RE: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Raylund Lai
I think the best approach is to combine DNS and a firewall rule.

Use something like OpenDNS for all the DNS queries on your network and
then set up a firewall rule so that only DNS queries to OpenDNS are allowed.
Then go to OpenDNS to set your own blocking/allowing rule(s).

-Raylund

-Original Message-
From: Luke Jaeger [mailto:ad...@pvpa.org] 
Sent: Wednesday, March 23, 2011 12:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] can't block https://facebook.com via firefox

okay, I took a long hard look at all my rules and tightened them up - I
think it's working now. Will repost if the students figure out another way
around it.

Thanks everyone!

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School www.pvpa.org

On Mar 23, 2011, at 11:20 AM, Ryan Rodrigue wrote:

> I personally would set anything on the local network on HTTPS and 
> HTTP to block, thus forcing them to use your squid proxy.  (Allow the squid 
> proxy, of course.)


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional
commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
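The two suggestions in this thread (pin all DNS to OpenDNS and let only the squid proxy reach port 80/443) written out as one pf ruleset. This is an added example, not a ruleset from the thread or from the pfSense project; pfSense generates rules of this shape from its GUI. The interface name, the LAN subnet, the firewall's LAN address, the squid port and the two OpenDNS resolver addresses are assumptions for illustration.

```pf
# Added example: LAN egress policy for the "can't block facebook" thread.
# Assumed values (not from the thread): em1 is the LAN interface, the LAN
# is 192.168.1.0/24, pfSense's LAN address is 192.168.1.1, squid listens on
# port 3128 on the firewall itself, and 208.67.222.222 / 208.67.220.220 are
# the OpenDNS resolvers.
lan_if     = "em1"
lan_net    = "192.168.1.0/24"
lan_addr   = "192.168.1.1"
proxy_port = "3128"
opendns    = "{ 208.67.222.222, 208.67.220.220 }"

set skip on lo0

# Default deny for traffic arriving from the LAN. Every rule below is an
# explicit exception; blocks are logged so bypass attempts show up in the
# firewall log.
block in log on $lan_if all

# DNS: clients may query OpenDNS directly, or the pfSense forwarder on the
# LAN address (whose own upstream must then be OpenDNS). Any other resolver,
# for example one hardcoded on a student laptop, is blocked and logged.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $opendns port 53 keep state
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $lan_addr port 53 keep state
block in log quick on $lan_if proto { tcp, udp } from $lan_net to any port 53

# Web: the only path to port 80/443 is squid. Direct HTTP/HTTPS from clients
# is blocked; squid, running on the firewall, opens the outbound connections
# itself, so they never pass this LAN-side ruleset.
pass in quick on $lan_if proto tcp from $lan_net to $lan_addr port $proxy_port flags S/SA keep state
block in log quick on $lan_if proto tcp from $lan_net to any port { 80, 443 }

# Other LAN traffic (mail, VPN, and so on) still hits the default deny above;
# add explicit pass rules for whatever the site needs.
```

DNS pinning only controls name resolution: a client that already knows the site's IP address, or that tunnels over a port that is allowed, is not stopped by it, which is why the proxy rule carries the real enforcement for web traffic. After loading rules like these, watch the LAN entries in the firewall log; blocked port 53 or port 443 connections from a client are exactly the bypass attempts described in the thread.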







RE: [pfSense Support] Microsoft Server 2008 & DHCP relay

2010-04-17 Thread Raylund Lai
You don't need DHCP relay.  Just use pfSense's DHCP and set the domain
as authoritative to the DC (for DNS).

A number of my remote offices that don't have a DC are working like that
(although only my office is using pfSense and the others are using SonicWall).

One difference though: mine is Windows 2003 R2 AD, not Windows 2008.

-Raylund

-Original Message-
From: Karl Fife [mailto:karlf...@gmail.com] 
Sent: Saturday, April 17, 2010 2:17 PM
To: support@pfsense.com
Subject: [pfSense Support] Microsoft Server 2008 & DHCP relay

We have a couple of pfSense installations that want to 'lock down' their 
windows workstations with Win 2K8 Server and Active Directory.  As you may 
know, normally this requires that Win Server be the DNS & DHCP server.

To clarify, we're NOT talking about MS Small Business Server/exchange and 
all of that crap--just 'regular' 2K8, with AD for lockdown/policy etc.

Can anyone say from experience whether it's 'within scope' to keep pfSense 
as the DHCP/DNS?  In other words, is it feasible to have 2K8 server turn to 
pfSense via something like DHCP relay?  Never played with DHCP relay.

Before sinking money into another server, licenses etc, I'm hoping someone 
can at least say "yes, it works, I've tried it--it's solid" so that we don't
find ourselves half-way through realizing that we REALLY DO have to re-tool 
perfectly solid & tested parts of our network just because the Microsoft 
tentacles want to touch & be in control of everything.  As I see it, I don't
mind if Microsoft 2K8 server runs the "Windows parts" of the network but not
the whole network.

Has anyone actually tried this?  Thanks in advance!

-Karl















RE: [pfSense Support] Exchange RPC/HTTPS outbound client

2009-02-09 Thread Raylund Lai
It works for me with default settings.  Have a look at the firewall logs.

-Raylund

-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] 
Sent: Monday, February 09, 2009 9:47 PM
To: 'support@pfsense.com'
Subject: [pfSense Support] Exchange RPC/HTTPS outbound client

I am using 1.2-RELEASE and have a client that needs to connect to an
Exchange Server via RPC/HTTPS that I know to be in working order. This
client cannot connect when behind pfsense but can access OWA on this server.

Are there any known issues? I couldn't find anything that suggested any
additional config.

Thanks!
jlc








RE: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread Raylund Lai
Try the solution from Untangle.  Set it up with spam filtering and as a
transparent bridge in between your LAN and pfSense.

-Raylund

-Original Message-
From: Joe Laffey [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 26, 2008 9:52 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] strategies for an internet cafe

On Fri, 26 Sep 2008, Vivek Khera wrote:

> On Fri, Sep 26, 2008 at 8:45 AM, lartc <[EMAIL PROTECTED]> wrote:
>> hi all,
>>
>> i've got a small internet cafe on a lan behind pfsense (soekris net
>> 4801). works great.
>>
>> yesterday (not the first time) someone connected up their laptop, that
>> started spewing spam mail.
>
> Just plain disallow direct to port 25 connections.  There's no reason
> for it for random client machines.  If they need to use their own ISP
> or office mail server, they can use the SMTP submission port, or a
> VPN.

The problem with this is that most people have no clue how to use a 
submission port or a VPN. So at a cafe blocking port 25 will basically be 
tantamount to telling about 90% of your users to go away and not come to 
your cafe. They will go to another cafe where they can send mail without 
trouble.

It's a tough problem because you want to block the spam without driving 
away your customers.

You could try traffic shaping port 25. You could give it 20 seconds of 
high bandwidth followed by shaping down to something really slow.

The bigger problem is that your IPs will get blacklisted as spammers.

--
Joe Laffey|   Visual Effects for Film and Video
LAFFEY Computer Imaging   | -
St. Louis, MO |   Show Reel http://LAFFEY.tv/?e11924
USA   | -
. |-*- Digital Fusion Plugins -*-
--
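The thread's tension is that blocking port 25 outright drives customers away, while a spewing laptop gets the cafe's shared public IP blacklisted. As an added example (not from the thread, and a different technique from the traffic shaping suggested above), here is a pf ruleset that keeps port 25 open but uses pf's per-source connection-rate tracking to cut off a single host that behaves like a spam bot. The interface name, LAN subnet and thresholds are assumptions for illustration.

```pf
# Added example: per-client SMTP rate limiting for the internet cafe thread.
# Assumed values (not from the thread): em1 is the LAN interface, the cafe
# LAN is 10.0.0.0/24, and the 10-connections-per-60-seconds threshold is
# illustrative.
lan_if  = "em1"
lan_net = "10.0.0.0/24"

# Sources that exceed the SMTP connection rate are added here. "persist"
# keeps the table across ruleset reloads; entries can be aged out with
#   pfctl -t spammers -T expire 3600
table <spammers> persist

# A flagged host loses port 25 only. Submission (587) is left alone so a
# legitimate user can still reach their own mail server.
block in log quick on $lan_if proto tcp from <spammers> to any port 25

# A normal laptop opens a handful of SMTP sessions; a spam bot opens
# hundreds a minute. Allow port 25, but once one source opens more than 10
# new connections in 60 seconds, add it to <spammers> and tear down all of
# its existing states ("flush global"), not just the SMTP ones.
pass in quick on $lan_if proto tcp from $lan_net to any port 25 \
    flags S/SA keep state \
    (max-src-conn-rate 10/60, overload <spammers> flush global)

# Submission port for users whose ISP supports it.
pass in quick on $lan_if proto tcp from $lan_net to any port 587 flags S/SA keep state
```

Because the whole cafe sits behind one NAT address, one infected laptop blacklists everybody; the table limits that damage to the offending host while the 90% of customers who only know "port 25" keep working. The rate limit does not catch a slow, low-volume sender, so keep the log entries from the block rule and review them.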








RE: [pfSense Support] Pfsense public internet w/ authentication

2008-01-31 Thread Raylund Lai
If you want to block by site, it is better to use OpenDNS to block at the DNS level.

 

-Raylund

 

From: Sean Cavanaugh [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 31, 2008 12:01 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Pfsense public internet w/ authentication

 


Security wise, remember that more and more programs are using HTTP tunneling
to get out through firewalls. This type of traffic cannot really be stopped
that well without layer 4+ firewalls that look at packet content. You will
however block most of the joe blow users that will try stuff. Also adding in
blocks to specific sites will help cut down on nefarious activities.
 
-Sean







> Date: Thu, 31 Jan 2008 10:40:23 -0600
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: [pfSense Support] Pfsense public internet w/ authentication
> 
> I have a small computer shop and would like to setup free / open access
> point so that clients can use it while in the shop. But I don't want it
> so open that my neighbors are using it for nefarious purposes. Can
> somebody recommend a configuration.
> 
> My thoughts:
> Add another NIC and a wireless router or access point w/ captive portal
> Add a wireless NIC Ad-Hoc w/ captive portal
> Set up some sort of VLAN w/ access point
> 
> Any recommendation on the route I should go? Another route?
> 
> And a lazy question (I've not really looked into it) - what is the best /
> easiest way to lock this connection down to HTTP only? And will failure
> to log into the captive portal block all traffic or just prevent browsing?
> 
> Thanks,
> -Dane
> 



Re: [pfSense Support] Problem with RDP and VNC Streams

2007-10-25 Thread Raylund Lai

Maybe check your MTU.   -Raylund

Ronny Forberger wrote:

Hi List,

first of all let me say pfsense is an awesome idea to provide a router 
platform.

But I'm getting a strange problem and can't resolve it:

All my VNC and RDP connections being tunneled both through an SSL 
VPN (openvpn) and OpenSSH tunnels will hang after a while. Then 
sometimes it goes back to working but most of the time I have to 
reconnect vnc / rdp. It seems packets are being dropped but I can't 
figure out where.

This is very strange, since I was using this scenario before with the 
same tunnels but another router. (Same external PPPoE connection even).

I do not have any traffic shaping rules enabled - I am stuck on 
finding clues what the problem could be.

Can you maybe give me hints?

Cheers,







Re: [pfSense Support] Big Problems with 2wire ADLS modem+Router.

2007-09-03 Thread Raylund Lai
Set the 2Wire to bridge mode.  Let pfSense handle all the settings 
(incl. PPPoE).

You may find more information on www.dslreports.com

-Raylund

Alberto Moreno wrote:


  Hi people.

  This week my ISP told me that I need to change my old modem: DSL 
modem Speedstream 5400, just a modem. My LAN was behind pfSense, DHCP, 
one VPN to my office, it was very beautiful. Sometimes I just connected 
my box and I was at work, didn't need to get there.

  Now, I have this 2wire Modem+Router (Model 2701HG-T), which came 
with a built-in firewall, wireless, and other cool stuff; someone 
with no knowledge of pfSense could say, this is great!!!

  Now I don't know how the hell I will get my old settings back, I cannot 
disable the firewall on that device, I cannot access my office from 
my LAN clients, the only one who can access my office is the pfSense 
box, because I enabled some rule in the 2wire firewall, but none of my 
clients can.

  I'm lost, I don't know what the gateway is now or which one I should choose? 
What about my WAN interface? I try to connect my WAN interface but I 
don't get any answer from my ISP.

  I disabled the DHCP server on the device, but right now my gateway 
is the 2wire, what can I do to bring everything back to normal? Do I need to 
add each rule to my LAN and NAT or forward to my 2wire gateway?

  Could someone point me to what I need to do, or help me understand my 
case and help me find some path through this?

  Thanks all for your time.

P.S. Running pfsense 1.0.1 Release.

--
Living the dream... 






Re: [pfSense Support] ntop blank page

2006-11-09 Thread Raylund Lai

Have you selected the interface(s) when you set the password too?   -Raylund

Bestul, Kurt wrote:


Installed ntop package.  Initially it would not start, but setting the 
password resolved that.  After I did so, it starts and stops upon 
request.  However, when I attempt to view the ntop page 
(diagnostics>ntop), I get a completely blank page on the browser with 
the root address of my pfsense server.  Should I have been challenged 
for my recently set password when I requested the page (I wasn't)?  If 
I look at the page source, that is completely blank too.  Seems like 
the underlying configuration must be incomplete, but I can't find any 
documentation or prior mail list entries that provide solutions to 
this problem.  Advice? P.S., I am viewing the webConfigurator using 
firefox 2.0.








Re: [pfSense Support] Access ADSL modem on WAN port

2005-09-17 Thread Raylund Lai
You may try to alias an IP address on the WAN interface (with the same 
subnet mask as the modem), then add an outbound NAT for the interface.

cheers
raylund

Jeroen Geusebroek wrote:

On 9/17/05, John Cianfarani <[EMAIL PROTECTED]> wrote:
  

One thing you might want to double check as well is that the "Block
Private Networks" button is not checked under Interfaces -> Wan right at
the bottom.



Good point! However it was unchecked :(

  



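The alias-plus-outbound-NAT trick suggested in the reply above, written out as an added example (not code from the thread or from the pfSense project). It assumes a PPPoE WAN where the physical WAN NIC itself carries no IP address; the NIC name, the modem's address and the LAN subnet are assumptions for illustration.

```pf
# Added example: reaching an ADSL modem's management address that sits on
# the WAN segment in front of a PPPoE WAN.
# Assumed values (not from the thread): em0 is the physical WAN NIC, the
# modem answers on 192.168.0.1/24, and the LAN is 192.168.1.0/24.
#
# Step 1 (shell, on the firewall): give the WAN NIC a second address in the
# modem's subnet so the firewall can ARP for the modem directly:
#   ifconfig em0 alias 192.168.0.2 netmask 255.255.255.0
# (In the pfSense GUI this is a Virtual IP on WAN.)
wan_if    = "em0"
wan_alias = "192.168.0.2"
modem_net = "192.168.0.0/24"
lan_net   = "192.168.1.0/24"

# Step 2: translate LAN sources to the alias when they talk to the modem's
# subnet. Without this the modem sees a 192.168.1.x source it has no route
# back to, and its replies never return.
nat on $wan_if from $lan_net to $modem_net -> $wan_alias

# Step 3: let the translated traffic out on the physical WAN NIC. Normal
# internet traffic still leaves over the PPPoE interface and is unaffected.
pass out quick on $wan_if from $wan_alias to $modem_net keep state
```

The "Block Private Networks" setting on WAN that the thread mentions does not interfere here: it is an inbound block, and the modem's replies match the state created by the pass rule before any rule is evaluated. If the modem still does not answer, confirm from the firewall itself first (ping 192.168.0.1 with the alias in place) so the ARP and aliasing step is ruled out before looking at NAT.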