Re: [pfSense Support] Traffic shaping for specific file type

2011-05-16 Thread Michel Servaes



You can come on chat (Google chat), I will help you my best.

mohanra...@gmail.com



Though this answer might be interesting for the person who has asked it,
it is totally useless to the mailing list.


If everybody acted the same, the mailing list would be filled with 0 answers…

Please post your answer on the mailing list.


Thanks.



Yes, I was thinking the very same thing here... I am not going to use 
bandwidth throttling right now - but I would love to know a bit on a 
howto described right here :-)

It's like learning using it in every possible aspect...

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] MSN blocking (squid on Alix ?)

2011-04-14 Thread Michel Servaes
I want to block MSN completely.
Maybe scheduled, but if not possible then all day long !

I have blocked ports 1863, 901 and 6891:6900 on the pfSense (scheduled for
nighttime)
Added the DNS forwarders for msn messenger to 127.0.0.1 (this cannot be
scheduled)


Should I use SQUID, or are the above rules enough ?
And will it be working "nighttime" only, or with the added DNS entries,
it'll probably work 24/24 now ?

Kind regards,
Michel


[pfSense Support] wifi access logging

2011-04-04 Thread Michel Servaes
Does anyone have a success story with pfSense and logging wifi accesses ?
It appears that in the near future, activity of all wifi access granted to
customers outside your organization needs to be logged... so that in case of
misuse, you can show it was a customer and not an employee...

I was first thinking on using the captive portal... but this wouldn't allow
me to log their accesses.
I then thought on using the proxy squid in pfSense, but to have logging
enabled, I probably shouldn't use an Alix solution with a CF card, since
this will do many writes onto the CF, and ultimately destroy it. (and I feel
that the Alix-CPU isn't quite up to the task for squidproxy).

So how does one solve this in quite an economical way ? Since my customer
doesn't want to make his customers pay for this solution, but he also
doesn't like the idea of being accused of misuse...

I could think about a low-level computer, with a SATA disk... install
pfsense on that, and have a 3-legged network solution :
1 WAN, 1 LAN, 1 PUBLIC (in which the PUBLIC needs to be authenticated with
CARP, and have proxysquid active on all the users on the PUBLIC port).

Can the captive portal tokens be linked into the squid-log ?


Kind regards,
Michel


Re: [pfSense Support] User with limited privileges

2011-02-28 Thread Michel Servaes
oops, didn't see that the same response has been given already... sorry

On Mon, Feb 28, 2011 at 1:55 PM, Michel Servaes  wrote:

> To my belief there are no users to create in 1.2.3 !
> This would only work on a 2.0 platform... unless there is a hidden way to
> make this work of course :)
>
>
> On Fri, Feb 25, 2011 at 3:25 PM, RB  wrote:
>
>> On Fri, Feb 25, 2011 at 05:53, Carlos Vicente 
>> wrote:
>> > My question is: is there a way of creating a user, without elevated
>> > privileges, to give access only to the reports of LightSquid. I don't
>> want
>> > any client to have access the others features of pfSense.
>>
>> No, not in pfSense 1.2.3.  Multi-user authentication and user-specific
>> privileges were introduced in 2.0 and have worked quite well for
>> nearly as long as the 2.0 development has been going on.
>>
>


Re: [pfSense Support] User with limited privileges

2011-02-28 Thread Michel Servaes
To my belief there are no users to create in 1.2.3 !
This would only work on a 2.0 platform... unless there is a hidden way to
make this work of course :)

On Fri, Feb 25, 2011 at 3:25 PM, RB  wrote:

> On Fri, Feb 25, 2011 at 05:53, Carlos Vicente 
> wrote:
> > My question is: is there a way of creating a user, without elevated
> > privileges, to give access only to the reports of LightSquid. I don't
> want
> > any client to have access the others features of pfSense.
>
> No, not in pfSense 1.2.3.  Multi-user authentication and user-specific
> privileges were introduced in 2.0 and have worked quite well for
> nearly as long as the 2.0 development has been going on.
>


Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects

2011-02-11 Thread Michel Servaes

I run pfsense 1.2.3 and use 4 ipsec tunnels with dynamic endpoints.

Everything works fine, but when one endpoint continuously gets a new 
WAN-IP due to numerous reconnects, racoon stops working and has to be 
started manually…


Can anyone confirm this issue ?


I have the same issue; and almost all my endpoints are pfsenses too on a 
dynamic ADSL connection.
I now have built in some tricks to make racoon work a little bit more 
stable :


1. the endpoints have a built-in restart at 4 AM (our provider restarts 
PPPoE on 36 hours, which makes it disconnect each and every 1,5 days), 
so I have set up pfSense to do the restarting.
2. I restart the racoon service on the central pfSense machine at 4:15 
AM using a cronjob.


And then hope for the best :)
This helped me come through the day, as before I had to restart racoon 
at least each and every 3 days... this has become a weekly task or 
longer from time to time now.


Regards,
Michel




[pfSense Support] pfSense 2.0 : 512MB images have no use anymore ?

2011-02-06 Thread Michel Servaes

Hi,

Have posted it on the forum too, I think that the 512MB images have no 
use anymore.
Yesterday I tried to update to the latest snapshot, but it told me that 
the file was corrupted.


When checking into SSH, I saw that only 43MB was free on the CF card. 
(this can't store a 63MB image obviously). I have not a single package 
installed.


Today, I reflashed a 4GB cf-card with a 1GB image - this seems to give 
me enough space for the near future :) (I now have 217MB free on one 
slice of the CF card).



Kind regards,
Michel



ps. I have a question about the Slices... how does it perform a choice 
to the other slice, if one of the parts is not working... let's say 
slice1 does not respond, or reboots for an unknown reason, will it 
automatically choose slice2 ?? (or does one have to be on the console to 
make that choice ?)






Re: [pfSense Support] pfSense and adsl

2010-12-17 Thread Michel Servaes

On 18/12/10 10:16, Evgeny Yurchenko wrote:

my only concern now is PPPoA... But I need public IP on pfSense for sure
to do port-forwarding.

Not really; if you can ask the modem to port-forward to the pfsense box,
you can then ask pfSense to port-forward to the final destination.

So the public IP stays on the modem's WAN interface, you burn a small
private network for the connection between the modem's LAN and pfSense's
WAN (using DHCP so that pfSense gets the modem's sense of DNS
providers), and provide ordinary services over pfSense's LAN.

This means you end up with double-NAT, which isn't ideal in a busy
environment, but is stable enough for quieter locations.


You could do that, but then you would have to disable the private 
address filtering on the WAN side of course !





Re: [pfSense Support] pfSense and adsl

2010-12-17 Thread Michel Servaes


Can I reconfigure Netgear in 'bridge' mode so I get Public IP on 
pfSense WAN? What would be WAN type on pfSense (DHCP? static? PPPoE?)?
Or if you can answer more generally what is the general pfSense set up if 
you get DSL line from ISP?

Thanks.


Can't tell for netgear, but I have 5 locations with a DSL line and 
either a Speedtouch router or Sagem Router 3436.
I configure PPPoE on pfSense and the routers go bridged 
automatically... I do however remove all settings from the PPPoE login 
at the Speedtouch or Sagem boxes to make sure that during a reboot of 
pfSense they won't go connecting.


I need pfSense to get the public IP address, as I am using IPSEC in 
between (and I don't like to use IPSEC NAT-T).


That said, I can only tell for PPPoE - don't know how PPPoA should be 
done...



Kind regards,
Michel




Re: [pfSense Support] pfsense 1.2.3 - ipsec racoon watchdog ?

2010-11-27 Thread Michel Servaes


Is it possible to have some kind of watchdog installed on the racoon 
service ?
I have scheduled a racoon restart at 4am, and this seems to resolve 
the racoon shutdowns that occurred sometimes in the week...


But today, racoon ended in the middle of the day - and as such, the 
printserver could not connect to the remote printers of course...
Some kind of watchdog, that would automatically restart a service 
(eg. racoon in this case), would be some cool solution... the 
watchdog should not retry more than 3 times within 10 minutes or so - 
as an erroneous config could be the base of this of course...


I tried checking the log; and it seems to be appearing after DPD 
detected a dead peer this time... right after that, the printserver 
started mailing errors (so I'm sure it happened right after this in 
the log)


I currently disabled DPD for this tunnel; I have entered "0" for DPD 
(this means disabled - I hope ?)
The FVS-318 on the client site, is also handling DPD - I guess one 
site is enough ?



Looks like DPD perfectly worked - detected dead peer.
And it seems that you just stopped receiving anything from remote end. 
Can you when it happens the next time do tcpdump on WAN and see 
whether there is any communication between these sites?


Evgeny.
PS: as far as I know DPD settings should be identical on both sides of 
the tunnel (intervals may differ but both either ON or OFF).


Evgeny, thank you for your reply,

But the service racoon has ended (crashed)... I don't think any 
ipsec-traffic will be generated after this, will it ? (besides the 
end-nodes on the other side trying to connect of course).
And because my printserver started mailing me about offline printers at 
around the same time - I gather that racoon ended the same time...


I'm having quite some time issues with this racoon-service, and tried 
many things (the restart of racoon around 4am already helped me out a 
great deal)
The end nodes are somewhat different, I might have to look to replace 
them all...


DLINK DI804 & DLINK DI824VUP+            3 devices
NETGEAR FVS318GS                         3 devices
LINKSYS RV042                            3 devices
ALIX board with pfSense embedded 1.2.3   5 devices (including my 
home device, which is running 2.0 beta4)


I'll run over all devices, to make sure DPD is the same as on the 
pfSense side.

Setting it to "0" on pfSense disables the DPD detection, right ?
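An added example, not from this thread and not pfSense's own code, of the watchdog asked for above: a POSIX sh script that restarts racoon when the process is gone, but at most 3 times within 10 minutes, so an erroneous config cannot turn into an endless restart loop. The pgrep check, the state file path and the racoon restart command are assumptions for a pfSense 1.2.3 box; run it from cron with the argument "run", without arguments it only demonstrates the rate limit on constructed timestamps.

```sh
#!/bin/sh
# Added example, not from the list thread: a rate-limited watchdog. It restarts
# racoon when the process is gone, but at most MAX_RESTARTS times per WINDOW
# seconds. The pid check and the restart command are assumptions for a pfSense
# 1.2.3 box (racoon with the config pfSense writes to /var/etc); adapt them.

STATE="${WATCHDOG_STATE:-/var/run/racoon-watchdog.state}"  # one epoch timestamp per restart
MAX_RESTARTS=3
WINDOW=600
RESTART_CMD="/usr/local/sbin/racoon -f /var/etc/racoon.conf"  # assumed path

# Is a racoon process present? (pgrep is part of FreeBSD's base system)
racoon_alive() { pgrep -x racoon >/dev/null 2>&1; }

# Print how many recorded restarts fall inside the window ending at $1 (epoch seconds).
recent_restarts() {
    now=$1
    n=0
    if [ -f "$STATE" ]; then
        while read -r ts; do
            if [ -n "$ts" ] && [ $((now - ts)) -lt "$WINDOW" ]; then
                n=$((n + 1))
            fi
        done < "$STATE"
    fi
    echo "$n"
}

# Return 0 if another restart at time $1 stays within the budget, 1 otherwise.
restart_allowed() {
    [ "$(recent_restarts "$1")" -lt "$MAX_RESTARTS" ]
}

# Append restart timestamp $1 to the state file, dropping entries that are
# already outside the window so the file never grows.
record_restart() {
    now=$1
    tmp="$STATE.tmp"
    : > "$tmp"
    if [ -f "$STATE" ]; then
        while read -r ts; do
            if [ -n "$ts" ] && [ $((now - ts)) -lt "$WINDOW" ]; then
                echo "$ts" >> "$tmp"
            fi
        done < "$STATE"
    fi
    echo "$now" >> "$tmp"
    mv "$tmp" "$STATE"
}

# One watchdog pass, intended to run from cron every few minutes. Returns 0 when
# racoon is (or has just been) running, 1 when the restart budget is exhausted
# and a human has to look at the config and the log instead.
watchdog_pass() {
    now=$(date +%s)
    if racoon_alive; then
        return 0
    fi
    if restart_allowed "$now"; then
        logger -t racoon-watchdog "racoon not running, restarting it"
        $RESTART_CMD
        record_restart "$now"
        return 0
    fi
    logger -t racoon-watchdog "racoon down, but $MAX_RESTARTS restarts within ${WINDOW}s already; giving up"
    return 1
}

# "run" does a real pass; anything else shows the rate limit on a throwaway
# state file with constructed timestamps (four restarts one minute apart).
case "${1:-demo}" in
    run) watchdog_pass ;;
    *)
        STATE=$(mktemp)
        for t in 1000 1060 1120 1180; do
            if restart_allowed "$t"; then
                record_restart "$t"
                echo "t=$t: restart allowed ($(recent_restarts "$t") in window)"
            else
                echo "t=$t: restart refused, $(recent_restarts "$t") restarts in the last ${WINDOW}s"
            fi
        done
        rm -f "$STATE"
        ;;
esac
```

In the demo the fourth restart at t=1180 is refused, because three restarts already fall inside the 600 second window; once the oldest one ages out, the budget opens again.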





[pfSense Support] pfsense 1.2.3 - ipsec racoon watchdog ?

2010-11-26 Thread Michel Servaes
Is it possible to have some kind of watchdog installed on the racoon 
service ?
I have scheduled a racoon restart at 4am, and this seems to resolve the 
racoon shutdowns that occurred sometimes in the week...


But today, racoon ended in the middle of the day - and as such, the 
printserver could not connect to the remote printers of course...
Some kind of watchdog, that would automatically restart a service (eg. 
racoon in this case), would be some cool solution... the watchdog should 
not retry more than 3 times within 10 minutes or so - as an erroneous 
config could be the base of this of course...


I tried checking the log; and it seems to be appearing after DPD 
detected a dead peer this time... right after that, the printserver 
started mailing errors (so I'm sure it happened right after this in the log)


The ip 194.23.45.67 is the main-site
The ip 84.23.45.67 is the client-site... an FVS-318G.

I currently disabled DPD for this tunnel; I have entered "0" for DPD 
(this means disabled - I hope ?)
The FVS-318 on the client site, is also handling DPD - I guess one site 
is enough ?




The logs :

18:14:30  racoon: INFO: unsupported PF_KEY message REGISTER
18:14:03  racoon: INFO: begin Identity Protection mode.
18:14:03  racoon: INFO: initiate new phase 1 negotiation: 
194.23.45.67[500]<=>84.23.45.67[500]
18:14:03  racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to 
no phase1 found.

18:13:34  racoon: INFO: delete phase 2 handler.
18:13:34  racoon: ERROR: phase2 negotiation failed due to time up 
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]
18:13:20  racoon: ERROR: phase1 negotiation failed due to time up. 
751ac323c27fbdfe:
18:13:03  racoon: INFO: request for establishing IPsec-SA was queued due 
to no phase1 found.

18:13:01  racoon: INFO: delete phase 2 handler.
18:13:01  racoon: ERROR: phase2 negotiation failed due to time up 
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]

18:12:30  racoon: INFO: begin Identity Protection mode.
18:12:30  racoon: INFO: initiate new phase 1 negotiation: 
194.23.45.67[500]<=>84.23.45.67[500]
18:12:30  racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to 
no phase1 found.
18:10:35  racoon: ERROR: phase1 negotiation failed due to time up. 
c299ca1329443b2a:

18:10:16  racoon: INFO: delete phase 2 handler.
18:10:16  racoon: ERROR: phase2 negotiation failed due to time up 
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]

18:09:45  racoon: INFO: begin Identity Protection mode.
18:09:45  racoon: INFO: initiate new phase 1 negotiation: 
194.23.45.67[500]<=>84.23.45.67[500]
18:09:45  racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to 
no phase1 found.
18:07:22  racoon: ERROR: phase1 negotiation failed due to time up. 
50bbf00862056d6e:

18:07:03  racoon: INFO: delete phase 2 handler.
18:07:03  racoon: ERROR: phase2 negotiation failed due to time up 
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]

18:06:33  racoon: INFO: phase2 sa deleted 194.23.45.67-84.23.45.67
18:06:32  racoon: INFO: begin Identity Protection mode.
18:06:32  racoon: INFO: initiate new phase 1 negotiation: 
194.23.45.67[500]<=>84.23.45.67[500]
18:06:32  racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to 
no phase1 found.

18:06:32  racoon: INFO: phase2 sa expired 194.23.45.67-84.23.45.67
18:06:30  racoon: ERROR: phase1 negotiation failed due to time up. 
b66e338d78bf87f2:

18:06:03  racoon: INFO: phase2 sa deleted 194.23.45.67-84.23.45.67
18:06:02  racoon: INFO: request for establishing IPsec-SA was queued due 
to no phase1 found.

18:06:02  racoon: INFO: phase2 sa expired 194.23.45.67-84.23.45.67
18:05:40  racoon: INFO: begin Identity Protection mode.
18:05:40  racoon: INFO: initiate new phase 1 negotiation: 
194.23.45.67[500]<=>84.23.45.67[500]
18:05:40  racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to 
no phase1 found.
18:05:12  racoon: INFO: ISAKMP-SA deleted 
194.23.45.67[500]-84.23.45.67[500] spi:93973802dd93a2d475
18:05:11  racoon: INFO: DPD: remote (ISAKMP-SA spi=9358032ed:d604d75) 
seems to be dead.
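An added example, not part of the thread: a small shell script that reads a racoon log excerpt like the one above and separates the two explanations given in this thread, racoon itself having stopped versus the remote peer no longer answering. A daemon that keeps logging "initiate new phase 1 negotiation" after the DPD event is still running; a log with no attempts after DPD points at the daemon. The log lines are constructed after the pattern of the post, with the same addresses, newest first as the pfSense log viewer shows them.

```sh
#!/bin/sh
# Added example, not from the list thread: summarise a racoon log excerpt.
# Sample lines constructed after the pattern in the post (newest line first).

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
18:14:03  racoon: INFO: initiate new phase 1 negotiation: 194.23.45.67[500]<=>84.23.45.67[500]
18:13:20  racoon: ERROR: phase1 negotiation failed due to time up. 751ac323c27fbdfe:
18:12:30  racoon: INFO: initiate new phase 1 negotiation: 194.23.45.67[500]<=>84.23.45.67[500]
18:10:35  racoon: ERROR: phase1 negotiation failed due to time up. c299ca1329443b2a:
18:05:12  racoon: INFO: ISAKMP-SA deleted 194.23.45.67[500]-84.23.45.67[500] spi:93973802dd93a2d475
18:05:11  racoon: INFO: DPD: remote (ISAKMP-SA spi=9358032ed:d604d75) seems to be dead.
EOF

# A second constructed excerpt: DPD fired and nothing more was logged afterwards.
QUIET_LOG=$(mktemp)
cat > "$QUIET_LOG" <<'EOF'
18:05:12  racoon: INFO: ISAKMP-SA deleted 194.23.45.67[500]-84.23.45.67[500] spi:93973802dd93a2d475
18:05:11  racoon: INFO: DPD: remote (ISAKMP-SA spi=9358032ed:d604d75) seems to be dead.
EOF

# Number of DPD dead-peer detections in log $1.
dpd_dead_count() { grep -c 'DPD: remote .* seems to be dead' "$1"; }

# Number of phase 1 negotiations that timed out in log $1.
phase1_timeouts() { grep -c 'phase1 negotiation failed due to time up' "$1"; }

# Local and remote address of the most recent phase 1 attempt in log $1.
last_phase1_peers() {
    sed -n 's/.*phase 1 negotiation: \([^[]*\)\[[0-9]*\]<=>\([^[]*\)\[[0-9]*\].*/\1 \2/p' "$1" | head -n 1
}

# Phase 1 attempts logged after the most recent DPD event. The excerpt is newest
# first, so count "initiate" lines until the first DPD line is reached.
attempts_since_dpd() {
    awk '/DPD: remote .* seems to be dead/ { exit }
         /initiate new phase 1 negotiation/ { n++ }
         END { print n + 0 }' "$1"
}

# Print a verdict for log $1; return 0 when racoon is evidently still running
# (peer silent), 1 when the log suggests the daemon itself has stopped.
diagnose() {
    attempts=$(attempts_since_dpd "$1")
    if [ "$attempts" -gt 0 ]; then
        remote=$(last_phase1_peers "$1" | cut -d' ' -f2)
        echo "peer $remote silent: racoon made $attempts phase 1 attempts after DPD, $(phase1_timeouts "$1") timed out"
        return 0
    fi
    echo "no phase 1 attempts logged after DPD: check whether racoon is still running"
    return 1
}

for f in "$LOG" "$QUIET_LOG"; do
    diagnose "$f"
done
```

For the excerpt above the verdict is "peer silent": two phase 1 attempts were initiated after DPD and both timed out, which is exactly Evgeny's reading. A tcpdump on WAN for UDP 500 from the remote address would then show whether the peer is sending anything at all.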






[pfSense Support] Adding OpenVPN to an existant IPSEC solution

2010-11-11 Thread Michel Servaes

I want to add OpenVPN to my IPSEC situation.
But, I find IPSEC a safer solution on pfSense, as it by default blocks 
access on the created tunnels.


I know I can do this too with OpenVPN, but have to add an adaptor OPT1 
that handles the traffic for all OpenVPN tunnels... this however also 
tells me that all the IPSEC tunnels have to be created with a manual 
rule for access.


This is not a problem, but what will happen with the already existing 
IPSEC tunnels created with the automatic rule creation ?? Will they stay 
in place ?
If so, I guess it's not really a problem to have both OpenVPN & IPSEC 
running...



Kind regards,
Michel





[pfSense Support] Captive Portal & Logging

2010-11-05 Thread Michel Servaes
Hi,


I was wondering, if it would be possible to log all traffic from a captive
portal point of view ?

When handing out "captive portal" access keys to users, their use and
whereabouts should be logged in case of misuse !
Can I log per login on CaptivePortal level to some kind of database ??

Ideally, it would keep its records in a MySQL database centrally (and in
case of offline, cache its records locally)... but then again, this
would be the ideal situation of course :)



If pfsense can't handle this, can pfsense be used together with some other
product that can log this use ?
It really should need to log the username, and his whereabouts when he
visits the internet.

Maybe I should use a dedicated pfsense machine, and install proxy on it...
that would be a workaround I guess (that is, if not using transparent proxy
of course - but to my knowledge, this would only log HTTP traffic (which is
already quite good, but I want it all logged of course).


I've heard about Untangle a lot - but I have no idea whatsoever what to
expect about this software... (I've seen nifty screenshots, and it looks
quite cool - but I just hope all the eyecandy isn't a cover-up for its real
use)


Kind regards,
Michel


[pfSense Support] OpenVPN changing auto-added rules on pfSense 1.2.3

2010-11-02 Thread Michel Servaes

Hi all,

After a few hours fiddling with both TomatoVPN & OpenVPN into pfSense, I 
got it all working now... this is my first working OpenVPN connection by 
the way, so I am quite happy here :)


The tunnel is working fine, rebooting the TomatoVPN (on a wrt54) just 
connects back to my pfSense cheerfully.
I just changed everything from UDP to TCP - and this seems to do the 
trick, and have added a custom configuration (into TomatoVPN) : route 
192.168.10.0 255.255.255.0   (192.168.10.0 being the main office)


Added a route into the TomatoVPN, and it works great.


But - a bit "too" great... the tunnel is open for everyone who is 
sitting behind the TomatoVPN router... and this is not what I had in 
mind... (being used to IPSEC tunnels, I was somewhat surprised that 
tuns and taps are (by default) allowed all traffic...


Reading on, I read that I should disable all the auto-added VPN rules, 
and add the tun-interface, so I could fiddle with the rules back 
there... now already using about 12 IPSEC tunnels, I am a bit 
worried in doing this, will it affect the already existing IPSEC VPN 
rules ??


Or is this only for the next IPSEC VPNs that, from now on, I need to add 
additional rules for... if this is the case, then I don't need to 
worry (it'll be even more secure this way, no ?)



This is not 100% crystal clear for me, reading the book at chapter 12.3


Kind regards,
Michel




[pfSense Support] OpenVPN pfsense -- Linksys wrt54 (TomatoVPN)

2010-10-29 Thread Michel Servaes

Does anyone have a working example with this combination...
Are there things to look for ?

I have tried to follow the book - but somehow the VPN doesn't come up... 
I can ping the first 10.8.0.1 (but I guess this is the OpenVPN server of 
pfSense itself ?)
I have created the shared key, and pasted this in both the 
Linksys(tomato) and into pfSense... but it seems not to connect correctly ?



The local network has 192.168.150.0/24  (this is where pfSense is)
The remote network has 172.21.190.0/24 (this is where the TomatoVPN 
is running).


I decided to take 10.8.0.0/24 as OpenVPN network (on both sides - 
TomatoVPN suggests this as default).


I furthermore opened port 1195/udp on pfSense... should 1195/udp also be 
opened on the TomatoVPN (the WRT54 is acting as client, so I would 
presume not).



Kind regards,
Michel


(I am used to using IPSEC... which works just fine, but I would like to 
move over to OpenVPN due to the cheaper hardware of Linksys)





[pfSense Support] CARP between pfSenses (server & embedded) - is it possible

2010-10-27 Thread Michel Servaes
Hi,


I was wondering, if I have a fully installed pfSense on a real server
platform... it would be possible to add an Alix-embedded as backup ?
And in the case of hardware failing, it would jump to the Alix (without
packages installed)...

The "real" server has packages like proxy and so on (transparent that is) -
so there is no real need to have packages installed on the Alix board in my
case (I think)...
Has this already been done by someone... if not, then I guess it'll be my
duty to try this (guess to try this at home first - lol).


I read that when using multiple WAN interfaces, CARP isn't behaving well...
on a 1.2.3 platform... true to be cautious, or true to indeed have issues ?



Kind regards,
Michel


Re: [pfSense Support] Write 512MB image onto 4GB CF-card ?

2010-09-17 Thread Michel Servaes
>  On 16.09.10 21:40, Jim Pingle wrote:
>> And IIRC if the card has any kind of built-in wear
>> leveling, it will extend the life of the card to 8 times what it would
>> have otherwise been.
>>
> This calculation is IMHO a bit too optimistic. I think wear levelling
> works with some percentage, maybe 5 or 10% defects but not 87,5%. But I
> am not expert.
>

In any case, this just seems to work just fine... unfortunately I
didn't find sandisk at my reseller, they had dane-elec or kingston.
Being with kingston last time and these boot issues, I chose
dane-elecs this time... they were the same size, but 3x more expensive
than kingston...
Not that "more expensive" is better - but having no other alternative
at hand - I chose to go this way...

Other than that - when using Physdiskwrite to write the 4GB image - it
consistently failed at about 400kbytes written...
When I took the 512MB image, all 5 cards wrote without a hassle... (I
tried 3 cards with the 4GB image, only one succeeded !)

I decided to rewrite all 5 cards with the 512MB image - this went well
(also, duplicating the slice to s2 is far faster
now - logically :) )

Thanks for the explanation - don't know if this dane-elec has
wear-levelling though (I'd suspect they would mention it, if it had)




[pfSense Support] Write 512MB image onto 4GB CF-card ?

2010-09-16 Thread Michel Servaes

Would it hurt, to write a 512MB image onto a 4GB CF-card ?
I don't need the extra space, and this shortens my write-time drastically :)

I'm trying it right now... if no-one knows, I'll tell how it turned out 
anyway (if interested).





Re: [pfSense Support] power-out and Alix-boards

2010-09-12 Thread Michel Servaes



Hi,

I am a reseller of Alix boxes and one of my clients has also complained about 
a problem with a power outage and Alix not rebooting.

When you talk about power outages and Alix boards, I think all kinds of weird 
things can happen…
If you want a more secure environment, don't buy Alix board, buy higher end 
products with a better power supply.


That being said, I have sold more than one hundred Alix boards and had no more 
than one problem related to Power Outage.
So I guess that even though Power Outage can and will happen, most of the time 
you'll reboot without problem.

My advice : buy a second CF card ready to be plugged in.



Today, at home, I decided it was time to do some cable-cleanup time in 
the cellar.
I decided to pull the plug of the Alixboard with pfSense on it (ok, a 
2.0 beta4 version (snapshot of 11/sept))... and guess what... it won't 
start up anymore.

It isn't a boot failure now, but it isn't handing out any IP addresses anymore.

Checking via the serial-cable, I can go into shell... but trying to do a 
"Set LAN ip", won't work at all... (it just comes back at me telling me 
that /libexec/ld-elf.so.1: shared object "libxml2.so.5" not found, 
required by php).


This is also an Alix board, but bought via another channel... the CF 
card is also a 4GB version (but not of any brand - it's directly from 
pc-engines)...
Being a bit fed up with it - I decided to put m0n0wall on a left-over 
32MB Sandisk card (that's the only Sandisk card I have here)


This is the third system that fails to start after a powerout... (be it 
a 2.0 system now, of course - I cannot claim I didn't know it could 
happen)...
The only reason I need pfsense, is because of the pppoe-restart function 
(this is a very rare function, to be found in neither m0n0wall nor any other 
commercial product)...



A second CF card would be handy - if the CF-card reader were easier 
to reach from the outside... in the little boxes, swapping a CF card is 
quite a job for a novice user at that site...





Re: [pfSense Support] ipsec between two pfsenses (one being a Proliant server, the endpoint being Alix board(s)).

2010-09-12 Thread Michel Servaes



Op 12/09/2010 4:15, Paul Peziol schreef:

Do both sides have static ip's?

On Fri, Sep 3, 2010 at 3:15 AM, Michel Servaes wrote:


I am having issues from time to time (and when they start, it's almost
every morning) that my ipsec tunnel dies on the Alix board...
When checking the proliant server (the central one) - all tunnels
are up.

Restarting racoon on the Alix didn't help.
Restarting racoon on the Proliant server; works out fine.

I've read somewhere that disabling DPD on the Alix could help - but
how to disable, entering "0", nothing or a very large value ??
For now I have emptied the DPD entry in both the Alix side as the
Proliant side (for one site) ~ I hope this helps.




No, only the main-site does have a static ip.
All the others have a DYNDNS account assigned (and every pfSense is 
being setup to do a PPPoE restart at 4 AM)


Other endpoints that are not yet reverted to a pfsense - do reset every 
36 hours and 4 minutes (this is set by the ISP - very annoying indeed).


Kind regards,
Michel




Re: [pfSense Support] power-out and Alix-boards

2010-09-09 Thread Michel Servaes

Wow, thanks for this one...
I replaced the Alix board, and took the "broken" one with me... I'll 
dive into the CF-card tomorrow to see what went wrong...


The thing that disturbs me a bit, is that I had two different locations 
- with a week interval, with exactly the same issue after a power 
failure...
I didn't bother last week, just reflashed the CF-card, and restored the 
configuration.


Anyway, I hope your info here will shed some light on this... I'm not 
really willing to drive to each and every location every two weeks :)



Op 9/09/2010 21:22, Bob Gustafson schreef:
No boot device usually means the first 512 bytes of the CF disk have 
been disturbed.


If you have the failed CF, try the following commands (on Linux or Mac):

put the CF disk into a reader and do

df

From the resulting output, try to figure out your device name. It will 
probably be the last one in the list:


/dev/sda    (hard disk)
/dev/sdb    (hard disk - raid clone of sda ??)
/dev/sdc    (cdrom drive..)
/dev/sdd

Using the CF disk name (/dev/sdd assumed below), give the following 
command:


dd if=/dev/sdd bs=512 count=1 | od -c

You should see a bunch of lines - with each byte decoded as an ascii 
character and an octal number

Save this output and paste it into a document.

As I recall, the first octal number should be a 353 if you have a good 
boot segment.


---

When you rewrite the CF disk, again check the boot block using the 
same command above.
Save the output and paste it into your debug document and compare the 
first few lines.


If the first few lines are different, it might indicate that something 
whacked that segment.
It could have been an errant log entry, a reconfig that went wrong, or 
just a glitch.


You would not notice that this data had been disturbed until the next 
reboot - which does seem to fit your symptoms.


If your system now is fixed, eyeball the original 512 char output to 
see if any of the ascii characters seem to be part of a log message or 
config line. This would give a clue as to what might have happened.


Hope this helps

Bob G

On Sep 9, 2010, at 12:28, Michel Servaes wrote:

On Thu, Sep 9, 2010 at 6:02 PM, Beat Siegenthaler  
wrote:

 On 09.09.10 16:18, Michel Servaes wrote:

What could be the cause here ? Should I install a UPS... or should I
buy better CF-cards ?



As long as you use the CF read-only I am pretty sure there is another
problem...


PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

No boot device available, press Enter to continue.



I am using the "embedded" version on a 4GB Kingston CF card... (it's
not an industrial one...). But when using embedded - I guess I am
using read-only, no ?


As for the BIOS firmware, I guess 0.99h was the latest one...

This is the second time, and the second Alixboard that gave me this
after a power outage (in a very short time : last week I had another
one)...


Thank you already for the responses here...
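An added example, not Bob's own script and not part of the thread: his boot-sector check ("dd if=/dev/sdd bs=512 count=1 | od -c", first octal value 353) written as a shell function that returns pass/fail, so it can be run against a card before and after reflashing instead of comparing dumps by eye. It also checks the 0x55 0xAA trailer at bytes 510 and 511, which a PC BIOS requires before it will boot a sector; that check is an addition, not from the post. /dev/sdd is only the device name assumed in the post; the two sample images below are constructed so the script runs without a real CF card.

```sh
#!/bin/sh
# Added example, not from the list thread: boot-sector sanity check for a CF
# card image or device. Sample sectors are constructed at the end of the script.

# Decimal value of the single byte at offset $2 of file or device $1.
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# The same dump the post asks you to save into a debug document.
dump_boot_sector() {
    dd if="$1" bs=512 count=1 2>/dev/null | od -c
}

# Return 0 when the sector looks bootable, 1 otherwise, naming the failed check.
boot_sector_check() {
    b0=$(byte_at "$1" 0)
    b510=$(byte_at "$1" 510)
    b511=$(byte_at "$1" 511)
    rc=0
    if [ "$b0" != "235" ]; then             # 235 decimal = octal 353 = 0xEB (jmp short)
        echo "$1: first byte is '$b0', expected 235 (octal 353)"
        rc=1
    fi
    if [ "$b510" != "85" ] || [ "$b511" != "170" ]; then   # 0x55 0xAA boot signature
        echo "$1: bytes 510-511 are '$b510 $b511', expected 85 170 (0x55 0xAA)"
        rc=1
    fi
    return $rc
}

# Constructed sample sectors: one well-formed, one zeroed as after a bad write.
WORK=$(mktemp -d)
GOOD="$WORK/good.img"
BAD="$WORK/wiped.img"
printf '\353\076\220' > "$GOOD"                      # EB 3E 90: jmp short + nop
dd if=/dev/zero bs=1 count=507 2>/dev/null >> "$GOOD"
printf '\125\252' >> "$GOOD"                         # 55 AA at offsets 510-511
dd if=/dev/zero bs=512 count=1 of="$BAD" 2>/dev/null

for img in "$GOOD" "$BAD"; do
    if boot_sector_check "$img"; then
        echo "$img: boot sector looks intact"
    fi
done
dump_boot_sector "$GOOD" | head -n 2
```

Against a real card replace the sample path with the device name df reported for it, and keep the od -c dump from a freshly written card next to the dump from the failed one, as the post suggests; a mismatch in the first few lines points at something having overwritten the sector, while an intact sector means the boot problem lies elsewhere.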











Re: [pfSense Support] power-out and Alix-boards

2010-09-09 Thread Michel Servaes



As long as you use the CF read-only I am pretty sure there is another
problem...

---

I am a bit worried about the fact that the CF card should be set read-only.
To my knowledge, when we install the embedded image, isn't the CF card mounted 
read-only by default (only when changing configuration, it would write to the 
CF card - no ?)
And if I am correct, it also only writes RRD graphs to the CF card when 
rebooting the firewall - unless a power failure of course :)

I've been searching the webgui, to check if I could find a parameter to set the 
CF read only... but I am almost positive that this isn't needed to modify 
anywhere in case of an embedded nanobsd installation.





Re: [pfSense Support] power-out and Alix-boards

2010-09-09 Thread Michel Servaes
On Thu, Sep 9, 2010 at 6:02 PM, Beat Siegenthaler  wrote:
>  On 09.09.10 16:18, Michel Servaes wrote:
>>  What could be the cause here ? Should I install an UPS... or should I
>> buy better CF-cards ?
>>
>>
> As long You use the CF read-only I am pretty shure there is another
> problem...

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

No boot device available, press Enter to continue.



I am using the "embedded" version on a 4GB Kingston CF card... (it's
not an industrial one...). But when using embedded - I guess I am
using read-only, no ?


For as long as the bios firmware, I guess 0.99h was the latest one...

This is the second time, and the second Alixboard that gave me this
after a power outage (in a very short time : last week I had another
one)...


Thank you already for the responses here...




[pfSense Support] power-out and Alix-boards

2010-09-09 Thread Michel Servaes
Hi,


I never installed an UPS on a firewall device before (eg. dlink,
linksys, netgear)... but it seems to me that when using an Alix + CF
card solution, together with pfSense... you better install an UPS in
between.
I myself have pulled the DC-plug multiple times at home, without any
issue whatsoever...

But now I had two Alix boards being cut from the power (and failed to
boot afterwards).
Connecting the serial, shows me that there is no boot-device...

Reformatting the CF card, putting pfsense and config file, repairs the
situation...


What could be the cause here ? Should I install an UPS... or should I
buy better CF-cards ?


Kind regards,
Michel




Re: [pfSense Support] Over 2GB File can not copy LAN to WAN Pfsense

2010-09-07 Thread Michel Servaes
On Tue, Sep 7, 2010 at 3:09 PM, Rabeendran, Rajeevan
 wrote:
>
> Hello
>
> In the WAN side there is a Server (in our Lab) and i have to copy Files from 
> there to my LAN Interface. When I copy an huge File that is more then 2 Gb 
> the Firewall disconneted the connections and shows me that the Source is 
> not.
>
> Do you know what I mean? Is just simple WAN to LAN with a Share to the Server.
>
> Regards
> R
>

I hate to quote google here, but did you try to google it : "NFS files
larger than 2GB"...
It seems a lot of things can go wrong using NFS and files larger than
2GB (most of the time, it's version related to NFS itself... but I am
not really a Unix/Linux specialist...)

What happens, if you transfer the file in direct (e.g. without the
pfsense in between) ?




Re: [pfSense Support] Over 2GB File can not copy LAN to WAN Pfsense

2010-09-07 Thread Michel Servaes
On Tue, Sep 7, 2010 at 11:20 AM, Rabeendran, Rajeevan
 wrote:
> Hello
>
> Thank's.
> Where is the option on the Firewall "on anti-virus being unable to scan big 
> file"?
>
> Our Filesystem is NTFS:-).
>
> Thank's and Regards
> Rajeevan
>

I think he meant on your local computer, not the firewall :)
How are you transferring your files, what is in between ?

Are you transferring over IPSEC or OpenVPN ? - I would imagine that
transferring through NFS approach, you'd do it over a secure
channel...
If not did you try to check the states-table - to see if no timeout
occurs there (I would recommend checking the states-table via the
console...)

Also, can it be that the other end disconnects (from where you are
downloading ??)... maybe your IPSEC tunnel breaks each and every
xxx-minutes... I think we need more info, on how and where you are
transferring the file to or from.
Maybe one can test the same thing, to compare results...

I have a 2-side pfsense setup, one with pfSense 2.0 beta4 and the
other side (where the corporate network passes through) a 1.2.3
version... maybe I can try out what you are doing.




[pfSense Support] ipsec between two pfsenses (one being a Proliant server, the endpoint being Alix board(s)).

2010-09-03 Thread Michel Servaes
I am having issues from time to time (and when they start, it's almost
every morning) that my ipsec tunnel dies on the Alix board...
When checking the proliant server (the central one) - all tunnels are up.

Restarting racoon on the Alix didn't help.
Restarting racoon on the Proliant server; works out fine.

I've read somewhere that disabling DPD on the Alix could help - but
how to disable, entering "0", nothing or a very large value ??
For now I have emptied the DPD entry on both the Alix side and the
Proliant side (for one site) ~ I hope this helps.


Kind regards,
Michel




Re: [pfSense Support] cron job to restart racoon ?

2010-07-09 Thread Michel Servaes
On Thu, Jul 8, 2010 at 7:41 PM, Curtis Maurand  wrote:
>
>> I already played with "prefer old IPSEC" on or off, but this seems not to
>> help.
>> Keep in mind that all the end-nodes are dynamic ip's (and each and
>> every night at 4AM I let them restart the PPPoE at the end nodes)
>>
>
> I have a two part cron job.  on an inside host I have a perl script that
> checks for a host on the other end of the tunnel with a ping.  If it gets no
> response, it sends a text file to the firewall via scp.  The firewall has a
> script that checks for the existence of that file.  If it finds it, the
> firewall resets ipsec and deletes the file.  I've set up ssh keypairs to
> allow the sending of the file without having to enter a password.  The file
> is passed using unprivileged accounts.
>

Curtis, can you elaborate a bit more on how you did this ?
I don't mind an outage of 5 minutes (in fact, I'd love to wait 5
minutes before taking any action whatsoever)...

A VPN can die (randomly), and most of the time it fixes itself too...
but it's for those moments, that it didn't fix itself, I want to
"script" this.




[pfSense Support] cron job to restart racoon ?

2010-07-08 Thread Michel Servaes
I currently have from time to time, that my VPN inside dies.
The VPN itself (in the overview) keeps running fine (they all show
that they are up) - but I cannot reach the destination (ping gives me
timeout).

When restarting the racoon service on the main pfSense box (an older
proliant ml370 with intel nic-cards inside) they all become pingable.
How can I create a script (inside cron or so), that will check if the
destinations are pingable - and if not, to restart the cron-server
after 5 minutes of unavailable ip at the other end.

I don't want to restart racoon, if it is not needed - but currently I
have almost a weekly job in having to do this...


I already played with "prefer old IPSEC" on or off, but this seems not to help.
Keep in mind that all the end-nodes are dynamic ip's (and each and
every night at 4AM I let them restart the PPPoE at the end nodes)


Kind regards,
Michel

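A single-box version of the watchdog Curtis describes, written here as an added example (not code from the list, from Curtis, or from pfSense): it runs from cron on the firewall itself, pings a host behind the tunnel, restarts racoon only after that host has been unreachable for the full 5 minutes Michel asks for, and logs every step to syslog. The peer address, the state-file path and the racoon restart command are assumptions to adapt to the installed release.

```shell
#!/bin/sh
# ipsec_watchdog.sh - added example, not code from the list or from pfSense.
# Run once a minute from cron. It probes a host on the far side of the IPsec
# tunnel; when the host has been down for a whole grace period (GRACE
# seconds) it restarts racoon exactly once, then waits another grace period
# before it may act again. A small state file carries the "first failure"
# timestamp from one cron run to the next, and every decision goes to syslog
# so the restarts are visible in the firewall's system log.

PEER="${PEER:-192.168.10.10}"                     # assumed host behind the tunnel
GRACE="${GRACE:-300}"                             # 5 minutes of failure before acting
STATE="${STATE:-/var/tmp/ipsec_watchdog.state}"   # assumed writable path
PING_CMD="${PING_CMD:-ping -c 1}"                 # one probe; add a timeout flag for your ping
RESTART_CMD="${RESTART_CMD:-restart_racoon}"      # command run when the grace period expires

# Placeholder restart for pfSense 1.2.x (assumption: racoon is started with
# /var/etc/racoon.conf). Replace with whatever the installed release uses.
restart_racoon() {
    killall racoon 2>/dev/null
    sleep 2
    /usr/local/sbin/racoon -f /var/etc/racoon.conf
}

# Log to syslog when available, otherwise to stderr.
log() {
    logger -t ipsec_watchdog "$*" 2>/dev/null || printf 'ipsec_watchdog: %s\n' "$*" >&2
}

# decide NOW FIRST_FAIL UP -> prints one of: ok | first_fail | wait | restart
# NOW and FIRST_FAIL are epoch seconds (FIRST_FAIL=0 means no outage recorded);
# UP is 1 when the last probe got a reply, 0 otherwise.
decide() {
    now=$1; first_fail=$2; up=$3
    if [ "$up" = 1 ]; then
        echo ok
    elif [ "$first_fail" = 0 ]; then
        echo first_fail
    elif [ $((now - first_fail)) -ge "$GRACE" ]; then
        echo restart
    else
        echo wait
    fi
}

# One cron tick: read state, probe the peer, decide, act, print the action.
run_once() {
    now=$(date +%s)
    first_fail=0
    if [ -r "$STATE" ]; then
        read -r first_fail < "$STATE"
    fi
    case $first_fail in ''|*[!0-9]*) first_fail=0 ;; esac   # tolerate a corrupt state file
    if $PING_CMD "$PEER" >/dev/null 2>&1; then up=1; else up=0; fi
    action=$(decide "$now" "$first_fail" "$up")
    case $action in
        ok)
            if [ "$first_fail" != 0 ]; then
                log "$PEER reachable again"
                echo 0 > "$STATE"
            fi ;;
        first_fail)
            log "$PEER not answering, starting ${GRACE}s grace period"
            echo "$now" > "$STATE" ;;
        wait)
            : ;;
        restart)
            log "$PEER down for $((now - first_fail))s, restarting racoon"
            $RESTART_CMD >/dev/null 2>&1 || log "restart command failed"
            echo "$now" > "$STATE" ;;   # new grace period: at most one restart per GRACE
    esac
    echo "$action"
}

# From cron (assumed install path):
#   * * * * * /usr/local/bin/ipsec_watchdog.sh run >/dev/null 2>&1
if [ "${1:-}" = run ]; then
    run_once
fi
```

Because every restart is logged, the system log afterwards shows how often the tunnel really needed kicking, which is useful evidence when tuning DPD or the "prefer old IPsec SAs" option discussed in the other threads.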



Fwd: Re: [pfSense Support] Wireless Access Point

2010-06-28 Thread Michel Servaes


Op 28/06/2010 0:59, Joseph Rotan schreef:

 Hi,
 i have a setup on pfsense 1.2.3 and have configured a VPN PPTP remote
 access and have successfully accessed the box remotely and can RDP to
 the connected PC's on the LAN. Also on the remote LAN we have a
 wireless access point installed that also broadcasts Prepaid Internet
 access, is there a possibility to access the Access point through the
 pfsense box remotely.
 Thanks,
 Joseph.


Why not create a rule to access the IP of your AP, through HTTP ?






Re: [pfSense Support] HELP ROUTING

2010-06-21 Thread Michel Servaes





I have installed PFSENSE in production and I have configured
it properly (imho), but I'm a novice of pfsense...
I have this problem,

internet <- pfsense ---> switch ---> servers
  rl0   vr0

I have 2 web servers and they work perfectly from internet, but I have
a mail server qmail that can't deliver emails to some domains!
I try directly from mailserver:
  
traceroute to libero.it
(195.210.91.83), 30 hops max, 40 byte packets
1 192.168.2.1 (192.168.2.1) 0.472 ms 0.352 ms 0.410 ms -- pfsense
gateway
2 * * *
3 * * *
  


Did you add a NAT forward for port 25/TCP ?
Also make sure, you choose "auto-create ruleset for nat-entry", this
makes it easy at first hand... afterwards you can tweak a bit, if
needed.

In general, I don't tweak the ruleset for SMTP though :)






[pfSense Support] IPSEC vpn dies silently when backing up with this script

2010-06-11 Thread Michel Servaes

Hi,


When I use the below script, my IPSEC dies without closing (no 
IP-traffic possible, but for the rest still open and running according 
to the pfsense system dashboard).


Script used:
--

C:\_TOOLS\GnuWin32\bin\wget.exe -q --no-check-certificate --post-data "Submit=download" --user=admin --password=xx "https:///diag_backup.php" -O d:\backup\pfsense-config.xml




I am a bit puzzled, as the firewall dashboard (and the other side - 
albeit pfSense or DLINK) are showing also being IPSEC running fine.


What can I check more, to see what is causing this behaviour... I am 
pretty sure it's the backup-script doing this.
I did this every 2 days, and each and every 2 days I had to restart 
racoon due to printers not being reachable over IPSEC.


I then stopped backing up for about 3 weeks (and never had to restart 
racoon anymore).
Yesterday I backed up again... and guess what, later on today I had to 
restart racoon due to printers not being possible to be reached 
anymore... this is very odd !!




Now I don't mind restarting racoon at nights - can this be scripted in 
cron (printers are not really needed at night - lol)


Kind regards,
Michel





Re: RES: RES: [pfSense Support] Is it possible?

2010-06-08 Thread Michel Servaes



Op 8/06/2010 21:21, Tiago schreef:

Ok guys

I will try your advices...but I'm a newbie yet. So I will take a time to
post the results Lol...
But I will as soon as possible

Thanks a lot

   

We all were newbies sometime :) (guess I'm a midbie :) )




Re: RES: [pfSense Support] Is it possible?

2010-06-08 Thread Michel Servaes



I understand, but it would be great if I could do a rule that has an address like:

login.live.com

but when I try to do this, I receive the error

A valid destination IP address or alias must be specified.

I tried to do a firewall>Aliases but they ask me a valid IP... but
login.live.com changes the IP sometimes...
What is your advice?
   


You can't add a DNS name in an IP field !
You should only add IP's in this list - but that would make you have to 
enter dozens and dozens of ip's.


You'd probably be better off using squidguard - but then again, this 
won't stop them from using https !!


I am using trendmicro worry free solution, which has a built-in URL 
filter based on per category... I almost always have to add the category 
"social networking" and "webmail"... these will block them from using 
facebook and/or hotmail/gmail and the like !!


kind regards,
Michel





Re: [pfSense Support] block facebook twitter and youtube pfsense

2010-06-05 Thread Michel Servaes



What is the antivirus you use to block stuff?

On 6/4/10, Michel Servaes  wrote:
   

How does one go by blocking facebook twitter and youtube also how does
one autoblock malicious sites
Thanks
Justin

   

By the way : I didn't solve this by using squidguard (I used to use
this solution), but now we have an antivirus capable of blocking
categories (webmail, social networksites, ...)
This can be managed by computername, which is quite good to block only
several computers from abusing the net...
 


I'm using TrendMicro Worry Free (standard is enough), it has all the 
entries needed (you'd need a windows-server (can be a workstation too) 
though, to install it on - to manage all your workstations !)
Check out their website, you can download a trial, to see if it fits 
your needs...


Don't know what you have available :)
The hosted version, doesn't require you to have a windows-server, but 
then again, this one doesn't have the blocklist yet (they once claimed 
to have it in the future sometime - but when  ??)





Re: [pfSense Support] block facebook twitter and youtube pfsense

2010-06-04 Thread Michel Servaes
> How does one go by blocking facebook twitter and youtube also how does
> one autoblock malicious sites
> Thanks
> Justin
>

By the way : I didn't solve this by using squidguard (I used to use
this solution), but now we have an antivirus capable of blocking
categories (webmail, social networksites, ...)
This can be managed by computername, which is quite good to block only
several computers from abusing the net...




Re: [pfSense Support] block facebook twitter and youtube pfsense

2010-06-04 Thread Michel Servaes
> How does one go by blocking facebook twitter and youtube also how does
> one autoblock malicious sites
> Thanks
> Justin

Install the proxy package, and use squidguard to block keywords...
Though I must say, the package only works best on a true pc/server
with a harddisk - not recommended on an Alix board.

An option to use an USB drive as temporary storage for caching sites,
would be a nice option...




Re: [pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview

2010-05-26 Thread Michel Servaes



Op 26/05/2010 17:37, Trevor Benson schreef:

Is there a reason your still running RC3 instead of the final 1.2.3 release?  RC's 
shouldn't be considered stable production releases however many people use them in 
production for testing.  I had quirks in 1.2.3 RC2&3 but would have rolled back 
to 1.2.2 if I wanted stability instead of testing the newer release.  Try upgrading 
to 1.2.3, setup the internal IP to ping to keep the tunnel alive.  Also are you 
using DPD or not?
   


Trevor, this error was in the RC release indeed.
But I am seeing this also in the normal release... I am running release 
versions on all ends now... (almost 4 months I think).


However, I have replaced a rogue situation, where a DLINK sat behind a 
NAT router... which did IPSEC vpn through NAT. For some (unknown) reason 
the DLINK router wouldn't want to make a PPPoE connection, so I had to 
configure this NAT situation there !
Now that I have replaced this situation with a PFSENSE, using an Alix 
board - it seems that the issue is resolved for now... just have to wait 
for a couple more days/weeks, to really be sure about this of course :)


I still have one location, with this bizarre NAT situation - If the 
problem keeps coming from those, I bet that replacing this unit with a 
PFSENSE too, that my problems will vanish :)
In fact, this is always true, when replacing one end, you'd better 
replace all the other ends as well... IPSEC seems to behave really odd 
when two different vendors are in place... (which shouldn't be, but is)


Anyway, I will repost when the issue occurs between two PFSENSE's :) 
(but reading all the other posts, I guess this will not happen)





Re: [pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview

2010-05-21 Thread Michel Servaes
IPSEC still dies silently from time to time.
I have to restart racoon each and every now and then... (and I am
preferring the old IPSEC SAs on all pfsense ends (which are 3 nodes
now))

I did install cron, but am not an active cron user (or
knowledgeable)... would it be wise to restart the racoon service every
now and then (or each morning at 5AM ?)

I am using my VPN tunnels only for network printers... so it's not
really disturbing to have an on/off situation...
The odd thing is, when IPSEC dies between two PFSENSE platforms,
nothing is being showed (the tunnel also seems active on both ends !!
- but I cannot reach the destination anymore).

On the linksys or dlink devices, the tunnel shows a state of "unreachable"...

Restarting racoon on both pfsense-ends, helps me out this situation...







On Wed, Nov 25, 2009 at 12:20 AM, Michel Servaes  wrote:
>
>
>
>>> Since I have added two IPSEC tunnels to both Linksys' RV042 - my VPN
>>> connections start to die randomly, but stay active in both the webgui's
>>> overview (both, I mean pfSense and the DLINK's) - but either way is
>>> impossible to ping each other !!
>>>
>>
>>
>> Have you tried checking the "Prefer old IPsec SAs" option under System >
>> Advanced?
>>
>> Jim
>>
>>
>>
>
> No I haven't tried this one yet - as of now, I changed this option - will
> see if this helps... should I repost the outcome ?
> Thanks in advance.
>




[pfSense Support] Manual Outbound NAT needed ?

2010-05-03 Thread Michel Servaes
Hi,


I'm trying to avoid the use of the manual outbound NAT. But I reckon I
cannot escape this one :)
My situation and desired solution explained :

I have one VDSL connection, just for internet reasons at the main office.
Further on, I have an SDSL connection that is meant for remote co-workers.

The SDSL is running just fine on the gateway address... and until now,
this just works fine... but I am being blacklisted for backscatterer,
and delisting takes 4 weeks (or a payment of 50 euros).
Being scrooge, I don't want to pay up for delisting... but I want to
change my outgoing SMTP IP... but currently I can only choose either *
or GATEWAY (* being the VDSL, and GATEWAY being the SDSL connection).

Obviously, the WAN isn't usable - as this is a dynamic address... but
the GATEWAY is only the default IP... and I cannot choose something in
my range...

Regards,
Michel




[pfSense Support] IPSEC stack dies, when backing up configuration with script

2010-04-29 Thread Michel Servaes
Hi,


I use the script with WGET that comes explained in the book... but for
some reason (can't explain why or how), the IPSEC dies afterwards...
(but not immediately !).
When I wait a month to backup my firewall(s) - all goes well...

Yesterday, I created a backup once more by using the script... some
time later (noticed this only in the morning, so I don't know when)
IPSEC stack is stopped...

Can I create a CRON script to restart IPSEC every time at 4AM (that is
the time my firewalls do a PPPoE RESTART, I would reckon that this
might be the best time to restart IPSEC every day !?)


Kind regards,
Michel




Re: [pfSense Support] Issue with virtual floppy drive

2010-04-01 Thread Michel Servaes
On Thu, Apr 1, 2010 at 12:21 PM, Stefan Baur
 wrote:
> Hi,
>
> I wanted to use pfSense as a m0n0wall replacement in a virtual machine setup
> (VMware Server 2.0.2 Linux host).
> With m0n0wall, I had a virtual floppy disk so that m0n0wall thought it was
> saving its configuration data to a floppy.
> After powering off the VM, I could loop-mount the floppy image from the host
> and save the config file somewhere else for backup purposes.
> The idea behind that was that I don't have to back up the entire VM image
> when the config changes.
>
> Trying to do this with pfSense 1.2.3 or a recent 2.0 Beta fails, as it
> doesn't recognize the floppy:
>
FWIW
You could try to save to a USB flash (let VM port the USB port to
your VM environment) ?
I thought that saving to a USB flash disk was one of the options...




Re: [pfSense Support] The digital signature on this image is invalid.

2010-03-29 Thread Michel Servaes
On Mon, Mar 29, 2010 at 1:31 PM, Kai Rosenlund
 wrote:
> Hi,
>
> I am, long overdue,  going to upgrade 1.2. from aug 2007 to 1.2.3.
>
> Have loaded the file from one of the mirrors, checked it with md5, was
> similar with exception of capital and small letters and the little square at
> the end of the string in the md5 file from the mirror.
>
> But when loading it up to the pf box i get this message:
> 
> The digital signature on this image is invalid.
> This means that the image you uploaded is not an official/supported image
> and may lead to unexpected behavior or security compromises. Only install
> images that come from sources that you trust, and make sure that the image
> has not been tampered with.
>
> Do you want to install this image anyway (on your own risk)?
>
> -
>
> Is this a normal message since the version is so old, and is my check of md5
> secure enough? or should I try yet another mirror (have tried some)?
>

If I am not mistaken here - you should add a package first, to
extract the signature of your previous install.
I was just checking the packages list, and it is pubkey you need to
install first...

On the package page, you would have a link to the doc-site, that tells
you a bit more about the issue.

Hope this Helps.




Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Michel Servaes
On Thu, Mar 25, 2010 at 11:23 AM, Remko Lodder  wrote:
>
> Did you read the configuration options from the captive portal?
>
> On my 2.0 machines that means that you can bypass certain IP's for the
> captive portal; and even use MAC-bypass to bypass machines based on their
> MAC.
>
> Does that answer the question?
>

No, that's not what I meant :)
I mean - I don't want to install heavy proxy add-on onto my Alix
board... to block the whole internet (if you didn't logon).

Basically I want to block complete internet, but our own site (to
logon to citrix). (this is a single IP, so that shouldn't be too much
work for me) on several client computers behind the pfsense...
Furthermore I want to only allow certain client computers (but that
can be achieved by adding their mac-adresses), without having to go
through captive portal.
And if possible (that would be the cherry on the pie) - I want to
block only during the weekends.

But I don't think I can add an HTTP/HTTPS rule to circumvent the
captive portal, can I ?




[pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Michel Servaes
Hi,


I have an Alix board, with pfsense on it. I could use proxy, but I
feel this is quite a load on the system (even when setting things to
0).
So to avoid people visiting internet, I was thinking on using captive portal...

But for some sites, (fixed IP addresses) it shouldn't try to
authenticate... can this be achieved by using some kind of ruleset ??
I do have a VLAN capable switch - but again, some IP addresses need to
be passed (they logon to a citrix site).

Kind regards,
Michel




Re: [pfSense Support] OT: VLAN

2010-03-14 Thread Michel Servaes
> Bear with me, this might become a long explanation. :-)
>
> I think you are making this overly complicated. VLANs are really easy to
> config once you get the hang of it. That said, there are a few different
> ways to set up VLANs, depending on the make and series of the managed switch
> you are using.
>
> There's also a terminology problem here with the definition of the word
> trunk I think.
> The trunking you are referring to is actually 'bonding' which is combining
> several (more than 2) ethernet ports into one big virtual ethernet port, for
> the purpose of failover or greater bandwidth (or both).
>
> You don't really _need_ that kind of trunk in your case. VLANs and trunks
> are two completely different things, but to make things confusing the
> setting you need to set on VLAN ports to 'tag' packets with the VLAN ID
> (We'll get to that later) is called 'trunk' on cisco switches. (the other
> trunking is called bonding on cisco switches)
> You _could_ use it, but for the sake of simplicity I would first test it
> without bonding and see whether you get that running. Afterwards, the setup
> with bonding is similar, since the bonding interface acts as a big virtual
> interface anyway.
>
> For my own network, I usually use VLAN 1 (the default vlan) for my LAN since
> most switches have their management IP address in VLAN 1 by default. This
> way you can manage your switches from your LAN, and this means you don't
> lose a switch port just for managing the switch. On your home LAN, where
> you usually trust your clients, the security risk is negligible.
>
> Another side note: From your explanation, I'm guessing you have telenet and
> the telenet digicorder settop box. The 10.x.x.x address for the settop box
> you are referring to is assigned by the ISP based on MAC address. They have
> the list of MAC addresses for the settop boxes since they sell them
> themselves. They feed this list into their DHCP servers to assign non-public
> IP addresses  and different gateways to the settop boxes. Any non-settopbox
> MAC address is considered as an internet device and is assigned a real
> public IP address. This is the way they keep both kind of devices apart.
> This also means you cannot use a 1:1 mapping on your pfsense to assign a
> 'public' 10.x.x.x IP to your settop box without messing with fake MAC
> addresses and such.
>
> What I would do in your case:
> (And I have a more or less similar setup running great at home with 7 VLANs)
>
> Switch 1 is at your cable modem. Switch 2 is under your television.
> If not set already, give both switches an IP address in your LAN range, and
> attach it to VLAN 1 (normally the default)
>
> Set up 2 VLANs on both switches.
>   VLAN 1 = LAN
>   VLAN 2 = WAN
>
> Connect both switches to each other using port 1 on both switches.
> Connect the cablemodem to port 2 on switch 1
> Connect pfsense to port 3 on switch 1
> Connect settop box to port 2 on switch 2
> All other switch ports on both switches are LAN ports and can be used for
> any LAN device.
>
> Set port 1 on both switches to 'trunk' mode, sometimes also called 'tagged'
> mode.
> Set port 2 on switch 1 to 'untagged' mode IN VLAN 2 (!!!) (switchport 'mode
> access' on cisco switches)
> Set port 3 on switch 1 to 'trunk' mode
> Set port 2 on switch 2 to 'untagged' mode IN VLAN 2
> Set all other ports to 'untagged' mode IN VLAN 1
>
>
> There are 2 port settings you need to know when using VLANs. The first being
> 'trunk' or 'tagged' mode, the second being 'untagged' mode.
> 'tagged' mode is for switchports attached to devices that also know how to
> speak 'VLAN' (other switches, firewalls, ...)
> 'untagged' mode is for switchports attached to devices that don't know what
> VLANs are and only need access to 1 VLAN.
>
> The 'tagging process' means the switch will set a header in each packet with
> the ID of the VLAN, so that the device attached to the other end of the
> cable can then separate all packets again into the correct VLAN. In this
> mode, the switches will send all packets for all VLANs to the device
> attached to this port. This means that you should not connect devices to
> this port that do not have the same VLAN configuration, since they will get
> packets sent to them they will not understand.
>
> When setting the 'untagged' ports, these ports will be assigned to ONE
> specific VLAN. The VLAN ID will not be written in the headers of the
> packets, and only packets for that specific VLAN will be sent to the
> attached device. That device will only be connected to that VLAN.
>
> Important step: setup the VLAN 1 and 2 on your pfsense, assigning your LAN
> and WAN interface to the correct vlan interface. Maybe add another interface
> (not vlan) with another subnet for management purposes in case you mess up
> your VLAN config and can't reach pfsense anymore.
>
> If you think setting up VLANs on your pfsense is too complicated, let me
> know, I can explain it in another email or on IRC if you want.
> Or you c

Re: [pfSense Support] OT: VLAN

2010-03-12 Thread Michel Servaes
>> Since a new networkcable is practically impossible, I'll assign 4
>> wires to each (that way I'll be limited to 100mbit - but that's enough
>> for either settop & other peripherals that resides under the tv)...
>> I split an 8-wire cable before, into two pairs of 100mbit,
>> successfully - and reading Vick's comment... i'll jump out of the idea
>> with vlans :)
>
> In my humble 0.02CHF I'd rather share 1x Gigabit Ethernet in 2 VLANs
> than to have 2x 100Mbps physically divided...
> Put a small managed switch under the tv (I used a linksys slm2008 for
> that) and split the trunk in the required vlans. Use another managed
> switch or pfsense itself on the other end.
>

Aarno, I have two HP Procurves (1810G) for this reason... I am aware
of how VLANs should work, but the trunking part is somewhat "woozy" for
me.
But I've been reading, and it seems that this is merely for adding up
channels (up to 4) to have greater bandwidth between them...

However, I would be able to use only one trunk in between the two
switches - and I can add VLANs to the trunk - but after that, all
communication gets lost (as I also change the port where I'm managing
from (not a good point apparently)).

So if I do it right, I lose one port on each switch, for
management reasons. That leaves me with 4 available ports on
each switch in the end - or am I seeing this wrong ?

One management port (when things start to go wrong, I could just hook
up a laptop or something)
One uplink port (to be seen as a trunk, with the default VLAN 1 for the
settop box - and VLAN 1001 for the normal LAN)
One port for the cable modem (on one end; the other end would be
hooked up to the settop box)
One port for the LAN side of the pfSense (I gather that here I change
the VLAN to something else, and that all other ports are tagged for
that VLAN ?)

I'll give it a try tomorrow...

On the other hand, putting things at 100mbit isn't that bad - the
cable modem is capped at 12mbit - so it wouldn't hurt that much.
And the playstation streams stuff from a freenas server (that might
give something - but I'm sure that 100mbit for normal videos would
still be enough)
It's still better than wireless :)
Michel

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] OT: VLAN

2010-03-12 Thread Michel Servaes
>
> I'm not sure I understand fully. You have a pfsense firewall, hosts on
> LAN segment(s), and a settop box that wants a public IP address? If
> that's the case, I would put a switch on the modem: pfsense gets an
> IP, settop box gets an IP, LAN is firewalled.
>
> Otherwise you could bridge an OPT interface (physical or virtual) to
> WAN and just connect the settop there.
>
> Did I totally misunderstand the question?
>
> db

I have a pfsense (alix 2d13) - but that's not really a problem (I think).
But reading the comment of Vick - I agree, it might be risky to put
WAN together on the LAN.

The settop box has its own private address range... where my pfsense
gets a public address, the settop box has a 10.x.x.x address (while
my own LAN is 172.16.x.x).
This way, my provider has its way to track internet traffic and
settop-box traffic (since they only count the internet one in our
monthly limit).

Since a new network cable is practically impossible, I'll assign 4
wires to each (that way I'll be limited to 100mbit - but that's enough
for either the settop box & other peripherals that reside under the tv)...
I split an 8-wire cable before, into two pairs of 100mbit,
successfully - and reading Vick's comment... I'll jump out of the idea
with vlans :)

Many thanks for the many OT replies (and sorry to put this here - but
searching google only made me doubt even more)




[pfSense Support] OT: VLAN

2010-03-12 Thread Michel Servaes
Guys,

What would I need to transport WAN & LAN over one network cable ?
I was thinking about setting up two VLANs (but since my cable modem
isn't VLAN aware, I guess this setup isn't the right way to go ?)

Basically, I have a cable-tv settop box that needs a direct WAN - but
I only have one ethernet cable to the TV...
I could install a powerline - but this would take the fun away

Any ideas are welcome :)

Kind regards,
Michel




Re: [pfSense Support] torrent

2010-02-23 Thread Michel Servaes
> Would like to allow a machine to access the internet directly and
> download torrents. Am a newbie in pfsense but have been able to port
> forward the necessary ports to the mail server but am unable to allow
> a machine to use squid in pfsense to download the torrent or even
> allow an IP to download the torrent.


Squid won't come into the picture to my best knowledge, as it only acts
in between HTTP traffic.
I only open up a range of ports (generally 6881-6889) to the machine
that acts as a Torrent device (freenas for instance).
The management port of Torrent is outside this range (for obvious reasons :) )

good luck.




[pfSense Support] testing OpenVPN on a Multi WAN setup

2010-02-21 Thread Michel Servaes

Hi,


I am trying to make OpenVPN work (for the very first time in my life).
At home I have a single WAN, at the office I have a DUAL WAN (one SDSL, 
with a fixed IP - and one ADSL with a dynamic IP).


MultiWAN in my case is only used for fast ADSL at the office, and 
coworkers(vpn) & mail all come in over the SDSL.



I try to connect to the fixed IP, and this goes as far as it works for 
connecting (I guess, reading the logs) - but in the OpenVPN I notice 
that it still tries to use the gateway of the ADSL (the dynamic one).
The log shows "Peer connection initiated...", but no "Init Sequence 
completed".


I already added on the office site, custom options :

management 127.0.0.1 1194; local ; route-gateway ;

But reading the logs it keeps trying to use the gateway of my adsl.
I can see that my home-adsl is coming in... I haven't added the tun 
adaptor yet - I guess not doing this, will allow ALL traffic for now ?


What am I missing here... can someone point me in a direction...


SIDENOTE:
--
When however using the ADSL side (at the office), all works fine (besides 
the OpenVPN monitor - it shows nothing is connected, though pings are 
being replied to - and remote desktop to the server is working fine (it 
looks faster than over IPSEC, but I guess that'll be because I am the 
only one connecting over the ADSL line)).
When connecting to ADSL, I gave the custom options "management 127.0.0.1 
1194; local name.dyndns.org;"


I'd really like to have the OpenVPN working on the second WAN (in this 
case SDSL) - should I add a static route, and if so from where should it 
be initiated ?



Another note : I did use IPSEC before, and I've disabled it on both ends 
(home & office) - so they are not interfering.


Kind regards,
Michel





[pfSense Support] Re: force dyndns to update (not so smart maybe)

2010-02-21 Thread Michel Servaes



There is a default check around 1h01 am, for an IP change ?

/usr/bin/nice -n20 /etc/rc.dyndns.update
Why is this there, and can I safely remove it ?
I do a pppoerestart around 4AM, and have rescheduled the above rule 
around 4h04... but this seems to give me no advantage (instead an 
entry in the logfile that the IP address hasn't changed (guess doing a 
pppoerestart initiates the dyndns.update itself)).


In my case, might it be a better choice to do an update around 1PM 
instead ?




Today I had an issue using dyndns, it couldn't reach 
"members.dyndns.org" - and only the pfsense boxes were affected 
somehow ??
Was there an issue today with dyndns ? Can I install a dyndns server 
myself ??





It seems that I have again a DYNDNS problem... I now have scheduled a 
1PM resync, but the VPN won't come up now (until 1PM has passed I guess).
I know you get kicked off of Dyndns if you refresh the IP too many times... 
but now I have to wait for about 1.5 hours until 1PM passes.


Is there another solution available ??

Would OpenVPN be better for my dynamic IP !?
If I read the book, I'm not sure on what to go for... OpenVPN or IPSEC...

I used IPSEC a lot, because of the commercial routers being used in the 
"mix"... but now being equipped with multiple pfSense's... I'm guessing 
on trying OpenVPN instead.


What are your recommendations ?




[pfSense Support] DNS usage with multiwan (one static, one PPPoE) - question about from within the book

2010-02-10 Thread Michel Servaes
The book explains how to divert some DNSes via static routes to OPT1 (if
you have a multi-WAN setup).
And it also explains to put an entry for the other DNS, for clarity,
on your WAN (though not needed, just for documentation reasons).

But what if your WAN is using PPPoE - and is a dynamic IP
altogether, can I still add a gateway ??


For now, I just added a static route for the second DNS to our OPT1 -
and this works amazingly (not really, but it's fun to see a product
evolve - and certainly improve at almost every chapter I've read so
far)... every request to the other DNSes is going just fine to the
PPPoE connection.


Kind regards,
Michel




[pfSense Support] force dyndns to update (not so smart maybe)

2010-02-09 Thread Michel Servaes

There is a default check around 1h01 am, for an IP change ?

/usr/bin/nice -n20 /etc/rc.dyndns.update 


Why is this there, and can I safely remove it ?
I do a pppoerestart around 4AM, and have rescheduled the above rule 
around 4h04... but this seems to give me no advantage (instead an entry 
in the logfile that the IP address hasn't changed (guess doing a 
pppoerestart initiates the dyndns.update itself)).


In my case, might it be a better choice to do an update around 1PM 
instead ?




Today I had an issue using dyndns, it couldn't reach 
"members.dyndns.org" - and only the pfsense boxes were affected somehow ??
Was there an issue today with dyndns ? Can I install a dyndns server 
myself ??


Kind regards,
Michel




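Both dyndns messages above turn on the same point: the provider locks out clients that keep sending the same address, so an update should only be sent when the public IP actually changed. The following is an added example of that decision logic, not pfSense's /etc/rc.dyndns.update and not code from the thread. It speaks the dyndns2 update protocol (GET with hostname and myip, HTTP basic auth, one-word reply codes) against the members.dyndns.org host named above; the hostname, credentials and cache path are placeholders, and the transport is injectable so the logic runs offline.

```python
"""Send a dyndns2 update only when the public IP changed (added example)."""
import base64
import json
import os
from typing import Dict, Tuple
from urllib.parse import urlencode

UPDATE_URL = "https://members.dyndns.org/nic/update"  # host from the thread, dyndns2 update path


def build_request(hostname: str, myip: str, username: str, password: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for one dyndns2 update: GET with a query string, HTTP basic auth."""
    url = f"{UPDATE_URL}?{urlencode({'hostname': hostname, 'myip': myip})}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return url, {"Authorization": f"Basic {token}", "User-Agent": "example-ddns/0.1"}


def classify(reply: str) -> str:
    """Map a dyndns2 reply ('good 1.2.3.4', 'nochg 1.2.3.4', 'badauth', 'abuse', '911', ...) to an action."""
    words = reply.strip().split()
    code = words[0] if words else ""
    if code == "good":
        return "ok"
    if code == "nochg":
        return "nochg"
    return "stop"  # anything else must not simply be retried on the next cron run


def load_cache(path: str) -> Dict[str, str]:
    """Last address we sent, persisted between cron runs (placeholder path in __main__)."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_cache(path: str, cache: Dict[str, str]) -> None:
    with open(path, "w") as fh:
        json.dump(cache, fh)


def update_if_changed(hostname: str, current_ip: str, cache: Dict[str, str],
                      send, username: str, password: str) -> str:
    """Contact the provider only when current_ip differs from the cached address.

    A 'nochg' reply is recorded as well: repeating an unchanged address is
    exactly what earns the abuse lockout, so the cache must learn it too.
    """
    if cache.get("ip") == current_ip:
        return "skipped"
    url, headers = build_request(hostname, current_ip, username, password)
    action = classify(send(url, headers))
    if action in ("ok", "nochg"):
        cache["ip"] = current_ip
    return action


def http_send(url: str, headers: Dict[str, str]) -> str:
    """Real transport; the offline checks inject a stand-in instead."""
    import urllib.request
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import sys
    cache_file = "/var/db/ddns-example.json"          # placeholder
    cache = load_cache(cache_file)
    result = update_if_changed("myhost.dyndns.org",   # placeholder hostname
                               sys.argv[1],           # current public IP, e.g. from the WAN interface
                               cache, http_send, "user", "secret")  # placeholder credentials
    save_cache(cache_file, cache)
    print(result)
```

Run from cron after the PPPoE restart with the new WAN address as the only argument; a run that finds the cached address unchanged exits without touching the provider, and a "stop" result should be looked at by a human rather than retried by the scheduler.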


Re: [pfSense Support] Multiple IPs via MAC/DHCP

2010-02-02 Thread Michel Servaes



I use pfSense and have it running well.
I just obtained a static block of IPs from my ISP
but they are handed out via DHCP to the ISP equipment.

Once I have an DHCP IP, then I can go into the ISP hardware
and change it to a public IP.

Ok. well with that in mind, I have 1 WAN NIC in the pfSense box.
Is there any way to fake out my ISP equipment by sending different 
fake MACs to it to obtain multiple static IP for the pfSense box?


I am trying to just have pfSense do all my routing and networking.
Otherwise, I need to essentially plug in each server into the back of 
the ISP equipment directly and would prefer NOT to do that.




If I am not mistaken, you should either add multiple NICs as WAN... or 
a more elegant way of obtaining this would be setting up a VLAN on your 
WAN side, hooking up a VLAN capable switch - and assigning the virtual IPs to 
the different VLANs...





[pfSense Support] block a country (.com)

2010-02-01 Thread Michel Servaes
Would there be an easy option to block or allow a certain country on a 
pfSense box ?


Let's assume that I don't want any Korean traffic on my pfSense... or Chinese.
As I see that most attempts on the firewall (blocked ones, so not really 
an issue) are from Chinese IPs... I was wondering if I could add 
something from the "blockacountry.com" site to my rules to completely 
reject any request coming from China.


Or just redirect them to a "honeypot" - that would just show an HTTP 
page... (a friendly one :-))


I guess manually editing the config.xml would be the only way for now ?

Kind regards,
Michel






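The usual way to do what the post above asks for is a list of prefixes loaded as a pf table and referenced from a block rule (or, for the honeypot variant, an rdr rule). The following is an added example of that lookup and of the raw pf rules behind it; it is not a pfSense feature or code from the thread. The prefixes are constructed documentation ranges standing in for a country list, the interface name vr1 and the honeypot address 192.168.1.99 are placeholders, and a real list would come from the RIR delegation files or a service such as the one named in the post.

```python
"""Longest-prefix lookup over a pf-table style CIDR list (added example)."""
import ipaddress
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed table: documentation prefixes, not real country allocations.
CHINA_TXT = """\
# one prefix per line, '#' starts a comment
203.0.113.0/24
203.0.113.64/26      # a more specific entry inside the /24
198.51.100.128/25
2001:db8:1::/48
"""


def load_table(text: str) -> List[Net]:
    """Parse a table file into networks, ignoring comments and blank lines; reject garbage loudly."""
    nets: List[Net] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # tolerate host bits set
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from exc
    return nets


def lookup(nets: List[Net], ip: str) -> Optional[Net]:
    """Longest-prefix match, which is also how pf decides membership in a table."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Net] = None
    for net in nets:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def is_blocked(nets: List[Net], ip: str) -> bool:
    return lookup(nets, ip) is not None


def pf_fragment(table: str, wan_if: str, honeypot: Optional[str] = None) -> str:
    """Raw pf.conf lines for the two variants discussed: drop outright, or send port 80 to a honeypot.

    Translation (rdr) runs before filtering, so the honeypot variant needs an
    explicit pass for the translated packets ahead of the catch-all block.
    """
    lines = [f'table <{table}> persist file "/etc/{table}.txt"']
    if honeypot:
        lines.append(f"rdr on {wan_if} proto tcp from <{table}> to any port 80 -> {honeypot} port 80")
        lines.append(f"pass in quick on {wan_if} proto tcp from <{table}> to {honeypot} port 80")
    lines.append(f"block in quick on {wan_if} from <{table}> to any")
    return "\n".join(lines)


if __name__ == "__main__":
    table = load_table(CHINA_TXT)
    for probe in ("203.0.113.77", "203.0.113.5", "198.51.100.5", "2001:db8:1::beef"):
        print(f"{probe:>20} -> {lookup(table, probe)}")
    print(pf_fragment("china", "vr1", honeypot="192.168.1.99"))
```

Reloading the table after the list changes is a `pfctl -t china -T replace -f /etc/china.txt`, which does not require reloading the whole ruleset; on pfSense the same effect is reached through an alias, which is what the GUI turns into a table.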

Re: [pfSense Support] how does one test for stability?

2010-02-01 Thread Michel Servaes

How many walls do you have?


Mehma
===

On Mon, Feb 1, 2010 at 2:13 AM, Michel Servaes <mic...@mcmc.be> wrote:


>
> Web surfing happens on port 80 and tcp only. There should be no
udp port 80
> traffic going out. I think I read it in the pfsense book which
just came
> out.
>
>

Didn't read it yet (but, then again - I'm only at page 147 ;-) )
In the meanwhile, I blocked 80/udp on my firewalls :)



I'm managing about 20 firewalls, most of them being entry level Linksys 
RV042/82 or DLINK DFL-200
But I am replacing each and every broken device with a pfSense (or 
monowall) one... and currently I have 4 pfSense boxes running.


2 proliant servers, and 2 Alix boards. (a 2D3 and a 2D13)





Re: [pfSense Support] how does one test for stability?

2010-02-01 Thread Michel Servaes
>
> Web surfing happens on port 80 and tcp only. There should be no udp port 80
> traffic going out. I think I read it in the pfsense book which just came
> out.
>
>

Didn't read it yet (but, then again - I'm only at page 147 ;-) )
In the meanwhile, I blocked 80/udp on my firewalls :)




Re: [pfSense Support] how does one test for stability?

2010-01-31 Thread Michel Servaes
I suspect my Alix embedded appliance (500 MHz 586 class with 256 MB 
RAM) is getting maxed out via either heat or traffic.


e.  Rejecting UDP port 80 on LAN
f.   Rejecting TCP 6667 (IIRC), 135 (MS RPC) on LAN
g.  Rejecting TCP/UDP 445 (SMB/CIFS), 137-139 (NetBIOS) on LAN. My 
imac and a PC laptop generate a lot of 137 traffic that gets blocked.

h.  Doing Vonage VOIP traffic shaping
i.  I use the Internet mainly via a D-Link N wifi router connected to 
a HP Procurve switch. The firewall is also connected to that switch.



Mehma


Why reject port 80/UDP on LAN ? I'm just curious, as I don't do that 
- and it might be a good idea :)
I also have an Alix 2D13 (same specs as yours I guess) - but with some 
packages installed, and three IPSEC VPNs.
Also traffic shaping is active, though only for one dedicated LAN IP 
... (for VOIP).


The only time the Alix gets into some trouble (it seems to me) is when doing 
torrents... vr0: promiscuous mode enabled/disabled all the time then.


But for normal http traffic (even when downloading service packs or 
whatever is large enough to test sustainability) I have no troubles 
whatsoever...





Re: [pfSense Support] VMWARE test for Pfsense

2010-01-29 Thread Michel Servaes




Hi,

I would like to ask how to setup Pfsense on a Vmware workstation on a 
windows host, i have tested it but i cant access the LAN ip of the 
pfsense web configurator, please help me on this. Thanks

--
Ruben

Ruben,


What I mostly do to test pfsense in a vmware (or virtualbox) 
environment is set up a workstation as well in the VM solution.

I then assign two NICs to the pfsense VM.

1 NIC will be bridged to assign as "WAN".
The other NIC is being setup as "Host-only".


The workstation (the VM one, not your physical one) on the other hand is 
being given one NIC, and "Host-only".



That ought to solve your problem... and easy :) hope this helps!




Re: [pfSense Support] sip device disconnects every 2 days.

2010-01-28 Thread Michel Servaes



Michel,

I had the same problem
This is caused by a wrong entry in the state table.

The workaround is posted in 
http://forum.pfsense.org/index.php/topic,18053.0.html


H.

Michel Servaes wrote:

Hi,

I stepped over to pfsense (using monowall before for years), because I
liked the extras :)
But my Voip device keeps disconnecting each and every 1,5 to 2 days...
and there is nothing I can do about on the sip-device itself...
rebooting won't help.

I always have to reboot the pfSense (1.2.3).



Installed CRON, left the PPPoErestart command in... added a command to 
do a "pfctl -k " which seems to kill the right states... 
after some seconds, the VOIP is back up, without any further user 
assistance...


I now made a cron command to do pfctl -k  5 minutes after the 
pppoerestart command - that should fix it I guess ;-)

I might as well disable siproxd again...

Will give follow up, if needed.


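"Kill the right states" is the step worth being precise about: `pfctl -k <host>` alone removes every state involving that host, while a second `-k` restricts the kill to the states between two hosts. The following is an added example that picks the SIP device's states out of `pfctl -ss` output and builds exactly those narrower commands; it is not the command from the message above and not something pfSense ships. The state lines are constructed to follow the line shape pf prints on FreeBSD (interface, protocol, one endpoint with the NAT-side address in parentheses when translated, direction arrow, the other endpoint, state pair), IPv4 only; the SIP device 192.168.1.50, the registrar 198.51.100.20 and the WAN address 203.0.113.10 are placeholders.

```python
"""Select a SIP device's pf states and build matching `pfctl -k` calls (added example)."""
import re
from typing import Dict, Iterable, List, Optional

# Assumed `pfctl -ss` line shape; anything that does not fit is ignored rather than guessed at.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>[\d.]+:\d+)(?:\s+\((?P<a_nat>[\d.]+:\d+)\))?\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<b>[\d.]+:\d+)(?:\s+\((?P<b_nat>[\d.]+:\d+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)

# Constructed sample: LAN-side and WAN-side (NATed) state for the SIP registration, plus unrelated noise.
SAMPLE_STATES = """\
vr0 udp 192.168.1.50:5060 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
vr1 udp 203.0.113.10:5060 (192.168.1.50:5060) -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
vr0 tcp 192.168.1.20:49152 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
vr0 udp 192.168.1.20:53421 -> 192.168.1.1:53       MULTIPLE:SINGLE
""".splitlines()


def parse_state(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = STATE_RE.match(line)
    return m.groupdict() if m else None


def split_hostport(endpoint: str):
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def _endpoints(state: Dict[str, Optional[str]]) -> List[str]:
    return [state[k] for k in ("a", "a_nat", "b", "b_nat") if state[k]]


def sip_states(lines: Iterable[str], sip_host: str, sip_port: int = 5060) -> List[Dict[str, Optional[str]]]:
    """UDP states that carry the SIP device's signalling port, on either side of NAT."""
    hits = []
    for line in lines:
        st = parse_state(line)
        if st is None or st["proto"] != "udp":
            continue
        if any(split_hostport(e) == (sip_host, sip_port) for e in _endpoints(st)):
            hits.append(st)
    return hits


def _peer(state: Dict[str, Optional[str]], sip_host: str) -> Optional[str]:
    """The far end: the endpoint whose address (or NAT original) is not the SIP device."""
    for end, nat in ((state["a"], state["a_nat"]), (state["b"], state["b_nat"])):
        hosts = {split_hostport(end)[0]}
        if nat:
            hosts.add(split_hostport(nat)[0])
        if sip_host not in hosts:
            return split_hostport(end)[0]
    return None


def kill_commands(states: List[Dict[str, Optional[str]]], sip_host: str) -> List[List[str]]:
    """One `pfctl -k <sip_host> -k <peer>` per distinct peer: only the SIP states, not the whole host."""
    peers = sorted({p for p in (_peer(st, sip_host) for st in states) if p})
    return [["pfctl", "-k", sip_host, "-k", peer] for peer in peers]


if __name__ == "__main__":
    import subprocess
    lines = subprocess.run(["pfctl", "-ss"], capture_output=True, text=True, check=True).stdout.splitlines()
    for cmd in kill_commands(sip_states(lines, "192.168.1.50"), "192.168.1.50"):  # placeholder host
        print(" ".join(cmd))          # review first; replace print() with subprocess.run(cmd, check=True) to act
```

Scheduling this a few minutes after the PPPoE restart, as the message above does, works because the stale states are the ones whose WAN-side address no longer matches the new PPPoE address; the device re-registers into fresh states as soon as the old ones are gone.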


[pfSense Support] sip device disconnects every 2 days.

2010-01-27 Thread Michel Servaes
Hi,

I stepped over to pfsense (using monowall before for years), because I
liked the extras :)
But my Voip device keeps disconnecting each and every 1,5 to 2 days...
and there is nothing I can do about on the sip-device itself...
rebooting won't help.

I always have to reboot the pfSense (1.2.3).

I tried your recommendations for the "registering" part - and that went well...
But now it disconnects every 2 days (and forever after that, until I
restart pfsense itself). I am also guessing that it might be my DSL
line that the provider disconnects every 36 hours... (I tried the
pppoerestart schedule - but somehow this doesn't listen too well to the
scheduler (when doing the pppoerestart by hand in the CLI, it does what
it is supposed to do).

I was thinking to upgrade to the 2.0 beta release ~ but will it help my case ?
Also, if I'm upgrading (already tried it once) I have the distinct
feeling, that the packages aren't well upgraded either...
How can I do an "inplace" upgrade without the packages being
installed... or might it be better to just take the CF card out,
rewrite it with a full image ?? (I guess I answered my own question
here :-) )

Kind regards,
Michel




[pfSense Support] Re: Squidguard question

2010-01-21 Thread Michel Servaes



user authentication is somehow not working... I've definitely made a
mistake, but don't see where.

I have some admin users defined in the userlist (and I am using the
integrated user list within Squid).
For example :

I have added admin, user & guest.

By ACL rules
Admin and User are allowed almost everything from the downloaded blacklist.
Guest is only allowed a search engine, hospitals... but the default
rule (all) is deny !
As a last rule I have set up a rule for my subnet, to deny everything.

The rule seems to interpret my 'guest' as an Admin... which I can't understand.

I have added "google.com" to the whitelist in Squid itself... I don't
want all computers to ask for authentication on the first page they open.

Any ideas here ? thank you in advance.
  


I just saw a post of someone else here, that the guy making this package 
isn't reading here... so I took it upto the forum :)

Sorry to bother here ;)




[pfSense Support] Squidguard question

2010-01-21 Thread Michel Servaes
user authentication is somehow not working... I've definitely made a
mistake, but don't see where.

I have some admin users defined in the userlist (and I am using the
integrated user list within Squid).
For example :

I have added admin, user & guest.

By ACL rules
Admin and User are allowed almost everything from the downloaded blacklist.
Guest is only allowed a search engine, hospitals... but the default
rule (all) is deny !
As a last rule I have set up a rule for my subnet, to deny everything.

The rule seems to interpret my 'guest' as an Admin... which I can't understand.

I have added "google.com" to the whitelist in Squid itself... I don't
want all computers to ask for authentication on the first page they open.

Any ideas here ? thank you in advance.




Re: [pfSense Support] Find out my top bandwidth user?

2010-01-19 Thread Michel Servaes



I think it's called rate, it lets you see in near real-time the bandwidth
in KBps in the System->Traffic Graph (correct me if wrong).

says for wan and lan, and I can see just what people are using right now.
great tool.

matheus

  
rate only shows the current activity... it's quite difficult to pinpoint 
a heavy user afterwards.


When you know the top bandwidth user might be an HTTP downloader, I'd 
suggest the Squid package, and put squid up as a transparent proxy.

Though bandwidthd is also good
Ntop fails too many times under different circumstances... (with me that is)




Re: [pfSense Support] pfSense embedded : how to prolong state sessions

2010-01-15 Thread Michel Servaes



I have a SIP solution behind pfSense now (this morning it was sitting
behind a monowall setup on a pentium3 computer).
PfSense being installed on an Alix 2D13 now, opened up ports 5060
tcp/udp and the SIP device (an SPA-2102) registers every 180 seconds.

But the ip-state is being deleted every 60 seconds... and this is
every 180 seconds so.




See #2 here:
http://doc.pfsense.org/index.php/VoIP_Configuration

-

  

You are the gr8est - but that is info you already knew ;-)
I was searching the book for how to prolong this by means of searching 
through states - but step 2, setting the firewall to conservative, works 
brilliantly !





[pfSense Support] pfSense embedded : how to prolong state sessions

2010-01-15 Thread Michel Servaes
I have a SIP solution behind pfSense now (this morning it was sitting
behind a monowall setup on a pentium3 computer).
PfSense being installed on an Alix 2D13 now, opened up ports 5060
tcp/udp and the SIP device (an SPA-2102) registers every 180 seconds.

But the ip-state is being deleted every 60 seconds... and this is
every 180 seconds so.

Ok, I can lessen the amount of time between registers, but what
bothers me is that this worked without a configuration change (besides
NAT of course) on a monowall setup.


Can I prolong the time of a certain state (for instance, only SIP traffic ?)...

I already tried it within RULES, in the Advanced section - there is a
state timeout... but setting this to 240 doesn't seem to help...
I did this on both LAN outgoing, and on WAN incoming 5060.

I'll install the siproxd package, if this would solve things, but
this sounds to me like it would only solve issues when using multiple
SIP devices behind NAT...

Any thoughts ?

Kind regards,
Michel Servaes




[pfSense Support] prolly an OT question : VPN networking -p2pVPN alike ?

2010-01-12 Thread Michel Servaes
Would it be possible to set up a VPN network, but in such a way that all 
nodes are inter-connected, without having to build up each separate 
vpn-network ?


Site1 connects to Site2
Site2 connects to Site3

Site1 can now connect to Site3, through Site2, maybe even interchange 
the parameters to connect directly the next time.



I understand that this will give delays... but in some instances it 
might ease my work to set up any new network in our country-wide LAN setup...


If I am not mistaken, this can't be done by IPSEC VPN ??
But it can be done using OpenVPN ?

Currently my setup consists of one central IPSEC VPN (pfsense box) - and 
each site connects to the pfsense.
Which already works just great... but some kind of p2p VPN would be kinda 
nifty to have (reading wippien.com, it seems that a software solution is 
already present)





Re: [pfSense Support] port 80 -> 443

2010-01-08 Thread Michel Servaes




>
> That's exactly what I thought on first seeing this - there's
> absolutely no difference. It makes no sense at all to use a different
> port on the server for security reasons.
>

I would agree.  And whether you like Microsoft or not, there are 
thousands of IIS instances running on the net with out any problems so 
I don't think its worth the hassle.  If you are that concerned about 
IIS being a security vulnerability then run a different web server.  :)






Okay - I got the picture.
I just thought that it would be possible doing some maneuvre on the 
pfSense - but seeing the responses, I guess I've been asking a stupid 
question - sorry about that ;-)







Re: [pfSense Support] port 80 -> 443

2010-01-08 Thread Michel Servaes



Also, the machine is acting as a Secure Gateway for Citrix - so I don't want
to tamper a lot on a (for the rest) working config...
I just want to avoid the obligation to let my users type 'https' :-)



The problem is that 'https' doesn't just specify the port, it also
tells the browser whether it needs to negotiate SSL/TLS or not.  If a
browser is pointed at http://something, it's not going to expect the
SSL negotiation and your user will see garbage.  The proper way to do
this is to have a minimal service running on port 80 providing 302's
for every request to https://.  This is trivial to do in
Apache, and I'd be surprised if it wasn't trivial in IIS.


RB

  
Oh okay, I thought an Internet Explorer or any other browser would see 
what the server is posting, if I redirected port 80 to 443.
I know I can do something in IIS, or Apache... and I am using IIS in the first 
instance to serve the https part... but I just didn't want to have to... 
as I don't really like port 80 at all on an IIS server...


But if there is no other way, I'll put up a box with Apache instead to 
forward to the https part of IIS...


thanks for your responses, guys ;-)




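The approach RB describes in the reply above (a minimal listener on port 80 whose only job is to redirect every request to https://) as an added, stand-alone example; this is neither the thread's code nor anything pfSense or IIS ships, and it is the "box in front of IIS" variant rather than an IIS setting. It assumes the gateway is reachable as gateway.example.com (a placeholder) and pins the redirect target to that name so an attacker-supplied Host header can never turn the redirector into an open redirect; the request path and query are preserved, but an absolute-form or protocol-relative request target is collapsed to "/".

```python
"""Port-80 listener that answers every request with a redirect to https:// (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_HOST = "gateway.example.com"      # placeholder for the gateway's public name
ALLOWED_HOSTS = {DEFAULT_HOST}            # Host headers we are willing to echo into Location
HTTPS_PORT = 443
LISTEN = ("0.0.0.0", 80)                  # binding 80 needs root, or a port forward from 80


def redirect_target(host_header: str, path: str, https_port: int = HTTPS_PORT,
                    allowed=ALLOWED_HOSTS) -> str:
    """Build the https:// URL for one request from its Host header and request target."""
    raw = (host_header or "").strip().lower()
    if raw.startswith("["):                                   # IPv6 literal, e.g. [2001:db8::1]:80
        host = raw[: raw.find("]") + 1]
    else:
        host = raw.split(":", 1)[0]                           # drop whatever port the client used
    if host not in allowed:                                   # unknown or empty Host: use our own name
        host = DEFAULT_HOST
    if not path.startswith("/") or path.startswith("//"):     # absolute-form or protocol-relative: reset
        path = "/"
    netloc = host if https_port == 443 else f"{host}:{https_port}"
    return f"https://{netloc}{path}"


class RedirectHandler(BaseHTTPRequestHandler):
    server_version = "redirector/0.1"
    sys_version = ""                                          # do not advertise the Python version

    def _redirect(self) -> None:
        self.send_response(301)                               # permanent: browsers cache it
        self.send_header("Location", redirect_target(self.headers.get("Host", ""), self.path))
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    do_GET = _redirect
    do_HEAD = _redirect

    def log_message(self, fmt, *args):                        # stay quiet; the firewall logs the connection
        pass


if __name__ == "__main__":
    HTTPServer(LISTEN, RedirectHandler).serve_forever()
```

Only GET and HEAD are answered; anything else gets the 501 the base handler produces, which is the right answer for a box that serves no content. Because the redirector never proxies anything, it has no reason to reach the IIS host at all, so it can sit on a DMZ address with a firewall rule allowing only inbound TCP/80.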

[pfSense Support] port 80 -> 443

2010-01-08 Thread Michel Servaes

Is there a way to redirect a port 80 (wanside) to 443 (lanside).
I can do port translation, but the IIS doesn't seem to accept this way 
of redirection...


I know I can alter IIS, to accept port 80 - but I just don't like any 
IIS to be open on port 80 to the worldwide web.
I could install an apache somewhere to redirect again - but that seems a 
bit overkill to setup apache just to forward traffic to 443.



Also, the machine is acting as a Secure Gateway for Citrix - so I don't 
want to tamper a lot on a (for the rest) working config...

I just want to avoid the obligation to let my users type 'https' :-)


ps. I received the book today... it's really a good one to have- great 
work (as the product itself ;-) )





Re: [pfSense Support] embedded install on a Pentium III system

2009-12-29 Thread Michel Servaes



The reason it works out of the box on ALIX/Soekris is because the
default network adapter names for those are vr0/vr1 on both platforms so
those are in the default configuration.

Jim


  


Jim,

I was experimenting with the pfSense embedded, but it does indeed use 
the serial console to show its output.
I was just wondering, if I pop in a RTL8139D card (or any other that 
would be a VIA Rhine chipset) - I guess pfSense would assign "vr0" to 
this adaptor - and thus I'd be able to configure the firewall without 
the need for a serial console...


Unfortunately, my P3 seems not quite happy to handle the 2GB CF card, 
because it hangs at boot on the BTX loader (I just tested another mobo, 
and here I really can see activity on the CF card (the LED on the IDE/CF 
adaptor is much more nervous than on the P3 mobo)) - I'll see if an 
add-on IDE PCI adaptor might load it up, otherwise I need to upgrade the 
mobo... I would really hate it, since the P3 only consumes 25 watts (while 
the newer mobo uses 65 watts) - guess an Alix isn't going to wait for 
long now ;-)


Happy holidays everyone!




Re: [pfSense Support] embedded install on a Pentium III system

2009-12-28 Thread Michel Servaes
>>
>> Thanks for your replies though !
>
> Yeah, sorry for the wild goose chase on the embedded install. Still,
> monowall should differentiate those for you.
>
> Kurt
>

Hey, rather a wild goose chase than the way some other forums reply when
asking a trivial question ;-) (if you catch my drift)

~ Happy new year to the pfsense team, and its members !




Re: [pfSense Support] embedded install on a Pentium III system

2009-12-28 Thread Michel Servaes
I do get VGA output... but it simply hangs on "BTX loader version ..."
Anyway, I saw that this kind of reply needs to be posted to the 2.0
forum... so I'll take it up there (googling the BTX loader hang
phenomenon gave a lot of feedback on the net - I guess it rather is a
FreeBSD issue than a pfSense one.)

Thanks for your replies though !

On Mon, Dec 28, 2009 at 5:06 PM, Michel Servaes  wrote:
>>>
>>>
>>>
>>> My big question - how would I tell which network interface will be the LAN,
>>> to run the WebGUI wizard on... (on an Alix, it's the first one - but how can
>>> I tell on this P3-600 (old compaq) board, which would be the first one ?)
>>>
>>> Or won't it run at all ? Any first thoughts here ?
>>
>> Hook up a monitor and keyboard. Get into the console. Plug in the one
>> of the NICs to a switch (probably the one on your LAN). Do an
>> ifconfig, and see which of your NICs is active.
>>
>> Or, since you're already running monowall, check it to see which it
>> thinks is which - how did you figure that one out?
>> Kurt
>>
>
> Well I gathered that installing the 2.0 nanobsd embedded wouldn't have
> a VGA output possible, which monowall has.
> But if this is the case, I could hook it up to the serial one of course...
> will see what happens this evening.
>


Re: [pfSense Support] embedded install on a Pentium III system

2009-12-28 Thread Michel Servaes
>>
>>
>>
>> My big question - how would I tell which network interface will be the LAN,
>> to run the WebGUI wizard on... (on an Alix, it's the first one - but how can
>> I tell on this P3-600 (old compaq) board, which would be the first one ?)
>>
>> Or won't it run at all ? Any first thoughts here ?
>
> Hook up a monitor and keyboard. Get into the console. Plug in the one
> of the NICs to a switch (probably the one on your LAN). Do an
> ifconfig, and see which of your NICs is active.
>
> Or, since you're already running monowall, check it to see which it
> thinks is which - how did you figure that one out?
> Kurt
>

Well I gathered that installing the 2.0 nanobsd embedded wouldn't have
a VGA output possible, which monowall has.
But if this is the case, I could hook it up to the serial one of course...
will see what happens this evening.


[pfSense Support] embedded install on a Pentium III system

2009-12-28 Thread Michel Servaes
I was wondering, and am going to try this, this evening... how would an 
embedded-install go onto a normal pc system ?



I downloaded the 2.0 Beta, physdiskwrite'ed it to a CF card of 2GB
Going to place it in the CF to IDE adaptor (where monowall currently 
runs fine, on another CF card).


And boot the system up...



My big question - how would I tell which network interface will be the 
LAN, to run the WebGUI wizard on... (on an Alix, it's the first one - 
but how can I tell on this P3-600 (old compaq) board, which would be the 
first one ?)


Or won't it run at all ? Any first thoughts here ?


Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Michel Servaes






Does the book cover my kind of issue... I guess I'd better buy one 
very soon now :-)


If you understood what you were doing you would definitely save lots 
of your time.

Evgeny.


Till now I understood what I was doing :-)

But I've never made use of the advanced outbound routing before... so 
yes, this is quite new for me.
Whilst using "automatic" I never really had issues... but now I'm 
fiddling with some new things - true ! Once I get through this, I am 
sure I can add this knowledge onto me ;-)


It's just the combination now, of two new things - a duplicate server 
setup AND using outbound rules... (inbound rules and any other stuff on 
pfSense is quite common to other routers... but the setup of a DLINK 
DFL-200 for instance is quite easy in this kind of setup... hence, I 
succeeded this setup on a DFL200)
Now I want this on a pfSense, which is quite something else... anyway, I 
am going to order the book tonight !



Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Michel Servaes




Yes you have to setup everything when changing to manual outbound, even
the default outbound for your LAN.
You can use outbound for a subnet (/24) or specific host only (/32)


  

That is a lot of work then...
I also have the distinct impression, that when using the manual rules, 
internet is terribly slow, to nothing at all.


I gathered - oh well, that might be that my internal DNS server (the 
primary domain controller) isn't able to access the internet properly 
(since old fetched domains are blazing fast), I added an outbound rule 
for my first dns server 192.168.150.1 to access our ISP's DNS...
But hence, this also seems to be not working so well... all new domains 
entered aren't resolved... so it's not slow, it just relies on cached 
information.



Might the internet be slow, because I didn't enter source/dest ports ??
Citrix being the old server setup, XenApp being the new setup.

NAT :

.1 : domain controller
.2 : mailserver
.9 : webserver

SDSL = range of ip's x.y.18.17/29
WAN = ADSL backup (to allow the local lan for a speedy connection (being 
SDSL 1M/1M)



Does the book cover my kind of issue... I guess I'd better buy one very 
soon now :-)



Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Michel Servaes





Raouf Daghbouche schreef:

On Sun, Dec 27, 2009 at 1:49 PM, Michel Servaes  wrote:
 

- Go to  Firewall > Virtual IP and Create a Virtual IP as CARP, with
your x.y.18.20
- Go to Firewall > NAT and set Manual Outbound NAT rule generation
(Advanced Outbound NAT (AON))
- Then add a rule for your outgoing server/ip, in the Translation
section you will find your x.y.18.20 ip address.

r@



  

The 2 first instructions went just fine.
The third one, seems to be not working for me.

I tried adding an outbound rule on the LAN interface (since it should be
listening to the inside of my network ?)
I've added the internal ip 192.168.150.9/32 as source, and used the virtual
ip .18.20 as translation.
Also tried adding 192.168.150.9/32 as destination, just to make sure I
didn't mistake myself - but this seems not to work either...

I tried to check using upon http://checkip.dyndns.org to see if my outgoing
connection would be using x.y.18.20, but instead it uses my default LAN to
ADSL backup route (a dynamic ip).
When I disable my default LAN to ADSL route; no comms are possible no more
to the internet.

I have a "SERVERS" rule to make them by default go over to WAN2 (first IP of
that range by default : .18.18)
Default LAN to ADSL route is setup for all leftovers that any other rule
isn't taking care of.

I would like a "SECOND SERVER" rule, to make them by default go over to WAN2
(second IP of that range : .18.20)





So you have the default outgoing NAT rule for your LAN and then the
rule for your second server, both are on the same subnet 192.168.150.x
Try to move it above the default LAN rule and see if it works


  
I just checked if it was something I do wrong, or the system is 
mis-interpreting my "wanted" :)
When enabling Manual Outbound NAT (as opposed to Automatic Outbound 
NAT), I simply can't surf anywhere any more !


However one outbound rule is automatically created when changing to 
"manual", to allow 192.168.150.0/24 to the WAN (in my case the ADSL 
backup line)... but it just simply won't allow me to access the 
internet any more.

When reverting to "automatic" the internet starts working again.

To explain the situation somewhat more :

I have an older Citrix server, that needs to stay in service for my 
transition phase... which is listening to .18.18 (outside world).
I have setup a new Citrix server (nowadays called XenApp) - and 
obviously this one comes back to .18.18 since this is the first 
address after the gateway... but this won't work, as this is the 
older Citrix serverfarm.


To test if it is working, I would allow my XenApp server (currently 
only one) to pass onto the internet with all its ports... therefore, 
there are no rules for their current allocated internal addresses...
Should a normal rule be inserted as well ?? (however, can't choose 
for a virtual ip there)



Okay, thanks for your help...
Got it working now - didn't realize that I also had to make a rule in 
the firewall itself !


I thought adding an outbound rule would do enough, but it seems you 
also have to add a rule in the general LAN rule list, to make it leave 
the other gateway (the one with the pool of ip's).


Thank you very much!
Darn, it seems when changing to manual outbound, you'd have to rewrite 
everything that already was in place ?
My mailserver now goes out onto the ADSL line as well, instead onto my 
pool... is this correct ?


I just reverted back to the automatic mode... for now.


Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Michel Servaes





Raouf Daghbouche schreef:

On Sun, Dec 27, 2009 at 1:49 PM, Michel Servaes  wrote:
 

- Go to  Firewall > Virtual IP and Create a Virtual IP as CARP, with
your x.y.18.20
- Go to Firewall > NAT and set Manual Outbound NAT rule generation
(Advanced Outbound NAT (AON))
- Then add a rule for your outgoing server/ip, in the Translation
section you will find your x.y.18.20 ip address.

r@



  

The 2 first instructions went just fine.
The third one, seems to be not working for me.

I tried adding an outbound rule on the LAN interface (since it should be
listening to the inside of my network ?)
I've added the internal ip 192.168.150.9/32 as source, and used the virtual
ip .18.20 as translation.
Also tried adding 192.168.150.9/32 as destination, just to make sure I
didn't mistake myself - but this seems not to work either...

I tried to check using upon http://checkip.dyndns.org to see if my outgoing
connection would be using x.y.18.20, but instead it uses my default LAN to
ADSL backup route (a dynamic ip).
When I disable my default LAN to ADSL route; no comms are possible no more
to the internet.

I have a "SERVERS" rule to make them by default go over to WAN2 (first IP of
that range by default : .18.18)
Default LAN to ADSL route is setup for all leftovers that any other rule
isn't taking care of.

I would like a "SECOND SERVER" rule, to make them by default go over to WAN2
(second IP of that range : .18.20)





So you have the default outgoing NAT rule for your LAN and then the
rule for your second server, both are on the same subnet 192.168.150.x
Try to move it above the default LAN rule and see if it works


  
I just checked if it was something I do wrong, or the system is 
mis-interpreting my "wanted" :)
When enabling Manual Outbound NAT (as opposed to Automatic Outbound 
NAT), I simply can't surf anywhere any more !


However one outbound rule is automatically created when changing to 
"manual", to allow 192.168.150.0/24 to the WAN (in my case the ADSL 
backup line)... but it just simply won't allow me to access the 
internet any more.

When reverting to "automatic" the internet starts working again.

To explain the situation somewhat more :

I have an older Citrix server, that needs to stay in service for my 
transition phase... which is listening to .18.18 (outside world).
I have setup a new Citrix server (nowadays called XenApp) - and 
obviously this one comes back to .18.18 since this is the first 
address after the gateway... but this won't work, as this is the older 
Citrix serverfarm.


To test if it is working, I would allow my XenApp server (currently 
only one) to pass onto the internet with all its ports... therefore, 
there are no rules for their current allocated internal addresses...
Should a normal rule be inserted as well ?? (however, can't choose for 
a virtual ip there)



Okay, thanks for your help...
Got it working now - didn't realize that I also had to make a rule in 
the firewall itself !


I thought adding an outbound rule would do enough, but it seems you also 
have to add a rule in the general LAN rule list, to make it leave the 
other gateway (the one with the pool of ip's).


Thank you very much!


Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Michel Servaes



Raouf Daghbouche schreef:

On Sun, Dec 27, 2009 at 1:49 PM, Michel Servaes  wrote:
  

- Go to  Firewall > Virtual IP and Create a Virtual IP as CARP, with
your x.y.18.20
- Go to Firewall > NAT and set Manual Outbound NAT rule generation
(Advanced Outbound NAT (AON))
- Then add a rule for your outgoing server/ip, in the Translation
section you will find your x.y.18.20 ip address.

r@



  

The 2 first instructions went just fine.
The third one, seems to be not working for me.

I tried adding an outbound rule on the LAN interface (since it should be
listening to the inside of my network ?)
I've added the internal ip 192.168.150.9/32 as source, and used the virtual
ip .18.20 as translation.
Also tried adding 192.168.150.9/32 as destination, just to make sure I
didn't mistake myself - but this seems not to work either...

I tried to check using upon http://checkip.dyndns.org to see if my outgoing
connection would be using x.y.18.20, but instead it uses my default LAN to
ADSL backup route (a dynamic ip).
When I disable my default LAN to ADSL route; no comms are possible no more
to the internet.

I have a "SERVERS" rule to make them by default go over to WAN2 (first IP of
that range by default : .18.18)
Default LAN to ADSL route is setup for all leftovers that any other rule
isn't taking care of.

I would like a "SECOND SERVER" rule, to make them by default go over to WAN2
(second IP of that range : .18.20)





So you have the default outgoing NAT rule for your LAN and then the
rule for your second server, both are on the same subnet 192.168.150.x
Try to move it above the default LAN rule and see if it works


  
I just checked if it was something I do wrong, or the system is 
mis-interpreting my "wanted" :)
When enabling Manual Outbound NAT (as opposed to Automatic Outbound 
NAT), I simply can't surf anywhere any more !


However one outbound rule is automatically created when changing to 
"manual", to allow 192.168.150.0/24 to the WAN (in my case the ADSL 
backup line)... but it just simply won't allow me to access the internet 
any more.

When reverting to "automatic" the internet starts working again.

To explain the situation somewhat more :

I have an older Citrix server, that needs to stay in service for my 
transition phase... which is listening to .18.18 (outside world).
I have setup a new Citrix server (nowadays called XenApp) - and 
obviously this one comes back to .18.18 since this is the first address 
after the gateway... but this won't work, as this is the older Citrix 
serverfarm.


To test if it is working, I would allow my XenApp server (currently only 
one) to pass onto the internet with all its ports... therefore, there 
are no rules for their current allocated internal addresses...
Should a normal rule be inserted as well ?? (however, can't choose for a 
virtual ip there)




Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Michel Servaes



- Go to  Firewall > Virtual IP and Create a Virtual IP as CARP, with
your x.y.18.20
- Go to Firewall > NAT and set Manual Outbound NAT rule generation
(Advanced Outbound NAT (AON))
- Then add a rule for your outgoing server/ip, in the Translation
section you will find your x.y.18.20 ip address.

r@


  

The 2 first instructions went just fine.
The third one, seems to be not working for me.

I tried adding an outbound rule on the LAN interface (since it should be 
listening to the inside of my network ?)
I've added the internal ip 192.168.150.9/32 as source, and used the 
virtual ip .18.20 as translation.
Also tried adding 192.168.150.9/32 as destination, just to make sure I 
didn't mistake myself - but this seems not to work either...


I tried to check using upon http://checkip.dyndns.org to see if my 
outgoing connection would be using x.y.18.20, but instead it uses my 
default LAN to ADSL backup route (a dynamic ip).
When I disable my default LAN to ADSL route; no comms are possible no 
more to the internet.


I have a "SERVERS" rule to make them by default go over to WAN2 (first 
IP of that range by default : .18.18)
Default LAN to ADSL route is setup for all leftovers that any other rule 
isn't taking care of.


I would like a "SECOND SERVER" rule, to make them by default go over to 
WAN2 (second IP of that range : .18.20)





Re: [pfSense Support] please help me

2009-12-27 Thread Michel Servaes



Thanks for the prompt reply.

Yes, I got DNS from my ISP.

But I can not ping google.com from pfSense.

And the option "Allow DNS server list to be overridden..." in general 
setup is also enabled ?

Your public ip-address isn't by any chance a natted one ?



Re: [pfSense Support] please help me

2009-12-27 Thread Michel Servaes


I have configured pfSense in a new box having two LAN cards on it. One 
is LAN and one is WAN.


WAN interface set to DHCP, I got a public IP address from my ISP, I 
have set both DNS.


But I can not ping google.com from pfSense. I can 
ping my ISP DNS.


Can anyone please help me


If you check "interfaces" under diagnostics... does your WAN receive the 
DNS servers of your ISP ?



[pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Michel Servaes
I have a pool of ip-addresses... the gateway is x.y.18.17, and the
ending is x.y.18.22
I have two servers, that use the same outgoing protocol and the first
is working fine, as I have setup a rule to use the default gateway
.18.17 on the WAN side.

But I want to setup the second server to go out on .18.20 for
instance... but setting up rules, will allow me only to choose
"default" or ".18.17" (mind you, that the "default" is a second
network card, used for backup)
I have added virtual ip's (.18.18, .18.19, .18.20, ...), but cannot
choose them for outgoing rules... I'm sure I'm missing something basic
here.

Kind regards,
Michel


Re: [pfSense Support] pfsense embedded installed on an Alix 2D3

2009-12-21 Thread Michel Servaes

On Mon, Dec 21, 2009 at 7:09 PM, Michel Servaes  wrote:

This seems to work fine...
But, is it normal that I can install packages if I want to ?




Yes, see "embedded switched to nanobsd" here:
http://blog.pfsense.org/?p=531

Only the ones that can reasonably run from CF are available, but
that's most of them. It mounts read write, installs, and mounts back
read only.


  

Thanks, should have been paying a bit more attention I guess ;-)
But when the nanoBSD came out - I wasn't interested yet, as I wasn't 
installing on any embedded device yet !


I guess I'll be contacting pcengines anytime soon now, to go and upgrade 
to a greener environment !!
This is really cool ! (but reading the thread you gave me, I am not the 
only one thinking this way)



[pfSense Support] pfsense embedded installed on an Alix 2D3

2009-12-21 Thread Michel Servaes

This seems to work fine...
But, is it normal that I can install packages if I want to ?

The option is just there, and I tried to install "rate", which by the 
way on an embedded system seems not to have the issue of cutting the 
last digit of the IP !



I thought packages were not supported on an embedded system...
Maybe the 1.2.3 release, just saves to NVRAM... so with a reboot 
everything is gone again... ??


Anyway, it really runs quite smoothly... must say that I am happy with it !

Kind regards,
Michel



[pfSense Support] Windows Deployment Services - DHCP options 60/66/67

2009-12-19 Thread Michel Servaes

Might it be, that these options should be possible to add to pfSense.
I can add options 66 & 67 (boot-server & boot-filename)... but option 60 
would be the name which should be set to (PXEClient)


I guess that would be the reason, for not being able to boot via PXE, to 
the WDS ? (it's all fairly new to me, I might talk gibberish here)


Kind regards,
Michel



[pfSense Support] Windows Deployment Services & DHCP/PFsense TFTP ?

2009-12-19 Thread Michel Servaes
I was wondering on how to enable WDS (Windows Deployment Server) 
together with DHCP within pfSense.

Anyone being successful with this ?

When using DHCP of Windows Server itself, it works just fine... but when 
using the DHCP within pfSense, it seems the WDS cannot be found.
The bootfile would be "boot.wim", I do add the IP address of the WDS and 
as filename boot.wim - but the PXE boot comes back with the message that 
the file would be invalid ?



Any clues here ?

thank you in advance...


Re: [pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview

2009-11-24 Thread Michel Servaes





Since I have added two IPSEC tunnels to both Linksys' RV042 - my VPN
connections start to die randomly, but stay active in both the webgui's
overview (both, I mean pfSense and the DLINK's) - but either way is
impossible to ping each other !!




Have you tried checking the "Prefer old IPsec SAs" option under System >
Advanced?

Jim


  
No I haven't tried this one yet - as of now, I changed this option - 
will see if this helps... should I repost the outcome ?

Thanks in advance.


[pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview

2009-11-24 Thread Michel Servaes
Hi,


My pfSense setup ran for about 30 days without a problem.
I had a setup with all DLINK DI804 or DI824VUP (wireless variant of
the DI804), which ran smoothly. (excluding mine at home, a monowall
setup).

Since I have added two IPSEC tunnels to both Linksys' RV042 - my VPN
connections start to die randomly, but stay active in both the webgui's
overview (both, I mean pfSense and the DLINK's) - but either way is
impossible to ping each other !!

If I restart the DLINK router, or if I restart within pfSense the
IPSEC stack - all starts running again fine ?!

Some years ago, I had almost the same problem (pinging back then was
possible, but no RDP or VNC) - and someone pointed out to add 4 lines
of code in the config, for your convenience I have added them to this
posting...
But I am wondering, if this is still accurate, and if this also
addresses this issue as well ?

Kind regards,

-->

In /etc/rc.bootup add there near the comment
/* start IPsec tunnels */

exec("/sbin/sysctl net.enc.out.ipsec_bpf_mask=0x");
exec("/sbin/sysctl net.enc.out.ipsec_filter_mask=0x0001");
exec("/sbin/sysctl net.enc.in.ipsec_bpf_mask=0x");
exec("/sbin/sysctl net.enc.in.ipsec_filter_mask=0x0002");

save and reboot.


[pfSense Support] little offtopic - using cron to monitor ipsec tunnels

2009-10-29 Thread Michel Servaes
Hi,


I was wondering, if there would be a way (by not installing third
party software) to monitor the uptime of your ipsec VPN tunnels.
Sure, I can ping every LAN printer that is in the other subnet - or
install third party software... but some kind of cronjob checking this
would also be a cool way to accomplish this.

And as soon as a VPN is out for xxx minutes, a mail should be sent to the admin.

That way - I could anticipate on power outages, or any other reason
why a VPN does not come up.


Kind regards,
Michel
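A cron-driven monitor of the kind asked for above, as an added example that is not part of the original post or of pfSense: it pings one host behind each tunnel, keeps the time of the last successful probe in a state file, and mails the admin once a tunnel has been unreachable for longer than a threshold (and once more when it comes back). The tunnel names, probe addresses, state directory and admin address are constructed placeholders, and the script assumes FreeBSD's `ping` and a `mail` command that can relay to the admin.

```shell
#!/bin/sh
# Added example, not from the original post: cron-driven IPsec tunnel monitor.
# Each tunnel is probed by pinging one host in its remote subnet. The epoch of
# the last successful probe is kept in $STATE_DIR/<name>.lastup; once a tunnel
# has been down for ALERT_MINUTES a mail goes out and <name>.alerted marks it,
# so a long outage produces one mail, not one per cron run.
# All names, addresses and paths below are constructed placeholders.

STATE_DIR="${STATE_DIR:-/var/db/ipsec-monitor}"
ADMIN_MAIL="${ADMIN_MAIL:-admin@example.invalid}"
ALERT_MINUTES="${ALERT_MINUTES:-15}"

# One "<tunnel name> <host in the remote subnet>" per line (constructed values).
TUNNELS="site-a 192.168.10.1
site-b 192.168.20.1"

# probe_host <ip>: true when one ICMP echo is answered within 2 seconds.
# (-W takes milliseconds on FreeBSD's ping, seconds on Linux's.)
probe_host() {
    ping -c 1 -W 2000 "$1" >/dev/null 2>&1
}

# minutes_down <last_up_epoch> <now_epoch>: whole minutes since last success.
minutes_down() {
    echo $(( ($2 - $1) / 60 ))
}

# should_alert <last_up_epoch> <now_epoch> <already_alerted 0|1>: true when
# the outage has lasted at least ALERT_MINUTES and no mail was sent for it yet.
should_alert() {
    [ "$3" -eq 0 ] && [ "$(minutes_down "$1" "$2")" -ge "$ALERT_MINUTES" ]
}

# check_tunnel <name> <host>: update state and send mails; returns 0 if up.
check_tunnel() {
    name=$1
    host=$2
    now=$(date +%s)
    up_file="$STATE_DIR/$name.lastup"
    alerted_file="$STATE_DIR/$name.alerted"

    if probe_host "$host"; then
        echo "$now" > "$up_file"
        if [ -f "$alerted_file" ]; then          # recovery after an alert
            rm -f "$alerted_file"
            printf 'IPsec tunnel %s reachable again (probe %s)\n' "$name" "$host" \
                | mail -s "IPsec $name up" "$ADMIN_MAIL"
        fi
        return 0
    fi

    # First run ever for this tunnel: start the clock now rather than alert.
    [ -f "$up_file" ] || echo "$now" > "$up_file"
    last_up=$(cat "$up_file")
    if [ -f "$alerted_file" ]; then alerted=1; else alerted=0; fi

    if should_alert "$last_up" "$now" "$alerted"; then
        printf 'IPsec tunnel %s unreachable for %s minutes (probe %s)\n' \
            "$name" "$(minutes_down "$last_up" "$now")" "$host" \
            | mail -s "IPsec $name down" "$ADMIN_MAIL"
        touch "$alerted_file"
    fi
    return 1
}

main() {
    mkdir -p "$STATE_DIR"
    echo "$TUNNELS" | while read -r name host; do
        if [ -n "$name" ]; then
            check_tunnel "$name" "$host" || :
        fi
    done
}

# Run the checks only when invoked as "ipsec-monitor.sh run", e.g. from cron:
#   */5 * * * * /usr/local/bin/ipsec-monitor.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because a down tunnel is only declared after the threshold and only mailed once per outage, a brief IKE renegotiation or a single lost ping does not page anyone.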


[pfSense Support] traffic shaper multiwan

2009-10-20 Thread Michel Servaes
Hi,


I have traffic shaper issue (that will be for the most of us).
I have one SDSL 1/1mbit, and one VDSL PPPoE connection (as thus, this
is the WAN, and the SDSL being the OPT1).

When using the traffic shaper wizard, and defining the SDSL (OPT1) as
being 1024/1024 - it also shapes my VDSL to a 1024/1024 channel...
which is not my intention of course !

Is there a way to circumvent this, by modifying some parameters ?
I already asked a question (some time ago) for manually adding
shaping-rules, and someone implied by using the full URL that you get
after the wizard... but this just tumbles me into the wizard again :)


I am using the SDSL mainly for terminal-server traffic, and due to the
fixed ip-address, as an SMTP server as well... so I want to lower the
needed speed of my SMTP server to a 256/256 (or something).


Any clues someone... or is this also a 2.0 related matter :) (then I
will have patience)

Kind regards,
Michel


Re: [pfSense Support] more users for the webgui (running 1.2.3 rc3)

2009-10-19 Thread Michel Servaes
Ah, patience will be rewarded then.
thanks for the info!

On Mon, Oct 19, 2009 at 11:44 AM, Fuchs, Martin
 wrote:
> You'll have to wait for 2.0...
> It's a feature there...
>
> Regards,
>
> Martin
>
> -Original Message-
> From: Michel Servaes [mailto:mic...@mcmc.be]
> Sent: Monday, 19 October 2009 11:28
> To: support@pfsense.com
> Subject: [pfSense Support] more users for the webgui (running 1.2.3 rc3)
>
> Hi,
>
> I am wondering, if it would be possible to add more users to the webgui 
> access ?
> Currently I have a monowall & pfsense - and in such, monowall does
> allow me to do this...
> But the pfSense seems to be missing this function.
>
> What I want to do, is to offer regular users (with a bit of IT
> background) access to the captive-portal user administration.
> That way, when a "stranger" passes by, we can give him access to our
> WLAN. (the WLAN itself, would be handled by a normal Access Point).
>
> Kind regards,
> Michel
>

[pfSense Support] more users for the webgui (running 1.2.3 rc3)

2009-10-19 Thread Michel Servaes
Hi,

I am wondering, if it would be possible to add more users to the webgui access ?
Currently I have a monowall & pfsense - and in such, monowall does
allow me to do this...
But the pfSense seems to be missing this function.

What I want to do, is to offer regular users (with a bit of IT
background) access to the captive-portal user administration.
That way, when a "stranger" passes by, we can give him access to our
WLAN. (the WLAN itself, would be handled by a normal Access Point).

Kind regards,
Michel


[pfSense Support] Re: pfsense, ipsec & dyndns clients

2009-10-17 Thread Michel Servaes
Okay, I updated to 1.2.3 RC3, which seems to work just fine with
dynamic addresses :D
thanks for this RC3 update ;)

On Sun, Oct 18, 2009 at 12:06 AM, Michel Servaes  wrote:
> Hi,
>
> I am trying (again) to configure IPSEC vpn to dynamic clients.
> I have this central firewall with pfsense on a fixed IP, and my family
> should connect to the IPSEC stack... but they all have dynamic
> addresses.
> They also have simpler firewalls like DI-824 with builtin ipsec vpn...
>
> When adding in pfsense a dynamic ip-address as endpoint - the racoon
> log complains about a parsing error - is there a quick way around this
> ?
>
>
> I tried the mobile client setup, but that doesn't seem to work - or I
> did something wrong :-)
>
> What to go from where, any clues would be great (apart from giving my
> parents a fixed ip - of course / and I really would like to arrange the
> VPN by the firewall on the other side, instead of installing PPTP
> tunnels through XP/Vista machines)
>
>
> Thank you in advance
>


[pfSense Support] pfsense, ipsec & dyndns clients

2009-10-17 Thread Michel Servaes
Hi,

I am trying (again) to configure IPSEC vpn to dynamic clients.
I have this central firewall with pfsense on a fixed IP, and my family
should connect to the IPSEC stack... but they all have dynamic
addresses.
They also have simpler firewalls like DI-824 with builtin ipsec vpn...

When adding in pfsense a dynamic ip-address as endpoint - the racoon
log complains about a parsing error - is there a quick way around this
?


I tried the mobile client setup, but that doesn't seem to work - or I
did something wrong :-)

What to go from where, any clues would be great (apart from giving my
parents a fixed ip - of course / and I really would like to arrange the
VPN by the firewall on the other side, instead of installing PPTP
tunnels through XP/Vista machines)


Thank you in advance


Re: [pfSense Support] 192.0.2.112

2009-09-29 Thread Michel Servaes



Fuchs, Martin schreef:


Hi !

A friend of mine has a strange problem: every time he reboots his 
pfSense his dyndns updates with 192.0.2.112


He had this problem with 1.2.2 and now updated to 1.2.3 RC3 and it 
still exists…


Anyone has the same issues ?

Any ideas ?

Regards,

Martin



Is 192.0.2.112 not a public range ?
I saw people responding with NAT-related issues... but I thought 192.168.x.y, 
172.16.x.y - 172.32.x.y AND 10.x.y.z were NAT'ted addresses. All the 
rest (other than 234.x.y.z) are public addresses.


It might still be a NAT'ted situation, but then it would be a bad choice 
to have 192.0.x.y as a private range !!


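An added check for the question above (example code, written for this archive page; it is not pfSense code and not from anyone in the thread): it encodes the RFC 1918 private ranges together with the other IANA special-purpose IPv4 blocks, including 192.0.2.0/24, which RFC 5737 reserves as the TEST-NET-1 documentation block, and tells a dynamic-DNS client whether the value it is about to publish is globally routable at all. The function names and the sample addresses are this example's own.

```python
"""Classify an IPv4 address the way a firewall operator needs to when a
dynamic-DNS update reports an unexpected value.

Added example for the 192.0.2.112 thread, not pfSense code. The range table
is taken from RFC 1918, RFC 5737, RFC 6598 and the IANA IPv4 special-purpose
registry; the function names are this example's own.
"""
import ipaddress

# Blocks that must never be published as a host's public address.
# The blocks do not overlap, so the order is only for readability.
SPECIAL_RANGES = [
    ("private (RFC 1918)", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("loopback", ["127.0.0.0/8"]),
    ("link-local (APIPA)", ["169.254.0.0/16"]),
    ("shared address space / CGNAT (RFC 6598)", ["100.64.0.0/10"]),
    ("documentation (TEST-NET, RFC 5737)",
     ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]),
    ("multicast", ["224.0.0.0/4"]),
    ("reserved", ["0.0.0.0/8", "240.0.0.0/4"]),
]

_COMPILED = [(label, [ipaddress.ip_network(n) for n in nets])
             for label, nets in SPECIAL_RANGES]


def classify(addr: str) -> str:
    """Return the special-purpose label for addr, or 'public'.

    The containment test is done against the explicit CIDR table above
    rather than the ipaddress module's is_private/is_global flags, so the
    reader can see exactly which ranges are treated as non-public.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    for label, nets in _COMPILED:
        if any(ip in net for net in nets):
            return label
    return "public"


def dyndns_update_is_sane(addr: str) -> bool:
    """A dynamic-DNS client should only ever publish a globally routable
    address. Returns False for anything in the special-purpose table and
    for strings that do not parse as an IPv4 address at all."""
    try:
        return classify(addr) == "public"
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, including the address from the thread.
    for a in ("192.0.2.112", "172.31.255.254", "172.32.0.1", "234.1.2.3"):
        print(f"{a:>16}  {classify(a)}")
```

Gating the update on `dyndns_update_is_sane()` means a client never pushes a bogus record into DNS, whatever the upstream cause of the wrong value; the record then simply stays at the last good address until a routable one is seen.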



Re: [pfSense Support] dynamic load balancing

2009-08-20 Thread Michel Servaes



Only if you want to write code or a script of some sort to detect that
and automatically switch. That's somewhat involved though. No easy way
to do that.

  


Thank you for the replies... guess I'll first see how things go from 
here - might be better to upgrade the ADSL as soon as it reaches its 
limit anyway...
This question belongs to the "stupid questions" - but I thought, maybe 
there is an easy way to do this.


I still have to implement the pfSense someday - but my provider only 
changes IP during the day... just need to search for a good day to make 
this happen.
(the change of IP has nothing to do with me implementing pfSense - but 
since this would cause trouble for everyone involved, I gather that 
this might be the best time to set up the pfSense anyway)


Kind regards, and again thank you for looking into this one (at everyone)




[pfSense Support] dynamic load balancing

2009-08-20 Thread Michel Servaes
Hi,


I am wondering if the following would be possible - and how to start with it.
I have this SDSL and ADSL connection - where our ADSL has a
download limit of 25GB/month

If one bypasses the 25GB - the connection drops from 10 Mbit/s to 64 kbit/s !
How can I make pfSense see this, so if this happens the connection
switches over to the SDSL connection (being 1 Mbit/s, still better than
64 kbit/s).


PS. the SDSL connection must be preserved as much as possible - so it
only should jump to the SDSL when the ADSL doesn't go any faster than
64 kbit/s... (or if I can use an internal counter that checks if the
25GB limit is passed - that's also ok)

Would this be possible, and where to start ?

Kind regards,
Michel

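The reply in the thread says this needs a script of some sort. As an added example of what that script would have to track (written for this page; not pfSense code and not from anyone in the thread), the class below implements the two triggers the post describes: the "internal counter" against the 25 GB monthly cap, and a throughput heuristic for the case where the line has already been throttled to 64 kbit/s. It polls a cumulative byte counter, tallies usage per billing month while surviving 32-bit counter wraps and interface resets, and reports when the backup line should take over. The class and method names, the cap and rate values in the test, and the counter samples are all constructed for the example; how the counters are obtained from the firewall (SNMP, `netstat -ib`, a gateway monitor) is outside it.

```python
"""Track a metered WAN link (an ADSL line with a monthly download cap that
the ISP throttles to 64 kbit/s once exceeded) and report when a backup
line should take over.

Added example for the "dynamic load balancing" thread, not pfSense code.
Sample values are constructed; the thresholds are configurable.
"""
from dataclasses import dataclass

GB = 1_000_000_000        # decimal gigabytes, as most ISPs bill them
COUNTER_MAX = 2 ** 32     # 32-bit interface byte counters wrap at this value


@dataclass
class Sample:
    t: float          # timestamp in seconds
    rx_bytes: int     # cumulative bytes received on the metered WAN


class MeteredWan:
    def __init__(self, cap_bytes: int, throttle_bps: float, margin: float = 0.05):
        self.cap = cap_bytes
        self.throttle_bps = throttle_bps  # rate the ISP enforces after the cap
        self.margin = margin              # fail over this fraction before the cap
        self.used = 0                     # bytes consumed in the current month
        self.rate_bps = 0.0               # throughput over the last polling window
        self.prev = None

    def new_month(self) -> None:
        """Reset the tally at the billing boundary; the counter keeps running."""
        self.used = 0

    def observe(self, s: Sample) -> int:
        """Record a counter sample; returns the bytes attributed to this window."""
        if self.prev is None:
            self.prev = s
            return 0
        delta = s.rx_bytes - self.prev.rx_bytes
        if delta < 0:
            # Counter went backwards: either a 32-bit wrap (previous value was
            # in the upper half of the range) or the interface was reset to zero.
            if self.prev.rx_bytes > COUNTER_MAX // 2:
                delta += COUNTER_MAX
            else:
                delta = s.rx_bytes
        dt = s.t - self.prev.t
        self.rate_bps = delta * 8 / dt if dt > 0 else 0.0
        self.used += delta
        self.prev = s
        return delta

    def status(self) -> str:
        """'near-cap' once usage reaches the cap minus the safety margin;
        'throttled' when the last window ran at roughly the throttled rate
        (a saturated 64 kbit/s line measures close to 64 kbit/s, an idle
        line measures far below it, so the band is a usable heuristic);
        otherwise 'ok'."""
        if self.used >= self.cap * (1 - self.margin):
            return "near-cap"
        if 0.8 * self.throttle_bps <= self.rate_bps <= 1.5 * self.throttle_bps:
            return "throttled"
        return "ok"

    def should_failover(self) -> bool:
        """True when traffic should be steered to the backup (SDSL) line."""
        return self.status() != "ok"


if __name__ == "__main__":
    # Constructed samples: 10 MB in 10 s, then a jump to 24 GB for the month.
    wan = MeteredWan(25 * GB, throttle_bps=64_000)
    for smp in (Sample(0, 0), Sample(10, 12_500_000), Sample(20, 24_000_000_000)):
        wan.observe(smp)
        print(f"t={smp.t:>4}  used={wan.used / GB:6.2f} GB  "
              f"rate={wan.rate_bps / 1e6:8.3f} Mbit/s  {wan.status()}")
```

Polled from cron every few minutes, `should_failover()` is what would flip the default gateway (or a gateway-group weight) towards the SDSL line; the 5 % margin exists so the switch happens before the ISP's throttle, and `new_month()` is called at the billing boundary rather than at any counter reset, which is why the two are kept apart.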


