RE: [pfSense Support] Custom OpenVPN configs overwritten on restart
> Now, as I half-expected, every time pfSense restarts, it reverts to
> its version of the conf files.

What changes are you making? Are they something you can't add to the Advanced configuration section?

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Blocking Windows Machines
> Is there a simple way to block access to a windows machine? I'm setting
> up a network in a remote, far away location and will have little
> physical control. I want to control/stop people from sticking a wifi
> router and connecting windows machines to the network.

The OS doesn't matter; the approach depends on how secure you need it. If they actually stick a router in there, unless it's set up as a bridge (i.e. WAN not used) it will be NAT'ing connections, so only its MAC/IP will appear. So blocking by IP/MAC doesn't help, as you can spoof either of those anyway. What you may need is something that performs authentication for each connected user, for example...
[pfSense Support] Providing wol
I need to create some openvpn up scripts that send wol packets for a series of users who cannot leave their internal wksts running all the time. In 2.0 the wol packages all need perl. While not a pfSense-specific question, does anyone know of a wol util written in C, for example, without the obtrusive deps?

Thanks,
jlc
[pfSense Support] Logging/Alerts for a specific interface
What provisions, if any, exist to facilitate delivering firewall logging alerts for a specific interface? I have one with very low traffic, and I am interested in knowing if a block was encountered on it and getting some type of alert.

Thanks!
jlc
RE: [pfSense Support] packagelock stuck after upgrade in 2.0rc1
> That can happen if a package you had installed failed to properly
> reinstall itself at boot time. Check your console to find out which one
> it was.

Ah, looks like open-vm-tools failed to install. What is the correct procedure to repair this? I doubt it's as simple as a pkg_add, is it?

Thanks!
jlc
[pfSense Support] packagelock stuck after upgrade in 2.0rc1
Did a quick look through redmine and didn't see anything. Anyone know what triggers the packagelock variable? It seems to be stuck, causing the dash to trigger the warning permanently.

Thanks,
jlc
RE: [pfSense Support] Spoofed wan mac issues in 2.0-RC1
> Works fine for me.

Well, I managed to get tech support at the ISP to mitigate my issue, as they had a binding issue in their lame mgmt system. They don't hand out statics, they only give dhcp reservations for static accounts. I can confirm that the description of Bug#996 is still a scenario I experienced. Not sure that's a bug so much as a limitation in the OS, but it's all good now.

thanks,
jlc
[pfSense Support] Spoofed wan mac issues in 2.0-RC1
It appears as if the wan int can only acquire a dynamic ip when it's spoofed from a fresh boot. If you down it from the gui interfaces page, it cannot re-acquire an ip when you up it again.

jlc
RE: [pfSense Support] Moving configs to different machines
> You may also need to adjust other settings that might
> affect things like RAM, DMA, checksum offloading, polling, powerd, etc
> if your hardware is different in those respects.

David,

Thanks for the info. Are those parameters set by the installer? I probably wouldn't know how to adjust them; the hardware is different, as I am moving from an AMD based server to an Intel unit. Possibly, if the initials are set at install, I could utilize the existing ones in the backed up config?

Thanks!
jlc
[pfSense Support] Moving configs to different machines
I have to transfer a config from one server to another. Looking at the backup, I can replace the ifnames and correlate the vlans etc., but I am wondering about the nat/filter pair id's or any other caveats. Is this known not to work, or if care wrt ifnames is taken should it be fine?

Thanks!
jlc
[pfSense Support] OpenVPN default cipher
Hey guys,

Given the default in the client software when left unspecified is BF-CBC, shouldn't the dropdown start with that as well? When I migrated my first install over, this bit me at first as well. If the opinion is shared, I'll file it in Redmine.

jlc
RE: [pfSense Support] OpenVPN issues -solved
> Adding "cipher AES-128-CBC" to the client file fixed the problem, I'm able to
> ping
>
> Thanks all for the help

I was just replying saying it looked fine; didn't your log suggest this to start?
RE: [pfSense Support] OpenVPN issues
> Here is my config
>
> Server /snip

That's a mess of xml; log in with ssh and post the /var/etc/openvpn/server2.conf or whichever # is applicable.

> -client---
> Client /snip

That looks right.
RE: [pfSense Support] OpenVPN issues
> Even with "Force all client generated traffic through the tunnel" checked
> I'm unable to ping any of the clients or the local net

You'd get a definitive answer immediately if you sanitized and posted or pastebinned your client *and* server conf files.
RE: [pfSense Support] OpenVPN issues
On 3/8/2011 3:02 PM, k_o_l wrote:
> I had working OpenVPN with pfsense 1.2.3, however with 2.0-RC1 the
> server is handing the wrong mask and no gateway to the clients, I have
> tried the wizard and changing different subnets, no matter what the
> server is handing out /30 instead of /32. Firewall rules are in place
> to allow clients through the firewall. Any ideas?

Are you manually specifying any options through 'Advanced configuration'?
[pfSense Support] url table alias in 2.0rc1
Today, after a fresh update, I tried to generate a url table alias for the first time with a list that was ~17k networks long on a server with 4gig ram, and it popped up a warning suggesting it couldn't allocate memory. A quick search on redmine didn't show anything; does the size and ram look acceptable?

Thanks,
jlc
[pfSense Support] 2.0 LDAP Auth
Maybe I am missing something, but is it possible to configure the parameters such that the query checks for group membership? I tried to set the container it searches to a group cn that included a user, then that user attempted to log in, but the query failed. So far I can only set the auth container to the one which holds the users for a successful login.

Thanks,
jlc
RE: [pfSense Support] Nut Package update.
> By slave modes, do you mean that it is just monitoring the UPS. We have
> implemented a check box that says "Does this firewall rely on power from
> this ups?" If checked it makes the firewall shutdown if the battery
> becomes critical(and doesn't shutdown if it isn't checked). If you
> could give me a quick run down of the layout you're trying to achieve I
> may be able to help. Also if possible please provide ups vendor/models.

By slave, I mean on non-snmp-capable ups's: it's directly connected to one server, which then controls several others, like apcupsd does. That way these smaller ups's that have the capacity to support several small servers can still safely shut them all down, not just the connected one. I also don't think nut has snmp capability for the larger ups's, right? So for now, I manually pkg_add apcupsd and hack around getting it configured.

thanks,
jlc
[pfSense Support] 2.0 Openvpn questions
How come the openvpn configuration forces a "client-cert-not-required" when using an LDAP auth backend in 2.0b5x64 (Sat Feb 5 snap)? I don't believe that's a mandatory limitation; we use certs _and_ secondary auth via ldap.

jlc
RE: [pfSense Support] Firewall security compromised by auxillary programs?
> Well, I hear of people running pfSense in a VM, and I wonder how do you
> avoid exposing the host OS to the network? How can a firewall be run in a
> VM and not leave the host OS hanging out to be attacked?

Well, if the interface is set up in a bridge with nothing else, what exactly is addressable that you can connect to and then hack? Now add a vm and plug a nic into this bridge and put pfSense's wan designation on it. When you show me one case of the host being compromised I'll believe it; until then it's not been done as far as I know...
RE: [pfSense Support] Error deleting opt int
> http://www.mail-archive.com/support@pfsense.com/msg19120.html

My bad, should have searched... I found it anyway; it was obvious once I ssh'ed in. Is that case handled in 2.0, or is this something I need to watch there as well?

Thanks!
jlc
[pfSense Support] Error deleting opt int
I tried to delete an opt interface and got the following error:

XML error: OPT at line 2103 cannot occur more than once

After which the web ui no longer responded. Look familiar? Otherwise, is there a log I can provide to glean insight?

Thanks,
jlc
RE: [pfSense Support] Trouble with openvpn client
> In the OpenVPN Status page the client instances section shows that the
> connection is up,
> but in the list of routes, I don't see a route for my remote network.

In that case, you almost certainly haven't used the right parameters, or clicked the right options in the gui (I haven't played much with 2.0 yet). Post your config; probably easy to figure out once we know the setup...

jlc
RE: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
> Thank you, I corrected the ticket to the exact scenario.

Scott,

From pfSense's pov, what happens in this exact scenario when you assign the tun device to an interface? I followed this thread closely, as I have a similar issue plaguing me that I am unable to resolve as of yet...

Thanks,
jlc
[pfSense Support] USB Wifi nic
I have a vm running under esxi 4.1 that I need to pass in a usb wifi dongle. It's a dev environment, so I am not too worried about the fact that a) it's a vm and b) passing the dongle in could be unstable. Would pfSense work happily with this so long as the chip in the dongle was on the HCL and supported AP mode?

Thanks!
jlc
RE: [pfSense Support] autorollback?
>> So how does one do a restore from the cli in pfSense?
>
> cd /cf/conf/backup && cp config-xxx.xml ../config.xml && reboot
>
> replacing config-.xml with whichever one you want.

Chris,

That's simple enough. So, utilizing what comes stock, would you suggest a cron job be the best thing to use for this if you are worried about losing your shell?

Thanks!
jlc
RE: [pfSense Support] autorollback?
> The feature on cisco/juniper is a two phase application process.
>
> Phase one applies the configuration.
>
> Phase two rolls it back if you don't confirm it. So if you did something
> that blocked you out of the device for example, it would auto roll back.
>
> I miss this feature on pfsense. It's on Juniper and Cisco devices and
> would be useful on pfsense.

I know exactly what you mean. On RHEL systems where I am doing iptables changes remotely, I always `echo orig_script.sh | at now +10 minutes`, then make changes, and if I am happy I atrm the job. If I overlooked or fat-fingered something, I just have to wait...

So how does one do a restore from the cli in pfSense? You could accomplish the same thing...

jlc
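Putting the two halves of this thread together (the at(1) timer trick in this message and the cli restore from /cf/conf/backup quoted in the reply above), here is a commit-confirm style wrapper as an added example; it is not code from the list or from the pfSense project. It assumes backups named config-<epoch>.xml under /cf/conf/backup, a live config at /cf/conf/config.xml, and that at(1) and atrm(1) are present on the box.

```shell
#!/bin/sh
# Commit-confirm guard for remote pfSense config changes. Added example, not
# code from the list or from pfSense. Assumptions: backups are named
# config-<epoch>.xml under BACKUP_DIR, the live config is LIVE_CONFIG, and
# at(1)/atrm(1) exist on the box.
BACKUP_DIR=${BACKUP_DIR:-/cf/conf/backup}
LIVE_CONFIG=${LIVE_CONFIG:-/cf/conf/config.xml}
STATE_DIR=${STATE_DIR:-/var/run}
JOB_FILE="$STATE_DIR/rollback.job"       # id of the pending at(1) job
ROLLBACK_SCRIPT="$STATE_DIR/rollback.sh" # what at(1) will execute

# Newest backup, picked by the epoch in the filename with a numeric sort
# (a plain lexical sort would misorder timestamps of different lengths).
latest_backup() { # $1 = backup directory
    ls "$1"/config-*.xml 2>/dev/null \
        | sed 's/.*config-\([0-9]*\)\.xml$/\1 &/' \
        | sort -n | tail -n 1 | cut -d' ' -f2
}

# Write the script the timer will run: the manual restore from the thread,
# "cp <backup> config.xml && reboot", just executed unattended.
write_rollback_script() { # $1 = backup file, $2 = script path
    printf '#!/bin/sh\n# auto-generated: restore %s if the change was never confirmed\ncp %s %s && /sbin/reboot\n' \
        "$1" "$1" "$LIVE_CONFIG" > "$2"
    chmod 700 "$2"
}

# Arm the timer BEFORE touching the rules: take the newest backup, schedule
# its restore N minutes out and remember the job id for atrm(1).
arm_rollback() { # $1 = minutes until rollback (default 10, as in the thread)
    mins=${1:-10}
    bk=$(latest_backup "$BACKUP_DIR")
    [ -n "$bk" ] || { echo "no config-*.xml backup in $BACKUP_DIR" >&2; return 1; }
    write_rollback_script "$bk" "$ROLLBACK_SCRIPT"
    # at(1) reports "job N at <date>" on stderr; keep only the job id.
    echo "$ROLLBACK_SCRIPT" | at now + "$mins" minutes 2>&1 \
        | awk '/^job/ { print $2 }' > "$JOB_FILE"
    echo "rollback to $bk armed for $mins minutes (at job $(cat "$JOB_FILE"))"
}

# The change worked and you still have a shell: cancel the pending rollback.
confirm_change() {
    [ -s "$JOB_FILE" ] || { echo "no rollback armed" >&2; return 1; }
    atrm "$(cat "$JOB_FILE")" && rm -f "$JOB_FILE" "$ROLLBACK_SCRIPT"
}

case "${1:-}" in
    arm)     arm_rollback "$2" ;;
    confirm) confirm_change ;;
    "")      ;;  # no arguments: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 arm [minutes] | confirm" >&2; exit 2 ;;
esac
```

Run `./rollback.sh arm 10` before editing rules, then `./rollback.sh confirm` once you have verified you still have a shell; if you never get to confirm, the newest backup is restored and the box reboots.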
RE: [pfSense Support] 2.0 Beta Openvpn dev node
> Same as IPsec always has, that's a group of all OpenVPN interfaces, server and
> client. You can still manually assign them if you want.

Cool. I was hoping to stumble on something that makes my client-to-client filtering issue easy. Defining the rule seems easy, but as openvpn would no longer be routing internally with the client-to-client switch off, I need to craft the routes myself, which is proving to be an issue; nothing I have tried works.

Thanks for any suggestions,
jlc
[pfSense Support] 2.0 Beta Openvpn dev node
I take it assuring a consistent dev name is now handled automagically by 2.0. I now see an OpenVPN tab in the Rules dialogue, but it doesn't increment or correlate in any obvious way to the # of vpn instances set up. How does one accomplish filtering now, same as before, and what is the single pre-existing OpenVPN tab for now? The help link suggests "plus a tab for each active VPN type"; as I have more than one, is something broken, or is this feature not yet finished?

Thanks!
jlc
[pfSense Support] Custom Routes
I am trying to understand how to add some custom routes so I can control the traffic of a client-to-client vpn wrt what downlevel clients can see between each other. With client-to-client enabled and openvpn doing the routing internally, it works, so iptables rules on the connected clients are working, and pushed/advertised routes as well. If I disable this and run a tcpdump on the tun int on both the pfsense server and client A, then ping a lan client of A from client B, I can see the traffic hit the pfsense box and client A, but it doesn't get returned. I assume I need custom routes here but don't know how to craft them; the clients all have ifconfigs specified in their csc files (each has a /30 applied). Any hints as to how to set up the routes?

Thanks,
jlc
[pfSense Support] Openvpn client to client filtering
How do I set up rules from within the gui to control what traffic may enter and exit the same tun interface if client-to-client is disabled and openvpn would then allow for such rules to manipulate what clients may access between clients?

Thanks,
jlc
RE: [pfSense Support] RE: Openvpn routing config help
> Make sure you follow all the steps here (order doesn't matter if you've
> already done some/most)
> http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

All done, and double checked. I actually use this for a standard road warrior setup for my first openvpn config running on 1194, and it works; clients can only see tcp3389 for one remote desktop server. The second instance on 1195 has a custom option of `dev tun1` and is associated with a new opt int, and it has a block** yet remote clients can see any resource.

Thanks!
jlc
[pfSense Support] RE: Openvpn routing config help
> What has to be done to let LAN clients access resources across the tunnel now
> from the pfsense side of the config?

Found http://forum.pfsense.org/index.php/topic,12888.0.html which worked well. I didn't use client-to-client and did specify a tun device that is associated to an opt interface, as well as specifying a network in each client-specific configuration matching each connection's common name. Clients can't see each other now. I can see the clients take the applicable address, but filtering has no effect; all traffic gets passed through the opt interface into the lan interface even if a block any/any rule is first? Any ideas?

Thanks,
jlc
[pfSense Support] Openvpn routing config help
I was using a client mode config to connect to an OpenVPN server, which worked well; clients on the Lan interface routed correctly across the vpn and could access the remote server and its clients. I now needed to change this and use a server config on my pfsense side and let the remote side be the client. What has to be done to let LAN clients access resources across the tunnel now from the pfsense side of the config?

Thanks,
jlc
RE: [pfSense Support] interface shorthand
> If you only have LAN and WAN interfaces then you should just be able to define
> the rule on the LAN interface.
> If you have more interfaces than that then someone smarter than me will have
> to answer it. :)

Hah. Yeah, I have 5 physical and several vlan based.

jlc
[pfSense Support] interface shorthand
Is there a way to craft a rule that is specific to anything outbound on the WAN interface only? I would imagine an alias of all internal networks, then a 'Not' rule, but is that my only option? I just don't like the fact that the list has to be manually updated or it leaves a hole.

Thanks,
jlc
[pfSense Support] Rules question
Making some changes this weekend, and I wanted to simplify how I wrote rules on a series of opt ints.

I blocked this opt int's network from all other opt ints it didn't need access to. Many rules here.

I allowed specific traffic from certain hosts to other hosts in other opt ints. A few rules here.

Allowed ports 80/443 to all (for internet connectivity).

I am sure there is a better way to write this with fewer rules. Could I allow traffic from certain hosts to other hosts in other opt ints, then allow this opt int out to the internet and block anything else?

Thanks,
jlc
RE: [pfSense Support] Errors in logs
> Cosmetic, not an error.

Thank you Chris.

jlc
[pfSense Support] Errors in logs
I rebooted last night and see this; any idea which file line 1 refers to?

Thanks!
jlc

Sep 22 03:17:06 last message repeated 2 times
Sep 22 03:17:06 php: : XML error: not well-formed (invalid token) at line 1
Sep 22 03:17:06 php: : Resyncing configuration for all packages.
[pfSense Support] Multiple wan issue
I have a specific setup that I am remote to; it has a dsl modem plugged into the wan port on the server and several internal nics servicing various vlans. I need to perform port translation to different internal ip's for the same external port; our isp allots us 5 specific ip's dynamically with mac reservations. Given that I can't add a physical switch and additional nic, is it at all possible to add another dynamic ip to the wan interface? (The routing issue aside?)

Thanks!
jlc
RE: [pfSense Support] Large Aliases
>> Also, in 2.0 we have support for nested aliases. What you can do with
>> this is pretty straightforward of course. You can then update 1 specific
>> alias which is part of the parent alias.
>>
>> This should make management a lot easier, the chances of error smaller
>> and possibly the number of firewall rules smaller.
>
> In 2.0 we also have a URL table alias type that can periodically update
> its contents from a URL that has IP and IP/CIDR format entries (one per
> line).
>
> We've tried it with 40k+ entries and it works fine. You can't edit the
> lists on the box though, they only refresh via the contents of the URL.
> There was no practical way to handle editing that large of a list in the
> GUI and storing the data in the actual XML file.
>
> There is a package for 1.2.3 that imports that functionality as well.

This is exactly what I need; the Country Block package was what I wanted, but I need finer grained control, so an Alias to work with would do this. A quick pfctl show of the Table enumerated as expected. How does one keep an eye on this? I am confused by the update frequency versus the "no cron job added" msg?

Thanks guys!
jlc
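One way to "keep an eye on" a URL table alias, as an added example that is not code from the thread or from the pfSense project: it counts the usable IP and IP/CIDR entries in the fetched list, reports the lines pf will drop, and compares the count with what pfctl shows for the table. It assumes the pf table carries the alias name, that the list has already been fetched to a local file (for instance the copy pfSense keeps for the alias, assumed to live under /var/db/aliastables/), and that pfctl is in PATH.

```shell
#!/bin/sh
# Check that a pfSense URL table alias loaded what the source list promised.
# Added example, not code from the list or from pfSense. Assumptions: the pf
# table is named after the alias, the list has already been fetched to a
# local file, and pfctl is in PATH.

# Normalise the list the way pf will see it: strip comments and whitespace,
# treat a bare host and host/32 as the same entry, and drop exact duplicates
# (pf keeps one copy), so the count matches what "pfctl -T show" reports.
normalize_list() { # $1 = list file
    sed 's/[#;].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//; s,/32$,,' "$1" \
        | grep -v '^$' | sort -u
}

# IPv4 address with valid octets, optionally followed by /0 .. /32.
IPV4_OR_CIDR='^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'

# Number of usable entries; grep -c exits 1 on zero matches, hence "|| true".
count_valid_entries() { # $1 = list file
    normalize_list "$1" | grep -Ec "$IPV4_OR_CIDR" || true
}

# Lines the table will silently drop; a non-empty result means the upstream
# list changed format or was replaced by something else (e.g. an HTML page).
invalid_entries() { # $1 = list file
    normalize_list "$1" | grep -Ev "$IPV4_OR_CIDR" || true
}

# Entries currently held in pf for the alias' table.
table_entry_count() { # $1 = alias name
    pfctl -t "$1" -T show 2>/dev/null | grep -c . || true
}

# Compare list vs table; exit non-zero on mismatch so a cron job can mail it.
check_url_table() { # $1 = alias name, $2 = list file
    expected=$(count_valid_entries "$2")
    loaded=$(table_entry_count "$1")
    echo "alias $1: $expected usable entries in list, $loaded loaded in pf"
    bad=$(invalid_entries "$2")
    [ -z "$bad" ] || printf 'ignored lines:\n%s\n' "$bad"
    [ "$expected" -eq "$loaded" ]
}

if [ $# -eq 2 ]; then
    check_url_table "$1" "$2"
fi
```

Run it as `./check_urltable.sh <alias> <list file>` from cron; a mismatch or any "ignored lines" output means the alias did not load what you think it did.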
RE: [pfSense Support] Large Aliases
> You can export a configuration file to see the file structure, build
> a configuration backup that has the aliases in it based on the sample,
> and then restore your "backup". That's what we did.

That's a good idea, but the lists need updating, and something scriptable would be easier so I could do this at the cli less obtrusively...

Thanks,
jlc
[pfSense Support] Large Aliases
Are there any undocumented tricks to creating large aliases other than by hand? I have some I need to create with maybe 100 or more small networks. Can I import the list at the cli somehow and have the gui acknowledge them?

Thanks!
jlc
RE: [pfSense Support] FreeRADIUS users
> For the purposes of that status page, the port number of the management
> daemon must match the port number for OpenVPN. For example, if OpenVPN
> is running on port 1194, the management daemon must be on 127.0.0.1 1194.

Cool. I was hoping this package provided some sort of cumulative view, as I was looking to do away with the munin setup I use for this; shame :)
RE: [pfSense Support] FreeRADIUS users
> Not that I know of. Could you tell us the error message ?

Hey,

Well, I have a couple installs I tried it on; each, in their openvpn server config, has:

management 127.0.0.1 7050 (port varies between installs etc...)

and yet I get:

[error] No Management Daemon See Note Below...

I know the mgmt daemon works, as I telnet to it for other needs...

Thanks!
jlc
RE: [pfSense Support] FreeRADIUS users
> In 2.0, this is built-in.
>
> In 1.2.3, install the "OpenVPN Status" package and follow the instructions.
>
> Works great, even shows you the traffic usage over the VPN from every
> user and such.

Any additional config needed on this aside from the mgmt port? I have had that port enabled since day one for other uses, as described in this package's notes, yet it still shows an error upon access? The server instance is configured to use unique client certs for all remote users.

Thanks!
jlc
RE: [pfSense Support] OpenVPN Client
> That's why you need remote network filled in on both sides.

Can I simply write acl's on the lan interface to the remote segment, or is creating an additional interface required/better?

Thanks,
jlc
RE: [pfSense Support] OpenVPN Client
> Shared key can't push routes. Put them in on both sides.

Well, my remote openvpn config has route statements that allow the pfsense appliance access to its segment, but I don't know how to allow the pfsense lan clients access to the remote segment. Can you shed some insight Chris?

Thanks!
jlc
RE: [pfSense Support] OpenVPN Client
> Shared key can't push routes. Put them in on both sides.

Actually, I was using tls. I noticed that field was grayed out in that scenario only, but as I am remote and don't want to tank my only connection into the non-pfsense side by editing its openvpn config, I was going to hold off changing to Shared Key. But now, with what you say, I am confused: is TLS supposed to add routes? I am free to use either method, just used to tls. In the mean time, I'll test by adding a route...

Thanks!
jlc
[pfSense Support] OpenVPN Client
Trying to set up a site-to-site, and the remote network field is grayed out, which I presume is what obviously prevents automatic route generation, so that only pfsense has access through the tunnel atm... Anyone know why this is?

Thanks!
jlc
[pfSense Support] Disabling Services
How do I correctly set the default state for a service of an installed package like ntop or pfflowd to stopped?

Thanks!
jlc
RE: [pfSense Support] ntop is dumped
> I have seen this as well, but not on every system. I have some customer
> routers where it has run indefinitely (weeks, months, etc) and then I
> have some routers where it only runs for about 10 minutes. So far I
> haven't been able to track it down or find any correlations, but I
> haven't really gotten in-depth with it yet.

When I use it to monitor a very non-busy opt interface on one system, it can run for weeks; if I switch that to lan, for example, it sh!ts the bed asap...
RE: [pfSense Support] ntop is dumped
> I use pfsense 1.2.3-RELEASE and I installed ntop v.3.3.8. but Ntop working 5
> minutes and then stop logs is below "kernel: pid 49342 (ntop), uid 0: exited on
> signal 11 (core dumped)" How can I resolve my problem ?
>
> Thank you for your help

Pretty much my experience as well across several platforms; ntop is a memory pig. Without any way to retain state it's really only useful for short interactive use anyway. What size of system, and what other packages are installed?
[pfSense Support] Tuning pfflowd parameters
Does there exist any means to tune any parameters related to when a flow is deemed ready for export? A quick look at pfflowd at the cli yields nothing.

Thanks,
jlc
RE: [pfSense Support] Squid via OPT1
> Is there a way I can set Squid to route all traffic via OPT1 instead of my WAN
> interface?

You said it yourself, "set squid to route..." More info on your topo would be needed to say exactly how to do it. You can define a route on your Linux box to push all outbound traffic to a gateway defined by your opt int; you can also leverage the tcp_outgoing_address conf param...
[pfSense Support] pfflowd anomaly
With ntop, I can accurately see the traffic to several vpn users on a unique subnet tied to an opt interface. As they work, ntop increments the data count up as expected for their ip (set by the openvpn client config). I have enabled flows, and am monitoring it from a wkst, but for one user, I monitor them by the ip of their remote tap interface, 192.168.100.9 (openvpn cc of 192.168.100.8/30), and it looks right. Another user, 192.168.100.4/30, isn't showing traffic for 192.168.100.5 (wtf), but monitoring their subnet, 192.168.100.4/30, shows *some* traffic while they are in the middle of a wide open scp from a server in the lan interface. Is there something I am missing, maybe some anomaly wrt flows on this box? As I understand, the pfsync interface will dump data for everything (flows are set "any"). One odd thing I noticed was that changes in the pfflowd settings tab don't take place until you apply twice, as verified with wireshark on multiple remote hosts.

Thanks!
jlc
RE: [pfSense Support] Monitor traffic through vpn
>If you have your OpenVPN tun interface assigned as an OPT, you can
>probably use any of the existing bandwidth monitoring software packages:
>
>http://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage%3F

Wow, the ntop package out of the box displayed what I needed exactly as I wanted. No need to produce anything better.

Thanks!
jlc
[pfSense Support] Monitor traffic through vpn
I have been asked to monitor traffic, per user through our openvpn pfsense setup, as it's set up for filtering (Therefore I know what ip each user uses), I presume this can easily be done by looking at traffic between the opt int and the lan int. Are there provisions built in to pfsense to make this easy, can I send the data to a different host for example w/ a mysql backend?

Thanks!
jlc
RE: [pfSense Support] Bogons file overwritten w/ bad data
>Check out the rc_updatebogons.sh script in /etc. That's how the file is
>updated.

I kind of figured it updated on its own... Given that the WAN mac is not rewritten until the config is restored, I figured that's why some of the isp redirection html was pushed into the file.
RE: [pfSense Support] Install w/o cdrom
>Have you actually tried this? My experience was that the PC gets as far
>as the unetbootin boot program but it fails to hand off to the pfsense
>booter. Worked okay when I tried the "preloaded" FreeBSD. Probably did
>something wrong or failed to do something right.
>
>Is it possible to use the pfSense LiveCD to install a LiveCD or embedded
>version on a bootable usb stick?

Didn't work for me, same results.
[pfSense Support] Bogons file overwritten w/ bad data
My conf restore went smooth except for one problem, the /etc/bogons file got overwritten with what looked like some html from an ISP redirected web page of some sorts (should have saved it, sorry). Luckily I had ssh access, I copied the one over from the iso and rebooted and it came up fine... How does that file update or get written to? Any way to prevent this, or was there something I overlooked during the restore?

jlc
RE: [pfSense Support] Install w/o cdrom
>It's a lot easier to install with the drive in another machine that
>has a CD-ROM and then move the drive to the target machine.

That's a possibility, but given I don't have another system with this mass storage device I possibly wrongly assumed the drive geometry difference would render it unusable. I'll try that though.

Thanks!
jlc
RE: [pfSense Support] Install w/o cdrom
>1: Google for something called 'unetbootin'

I forgot about that one (Saw it on a Fedora list...). It didn't work though. I made sure the partition was <2gb and FAT, but it couldn't boot it. OTOH, using BootMyISO I got it to load the iso but after selecting the first option to boot, pfSense attempts to mount the iso I presume as cd9660:/.../ at which point it can't find it. Any idea if there is a workaround? No way to simply copy the install image from a shell within the booted embedded environment?

Thanks!
jlc
[pfSense Support] Install w/o cdrom
Any way to do this, there is an HD now in a server running a usb based embedded version.

Thanks,
jlc
[pfSense Support] Migrate from Embedded
I have a machine that was set up as embedded but now we need packages functional so I need to migrate it to install based. Given it's the very same server, can I simply restore the xml config from the embedded install w/o issue?

Thanks,
jlc
[pfSense Support] PFI w/ floppy
Does the PFI work with a floppy? I tried it, but saw a read error for the floppy. I am sure there is nothing wrong with the floppy, is it just not supported?

Thanks!
jlc
RE: [pfSense Support] pkg_add and openvpn-auth-ldap in 1.2.3-RC1
>No officially supported way until 2.0.

Well, I suppose I could wait, users are just complaining about the twofold scenario as the certs require a pass phrase. I think I got it working, I missed:

setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/

How obtrusive was that, btw?:) Thanks for all the help!

jlc
RE: [pfSense Support] pkg_add and openvpn-auth-ldap in 1.2.3-RC1
>If you're going to do this, upgrade to RC3 and start from there, then
>at least you can upgrade to the final 1.2.3 release (no FreeBSD
>version change).

Chris, I greatly appreciate the guidance there. If it's not supported, I don't want to go there as too many people depend on the vpn being available. Given I also have zero experience w/ FreeBSD, that concerns me. Is it just a matter of maintaining the OpenVPN config (That I can handle) or do I risk breaking anything else? Is there a supported method to accomplish what I need with either ldap or radius etc?

Thanks!
jlc
[pfSense Support] pkg_add and openvpn-auth-ldap in 1.2.3-RC1
Searching the forum showed others who received the

Shared object "libgssapi.so.9" not found, required by "libldap-2.4.so.6"

error but the solution was to use 1.2.3-RC1. I have a fresh install lab'ed up but still get this error, the file is not to be found anywhere, I don't know FreeBSD at all, but isn't pkg_add supposed to fetch deps? What package contains this lib?

Thanks!
jlc
[pfSense Support] OpenVPN LDAP Auth
I am just about to migrate off an embedded setup so I can utilize the openvpn-auth-ldap plugin against active directory. Does anyone know if it is at all possible to bind against ldap with the username/pass of the authenticating user to alleviate the need of a service account? If not, has anyone accomplished the same thing using another approach?

Thanks!
jlc
RE: [pfSense Support] lost in openvpn: policy routing depending on the client
>i have a pfsense 1.2.2 running in vmware virtual machine. all working
>nicely :-)

http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

Starting with pfSense version 1.2.3...

>any advice would be sincerely appreciated!

Upgrade :)
RE: [pfSense Support] potential pfsense hardware
>I'd rather have neither.

Won't argue that:) All of this has me concerned, I am waiting on some other issues but was about to order a 3 nic Alix board and saw it uses Via VT6105M 10/100 nics? I haven't used Via in years, how do these perform, and any issues you have seen, Chris?

Thanks!
jlc
RE: [pfSense Support] potential pfsense hardware
>Anybody else?
>I don't have any experience with Marvell other than in my Laptop.
>I assume they are better than Realtek...

I have a myriad of Intel, Broadcom, 1 Marvell now and several Realtek nics on various equipment I manage. Although the Realteks aren't performers like the Broadcoms or Intels and some need additional drivers in some distros, they all work. I have seen every preposterous event with a Yukon like providing a bad mac address during pxe boot, poor performance, and some needed some absolutely pedantic methods to configure parameters like Yukons under Solaris. I'd rather have a Realtek if I had to.

jlc
RE: [pfSense Support] potential pfsense hardware
>Has anybody tried pfSense with a board like this?
>http://www.avalue.com.tw/products/ECM-945GSE.cfm

I don't know about FreeBSD's support of Marvell nics, but based on my experience with them in Solaris and RHEL I won't even let one in my site without calling the janitor and his garbage cart. Just my 2 cents:)

jlc
RE: [pfSense Support] Filter Rules for OpenVPN connections
>How can i create an OPT interface assigned to a tun interface?

I knew that reply I wrote was a bit sloppy:) Make the OpenVPN config first specifying the Custom Opt as tun0. Save it. Then go back to your Interface Assignments and the Network port selection will now have a tun0 interface.

jlc
RE: [pfSense Support] Filter Rules for OpenVPN connections
>We have several Road Warrior style open VPN Users. Today they are
>directly routed to the LAN interface without any Filter Rules.
>New security policies request that we restrict some of the OpenVPN Users.
>
>It's a bit unclear to me how this can be done.

Create an OPT interface (do not assign this to a vlan, assign it to a persistent tun interface). The notion of vlan provides nothing here, also needs to be assigned to the persistent tun device here.

>- Based on their CN we assign them fix ip addresses.
>- We understand that we can do outgoing rules on the LAN interface

Setup the OpenVPN connection to hand out a unique range of IP's such as 192.168.100.0/24. Also setup a Custom Option of "dev tun0" for example (This gets assigned to the OPT interface *after* you save the vpn config and it is created).

Setup a Client-specific Config that hands out a unique block of that above reserved space, like:

  Common name: jcasale
  Interface IP: 192.168.100.4/30
  Some Ops if you need them, like: push "route 192.168.1.0 255.255.255.0"

  Common name: jdoe
  Interface IP: 192.168.100.8/30
  Some Ops if you need them, like: push "route 192.168.10.0 255.255.255.0"

  Common name: fbar
  Interface IP: 192.168.100.12/30
  Some Ops if you need them, like: push "route 192.168.10.0 255.255.255.0"

>But how can we do incoming rules for those users, is it possible to
>create an interface to assign the rules for them?

Now, setup rules on the outbound side of the OPT interface allowing 192.168.100.4/30 access to whatever it needs.

HTH,
jlc
RE: [pfSense Support] Block rule creates syntax error
>That's what happens when you have a rule with an interface that is
>deleted and you don't remove the rule, though that should never be the
>case for LAN. Email me a backup of your config.

Possibly a better method on my end given the Opt ints have vlans associated with them is not to use "OPTn Subnet" option from the pulldown, but choose "Network" and write it explicitly, such as 10.0.10.0/24. I am guessing that shortcut might get broken when:

  Interface  Network port
  OPT3       VLAN nn on em3

for example?

Thanks guys!
jlc
RE: [pfSense Support] Block rule creates syntax error
>Please switch to raw logs and show us the entry text and syntax error
>from the alert.
>
>Sanitize before-hand if you want.

I am not sure if this is what you want, but:

php: : There were error(s) loading the rules: /tmp/rules.debug:256: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [256]: block return in quick on $OPT2 proto tcp from any to /32 flags S/SA label "USER_RULE: Vendor Restrictions"

Raw is enabled, but this is what I see in the System log, not sure there was anything in the Firewall Log relevant.

Thanks!
jlc
[pfSense Support] Block rule creates syntax error
I all of a sudden am getting syntax errors in the logs which I don't recall seeing before with respect to a few generic block rules I have on an opt interface.

  Action: Reject
  Interface: OPT2
  Protocol: Any
  Source: Any
  Destination: LAN Subnet

I use this to block anything destined to the LAN interface. Is this not the right way to do this?

Thanks!
jlc
RE: [pfSense Support] Wireless Setup
>You should have a look which wifi chip supports the AP mode.
>I know that the old intel (example 2200BG) chips couldn't be used in AP
>mode.
>
>I have bought a Wistron CM9 with Atheros chip and use it with Askozia
>(Asterisk PBX based on FreeBSD). Works fine in AP mode. So it should be ok
>for pfSense too.
>
>Best is to have a look at
>http://www.freebsd.org/releases/7.0R/hardware.html#WLAN for supported
>cards.

Thanks Dominik and Ralf, that was something I didn't know (ap mode).

jlc
[pfSense Support] Wireless Setup
I need to set some equipment up at the boss' digs and looking at all I need to do (OpenVPN client, DDNS w/ hmac keys back to our Bind Server and wireless ap for his family) I figured I can do all of this w/ pfsense. I looked through the archives and see that it can be setup as a wireless ap (I know nothing of wireless really) so that begs a couple simple questions. Is there any specific network card I should choose? I was going to use an ALIX 2D3 with a miniPCI wifi card. Or does any miniPCI based wifi card provide whatever functionality pfsense would need to make a wireless AP out of it?

Thanks!
jlc
RE: [pfSense Support] vlan troubles
>it could also be a bogus switch; it might not like you trying to run
>tagged and untagged frames on the same port. I'd advise changing to use
>vlan2, say, as your LAN and ensure all switch ports are marked untagged
>vlan2, (or in cisco speak, in access mode, access vlan 2, and nonegotiate).

Everything works as it should now, thanks for all the patience. Fresh cabling across the board made it tick. No surprise, all the cables were recently re-routed in a new trough.

jlc
RE: [pfSense Support] vlan troubles
>yes, play with the Interfaces->Assign menus

Paul,
Thanks for the confirmation. In the VLAN Tab, I have:

  Interface  VLAN tag  Description
  em2        50        NegriBossi

In the Interface Assignment Tab, I have:

  Interface  Network port
  LAN        em0
  WAN        bge0
  OPT1       em1
  OPT2       VLAN 50 on em2
  OPT3       em3

In the rules page on the OPT2 tab, I have a * rule allowing all from all. The LAN tab has its * (from LAN net) rule. So when you say create rules for vlan50, the Rules interface still refers to the name of the Interface, not the vlan itself, correct?

As a test to make sure there wasn't anything wrong in between switches etc, I untagged a non vlan aware wkst into vlan 50 on the switch pfsense is plugged into and it can see the remote machine fine. I then removed the vlan from pfsense and untagged OPT2 into vlan50 and had issues? I swapped ports and it sort of works, sporadic connectivity that sometimes works and sometimes does not. At this point, I think there is a cabling issue possibly or another problem outside the pfsense setup. I have to purchase some new cables and try this again.

Thanks everyone,
jlc
RE: [pfSense Support] vlan troubles
>Does the vlan interface have an allow rule?
>You said opt2 does, but what about your vlan interface

Yes, only Opt2, I didn't know you could create rules for the vlan interface itself? Are you sure you can do this?

Thanks!
jlc
[pfSense Support] vlan troubles
I have a vlan (50) setup whose parent interface is Opt2. This parent interface is setup with a static ip of 192.168.1.1/24 and is plugged into a switch "A" that has this port tagged into the specific vlan id of 50 as well. Switch "A" has a fibre connection to another switch "B" and the ports are both tagged into vlan 50. Switch "B" has a non vlan aware computer connected and its port is untagged into vlan 50.

From the lan side on a workstation and from the console as well, I can ping 192.168.1.1 but not the IP of the device on the untagged port of Switch "B". Opt2 has a default * rule allowing everything. Did I miss something wrt the vlan setup in pfsense? I did reboot as it mentioned while configuring this.

Thanks!
jlc
RE: [pfSense Support] GBE toe
>FWIW - I have not been able to get these to work in PFSense -at all-.
>
>http://www.newegg.com/Product/Product.aspx?Item=N82E16833106019

I am running this one currently.

>Which versions of pfsense did you try them in?

1.2.3-RC1

jlc
[pfSense Support] Importing SSL certs for Web GUI
Anyone know what is involved in setting up a cert when using a windows CA? I can use OpenSSL on a Linux host to do the conversion from the format the Windows CA outputs (I don't know if I can output it natively?). What do I use for the RSA private key, or more to the effect, how do I get that out of the Windows CA?

Thanks!
jlc
RE: [pfSense Support] Re: 1.2.3-RC1 Web gui logout
>> Can ff be setup to do this?
>
>In Windows FF3.5
>
>Tools>Clear Recent History>Details>Active Logins
>
>I believe that should do it.

Fantastic, thanks!

jlc
RE: [pfSense Support] Re: 1.2.3-RC1 Web gui logout
>You could close your browser, or you could use a browser that implements
>a method to forget HTTP authentication.

I would be interested in a reco for an alternative browser then, sure. I use ff only because its footprint is light and it works well, hell I'd use ie on my windows workstation if it weren't such a pig. Can ff be setup to do this?

jlc
RE: [pfSense Support] 1.2.3-RC1 Web gui logout
>There isn't one in the 1.2 series since it uses HTTP authentication.

Argh, that means I have to close my browser:) I always have so much open like Nagios etc in other tabs...

Thanks!
jlc
[pfSense Support] 1.2.3-RC1 Web gui logout
Silly question, where the heck is the logout button?

jlc
[pfSense Support] OpenVPN, Vlans and filtering
First off, thanks to everyone who helped me get my setup running so far, the erroneous subnet and the embedded image on the HP server.

So now that the server is running minimally configured, I have a built-in bge0 interface and a quad port Intel nic. I have the WAN setup on bge0 (no VLANs) and hope to actually use the device to route between VLANs securely based on rules at the gig speeds (our pix used to do this at _low_ speeds) as well. Based on previous input, I understand that I should setup phys switch ports for all 4 internal interfaces as tagged into each vlan I require. So after creating VLANs on each Parent interface, I then intend to create Opt interface assignments for each of those VLANs.

Most important to us will be the vpn filtering, most users will need very few port/host provisions whereas admin users might need whole subnets unfiltered. In reading the end of http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN#Filtering_OpenVPN_Traffic I am still unsure how this works. Previously with my pix, I created various VPN groups (RDPgroup, AdminGroup) etc and gave them each unique subnets, then simply wrote rules from the WAN interface with those source subnets to the internal interface with the lan subnets governing what traffic was permitted. So a user with connection credentials to RDPGroup would get on a subnet that only passed TCP 3389 to certain hosts on the Lan. Can I still replicate this with my intended setup?

Thanks!
jlc
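An added example (not from the list thread) that puts the scheme from the "Filter Rules for OpenVPN connections" reply and this question together: give each common name a /30 out of the tunnel net the way the Client-specific Config entries do, emit the ccd lines, and build the per-group pass rules plus a default deny on the OPT interface the tun device is assigned to. The tunnel net and the /30s follow the reply's values; the LAN net, the RDP host, the group names and the net30 client/server endpoint convention are assumptions made for this example.

```python
import ipaddress

# Constructed sample values: the tunnel net and the /30 per common name follow the
# list reply; the LAN net and the RDP host are assumptions made for this example.
TUNNEL_NET = ipaddress.ip_network("192.168.100.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
RDP_HOST = ipaddress.ip_network("192.168.1.10/32")

# Common name -> (Client-specific Config "Interface IP", access group).
USERS = {
    "jcasale": ("192.168.100.4/30", "admin"),
    "jdoe": ("192.168.100.8/30", "rdp"),
    "fbar": ("192.168.100.12/30", "rdp"),
}

# Access group -> (proto, destination, port) it may reach on the LAN; None = any port.
GROUPS = {
    "admin": [("any", LAN_NET, None)],
    "rdp": [("tcp", RDP_HOST, 3389)],
}


def server_block(tunnel_net=TUNNEL_NET):
    """In OpenVPN's net30 topology the first /30 of the tunnel net is the server's own."""
    return ipaddress.ip_network(f"{tunnel_net.network_address}/30")


def client_endpoints(block):
    """net30 convention (assumed here): the client is base+1, its server end is base+2,
    which matches the 192.168.100.5 / 192.168.100.9 addresses seen in the thread."""
    net = ipaddress.ip_network(block)  # strict by default: host bits set -> ValueError
    if net.prefixlen != 30:
        raise ValueError(f"{block}: Interface IP must be a /30")
    return str(net[1]), str(net[2])


def validate(users, tunnel_net=TUNNEL_NET):
    """Return a list of problems; empty when every /30 is aligned, lies inside the
    tunnel net and is unique (the server's own /30 counts as taken)."""
    problems = []
    taken = {server_block(tunnel_net): "server"}
    for cn, (block, _group) in users.items():
        try:
            client_endpoints(block)
            net = ipaddress.ip_network(block)
        except ValueError as exc:
            problems.append(f"{cn}: {exc}")
            continue
        if not net.subnet_of(tunnel_net):
            problems.append(f"{cn}: {block} is outside {tunnel_net}")
        elif net in taken:
            problems.append(f"{cn}: {block} already used by {taken[net]}")
        else:
            taken[net] = cn
    return problems


def ccd_entry(cn, block, routes=()):
    """Lines OpenVPN reads from ccd/<cn>: the ifconfig-push plus any pushed routes."""
    client_ip, server_ip = client_endpoints(block)
    lines = [f"ifconfig-push {client_ip} {server_ip}"]
    lines += [f'push "route {route}"' for route in routes]
    return "\n".join(lines)


def filter_rules(users, groups, iface="OPT1", tunnel_net=TUNNEL_NET, lan_net=LAN_NET):
    """pf rules for the OPT interface the tun device is assigned to: one pass per
    user and grant, then a catch-all block so nothing else from the tunnel net
    reaches the LAN. Return traffic is matched by state, so no LAN-side rule is needed."""
    rules = []
    for cn, (block, group) in users.items():
        for proto, dst, port in groups[group]:
            proto_part = "" if proto == "any" else f"proto {proto} "
            port_part = "" if port is None else f" port {port}"
            rules.append(
                f"pass in quick on ${iface} {proto_part}from {block} to {dst}{port_part}"
                f' keep state label "USER_RULE: {cn} {group}"'
            )
    rules.append(
        f"block return in quick on ${iface} from {tunnel_net} to {lan_net}"
        ' label "USER_RULE: default deny to LAN"'
    )
    return rules


if __name__ == "__main__":
    for problem in validate(USERS):
        print("problem:", problem)
    for name, (block, _group) in USERS.items():
        print(f"# ccd/{name}\n{ccd_entry(name, block, ['192.168.1.0 255.255.255.0'])}")
    print("\n".join(filter_rules(USERS, GROUPS)))
```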
RE: [pfSense Support] trying to boot embedded image fails
>The nanobsd/embedded images switch to a serial console during the boot
>process, did you try using the serial console with that snapshot?

Darn, no. I have to wait until tomorrow. Would the KB become unresponsive during the switch such that numlock/capslock no longer functions? The lights on the intel quad port nic don’t light up so I was pretty sure it tanked before that driver initializes.

>Any FreeBSD install will work for that packet/nopacket change, even a
>pfSense system.

Ok, does FreeSBIE have the needed tools? This way I don't have to open a case and shove a spare disc in:)

Thanks!
jlc
RE: [pfSense Support] trying to boot embedded image fails
>Are you speaking of these:
>http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/
>
>The pfSense-1.2.3-512mb-20090723-1908-nanobsd.img image didn’t hang the server
>but it just sat at a blinking cursor:)

Sorry, spoke too soon! Same result. I wait for a suggestion on what freebsd iso to yank and get a desktop installed tomorrow to make that change you suggested.

Thanks!
jlc
RE: [pfSense Support] trying to boot embedded image fails
>I have seen some BIOS that would only boot from a USB key in that case
>after a BIOS update and some option twiddling (though I don't recall what).
>
>We have also seen that some embedded devices require booting in packet
>mode or nopacket mode, depending on the BIOS it could be one or the
>other. This can be changed, but required plugging the device into
>another FreeBSD box or another pfSense box and running:
>
>boot0cfg -o packet /dev/da0
>
>Where packet can also be nopacket, and /dev/da0 is the full path to the
>USB device as seen by the OS (check dmesg).

Wow, I don't have any bsd machines, lol. Can you reco what I should pull down to install on a recent desktop, with AHCI sata for example?

>I don't recall what the RC1 images are, but the current nanobsd
>snapshots should be using packet mode.
>
>Before doing much else, I'd also try a more recent snapshot than RC1.

I didn't know there was anything newer except 2.0, which I read has all the embedded images not functional. Where do I get a more recent 1.2.3 image? Are you speaking of these:

http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/

The pfSense-1.2.3-512mb-20090723-1908-nanobsd.img image didn’t hang the server but it just sat at a blinking cursor:)

Thanks for all the advice!
jlc
RE: [pfSense Support] trying to boot embedded image fails
>Have you tried connecting to it using a serial cable?

I could, but it does hang, I am sure of that and I can see it clearly on the monitor.

jlc
[pfSense Support] trying to boot embedded image fails
I have an HP DL120 G5 I am trying to use pfSense-1.2.3-RC1-Embedded on and it just hangs on the bootloader. I am using a 4gig USB key that I wrote the img to. Are there any particular bios requirements for this to work or other setup requirements?

Thanks!
jlc
RE: [pfSense Support] VPN Questions
>>> You can filter OpenVPN. Short howto is here:
>>> http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
>>
>> if you're running multiple openVPN servers, how does pfSense know which
>> tun device is allocated to which server/daemon?
>>
>
>Updated that page.

Chris, does the OpenVPN setup with the DHCP-Opt.: DNS-Domainname and DHCP-Opt.: DNS-Server config params mimic the Cisco Split-DNS concept where once the client connects, queries for a host whose FQDN has a search domain equal to "DHCP-Opt.: DNS-Domainname" will be redirected to the "DHCP-Opt.: DNS-Server" server?

Thanks!
jlc
[pfSense Support] Automatic outbound NAT
Does this have some bounds as to the ports it will gen rules for? I am trying to reach a high destination port, 1 and it's not working? The wiki http://doc.pfsense.org/index.php/Automatic_NAT_Rules_Generation didn't really say much regarding that.

Thanks!
jlc
RE: [pfSense Support] Understanding Rules
>pfSense applies rules when packets enter Interface. You do not need a
>rule for packets to return. If return packet belongs to established
>connection it is allowed.

Eugene/Joshua,
This is what I assumed, but in a test traffic was blocked, or at least I may have thought it was, it was Friday night and I was bagged and wanting to go home:) So if I make a rule blocking all traffic from OPT1 to LAN, but have a rule allowing a port/host in LAN to a host in OPT1 I should be ok? As soon as I get a window, I will retry this.

Thanks for the help guys!
jlc