[pfSense Support] site to site VPN, which is best?

2008-03-28 Thread Jonathan Horne
is one method better than the other for connecting two pfsense firewalls 
together, between OpenVPN and IPSec?  just curious, as i've been using 
OpenVPN more and more lately for site-to-site connections.


thanks,
--
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd08 [EMAIL PROTECTED] dfwlp.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[pfSense Support] tips for getting started with QoS and queues

2008-03-27 Thread Jonathan Horne
i have a client that i have just built 2 pfsense 1.2-RELEASEs for (one 
outside of san antonio, and one at their main office here in dallas).  so 
far, it's working great.  they wanted their guy in SA to be able to use 
his IP phone to hit their PBX in dallas, and with the 2 pfsenses, it worked 
like a champ on the first try.

the boss liked it so much, today he mentioned that it will be sooner rather than 
later that they need another one in (or around) san antonio, and then one more in 
LA.  so where there's smoke... there's fire... and this is leading straight to a 
QoS type setup, as the whole reason these exist is to get those voip 
phones onto the internal LAN.

so, i've never set up a traffic queue before.  can anyone give some tips for 
generating a setup that's good for IP phones/voip (obviously, i'm talking about 
giving the voip traffic priority over plain internet traffic)?  tips or 
stories of caveats to watch out for would be greatly appreciated, or 
anything i can use to begin my learning of how the queueing works.

cheers,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd08 [EMAIL PROTECTED] dfwlp.com




Re: [pfSense Support] Pfsense + OpenVPN + Kvpnc with certificates

2008-01-19 Thread Jonathan Horne
On Saturday 19 January 2008 04:17:35 am Giuseppe Marullo wrote:
> Jonathan,
> I clearly remember that once upon a time I did it both Cisco and OpenVPN,
> but was some time ago and OpenVPN was end to end with no certificates.
>
> Kvpnc != vpnc:
> http://home.gna.org/kvpnc/en/index.html
>
> If you have another GPL Linux Gui for OpenVPN I would gladly try it.
>
> Giuseppe
>
> -Original Message-
> From: Jonathan Horne [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 17, 2008 10:30 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Pfsense + OpenVPN + Kvpnc with
> certificates
>
> [EMAIL PROTECTED] wrote:
> > Hi,
> > did anyone install pfsense with such configuration? I am
> > using it with the Windows GUI (Mathias one, very good
> > indeed) but I am unable to configure it using KVPNC on
> > Fedora.
> > Could anyone help?
> > TIA,
> >
> > Giuseppe Marullo
> >
>
> vpnc is for use with cisco vpn concentrators.  what you need is along
> the lines of this:
>
> [EMAIL PROTECTED] ~]# rpm -qa|grep openvpn
> NetworkManager-openvpn-0.7.0-2.svn3047.fc8
> openvpn-2.1-0.19.rc4.fc7
> knetworkmanager-openvpn-0.2-0.7.fc8
>
>
> cheers,
> --
> Jonathan Horne
> http://dfwlpiki.dfwlp.org
> freebsd08 [EMAIL PROTECTED] dfwlp.com

my apologies... perhaps my information didn't come from the same source as 
yours:

[EMAIL PROTECTED] /usr/ports]# make search name=vpnc
Port:   vpnc-0.4.0_3
Path:   /usr/ports/security/vpnc
Info:   Client for Cisco 3000 VPN Concentrator
Maint:  [EMAIL PROTECTED]
B-deps: gettext-0.16.1_3 gmake-3.81_2 libgcrypt-1.2.4_1 libgpg-error-1.5 
libiconv-1.11_1 perl-5.8.8_1
R-deps: gettext-0.16.1_3 libgcrypt-1.2.4_1 libgpg-error-1.5 libiconv-1.11_1
WWW:http://www.unix-ag.uni-kl.de/~massar/vpnc/

however, the rpm packages that i mentioned above for fedora enabled openvpn 
support in the knetworkmanager application.  i didn't see any other way to 
make it work until i installed those.

cheers,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd08 [EMAIL PROTECTED] dfwlp.com




Re: [pfSense Support] Pfsense + OpenVPN + Kvpnc with certificates

2008-01-17 Thread Jonathan Horne

[EMAIL PROTECTED] wrote:

Hi,
did anyone install pfsense with such configuration? I am
using it with the Windows GUI (Mathias one, very good
indeed) but I am unable to configure it using KVPNC on
Fedora.
Could anyone help?
TIA,

Giuseppe Marullo


vpnc is for use with cisco vpn concentrators.  what you need is along 
the lines of this:


[EMAIL PROTECTED] ~]# rpm -qa|grep openvpn
NetworkManager-openvpn-0.7.0-2.svn3047.fc8
openvpn-2.1-0.19.rc4.fc7
knetworkmanager-openvpn-0.2-0.7.fc8


cheers,
--
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd08 [EMAIL PROTECTED] dfwlp.com




[pfSense Support] openvpn client ips

2007-12-30 Thread Jonathan Horne
how does pfsense divide up (or decide how to assign) ips to inbound connecting 
clients?  i've noticed that they aren't contiguous or de/incremental IPs, 
such as the way DHCP hands them out on the lan.  i'm trying to figure out what 
size of an IP block i need to assign to the openvpn, so that i'll have enough 
IPs for all the connecting clients.

thanks,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]




Re: [pfSense Support] How to schedule shutdown and box heartbeat

2007-09-22 Thread Jonathan Horne
On Saturday 22 September 2007 06:05:42 tester wrote:
> Hello,
>
> --- Srdjan <[EMAIL PROTECTED]> wrote:
> > echo "/my/command/path" | at "16:45" (or "now + 15
> > min" etc)
>
> This was the command I typed from the shell:
>
> echo "shutdown -r now" | at "xx:yy"
>
> It seems it won't be executed at xx:yy
> I've done a search on the net and according to FreeBSD
> Man Pages, 'at' command is composed of several
> subcommands (such as atd,atq,atrm,atrun) which seem to
> be missing in current pfSense's implementation.
> If you read here:
> <http://nixdoc.net/man-pages/FreeBSD/atrm.1.html> it
> says:
> "Note that at is implemented through the cron(8)
> daemon by calling
> atrun(8) every five minutes.  This implies that the
> granularity of at
> might not be optimal for every deployment.  If a finer
> granularity is
> needed, the system crontab at /etc/crontab needs to be
> changed".
> So I opened /etc/crontab, but atrun entry is missing.
> Has 'at' been stripped away from pfSense build, since
> its components (e.g atrun, etc...) are missing?
> I don't know if something changed and those man pages
> are updated or not.
>
> Regarding heartbeat's feature, I thought to run a
> custom script during the FreeBSD startup and its
> shutdown, but I don't know how this unix OS works.
>
> > Cheers,
> > Srdjan
>
> Thanks to all of you!
>


why not just use the built-in features of the shutdown command?  if you are 
editing files, i would assume you are logged in on a terminal anyway:

shutdown -r 1800

(to reboot at 6pm).  here is the man page for shutdown (since it won't be on 
your pfsense box):

http://www.freebsd.org/cgi/man.cgi?query=shutdown&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

if you just want to know how long since last reboot...  type 'uptime'.

cheers,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]




[pfSense Support] bandwidthd

2007-09-04 Thread Jonathan Horne
does bandwidthd cause any significant performance hit?  special situations, 
yes, no, maybe?

thanks,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]




Re: [pfSense Support] anyone noticed slowdown in RC1 or RC2?

2007-09-04 Thread Jonathan Horne
On Monday 03 September 2007 03:20:00 Chris Buechler wrote:
> No clue...  I haven't heard back since I emailed him offlist with some
> info on his captures. I would definitely be interested in knowing what
> caused that to happen, hopefully he'll post back.
>
> I'm running Vista and don't have this issue.

hi chris, does your vista have ipv6 turned off, or are you running the 
default setup?

also, i have to agree with your assessment; here is a tcpdump from my DNS 
server, looking at "what i ask from my desktop"...

19:08:07.402296 IP athena.dfwlp.com.63407 > castor.dfwlp.com.domain:  19825+ 
? www.srh.noaa.gov. (34)
19:08:07.742227 IP castor.dfwlp.com.domain > athena.dfwlp.com.63407:  19825 
0/1/0 (95)
19:08:07.742593 IP athena.dfwlp.com.53385 > castor.dfwlp.com.domain:  19826+ 
? www.srh.noaa.gov.dfwlp.com. (44)
19:08:07.742673 IP castor.dfwlp.com.domain > athena.dfwlp.com.53385:  19826 
NXDomain* 0/1/0 (96)
19:08:07.742967 IP athena.dfwlp.com.55501 > castor.dfwlp.com.domain:  19827+ 
? www.srh.noaa.gov.dev.dfwlp.com. (48)
19:08:07.743019 IP castor.dfwlp.com.domain > athena.dfwlp.com.55501:  19827 
NXDomain* 0/1/0 (100)
19:08:07.743217 IP athena.dfwlp.com.60487 > castor.dfwlp.com.domain:  19828+ 
? www.srh.noaa.gov.heavysystems.com. (51)
19:08:12.746734 IP athena.dfwlp.com.52106 > pollux.dfwlp.com.domain:  19828+ 
? www.srh.noaa.gov.heavysystems.com. (51)
19:08:12.830693 IP pollux.dfwlp.com.domain > athena.dfwlp.com.52106:  19828 
NXDomain 0/1/0 (130)
19:08:12.831056 IP athena.dfwlp.com.55505 > castor.dfwlp.com.domain:  19829+[|
domain]
19:08:17.834446 IP athena.dfwlp.com.57718 > pollux.dfwlp.com.domain:  19829+[|
domain]
19:08:17.887176 IP pollux.dfwlp.com.domain > athena.dfwlp.com.57718:  19829 
NXDomain 0/1/0 (134)
19:08:17.887663 IP athena.dfwlp.com.63356 > castor.dfwlp.com.domain:  19830+ 
A? www.srh.noaa.gov. (34)
19:08:17.926964 IP castor.dfwlp.com.domain > athena.dfwlp.com.63356:  19830 
1/3/0 A www.srh.noaa.gov (109)

i just rebuilt my kernel and pulled INET6 out, so i'll test how that operates 
right now (without doing any switch or pfsense reboots).

thanks,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]

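The capture above shows the resolver on athena walking its search list (dfwlp.com, dev.dfwlp.com, heavysystems.com) after the bare-name query came back with zero answer records, and two five-second gaps where castor never answered and the client re-sent the same transaction ID to pollux. The Python below is an added example, not part of the original thread: it parses those exact tcpdump lines (re-joined where the mailer wrapped them), pairs each query with its answer by transaction ID, and reports per-query latency, retries and the total wall-clock time of the lookup. The function names are mine and the parser only handles the line shape tcpdump printed in this post.

```python
import re

# The tcpdump lines quoted in the post above, re-joined where the mail client
# wrapped them at 80 columns.  Nothing in this sample is invented.
CAPTURE = """\
19:08:07.402296 IP athena.dfwlp.com.63407 > castor.dfwlp.com.domain:  19825+ ? www.srh.noaa.gov. (34)
19:08:07.742227 IP castor.dfwlp.com.domain > athena.dfwlp.com.63407:  19825 0/1/0 (95)
19:08:07.742593 IP athena.dfwlp.com.53385 > castor.dfwlp.com.domain:  19826+ ? www.srh.noaa.gov.dfwlp.com. (44)
19:08:07.742673 IP castor.dfwlp.com.domain > athena.dfwlp.com.53385:  19826 NXDomain* 0/1/0 (96)
19:08:07.742967 IP athena.dfwlp.com.55501 > castor.dfwlp.com.domain:  19827+ ? www.srh.noaa.gov.dev.dfwlp.com. (48)
19:08:07.743019 IP castor.dfwlp.com.domain > athena.dfwlp.com.55501:  19827 NXDomain* 0/1/0 (100)
19:08:07.743217 IP athena.dfwlp.com.60487 > castor.dfwlp.com.domain:  19828+ ? www.srh.noaa.gov.heavysystems.com. (51)
19:08:12.746734 IP athena.dfwlp.com.52106 > pollux.dfwlp.com.domain:  19828+ ? www.srh.noaa.gov.heavysystems.com. (51)
19:08:12.830693 IP pollux.dfwlp.com.domain > athena.dfwlp.com.52106:  19828 NXDomain 0/1/0 (130)
19:08:12.831056 IP athena.dfwlp.com.55505 > castor.dfwlp.com.domain:  19829+[|domain]
19:08:17.834446 IP athena.dfwlp.com.57718 > pollux.dfwlp.com.domain:  19829+[|domain]
19:08:17.887176 IP pollux.dfwlp.com.domain > athena.dfwlp.com.57718:  19829 NXDomain 0/1/0 (134)
19:08:17.887663 IP athena.dfwlp.com.63356 > castor.dfwlp.com.domain:  19830+ A? www.srh.noaa.gov. (34)
19:08:17.926964 IP castor.dfwlp.com.domain > athena.dfwlp.com.63356:  19830 1/3/0 A www.srh.noaa.gov (109)
"""

# timestamp, src endpoint, dst endpoint, DNS transaction id, everything after it
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+):\s+(?P<id>\d+)(?P<rest>.*)$"
)


def _seconds(ts):
    """'19:08:07.402296' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _split_endpoint(endpoint):
    """'athena.dfwlp.com.63407' -> ('athena.dfwlp.com', '63407'); tcpdump prints port 53 as 'domain'."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_capture(text):
    """Group the capture by transaction id: every send of a query plus the first answer."""
    tx = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DNS line in the shape we expect
        ts = _seconds(m["ts"])
        src, sport = _split_endpoint(m["src"])
        dst, dport = _split_endpoint(m["dst"])
        entry = tx.setdefault(int(m["id"]), {"sends": [], "answer": None})
        if dport == "domain":  # client -> server
            qm = re.search(r"\? (\S+)", m["rest"])  # absent on truncated '[|domain]' lines
            entry["sends"].append({"ts": ts, "server": dst, "qname": qm.group(1) if qm else None})
        elif sport == "domain" and entry["answer"] is None:  # server -> client
            entry["answer"] = {"ts": ts, "server": src, "nxdomain": "NXDomain" in m["rest"]}
    return tx


def summarize(tx):
    """One row per transaction: who it was sent to, whether it was retried, and how long it took."""
    rows = []
    for qid in sorted(tx):
        e = tx[qid]
        if not e["sends"]:
            continue  # answer without a captured query
        servers = [s["server"] for s in e["sends"]]
        ans = e["answer"]
        answered_by = ans["server"] if ans else None
        rows.append({
            "id": qid,
            "qname": e["sends"][0]["qname"],
            "servers": servers,
            "retried": len(servers) > 1,
            "latency": (ans["ts"] - e["sends"][0]["ts"]) if ans else None,
            "nxdomain": ans["nxdomain"] if ans else None,
            # servers the client gave up on before someone else answered
            "timed_out_on": [s for s in servers if s != answered_by],
        })
    return rows


def slow_transactions(rows, threshold=1.0):
    """Transaction ids that took longer than `threshold` seconds to get any answer."""
    return [r["id"] for r in rows if r["latency"] is not None and r["latency"] > threshold]


def total_wall_time(tx):
    """Seconds from the first query sent to the last answer received."""
    first = min(s["ts"] for e in tx.values() for s in e["sends"])
    last = max(e["answer"]["ts"] for e in tx.values() if e["answer"])
    return last - first


if __name__ == "__main__":
    tx = parse_capture(CAPTURE)
    for r in summarize(tx):
        print(r)
    print("slow:", slow_transactions(summarize(tx)), "total: %.3fs" % total_wall_time(tx))
```

Run against the post's own lines, the report shows two of the five lookups taking just over five seconds each (the retry interval to the second server), and about ten and a half seconds between the first query and the final A record, which matches the 10-15 second page-open delay described in the original report.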



Re: [pfSense Support] anyone noticed slowdown in RC1 or RC2?

2007-09-04 Thread Jonathan Horne
all,

my network has been functioning correctly for me since the other day... 
immediately following a reboot of my switch (netgear, about 7 year old 16 port 
10/100).

my client who is having the same issue (but on a much larger, much more painfully 
slow scale than I, urf..) has recently deployed many vista stations 
(which i'm sure *all* have ipv6 enabled, as they are all out of the box OS 
installs).

myself, i have a FreeBSD desktop, a mac, and a vista and an XP that rarely get 
turned on.  in my freebsd kernel config, i do have 'options INET6' in there, 
but i never figured it was affecting me due to my ifconfig looking like this:

bge0: flags=8843 mtu 1500
options=1b
inet 192.168.125.83 netmask 0xff80 broadcast 192.168.125.127
ether 00:13:21:62:c6:24
media: Ethernet autoselect (1000baseTX )
status: active
lo0: flags=8049 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff00

my freebsd is dhcp... not that i think about ipv6 at all, but i guess i would 
have thought that if i was using any ipv6 it would have been handed out by 
the pfsense.  i really honestly haven't looked at any IPv6... ever, as i 
haven't been put into a situation where it affects me (until now i suppose!)

either way, that's neither here nor there.  for the past few days since my 
switch reboot, everything has been running smoothly.  I also really didn't 
give any good scientific testing of the other OSes i have around my house... 
i just kinda figured if FreeBSD (being the best one, of course!) is 
experiencing it, they all must.

and both my freebsd and mac laptops which i use in the field at client sites 
had the same problem when visiting my "issue" site as well... so i have seen 
it on a mac i guess.

anyway, that's where i stand for now.  i guess it wouldn't be any trouble to 
rebuild my kernels without the INET6, if that would help.
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]




[pfSense Support] anyone noticed slowdown in RC1 or RC2?

2007-08-29 Thread Jonathan Horne
i have a client who has been running pfsense since january.  i recently 
updated him to 1.2-RC1, and since then, his internet browsing for his site 
has been really poor.  when a browser is opened, the initial connection to 
the site takes 10-15 seconds, then the site starts to open.  other links 
within the site will seem to work fine, but when you try to open another 
site, pause... then it opens.

a few days ago, my RC1 pfsense started doing the same thing.  i updated it to 
RC2, and for a short while the problem seemed to have passed, but now it's 
back again.

has anyone else experienced anything like this?  both of these pfsense boxes 
in question are p4 1.8 or higher boxes, with 512 or 768 MB ram, and have 
never been a problem before.

also, if i get into a pinch and have a dire need to go back to an older 
firmware, is that type of downgrade supported, or would i have to do a 
reinstall/config reload?

thanks,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]




[pfSense Support] spoke and hub ipsec vpn?

2007-07-11 Thread Jonathan Horne
if i am site A, and i have an ipsec vpn to site B and site C, right now i 
can ping from A-B, and from A-C (and vice versa).  is there any way to set up 
to allow site B to ping site C, without setting up a tunnel between them (ie, 
to pass thru site A)?

just curious,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
[EMAIL PROTECTED]




Re: [pfSense Support] Firewall Rule Help?

2007-03-18 Thread Jonathan Horne
On Sun, 18 Mar 2007 16:24:10 -0400
"Vaughn L. Reid III" <[EMAIL PROTECTED]> wrote:

> I'll post the config file a little later today, when I get to my test 
> box.  In the mean time, I want to make it clear that subnet 2 is not 
> directly connected to the pfsense box.
> 
> Currently, the pfsense box has 4 interfaces:  a Lan interface which is 
> connected to subnet 1, a Wan interface, and 2 Opt interfaces.  Opt 1 is 
> called ATTDSL.  This interface is the point of internet contact for a 
> proxy server that lives on subnet 1 and was configured for this usage 
> via a firewall rule as described in the policy routing tutorial on the 
> pfsense website.  The second Opt interface is called Wireless and will 
> be used to test external VPN connections between offices via 802.11 
> access points.  Subnet 2 is not directly physically connected to the 
> pfsense box.  An openSuse router sits between subnet 1 and subnet 2 and 
> handles routing between these two subnets.
> 
> A review of the symptoms of the problem that I'm having is that when I 
> replace the pfsense with a linksys RV series router or Hotbrick router, 
> both subnet 1 and subnet 2 are able to access the internet and to ping 
> the router.  When the pfsense box is in place, even with explicit rules 
> allowing all traffic to all locations from the entire 192.168.0.0/16 
> network on the LAN interface, the pfsense box explicitly denies and logs 
> all traffic trying to pass to it or through it from subnet 2.
> 
> Vaughn
> 
> sai wrote:
> > On 3/18/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >> I have a pfsense firewall in a test network like the one below.
> >>
> >>Internet
> >>   provider 1 |  | provider 2
> >>  Pfsense Firewall -- LAN
> >> IP 192.168.10.1/24
> >>  |
> >>  Subnet 1 --
> >> 192.168.10.x/24
> >>  |
> >>Internal Router  --
> >> Subnet 1 IP 192.168.10.14 -- Subnet 2 IP 192.168.12.1
> >>  |
> >>  Subnet 2
> >> 192.168.12.x/24
> >>
> >>
> >> I am having trouble getting the clients on Subnet 2 to get access to
> >> either the Internet or to the interface of the pfsense box.  I have the
> >> following rules entered into the firewall and NAT:
> >> Firewall:
> >> LAN
> >> Allow * from 192.168.0.0/16 to *
> >>
> >> NAT:
> >> Do Outbound NAT on 192.168.0.0/16
> >>
> >> Here are the symptoms of the problem that I'm having.
> >> When I try to ping or connect to the pfsense box from subnet 1, I can
> >> ping and connect to it without any problems.  When I try to ping or
> >> connect to it from subnet 2, the connection is refused.  In addition, I
> >> can connect to Internet resources normally from subnet 1, but not from
> >> subnet 2.
> >>
> >> I thought that maybe the internal router was the problem, so I replaced
> >> the pfsense box with an el-cheapo router and everything worked correctly
> >> from both subnets without any changes to the internal router. I have
> >> also tried specifying allow rules for each subnet in the pfsense
> >> firewall rules page, but that seemed to have no effect.  I am using the
> >> March 18th, 2007 daily build of the pfsense stable.
> >>
> >> I also noticed that the firewall log on the pfsense box is logging that
> >> it is dropping everything that is coming to it from subnet 2.
> >>
> >> If anyone can help me come up with a solution, I'd appreciate it.
> >>
> >> Thanks,
> >>
> >> Vaughn
> >>
> >
> >
> > Firewall Rules > add a rule for the subnet2 interface that allows the 
> > traffic.
> >
> > post the config for the interface and also the firewall rules for  
> > subnet2
> >
> > sai
> >
> >
> 
> 

adding the rule as previously mentioned should do the trick.  the linksys 
routers and other such don't have the same mandatory ACLs on the internal 
interface like the pf routing would.  i used to have the exact same setup as 
you are describing, and once i added a rule to allow my 10.0.0.0 network access 
(even tho just like yours, it didn't have physical access, it had to pass thru a 
linux router first), everything started working.

cheers,
jonathan


Re: [pfSense Support] Wake-On-Lan

2006-12-21 Thread Jonathan Horne
i use the freebsd port net/wakeonlan.  i wake up my extra workstation, my dev 
vmware server, and my backup server with a cron job every morning.

 55  7   *   *   *   root/usr/local/bin/wakeonlan -i 
192.168.125.127 00:20:ed:35:dc:61 00:07:e9:18:79:e9 00:30:48:21:fd:ea 
> /dev/null 2>&1

i think the wakeonlan binary also supports inputting from a list of mac 
addresses, when your list gets too long to manage from a single cron line.  
just call the binary and its list, and off you go.  the man will tell you all 
about it.

cheers,
jonathan

On Thursday 21 December 2006 04:18, Josep Pujadas i Jubany wrote:
> On Thu, 21 Dec 2006 10:18:28 +0100, Holger Bauer wrote
>
> > Did you see the "wake all clients at once" button above the list at
> > services>wake on lan? You also have an option to quickly add wake on
> > lan clients at status>dhcp leases (check buttons at the right), at
> > least if the pfSense is your dhcp server.
> >
> > Holger
>
> Holger,
>
> No, I didn't see it. But I would like something more sophisticated,
> automatic with schedule.
>
> Nice buttons, but not enough for our needs ...
>
> Thanks,
>
> Josep Pujadas
>
>

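The cron line above wakes three machines by sending Wake-on-LAN magic packets to the LAN's directed-broadcast address (192.168.125.127). For anyone who wants to see what wakeonlan actually puts on the wire, here is an added Python example that is not part of the original post or of the wakeonlan port: it builds the magic packet (six 0xFF bytes followed by the target MAC repeated sixteen times), reads a MAC list file of the kind the post mentions, validates every entry before sending anything, and sends one UDP datagram per MAC. The three MACs are the ones from the cron line; the list-file format (one MAC per line, `#` comments) and the default UDP port 9 are my assumptions.

```python
import ipaddress
import re
import socket

# Six hex pairs separated by ':' or '-'
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}$")


def is_valid_mac(mac):
    return bool(MAC_RE.match(mac))


def magic_packet(mac):
    """Wake-on-LAN magic packet: 6 x 0xFF followed by the MAC repeated 16 times (102 bytes)."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    raw = bytes.fromhex(re.sub(r"[:-]", "", mac))
    return b"\xff" * 6 + raw * 16


def load_mac_list(text):
    """Parse a MAC list: one address per line, '#' starts a comment, blank lines ignored."""
    macs = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            macs.append(entry)
    return macs


def wake(macs, broadcast_ip, port=9):
    """Send one magic packet per MAC to the given directed-broadcast address; returns the count sent."""
    target = str(ipaddress.ip_address(broadcast_ip))  # raises on a malformed address
    packets = [magic_packet(m) for m in macs]          # validate everything before sending anything
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for pkt in packets:
            sock.sendto(pkt, (target, port))
    return len(packets)


# Constructed list file holding the three MACs from the cron line in the post.
MAC_LIST = """\
# extra workstation
00:20:ed:35:dc:61
# dev vmware server
00:07:e9:18:79:e9
# backup server
00:30:48:21:fd:ea
"""

if __name__ == "__main__":
    sent = wake(load_mac_list(MAC_LIST), "192.168.125.127")
    print(f"sent {sent} magic packets")
```

The packet carries no authentication; the only thing that limits who can wake a host is whether the broadcast frame reaches the host's segment, which is why the directed-broadcast address of the right subnet (and nothing else sharing that address space) matters, as the later WOL thread on this page found out.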



[pfSense Support] ok throw a bucket of ice water on me and wake me up

2006-12-09 Thread Jonathan Horne
i previously had 2 sites, both with pfsense firewalls.

site a - 192.168.125.0/26
site b - 192.168.125.64/26

i recently did away with site a, and since those ips were no longer in use, i 
decided to change my site b from a /26 to a /25.  so i started with the 
pfsense box.  its ip was previously 192.168.125.65, and i changed it to 
192.168.125.1.  saved changes.  

now, all the hosts at site b are also on the same 192.168.125.64/26, with ips 
between x.x.x.65-127.  theoretically, with site a gone, they should be able 
to ping nothing below 64, since they are off their network.  but, as soon as 
the pfsense interface was back up, hosts that had ips between x.x.x.65-127 
were already able to ping 192.168.125.1, and any other hosts on the internet 
(even tho the gateway on their network was no longer there!  .65 was 
unpingable).

uh, i thought i understood the basic concepts of subnetting, and if i had it 
all wrong, then why was my previous vpn between site b and a working 
perfectly?  or is there some devilry or trickery in the way bsd does its tcp?

totally confused,
jonathan

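The renumbering in the post (site b moving from 192.168.125.64/26 to 192.168.125.0/25, gateway from .65 to .1) is exactly the kind of change worth checking on paper before touching the firewall. The Python below is an added example, not from the original thread, that uses the standard `ipaddress` module to answer the questions the post raises from the hosts' point of view: is the new gateway on-link for a host still configured with the old /26, is the old network a subnet of the new one, and do the two share a broadcast address. The sample host addresses are constructed and the function names are mine; the report does not claim to explain why the hosts could still reach .1, which the thread leaves open.

```python
import ipaddress


def on_link(host_cidr, target):
    """Would a host configured as host_cidr (e.g. '192.168.125.70/26') treat target as directly reachable?"""
    return ipaddress.ip_address(target) in ipaddress.ip_interface(host_cidr).network


def renumbering_report(old_net, new_net, old_gateway, new_gateway, hosts):
    """Compare an old and a new LAN definition from the point of view of hosts that have not been updated yet."""
    old = ipaddress.ip_network(old_net)
    new = ipaddress.ip_network(new_net)
    return {
        # the old /26 sits entirely inside the new /25
        "old_inside_new": old.subnet_of(new),
        # both networks end at the same last address, so their broadcast addresses coincide
        "same_broadcast": old.broadcast_address == new.broadcast_address,
        # every existing host address is still a valid address in the new network
        "hosts_valid_in_new": all(ipaddress.ip_address(h) in new for h in hosts),
        # the old gateway address is still inside the new network
        "old_gateway_valid_in_new": ipaddress.ip_address(old_gateway) in new,
        # a host that still has the old mask sees the new gateway as off-link
        "new_gateway_on_link_for_unchanged_hosts": ipaddress.ip_address(new_gateway) in old,
        # hosts that must get the new mask before they can use the new gateway directly
        "hosts_needing_reconfig": [
            h for h in hosts if not on_link(f"{h}/{old.prefixlen}", new_gateway)
        ],
    }


# Constructed sample hosts in the x.x.x.65-127 range the post describes.
SITE_B_HOSTS = ["192.168.125.70", "192.168.125.100", "192.168.125.126"]

if __name__ == "__main__":
    report = renumbering_report("192.168.125.64/26", "192.168.125.0/25",
                                "192.168.125.65", "192.168.125.1", SITE_B_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the post's numbers the report says the old /26 is inside the new /25 and both share the broadcast address 192.168.125.127, but that for a host still carrying the /26 mask, 192.168.125.1 is off-link and .65 is the only gateway it knows; every host therefore needs its mask and gateway updated (via DHCP or by hand) for the renumbering to be complete.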



[pfSense Support] an openvpn doc?

2006-12-05 Thread Jonathan Horne
does a doc exist that describes how to use openvpn to create a static tunnel 
between two pfsense boxes?

thanks,
jonathan




[pfSense Support] pfsense load balancing question

2006-12-05 Thread Jonathan Horne
last night, a site i admin for got slashdotted.  the site owner wants to
put in another business cable line, but the ISP is unable to bond them
into a single double speed connection.

our firewall is pfsense 1.0.1.  could we use pfsense's load balancing
features to balance inbound httpd connections across 2 connections?  i was
always under the impression that the load balancing was to serve the
internal users going outbound.

thanks,
jonathan





Re: [pfSense Support] WOL stopped working [Fixed]

2006-09-26 Thread Jonathan Horne
On Tuesday 26 September 2006 22:20, Jonathan Horne wrote:
> after i tweaked openvpn today, WOL has stopped working.  it was previously
> working perfectly on all my computers.  i could wake them up no problems.
>
> the change i made today on my pfsense box, was to set the openvpn subnet to
> 192.168.125.112/28.  all my hosts on my lan are 192.168.125.64/26, and all
> lan hosts have ip addresses that fall between 192.168.125.65-95 (thus my
> openvpn occupying 192.168.125.113-126, and both networks would have
> 192.168.125.127 as broadcast address).
>
> the part i'm totally head-scratching over is that i was under the
> impression that WOL was a physical connectivity deal, and had nothing to do
> with subnets or the like.  physical mac-to-mac communications?
>
> where can i begin for troubleshooting this issue?  could my openvpn change
> really be the root of this problem?
>
> thanks,
> jonathan
>

*boggle* when i removed the overlapping openvpn subnet, WOL started working 
again.  i ended up having to revert to my previous openvpn subnet 
configuration, and create a second VPN tunnel to my other site for the 
openvpn subnet to use.

i hope a future release of pfsense will implement a gui editor to allow more 
than one subnet to access a single vpn tunnel!  if i had many sites, it would 
sure be a pain to create a pair of tunnels for each one, just so that road 
warriors could have access everywhere they need.

cheers,
jonathan




[pfSense Support] WOL stopped working

2006-09-26 Thread Jonathan Horne
after i tweaked openvpn today, WOL has stopped working.  it was previously 
working perfectly on all my computers.  i could wake them up no problems.

the change i made today on my pfsense box, was to set the openvpn subnet to 
192.168.125.112/28.  all my hosts on my lan are 192.168.125.64/26, and all 
lan hosts have ip addresses that fall between 192.168.125.65-95 (thus my 
openvpn occupying 192.168.125.113-126, and both networks would have 
192.168.125.127 as broadcast address).

the part i'm totally head-scratching over is that i was under the impression 
that WOL was a physical connectivity deal, and had nothing to do with subnets 
or the like.  physical mac-to-mac communications?

where can i begin for troubleshooting this issue?  could my openvpn change 
really be the root of this problem?

thanks,
jonathan




Re: [pfSense Support] YAOI (yet another openvpn issue) [Resolved]

2006-09-26 Thread Jonathan Horne
> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> > On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> >> > On 9/26/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
>> >> >> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> >> >> > i know there has been a million threads about openvpn lately, so it's
>> >> >> > time to throw mine into the mix too.
>> >> >> >
>> >> >> > i have 2 sites, with an ipsec tunnel between them.  site 1 is
>> >> >> > 192.168.125.0/26 and site 2 is 192.168.125.64/26.  both sites are
>> >> >> > just a simple single pfsense box (no carp or redundants or anything
>> >> >> > fancy).  the ipsec vpn works great, and any host at any site can
>> >> >> > connect to any other host.
>> >> >> >
>> >> >> > site 2 has the openvpn on it, and i can connect in fine with windows
>> >> >> > xp from the internet.  once connected, i can connect to any host at
>> >> >> > site2 with no problems.  my issue, is that i cannot traverse the
>> >> >> > ipsec vpn to hosts at site1.
>> >> >> >
>> >> >> > anyone have any ideas where i can begin to troubleshoot this issue?
>> >> >>
>> >> >> are you pushing the additional ipsec routes to your openvpn clients
>> >> >> via the pfsense custom options field?  (see the note in the wiki docs
>> >> >> on how to do this)
>> >> >
>> >> > And is the OpenVPN range part of the IPSec tunnel?
>> >> >
>> >> > --Bill
>> >>
>> >> if i understand your question correctly, no sir, my openvpn range is
>> >> separate.  192.168.125.128/26.
>> >>
>> >> thank you,
>> >> jonathan
>> >
>> > Then the IPSec definition doesn't match and the traffic won't be
>> > forwarded over the tunnel.
>> >
>> > --Bill
>>
>> ah, i can see how that would be a problem.  where do i need to go in the
>> gui to fix this?
>
> We don't have an obvious way to add another network to a tunnel.
> However, you can create another tunnel with the same endpoints and the
> new network in it.  It's a little duplication, but it does work.
>
> --Bill

thank you bill.  rather than creating a new vpn tunnel, i just changed the
vpn subnet to 192.168.125.112/28 (technically within the 192.168.125.64/26
footprint).  this has caused vpn clients to be able to traverse to my
192.168.125.0/26 site1 now.  my only inconvenience was that i had to move
my site2 dhcp scope a bit, which really isn't a big deal at all.

cheers,
jonathan


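Taken together, the YAOI thread and the two WOL posts above describe one address-planning problem from both sides: the first OpenVPN range (192.168.125.128/26) lay outside the IPsec phase 2 local network, so the tunnel never carried road-warrior traffic; the replacement (192.168.125.112/28) lay inside the LAN's /26, which fixed traversal but overlapped the LAN, forced the DHCP scope to move, and coincided with WOL breaking. The Python below is an added example, not pfSense code, that checks a proposed layout for exactly those three conditions with the standard `ipaddress` module. "Local selector" is my term for the IPsec phase 2 local network, and the DHCP pool bounds are taken from the WOL post's description of LAN hosts living in .65-.95.

```python
import ipaddress


def check_vpn_layout(lan, openvpn_net, ipsec_local_nets, dhcp_pool=None):
    """Lint an OpenVPN tunnel network against the LAN, the IPsec local selectors and the DHCP pool.

    Returns a dict of boolean findings plus human-readable explanations.
    """
    lan_n = ipaddress.ip_network(lan)
    ovpn = ipaddress.ip_network(openvpn_net)
    selectors = [ipaddress.ip_network(n) for n in ipsec_local_nets]
    findings = []

    # 1. The tunnel network must not share address space with the LAN.
    overlaps_lan = ovpn.overlaps(lan_n)
    if overlaps_lan:
        findings.append(f"OpenVPN network {ovpn} overlaps LAN {lan_n}: "
                        "LAN hosts and tunnel clients would share one address range")

    # 2. For clients to reach the far site, the tunnel network has to be inside an
    #    IPsec local selector, otherwise the IPsec policy never matches their traffic.
    covered = any(ovpn.subnet_of(sel) for sel in selectors)
    if not covered:
        findings.append(f"OpenVPN network {ovpn} is not inside any IPsec local selector "
                        f"{[str(s) for s in selectors]}: traffic from VPN clients will not "
                        "be sent through the site-to-site tunnel")

    # 3. The DHCP pool must not hand out addresses that the tunnel also assigns.
    pool_clash = False
    if dhcp_pool:
        start, end = (ipaddress.ip_address(a) for a in dhcp_pool)
        pool_clash = any(ovpn.overlaps(block)
                         for block in ipaddress.summarize_address_range(start, end))
        if pool_clash:
            findings.append(f"DHCP pool {dhcp_pool[0]}-{dhcp_pool[1]} hands out addresses "
                            f"inside the OpenVPN network {ovpn}")

    return {"overlaps_lan": overlaps_lan, "covered_by_ipsec": covered,
            "dhcp_pool_clash": pool_clash, "findings": findings}


if __name__ == "__main__":
    site2_lan = "192.168.125.64/26"
    cases = {
        "original YAOI layout": dict(openvpn_net="192.168.125.128/26",
                                     ipsec_local_nets=[site2_lan]),
        "[Resolved] layout":    dict(openvpn_net="192.168.125.112/28",
                                     ipsec_local_nets=[site2_lan],
                                     dhcp_pool=("192.168.125.65", "192.168.125.95")),
        "Bill's second tunnel": dict(openvpn_net="192.168.125.128/26",
                                     ipsec_local_nets=[site2_lan, "192.168.125.128/26"]),
    }
    for name, kwargs in cases.items():
        result = check_vpn_layout(site2_lan, **kwargs)
        print(name, "->", result["findings"] or ["no findings"])
```

The first case reproduces the original complaint (not covered by IPsec), the second reproduces the workaround that later collided with WOL (overlaps the LAN), and the third is the suggestion from the thread of a second phase 2 entry for the OpenVPN range, which is the only one of the three that passes all checks.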



Re: [pfSense Support] YAOI (yet another openvpn issue)

2006-09-26 Thread Jonathan Horne
> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> > On 9/26/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
>> >> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> >> > i know there has been a million threads about openvpn lately, so it's
>> >> > time to throw mine into the mix too.
>> >> >
>> >> > i have 2 sites, with an ipsec tunnel between them.  site 1 is
>> >> > 192.168.125.0/26 and site 2 is 192.168.125.64/26.  both sites are
>> >> > just a simple single pfsense box (no carp or redundants or anything
>> >> > fancy).  the ipsec vpn works great, and any host at any site can
>> >> > connect to any other host.
>> >> >
>> >> > site 2 has the openvpn on it, and i can connect in fine with windows
>> >> > xp from the internet.  once connected, i can connect to any host at
>> >> > site2 with no problems.  my issue, is that i cannot traverse the
>> >> > ipsec vpn to hosts at site1.
>> >> >
>> >> > anyone have any ideas where i can begin to troubleshoot this issue?
>> >>
>> >> are you pushing the additional ipsec routes to your openvpn clients
>> >> via the pfsense custom options field?  (see the note in the wiki docs
>> >> on how to do this)
>> >
>> > And is the OpenVPN range part of the IPSec tunnel?
>> >
>> > --Bill
>>
>> if i understand your question correctly, no sir, my openvpn range is
>> separate.  192.168.125.128/26.
>>
>> thank you,
>> jonathan
>
> Then the IPSec definition doesn't match and the traffic won't be
> forwarded over the tunnel.
>
> --Bill


ah, i can see how that would be a problem.  where do i need to go in the
gui to fix this?

thanks,
jonathan






Re: [pfSense Support] YAOI (yet another openvpn issue)

2006-09-26 Thread Jonathan Horne
> On 9/26/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
>> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> > i know there has been a million threads about openvpn lately, so it's
>> > time to throw mine into the mix too.
>> >
>> > i have 2 sites, with an ipsec tunnel between them.  site 1 is
>> > 192.168.125.0/26 and site 2 is 192.168.125.64/26.  both sites are
>> > just a simple single pfsense box (no carp or redundants or anything
>> > fancy).  the ipsec vpn works great, and any host at any site can
>> > connect to any other host.
>> >
>> > site 2 has the openvpn on it, and i can connect in fine with windows
>> > xp from the internet.  once connected, i can connect to any host at
>> > site2 with no problems.  my issue, is that i cannot traverse the
>> > ipsec vpn to hosts at site1.
>> >
>> > anyone have any ideas where i can begin to troubleshoot this issue?
>>
>> are you pushing the additional ipsec routes to your openvpn clients
>> via the pfsense custom options field?  (see the note in the wiki docs
>> on how to do this)
>
> And is the OpenVPN range part of the IPSec tunnel?
>
> --Bill

if i understand your question correctly, no sir, my openvpn range is
separate.  192.168.125.128/26.

thank you,
jonathan






[pfSense Support] YAOI (yet another openvpn issue)

2006-09-26 Thread Jonathan Horne
i know there has been a million threads about openvpn lately, so it's time
to throw mine into the mix too.

i have 2 sites, with an ipsec tunnel between them.  site 1 is
192.168.125.0/26 and site 2 is 192.168.125.64/26.   both sites are just a
simple single pfsense box (no carp or redundants or anything fancy).  the
ipsec vpn works great, and any host at any site can connect to any other
host.

site 2 has the openvpn on it, and i can connect in fine with windows xp
from the internet.  once connected, i can connect to any host at site2
with no problems.  my issue, is that i cannot traverse the ipsec vpn to
hosts at site1.

anyone have any ideas where i can begin to troubleshoot this issue?

cheers,
jonathan





Re: [pfSense Support] YAOI (yet another openvpn issue)

2006-09-26 Thread Jonathan Horne
> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> i know there has been a million threads about openvpn lately, so its
>> time
>> to throw mine into the mix too.
>>
>> i have 2 sites, with an ipsec tunnel between them.  site 1 is
>> 192.168.125.0/26 and site 2 is 192.168.125.64/26.   both sites are just
>> a
>> simple single pfsense box (no carp or redundants or anything fancy).  the
>> ipsec vpn works great, and any host at any site can connect to any other
>> host.
>>
>> site 2 has the openvpn on it, and i can connect in fine with windows xp
>> from the internet.  once connected, i can connect to any host at site2
>> with no problems.  my issue, is that i cannot traverse the ipsec vpn to
>> hosts at site1.
>>
>> anyone have any ideas where i can begin to troubleshoot this issue?
>>
>
> are you pushing the additional ipsec routes to your openvpn clients
> via the pfsense custom options field?  (see the note in the wiki docs
> on how to do this)

apologies, i forgot to mention that i did carefully follow the wiki
article.  i did include:

push "route 192.168.125.0 255.255.255.192"

the XP box does show the route for the site1 network (192.168.125.0/26)
and site2 network, so everything on the client end appears correct.

cheers,
jonathan






Re: [pfSense Support] OpenVPN

2006-09-22 Thread Jonathan Horne
On Friday 22 September 2006 12:39, Scott Ullrich wrote:
> Who out there actually uses OpenVPN and it works for them?
>
> Please either respond here and describe your setup or reply privately to
> me.
>
> We have a influx of OpenVPN problem reports and I am starting to
> wonder if it works correctly at all.
>

i can successfully establish an inbound connection from a windows box, and then 
connect to any host on the openvpn-pfsense's network.

but,  i cannot traverse the ipsec vpn to hosts on the other side of another 
remote pfsense box.  also, if i set any dhcp settings for the vpn interface, 
then the lan dhcp server stops working.

jonathan


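The symptom in both the "YAOI" thread and the reply above (OpenVPN clients can reach site 2 but not hosts across the IPsec tunnel at site 1, even though the route is pushed and shows up on the XP client) is usually a policy problem, not a routing one: the pushed route gets the packet to the site 2 firewall, but IPsec only encrypts a packet when some phase 2 (SPD entry) covers its source and destination, and a LAN-to-LAN phase 2 does not cover the OpenVPN tunnel network. The following is an added example, not code from the list thread or from pfSense; it models SPD selection the way racoon/setkey apply it and checks both directions, since site 1 also needs a phase 2 for the return traffic. The subnets are the ones from the thread; the host addresses and the reason strings are constructed.

```python
"""Added example (not from the pfSense list or the pfSense project): a model of
IPsec policy (SPD) selection, showing why OpenVPN clients behind site 2 cannot
reach site 1 through the site-to-site tunnel until the OpenVPN tunnel network
is itself covered by a phase 2 entry on BOTH firewalls.

Subnets are the thread's; host addresses and reason strings are constructed.
"""
from ipaddress import ip_address, ip_network

SITE1 = ip_network("192.168.125.0/26")    # site 1 LAN
SITE2 = ip_network("192.168.125.64/26")   # site 2 LAN (runs the OpenVPN server)
OVPN = ip_network("192.168.125.128/26")   # OpenVPN client tunnel network


def spd_match(src, dst, spd):
    """Return the first (local, remote) selector covering src -> dst, or None.

    An SPD here is a list of (local_net, remote_net) pairs, one per phase 2.
    racoon/setkey only encrypt a packet when some entry covers it; anything
    else is forwarded in the clear, and a private far-side address then has
    no usable route and is dropped.
    """
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in spd:
        if src in local and dst in remote:
            return local, remote
    return None


def diagnose(client_ip, target_ip, site2_spd, site1_spd):
    """Trace a packet from an OpenVPN client (behind site 2) to a site 1 host
    and back.  Returns (reachable, reason)."""
    # 1. The pushed route gets the packet to site 2's firewall; that is the
    #    'push "route ..."' line in the thread and is taken as correct.
    # 2. Site 2 must select an SA for client -> target.
    if spd_match(client_ip, target_ip, site2_spd) is None:
        return False, f"site 2 has no phase 2 covering {client_ip} -> {target_ip}"
    # 3. Site 1 must accept the decrypted packet AND select an SA for the reply.
    if spd_match(target_ip, client_ip, site1_spd) is None:
        return False, (f"site 1 has no phase 2 covering {target_ip} -> {client_ip}; "
                       "the reply would leave in the clear")
    return True, "both directions are covered"


# As described in the thread: one LAN-to-LAN phase 2 per side.
SITE2_SPD_ORIG = [(SITE2, SITE1)]
SITE1_SPD_ORIG = [(SITE1, SITE2)]

# Fix: an additional phase 2 on each side for the OpenVPN network.
# .64/26 and .128/26 cannot be summarised into one prefix (a /25 boundary
# sits between them), so it cannot be done by widening the existing mask.
SITE2_SPD_FIXED = SITE2_SPD_ORIG + [(OVPN, SITE1)]
SITE1_SPD_FIXED = SITE1_SPD_ORIG + [(SITE1, OVPN)]

if __name__ == "__main__":
    client, target = "192.168.125.130", "192.168.125.10"  # constructed hosts
    for label, s2, s1 in [("original", SITE2_SPD_ORIG, SITE1_SPD_ORIG),
                          ("site 2 only fixed", SITE2_SPD_FIXED, SITE1_SPD_ORIG),
                          ("both fixed", SITE2_SPD_FIXED, SITE1_SPD_FIXED)]:
        ok, why = diagnose(client, target, s2, s1)
        print(f"{label:18s} reachable={ok}: {why}")
```

The "site 2 only fixed" case is the one that wastes the most troubleshooting time: outbound packets are encrypted and arrive at site 1, so a packet capture on the site 2 tunnel looks healthy, but site 1 has no policy for the reply and the connection still fails. Whatever subnet the OpenVPN server hands out has to appear as a remote network on the far firewall as well as a local network on the near one.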


Re: [pfSense Support] Configuring pfSense box with same range of static IPs?

2006-08-15 Thread Jonathan Horne
i would have to agree with rob's recommendation, it will truly be the least 
amount of headache.

and with bind 9, you can have dns views, that respond with corresponding 
1.1.1.x address to outside hosts, and respond with 192.168.2.x to inside 
hosts (but all to the same example.com domain namespace).  it's not hard to 
set up at all.

cheers,
jonathan

On Tuesday 15 August 2006 11:28, Geoff Brisbine wrote:
> We've only got 3 interfaces in our firewall, so there will only be OPT1.
>
> Is there a way to do this so I'm not required to address the OPT1
> servers with internal IP addresses?  I would have to worry about split
> DNS/etc to make sure that LAN people could access it via FQDN and I'd
> rather not worry.
>
> Is it possible to have it like...
>
> WAN - 1.1.1.1
> LAN - 192.168.0.1-255
> OPT1 - (1.1.1.2-1.1.1.5)
>
> ... so the servers are configured with their actual external IP
> addresses?  If we are required to use one of the IP addresses for the
> actual OPT1 interface I can live with that.
>
> Any ideas?
>
> Thanks,
>
> Geoff.
>
> On 8/15/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> > > Greetings, all.
> > >
> > > We've got 5 static IP addresses (e.g. 1.1.1.1 - 1.1.1.5) from our ISP
> > > and we'd like to configure one for our WAN and the other 4 for our OPT
> > > (for public servers).
> > >
> > > WAN (1.1.1.1)
> > > LAN (192.168.0.1-255)
> > > OPT (1.1.1.2 - 1.1.1.5)
> > >
> > > I've tried this with bridging the WAN and OPT interfaces, but it
> > > doesn't seem to work.
> > >
> > > Is this possible?  If so, how would I go about it?
> >
> > Alternatively (1)
> >
> > WAN (1.1.1.1 - 1.1.1.5) virtual interfaces for 1.1.1.2 - 1.1.1.5
> > LAN (192.168.0.1-255)
> > OPT (192.168.2.1 - 192.168.2.5)
> >
> > OPT address is 192.168.2.1
> >
> > Put the servers on OPT as 192.168.2.2-192.168.2.5
> >
> > Port forward port 80 (and ssl if required) from virtual interfaces
> >  1.1.1.2 - 1.1.1.5 to the respective addresses on OPT
> >
> > Put in more relaxed rules from LAN to OPT so you can upload files for
> > webservers in OPT
> >
> > This is a classic DMZ setup that isolates the servers from your LAN i.e.
> > all of your webservers are NOT in the LAN
> >
> > It makes no difference if the firewall is compromised but it may make all
> > the difference if the webservers are.
> >
> > Alternatively (2)
> >
> > If you are not using the firewall for load balancing just put a hub in
> > front of the router and stick the web servers onto the internet. Be sure
> > to configure the local firewall on each webserver before plugging it in.
> > If you allow SSH (use SCP not FTP for upload) from your firewall and port
> > 80/SSL from ALL then block/drop the rest it should be pretty secure.
> >
> > Any use of FTP sends a logon password as clear text and rather undermines
> > your good work (the same applies to telnet [S 20th century!])(This
> > can apply even if FTP is confined to your LAN).
> >
> > These are just a couple more suggestions if you want you can isolate the
> > web servers from each other and so it goes on. Decide what your risk is
> > and act appropriately -  always have a backup handy.
> >
> > ---Rob
> >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

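Rob's first alternative (servers on OPT with private addresses, the public addresses as virtual IPs on WAN with port forwards for 80/443, relaxed LAN-to-OPT rules, nothing from OPT toward LAN) together with the BIND views Jonathan suggests can be checked as a set of flows before the ruleset is trusted. The following is an added example, not code from the list thread or from pfSense: it models the firewall as a port-forward (rdr) table applied first on WAN, then first-matching filter rules per inbound interface with a default block, and adds a split-horizon resolver so the "LAN users reach the server by FQDN" case is covered. The 1.1.1.x and 192.168.x.x addresses are the thread's example values; the interface names, the example.com record, the 203.0.113.7 client and the exact rule list are assumptions.

```python
"""Added example (not from the pfSense list or the pfSense project): a model of
the DMZ layout from the thread plus split-horizon DNS, checked as flows.

Model, constructed for illustration: on WAN the destination is first rewritten
by the port-forward table, then the first matching filter rule on the inbound
interface decides, and anything unmatched is blocked.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Tuple


class Flow(NamedTuple):
    iface: str        # interface the first packet arrives on
    src: str
    dst: str
    dport: int


ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.0.0/24")
OPT = ip_network("192.168.2.0/24")

# Port forwards: (WAN virtual IP, port) -> (OPT server, port).  Only 80/443,
# as Rob suggests; nothing else on the public addresses reaches the DMZ.
RDR = {
    ("1.1.1.2", 80): ("192.168.2.2", 80), ("1.1.1.2", 443): ("192.168.2.2", 443),
    ("1.1.1.3", 80): ("192.168.2.3", 80), ("1.1.1.3", 443): ("192.168.2.3", 443),
}

# Filter rules: (iface, src_net, dst_net, allowed ports or None = any, action).
# First match wins; no match means block.
RULES = [
    ("wan", ANY, OPT, {80, 443}, "pass"),      # only what rdr produced
    ("lan", LAN, OPT, {22, 80, 443}, "pass"),  # SSH/SCP uploads and testing
    ("lan", LAN, OPT, None, "block"),          # no FTP (21) into the DMZ
    ("lan", LAN, ANY, None, "pass"),           # LAN to Internet
    ("opt", OPT, LAN, None, "block"),          # the point of the DMZ
    ("opt", OPT, ANY, None, "pass"),           # servers may fetch updates
]


def evaluate(flow: Flow) -> Tuple[str, str, int]:
    """Apply rdr, then the filter rules.  Returns (action, final_dst, final_port)."""
    dst, port = flow.dst, flow.dport
    if flow.iface == "wan":
        dst, port = RDR.get((dst, port), (dst, port))
    src_ip, dst_ip = ip_address(flow.src), ip_address(dst)
    for iface, src_net, dst_net, ports, action in RULES:
        if iface != flow.iface or src_ip not in src_net or dst_ip not in dst_net:
            continue
        if ports is not None and port not in ports:
            continue
        return action, dst, port
    return "block", dst, port


# Split-horizon DNS as BIND 9 views would answer it: inside clients get the
# OPT address, everyone else the public one, for the same name.
DNS_VIEWS = {
    "www.example.com": {"internal": "192.168.2.2", "external": "1.1.1.2"},
}


def resolve(name: str, client_ip: str) -> str:
    view = "internal" if ip_address(client_ip) in LAN else "external"
    return DNS_VIEWS[name][view]


def reaches_server(flow: Flow, server: str) -> bool:
    """True when the flow is passed AND actually lands on the given server."""
    action, dst, _ = evaluate(flow)
    return action == "pass" and dst == server


if __name__ == "__main__":
    checks = [
        ("public web", Flow("wan", "203.0.113.7", "1.1.1.2", 80)),
        ("public ssh", Flow("wan", "203.0.113.7", "1.1.1.2", 22)),
        ("lan scp", Flow("lan", "192.168.0.10", "192.168.2.2", 22)),
        ("lan ftp", Flow("lan", "192.168.0.10", "192.168.2.2", 21)),
        ("dmz -> lan", Flow("opt", "192.168.2.2", "192.168.0.10", 445)),
        ("lan via dns", Flow("lan", "192.168.0.10",
                             resolve("www.example.com", "192.168.0.10"), 80)),
    ]
    for label, flow in checks:
        print(f"{label:12s} {evaluate(flow)}")
```

The last check is the reason for the views: a LAN client that resolves www.example.com to the public 1.1.1.2 is passed by the "LAN to Internet" rule but never hits the WAN port forward, so it does not land on 192.168.2.2; a client that gets the internal answer does. The "dmz -> lan" check is the property Rob is after, a compromised web server in OPT being blocked from the LAN, and is worth keeping as a regression check whenever rules are loosened later.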