RE: [pfSense Support] PFSense advocacy

2009-12-03 Thread Borowicz, Paul
Commercial support is top notch.  We had an obscure issue with Xenserver, but 
it was only affecting a subset of our users who had a VPN connection.  I 
thought it was a VPN issue, so the pfsense guys worked with me all the way down 
to a detailed packet analysis.  They gave me great information that led back to 
the server and helped me diagnose this tricky issue that had nothing to do with 
pfsense.

Thank you!

-Original Message-
From: Scott Ullrich [mailto:sullr...@gmail.com] 
Sent: Wednesday, December 02, 2009 4:54 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] PFSense advocacy

On Wed, Dec 2, 2009 at 4:26 PM, Ron García-Vidal  wrote:
> I realize this is a support forum, so if there is a better place to 
> post this, I will take it there.
>
> So, I'm trying to get a pfsense box in the shop because I've enjoyed 
> working with it on my own setup.  The boss is fairly open-minded and 
> open to a healthy discussion on the topic, but in the end, he wants to 
> know why this would be preferable to a Cisco solution.
>
> Since I've never worked extensively with Cisco, can someone give me a 
> few salient points to throw at him. I already used the cost argument, 
> he wants more.

Commercial support should help put Boss's worries at bay:

https://portal.pfsense.org/

Between this, the mailing list and forum you are covered.

Scott

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org





[pfSense Support] possible bug

2009-10-02 Thread Borowicz, Paul
I am on 1.2.3-RC3
built on Mon Sep 14 02:04:35 UTC 2009

I have a DMZ, WAN, and LAN on this box.  I have been getting bleed through from 
the DMZ to the LAN and vice versa.

I have a WAN rule, all stars except destination is DMZ net.

I have two DMZ rules; they are both applied to source DMZ net. One blocks an 
alias I have defined called internal_subnets and one allows anything except 
things destined for internal_subnets.

I also had a rule on the LAN that blocks anything destined for 10.1.1.0/24 (my 
DMZ subnet); it did not work until I changed it to block DMZ net.

Is this a bug where the subnets are not being recognized in the firewall 
interface?

A curious thing is that I can now not ping 10.1.1.4 from a computer plugged 
into the LAN, but I can ping it from the diagnostics ping interface if I source 
the ping from the LAN interface.

Paul Borowicz
BehaviorCorp Network Administrator
(317) 587-0521
pborow...@behaviorcorp.org



[pfSense Support] OpenVPN and ICA

2009-08-25 Thread Borowicz, Paul
I have some Igel thin clients that are at remote sites.  I use a pfsense router 
at these sites and there is a vpn from that router to my main pfsense router.  
I recently switched from Ipsec to OpenVPN for these sites so I could access 
multiple subnets.

Once I did this, I started to get frequent disconnects. They seemed to be 
somewhat random, but consistently interrupted the connection within a half hour or 
so.  The terminal would have an ICA session and just drop the connection; if I 
ran a ping from the terminal, it never faltered.

The solution seems to be to change the MTU on the terminal to 1400, this allows 
for the MTU overhead of 40 for citrix and 60 for the VPN (as far as I 
understand).

I am posting this in the hope someone else will find it useful, and if anyone 
has input or suggestions.

This problem doesn't seem to affect the PCs or Wyse terminals, which is good 
since I can't change the MTU on the Wyse terminals.

Paul Borowicz
BehaviorCorp Network Administrator
(317) 587-0521
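A quick way to check the 1400 figure rather than take it on faith: an added shell snippet (not from the thread) that computes the inner MTU from the overheads quoted above and prints the DF-bit ping that verifies it end to end; the 1500-byte link MTU and the 192.0.2.10 host are assumed placeholders.

```shell
#!/bin/sh
# Added example for the MTU workaround above; not code from the thread.
# Assumes the figures in the post: 1500-byte link MTU, 60 bytes of VPN
# overhead and 40 bytes of Citrix/ICA overhead. The host address is a
# constructed placeholder.

# inner_mtu LINK_MTU OVERHEAD... -> largest inner packet that still fits
inner_mtu() {
    _mtu=$1
    shift
    for _o in "$@"; do
        _mtu=$((_mtu - _o))
    done
    echo "$_mtu"
}

# probe_payload MTU -> ICMP data length whose IPv4 echo request is exactly
# MTU bytes on the wire (20-byte IPv4 header + 8-byte ICMP header)
probe_payload() {
    echo $(($1 - 28))
}

# probe_cmd HOST MTU -> ping with the DF bit set; if replies come back, MTU
# bytes cross the path unfragmented, if not, the real path MTU is smaller.
# FreeBSD/pfSense syntax (-D sets DF). Linux: ping -M do -s; Windows: ping -f -l.
probe_cmd() {
    echo "ping -c 3 -D -s $(probe_payload "$2") $1"
}

mtu=$(inner_mtu 1500 60 40)          # 1400, matching the post
echo "inner MTU behind VPN + ICA: $mtu"
echo "verify from the terminal side with: $(probe_cmd 192.0.2.10 "$mtu")"
```

Run the printed ping from a client behind the remote pfSense toward a host on the far side; if the DF probe fails at 1400 but passes at a smaller size, the overhead estimate is too low for that path.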



RE: [pfSense Support] Vpn LAN > Client Connection

2009-07-15 Thread Borowicz, Paul
You're probably missing a route on whatever router your office uses for a gateway.

Paul 

-Original Message-
From: Oytun Yılmaz [mailto:oytunyil...@gmail.com] 
Sent: Wednesday, July 15, 2009 6:50 AM
To: support@pfsense.com
Subject: [pfSense Support] Vpn LAN > Client Connection

Hi,

I have a server connected to my office network through openvpn. The server 
takes IP 10.69.36.x

My office network IP pool is 10.69.11.x


Server can reach any IP on office network. But I can not reach the server from 
the office through VPN.



Thanks in advance.


oytun




[pfSense Support] IPsec VPN times out requires ping to restart

2009-04-03 Thread Borowicz, Paul
I have a problem with a VPN between my pfsense box and an ASA box.  I've
noticed the same problem between PIX and pfsense.  The VPN works fine,
but when there is no traffic for a while it will stop receiving
connections.  The ASA side will try to send, but the pfsense side will
not respond.  If I ping across the VPN from the pfsense side the VPN
comes back up instantly.
 
This has not been an issue before because my monitoring system pings
across all my VPNs periodically.  Now I have a VPN that is limited to
one server, a Windows server, so I can't even use cron to ping
periodically.
 
Any suggestions?
 
Here is my VPN config. I took out the keys and IPs, but it works fine
until it times out so none of that should be relevant.
 

Hospital HL7 
  60 
  
-


  wan 
-


  x.x.x.x 
  
  x.x.x.x/32 
  x.x.x.x 
-


  aggressive 
-


   
  
  3des 
  sha1 
  2 
  86600 
   
   
   
   
  pre_shared_key 
  
-


  esp 
  3des 
  hmac_sha1 
  0 
  86600 
-
 
Paul F. Borowicz
Network Administrator
Behavior Corp
(317) 587-0521
pborow...@behaviorcorp.org
 


RE: [pfSense Support] Template to connect a Cisco router toPFSense using IPSec

2009-04-01 Thread Borowicz, Paul
Different PIX versions have different configs.  This worked fine for a 515e. 

-Original Message-
From: luismi [mailto:asturlui...@gmail.com] 
Sent: Wednesday, April 01, 2009 8:11 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Template to connect a Cisco router toPFSense 
using IPSec

We have PIX too, but the configuration we received from the previous team is, 
well, I don't have words to tell you how bad it is. :P

On Tue, 31-03-2009 at 22:43 -0400, Borowicz, Paul wrote:
> I was just collaborating on this for the wiki, here is the link.
> http://doc.pfsense.org/index.php/IPSec_between_pfSense_and_a_Cisco_PIX
> 
> 
> 
> -Original Message-
> From: luismi [mailto:asturlui...@gmail.com]
> Sent: Mon 3/30/2009 3:05 PM
> To: support@pfsense.com
> Subject: [pfSense Support] Template to connect a Cisco router to 
> PFSense using IPSec
>  
> Is there anyone here, in the list, with a template to configure a 
> Cisco router against a pfsense firewall using ipsec?





RE: [pfSense Support] Template to connect a Cisco router to PFSense using IPSec

2009-03-31 Thread Borowicz, Paul
I was just collaborating on this for the wiki, here is the link.
http://doc.pfsense.org/index.php/IPSec_between_pfSense_and_a_Cisco_PIX



-Original Message-
From: luismi [mailto:asturlui...@gmail.com]
Sent: Mon 3/30/2009 3:05 PM
To: support@pfsense.com
Subject: [pfSense Support] Template to connect a Cisco router to PFSense using 
IPSec
 
Is there anyone here, in the list, with a template to configure a Cisco
router against a pfsense firewall using ipsec?





[pfSense Support] Question about traffic graphing

2009-03-30 Thread Borowicz, Paul
I am using Cacti to graph the interfaces on my pfSense box.  Before I
replaced the PIX I was graphing LAN, DMZ, and WAN.  WAN showed all
traffic, so I used that to estimate my 95th percentile cost.
 
Now I am graphing LAN, DMZ, enc0 (IPsec VPNs), and tun0 (OpenVPN
clients).  I like the ability to see these granular views.  I assumed
that WAN would still show all traffic, since it is really the only
externally accessible interface.  Is this the case, or does the VPN
traffic not show up on the WAN interface?
 
Paul F. Borowicz
Network Administrator
Behavior Corp
(317) 587-0521
pborow...@behaviorcorp.org
 


RE: [pfSense Support] Re: Can't get more than 15kpps.

2009-03-30 Thread Borowicz, Paul
I purchased some HP DL360 G5s a year and a half ago.  They are still
available in 1U.  I was able to buy a PCI-X riser card to put a fibre
channel HBA into them.
 



From: Lenny [mailto:five2one.le...@gmail.com] 
Sent: Tuesday, March 24, 2009 2:15 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: Can't get more than 15kpps.



Well, actually, it's not the NICs that pushed me away from this server,
but the expansion slots.

I intend to insert my dual port Intel, and it's PCI-X, but the Sun only
has PCI-e, so it was no good.

Also, today, looking on ebay, I realized that it's not such an easy task
- to find a modern server with a dual core AMD (second generation) and
at least 1 PCI-X slot. The same is with Intel. And I already have 4
PCI-X cards, so I'd rather use them.

By the way, will AMD 275 do the job? Or is it too old and weak?

Regarding the 2 CPUs, I'm not sure I need them, cause I'll only be using
2 cores (each for 1 card), and as far as I saw on the previous servers -
the other 2 cores were just idle 99% of the time. (Although they were
logical cores via HT, but I don't think it makes much of a difference).

And now I'm about to ask a very stupid question: is it possible to just
resize the packets? (because I understand that this way I'm gonna have a
better throughput). I know changing the MTU is not advisable.

thanks,

Lenny.

P.S. How's IBM x3550? any opinions?
Bill Marquette wrote:

On Mon, Mar 23, 2009 at 9:26 AM, Vick Khera wrote:

On Mon, Mar 23, 2009 at 8:30 AM, Lenny wrote:

I got offered a Sun Fire X2200 with Opteron Dual Core 2210 (that's
1.8GHz). Will that do it? (for ~150kpps)

That's a little slower than what I use in prod (2218's), but it should
work - I'd want to make sure there were two physical dual core CPUs in
the box (paranoia - and well...that's what I tested ;-P).

Double check the NICs in that box.  I believe they're broadcom and
nvidia (yes, Sun does a mix and match on the same motherboard!  You get
two of each.)  Also, one of the NICs doubles as the network port for the
service processor, so if you're inclined to use the SP, you'll need to
account for that dual use on the NIC port 1.

Yeah, when I looked at the X2100's, they had 2 nvidia and 2 broadcoms
onboard.  The real issue wasn't the nics...other than they all suck IMO,
but that to use the lights out management, you lost both broadcoms
(unless you run Solaris on them - that _might_ have changed in the last
couple years).  Now, I'm not a huge fan of broadcom nics, but leaving me
with only nvidias meant I had a machine with four completely unusable
nics and I was _still_ putting a quad port nic in the box, thus costing
me more than an equivalent machine from any of Suns competitors.

--Bill





RE: [pfSense Support] VPN into a network allowing access to two subnets?

2009-03-09 Thread Borowicz, Paul
I saw that OpenVPN allows that. I'm going to use OpenVPN for my dynamic
users, I prefer it to PPTP, but I've always used IPsec for static VPNs.
I now have pfSense on both ends of most of my VPNs; is OpenVPN a good
solution for static site-to-site VPNs?

Paul



From: Tim Nelson [mailto:tnel...@rockbochs.com] 
Sent: Friday, March 06, 2009 8:23 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN into a network allowing access to two
subnets?


Use OpenVPN and push some routes out to your users.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- "Chuck Mariotti" wrote:
>
> I have a similar situation it sounds like to Paul.
>
> Specifically, I would like to setup pfSense to allow access to a
> 10.10.10.1 network to access other computers there. But I also need to
> allow the VPN users access to another subnet that hosts the telephone
> system (10.10.200.1).
>
> How can this be done? If so, how does one do this?
>
> Chuck
>
> From: Borowicz, Paul [mailto:pborow...@behaviorcorp.org]
> Sent: Friday, March 06, 2009 11:23 AM
> To: support@pfsense.com
> Subject: [pfSense Support] VPN routing
>
> I'm in the process of transitioning the subnet of my datacenter, I only
> have a dozen or so servers.  Everything is currently on a nonstandard
> subnet (192.0.1.0/24) due to a previous network admin.
>
> I want to move everything to 10.97.0.0/24, but I have a lot of VPNs that
> terminate into the datacenter on my pfsense firewall.  I know you can't
> route VPNs, if I use a second interface on my pfsense box can I bridge
> those two subnets?  Can someone give me a quick example?
>
> If that's not possible, should I just create a second VPN for each site
> that points to the other subnet?  Since both subnets will have a port on
> the pfsense box I should be able to point an ipsec VPN at either one,
> right?
>
> thanks,
>
> Paul F. Borowicz
> Network Administrator
> Behavior Corp
> (317) 587-0521
> pborow...@behaviorcorp.org



[pfSense Support] VPN routing

2009-03-06 Thread Borowicz, Paul
I'm in the process of transitioning the subnet of my datacenter, I only
have a dozen or so servers.  Everything is currently on a nonstandard
subnet (192.0.1.0/24) due to a previous network admin.
 
I want to move everything to 10.97.0.0/24, but I have a lot of VPNs that
terminate into the datacenter on my pfsense firewall.  I know you can't
route VPNs, if I use a second interface on my pfsense box can I bridge
those two subnets?  Can someone give me a quick example?
 
If that's not possible, should I just create a second VPN for each site
that points to the other subnet?  Since both subnets will have a port on
the pfsense box I should be able to point an ipsec VPN at either one,
right?
 
thanks,
 
Paul F. Borowicz
Network Administrator
Behavior Corp
(317) 587-0521
pborow...@behaviorcorp.org
 


RE: [pfSense Support] pfSense to use with production web server

2009-03-04 Thread Borowicz, Paul
yes



From: Raleigh Guevarra [mailto:death...@yahoo.com] 
Sent: Wednesday, March 04, 2009 11:22 AM
To: support@pfsense.com
Subject: [pfSense Support] pfSense to use with production web server


With no disrespect to the community, I just need to know the facts after
reading about firewalls, esp. packet filtering types of firewall.
Is it safe and secure to use pfSense in front of a web server in
production, hosting dozens of websites? Thanks in advance.