Re: [pfSense Support] DHCP question - OpenDNS or dnsmasq

2010-04-18 Thread Moshe Katz
Because OpenDNS does their filtering based on the source IP address, you
would have to have each LAN have its own outgoing IP(s) using Outbound NAT
rules.

You can turn off the pfSense DNS altogether and just set the server to
forward all requests it cannot resolve directly to OpenDNS.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


On Sun, Apr 18, 2010 at 1:24 PM, Tim Dressel  wrote:

> Hi folks,
>
> Someone else just asked a question that I responded to, but it actually
> triggered a question in my head and rather than hijack the thread I
> thought I'd start a new one.
>
> If you use OpenDNS to filter content, it works pretty seamlessly.
>
> Let's say that you have 4 LAN connections on different subnets, and a single
> WAN connection. How can you use pfSense DHCP to enable different DNS level
> filtering using OpenDNS? What I'm after is LAN1 to have no OpenDNS
> filtering, LAN2 to have filtering based upon one OpenDNS rule set, LAN3 to
> have different filtering from LAN 2, and LAN 4 to have different filtering
> again.
>
> I don't think this is possible with OpenDNS.
>
> Is this where dnsmasq comes into play? Then to complicate it a bit, I'd
> prefer to not use pfSense DHCP, but to use Windows AD integrated DNS, but
> use the pfsense server almost like a root hint or bypass server.
>
> Thanks in advance for your feedback...
>
> Tim
>
>


Re: [pfSense Support] DHCP question - OpenDNS or dnsmasq

2010-04-18 Thread Moshe Katz
On Sun, Apr 18, 2010 at 2:06 PM, Tim Dressel  wrote:

>> Because OpenDNS does their filtering based on the source IP address, you
>> would have to have each LAN have its own outgoing IP(s) using Outbound NAT
>> rules.
>>
>>
> I've never actually done outbound NAT. So let's say I've got multiple IP
> addresses bound as virtual IP's onto the physical WAN interface. I can
> create an outbound NAT rule that depending on the source subnet scope I can
> have the individual traffic appear to come out a particular virtual IP? Is
> that correct?
>
Yes.


> But if I'm using AD integrated DNS, would I just remove all root-hints and
> forwarders? So then anything AD DNS could not resolve would go to OpenDNS?
>
You would set AD-DNS to use forwarders 208.67.222.222 and 208.67.220.220 and
you would set your computers to use your server as their DNS server.
Anything that your server cannot resolve would be passed to OpenDNS. *Scratch
that.  See below.*

> But would the request still come from the client or from the internal AD
> DNS?
>
Do you mean "Would OpenDNS see it as coming from the client or from the
server?"  That's a good point and now that I think about it, I'm not sure.
What you are saying below about using four DNS servers would probably work
instead of using forwarders in AD-DNS. In that case, yes you would remove
the forwarders and root hints.


> I'm thinking I would have to setup DHCP to hand out three or four DNS
> servers then. My two internal DNS servers, and then the two OpenDNS servers
> at the bottom. Is anyone doing this, and what is timeout like? I.E. How long
> does it take for the internal DNS servers to respond that they can't find
> the internet resource, and for OpenDNS to respond in the tertiary
> and quaternary DNS slots.
>
I have never tested the timing for this method but since each computer
should be caching DNS results, it probably won't be such a big deal.  Best
thing to do is to try it.

> Doesn't this create a ton of DNS traffic traversing the firewall?
>
Why does it create any more DNS traffic than doing it any other way?

> Or am I missing something simple here?
>
There's nothing simple here. ;)

When I set up my pfSense with OpenDNS, 3 LANs, and 2 WANs, there was a lot
of trial and error and I had the luxury of a testing network completely
separate from my office network so I couldn't actually break anything.  I
tried a lot of things and I don't remember all of the things I tried.


Re: [pfSense Support] Large Aliases

2010-08-23 Thread Moshe Katz
You can export a configuration file to see the file structure, build a
configuration backup that has the aliases in it based on the sample, and
then restore your "backup".  That's what we did.

--
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- +1(301)867-3732



On Mon, Aug 23, 2010 at 11:04 AM, Joseph L. Casale <
jcas...@activenetwerx.com> wrote:

> Are there any undocumented tricks to creating large aliases other than
> by hand? I have some I need to create with maybe 100 or more small
> networks. Can I import the list at the cli somehow and have the gui
> acknowledge them?
>
> Thanks!
> jlc
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>
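
The export-edit-restore trick above works because aliases are plain elements in the backup XML. As an added example (not from the post and not pfSense's own code), the script below builds one such <alias> element from a list of networks and validates every line first, since a malformed entry is the kind of thing that only surfaces when the restored config is loaded. The element layout (name, type, address, descr, detail, with the networks space-separated inside <address>) is an assumption taken from what an exported backup showed at the time; compare it with your own export first, as the post advises, because that layout belongs to pfSense and may differ by version.

```sh
#!/bin/sh
# Added example, not from the list post and not part of pfSense: build the
# <alias> element for a pfSense configuration backup from a plain list of
# networks, validating every line first so a typo cannot end up inside the
# restored config.xml. ASSUMPTION: the element layout (name, type, address,
# descr, detail, networks space-separated inside <address>) matches what an
# exported backup shows; compare against your own export before restoring.

# is_cidr NET -> 0 if NET is a well-formed IPv4 network written as a.b.c.d/n
is_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/) return 1 ;;   # only digits, dots, one slash
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; pfx=${1#*/}
    case "$pfx" in *[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                                # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# xml_escape TEXT -> TEXT with the characters that break element content escaped
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# make_alias NAME DESCR < networks.txt
# Reads one network per line ('#' comments and blank lines ignored), prints the
# <alias> element on stdout, and fails on the first malformed line or on an
# alias name pfSense would reject (only letters, digits and underscore).
make_alias() {
    name=$1; descr=$2; addrs=''
    case "$name" in
        ''|*[!A-Za-z0-9_]*) printf 'make_alias: bad alias name: %s\n' "$name" >&2; return 1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if ! is_cidr "$line"; then
            printf 'make_alias: bad network: %s\n' "$line" >&2
            return 1
        fi
        addrs="${addrs:+$addrs }$line"
    done
    printf '<alias>\n'
    printf '  <name>%s</name>\n' "$(xml_escape "$name")"
    printf '  <type>network</type>\n'
    printf '  <address>%s</address>\n' "$addrs"
    printf '  <descr>%s</descr>\n' "$(xml_escape "$descr")"
    printf '  <detail/>\n'
    printf '</alias>\n'
}

# Usage on a real box:  make_alias blocked_nets 'Blocked networks' < nets.txt
# Paste the output into the <aliases> section of an exported backup and
# restore that file through Diagnostics > Backup/Restore.
```

The validation is deliberately strict (four decimal octets, prefix 0-32, nothing else on the line) because the restore path does not check the content for you; a stray character in <address> can leave the firewall without the alias, and therefore without the rules that reference it.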


Re: [pfSense Support] pfSense 1.2.3 - Squid + Active Directory

2010-08-30 Thread Moshe Katz
Try using a program like Apache Directory Studio to test your LDAP settings
manually and make sure they are correct.

--
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- kohenk...@gmail.com
-- +1(301)867-3732



On Mon, Aug 30, 2010 at 8:25 AM, Dominic  wrote:

> Hi,
>
> I am trying to set up pfSense to authenticate against a Windows 2003 AD
> machine and so far have been unsuccessful.
>
> I've currently configured the squid authentication as follows:
>
> LDAP Version 3
> Authentication Server: IP of the AD machine
> Authentication Port:Blank
> LDAP server user DN: cn=administrator,cn=Domain Users,dc=domain,dc=net
> LDAP password: Password for administrator account
> LDAP base domain:dc=domain,dc=net
> LDAP search filter:  sAMAccountName=%
>
> All I get when trying to browse is the popup prompting for username and
> password, but this fails. I've tried using domain.net\username and just
> username in the field, but it just prompts again for the user/pass.
>
> Can anyone advise as to whether I may have gone wrong or where I could
> find a log file that shows the errors encountered?
>
> Thank you,
>
> Dominic.
>


[pfSense Support] Logging In to SquidGuard

2010-10-10 Thread Moshe Katz
Hello,

I am setting up a content filter on my pfSense box to replace individual
instances of BlueCoat K9 that ran on each computer.  I want to do one of the
following things:

   - On the SG blocked page, allow a user to log in and (temporarily or
   permanently) allow the site.
   - Require all users to log in to the Captive Portal and use the Username
   from there in the SquidGuard ACLs.

The reason I need to do this is that each computer has a single Windows
account that is never logged off so I can't have SG check the username.

Has anyone done either of these things who can provide some tips?

Thanks,
Moshe Katz


--
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense Support] Squid, squidGaurd and Captive Portal questions

2010-11-01 Thread Moshe Katz
I have been running Squid and SquidGuard on pfSense 2.0 Beta4 for the past
three weeks with no trouble.  I installed from the package manager with no
problems.

Moshe

--
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- +1(301)867-3732



On Mon, Nov 1, 2010 at 7:05 AM, James Bensley  wrote:

> Hi List Peoples :)
>
> I'm wondering if someone can give me some pointers about getting Squid
> and squidGuard up and running on pfSense 2.0? I tried to install it
> once from the package manager and it killed pfSense ;) (I have pfSense
> as a VM and upon boot up it would display the following error [0] and
> hang indefinitely but as I have a VM I just restored a previous image
> rather than spending hours trying to fix it) So has anyone
> successfully installed Squid on 2.0 BETA 4 and documented this
> process? (as I understand it obviously pfSense is still in beta but
> also the Squid package isn't finished yet either?)
>
> Also I would like to set up captive portal as it were but a Squid &
> squidGuard captive portal, i.e. the CP features on pfSense seem to be
> for granting users tickets and what not, how can I have all users HTTP
> traffic passed through Squid & squidGuard without having to set up the
> clients i.e. use Squid and squidGuard as a CP? (Like a transparent
> proxy)
>
>
> [0]:
> ..
> Configuring VLAN interfaces... done
> Configuring QinQ interfaces... done
> Configuring WLAN interfaces... done
> Configuring LAN interfaces... done
> Syncing OpenVPN Settings... done
> Starting Syslog... done
> Configuring firewall...
> Warning: require_once(squid.inc): failed to open stream: No such file
> or directory in /usr/local/pkg/squid_configurator.inc on line 51
>
> Fatal error: require_once(): Failed opening required 'squid.inc'
>
> (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg')
> in /usr/local/pkg/squidguard_configurator.inc on line 51
> Starting CRON... done
> Syncing packages: squid Removing package...
> Removing package...
> Removing package...
> Removing squid components...
>
> (It just hangs here forever more)
>
> --
> Regards,
> James.
>
> http://www.jamesbensley.co.cc/
>
> There are 10 kinds of people in the world; Those who understand
> Vigesimal, and J others...?
>


Re: [pfSense Support] DynDNS's CheckIP is showing my private IP!

2010-11-07 Thread Moshe Katz
Lyle,

The original poster is correct that pfSense is publishing that data if/when
squid is used.  Squid can add headers that contain the private IP of the
computer that originated the request.  In the pfSense Squid package, the
setting to send these headers is set ON by default.

I had the same issue with one of my locations, where the site owner wanted a
SquidGuard filter set up.  It was a slightly complicated setup and I did a
lot of testing using web sites that I run and then saw a lot of private IP
addresses in my site access logs.

As I understand it, this feature of Squid is used primarily when Squid is
set up as a reverse cache (i.e. in front of a web server).  In that case,
the web server sees all traffic coming from the proxy's IP address and uses
the additional header(s) to find out where the traffic really came from so
it can apply access rules and do logging with the actual source IP.

Moshe

--
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- +1(301)867-3732



On Sun, Nov 7, 2010 at 8:33 PM, Lyle Giese  wrote:

> slamp slamp wrote:
> > http://checkip.dyndns.org/
> >
> > how is this possible? i am behind a standard install of pfSense
> > 1.2.3-RELEASE which means i am NAT'd. how is pfsense publishing my
> > private IP?
> >
> What makes you think pfSense is publishing that data?  I have seen a
> JavaScript trick to get the end computer to report its IP address (which
> can be behind a NAT and can be a private IP address, like 192.168.x.x).
>
> When I check that url, it displays my public ip address that's on the
> WAN side of pfSense here.  But since I am connecting to their webserver
> via a TCP connection on port 80, they should know the public ip address
> I am connecting from.  It's part of how TCP/IP works.
>
> Lyle Giese
> LCR Computer Services, Inc.
>
>
>
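
The leak described in the reply above is visible on the receiving side, not on the firewall: the upstream web server gets an X-Forwarded-For (and Via) header that the proxy added. As an added example, not from the thread and not part of the pfSense Squid package, the script below is the check a server operator would run over a captured request to confirm it, with a constructed sample request standing in for a real capture, and the squid.conf directives that stop it in the comments.

```sh
#!/bin/sh
# Added example, not from the thread and not part of the pfSense Squid package:
# detection logic for the leak described above. Given an HTTP request as the
# upstream web server receives it (for instance from "tcpdump -A" on the
# server, or a request dump from its access log), report any proxy header that
# carries an RFC 1918 address. The sample request below is constructed.

# is_private_ipv4 ADDR -> 0 if ADDR is in 10/8, 172.16/12 or 192.168/16
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            case "$second" in ''|*[!0-9]*) return 1 ;; esac
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
            ;;
    esac
    return 1
}

# leaked_private_ips < request.txt
# Prints "Header: address" for every private address found in the headers a
# forward proxy adds (X-Forwarded-For, Forwarded, Via, X-Real-IP); returns 1
# when at least one was found, so the function can drive a check in a script.
leaked_private_ips() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -n "$line" ] || break                  # blank line ends the headers
        case "$line" in
            [Xx]-[Ff]orwarded-[Ff]or:*|[Ff]orwarded:*|[Vv]ia:*|[Xx]-[Rr]eal-[Ii][Pp]:*) ;;
            *) continue ;;
        esac
        header=${line%%:*}
        for addr in $(printf '%s' "${line#*:}" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' || true); do
            if is_private_ipv4 "$addr"; then
                printf '%s: %s\n' "$header" "$addr"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample: what a site like checkip.dyndns.org would receive from a
# browser behind the pfSense Squid package with its default header settings.
sample_request() {
    printf 'GET / HTTP/1.1\r\n'
    printf 'Host: checkip.dyndns.org\r\n'
    printf 'User-Agent: Mozilla/5.0\r\n'
    printf 'X-Forwarded-For: 192.168.1.37\r\n'
    printf 'Via: 1.1 pfsense.example.lan (squid/2.7.STABLE9)\r\n'
    printf '\r\n'
}

# The fix is in squid.conf (the pfSense package exposes both as checkboxes):
#   forwarded_for off    # Squid 2.7: sends "unknown" instead of the client address
#   via off              # stop naming the proxy host and version in Via
# Squid 3.1 and later also accept "forwarded_for delete" (drop the header
# entirely) and "forwarded_for transparent" (pass through only what the client
# sent). After the change, capture a request on a server you control and run
# "leaked_private_ips < request.txt"; it should print nothing and exit 0.
```

Note that "forwarded_for off" on the Squid 2.7 of that era does not remove the header, it replaces the address with the word "unknown", which still tells the remote site that a proxy is in the path; only the 3.1+ "delete" setting removes it.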


Re: [pfSense Support] Swap

2010-11-10 Thread Moshe Katz
Did you try creating a new rc.conf file and seeing if it reads it?

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Wed, Nov 10, 2010 at 6:30 AM, James Bensley  wrote:

> Hey Listee's
>
> I am trying to add a swap drive to my pfSense box but I'm failing to
> keep it after a reboot.
>
> I zero out a spare 512MB partition with dd and chmod'd it as per this
> FreeBSD doc [0] but then I get stuck. /etc/rc.conf doesn't exist?
> I can execute 'swapon /dev/ad1s1' and then under swapinfo my new swap
> drive appears, also in the web interface it shows on the front page.
> As soon as I reboot it is no longer there and I have to execute
> 'swapon' again.
>
> So how do I complete this process under pfSense?
>
>
> [0] http://www.freebsd.org/doc/handbook/adding-swap-space.html
>
> --
> Regards,
> James.
>
> http://www.jamesbensley.co.cc/
>
> There are 10 kinds of people in the world; Those who understand
> Vigesimal, and J others...?
>


Re: [pfSense Support] Swap

2010-11-10 Thread Moshe Katz
Oh. In /etc/rc (around line 310), it deletes /etc/rc.conf.

I'd be interested to know why if any of the developers is reading this...

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Wed, Nov 10, 2010 at 11:16 AM, James Bensley  wrote:

> On 10 November 2010 16:13, Moshe Katz  wrote:
> > Did you try creating a new rc.conf file and seeing if it reads it?
> > Moshe
>
>
> After a restart it was gone :(
>
> --
> Regards,
> James.
>
> http://www.jamesbensley.co.cc/
>
> There are 10 kinds of people in the world; Those who understand
> Vigesimal, and J others...?
>
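
Since the finding above is that /etc/rc.conf does not survive a boot, the place that does is /etc/fstab, which is where pfSense's own installer records the swap partition it creates and which the FreeBSD handbook page the poster cites documents. As an added example (not from the thread), the script below adds the entry idempotently and refuses a device name that is not a node under /dev. It assumes a full install where /etc/fstab is persistent (not the embedded images) and that the partition holds nothing worth keeping, because swapon writes over it.

```sh
#!/bin/sh
# Added example, not from the thread: make a swap partition on a pfSense box
# survive reboots through /etc/fstab rather than /etc/rc.conf, since the
# thread found that pfSense's /etc/rc removes rc.conf at boot.
# ASSUMPTIONS: a full (non-embedded) install where /etc/fstab is persistent,
# and a partition (the poster's /dev/ad1s1) that holds nothing you want to
# keep, because swapon writes over it.

# fstab_swap_line DEV -> the handbook-style fstab entry for DEV as swap
fstab_swap_line() {
    printf '%s\tnone\tswap\tsw\t0\t0\n' "$1"
}

# add_swap_to_fstab DEV [FSTAB]
# Appends a swap entry for DEV to FSTAB (default /etc/fstab) unless an entry
# for that device is already present; refuses anything outside /dev.
add_swap_to_fstab() {
    dev=$1; fstab=${2:-/etc/fstab}
    case "$dev" in
        /dev/[a-z]*) ;;
        *) printf 'add_swap_to_fstab: not a device node: %s\n' "$dev" >&2; return 2 ;;
    esac
    [ -f "$fstab" ] || { printf 'add_swap_to_fstab: no such file: %s\n' "$fstab" >&2; return 2; }
    if awk -v d="$dev" '$1 == d && $3 == "swap" { found = 1 } END { exit !found }' "$fstab"; then
        return 0                       # already there, nothing to do
    fi
    fstab_swap_line "$dev" >> "$fstab"
}

# enable_swap_now DEV -> activate immediately. The fstab line covers reboots
# provided startup runs "swapon -a" for everything in fstab; check that the
# /etc/rc of your pfSense release does so before relying on it.
enable_swap_now() {
    swapon "$1" && swapinfo
}
```

Run "add_swap_to_fstab /dev/ad1s1" once as root, then "enable_swap_now /dev/ad1s1"; the second command is what the poster was already doing by hand, the first is what makes it stick.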


Re: [pfSense Support] IPMI under pfSense 2.0?

2010-11-10 Thread Moshe Katz
You can try using pkg_add to install one of these:
http://www.freebsd.org/cgi/ports.cgi?query=ipmi&stype=all&sektion=sysutils

Moshe
------
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Wed, Nov 10, 2010 at 7:21 PM, athom...@athompso.net <
athom...@athompso.net> wrote:

>
> Is there any way to connect to onboard BMCs through IPMI under pfSense
> 2.0? I've got a Dell PowerEdge 1650 with an intermittently failing fan (I
> think), and I'd like to confirm which fan it is (or even that the problem
> is, in fact, a fan) before I take it down and crack it open. I don't have a
> redundant firewall sitting there to pick up the slack so downtime is bad...
>
>
> I believe several IPMI packages have been ported to FreeBSD, but I don't
> see any trace of any of them at the command-line.
>
> Suggestions?
>
> Thanks,
> -Adam
>
>


Re: [pfSense Support] Squid port redirection on DMZ

2010-11-25 Thread Moshe Katz
You should be able to do it using "Port Forwarding" in the NAT settings.
Just set up a rule in there to redirect LAN traffic on port 80 to the
desired location.

Attached is a picture of my settings.  I am using non-transparent proxying
so mine is set up that all traffic to port 80 that is not to the pfsense
itself will go to a page that explains how to change your proxy settings.

Moshe

------
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Thu, Nov 25, 2010 at 3:53 PM, Jigar SOLANKI  wrote:

> Hi,
> Thanx for the reply.
> Actually, i already have an OpenBSD running in the dmz network (squid is
> already on this server).
> I dont want to install the squid package on my pfsense firewall because
> it's my network entry point, so it is dedicated only to TCP/IP Level 3/4
> firewalling, it sees packets and tells yes or no, that's all.
>
> I have a dedicated captive portal, a dedicated wireless access point, dns
> servers etc... no *other* servers...so i'd rather keep the squid the way it
> is now.
>
> Well, if there is no way to do what I'm asking, I'll do it by writing the
> corresponding pf rules by hand in pf.conf on the pfsense firewall :-).
>
>
> Le 25 nov. 2010 à 20:33, Curtis LaMasters a écrit :
>
> I would install the squid package on pfsense and tell it to forward to an
> upstream proxy.
>
> Curtis LaMasters
> On Nov 25, 2010 7:08 AM, "Jigar SOLANKI"  wrote:
> > Hi list,
> >
> > The subject speaks by itself : I have a bunch of servers within a dmz
> > network and a lan.
> > I would like to redirect the port 80 (outgoing http connections) on lan
> > to 3128 (squid transparent) on dmz.
> > I'd like to do that without manually modifying the pf.conf. Is there a
> > way to do such a thing in the GUI ? (pfsense stable 1.2.3-RELEASE)
> >
> > Thanx, may the Lord of All Networks be with you ^_^
> >
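
Both this thread and the OpenDNS thread earlier on this page come down to a pf translation rule that the GUI writes for you. As an added example, not from either thread and not pfSense's own rule generator, the script below emits those rules as text so the design can be reviewed before it is clicked through: the per-LAN outbound NAT to distinct WAN virtual IPs (OpenDNS thread) and the LAN port-80 redirect into a DMZ Squid (this thread). Interface names, addresses and the proxy port are illustrative assumptions. pfSense rebuilds its ruleset from the config on every reload and overwrites a hand-edited pf.conf, so the output is for checking intent, not for loading directly.

```sh
#!/bin/sh
# Added example, not from either thread and not pfSense's own generator: emit
# as text the pf rules that two GUI settings on this page stand for. Interface
# names, addresses and the proxy port are illustrative assumptions.

# outbound_nat_rules WAN_IF SUBNET=VIP [SUBNET=VIP ...]
# One "nat" rule per LAN subnet. Refuses to continue if two subnets would share
# a VIP: OpenDNS keys its policy on the source address, so both LANs would get
# the same filtering. This only separates the LANs if the clients query OpenDNS
# directly; if every LAN uses one internal forwarder (the AD DNS server in the
# thread), OpenDNS sees that server's NAT address for all of them.
outbound_nat_rules() {
    wan=$1; shift
    seen=''
    for pair in "$@"; do
        case "$pair" in
            */*=*) ;;
            *) printf 'outbound_nat_rules: expected SUBNET=VIP, got %s\n' "$pair" >&2; return 1 ;;
        esac
        net=${pair%%=*}; vip=${pair#*=}
        case " $seen " in
            *" $vip "*) printf 'outbound_nat_rules: VIP %s used twice\n' "$vip" >&2; return 1 ;;
        esac
        seen="$seen $vip"
        printf 'nat on %s from %s to any -> %s\n' "$wan" "$net" "$vip"
    done
}

# squid_rdr_rules LAN_IF LAN_NET PROXY_IP PROXY_PORT
# The port forward from the thread, with two "no rdr" exceptions in front of
# it: traffic to the firewall's own LAN address (where the reply above serves
# its proxy-instructions page) and traffic to the proxy itself, which would
# otherwise be redirected back at itself. The final pass rule admits the
# redirected flows; the proxy should in turn accept PROXY_PORT only from the
# firewall, or the DMZ box becomes an open proxy for anything that reaches it.
squid_rdr_rules() {
    lan=$1; net=$2; proxy=$3; port=$4
    printf 'no rdr on %s proto tcp from %s to (%s) port 80\n' "$lan" "$net" "$lan"
    printf 'no rdr on %s proto tcp from %s to %s port 80\n' "$lan" "$net" "$proxy"
    printf 'rdr on %s proto tcp from %s to any port 80 -> %s port %s\n' "$lan" "$net" "$proxy" "$port"
    printf 'pass in quick on %s proto tcp from %s to %s port %s\n' "$lan" "$net" "$proxy" "$port"
}

# To see which address OpenDNS really observes, run this from a host in each
# LAN (OpenDNS's resolvers answer myip.opendns.com with the querier's address):
#   dig +short myip.opendns.com @resolver1.opendns.com
```

Example: "outbound_nat_rules em0 192.168.1.0/24=203.0.113.11 192.168.2.0/24=203.0.113.12" prints one nat rule per LAN; "squid_rdr_rules em1 192.168.1.0/24 10.0.1.5 3128" prints the redirect with its two exceptions and the pass rule. The dig check is the one that settles the question left open in the OpenDNS thread about whether OpenDNS sees the client or the forwarder.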

Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-15 Thread Moshe Katz
And the other side of the coin:
http://bsd.slashdot.org/story/10/12/15/1524202/BSD-Coder-Denies-Adding-FBI-Backdoor

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Wed, Dec 15, 2010 at 10:50 AM, LM  wrote:

> I am not sure if PFSense is using code from OpenBSD IPSec but since it this
> an IPSec thread this could be interesting too:
>
> "Allegations regarding OpenBSD IPSEC"
> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
>
> Basically it is talking about backdoors in the IPSEC OpenBSD code.
> At least it is interesting .
> Not my goal to discuss if it is real or just a rumour here.
> I am not an IPSec developer at all.
>
>
> El 13/12/10 23:29, Jeppe Øland escribió:
>
>  On Mon, Dec 13, 2010 at 1:37 PM, st41ker  wrote:
>>
>>> On 13.12.2010 9:14, drova...@kaluga-gov.ru wrote:
>>>
>>>> Please prompt the certificated decisions! To regrets ipsec WHILE, does
>>>> not
>>>> use (ГОСТ 28147-89), (ГОСТ Р 34.11-94)  enciphering, but we hope it will
>>>> be
>>>> soon included in ipsec!
>>>>
>>>> Now ipsec does not work!
>>>>
>>>> As the certification theme, a question is lifted: When Pfsense, ipsec it
>>>> will be compiled with support of these cripto algorithms?
>>>>
>>> I'm not sure what you've tried to say.
>>>
>> Maybe he is asking if pfSense has any plans for including the GOST
>> ciphers in its IPSEC implementation?
>> http://en.wikipedia.org/wiki/GOST_%28block_cipher%29
>> http://en.wikipedia.org/wiki/GOST_%28hash_function%29
>>
>> Regards,
>> -Jeppe
>>


[pfSense Support] console menu closes when enter pressed

2010-12-15 Thread Moshe Katz
I noticed that if I just hit enter on the pfSense console without typing an
option first, it exits the console.  If I am on ssh, it closes the
connection and if I am on the local terminal, where I have it set to prompt
for a password, it asks the password again.

Since option 0 can be used to do the same thing and there are times that I
would like to refresh the console (to re-display the connection status at
the top), I am wondering why it is set up to exit if no input is given?
One of my development boxes gets a new IP address regularly and I like to
refresh the console to see when the address has been successfully acquired.
The way it is now, I have to log in again and again or go into another
option, such as the shell, and then out of it again.

I know where to modify this myself in /etc/rc.initial but before I do so, I
am curious as to the reason it works this way.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense Support] console menu closes when enter pressed

2010-12-15 Thread Moshe Katz
I added the following two lines at line 83 of /etc/rc.initial:

"'")
;;

Now, it should refresh if I press apostrophe, then Enter.  I chose that
key because it is next to the enter key so I can press them both at once.
I also changed ${opmode} on line 82 to have quotes around it (although I
don't know if this is required to make it work or not).

What I don't like about the 15 option is that it displays the banner twice
in a row and to me it just looks messy.

Moshe

------
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Wed, Dec 15, 2010 at 1:46 PM, Steven Sherwood  wrote:

> I noticed this recently too, and I could have sworn that hitting enter used
> to make a screen refresh, but I when I log back into a couple of different
> 1.2 and 1.2.3 boxes which are still in operation, I see the same result.  In
> other words, this isn't a new 2.0 behavior unless something changed with my
> SSH client of choice, Putty.
>
> I would like to see a screen refresh for hitting enter as well.
>
> -Original Message-
> From: Jim Pingle [mailto:li...@pingle.org]
> Sent: Wednesday, December 15, 2010 1:08 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] console menu closes when enter pressed
>
> On 12/15/2010 12:27 PM, Moshe Katz wrote:
> > I noticed that if I just hit enter on the pfSense console without typing
> > an option first, it exits the console.  If I am on ssh, it closes the
> > connection and if I am on the local terminal, where I have it set to
> > prompt for a password, it asks the password again.
> >
> > Since option 0 can be used to do the same thing and there are times that
> > I would like to refresh the console (to re-display the connection status
> > at the top), I am wondering why it is set up to exit if no input is
> given?
> > One of my development boxes gets a new IP address regularly and I like
> > to refresh the console to see when the address has been successfully
> > acquired.  The way it is now, I have to log in again and again or go
> > into another option, such as the shell, and then out of it again.
> >
> > I know where to modify this myself in /etc/rc.initial but before I do
> > so, I am curious as to the reason it works this way.
>
> I don't recall the specifics on why it was done that way, but you could
> use hidden menu option 15 to redisplay the banner section of the console
> menu. (Not sure why that's hidden, except perhaps to save space on the
> menu.)
>
> That, or hit 8 to drop to a shell and then exit (or ctrl-d) to go back
> to the menu.
>
> Jim
>
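
The two-line patch above hooks a new pattern into the menu's case statement. As an added example (this is not pfSense's /etc/rc.initial), here is a small console menu loop in the same sh "case" style, arranged so that an empty line or the apostrophe redraws the menu instead of ending the session, with the dispatch decision in a separate function so it can be tested without a terminal. The option numbers follow the ones the thread mentions (0 logout, 8 shell, 15 redraw the banner); everything else is illustrative.

```sh
#!/bin/sh
# Added example; not pfSense's /etc/rc.initial but a small console menu loop
# in the same sh "case" style. Option numbers follow the thread (0 logout,
# 8 shell, 15 redraw banner); everything else is illustrative.

# menu_action INPUT -> one word: refresh, logout, shell, banner or unknown
menu_action() {
    # Keep the word quoted, as the post did with ${opmode}; it changes nothing
    # for an empty string in POSIX sh but makes the empty-input case explicit.
    case "$1" in
        ''|"'") printf 'refresh\n' ;;
        0)      printf 'logout\n' ;;
        8)      printf 'shell\n' ;;
        15)     printf 'banner\n' ;;
        *)      printf 'unknown\n' ;;
    esac
}

# draw_banner -> what a refresh shows again: the current addresses, which is
# what the post wanted to watch while an interface re-acquires one.
draw_banner() {
    printf '\n*** Console menu (illustrative) ***\n Interfaces:\n'
    ifconfig 2>/dev/null | awk '/^[a-z]/ { ifc = $1 } /inet / { print "   " ifc " " $2 }'
    printf '\n'
}

draw_menu() {
    printf ' 0) Logout        8) Shell (root; keep the console password-protected)\n'
    printf "15) Redraw banner  (an empty line or ' also redraws)\n"
    printf 'Enter an option: '
}

# console_loop -> runs until logout or end of input. Option 8 hands out a root
# shell, which is why the console menu can be set to ask for a password and
# why an unattended serial or VGA console should not be left at this prompt.
console_loop() {
    while :; do
        draw_banner
        draw_menu
        IFS= read -r opmode || return 0            # EOF (ctrl-d) ends cleanly
        case "$(menu_action "$opmode")" in
            refresh) continue ;;
            logout)  return 0 ;;
            shell)   /bin/sh ;;
            banner)  draw_banner ;;
            *)       printf 'Invalid option: %s\n' "$opmode" ;;
        esac
    done
}

# Run interactively with:  sh this_script.sh run
if [ "${1:-}" = run ]; then
    console_loop
fi
```

The difference from the patch in the post is only that the empty-input case is named in the same place as the apostrophe, so a bare Enter behaves the same way and there is no need to hit two keys.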


Re: [pfSense Support] console menu closes when enter pressed

2010-12-16 Thread Moshe Katz
I have been looking at doing that.  I will share what I did if and when I
put something together.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Thu, Dec 16, 2010 at 9:16 AM, Steven Sherwood  wrote:

> That’s great – thanks for the howto.
>
>
>
> I’m wondering if the console could alternatively auto-refresh itself (ie.
> on a timer rather than a keypress)?
>
>
>
> From: kohenk...@gmail.com [mailto:kohenk...@gmail.com] On Behalf Of Moshe
> Katz
> Sent: Wednesday, December 15, 2010 6:16 PM
>
> To: support@pfsense.com
> Subject: Re: [pfSense Support] console menu closes when enter pressed
>
>
> I added the following two lines at line 83 of /etc/rc.initial
>
> "'")
> ;;
>
> Now, it should refresh if I press apostrophe, then Enter.  I chose that
> key because it is next to the enter key so I can press them both at once.
>
> I also changed ${opmode} on line 82 to have quotes around it (although I
> don't know if this is required to make it work or not).
>
>
>
> What I don't like about the 15 option is that it displays the banner twice
> in a row and to me it just looks messy.
>
>
>
> Moshe
>
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
>
>
> On Wed, Dec 15, 2010 at 1:46 PM, Steven Sherwood  wrote:
>
> I noticed this recently too, and I could have sworn that hitting enter used
> to make a screen refresh, but I when I log back into a couple of different
> 1.2 and 1.2.3 boxes which are still in operation, I see the same result.  In
> other words, this isn't a new 2.0 behavior unless something changed with my
> SSH client of choice, Putty.
>
> I would like to see a screen refresh for hitting enter as well.
>
>
> -Original Message-
> From: Jim Pingle [mailto:li...@pingle.org]
> Sent: Wednesday, December 15, 2010 1:08 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] console menu closes when enter pressed
>
> On 12/15/2010 12:27 PM, Moshe Katz wrote:
> > I noticed that if I just hit enter on the pfSense console without typing
> > an option first, it exits the console.  If I am on ssh, it closes the
> > connection and if I am on the local terminal, where I have it set to
> > prompt for a password, it asks the password again.
> >
> > Since option 0 can be used to do the same thing and there are times that
> > I would like to refresh the console (to re-display the connection status
> > at the top), I am wondering why it is set up to exit if no input is
> given?
> > One of my development boxes gets a new IP address regularly and I like
> > to refresh the console to see when the address has been successfully
> > acquired.  The way it is now, I have to log in again and again or go
> > into another option, such as the shell, and then out of it again.
> >
> > I know where to modify this myself in /etc/rc.initial but before I do
> > so, I am curious as to the reason it works this way.
>
> I don't recall the specifics on why it was done that way, but you could
> use hidden menu option 15 to redisplay the banner section of the console
> menu. (Not sure why that's hidden, except perhaps to save space on the
> menu.)
>
> That, or hit 8 to drop to a shell and then exit (or ctrl-d) to go back
> to the menu.
>
> Jim
>


Re: [pfSense Support] Restrict a web site access by remote IP address block, gain access by VPN into that block?

2011-02-08 Thread Moshe Katz
We have experimented with a kind of "reverse captive portal" where
logging in to another web site (temporarily) adds your IP to the list
in pfSense.  Maybe you could try something like that.

Moshe

On Tuesday, February 8, 2011, Chuck Mariotti  wrote:
>
> I’m not sure how best to describe this situation without it getting wordy.
>
> We have a number of servers behind a pfSense firewall at a datacenter. One of
> the servers is a web site that needs to be accessible only by computers on
> our client’s network (also behind pfSense elsewhere)… This solution has been
> implemented and working based on IP address restrictions.
>
> Now the client wants to allow a few people access to the web site while at
> home. Unfortunately, password protecting it is not an option. VPN access
> seems to be the only option, but I’m wondering what the best approach would
> be.
>
> We do not want to allow VPN access into the datacenter network and
> administratively this would be a hassle. Instead, we would like to force
> these home users onto the client network, using the client’s gateway,
> resulting in an allowable IP address to the restricted web site. This is
> simple to implement, but creates a lot of additional traffic if we leave
> them using the default gateway.
>
> Unfortunately, the client network is using a wireless connection that pays
> by the gigabyte. This will be an issue when a home user forgets to stop
> downloading music, movies, etc…  We also would prefer not to install a new
> VPN client (like OpenVPN, even though it looks like the best solution).
>
> I was thinking a simple PPTP connection (not sure if this would work
> really), turning off the default gateway on the client end… Then, using
> pfSense on the client network, make a rule that would map an internal IP
> address (10.10.10.100) to the web site’s public IP address… Then, make a
> public DNS entry mapped to the internal IP address and instruct the users to
> use this new DNS entry when remotely accessing this restricted site.  Would
> this work?
>
>
> I guess my other question is, what is the best way to get this to work?
>
> Regards,
> Chuck

-- 
--
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- kohenk...@gmail.com
-- mk...@zment.com
-- mmk...@umd.edu
-- kohenk...@aim.com
-- moshek...@verizon.net
-- kohenk...@inbox.com
-- kohenk...@protonic.com
-- +1(301)867-3732
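
The "reverse captive portal" in the reply above needs two halves: a web login, and something on the firewall that turns a successful login into a temporary allow for that address. As an added example (not the code the reply refers to), the script below is the firewall half, built on a pf table: the web application calls "grant" with the user's public address, a filter rule that references the table admits that address to the restricted site, and a periodic "sweep" ages entries out so a grant does not stay open for whoever gets that address next. It assumes a rule of the form "pass in on $wan proto tcp from <webauth> to $webserver port { 80, 443 }" is already loaded, and that the script runs on the firewall with pfctl rights, for instance as the forced command of a restricted SSH key. One caveat from pfSense itself: aliases are loaded as pf tables of the same name, but a filter reload rebuilds them from the saved config and drops anything added by hand (check this on your release), so a table that pfSense does not manage, or re-adding grants after each reload, is needed.

```sh
#!/bin/sh
# Added example, not the code behind the "reverse captive portal" in the
# reply: the pfSense-side half of such a scheme, using a pf table named
# <webauth>. ASSUMPTION: a filter rule referencing <webauth> is loaded, and
# this runs on the firewall with pfctl rights (e.g. via a forced SSH command).

PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=${TABLE:-webauth}

# is_ipv4 ADDR -> 0 for a plain dotted quad. The table only ever gets single
# host addresses, and this runs before anything reaches the pfctl command
# line, so a value like "1.2.3.4 -F all" arriving from a web form is refused.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# grant ADDR -> add ADDR to the table (pf ignores an address already present)
grant() {
    is_ipv4 "$1" || { printf 'grant: not an IPv4 address: %s\n' "$1" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# revoke ADDR -> remove ADDR immediately (explicit logout)
revoke() {
    is_ipv4 "$1" || { printf 'revoke: not an IPv4 address: %s\n' "$1" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# sweep SECONDS -> drop entries added more than SECONDS ago (pfctl's expire
# uses the time an entry was added if its counters were never cleared). Run
# it from cron so an address granted an hour ago, and perhaps reassigned to
# someone else since, is gone again.
sweep() {
    case "$1" in ''|*[!0-9]*) printf 'sweep: bad age: %s\n' "$1" >&2; return 2 ;; esac
    "$PFCTL" -t "$TABLE" -T expire "$1"
}

# Command-line front end, e.g. as the forced command of a restricted SSH key:
#   sh webauth.sh grant 203.0.113.7
case "${1:-}" in
    grant|revoke|sweep) "$1" "${2:-}" ;;
esac
```

The source-address check has the same weakness the thread is wrestling with: it admits every host behind the same NAT as the user who logged in, which is why the expiry matters and why the grant should be as short as the application can tolerate.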



Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Moshe Katz
Is your ISP Verizon?  We have had many ARP issues with Verizon FIOS.  For
our pfSense box to get all of our IPs, we have to manually set each of the
IPs as the WAN IP (one by one), then set up the Virtual IP settings after we
do that.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Thu, Feb 10, 2011 at 7:19 PM, Vaughn L. Reid III <
vaughn_reid_...@elitemail.org> wrote:

>
>
> On 2/10/2011 12:57 PM, Evgeny Yurchenko wrote:
>
>> On 11-02-10 11:07 AM, Vaughn L. Reid III wrote:
>>
>>>
>>>
>>> On 2/10/2011 10:42 AM, Vaughn L. Reid III wrote:
>>>
>>>>
>>>>
>>>> On 2/10/2011 9:32 AM, Vaughn L. Reid III wrote:
>>>>
>>>>> On 2/10/2011 2:43 AM, Seth Mos wrote:
>>>>>
>>>>>> Op 10-2-2011 4:18, Vaughn L. Reid III schreef:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>  1. All the Master and backup status notifications in the web
>>>>>>> interface
>>>>>>> on both PFSense boxes show the correct status
>>>>>>> 2. I'll do a packet capture tomorrow and see if the carp-heartbeat
>>>>>>> shows up
>>>>>>>
>>>>>>> I was unaware that any Carp related traffic passed between any of the
>>>>>>> interfaces except the one designated as the synchronization
>>>>>>> interface. I
>>>>>>> need to double-check the multi-cast configuration on the switch
>>>>>>> tomorrow
>>>>>>> also ( I think I have multi-cast enabled on the switch, but need to
>>>>>>> confirm that).
>>>>>>>
>>>>>>
>>>>>> Yes, some switches support multicast filtering, I know from experience
>>>>>> with HP switches that it works with the setting on. So I know they have
>>>>>> it implemented correctly. This way not all switch ports get the carp
>>>>>> traffic unless they participate in the multicast group. This cuts down
>>>>>> on broadcast a lot.
>>>>>>
>>>>>> I recommend the HP switches; they have never given me any grief as
>>>>>> long as I've worked with them. I even have a CARP cluster spanning 2
>>>>>> buildings across the street over a fiber connection. It just works.
>>>>>>
>>>>>> If you need a managed switch on a budget I can confirm that the HP
>>>>>> Procurve 1810-8G works well. It's web managed, supports vlans and basic
>>>>>> traffic counters. It is also fanless.
>>>>>>
>>>>>> The smallest I have in use on a CARP cluster is a ProCurve 2650 in
>>>>>> combination with a 2900-48G. The biggest I have is a 8212zl. Do note that
>>>>>> the software in the 1810 differs a lot from the other managed switches.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Seth
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> I've run a packet capture and here are the results:
>>>>>
>>>>> 1.  Capture shows a bunch of VRRP announcements from the primary
>>>>> firewall to destination 224.0.0.18.  The destination confirms this is a
>>>>> multicast address I believe.  According to Wikipedia, VRRP and CARP share
>>>>> the same protocol number.  So, I believe that these are CARP 
>>>>> announcements.
>>>>>
>>>>> 2.  All the VRRP requests had a vrrp.prio value of 0 with a description
>>>>> of "Priority: 0 (Current Master has stopped participating in VRRP)"
>>>>>
>>>>> 3.  Over a 114 second capture, there were no VRRP announcements from
>>>>> the secondary firewall.
>>>>>
>>>>> 4.  There were lots of ARP broadcast requests from the secondary
>>>>> firewall asking for who has the IP of the default gateway.  There were 0 
>>>>> ARP
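An added example, not part of this thread, that decodes what Vaughn's capture shows. CARP and VRRP both use IP protocol 112 and both multicast to 224.0.0.18, and the first bytes of a CARP advertisement line up with a VRRPv2 header, so a VRRP dissector reports the CARP advskew byte as "Priority" (a master with advskew 0 therefore shows as "Priority: 0"). CARP backups only listen, so seeing no advertisements from the secondary is the normal picture. The packet below is constructed inline (192.0.2.x source, zeroed HMAC digest, arbitrary counter); only the checksums are real, and the HMAC is not verified.

```python
import socket
import struct

# Constants shared by VRRP and CARP (both ride on IP protocol 112 to 224.0.0.18).
VRRP_CARP_PROTO = 112
VRRP_CARP_GROUP = "224.0.0.18"
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
CARP_AUTHLEN_WORDS = 7  # counter (8 bytes) + HMAC-SHA1 digest (20 bytes) = 28 bytes = 7 words
CARP_HEADER_LEN = 36    # 8 fixed bytes + 8-byte counter + 20-byte digest


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP and CARP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_carp_advertisement(vhid: int, advskew: int, advbase: int = 1,
                             counter: int = 0, src: str = "192.0.2.1") -> bytes:
    """Constructed IPv4 + CARP advertisement. The HMAC field is left zeroed (assumption
    for the example; a real master fills it from the VHID password)."""
    carp = struct.pack("!BBBBBBH",
                       (CARP_VERSION << 4) | CARP_ADVERTISEMENT,
                       vhid, advskew, CARP_AUTHLEN_WORDS, 0, advbase, 0)
    carp += struct.pack("!Q", counter) + bytes(20)
    carp = carp[:6] + struct.pack("!H", inet_checksum(carp)) + carp[8:]
    # IPv4 header: TTL 255 is what CARP uses.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, 255,
                     VRRP_CARP_PROTO, 0, socket.inet_aton(src),
                     socket.inet_aton(VRRP_CARP_GROUP))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + carp


def parse_carp(packet: bytes) -> dict:
    """Decode an IPv4 CARP advertisement, verifying both checksums; raises ValueError otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if packet[9] != VRRP_CARP_PROTO:
        raise ValueError("not IP protocol 112 (VRRP/CARP)")
    body = packet[ihl:]
    if len(body) < CARP_HEADER_LEN or inet_checksum(body[:CARP_HEADER_LEN]) != 0:
        raise ValueError("short CARP header or bad CARP checksum")
    vt, vhid, advskew, authlen, demote, advbase, _ = struct.unpack("!BBBBBBH", body[:8])
    if vt >> 4 != CARP_VERSION or vt & 0x0F != CARP_ADVERTISEMENT:
        raise ValueError("not a CARP v2 advertisement")
    counter = struct.unpack("!Q", body[8:16])[0]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "ttl": packet[8],
        "vhid": vhid,
        "advskew": advskew,
        "advbase": advbase,
        "demotion": demote,
        "counter": counter,
        # A CARP master advertises every advbase + advskew/256 seconds.
        "interval_s": advbase + advskew / 256.0,
    }


def is_valid_carp(packet: bytes) -> bool:
    try:
        parse_carp(packet)
        return True
    except ValueError:
        return False


def vrrp_view(packet: bytes) -> dict:
    """How a VRRPv2 dissector labels the same header bytes: CARP's advskew sits where
    VRRP keeps its priority, which is why a CARP master shows up as 'Priority: 0'."""
    ihl = (packet[0] & 0x0F) * 4
    vt, vrid, prio, naddr, authtype, adv_int = struct.unpack("!BBBBBB", packet[ihl:ihl + 6])
    return {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio,
            "count_ip_addrs": naddr, "auth_type": authtype, "adver_int": adv_int}


if __name__ == "__main__":
    pkt = build_carp_advertisement(vhid=1, advskew=0, counter=42)
    print("CARP:", parse_carp(pkt))
    print("as VRRP:", vrrp_view(pkt))
```

If you run this over real captured frames instead of the constructed packet, a frame that fails `is_valid_carp` while still being protocol 112 to 224.0.0.18 is worth a closer look: a corrupted advertisement is dropped by the receiver and looks, from the backup's point of view, like a silent master.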

Re: [pfSense Support] Microsoft updates through pfSense

2011-02-23 Thread Moshe Katz
See the official Squid FAQ about Windows Update.   It explains why you are
having this problem.
http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Thu, Feb 17, 2011 at 10:52 PM, Shali K.R. wrote:

> Dear db,
>
> I have tried this, but it is showing high bandwidth usage. Is this the proper
> way?
>
> On Fri, Feb 18, 2011 at 9:14 AM, David Burgess  wrote:
>
>> On Thu, Feb 17, 2011 at 8:42 PM, Shali K.R. 
>> wrote:
>> > Dear all,
>> >
>> > I have 500 Windows client machines connected through pfSense and
>> squid;
>> > please suggest a suitable method for handling updates.
>>
>> You'll find the appropriate info here:
>>
>> http://doc.pfsense.org/index.php/Squid_Package_Tuning
>>
>> db
>>
>>
>
>
> --
> Thanks & Regards
>
> Shali K R
> Server Administrator
> Vidya Academy of Science & Technology
> Thrissur,Kerala.
> Mob:9846303531
>
>
>


Re: [pfSense Support] restart command

2011-02-28 Thread Moshe Katz
This may help you a bit:
http://lifehacker.com/#!5275652/shut-down-your-windows-pc-remotely-from-linux

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Mon, Feb 28, 2011 at 6:18 PM, Joseph Rotan wrote:

> Hi,
>
> I've been searching the internet for a Linux command that can send a
> restart command to a Windows PC. I'm not quite sure if this can be
> achieved, but I have a pfSense 1.2.3 box that is connected to 10 PCs in
> a LAN and I'm just trying to build up a sequence here for how each PC
> on the LAN could restart itself after ending its internet session.
>
> Something similar to TCP/IP ports: when the internet session is ended from
> pfSense, each TCP/IP port activates a command to tell the PC to restart.
>
> I have been trying some batch file or DOS command process but could not
> complete the requirements.
>
> Has anyone ever tried this application before?
>
> I'd appreciate any advice on how I could test it out.
>
> Thanks
>
> Joseph.
>


Re: [pfSense Support] Only allow DHCP assigned addresses access to network

2011-03-01 Thread Moshe Katz
I think Andy means, "how do I stop people who set a static IP on the same
subnet as my network from getting on the network?"

The short answer is that you can't do that easily.  Internal network traffic
does not pass through pfSense and cannot be stopped by it.

You may be able to prevent internet access (or access to other network
segments) by programmatically creating an alias built from the DHCP client
table.  I don't know how easy that is in practice but that is what I might
do.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Tue, Mar 1, 2011 at 6:49 PM, Cole Devitt wrote:

> If a computer doesn't pick up a DHCP address I believe it gets an APIPA
> address, a 169.192 address if I recall right. With an APIPA address the
> computer wouldn't be able to do much of anything anyway, as the subnet is
> different and there isn't a gateway to my knowledge, so a standard setup of a
> DHCP server and client machines sounds like what you want, no?
>
> If a computer isn't receiving a DHCP address from your pfsense then you
> have a configuration issue, or your scope is too small (not set to give out
> enough addresses), or there is a physical problem somewhere in your network.
>
> On Mar 1, 2011, at 5:40 PM, "Andy Graybeal" 
> wrote:
>
> > Hi,
> > I would like every machine on my network to get its address from
> > PFSense's DHCP server.
> >
> > If it doesn't receive an address from the DHCP server (if they pick some
> > arbitrary address on the same subnet) how do I dis-allow them access to
> > network services?
> >
> > Does this make any sense to do this?   Does this make sense to not do
> this?
> >
> > -Andy
> >
>
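Moshe's idea of an alias built programmatically from the DHCP client table, as an added example that is not from this thread. pfSense's DHCP server is ISC dhcpd, which records leases in the append-only dhcpd.leases format (on pfSense under /var/dhcpd/var/db/dhcpd.leases, an assumption about the path); the last record for an address wins, and only records that are both `binding state active` and not yet past their `ends` time should count. The excerpt below is constructed for the example; the code parses it and renders a pf table file, one address per line. The table name, file path and the cron cadence are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed excerpt in ISC dhcpd.leases format (times are UTC, as dhcpd writes them).
# 192.168.1.51 appears twice: the later "free" record supersedes the earlier active one.
# 192.168.1.52 is active on paper but already expired at the reference time used below.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 2 2011/03/01 20:00:00;
  ends 2 2011/03/01 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-pc";
}
lease 192.168.1.51 {
  starts 2 2011/03/01 20:05:00;
  ends 2 2011/03/01 22:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.51 {
  starts 2 2011/03/01 20:30:00;
  ends 2 2011/03/01 20:30:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.52 {
  starts 2 2011/03/01 10:00:00;
  ends 2 2011/03/01 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"^\s*ends\s+(never|\d\s+\S+\s+\S+)\s*;", re.M)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+)\s*;", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]+)\s*;", re.M)


def parse_utc(stamp: str) -> datetime:
    """Parse 'YYYY/MM/DD HH:MM:SS' as UTC."""
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def lease_end(field: str) -> Optional[datetime]:
    """'ends' is either 'never' or '<weekday> YYYY/MM/DD HH:MM:SS'."""
    if field == "never":
        return None
    _weekday, day, clock = field.split()
    return parse_utc(day + " " + clock)


def active_leases(leases_text: str, now_utc: str) -> Dict[str, Optional[str]]:
    """Return {ip: mac} for leases active and unexpired at now_utc ('YYYY/MM/DD HH:MM:SS')."""
    now = parse_utc(now_utc)
    latest = {}
    for m in LEASE_RE.finditer(leases_text):          # file order: later records override
        ip, body = m.group(1), m.group(2)
        state = STATE_RE.search(body)
        ends = ENDS_RE.search(body)
        mac = MAC_RE.search(body)
        latest[ip] = (
            state.group(1) if state else "unknown",
            ends.group(1) if ends else None,
            mac.group(1).lower() if mac else None,
        )
    active = {}
    for ip, (state, ends_raw, mac) in latest.items():
        if state != "active" or ends_raw is None:     # free/expired/backup or malformed record
            continue
        end = lease_end(ends_raw)
        if end is not None and end <= now:
            continue
        active[ip] = mac
    return active


def pf_table_file(active: Dict[str, Optional[str]]) -> str:
    """Render the list in the form 'pfctl -t <table> -T replace -f <file>' reads."""
    ordered = sorted(active, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return "".join(ip + "\n" for ip in ordered)


if __name__ == "__main__":
    leases = active_leases(SAMPLE_LEASES, "2011/03/01 21:00:00")
    print(pf_table_file(leases), end="")
```

Run from cron every few minutes against the real file and load the result with `pfctl -t dhcp_leases -T replace -f /tmp/dhcp_leases.txt`, then write the pass rule against `<dhcp_leases>` and put a block for everything else on the interface behind it. The check is by IP only: a host that statically configures an address currently leased to someone else is indistinguishable from the lessee, and, as Moshe says above, nothing on the firewall touches traffic between two hosts on the same segment. Keeping squatters off the wire itself is a switch-side job (DHCP snooping or 802.1X).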


Re: [pfSense Support] throughput tuning in 2.0

2011-03-01 Thread Moshe Katz
I am not sure how/where you would check this but maybe the card is
operating in simplex mode in which case I believe it makes sense you
are getting approximately half of gigabit.  Someone please correct me
if I am wrong.

Moshe


On Tuesday, March 1, 2011, David Burgess  wrote:
> 2.0-RC1 (amd64)
> built on Tue Mar 1 15:52:28 EST 2011
>
> Core i3 550 3.2 GHz
> 4GB RAM
> Intel GBE
>
> I've just set this system up doing some crude throughput testing with
> iperf. The most I can push through this box from LAN to WAN is a
> steady 503-520 mbps, using the default mtu (higher mtu values produce
> no throughput on iperf for reasons I haven't looked into. I'm
> suspecting no support in the switch). top -SH is showing ~25%
> interrupt usage and 30%+ idle on both cores. Hyperthreading is
> disabled. I'm using a single NIC with vlans, but testing in only one
> direction, so the NIC is sending and receiving a total of about 530
> mbit x2 during the test.
>
> iperf test machines show minimal CPU usage during the test, and have
> no other significant network activity happening concurrently. The
> switch is a Netgear ProSafe GS108E, which is ostensibly non-blocking.
>
> I expected better throughput than that. Any ideas what is holding this
> thing back, or where I could look to find out?
>
> Thanks,
>
> db
>
>

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



[pfSense Support] Intel Gigabit - em0: Watchdog Timeout

2011-03-04 Thread Moshe Katz
Hello All,

I currently have two pfSense boxes with Intel Gigabit cards.  The first is a
Dell Optiplex gx270 (Pentium 4, 512mb RAM).  It has one built-in Intel
Gigabit port and two dual-port PCI cards.  This gives me em0 - em4.  As far
as I can tell, this box is working perfectly.  The second is also a gx270
with one built-in gigabit port.  It has another single-port Intel Gigabit
card and a generic 10/100 card whose name I can't find that shows up as
fxp0.

I am now trying to set up a third box.  It is a Dell Optiplex gx240.  It has
an on-board 3Com 3C920-based 10/100 port.  I added a dual-port Intel card
(the same one as the first box).  Using em1 of that card works fine but when
I plug in em0, I start getting "em0: Watchdog Timeout" messages on the
console.

What should I look at to troubleshoot this?  Is it a problem with the
network card?

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


[pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout

2011-03-04 Thread Moshe Katz
The problematic box has a snapshot from yesterday (I am not sure
exactly what time yesterday though).  One of the working boxes is the
first RC1 snapshot, the other is still on a snapshot from December.

Moshe

On Friday, March 4, 2011, Jim Pingle  wrote:
>
> Is this on a 2.0 snapshot? If so, what date?
>
> Since the switch to the Yandex Intel drivers a couple days ago my VMs
> all constantly print watchdog timeouts on the console... It seems to
> operate OK, but it makes the console useless.
>
> Jim
>
>

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



Re: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout

2011-03-04 Thread Moshe Katz
On Fri, Mar 4, 2011 at 10:51 AM, Jim Pingle  wrote:

>
> Does em0 seem to work OK for you otherwise? Just log/console spam?
>
> I just noticed that it doesn't just make the console useless, it also
> spams the system log, filling that up as well.
>
> If it operates OK but just has annoying logs, that should hopefully be
> easily solved.
>
> Jim
>

It appears to be working properly as far as I can tell.  It is just annoying
to have in the console and the logs.  I have not run extended tests (very
large file transfers, etc.) to make sure of that - it just seems to be
working for normal internet, Windows File Sharing, and Printing traffic.  I
may be able to run extended tests next week.

From a curiosity perspective, I would like to find out why this is
happening.

Also out of curiosity, when was the driver changed?  I tried searching on
rcs.pfsense.org but search appears to be broken there.

Moshe


Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout

2011-03-05 Thread Moshe Katz
On Fri, Mar 4, 2011 at 10:09 PM, Kevin Tollison  wrote:

> 2 B5 was good until a month or so ago. Are you using any vlans?  I am
> beginning to think it may be in vlans.
> --
> Kevin Tollison
>
>
> -Original Message-
> From: Mehma Sarja 
> Date: Fri, 04 Mar 2011 18:35:26
> To: 
> Reply-To: support@pfsense.com
> Subject: Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog
> Timeout
> On 3/4/11 2:34 PM, Kevin Tollison wrote:
> > Is anyone experiencing traffic stopping when these errors happen?
> > My boxes are Supermicro with Intel gig NICs. They randomly start and stop
> > passing traffic. Console is still functional when it happens.
> Yep - when trying to move to RC1. I'm on a Supermicro with GB Intel NICs
> and an Atom processor. I was contemplating whether my SSD is at fault. But
> one NIC mysteriously disappeared upon upgrading. pf 123 works fine. I put a
> note in the forums.
>
> Mehma
>

Mine is using VLANs on em0 but not em1.  If it is related to VLANs, that
would explain why I am only getting these warnings on em0.  Since this box
is not yet deployed, I am going to try turning off the VLANs tomorrow and
seeing what happens.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense Support] IP Routing

2011-03-10 Thread Moshe Katz
Hi,

The way I understood it, you are trying to redirect INTERNAL computers that
try to access 74.125.224.214 to your server but allow your server access to
that IP.

There is no easy way to do this in 1.2.x.  However, in 2.0, you should be
able to do this with Port Forwarding.  Try a Port Forward Rule similar to
the following:

   - Interface: LAN
   - Source: NOT 
   - Dest: 74.125.224.214
   - Dest. Port Range: an alias that contains 80 and 443
   - Redirect Target IP: 
   - Redirect Target Port: Same alias as above


Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Thu, Mar 10, 2011 at 8:44 PM, Anthony Saenz wrote:

> Hi,
>
> I'm new to pfsense and so far haven't found a way to do the following:
>
> I'm trying to route traffic on ports 80/443 going to a "public" IP (in this
> case let's say 74.125.224.214) to a box we have internally here in the
> office but if that box itself tries to hit the IP, allow it to pass through
> to the intended destination. Is this at all possible or is there another
> medium that would allow me to do this?
>
> Thanks!
>
>


Re: [pfSense Support] Fwd: m1n1 device w/ ath wireless

2011-07-19 Thread Moshe Katz
On Tue, Jul 19, 2011 at 3:00 PM, Chris Brennan  wrote:

>  Original Message 
> Subject: m1n1 device w/ ath wireless
> Date: Fri, 15 Jul 2011 12:49:55 -0400
> From: Chris Brennan 
> To: pfSense Support 
>
> > Greetings!
> >
> > I've got a Netgate m1n1 2D13 Firewall with an Atheros 4G CM9 Wireless
> > card. As far as I can tell, hardware wise, everything works just
> > fine. The problem is that after my wireless devices associate with
> > the netgate, I am unable to actually go anywhere. I've added a fw
> > rule to blanketly let everything out over wireless and it's bonded
> > with my LAN so all the traffic is on the same subnet. I'm not sure
> > what else I need to/should have to do to make this work. Some help
> > would be appreciated. :)
>
> > P.S. I am new to *this* list, if I missed something, let me know and
> > I'll make the necessary adjustments.
>
> I've been seeing some activity on the pfSense list, so I know it works,
> but no one has bothered to followup on this and help me figure this out
> and it's 5 days old already :( I've never had mail such as this go so
> long, even on a low-traffic mailing list, unanswered.
>
> Wireless now works and I can correctly route out over the internet. I
> have *nfc* what I did, but it works. And the firewall is correctly
> blocking all incoming traffic as expected.
>
> My problem now is that I am trying to open port 2500 on the outside and
> redirect it over my lan to my gentoo box where I have a web-server
> running (for my own private purposes). I've added the NAT rule and it
> successfully created the firewall rule, but the port is still not open.
> I'm not sure what I did wrong here but some screenshots can be seen here
>
> http://imageshack.us/photo/my-images/228/screenshot43e.png/
> http://imageshack.us/photo/my-images/215/screenshot42h.png/
> http://imageshack.us/photo/my-images/853/screenshot44v.png/
> http://imageshack.us/photo/my-images/585/screenshot48p.png/
> http://imageshack.us/photo/my-images/847/screenshot49y.png/
>
> If I've missed something, please let me know and I shall provide it.
>
>
> --
> > Chris Brennan
> > --
> > A: Yes.
> > >Q: Are you sure?
> > >>A: Because it reverses the logical flow of conversation.
> > >>>Q: Why is top posting frowned upon?
> > http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
> > GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8  9E4A EECD 9A84 D5B2 0C0C)
> 
>

Your firewall rule is wrong.  It needs to allow from ANY source port to 2500
destination port.  The source port is random from the client and the port
that you want to open on the firewall is 2500.  When you redirect that to
port 80 using port forwarding, that is after it has already passed through
the firewall successfully.

It looks like you are using pfSense 1.2.x.  If you can update to one of the
2.0 release candidates (I don't know how updates work for the
Netgate-branded version), it has a feature that will automatically create
the proper firewall rule when you forward a port.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense Support] Fwd: m1n1 device w/ ath wireless

2011-07-19 Thread Moshe Katz
On Tue, Jul 19, 2011 at 3:18 PM, Chris Brennan  wrote:

> On 7/19/2011 3:08 PM, Moshe Katz wrote:
> > Your firewall rule is wrong.  It needs to allow from ANY source port to
> > 2500 destination port.  The source port is random from the client and
> > the port that you want to open on the firewall is 2500.  When you
> > redirect that to port 80 using port forwarding, that is after it has
> > already passed through the firewall successfully.
> >
> > It looks like you are using pfSense 1.2.x.  If you can update to one of
> > the 2.0 release candidates (I don't know how updates work for the
> > Netgate-branded version), it has a feature that will automatically
> > create the proper firewall rule when you forward a port.
>
> Moshe,
> Yes, I am using 1.2.x, it's what was installed on this netgate, I don't
> know how to (yet) upgrade to one of the 2.0x RC's of pfSense, I was
> thinking about this but unsure how to go about it. if there is some
> documentation on this I would be greatly appreciative.
>
> When I added the NAT rule, it added the fw rule automatically. So I am
> not sure what you mean, the FW rule is allowing from any source,
> effectively *:2500, which is what I want, to only allow specific ports
> though.
>
> --
> > Chris Brennan
> > --
> > A: Yes.
> > >Q: Are you sure?
> > >>A: Because it reverses the logical flow of conversation.
> > >>>Q: Why is top posting frowned upon?
> > http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
> > GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8  9E4A EECD 9A84 D5B2 0C0C)
> 
>

In a firewall rule, the "Source Port" means where it is coming from on your
computer.  Your computer usually picks a random port to use when you visit a
site in your web browser.  So putting "Source Port"=2500 in your rule will
not work.  2500 is the "Destination Port" in the firewall rule.  In
"screenshot42h.png", that last row should say:

   - Protocol: TCP
   - Source Address: *
   - Source Port: *                (change this)
   - Destination Address: WAN_IP   (change this)
   - Destination Port: 2500        (change this)
   - Gateway: *
   - ...

The marked ones are the ones you need to change.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732