[pfSense Support] VLAN Problems
Hi Everyone,

I have an interesting VLAN setup/problem question. I followed the pfSense doc on setting up multiple VLANs on the same interface (VLAN trunking), and the switch is set up with trunking going to the pfSense box (VLAN 1 untagged, all other VLANs tagged). However, the VLANs do not pass traffic or respond unless we are running a tcpdump or packet capture on the VLAN interface. We have a system behind one of the VLANs we are testing with, and it is not able to hit the pfSense box or the internet until we turn on "tcpdump -i vlan2" or a packet capture on the vlan2 interface.

Has anyone else seen this problem or know how to fix it? We will be happy to send out screen captures and other stuff if that will help.

Thanks
Joe
[pfSense Support] pfSense Blocking some traffic
Greetings everyone,

I have noticed some strange behavior. I have set up a bridge and set up specific blocking rules for access to systems behind our firewall. I also have explicit access rules for port 80:

pass in quick on $wan reply-to (em0 GATEWAYIP) proto tcp from any to any port = 80 keep state label "USER_RULE: HTTP Port Allow Access"

At the bottom of the firewall rules I have this entry to allow everything that I am not specifically blocking:

pass in quick on $wan reply-to (em0 GATEWAYIP) from any to any keep state label "USER_RULE: Allow Everything Else"

On the internal interface of the bridge I have the following entry:

pass in quick on $InternalNetwork from any to any keep state label "USER_RULE"

However, I am seeing entries captured in my firewall logs where visitors are being denied per the default deny rule at the very bottom of the pf rules. My question is: why are my explicit rules not catching the entries before they get to the last rule? And also, how can I disable those two rules, or can they be disabled?

Thanks
Joe

--
This message has been scanned for viruses by Colocube's AV Scanner

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] pfSense Blocking some traffic
Jim Pingle wrote:
> Joseph Hardeman wrote:
>> However, I am seeing entries captured in my firewall logs where visitors are being denied per the default deny rule at the very bottom of the pf rules. My question is: why are my explicit rules not catching the entries before they get to the last rule? And also, how can I disable those two rules, or can they be disabled?
>
> My guess is that you're really seeing this:
> http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F
>
> And no traffic is actually being dropped.
>
> Jim

Very interesting, but it definitely makes sense, especially since I can't seem to get a blocked session to my systems. Thanks, Jim, for the link.

Joe
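The following is an added example, not code from pfSense, pf, or anyone in this thread. It is a toy model of the behaviour Jim's link describes, reduced to two of the rules in the thread (the explicit HTTP pass rule and the logged default deny). It assumes two pf behaviours: a "keep state" pass rule creates a state entry that later packets of the flow match before any rule is consulted, and TCP pass rules default to "flags S/SA", so only the initial SYN can match them. Once a flow's state is gone (expired, or cleared by a rule reload), its later ACK/FIN packets match no pass rule and fall to the logged default deny, even though nothing useful was dropped. The addresses are constructed documentation addresses.

```python
"""Toy model of why a legitimate connection can show up as blocked by the
default deny rule. Added example, not pfSense or pf code; it assumes the
pf behaviours named in the lead-in (state lookup before rules, and the
'flags S/SA' default on TCP pass rules)."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    iface: str                  # interface name or "any"
    proto: str = "any"
    dport: Optional[int] = None
    label: str = ""
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.iface not in ("any", p.iface):
            return False
        if self.proto not in ("any", p.proto):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # pf default 'flags S/SA' on TCP pass rules: SYN set, ACK clear
        if self.action == "pass" and self.proto == "tcp":
            if "S" not in p.flags or "A" in p.flags:
                return False
        return True


# Reduced form of the ruleset in the thread: the explicit HTTP pass rule
# (quick, keep state) and pfSense's logged default deny at the bottom.
RULES: List[Rule] = [
    Rule("pass", "wan", "tcp", 80, label="USER_RULE: HTTP Port Allow Access"),
    Rule("block", "any", label="Default deny rule", log=True),
]


class PfModel:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()        # keyed by flow, like pf's state table
        self.log: List[str] = []

    @staticmethod
    def flow_key(p: Packet):
        return (p.proto, p.src, p.dst, p.dport)

    def handle(self, p: Packet) -> str:
        key = self.flow_key(p)
        if key in self.states:     # state lookup happens before the rules
            return "pass (state)"
        for r in self.rules:       # every rule here is 'quick': first match wins
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(key)
                if r.log:
                    self.log.append(
                        f'{r.action} in on {p.iface}: {p.src} -> {p.dst}:{p.dport} '
                        f'flags={p.flags or "-"} label="{r.label}"')
                return f"{r.action} ({r.label})"
        return "no match"

    def expire(self, p: Packet) -> None:
        """State timed out, or the state table was cleared (e.g. rule reload)."""
        self.states.discard(self.flow_key(p))


def demo():
    """SYN creates state, the ACK rides the state, then after the state is
    gone the same legitimate flow's ACK is logged by the default deny."""
    fw = PfModel(RULES)
    syn = Packet("wan", "tcp", "203.0.113.5", "198.51.100.10", 80, "S")
    ack = Packet("wan", "tcp", "203.0.113.5", "198.51.100.10", 80, "A")
    verdicts = [fw.handle(syn), fw.handle(ack)]
    fw.expire(syn)
    verdicts.append(fw.handle(ack))
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

The third verdict is the log entry Joe is asking about: a block, logged under the default deny label, for a flow whose SYN was explicitly allowed moments earlier. When reading such entries, the TCP flags in the log line (ACK or FIN without SYN) are the tell that it is an out-of-state packet rather than a rejected new connection.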
[pfSense Support] IANA Bogon List Update
Greetings Everyone,

Just wanted to make you aware, if you weren't already, that on Aug 3rd 2009 IANA assigned two IP ranges that were previously bogon ranges out to the wild. The IP ranges are:

175/8   APNIC   2009-08   whois.apnic.net   ALLOCATED
182/8   APNIC   2009-08   whois.apnic.net   ALLOCATED

I received the notification from the Team Cymru group; their master bogon list can be found here: http://www.team-cymru.org/Services/Bogons/

Just wanted to let everyone know, so you don't block legitimate traffic thinking it's from bogon networks, like has happened to me in the past. *S*

Have a great day
Joseph
Re: [pfSense Support] IANA Bogon List Update
Evgeny Yurchenko wrote:
> Joseph Hardeman wrote:
>> Greetings Everyone,
>>
>> Just wanted to make you aware, if you weren't already, that on Aug 3rd 2009 IANA assigned two IP ranges that were previously bogon ranges out to the wild. The IP ranges are:
>>
>> 175/8   APNIC   2009-08   whois.apnic.net   ALLOCATED
>> 182/8   APNIC   2009-08   whois.apnic.net   ALLOCATED
>>
>> I received the notification from the Team Cymru group; their master bogon list can be found here: http://www.team-cymru.org/Services/Bogons/
>>
>> Just wanted to let everyone know, so you don't block legitimate traffic thinking it's from bogon networks, like has happened to me in the past. *S*
>>
>> Have a great day
>> Joseph
>
> Thanks for the update. Could somebody explain when /etc/rc.update_bogons.sh is supposed to run on pfSense?
>
> Joseph, I could not find any subscription available on their site; how are you receiving notifications?
>
> Thanks.
> Eugene

Hi Eugene,

I joined their mailing list at:

bogon-announce mailing list
bogon-annou...@puck.nether.net
https://puck.nether.net/mailman/listinfo/bogon-announce

As for rc.update_bogons.sh, you can look in /etc/crontab and see that, at least on my setup, it is set to run:

1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh

on the first day of each month at 3:01 am.

Joe
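The following is an added example, not code from pfSense, rc.update_bogons.sh, or Team Cymru, and the bogon list in it is a constructed fragment, not the real list. It illustrates the point of both messages above: a bogon list that is only refreshed monthly will, between refreshes, still contain ranges IANA has since allocated, and a firewall that feeds that list into a block rule then drops legitimate traffic from the newly allocated space. The example parses a one-prefix-per-line list (the format pf tables and the Team Cymru text lists use), shows which sample sources a stale copy would block, and drops the entries that fall inside the two ranges the thread names.

```python
"""Check a bogon list against sample source addresses and remove entries
that IANA has since allocated. Added example, not pfSense code; the list
and the source addresses are constructed samples."""

import ipaddress
from typing import List

# Constructed fragment of a stale bogon list (not the Team Cymru list).
# One prefix per line, '#' starts a comment, as in pf table files.
STALE_BOGONS = """\
# bogons (constructed sample, not the real list)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
175.0.0.0/8        # allocated to APNIC in Aug 2009 per the thread
182.0.0.0/8        # allocated to APNIC in Aug 2009 per the thread
192.168.0.0/16
240.0.0.0/4
"""

# Ranges the thread reports IANA assigned to APNIC (175/8 and 182/8).
ALLOCATED_2009_08 = ["175.0.0.0/8", "182.0.0.0/8"]

# Constructed sample source addresses seen at the WAN interface.
SAMPLE_SOURCES = ["175.45.1.2", "182.10.0.9", "203.0.113.7", "10.1.2.3"]


def parse_bogon_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse prefixes, skipping blank and comment lines; reject malformed
    entries loudly rather than silently shrinking the block list."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def remove_allocated(nets, allocated):
    """Drop every list entry that lies inside an allocated range."""
    alloc = [ipaddress.ip_network(a) for a in allocated]
    return [n for n in nets
            if not any(n.version == a.version and n.subnet_of(a) for a in alloc)]


def is_bogon(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def would_block(addrs, nets) -> List[str]:
    """Sources a block rule fed by this list would drop."""
    return sorted(a for a in addrs if is_bogon(a, nets))


if __name__ == "__main__":
    stale = parse_bogon_list(STALE_BOGONS)
    print("stale list blocks:", would_block(SAMPLE_SOURCES, stale))
    fresh = remove_allocated(stale, ALLOCATED_2009_08)
    print("updated list blocks:", would_block(SAMPLE_SOURCES, fresh))
```

With the stale list, the two hosts in 175/8 and 182/8 are dropped alongside the genuinely unroutable 10/8 source; after the allocated ranges are removed, only the private address remains blocked. The same comparison, run between the current list and the copy a firewall is actually using, is a quick way to tell whether a monthly refresh such as the cron entry above has fallen behind an announcement.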
[pfSense Support] Multiple WANs on a Single Bridge
Hi Everyone,

I have been trying to figure out how to set up multiple WAN networks on a single bridge. For instance:

111.111.111.111/25 - em0/bridge0/opt1 - internal servers
222.222.222.222/25 - em0/bridge0/opt1 - internal servers

I see a way to add a virtual IP in the Firewall section, but not to add a VIP to the em0 interface. I have em0 bridged with em1, and my bridge is set up to allow certain ports through to internal servers. Each server has an external IP, so I have to use bridged mode, not NATing.

Any help would be much appreciated.

Thanks
Joe
[pfSense Support] CARP and Bridging
One other question now that I think of it. Does CARP work between two firewalls that are running in full bridge mode, no NATing done at all, just port blocking on the WAN interface? We have two firewalls, and I want to make sure any states are kept intact on the chance we have to fail over to the secondary.

Joe
Re: [pfSense Support] Multiple WANs on a Single Bridge
Chris,

Thanks for your reply. I found this out earlier today. Yes, all of the gateways are outside of the firewall, so when I changed the IP on my laptop after getting the firewall upgraded, it was able to get out with no problem.

Again, thank you for your reply. I appreciate it.

Joe

Chris Buechler wrote:
> On Thu, Jun 25, 2009 at 3:43 PM, Joseph Hardeman <jharde...@colocube.com> wrote:
>> Hi Everyone,
>>
>> I have been trying to figure out how to set up multiple WAN networks on a single bridge. For instance:
>>
>> 111.111.111.111/25 - em0/bridge0/opt1 - internal servers
>> 222.222.222.222/25 - em0/bridge0/opt1 - internal servers
>
> Nothing to it, if what you really need is a bridge. If the gateway IP is outside the firewall, it's no different to use two subnets than it is one.
>
> If the gateway IP isn't outside the firewall, you don't need bridging, you need a routed public IP subnet on an OPT interface.
[pfSense Support] Configuration Questions
Hi Everyone,

I have a question that I am hoping someone will be able to help me with. I am about to migrate to a network that has two circuits to the same provider, with BGP on each circuit, so if one circuit goes down we will be able to keep our traffic flowing. Our pfSense firewall is set up in bridge mode, connecting on the front interface of the bridge to one of our routers and on the back-end interface of the bridge to one of our switches, which then connects to the front side of all of our servers.

What I want to do is use the Multi-WAN and possibly load balancing functionality, with one circuit as primary and the other circuit as secondary, and then have CARP running as a hardware failover between two identical pfSense boxes. My question is: can this be done in bridge mode, and if so, how would I go about setting it up in pfSense so that three interfaces are part of the bridge? The Multi-WAN load balancing docs show connecting to two separate carriers and using NAT, not bridge mode, which is what I want to use.

Has anyone set up this sort of configuration before, or can anyone point me to a document or information on how to accomplish this?

Thanks
Joe