FSB 
 PE1950 PCIE Riser (2   Slots)
 PE1950 Bezel Assembly 
 4GB FB 667MHz Memory (2x2GB dual   rank DIMMs)
 No second Processor option 
 300GB SAS (10,000 rpm) 3.5inch   Hard Drive 
 PE1950 III 3.5" HDD support   chassis 
 Perc 6i Integrated Controller 
 8X IDE DVD-ROM Drive 
 PE1950 III Non-Redundant Power   Supply - No Power Cord 
 Broadcom TCP/IP Offload Engine   functionality (TOE) Not Enabled 
 No Operating System 
 PE1950 OpenManage kit and FI   Driver 
 PE1950 III - C3,MSSR1, ADD IN   PERC 5i/6i or SAS6iR, min 2 / max 
2 
 
   
  Harrie Bonenkamp
   
  
  


Re: [pfSense Support] boot usb without bios support

2008-05-06 Thread Anil Garg
If the BIOS does not support booting from USB then no operating system can help, 
because the BIOS is the first intelligence for the processor which directs the 
computer to devices.

Looks like you should boot from the pfsense LiveCD and then configure the rules to 
be saved on the USB drive.

Ideally, save your current config.xml file in the root of any USB drive.  Remove all 
other files even if they don't matter (just keeps it clean).

And then boot from the CD.  pfsense should recognize the USB drive and the 
config file.  Leave the CD in there for future power cycles.
Hope this helps.

Ernesto Eduardo Medina Núñez <[EMAIL PROTECTED]> wrote: Hi, I'm new to BSD and 
pfsense.
I want to boot pfsense from my USB pen drive but my BIOS is old and can't 
boot from a USB drive.

Can somebody help me? 

Note: I don't have a hard drive or floppy disk, I just have:
 - CD-ROM drive 
 - 1GB USB pen drive with pfsense installed (it works, I tested it on my laptop)
 - the pfsense CD,
 - computer with 3 network cards.
 - Celeron processor (333), very old!


-- 
Lalo: Just do it, life is too short 


[pfSense Support] PPTP

2008-04-14 Thread Anil Garg
I have one WAN, one LAN, and one OPT-1 (DMZ).

My PPTP users get an IP address from the LAN subnet such as 192.168.1.1
I have a rule on LAN that says any protocol / any interface / any port / any 
interface / any port

I have a similar rule for PPTP

It's under a home setting and I am trying to host some content.

However, one minor problem is that my PPTP connections cannot access OPT1 (DMZ) 
machines.

As a PPTP user coming in on WAN, I can SSH into a LAN machine, and then once I am 
on the LAN machine we can use a command prompt to get to the server on OPT-1 
(DMZ)... sort of a sneaky way.

Is this normal or should I be looking elsewhere in the rules?  Any clue would be 
highly appreciated.

Anil


[pfSense Support] PPTP

2008-04-14 Thread Anil Garg
Guys,
I noticed a very strange behavior with pfsense and it baffled me, so I thought I 
would ask.  My firewall has been supporting incoming VPN and IPsec connections 
at my office for several months.  Yesterday PPTP would not work (no changes 
were made to the firewall).

After a forum search we added two rules for WAN, which I found after googling 
and searching the pfsense forum.

The rules newly added were:

WAN TCP/Any/Any/192.168.75.1/1723

and

WAN GRE/Any/Any/192.168.75.1/any

and PPTP again started working.  Before this failure, PPTP was faithfully 
working for months without these rules.

I hate to make it sound like a scary story, but I spent almost 8 hours trying to 
find the problem before finally opting to install the above two rules.

Any insight would be very helpful.

I saved a copy of status.php and am also studying it to read the tea leaves!!!

Best Regards
 
 


Re: AW: [pfSense Support] Filtering OpenVPN Road Warrior Clients

2008-04-05 Thread Anil Garg
I once read a saw: "In marriage, one realizes that the better one was around the 
corner moments after 'I do'"!!

Sorry - I know this is a serious forum but I could not resist.


"Fuchs, Martin" <[EMAIL PROTECTED]> wrote: In 1.3 
it will be possible…
   
  From: Jared B. Griffith [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, 5 April 2008 03:38
 To: support@pfsense.com
 Subject: [pfSense Support] Filtering OpenVPN Road Warrior Clients
  
  
   
  Is it possible to filter OpenVPN Road Warrior clients on the 1.2 Release?
 If not, is it going to be possible and when?
 
 -- 
 - Thank you,
 - Jared B. Griffith
 - Farheap Solutions, Inc.
 - Lead Systems Administrator
 - California IT Department
 - Email - [EMAIL PROTECTED]
 - Phone - 949.417.1500 ext. 266
 - Cell Phone - 949.910.6542
  
  


Re: [pfSense Support] CARP

2008-04-01 Thread Anil Garg
Bill

Thanks for correcting. I am quite green on this stuff and, as they say, a little 
knowledge is dangerous!

The built-in load balancer is a great idea.  I will test that out too...

Bill Marquette <[EMAIL PROTECTED]> wrote: On Tue, Apr 1, 2008 at 9:44 AM, Anil 
Garg wrote:
> However most examples are for WAN side traffic and for keeping internet
> alive.  I will keep trying to find something that shows how servers can be
> balanced.

If balancing is what you need, then use the load balancer built into
pfSense.  If active/passive, then while the load balancer will also
work fine, you might try one of the server high availability solutions
available outside of pfSense (CARP for the BSDs, linux's HA stuff, etc
- again Google will get you going there)

> Its amazing because it even keeps the state.

FWIW, to correct a few misstatements you've made in this thread.

"CARP requires a dedicated cable" - not correct, CARP is a multi-cast
protocol that is broadcast on the same network segment as the address
for it.
"it (CARP) even keeps the state" - not correct, pfsync keeps state
synchronization.  It's also highly recommended (as it's not
cryptographically secure) to run this on a dedicated cable.

--Bill





Re: [pfSense Support] CARP

2008-04-01 Thread Anil Garg
Thanks David and Thanks Gary.

I spent a lot of time reading and a few things are somewhat becoming clear..  
CARP uses a trusted (preferably dedicated) link to send heartbeat signals to 
keep track of who is alive. This common knowledge enables some pfsense boxes to stay inactive 
(to either act as DHCP server or act as a gateway). When something happens to the 
master, the next in the succession line takes over.
Very unique and innovatively simple.

However most examples are for WAN side traffic and for keeping the internet alive.  
I will keep trying to find something that shows how servers can be balanced.
It's amazing because it even keeps the state.

Best Regards
Anil Garg

Gary Buckmaster <[EMAIL PROTECTED]> wrote: Anil Garg wrote:
> I have seen some documentation that shows how two pfsense can act as 
> back up to the other (hot standby)..
>
>
> Is it possible for servers behind pfsense to exploit the same capability?
>
> Say we have one www.server on LAN or DMZ.  If this server were to die, we 
> want the system to point to another www.server on the same subnet.
>
> Thanks much.
Yes, there are a number of mechanisms that allow this to happen.  It 
depends entirely on the type of operating system and applications you 
are using.  Many database server software offer a clustering feature.  
Linux has clustering capabilities through a couple of different 
facilities.  Spend some quality time with Google, I'm sure you'll find 
what you need.

-Gary





[pfSense Support] CARP

2008-03-31 Thread Anil Garg
I have seen some documentation that shows how two pfsense can act as back up to 
the other (hot standby)..


Is it possible for servers behind pfsense to exploit the same capability?

Say we have one www.server on LAN or DMZ.  If this server were to die, we want the 
system to point to another www.server on the same subnet.

Thanks much.


Re: [pfSense Support] Server NAT

2008-03-31 Thread Anil Garg
Chris

This is a great product and the documentation for m0n0wall is also the finest.  
However, we should rewrite the documentation for pfsense because there are 
different menu items etc.  I understand that the efforts are often reliant on the 
community for success and therefore I feel that it's even worth breaking this 
effort down into small recipes and then aggregating.

Please forgive me if I spoke beyond the scope of an individual user.  BTW, I would 
be willing to contribute and support that documentation effort.

Anil Garg

Chris Buechler <[EMAIL PROTECTED]> wrote: Anil Garg wrote:
> I am reading the m0n0wall documentation (its so well written - kudos 
> to the author)

What, you specifically buttering me up to get a response?  ;) 


>
> There is a pointer that for many public addresses to be mapped to 
> servers inside, m0nowall specifies that "Server NAT should be used"
>
> What would be an equivalent for that in pfsense and if there is any 
> difference.  I could not find any documentation on the web anywhere 
> which shows the difference.
>
>
> Is "Server NAT" achieving the same goal that pfsense would do with a 
> proxy ARP (under virtual IP)??

Server NAT in m0n0wall is the same as Inbound NAT with VIPs in pfSense.





Re: [pfSense Support] ICMP not Replying on Virtual IPs

2008-03-31 Thread Anil Garg
Hi Gary - I could, but:
1. There is a page-long list of CARP settings issues
2. Then there are a number of new settings like password and VHID and ad freq 
etc..
Thanks for taking a moment to respond.
Anil

Gary Buckmaster <[EMAIL PROTECTED]> wrote: CARP is a virtual IP type.  If you 
already have Virtual IPs defined as 
ProxyARP, simply change them to CARP, and make sure you have CARP enabled. 

Anil Garg wrote:
> Hi Gary - Is there a place that I can read which shows how to do CARP 
> in place of Virtual IP when we are doing NAT...
>
> I am also searching into Google and my head spins!!
>
> */Gary Buckmaster /* wrote:
>
> Ron Lemon wrote:
> >
> > I have setup a rule to allow all ICMP types from any source any
> port
> > to any destination on any port via any gateway.
> >
> > If I ping my WAN IP it responds correctly.
> >
> >
> > My WAN link also has 6 Virtual Ips of type other configured. I can
> > access the resources via NAT that are on these virtual Ips but
> when I
> > ping one of them I never get a response. What else do I need to
> do to
> > get the virtual Ips to respond to ICMP requests.
> >
> >
> > Thanks
> >
> > Ron.
> >
> ProxyARP virtual IPs don't respond to ping. CARP virtual IPS do, if
> ping is necessary, convert your virtual IPs over to CARP.
>
>
>






Re: [pfSense Support] ICMP not Replying on Virtual IPs

2008-03-31 Thread Anil Garg
Hi Gary - Is there a place that I can read which shows how to do CARP in place 
of Virtual IP when we are doing NAT...

I am also searching into Google and my head spins!!

Gary Buckmaster <[EMAIL PROTECTED]> wrote: Ron Lemon wrote:
>
> I have setup a rule to allow all ICMP types from any source any port 
> to any destination on any port via any gateway.
>
> If I ping my WAN IP it responds correctly.
>
>
> My WAN link also has 6 Virtual Ips of type other configured.  I can 
> access the resources via NAT that are on these virtual Ips but when I 
> ping one of them I never get a response.  What else do I need to do to 
> get the virtual Ips to respond to ICMP requests.
>
>
> Thanks
>
> Ron.
>
ProxyARP virtual IPs don't respond to ping.  CARP virtual IPS do, if 
ping is necessary, convert your virtual IPs over to CARP.





RE: [pfSense Support] ICMP not Replying on Virtual IPs

2008-03-31 Thread Anil Garg
I too have been struggling with this for the last several weeks.
Yesterday, I noticed an interesting observation which may have some clue to 
solving it.

To map the Virtual IP using NAT, we need a static IP on the LAN or DMZ side.

When I used the MAC address based DHCP (in LAN as well as DMZ) to give my 
server a fixed IP address and NAT this fixed IP to the Virtual IP,

I noticed that all my pings magically started to work.  I also had an ICMP rule 
set on each interface which was  
any/any/anyany/any/anyany/any/anyany/any/anyany/any/any 7 ways to Sunday

Stupid but hey this is test...
I broke this rule down to similar rule for each zone...
Like one for LAN ==> DMZ
then for DMZ ===>LAN
Then for WAN > LAN
and for LAN ===> WAN

I think the static IP or fixed IP obtained from DHCP is likely a suspect area..
I will tighten my ICMP rule to allow only echo and destination not reachable 
once it is fully debugged...

Another suggestion will be to use LOG and make it like the log for even those 
driven by policy..

BTW, is there a place we can find the default rule / default policy ..
Status >> System Logs >> Settings Tab

=>>  Log packets blocked by the default rule




Tim Dickson <[EMAIL PROTECTED]> wrote: ICMP not Replying on Virtual IPs 
   What kind of NAT are you using?
  If it is port forward you’ll have to forward the packets as well as adding 
the rule to your WAN ruleset.
  If it is 1:1 it should work for you as long as they respond correctly within 
your network.
  -tim
   
  From: Ron Lemon [mailto:[EMAIL PROTECTED] 
 Sent: Monday, March 31, 2008 12:06 PM
 To: support@pfsense.com
 Subject: [pfSense Support] ICMP not Replying on Virtual IPs
  
  
   
   
  I have setup a rule to allow all ICMP types from any source any port to any 
destination on any port via any gateway. 
  If I ping my WAN IP it responds correctly. 
   
  My WAN link also has 6 Virtual Ips of type other configured.  I can access 
the resources via NAT that are on these virtual Ips but when I ping one of them 
I never get a response.  What else do I need to do to get the virtual Ips to 
respond to ICMP requests.
   
  Thanks 
  Ron. 
  
  


[pfSense Support] Server NAT

2008-03-19 Thread Anil Garg
I am reading the m0n0wall documentation (it's so well written - kudos to the 
author)

There is a pointer that for many public addresses to be mapped to servers 
inside, m0n0wall specifies that "Server NAT should be used"

What would be an equivalent for that in pfSense, and is there any difference? 
 I could not find any documentation on the web anywhere which shows the 
difference.


Is "Server NAT" achieving the same goal that pfSense would do with a proxy ARP 
(under virtual IP)??

Any pointers would be highly appreciated.

Best Regards


[pfSense Support] Load Balancing

2008-03-19 Thread Anil Garg
Has anyone some ideas on how to use pfSense to load balance several servers 
behind the pfsense firewall?

Say I have three web /application servers. There are thousands of visitors 
logged in and to improve service levels on transaction, can we put more than 
one application server in a load balancing mode...?

Many thanks


Re: [pfSense Support] Dumb VPN question

2008-03-11 Thread Anil Garg
Hi Jeremy - 

>From what I understand, if you are behind a pfSense and it is running a PPTP 
>server for other people to connect to this network (just like you are trying 
>to connect to the other), then your PPTP client will not connect to anyone 
>else.

What I do is to temporarily turn off the PPTP server and remember (at least I 
try) to turn it back on again, when I am done.

I hope this helps.
Anil Garg


Jeremy Bennett <[EMAIL PROTECTED]> wrote: Hello all,

I think this has been asked in the past, but I'm looking for current  
(1.2) info.

If I am sitting behind a PFsense firewall (which happens to be  
running its own PPTP server), can I connect to another PFsense  
firewall's PPTP VPN at a client location? I'm not interacting with my  
own PPTP firewall while attempting to connect to my client location...

If anyone can confirm that this is possible, I will continue  
troubleshooting.

Mahalo,
Jeremy





Re: [pfSense Support] Disable the userland FTP-Proxy application

2008-03-07 Thread Anil Garg
Thanks Dave. I am trying out different settings to figure out some problems I 
get with OpenVPN.  Part of the problem is in my lack of knowledge and that 
makes me shy about asking so many questions and consuming air time.
Thanks again.
Best
Anil Garg

David Rees <[EMAIL PROTECTED]> wrote: On Fri, Mar 7, 2008 at 4:07 PM, Anil Garg 
wrote:
>> David Rees  wrote:
>>> On Thu, Mar 6, 2008 at 12:06> PM, Anil Garg wrote:
>>> Is there any harm in Disable the userland FTP-Proxy application ??
>>>
>>> Any pointers or lead to read somewhere else would be appreciated.
>>
>> If you don't use FTP, then no. If you do use FTP, then yes, keeping
>> the FTP-Proxy enabled can help.
>>
>> Google for ftp proxy and bsd to learn more about FTP proxies.
>
> It appears that if I am using FTP, pfsense is creating some rules for
> that duration that helps me do FTP smoothly. Most of times we are
> using FTP to download patches and documents even on google search
> that use FTP - Correct?
>
> Thats why we should leave this on...

Please keep messages on the list, thanks.

The real question is - if it's not broken, what are you trying to
"fix" by turning it off? It's on by default for a reason.

-Dave

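What the userland FTP proxy is doing on the firewall's behalf, shown as an added example that is not code from pfSense or from anyone in this thread. FTP carries the address and port of its second, data connection inside the control channel, so a stateful firewall can only open the right pinhole if something reads those commands; that is the work the proxy does while a transfer runs, which is why the rules Anil noticed appear and disappear. The parser below handles the passive-mode 227 reply and the active-mode PORT command, and refuses an advertised address that is not the peer already on the control channel, or a privileged port. The control-channel lines and addresses are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server names the data port the client should connect to.
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "PORT h1,h2,h3,h4,p1,p2": the client names the port the server should connect back to (active mode).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)

Pinhole = Tuple[str, str, int]   # (direction, destination address, destination port)


def decode_hostport(fields) -> Optional[Tuple[str, int]]:
    """Six comma-separated FTP octets -> (ip, port); the port is p1*256 + p2. None if malformed."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_for(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Inspect one control-channel line; return the pinhole a proxy would add, or None.

    The data channel must lead to the host already on the control channel. An address
    that points elsewhere asks the firewall to open a hole toward a third party (the FTP
    bounce trick), and a privileged port would aim a connection at some other service,
    so both are refused rather than translated.
    """
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        hp = decode_hostport(m.groups())
        if hp is None or hp[0] != server_ip or hp[1] < 1024:
            return None
        return ("client->server", hp[0], hp[1])   # outbound hole: client opens the data connection
    m = PORT_RE.match(line)
    if m:
        hp = decode_hostport(m.groups())
        if hp is None or hp[0] != client_ip or hp[1] < 1024:
            return None
        return ("server->client", hp[0], hp[1])   # inbound hole: server connects back to the client
    return None


def pinholes_for_session(lines: List[str], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Run a whole control-channel capture through the helper, keeping only lines that yield a pinhole."""
    holes = []
    for line in lines:
        hole = pinhole_for(line, client_ip, server_ip)
        if hole is not None:
            holes.append(hole)
    return holes


# Constructed capture: a LAN client behind the firewall talking to a public FTP server.
CLIENT, SERVER = "192.168.1.10", "198.51.100.20"
SAMPLE_SESSION = [
    "220 FTP server ready",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (198,51,100,20,195,80)",   # genuine: server's own address, port 50000
    "PORT 192,168,1,10,200,10",                           # genuine: client's own address, port 51210
    "227 Entering Passive Mode (10,0,0,5,4,0)",           # server points at another host: refused
    "PORT 198,51,100,20,0,25",                            # client aims the server at port 25 elsewhere: refused
    "PORT 192,168,1,10,0,22",                             # client's own address but a privileged port: refused
]

if __name__ == "__main__":
    for hole in pinholes_for_session(SAMPLE_SESSION, CLIENT, SERVER):
        print(hole)
```

Only the two genuine lines produce pinholes; the three refused ones are exactly the cases a proxy that blindly translated would turn into a hole toward someone else, which is the practical answer to "is there any harm": leaving the proxy on is what keeps the firewall from needing a permanent wide-open rule for FTP.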




[pfSense Support] Disable the userland FTP-Proxy application

2008-03-06 Thread Anil Garg
Is there any harm in disabling the userland FTP-Proxy application ??

Any pointers or lead to read somewhere else would be appreciated.

Thanks




Re: [pfSense Support] Message repeating in System Log, can't find the reason

2008-03-06 Thread Anil Garg
Now that the broadband is very reliable, why would anyone use more than one WAN 
at home?  What are the benefits you have seen or desired in multiple DHCP WANs 
at home?


Chris Buechler <[EMAIL PROTECTED]> wrote: RB wrote:
>> I may be mistaken but I though pfSense only supported 1 DHCP
>> connection on the WAN
>> 
>
> It was my understanding that only the interface designated 'WAN' could
> do PPPoE, but the others in a multi-WAN setup could do DHCP or static.
>   
That is correct. There are at least a couple people using 5 or more WANs 
on one box all configured for DHCP. I personally use multiple DHCP WANs 
on my home network.







[pfSense Support] Disable the userland FTP-Proxy application

2008-03-04 Thread Anil Garg
Is there any harm in disabling the userland FTP-Proxy application ??

Where can I read about this?

Thanks
Anil Garg



[pfSense Support] DMZ

2008-03-04 Thread Anil Garg
Progressing to DMZ with pfsense.

Say we have a WAN with 203.xxx.xxx.201 (IP provided by the ISP)
Gateway is 203.xxx.xxx.001
DNS1 is 203.xxx.xxx.002
DNS2 is 203.xxx.xxx.003


LAN is 192.168.1.1/24  with NO DHCP
Not bridged to any interface

One server is configured as 192.168.1.10/32 
Gateway 192.168.1.1
DNS 192.168.1.1

DMZ is 192.168.100.1/24  with NO DHCP
 Not bridged to any interface
 
 One DMZ server is configured as 192.168.100.10/32 
 Gateway 192.168.100.1  ===>>  Is this correct?
 DNS 192.168.100.1  ===>>  Is this correct?

Am I right in assuming that after the firewall rules are applied

203.xxx.xxx.201   and
192.168.1.1  and
192.168.100.1   
are all same address of the firewall itself

Sorry if this is a stupid question.

Best
Anil Garg



RE: [pfSense Support] icon

2008-03-04 Thread Anil Garg
Thanks Tom. This pfsense story just gets better and better all the time.

Tim Dickson <[EMAIL PROTECTED]> wrote:On a side note, 
  You’ll also see a themes folder, copy one of those folders down – edit to 
your heart's desire and then reupload with a new name.
  You’ll then have a custom theme for your firewall that you can select from 
your GUI’s drop down list.
  -Tim
   
  From: Tim Dickson [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, March 04, 2008 10:28 AM
 To: support@pfsense.com
 Subject: RE: [pfSense Support] icon
  
  
   
  This is the favicon…
  Use WinSCP to connect to your firewall using “root” as the username and your 
gui password as the password.
  Browse to \USR\LOCAL\WWW
  You’ll see favicon.ico in there – overwrite it and when your browser refreshes 
its favicon list – you’ll have your new icon!
  -Tim
   
From: Anil Garg [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, March 04, 2008 9:41 AM
 To: support@pfsense.com
 Subject: [pfSense Support] icon
  
   
  The web browser shows the three-circle pfSense branded icon.
 Where is this stored and how can it be branded with my own icon using a file 
called say... garg.ico?
  
  


[pfSense Support] icon

2008-03-04 Thread Anil Garg
The web browser shows the three-circle pfSense branded icon.
Where is this stored and how can it be branded with my own icon using a file 
called say... garg.ico?


Re: [pfSense Support] IPSEC

2008-03-03 Thread Anil Garg
Bryan - This is ingenious. Awesome.  Why can this not run on the pfSense router 
itself as a scheduled task / cron job and update the IP address?  Sounds like 
that would be a simple ping to .dyndns.org. Even if the ping fails, the 
first line provides the last known IP address for the DynDNS, which can then be 
used...

I will try and study this more but I am sure the greatest and the best on the 
forum can solve this in minutes!!!

Thanks again for the utility. Best Regards


Bryan Derman <[EMAIL PROTECTED]> wrote:  Re: [pfSense Support] IPSEC Re:
 ---
 It looks like that it needs a public ip address to create a tunnel.  I could 
try and get public IP address at one place but it looks like it still will not 
work because I need public IP address on both sides. ---
 

 We use pfSense 1.2 to support a VPN between 2 offices.  In our case, one site 
has a static IP and one has a dynamic IP but the dynamic IP doesn't change very 
often.
 

 Originally I didn't have time to look into the "Mobile Clients" setup (and 
still wouldn't want to use it because of the reduced security when using 
aggressive mode).  I decided to use the dynamic IP of the other office (i.e., 
as though it was static) and auto-update it, as required.
 

 Since we use DynDNS for the other/remote office, I wrote a shell script that 
checks to determine whether the remote-office's IP has changed and, if it has, 
updates pfSense's VPN IPSec setup to reflect that change.
 

 In our case, the script is run via cron every few minutes and that's 
sufficient, for us.  The shell script uses fairly common UNIX tools (curl, sed, 
etc.) to interact with pfSense via its web pages.  While it might have been 
nicer to do this on the router, it wasn't obvious how to do so (I'm not fluent 
in php) and I didn't have much time to play.
 

 In case anyone else might find this useful, a PDF of the (sanitized) VPN IPSec 
setup and the (commented) shell script can be downloaded via
 http://www.derman.com/Download/Special/UpdateRemoteGateway.zip
 

 It'll be nicer when pfSense 1.3 makes this obsolete.  #;-)
 

 ______
 Original message from Anil Garg on 2008-02-27 at 7:51 PM -0800
 --
 Hey guys - I am a happy camper with pfsense and recently upgraded to 1.2 and 
have no issues to report so far.
 
 I am trying to hook up two pfsense boxes with IPSEC site to site
  It looks like that it needs a public ip address to create a tunnel.  I could 
try and get public IP address at one place but it looks like it still will not 
work because I need public IP address on both sides. 
 Have looked at all documents and spent many hours without avail...
 
 Will some of you learned people suggest a way out.. I can only get a Public IP 
address at one location and I am happy to pay for that.  But the second 
location being an AT&T DSL in San Jose, CA - this is not an option.
  Much appreciate your help and guidance.
  Best Regards
 Anil Garg 

 

 


Re: [pfSense Support] IPSEC

2008-03-03 Thread Anil Garg
Matthew - I read your write-up many times and this thing is clear like day and 
night.  The main difficulty is that both sides need to have a matching rule and 
the side that has the static IP cannot write a dynamic address in its remote 
gateway.  I have an old Linksys and that accepts a static IP for its WAN.  It 
also accepts a dynamic IP for IPsec and so it connected with my pfSense 1.2rc4 
within seconds.  See the picture attached...

It worked...  You should be a teacher.  You are so good at conveying the 
fundamentals & concepts.

Thanks a ton.
Best Regards
Anil Garg


Matthew Grooms <[EMAIL PROTECTED]> wrote: > From: Anil Garg [mailto:[EMAIL 
PROTECTED]
> Sent: Thursday, 28 February 2008 04:51
> To: support@pfsense.com
> Subject: [pfSense Support] IPSEC
>
...
> Have looked at all documents and spent many hours without avail...
> Will some of you learned people suggest a way out.. I can only
> get a Public IP address at one location and I am happy to pay
> for that.
>
> But the second location being an AT&T DSL in San Jose, CA - this
> is not an option.
>
> Much appreciate your help and guidance.
>

Anil,

To answer your question with respect to IPsec in general, the solution 
to your problem depends on a lot of different factors. Having one IPsec 
peer using a non-public address pre-supposes that the address will be 
translated to a public address by a NAT device. So the question could 
have been stated as "can one IPsec peer operate behind a NAT device?".

The answer is yes, but the question is still complicated. Who controls 
the NAT device and how sophisticated is the NAT logic? The IKE protocol, 
which is based on UDP, is typically used to establish IPsec connectivity. 
The source address of UDP traffic is easily NATd on the outbound path. 
With this in mind, if the peer behind the NAT device always initiates 
negotiations then you shouldn't have too much of a problem. Where an 
issue will occur is when the peer that has the public address attempts 
to initiate an exchange to the peer behind the NAT device. If you 
control the NAT process and the NAT device is somewhat sophisticated, 
you can teach it to perform a static NAT which will translate the 
destination address of a packet sourced from the public peer to the 
private peer address. This is typically referred to as port forwarding. 
If traffic always originates from the peer behind the NAT, you can 
typically turn contact off for the publicly addressed peer and avoid 
this situation all together.

So that addresses IKE traffic which provides negotiation and key setup, 
but there are other protocols that make up IPsec. To provide protection 
and message authentication, the ESP protocol is typically used to 
encapsulate and encrypt protected traffic. ESP is an IP protocol, like 
TCP or UDP, but its header contains no port values. This makes it 
difficult to pass transparently through a NAT device because you don't 
have ports to translate and build state information with. For NAT 
devices that hide many privately addressed hosts behind a single public 
address, valid state information is an essential key to translating a 
public destination address to the appropriate private destination 
address when processing inbound packets. The only data a NAT device has 
to work with to correlate state to an inbound ESP packet is the source 
and destination addresses. However, this should be adequate if there is 
only one IPsec peer behind the NAT device communicating with the 
publicly addressed peer and traffic is bidirectional. Once again, if you 
control the NAT device it should be possible to always translate the 
destination address of all ESP traffic sourced from a specific peer to 
the private destination address of the NATd peer. Why do I feel like I 
need my dry erase board? :)

What if you don't have control over the NAT device or it's too primitive? 
You're probably out of luck unless both ends of the connection support 
NAT-T or Nat Traversal which is an extension to the IKE/IPsec protocol 
family. What it does is multiplex both IKE and encapsulated ESP traffic 
onto a single UDP port which passes more easily through NAT devices. It 
also defines ways of keeping Firewall/NAT states from expiring by 
constantly sending traffic between the two hosts. This allows rekey 
attempts to be initiated by either IPsec peer. As far as I know, NAT-T 
is not currently supported by pfsense but I have high hopes that it will 
be introduced into the mainline FreeBSD sources soon.

Probably more info than you wanted but I hope it helps,

-Matthew




Re: AW: [pfSense Support] IPSEC

2008-03-01 Thread Anil Garg
Thanks.  In the end this just might be the best way to bring in flexibility.  I 
am experimenting with the Mobile Clients route and although it has not worked for 
me yet, the system logs make it look like they are talking to each other and 
have made friends as yet...!!!

wayne <[EMAIL PROTECTED]> wrote: Hi
I don't think this will solve your problem. There is a huge difference 
between a dynamic IP and a private IP, as you have.
I solved this problem like this:
I have two private IPs, so I rented a vserver with root access 
(somewhere on the planet), something small, only to handle redirects. BTW, 
you can also set up an Apache redirect on it to host from your 
private IP.
Set it up as an OpenVPN server and had both points connect to it, thus 
completing the circuit.
W



Fuchs, Martin wrote:
> So then go on and use OpenVPN site-to-site… it works with 2 dynamic IPs…
> 
>  
> 
> Dynamic IPs for IPSec will be in 1.3…
> 
>  
> 
> Regards,
> 
>  
> 
> Martin
> 
>  
> 
> *From:* Anil Garg [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, 28 February 2008 04:51
> *To:* support@pfsense.com
> *Subject:* [pfSense Support] IPSEC
> 
>  
> 
> Hey guys - I am a happy camper with pfsense and recently upgraded to 1.2 
> and have no issues to report so far.
> 
> I am trying to hook up two pfsense boxes with IPSEC site to site
> 
> It looks like that it needs a public ip address to create a tunnel.  I 
> could try and get public IP address at one place but it looks like it 
> still will not work because I need public IP address on both sides.
> 
> 
> Have looked at all documents and spent many hours without avail...
> 
> Will some of you learned people suggest a way out.. I can only get a 
> Public IP address at one location and I am happy to pay for that.  
> But the second location being an AT&T DSL in San Jose, CA - this is not 
> an option.
> 
> Much appreciate your help and guidance.
> 
> 
> Best Regards
> Anil Garg
> 






Re: [pfSense Support] IPSEC

2008-02-29 Thread Anil Garg
Matthew - Wow.  Thank you so much for taking the time to write such detailed 
thoughts.  I will fully use this and write again. Best Regards
Anil Garg

Matthew Grooms <[EMAIL PROTECTED]> wrote: > From: Anil Garg [mailto:[EMAIL 
PROTECTED]
> Sent: Thursday, 28 February 2008 04:51
> To: support@pfsense.com
> Subject: [pfSense Support] IPSEC
>
...
> Have looked at all documents and spent many hours without avail...
> Will some of you learned people suggest a way out.. I can only
> get a Public IP address at one location and I am happy to pay
> for that.
>
> But the second location being an AT&T DSL in San Jose, CA - this
> is not an option.
>
> Much appreciate your help and guidance.
>

Anil,

To answer your question with respect to IPsec in general, the solution 
to your problem depends on a lot of different factors. Having one IPsec 
peer using a non-public address pre-supposes that the address will be 
translated to a public address by a NAT device. So the question could 
have been stated as "can one IPsec peer operate behind a NAT device?".

The answer is yes, but the question is still complicated. Who controls 
the NAT device and how sophisticated is the NAT logic? The IKE protocol, 
which is based on UDP, is typically used to establish IPsec connectivity. 
The source address of UDP traffic is easily NATd on the outbound path. 
With this in mind, if the peer behind the NAT device always initiates 
negotiations then you shouldn't have too much of a problem. Where an 
issue will occur is when the peer that has the public address attempts 
to initiate an exchange to the peer behind the NAT device. If you 
control the NAT process and the NAT device is somewhat sophisticated, 
you can teach it to perform a static NAT which will translate the 
destination address of a packet sourced from the public peer to the 
private peer address. This is typically referred to as port forwarding. 
If traffic always originates from the peer behind the NAT, you can 
typically turn contact off for the publicly addressed peer and avoid 
this situation all together.

So that addresses IKE traffic which provides negotiation and key setup, 
but there are other protocols that make up IPsec. To provide protection 
and message authentication, the ESP protocol is typically used to 
encapsulate and encrypt protected traffic. ESP is an IP protocol, like 
TCP or UDP, but its header contains no port values. This makes it 
difficult to pass transparently through a NAT device because you don't 
have ports to translate and build state information with. For NAT 
devices that hide many privately addressed hosts behind a single public 
address, valid state information is an essential key to translating a 
public destination address to the appropriate private destination 
address when processing inbound packets. The only data a NAT device has 
to work with to correlate state to an inbound ESP packet is the source 
and destination addresses. However, this should be adequate if there is 
only one IPsec peer behind the NAT device communicating with the 
publicly addressed peer and traffic is bidirectional. Once again, if you 
control the NAT device it should be possible to always translate the 
destination address of all ESP traffic sourced from a specific peer to 
the private destination address of the NATd peer. Why do I feel like I 
need my dry erase board? :)

What if you don't have control over the NAT device or it's too primitive? 
You're probably out of luck unless both ends of the connection support 
NAT-T or Nat Traversal which is an extension to the IKE/IPsec protocol 
family. What it does is multiplex both IKE and encapsulated ESP traffic 
onto a single UDP port which passes more easily through NAT devices. It 
also defines ways of keeping Firewall/NAT states from expiring by 
constantly sending traffic between the two hosts. This allows rekey 
attempts to be initiated by either IPsec peer. As far as I know, NAT-T 
is not currently supported by pfsense but I have high hopes that it will 
be introduced into the mainline FreeBSD sources soon.

Probably more info than you wanted but I hope it helps,

-Matthew

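Matthew's explanation above (quoted twice in this thread) in runnable form, as an added example that is not from the original messages: a toy port-overloading NAT that keeps UDP state on the full address/port tuple but, for ESP, has only the peer address to remember. The four scenarios reproduce the cases he describes: the inside host initiating works; the public peer initiating is dropped until a static forward (the "port forwarding" he mentions) exists; two inside hosts using plain ESP to the same peer leave the NAT with nothing to key the return traffic on; and NAT-T, which wraps IKE and ESP in UDP/4500, gives each flow its own port again. Addresses, SPIs and the NAT's port allocation are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses (documentation ranges): the NAT box, the public IPsec peer, two inside hosts.
PUBLIC_IP, REMOTE_PEER = "203.0.113.10", "198.51.100.5"
HOST_A, HOST_B = "192.168.1.10", "192.168.1.11"
IKE_PORT, NATT_PORT = 500, 4500          # IKE on UDP/500; NAT-T carries IKE and ESP inside UDP/4500


@dataclass(frozen=True)
class Pkt:
    proto: str                    # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # ESP has no port fields, so these stay None for it
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP Security Parameters Index (opaque to the NAT)


class ToyNat:
    """Port-overloading NAT: every inside host appears as PUBLIC_IP on the outside."""

    def __init__(self):
        self.udp_out = {}    # (inside ip, inside port, remote ip, remote port) -> public port
        self.udp_in = {}     # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.esp_in = {}     # remote ip -> inside ip; None once two inside hosts talk to that peer
        self.udp_fwd = {}    # static port forward: public port -> inside ip
        self.esp_fwd = {}    # static ESP forward: remote ip -> inside ip
        self._next = 40000   # next public port to hand out

    def outbound(self, p: Pkt) -> Pkt:
        """Translate a packet leaving the inside network and record the state needed for replies."""
        if p.proto == "udp":
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.udp_out:
                self.udp_out[key] = self._next
                self.udp_in[(self._next, p.dst, p.dport)] = (p.src, p.sport)
                self._next += 1
            return Pkt("udp", PUBLIC_IP, p.dst, self.udp_out[key], p.dport)
        # ESP: nothing but addresses to remember. A second inside host to the same peer
        # leaves the NAT unable to tell the two return flows apart.
        seen = self.esp_in.get(p.dst, p.src)
        self.esp_in[p.dst] = p.src if seen == p.src else None
        return Pkt("esp", PUBLIC_IP, p.dst, spi=p.spi)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Translate a packet arriving from the Internet, or return None when the NAT must drop it."""
        if p.proto == "udp":
            hit = self.udp_in.get((p.dport, p.src, p.sport))
            if hit:
                return Pkt("udp", p.src, hit[0], p.sport, hit[1])
            if p.dport in self.udp_fwd:                    # static forward rescues peer-initiated IKE
                return Pkt("udp", p.src, self.udp_fwd[p.dport], p.sport, p.dport)
            return None
        inside = self.esp_in.get(p.src) or self.esp_fwd.get(p.src)
        return Pkt("esp", p.src, inside, spi=p.spi) if inside else None


def initiator_behind_nat() -> bool:
    """The easy case: the inside host starts IKE, and only one inside host uses ESP with that peer."""
    nat = ToyNat()
    ike = nat.outbound(Pkt("udp", HOST_A, REMOTE_PEER, IKE_PORT, IKE_PORT))
    ike_reply = nat.inbound(Pkt("udp", REMOTE_PEER, PUBLIC_IP, IKE_PORT, ike.sport))
    nat.outbound(Pkt("esp", HOST_A, REMOTE_PEER, spi=0x1001))
    esp_reply = nat.inbound(Pkt("esp", REMOTE_PEER, PUBLIC_IP, spi=0x2002))
    return ike_reply.dst == HOST_A and esp_reply.dst == HOST_A


def peer_initiates() -> Tuple[bool, bool]:
    """The public peer speaks first: dropped without state, delivered once static forwards exist."""
    nat = ToyNat()
    before = nat.inbound(Pkt("udp", REMOTE_PEER, PUBLIC_IP, IKE_PORT, IKE_PORT))
    nat.udp_fwd[IKE_PORT] = HOST_A
    nat.esp_fwd[REMOTE_PEER] = HOST_A
    after_ike = nat.inbound(Pkt("udp", REMOTE_PEER, PUBLIC_IP, IKE_PORT, IKE_PORT))
    after_esp = nat.inbound(Pkt("esp", REMOTE_PEER, PUBLIC_IP, spi=0x2002))
    return before is None, after_ike.dst == HOST_A and after_esp.dst == HOST_A


def two_hosts_plain_esp() -> Optional[Pkt]:
    """Two inside hosts, same peer, plain ESP: the return packet has nothing to be keyed on."""
    nat = ToyNat()
    nat.outbound(Pkt("esp", HOST_A, REMOTE_PEER, spi=0x1001))
    nat.outbound(Pkt("esp", HOST_B, REMOTE_PEER, spi=0x1002))
    return nat.inbound(Pkt("esp", REMOTE_PEER, PUBLIC_IP, spi=0x2002))


def two_hosts_nat_t() -> Tuple[str, str]:
    """Same two hosts with NAT-T: ESP rides in UDP/4500, so ports exist and each flow gets its own."""
    nat = ToyNat()
    a = nat.outbound(Pkt("udp", HOST_A, REMOTE_PEER, NATT_PORT, NATT_PORT))
    b = nat.outbound(Pkt("udp", HOST_B, REMOTE_PEER, NATT_PORT, NATT_PORT))
    back_a = nat.inbound(Pkt("udp", REMOTE_PEER, PUBLIC_IP, NATT_PORT, a.sport))
    back_b = nat.inbound(Pkt("udp", REMOTE_PEER, PUBLIC_IP, NATT_PORT, b.sport))
    return back_a.dst, back_b.dst


if __name__ == "__main__":
    print("initiator behind NAT works:", initiator_behind_nat())
    print("peer initiates (dropped, then forwarded):", peer_initiates())
    print("two hosts, plain ESP, return packet:", two_hosts_plain_esp())
    print("two hosts, NAT-T, return packets go to:", two_hosts_nat_t())
```

Real NAT implementations differ in how they handle the ambiguous ESP case (some track SPIs, some just overwrite the entry), so the toy drops it outright to make the point visible; the NAT-T scenario is the one that does not depend on such guesswork, which is why it is the answer when the NAT box is not yours.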




Re: [pfSense Support] Ping

2008-02-29 Thread Anil Garg
Paul - Many thanks. I just ordered the book and will surely read that ... 

I agree and therefore I had put a session limit of 5 against ICMP to limit risk.

But I am a newb and there will be many newb enthusiasts coming to pfSense and 
that's what I think will put this ahead of all firewalls.

I started with all flavors of boxed sub-$100 devices but the QoS for Vonage 
drove me to m0n0wall.  At that time (one year ago) PPTP and traffic shaping were 
still a problem there and since modern waste hardware is way more powerful, I 
settled with pfSense. Since then there are 8 pfSense installs due to me which 
are install-and-forget.

Again I love you Geek Gods for overwhelming support to wannabes like us.



Paul M <[EMAIL PROTECTED]> wrote: Anil Garg wrote:
> In my pass-through for PPTP and IPSEC, I had a rule that allowed
> any...all..any for only TCP IP protocol.
> I have now changed that to any protocol all the way to the end any.
> Is this ok on the VPN interfaces like PPTP and IPSEC?

adding rules which permit any-any, even if it's all kinds of ICMP, is a
bad idea. if you don't know why, you need to read a good book on
firewalls etc.

here's a good start.

http://preview.tinyurl.com/26fm8z


I don't want to be rude; in the main, pfSense is a product for people
who understand internet security at least in some detail.


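An added illustration of Paul's point (example code, not from the thread or from pfSense): pfSense evaluates interface rules first-match, so a single pass-any-any rule on WAN admits everything that reaches the address, including every port of a host sitting behind a 1:1 NAT mapping. The toy evaluator below compares that rule set with one that passes only ICMP echo request and unreachable (the types Anil said he would tighten to) plus the PPTP and IPsec protocols the VPN pass-through needs. The rule sets and sample packets are constructed; the ICMP type names (echoreq, unreach, timereq) are pf's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp", "udp", "icmp", "esp", "gre"
    src: str
    dst: str
    dport: Optional[int] = None        # tcp/udp only
    icmp_type: Optional[str] = None    # icmp only, pf-style names


@dataclass(frozen=True)
class Rule:
    action: str                                  # "pass" or "block"
    proto: str = "any"
    dport: Optional[int] = None                  # None = any port
    icmp_types: Optional[FrozenSet[str]] = None  # None = any ICMP type
    descr: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation: the first rule that matches decides; nothing matching is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action, r.descr
    return "block", "default deny"


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """The action each packet gets under a rule set, in order."""
    return [evaluate(rules, p)[0] for p in packets]


# The rule Anil asked about: everything that reaches the WAN address is let in.
WAN_ANY_ANY = [Rule("pass", descr="Allow all traffic on WAN")]

# A tightened WAN rule set: ping and unreachable only, plus what PPTP and IPsec pass-through need.
WAN_TIGHT = [
    Rule("pass", "icmp", icmp_types=frozenset({"echoreq", "unreach"}), descr="ping and unreachable only"),
    Rule("pass", "udp", dport=500, descr="IKE"),
    Rule("pass", "esp", descr="IPsec ESP"),
    Rule("pass", "tcp", dport=1723, descr="PPTP control"),
    Rule("pass", "gre", descr="PPTP tunnel"),
]

# Constructed traffic an outsider might send at the WAN address.
OUTSIDER, WAN = "198.51.100.7", "203.0.113.10"
SAMPLE = [
    Packet("icmp", OUTSIDER, WAN, icmp_type="echoreq"),   # ping
    Packet("icmp", OUTSIDER, WAN, icmp_type="timereq"),   # timestamp request: not needed, leaks host info
    Packet("tcp", OUTSIDER, WAN, dport=1723),             # PPTP control
    Packet("tcp", OUTSIDER, WAN, dport=22),               # ssh at whatever sits behind the WAN address
    Packet("udp", OUTSIDER, WAN, dport=500),              # IKE
    Packet("esp", OUTSIDER, WAN),                         # ESP
]

if __name__ == "__main__":
    for p, loose, tight in zip(SAMPLE, decisions(WAN_ANY_ANY, SAMPLE), decisions(WAN_TIGHT, SAMPLE)):
        print(f"{p.proto:4} {p.dport or p.icmp_type or '-':>8}  any-any: {loose:5}  tight: {tight}")
```

The difference shows up on the ssh and timestamp-request packets: under the pass-any rule they are admitted and go wherever NAT sends traffic for that address, under the tightened set they hit the default deny. Tightening ICMP to echo request plus unreachable keeps ping working and, because unreachable is the type path-MTU discovery relies on, keeps large transfers from stalling.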




[pfSense Support] Ping

2008-02-28 Thread Anil Garg
In my pass-through for PPTP and IPSEC, I had a rule that allowed any...all..any 
for only TCP IP protocol.
I have now changed that to any protocol all the way to the end any.
Is this ok on the VPN interfaces like PPTP and IPSEC?

Anil Garg

Anil Garg <[EMAIL PROTECTED]> wrote: My ISP has created a CLAN for me with the 
following public address:

xxx.xxx.xxx.64/27
Gateway for my pfsense is xxx.xxx.xxx.65

I have configured the pfsense to static IP of xxx.xxx.xxx.66/27 and given a 
gateway of xxx.xxx.xxx.65

Everything works fine and I can VPN into xxx.xxx.xxx.66

But my router does not respond to the ping.

Any suggestions?

Thanks
Anil




Re: [pfSense Support] Ping

2008-02-28 Thread Anil Garg
Thanks - I will try this...

After the first rule that says block RFC 1918 networks and is automatically 
created by the WAN setting, if I put a rule on the WAN like the following:

TAB Selected :  WAN

  Proto/Source/Port/Dest/Port/Gateway/Schedule/Description
Pass => Any  /Any /Any/Any/any  /any   /any/Allow all traffic on WAN

Will it compromise my LAN or DMZ servers?  I tried to decipher from the 
m0n0wall document.

Thanks
Anil Garg



"Vaughn L. Reid III" <[EMAIL PROTECTED]> wrote: Try creating a firewall rule on 
the Wan interface to allow ICMP packets.

Vaughn

Anil Garg wrote:
> My ISP has created a CLAN for me with the following public address:
>
> xxx.xxx.xxx.64/27
> Gateway for my pfsense is xxx.xxx.xxx.65
>
> I have configured the pfsense to static IP of xxx.xxx.xxx.66/27 and 
> given a gateway of xxx.xxx.xxx.65
>
> Everything works fine and I can VPN into xxx.xxx.xxx.66
>
> But my router does not respond to the ping.
>
> Any suggestions?
>
> Thanks
> Anil
>





[pfSense Support] Ping

2008-02-28 Thread Anil Garg
My ISP has created a CLAN for me with the following public address:

xxx.xxx.xxx.64/27
Gateway for my pfsense is xxx.xxx.xxx.65

I have configured the pfsense to static IP of xxx.xxx.xxx.66/27 and given a 
gateway of xxx.xxx.xxx.65

Everything works fine and I can VPN into xxx.xxx.xxx.66

But my router does not respond to the ping.

Any suggestions?

Thanks
Anil



Re: AW: [pfSense Support] IPSEC

2008-02-28 Thread Anil Garg
Heiko
This is amazing news. Let me try to get some guidance from you.

On Machine A (pfSense), I have to create a rule and in that I use the 
"public IP" of the remote gateway.  And for my identifier I will use [EMAIL 
PROTECTED]

Then on Machine B (pfSense), I have to create a corresponding rule and in that I 
again have to use the "public IP" of the remote gateway.  And for my identifier 
I can use [EMAIL PROTECTED]  

This appears to be the case when two pfSense boxes talk to each other.  However, if I 
put either a Netscreen or Linksys on the other side my problem will be solved.

It looks like at least one of the nodes has to support DynDNS for the remote 
gateway.

Did I understand it correctly?

Anil Garg

Heiko Garbe <[EMAIL PROTECTED]> wrote: With 1.2 you don't need static IPs on 
both sides: one side dynamic pfSense 
and one side static pfSense, and 
it works.

greetings
heiko

Jeppe Øland wrote:
> Try this one:
> http://pfsense.untouchable.net/tutorials/openvpn/pfsense-ovpn.pdf
>
> Regards,
> -Jeppe
>
> On Thu, Feb 28, 2008 at 8:04 AM, Anil Garg  wrote:
>   
>> Thanks for your response Martin -
>> Rev 1.3 might be some time away...  I'd like to do an Open VPN site-2-site.
>> Do you have a link or two to point to me as I am a Newb on computers
>> Best
>> Anil Garg
>>
>>
>>
>> "Fuchs, Martin"  wrote:
>>
>>
>> So then go on and use OpenVPN site-to-site… it works with 2 dynamic IPs…
>>
>> Dynamic IPs for IPSec will be in 1.3…
>>
>> Regards,
>>
>> Martin
>>
>>
>> From: Anil Garg [mailto:[EMAIL PROTECTED]
>>  Sent: Thursday, 28 February 2008 04:51
>>  To: support@pfsense.com
>>  Subject: [pfSense Support] IPSEC
>>
>> Hey guys - I am a happy camper with pfsense and recently upgraded to 1.2 and
>> have no issues to report so far.
>>
>>  I am trying to hook up two pfsense boxes with IPSEC site to site
>>
>>  It looks like that it needs a public ip address to create a tunnel.  I
>> could try and get public IP address at one place but it looks like it still
>> will not work because I need public IP address on both sides.
>>
>>
>>  Have looked at all documents and spent many hours without avail...
>>
>>  Will some of you learned people suggest a way out.. I can only get a Public
>> IP address at one location and I am happy to do pay for that.  But the
>> second location being an AT&T DSL in San Jose, CA - this is not an
>> option.
>>
>>  Much appreciate your help and guidance.
>>
>>
>>  Best Regards
>>  Anil Garg
>>
>>
>>
>> 

-- 
Kind regards,
H. Garbe

"The computer is a logical further development
of man: intelligence without morals!"


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: AW: [pfSense Support] IPSEC

2008-02-28 Thread Anil Garg
Thanks for your response Martin -
Rev 1.3 might be some time away...  I'd like to do an Open VPN site-2-site.
Do you have a link or two to point to me as I am a Newb on computers
Best
Anil Garg

"Fuchs, Martin" <[EMAIL PROTECTED]> wrote: So then go on 
and use OpenVPN site-to-site… it works with 2 dynamic IPs…

Dynamic IPs for IPSec will be in 1.3…

Regards,

Martin

From: Anil Garg [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, 28 February 2008 04:51
 To: support@pfsense.com
 Subject: [pfSense Support] IPSEC
  
   
  Hey guys - I am a happy camper with pfsense and recently upgraded to 1.2 and 
have no issues to report so far.
 
 I am trying to hook up two pfsense boxes with IPSEC site to site
 
 It looks like that it needs a public ip address to create a tunnel.  I could 
try and get public IP address at one place but it looks like it still will not 
work because I need public IP address on both sides.
 
 
 Have looked at all documents and spent many hours without avail...
 
 Will some of you learned people suggest a way out.. I can only get a Public IP 
address at one location and I am happy to pay for that.  But the second 
location being an AT&T DSL in San Jose, CA - this is not an option.
 
 Much appreciate your help and guidance.
 
 
 Best Regards
 Anil Garg
 
 
  
  


[pfSense Support] IPSEC

2008-02-27 Thread Anil Garg
Hey guys - I am a happy camper with pfsense and recently upgraded to 1.2 and 
have no issues to report so far.

I am trying to hook up two pfsense boxes with IPSEC site to site

It looks like that it needs a public ip address to create a tunnel.  I could 
try and get public IP address at one place but it looks like it still will not 
work because I need public IP address on both sides.


Have looked at all documents and spent many hours without avail...

Will some of you learned people suggest a way out.. I can only get a Public IP 
address at one location and I am happy to pay for that.  But the second 
location being an AT&T DSL in San Jose, CA - this is not an option.

Much appreciate your help and guidance.


Best Regards
Anil Garg




Re: [pfSense Support] Memory

2008-02-24 Thread Anil Garg
Thanks Curtis for your response.  I have some really old machines that come 
with 1GB of SDRAM, and that memory no longer fits anything current and no one 
wants them.  So it's a lot of memory for nothing... pfSense dmesg says I am 
using 34MB out of that.

The IPSEC has become so reliable since 1.2 that I am thinking of taking it to 
my office, which has 25 people and doesn't have a good way to handle DMZ and many 
public IP addresses mapped to LAMP servers inside.

I am also thinking there is no IDS we own...
So I am hoping to convince my IT guy. SQUID won't be useful but SNORT might 
be.  Not sure if they are stable or still in beta..


Curtis LaMasters <[EMAIL PROTECTED]> wrote: By default it'll try to use the 
memory, however, you can monitor your SWAP usage on the system screen or the 
graphs.  Do you have any special need for 1Gb?  If you use SNORT it'll hike up 
your memory usage a bit as will SQUID.
 
Curtis 


[pfSense Support] Memory

2008-02-24 Thread Anil Garg
Hi guys

You might have noticed that pfsense got picked as the best among 7 other 
firewalls...

Yehhh!

I have a general question...  If my PC has 1GB of memory, is there anything we 
can do to make it use all the memory??

Thanks
Anil


Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-27 Thread Anil Garg
Guys - My bad that I had not fully read the liveCD functionality.

I eliminated HDD by using a very old keychain USB with LiveCD.

Hurray - No HDD now

- Original Message 
From: Bill Marquette <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Friday, January 25, 2008 7:29:04 PM
Subject: Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging


On Jan 25, 2008 2:47 PM, Anil Garg <[EMAIL PROTECTED]> wrote:
>
> Ok. I will leave paging on.  I just kind of think it's silly that for one
> user at home I still hear my hdd constantly make noise of read-write... But
> then I am not technical enough to know what is causing that..

I'm reasonably confident this isn't swapping.  There's very little of
pfSense that can actually be swapped out to disk - less than 128M of
ram.  And if anything in userland is getting swapped out to disk it's
likely not being used, or you have a serious shortage of ram for the
kernel to operate.  We recommend a minimum of 128M (and throw
appropriate warnings for those with less), but can operate in 64M
environments (if you know what you are doing) without swap (and
without panics).

Things that might make the disk write are:
  Excessive blocked packets - you'd have to be on an abnormally busy
network though
  3rd party packages - ntop (this one can eat lots of ram too), squid,
etc

Other thoughts...maybe it's not disk?  Or maybe your disk is actually
going bad and just making lots of noise.  During normal operation disk
should actually be used very little.

--Bill







Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-25 Thread Anil Garg
Bill thanks.  This is insightful as I have 512MB of ram. No custom packages.  
Basic traffic shaping to set 128kb for Vonage.  That's it.  I will change the 
drive and see.

Is there a way to switch off the log?

- Original Message 
From: Bill Marquette <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Friday, January 25, 2008 7:29:04 PM
Subject: Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging


On Jan 25, 2008 2:47 PM, Anil Garg <[EMAIL PROTECTED]> wrote:
>
> Ok. I will leave paging on.  I just kind of think it's silly that for one
> user at home I still hear my hdd constantly make noise of read-write... But
> then I am not technical enough to know what is causing that..

I'm reasonably confident this isn't swapping.  There's very little of
pfSense that can actually be swapped out to disk - less than 128M of
ram.  And if anything in userland is getting swapped out to disk it's
likely not being used, or you have a serious shortage of ram for the
kernel to operate.  We recommend a minimum of 128M (and throw
appropriate warnings for those with less), but can operate in 64M
environments (if you know what you are doing) without swap (and
without panics).

Things that might make the disk write are:
  Excessive blocked packets - you'd have to be on an abnormally busy
network though
  3rd party packages - ntop (this one can eat lots of ram too), squid,
etc

Other thoughts...maybe it's not disk?  Or maybe your disk is actually
going bad and just making lots of noise.  During normal operation disk
should actually be used very little.

--Bill







Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-25 Thread Anil Garg
This is the response I get:

$ pstat -s
Device  512-blocks UsedAvail Capacity

- Original Message 
From: Vivek Khera <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Friday, January 25, 2008 12:59:06 PM
Subject: Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging



On Jan 25, 2008, at 3:47 PM, Anil Garg wrote:

Ok. I will leave paging on.  I just kind of think its silly that for one user 
at home I still hear my hdd constantly make noise of read-write... But then I 
am not technical enough to know what is causing that..


Log in to your box (ssh [EMAIL PROTECTED]) and select option 8.
type "pstat -s"


it should show 0 pages swap used.


if not, you don't have enough RAM.


my office firewall never hits swap.
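The check Vivek describes (run `pstat -s`, expect nothing in the Used column) is easy to automate. The following is an added shell example, not code from any post in this thread or from pfSense: it parses the `pstat -s` / `swapinfo` columns, sums the Used column over all swap devices, and treats a header-only listing like the one Anil pasted (no swap device configured at all) as zero. The three sample listings are constructed for the example; note that the column counts 512-byte blocks on the FreeBSD releases of this era, not pages.

```shell
#!/bin/sh
# Added example (not from the list posts): read "pstat -s" / "swapinfo" output
# and decide whether the box is actually paging.  Real use on the firewall:
#     pstat -s | swap_used_blocks
# The sample listings further down are constructed for this example.

# Sum the "Used" column (512-byte blocks on the FreeBSD releases of this era)
# over every swap device.  Skips the header and the "Total" line that appears
# when more than one device is configured; a header-only listing, which is
# what a box installed without a swap slice prints, yields 0.
swap_used_blocks() {
    awk 'NR > 1 && $1 != "Total" { used += $3 } END { print used + 0 }'
}

# Succeeds (exit 0) when nothing is paged out, fails otherwise, so it can be
# used from cron:   pstat -s | swap_is_idle || logger "swap in use"
swap_is_idle() {
    used=$(swap_used_blocks)
    [ "$used" -eq 0 ]
}

# Constructed sample 1: one swap device, nothing paged out.
SAMPLE_IDLE='Device          512-blocks     Used    Avail Capacity
/dev/ad0s1b         262144        0   262144     0%'

# Constructed sample 2: 49152 blocks (24 MB) paged out; time to look at what
# is eating memory (ntop, squid, snort ...) rather than at the disk.
SAMPLE_BUSY='Device          512-blocks     Used    Avail Capacity
/dev/ad0s1b         262144    49152   212992    19%'

# Constructed sample 3: header only, as on a box with no swap slice.
SAMPLE_NONE='Device          512-blocks     Used    Avail Capacity'

# Demonstration on the constructed samples.
for sample in "$SAMPLE_IDLE" "$SAMPLE_BUSY" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | swap_is_idle \
        && echo "idle: no swap in use" \
        || echo "paging: $(printf '%s\n' "$sample" | swap_used_blocks) blocks used"
done
```

If the Used column stays at zero while the disk keeps clicking, the noise is not swap, which is Bill's point: look at logging, third-party packages, or the drive itself instead.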







Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-25 Thread Anil Garg
Ok. I will leave paging on.  I just kind of think it's silly that for one user 
at home I still hear my hdd constantly make noise of read-write... But then I 
am not technical enough to know what is causing that..

Thanks for your advice.

- Original Message 
From: Vivek Khera <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Friday, January 25, 2008 11:09:37 AM
Subject: Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging



On Jan 25, 2008, at 1:46 PM, Anil Garg wrote:

I have a machine with 1GB of Ram on which I wish to install pfsense 1.2rc4.

Does anyone know how to disable paging after installation since we have much 
more memory than we need.

Essentially, is there a way to run pfsense entirely from ram.





Unless your system needs more than that RAM, you will never hit the swap 
partition.  However, what you're asking is essentially to run your system 
without swap, means that when you *do* need more memory, you would rather the 
system panic than degrade performance.


I'd recommend monitoring if you ever go to swap, and then react to it, rather 
than making the system panic for out of memory.







[pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-25 Thread Anil Garg
I have a machine with 1GB of Ram on which I wish to install pfsense 1.2rc4.

Does anyone know how to disable paging after installation since we have much 
more memory than we need.

Essentially, is there a way to run pfsense entirely from ram.



Re: [pfSense Support] Live CD

2008-01-21 Thread Anil Garg
Thanks a ton.  What directory should the file be placed at?  What should we 
name the file as?  And, how do we tell the liveCD to look for configuration 
file on live CD itself.

Thanks in advance for the help.

- Original Message 
From: Daniel Lloyd <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Monday, January 21, 2008 6:24:24 PM
Subject: Re: [pfSense Support] Live CD


mkisofs on unix, winrar on windows?

On Jan 21, 2008 6:22 PM, Anil Garg <[EMAIL PROTECTED]> wrote:

Needless to say that I am one very happy user of pfsense and the added sense of 
having BYOR is pure delight!!


I have a question:

1. I want to open live CD using some ISO read compatible software and then 
insert my config file on it.

2. Burn the new image and boot my machine from it.  (Even though I have a 
floppy drive on the machine, I consider anything floppy not 
MANLY enough. LOL)

Any suggestions?

Anil Garg











[pfSense Support] Live CD

2008-01-21 Thread Anil Garg
Needless to say that I am one very happy user of pfsense and the added sense of 
having BYOR is pure delight!!

I have a question:

1. I want to open live CD using some ISO read compatible software and then 
insert my config file on it.

2. Burn the new image and boot my machine from it.  (Even though I have a 
floppy drive on the machine, I consider anything floppy not MANLY enough. LOL)

Any suggestions?

Anil Garg



[pfSense Support] awesome RC4

2008-01-21 Thread Anil Garg

I used to have some little IPSEC (keep alive when traffic is zero) problem and 
then some traffic shaper problem.

Installed RC4 update and boy this is a trouble free upgrade and awesome traffic 
shaper (use bare minimum rules).



[pfSense Support] IPSEC VPN

2007-08-30 Thread Anil Garg
Can anyone help with IPSEC VPN on 1.2 Beta1

I am getting following error and I never got any such error say in last two 
months on this release or on 1.0 earlier...

 There were error(s) loading the rules: pfctl: upper-limit larger than 
interface bandwidth/tmp/rules.debug:27: errors in queue definition pfctl: 
Syntax error in config file: pf rules not loaded - The line in question reads [ 
upper-limit larger than interface bandwidth /tmp/rules.debug]:



No changes have been made to my config file over last 10 months.

Thanks Much
Anil Garg



Re: [pfSense Support] Beta2

2007-07-23 Thread Anil garg
Sean
Thanks a ton for taking a moment to respond.  I am just not the HDD guy.  I 
feel besides being silent, flash will perhaps save some energy too but I am not 
that sure.

Let me know your thoughts to the following:

A   Install a Disk on Flash
B   Use CD to install a full version on Flash
C   Use it to configure all interfaces etc.
D   Save Configuration file on the laptop
E   Use the Menu item "System" > Firmware to enable firmware upgrade on the 
flash drive
F   Upload the Embedded firmware and reboot

Before the upload of Embedded Firmware, there may be some configuration setting 
changes I may have to do..

Will this method avoid the traditional RAW write etc., which is a rather 
convoluted method for  lesser geeks like us.

Thanks again for your prompt response.

Anil Garg

Sean Cavanaugh <[EMAIL PROTECTED]> wrote: I would prob recommend the HDD 
since it's upgradeable with packages and all.  Most of the runtime I believe is 
kept on a RAM style partition unless yer saving logs. But if you want silent, 
the flash based isn't a bad way to go either.
  
 -Sean 
- Original Message - 
   From: Anil garg 
   To: support@pfsense.com 
   Sent: Monday, July 23, 2007 10:06 PM
   Subject: [pfSense Support] Beta2
   

  Hi learned ones:

I am doing a greenfield install of PFSENSE on a fairly nice machine with P3 
1GHz and 1GB ram.

I have a choice to either put a Disk on Flash - 2GB

OR

Put a very old HDD with 3.2 GB


Should I use the embedded one: pfSense-1.2-BETA-2-Embedded-128-MB.img.gz   

Or should I use the regular install.  I am inclined for the flash because it 
will be silent.

I am going to do site to site VPN in addition to built in PPTP server.

Not planning for SQUID or any fancy packages.

Thanks very much for your help and guidance





[pfSense Support] Beta2

2007-07-23 Thread Anil garg
Hi learned ones:

I am doing a greenfield install of PFSENSE on a fairly nice machine with P3 
1GHz and 1GB ram.

I have a choice to either put a Disk on Flash - 2GB

OR

Put a very old HDD with 3.2 GB


Should I use the embedded one: pfSense-1.2-BETA-2-Embedded-128-MB.img.gz   

Or should I use the regular install.  I am inclined for the flash because it 
will be silent.

I am going to do site to site VPN in addition to built in PPTP server.

Not planning for SQUID or any fancy packages.

Thanks very much for your help and guidance




[pfSense Support] pfsense Beta 1.2B1 (built on Mon Apr 30 10:47:18 EDT 2007)

2007-07-04 Thread Anil garg
I just did a fresh install of pfsense on a P3 (500MHz) with 384MB RAM and 6GB 
disk.

I think this is by far the cleanest install and least buggy software I have 
seen. 

I have a site-2-site vpn with linksys, PPTP server, dyndns, etc.etc..

Also have seen that pptp passthrough also worked like a charm right out of box 
in default installs.

The only change I made, when installing, I deleted the swap because I saw no 
need for that since my machine has so much memory.

I have a 2GB DOM (flash in IDE).  Is there a way to use the software by 
installing it on flash? I don't want to lose any of the flexibilities by going 
to the embedded version.  Memory/disk etc are so cheap these days ..




Re: [pfSense Support] VPN tunnel connects properly, but it frequently drops

2007-07-03 Thread Anil garg
I set up a cron job that pings the internal IP of the router on the other side 
of the VPN every 120 seconds and the link has not come down as yet. Perhaps 
this is a workaround...

This is my cron job set to execute on boot:

ping -i 120 192.168.100.1

Hope this will solve the problems for all who are struggling to solve the VPN 
problem with pfsense.



Anil garg <[EMAIL PROTECTED]> wrote: Chris/Scott 

The only reason we purchased a RV016 on the other end was because we have three 
DSL on load balancing and I could not figure out how to put 3 DSL, one DMZ, and 
Lan on one box, even though PC has 4 Intel pro cards plus one built on the 
motherboard.  Someday someone will write a recipe for non-geeks like us.

Coming to tunnel problem, we matched every parameter uniformly on both sides 
and it works fine usually.  Except when there is some idle time and then the 
VPN link drops.  If I just click save without making any change the VPN starts 
to function again without making any changes to Linksys at all.

I tried to move to 1.2 Beta 1 and it looked great but I faced problem with my 
wife unable to connect to pptp to her work using gre and we also faced some 
instability with calling in to connect to pptp from outside which works 
flawlessly on the current PFSENSE 1.01 

So we were hesitant to move to 1.2B1 to fix one time (which only time will 
tell) but break pptp pass through which is working like a charm.  I do not 
remember what build it was.

If you recommend we can try and migrate again.

Best 
Anil Garg


Scott Ullrich <[EMAIL PROTECTED]> wrote: It should also be noted that we were 
shipping an "invalid" racoon
recently with NAT-T enabled in racoon but not in the kernel.   Somehow
along the way NATT was changed to "enabled" and our BATCH port
building system picked this up.

Basically what I am trying to say is make sure all endpoints are on
the same version.   Preferably 1.2-BETA-1.

Scott


On 7/2/07, Chris Buechler  wrote:
> Anil garg wrote:
> > Guys this is a problem in 1.01 release and not sure if it is fixed in
> > 1.2 beta.
>
> A lot has  changed between 1.0 and 1.2, so it's hard to say if 1.0 had
> some IPsec issues, but 99% of IPsec issues reported are user error,
> including seemingly all the "tunnels drop all the time" stuff that
> constantly comes up. That's what happens when you screw up lifetimes,
> have some non-pfsense/m0n0wall box on the other side that's buggy, or
> have any number of other settings mismatched. It's possible you have
> things configured completely correctly, and racoon has some sort of
> issue with that device for whatever reason, but I've yet to see anybody
> actually prove that's the case.
>
>





Re: [pfSense Support] VPN tunnel connects properly, but it frequently drops

2007-07-02 Thread Anil garg
Chris/Scott 

The only reason we purchased a RV016 on the other end was because we have three 
DSL on load balancing and I could not figure out how to put 3 DSL, one DMZ, and 
Lan on one box, even though PC has 4 Intel pro cards plus one built on the 
motherboard.  Someday someone will write a recipe for non-geeks like us.

Coming to tunnel problem, we matched every parameter uniformly on both sides 
and it works fine usually.  Except when there is some idle time and then the 
VPN link drops.  If I just click save without making any change the VPN starts 
to function again without making any changes to Linksys at all.

I tried to move to 1.2 Beta 1 and it looked great but I faced problem with my 
wife unable to connect to pptp to her work using gre and we also faced some 
instability with calling in to connect to pptp from outside which works 
flawlessly on the current PFSENSE 1.01 

So we were hesitant to move to 1.2B1 to fix one time (which only time will 
tell) but break pptp pass through which is working like a charm.  I do not 
remember what build it was.

If you recommend we can try and migrate again.

Best 
Anil Garg


Scott Ullrich <[EMAIL PROTECTED]> wrote: It should also be noted that we were 
shipping an "invalid" racoon
recently with NAT-T enabled in racoon but not in the kernel.   Somehow
along the way NATT was changed to "enabled" and our BATCH port
building system picked this up.

Basically what I am trying to say is make sure all endpoints are on
the same version.   Preferably 1.2-BETA-1.

Scott


On 7/2/07, Chris Buechler  wrote:
> Anil garg wrote:
> > Guys this is a problem in 1.01 release and not sure if it is fixed in
> > 1.2 beta.
>
> A lot has changed between 1.0 and 1.2, so it's hard to say if 1.0 had
> some IPsec issues, but 99% of IPsec issues reported are user error,
> including seemingly all the "tunnels drop all the time" stuff that
> constantly comes up. That's what happens when you screw up lifetimes,
> have some non-pfsense/m0n0wall box on the other side that's buggy, or
> have any number of other settings mismatched. It's possible you have
> things configured completely correctly, and racoon has some sort of
> issue with that device for whatever reason, but I've yet to see anybody
> actually prove that's the case.
>
>




RE: [pfSense Support] VPN tunnel connects properly, but it frequently drops

2007-07-02 Thread Anil garg
Guys this is a problem in 1.01 release and not sure if it is fixed in 1.2 beta.

In a very simple setup, I too have a PF 1.01 connected to one RV016.  The VPN 
connection is dropped after some time say a few hours.

If I go into pfsense and click on VPN>IPSEC and click "Save" even if I make no 
change in the VPN setup, the pfSense launches the filter reloads and something 
happens correctly which makes the VPN connect.  

This is again dropped after prolonged inactivity.

Usually it would be no problem if all the users were on pfsense side because I 
could simply ask every one to VPN>IPSEC and click save.  But for users on RV016 
side, they can not even use the system till someone resets from pfsense side.

Hope this helps the RCA...

Anil Garg


Pedro Paulo Oliveira Jr <[EMAIL PROTECTED]> wrote: Hotbrick VPN800/2 is not 
based on pfsense.

-Original Message-
From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] 
Sent: Monday, 2 July 2007 08:55
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN tunnel connects properly, but it
frequently drops

I have a pfsense box with the June 30th snapshot, and have it connected 
to two Linksys RV016's, two Linksys RV082's, and two Hotbrick 800/2.  
The pfsense box has two adsl connections with static IP's for WAN 
connectivity, and the remote sites also have adsl connections.  Both 
brands of units are running the most recent firmware posted on their 
vendor's web site as of June 29, 2007.

I was consistently having trouble with the VPN tunnels dropping after 
prolonged periods of inactivity.  The remote endpoints had to actively 
look for items on the LAN behind the pfsense box to get the connection 
to re-establish.  Sometimes, for example, if the WAN disconnected for 
some reason, the VPN's tunnels would not get re-built without rebooting 
the Linksys or Hotbrick router.

Anyway, I contacted Hotbrick's tech support, and asked them for advice 
since they sell a couple other products that look to be customized and 
branded versions of pfsense.  They sent me a link to one of their help 
documents here:  http://www.hotbrick.com/support_detail.asp?tipo=4

Basically, the documents suggest the following settings for VPN's 
between Hotbrick products:

IPSEC Phase 1:
Negotiation:  Main
Encryption:  3DES
Hash:  SHA1
DH Key:  2  (1024 Bit)
Lifetime:  28800
Authentication:  Pre-Shared Key

IPSEC Phase 2:
Protocol:  ESP
Encryption:  Make Sure 3DES only is checked
Hash:  SHA1
Perfect Forward Secrecy:  2 (1024 Bit)
Lifetime:  28800

So, I have tried these settings on my remote endpoint Hotbrick's and 
Linksys's  and have experienced much more stable VPN connections.  I 
have also noticed that the VPN connection doesn't have to be 
re-established by the remote endpoint after long periods of inactivity, 
and I have noticed that the tunnels seem to rebuild correctly after a 
WAN link goes down and then comes back up.  Also, on the Linksys devices 
I have dead peer detection turned off, but have keep-alive turned on.  
On the pfsense box, I have the IP address listed to ping as an IP on the 
remote subnet that is not assigned to any host.  I found that on the 
Hotbrick and the Linksys units that long term pinging of the remote LAN 
gateway (i.e. pinging the LAN IP of the linksys or hotbrick unit) caused 
the device to actively start blocking the connection from the pfsense box.

-Vaughn Reid III

David Strout wrote:
> I have had the same experience w/ the RV016 and
> pfSense.  What is the exact version on the linksys
> side (have you upgraded the firmware to the
> current?), and what build of 1.0.1 pfSense are you
> running?  I'd move to the current 1.2-BETA SNAP
> and upgrade your Linksys to the current 2.0.17.
>
> I personally have had very little luck in
> connecting linksys to anything but linksys for VPN
> connectivity.  I have gotten it to work in the lab
> and maintain its stability but under a high load
> situation it becomes very unstable and drops quite
> often.
>
>
>
>> Hi,
>>
>> I have PFSense 1.0.1 version configured with open VPN on one site and Dual
>> wan router (Linksys RV016) configured on the other site.  VPN connection
>> works fine.  However, even though both the routers are configured to be on a
>> Keep Alive status in reference to the VPN connectivity, still the VPN
>> connection drops consistently.  Please let me know for any further details
>> you want from me to resolve this issue.  Any help from your side would
>> really be appreciated.
>>
>> Thanks & Regards,
>>
>> Vidit Gupta
>>
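Chris's remark earlier in this thread that most "tunnel drops" come from mismatched settings, and Vaughn's list of Phase 1 / Phase 2 values above, suggest a check worth doing mechanically before touching lifetimes or keep-alives: write down each end's parameters and diff them after normalising case and annotations. The following is an added shell example, not code from the list, from pfSense or from any vendor; the `key: value` file format, the key names and both sample files are constructed for the example (the first uses the values from Vaughn's post, the second deliberately has a shorter Phase 2 lifetime and no PFS group).

```shell
#!/bin/sh
# Added example (not from the list posts): list every Phase 1 / Phase 2
# parameter that differs between the two ends of an IPsec tunnel.  Each side
# is described by a hand-written "key: value" file; the key names, file format
# and sample values below are constructed for this example.

# Normalise one side to sorted "key=value" lines: lower-case, drop comment
# lines, strip "(1024 Bit)"-style annotations so "2 (1024 Bit)" equals "2",
# and collapse whitespace so "3DES" and " 3des " compare equal.
normalize_side() {
    tr '[:upper:]' '[:lower:]' < "$1" \
    | grep -v '^[[:space:]]*#' \
    | sed -e 's/([^)]*)//g' \
          -e 's/[[:space:]]*:[[:space:]]*/=/' \
          -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
    | grep -v '^$' \
    | sort
}

# Print one "key: 'left' != 'right'" line per mismatch (a value missing on
# either side counts); exit 0 only when both sides agree on every parameter.
ipsec_mismatches() {
    left=$(mktemp) || return 2
    right=$(mktemp) || return 2
    normalize_side "$1" > "$left"
    normalize_side "$2" > "$right"
    status=0
    while IFS='=' read -r key lval; do
        rval=$(grep "^$key=" "$right" | cut -d= -f2-)
        if [ "$lval" != "$rval" ]; then
            echo "$key: '$lval' != '${rval:-<missing>}'"
            status=1
        fi
    done < "$left"
    while IFS='=' read -r key rval; do
        if ! grep -q "^$key=" "$left"; then
            echo "$key: '<missing>' != '$rval'"
            status=1
        fi
    done < "$right"
    rm -f "$left" "$right"
    return $status
}

# Constructed sample: the pfSense end, using the values Vaughn's post lists.
SIDE_A=$(mktemp)
cat > "$SIDE_A" <<'EOF'
# pfSense side
p1_negotiation: Main
p1_encryption: 3DES
p1_hash: SHA1
p1_dh_group: 2 (1024 Bit)
p1_lifetime: 28800
p1_auth: Pre-Shared Key
p2_protocol: ESP
p2_encryption: 3DES
p2_hash: SHA1
p2_pfs_group: 2 (1024 Bit)
p2_lifetime: 28800
EOF

# Constructed sample: the remote router, typed in by someone else, with a
# shorter Phase 2 lifetime and PFS left unset.
SIDE_B=$(mktemp)
cat > "$SIDE_B" <<'EOF'
# Linksys side
p1_negotiation: main
p1_encryption: 3des
p1_hash: sha1
p1_dh_group: 2
p1_lifetime: 28800
p1_auth: pre-shared key
p2_protocol: esp
p2_encryption: 3des
p2_hash: sha1
p2_lifetime: 3600
EOF

ipsec_mismatches "$SIDE_A" "$SIDE_B" \
    || echo "settings differ; fix these before suspecting racoon"
```

On the constructed pair this reports only the two real differences (`p2_lifetime` and the missing `p2_pfs_group`); the case and "(1024 Bit)" differences are normalised away so they do not hide the ones that matter. A Phase 2 lifetime mismatch of this kind is exactly what produces a tunnel that comes up fine and then drops after a few hours.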

[pfSense Support] Where can one download 1.2 release candidate 1?

2007-05-17 Thread Anil garg



[pfSense Support] DUAL WAN

2007-04-30 Thread Anil garg
Is there a document somewhere that shows how to configure an OPT into a second 
WAN and hook up to Cable? My primary WAN is a PPPoE with AT&T Yahoo.

Plus there would undoubtedly be some trunking, bridging and some static rules? Or 
is there a binding? 

Basically a step by step for dummies like me?

Thanks.


[pfSense Support] Pfsense running entirely from RAM

2007-04-30 Thread Anil garg
I have pfSense installed on a P3/500MHz with 768MB RAM and a 4GB drive.  This 
stuff is a vintage Dell Optiplex machine but a reliable workhorse. Kudos to the 
pfSense team that this machine never dies. It runs a LAN, PPTP server, IPSEC 
based OpenVPN like a charm.

The only thing irritating is that it makes disk activity noise, where the 
memory it uses is less than 6% and CPU usage rarely exceeds 3%.

Is there a way for this to boot from the HDD and then run entirely from RAM? I 
am not using SQUID. 

Any suggestions or pointers to documents online will be greatly appreciated.

Anil Garg

[pfSense Support] Access pfsense from WAN

2007-03-12 Thread Anil garg
Is there a way to access and configure pfsense from outside / WAN using HTTPS 
or something like that?


[pfSense Support] Powersave

2007-03-07 Thread Anil garg
Does pfsense use powersave at all. Like slow down CPU, blank out video, spin 
down HDD (assuming there is enough RAM) etc.??

Thanks.
Anil Garg



[pfSense Support] Intel PRO/100 Server NIC with Hardware 3DES

2007-03-06 Thread Anil garg
Does anyone know if the pfsense will automatically make use of hardware 
offloading for 3DES on the Intel PRO/100 Server adapters?

There appears to be no mention of this anywhere.