RE: [pfSense Support] Routing multiple subnets through IPSEC
On Thu, Mar 12, 2009 at 10:46 PM, Chris Buechler wrote:
> On Thu, Mar 12, 2009 at 9:48 PM, Bennett Lee <pfse...@bennettandgina.com> wrote:
>> How can I route multiple subnets across the same IPSEC tunnel?
>
> You can't in 1.2.x. Solution here: http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

Sweet! Thanks, Chris. Supernetting works for me for all my clients except one. Is routing over IPSEC a future option in 2.0, or is it too nasty to implement? (My one client who really wants it is, of course, the one for whom supernetting doesn't work.) :P

--Bennett
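The supernetting workaround in the linked doc collapses several subnets into one prefix for the phase 2 selector, and the cost is that the widened selector also matches addresses nobody asked for, and can collide with another site's or tunnel's range, which is the usual reason it "doesn't work" for one client. This added example (not from the thread or the pfSense docs) computes the covering prefix, lists the unintended blocks it pulls in, and flags overlaps with other networks; the subnets are constructed sample values.

```python
import ipaddress

def summarize(subnets):
    """Smallest single prefix that covers every subnet in the list."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Shorten the prefix from /32 downward until it also covers the highest address.
    for plen in range(32, -1, -1):
        cand = ipaddress.ip_network((first, plen), strict=False)
        if last in cand:
            return cand
    raise ValueError("no covering prefix")

def supernet_report(subnets):
    """Return (supernet, extra): extra are the blocks inside the supernet that were
    NOT in the original list and so would newly match the phase 2 selector."""
    summary = summarize(subnets)
    extra = [summary]
    for n in (ipaddress.ip_network(s, strict=False) for s in subnets):
        remaining = []
        for e in extra:
            if e.subnet_of(n):
                continue                          # fully covered by an intended subnet
            if n.subnet_of(e):
                remaining.extend(e.address_exclude(n))  # carve the intended subnet out
            else:
                remaining.append(e)               # disjoint, keep as-is
        extra = remaining
    return summary, sorted(extra)

def conflicts(summary, other_subnets):
    """Networks (other tunnels, the local side, other clients) that the widened
    selector would overlap; any hit means supernetting cannot be used as-is."""
    others = [ipaddress.ip_network(o, strict=False) for o in other_subnets]
    return [o for o in others if summary.overlaps(o)]

if __name__ == "__main__":
    # Constructed sample: two remote subnets that are not adjacent.
    s, extra = supernet_report(["192.168.1.0/24", "192.168.3.0/24"])
    print("phase 2 selector:", s)
    print("unintended blocks matched:", [str(e) for e in extra])
    print("collisions:", [str(c) for c in conflicts(s, ["192.168.2.0/24"])])
```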
[pfSense Support] WAN configuration without router
I'm helping a buddy get his pfSense (v1.2) set up with a new higher-capacity connection and keep his old connection as a dual-WAN. He got some IP assignments from his ISP, the gist of which is:

WAN Block: x.x.x.132/30
WAN Subnet Mask: 255.255.255.252
Network Side: x.x.x.133
Customer Side: x.x.x.134

Customer LAN block: y.y.y.0/27
Customer Gateway: y.y.y.1
Usable Range: y.y.y.2 - y.y.y.30
Customer Subnet Mask: 255.255.255.224

My friend's sales rep offered to lease him a layer 3 router for several hundred a month, which he declined, figuring pfSense would do the trick. I haven't been to the office where the equipment is installed (been doing this remotely from a different city), but apparently the ISP installed a switch for the x.x.x.132/30 network. Their piece assumes x.x.x.133 and passes all y.y.y.y to us at x.x.x.134.

Seems easy to set up in pfSense with virtual IPs...until I started to play with it. Main problem is that their WAN doesn't specify a gateway, so this is one level higher than my normal cable/DSL bridged setups. Consequently, I'm not sure what to plug where.

(1) I tried setting pfSense WAN IP to x.x.x.134 gateway x.x.x.133. At the very least I thought that should allow my pfSense box to ping x.x.x.133 (pingable from outside) on the WAN interface. No luck. And can't connect to pfSense x.x.x.134 from outside despite proper nat/rules. And even if I could, where does the customer gateway come into play? Can I ignore it, since all I want is for pfSense to forward all y.y.y.y to x.x.x.133? Or do I need to set up a virtual PARP for it? And then what? Somehow funnel the other y.y.y.y virtual PARPs through it?

(2) I tried setting pfSense WAN to Customer LAN y.y.y.2 gateway y.y.y.1 and PARP for x.x.x.134. This seems most correct. However, no pingable gateway from outside, which I assume is because with no router there's no gateway. So somehow I need to convince pfSense that it's the y.y.y.1 gateway and to forward everything for y.y.y.y to x.x.x.134, but how? Static route?

Also, like above, can't connect to pfSense from outside. Any advice?

--Bennett
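The assignment above is a routed block: a /30 link with the ISP on one end and the firewall on the other, plus a /27 that the ISP forwards by route to the firewall's /30 address. This added example (not from the thread) checks such a plan for internal consistency and derives the settings it implies; it assumes, as the poster describes, that the ISP forwards the whole /27 to the customer side of the /30, so the "customer gateway" address must be owned by the firewall itself, and it uses constructed documentation-range addresses in place of the x.x.x / y.y.y placeholders.

```python
import ipaddress

def check_plan(wan_block, network_side, customer_side, lan_block, lan_gateway):
    """Return a list of findings about an ISP routed-block assignment; an empty
    list means the numbers are internally consistent."""
    wan = ipaddress.ip_network(wan_block)
    lan = ipaddress.ip_network(lan_block)
    isp, fw, gw = map(ipaddress.ip_address, (network_side, customer_side, lan_gateway))
    link_hosts = list(wan.hosts())          # the two usable addresses of a /30
    findings = []
    if wan.prefixlen != 30:
        findings.append(f"{wan} is not a /30 point-to-point link")
    if isp not in link_hosts:
        findings.append(f"network side {isp} is not a usable host in {wan}")
    if fw not in link_hosts:
        findings.append(f"customer side {fw} is not a usable host in {wan}")
    if isp == fw:
        findings.append("network side and customer side are the same address")
    if wan.overlaps(lan):
        findings.append(f"routed block {lan} overlaps the link block {wan}")
    if gw not in lan or gw in (lan.network_address, lan.broadcast_address):
        findings.append(f"customer gateway {gw} is not a usable address in {lan}")
    return findings

def derive_settings(wan_block, network_side, customer_side, lan_block, lan_gateway):
    """Settings the plan implies. Assumption: the ISP forwards the routed block to
    customer_side by route, not by ARP, so nothing upstream answers for the block's
    gateway address; the firewall has to own it (inside interface or virtual IP)."""
    wan = ipaddress.ip_network(wan_block)
    lan = ipaddress.ip_network(lan_block)
    gw = ipaddress.ip_address(lan_gateway)
    usable = [h for h in lan.hosts() if h != gw]   # hosts behind the firewall
    return {
        "wan_address": f"{customer_side}/{wan.prefixlen}",
        "wan_gateway": network_side,               # the firewall's only next hop
        "firewall_owns": f"{gw}/{lan.prefixlen}",
        "usable_hosts": f"{usable[0]} - {usable[-1]}",
        "proxy_arp_needed": False,                 # routed block: no ARP upstream
    }

if __name__ == "__main__":
    # Constructed sample standing in for x.x.x.132/30 and y.y.y.0/27.
    plan = ("203.0.113.132/30", "203.0.113.133", "203.0.113.134",
            "198.51.100.0/27", "198.51.100.1")
    print("findings:", check_plan(*plan) or "none")
    for k, v in derive_settings(*plan).items():
        print(f"{k}: {v}")
```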
RE: [pfSense Support] Adding new NIC drivers
I figured this out by adding if_myk_load=YES to /boot/loader.conf. I don't know if this is where it's supposed to go, but it works.

Now the million-dollar question: can I do a firmware upgrade without losing this entry in the /boot/loader.conf? I'm confident the .ko files I copied to /boot/kernel won't get deleted during updates, but I want to make sure that the /boot/loader.conf doesn't get overwritten. Otherwise, I'll have a bunch of pissed off clients and a trip to our colocation on my next update. :)

--Bennett

Bennett Lee wrote:
> OK, after many problems, like couldn't install because of no known NICs, installing NICs in a 1U case with no riser, figuring out how to mount, if_myk.ko requiring libmbpool.ko, etc., I finally got the drivers installed with kldload and they appear to work. Until I rebooted. The drivers don't reload. What do I need to change in order to get them to install permanently?
>
> --Bennett
>
> Bill Marquette wrote:
>> Probably easiest to load them onto a USB keyfob and mount it after boot. Then kldload the if_myk.ko module.
>>
>> --Bill
>>
>> On 9/25/07, Bennett Lee [EMAIL PROTECTED] wrote:
>>> I've got a new motherboard with quad-GB LANs that all use Marvell 8056, which isn't supported by pfSense/FreeBSD. I d/l Marvell's Yukon FreeBSD drivers, which supposedly support this board. Their .tgz contains if_myk.ko, +CONTENTS, and myk.4.gz. Inside myk.4.gz is myk.4. How do I add these drivers to the LiveCD so I can try them out? Is it as easy as injecting the files into the CD into some particular folder and maybe adding them to a boot config file? (I hope so--haven't done anything in *nix since I wrote a crappy little client/server app back in college [many, many, many] years ago.)
>>>
>>> --Bennett
RE: [pfSense Support] Adding new NIC drivers
OK, after many problems, like couldn't install because of no known NICs, installing NICs in a 1U case with no riser, figuring out how to mount, if_myk.ko requiring libmbpool.ko, etc., I finally got the drivers installed with kldload and they appear to work. Until I rebooted. The drivers don't reload. What do I need to change in order to get them to install permanently?

--Bennett

Bill Marquette wrote:
> Probably easiest to load them onto a USB keyfob and mount it after boot. Then kldload the if_myk.ko module.
>
> --Bill
>
> On 9/25/07, Bennett Lee [EMAIL PROTECTED] wrote:
>> I've got a new motherboard with quad-GB LANs that all use Marvell 8056, which isn't supported by pfSense/FreeBSD. I d/l Marvell's Yukon FreeBSD drivers, which supposedly support this board. Their .tgz contains if_myk.ko, +CONTENTS, and myk.4.gz. Inside myk.4.gz is myk.4. How do I add these drivers to the LiveCD so I can try them out? Is it as easy as injecting the files into the CD into some particular folder and maybe adding them to a boot config file? (I hope so--haven't done anything in *nix since I wrote a crappy little client/server app back in college [many, many, many] years ago.)
>>
>> --Bennett
[pfSense Support] Adding new NIC drivers
I've got a new motherboard with quad-GB LANs that all use Marvell 8056, which isn't supported by pfSense/FreeBSD. I d/l Marvell's Yukon FreeBSD drivers, which supposedly support this board. Their .tgz contains if_myk.ko, +CONTENTS, and myk.4.gz. Inside myk.4.gz is myk.4.

How do I add these drivers to the LiveCD so I can try them out? Is it as easy as injecting the files into the CD into some particular folder and maybe adding them to a boot config file? (I hope so--haven't done anything in *nix since I wrote a crappy little client/server app back in college [many, many, many] years ago.)

--Bennett
[pfSense Support] Loopback and DNS lookup revisited
About a month ago I posted about my pfSense box that cannot resolve DNS and cannot loopback to WAN IPs (which I suspect is DNS related). A brand new box with a fresh install and the old config uploaded had the same problems, so I thought it was a config prob. It's not.

Over the holidays, I reset our pfSense box to factory defaults. I didn't do anything except set up the interfaces, and pfSense still couldn't resolve DNS. So I booted the Live CD, set up interfaces (running off the CD), and it couldn't resolve DNS either. So I'm thinking it's not the config, since neither a factory default nor even the Live CD could resolve DNS.

Our WAN's static IPs, gateway, and DNS are all the same as they were months ago when this was working for us. Hardware on old pfSense box never changed. Our internal servers use the exact same DNS as pfSense, and they're able to resolve. No problems with WAN, inbound/outbound access, VPN, etc. Everything works except pfSense itself. Can't ping domains because it can't resolve DNS, but pinging IPs works fine. Can't download packages because it can't resolve pfSense.com. Can't sync time because it can't resolve pool.ntp.org.

I've got to get this working but I'm not even sure where the problem is. How do I troubleshoot DNS inside pfSense?

--Bennett

From: Bennett Lee [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 28, 2006 10:50 PM
To: support@pfsense.com
Subject: [pfSense Support] Loopback and DNS lookup fail

I have a pfSense box that cannot loopback to internal addresses via WAN IPs and cannot resolve DNS (and hence cannot contact pfsense.com to download packages). Note that only pfSense itself cannot resolve DNS--our internal servers can resolve DNS using the same external name servers as pfSense. We're running 1.0.1, but this hasn't worked for us on this box since RC3 or so (I think). I have 2 other pfSense boxes and both those work fine.

I couldn't figure out why this one can't loopback or resolve DNS, so I built a new pfSense box with all new hardware, installed from CD, then loaded the old config with new interface IDs. Same problem. Thus, I assume there's a problem with my config. However, I've been over and over the config and compared it to the 2 working boxes and to old config backups we have. I can't find any significant differences. I even removed all the features and rules that I could, thinking maybe I was overlooking something. Still can't get it to work.

The only thing I can think to do now is to rebuild and start the setup from scratch, manually re-entering our entire config and checking after every change to see if it still works. Can anyone offer any solutions or troubleshooting advice before I'm forced to shut down our offices for a few hours?

--Bennett
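Since internal hosts resolve fine against the same servers while the firewall itself cannot, the useful split is "is the firewall's own resolver configuration sane" versus "do UDP/53 packets sourced from the firewall's own address get out and back". This added example (not from the thread) reads the nameserver lines from resolv.conf and then queries each server directly on the wire, bypassing the libc resolver, so a timeout points at the path and a reply with an error code points at the server; it assumes a Python interpreter is available on the box and uses pfsense.com from the thread as the name to look up.

```python
import random
import socket
import struct

def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf text, in the order the resolver uses them."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def build_query(name, qid):
    """Minimal DNS query: one A question, recursion desired (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_response(data, qid):
    """Return (rcode, answer_count) from the header, or raise if the reply is not ours."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def probe(server, name="pfsense.com", timeout=3.0):
    """Ask one nameserver directly; no reply means the packet or its answer is not
    getting through from this host's address, which resolv.conf cannot fix."""
    qid = random.randrange(1, 65535)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
        rcode, answers = parse_response(data, qid)
        return f"{server}: rcode={rcode} answers={answers}"
    except socket.timeout:
        return f"{server}: no reply within {timeout}s"
    finally:
        s.close()

if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        servers = parse_resolv_conf(f.read())
    if not servers:
        print("resolv.conf has no nameserver lines: the firewall has nothing to ask")
    for srv in servers:
        print(probe(srv))
```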
RE: [pfSense Support] Asking
I was just about to start testing the ASSP package on my home server, but I see that apparently Scott yanked it back in July? Any reason why? I barely see any mention of ASSP...maybe that's why--lack of interest? I, for one, would like to get it running on pfSense. As for squid, I know it had problems and got yanked.

-----Original Message-----
From: saidy [mailto:[EMAIL PROTECTED]
Sent: Monday, December 04, 2006 3:14 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Asking

How to install assp package? Is it default in pfsense additional packages or ...? And please give some info about Web filtering (is it in squid or ...)

----- Original Message -----
From: Craig FALCONER [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Monday, December 04, 2006 4:08 AM
Subject: RE: [pfSense Support] Asking

Firewall - yes
Anti-spam - yes (you'll need the assp package)
Antivirus - no
Web filtering - kind of

I recommend a separate server machine inside your firewall that runs squid and dansguardian on the unix of your choice. Also you can have a general purpose file server with samba and a general purpose web server with apache. Far more flexible than piling all these tasks on your firewall, which has to be reliable.

-----Original Message-----
From: saidy [mailto:[EMAIL PROTECTED]
Sent: Friday, 1 December 2006 10:16 p.m.
To: support@pfsense.com
Subject: [pfSense Support] Asking

Hi,

Can I use pfsense for firewall, anti-spamming, anti-virus and web-filtering for 30 users?
[pfSense Support] Loopback and DNS lookup fail
I have a pfSense box that cannot loopback to internal addresses via WAN IPs and cannot resolve DNS (and hence cannot contact pfsense.com to download packages). Note that only pfSense itself cannot resolve DNS--our internal servers can resolve DNS using the same external name servers as pfSense. We're running 1.0.1, but this hasn't worked for us on this box since RC3 or so (I think). I have 2 other pfSense boxes and both those work fine.

I couldn't figure out why this one can't loopback or resolve DNS, so I built a new pfSense box with all new hardware, installed from CD, then loaded the old config with new interface IDs. Same problem. Thus, I assume there's a problem with my config. However, I've been over and over the config and compared it to the 2 working boxes and to old config backups we have. I can't find any significant differences. I even removed all the features and rules that I could, thinking maybe I was overlooking something. Still can't get it to work.

The only thing I can think to do now is to rebuild and start the setup from scratch, manually re-entering our entire config and checking after every change to see if it still works. Can anyone offer any solutions or troubleshooting advice before I'm forced to shut down our offices for a few hours?

--Bennett