RE: [pfSense Support] Linking 2 Building without VPN
Hi Klaus,

Thanks for the initial assistance. I have now added an interface into each pfSense box to use for this link. Just because the rest of my subnets are /24 I have added the same to these two cards.

So in 10.0.0.0/24 (Site A) I have added a new interface with 10.0.9.1, and from my pfSense box and all my workstation boxes I can ping 10.0.9.1.

In 10.0.2.0/24 (Site B) I have added a new interface with 10.0.9.2, and from my pfSense box and all my workstation boxes I can ping 10.0.9.2.

From 10.0.0.254 I can ping 10.0.9.1 but not 10.0.9.2.
From 10.0.2.254 I can ping 10.0.9.2 but not 10.0.9.1.

Even without any routes being created I figure from 10.0.9.1 I should be able to see 10.0.9.2.

We did have a lightning strike, so now I am questioning if I have my setup correct or some more dead hardware here in the building.

Thanks.

From: Klaus Wunder [mailto:kl...@net-wunder.de]
Sent: Tuesday, August 02, 2011 4:03 AM
To: support@pfsense.com
Subject: AW: [pfSense Support] Linking 2 Building without VPN

Hello,

do you have a Layer 2 connection between the buildings? If so, I think there are two possible options:

1. Creating a Transport LAN to connect the buildings
In this case you have to create a new interface on both sites. You can create a small subnet 10.0.254.252/30 to interconnect the LANs. In this way you can use static routing.

2. Creating a Transport LAN with failover
I think another option is to create the transport LAN and use a dynamic routing protocol to interconnect the LANs on both sites. In this case you can use the IPsec connection as a backup link. I think this solution will work with OSPF, which you can install on pfSense.

If you have questions just let me know.

Regards

From: Ron Lemon [mailto:r...@maplewood.com]
Sent: Tuesday, 2 August 2011 06:24
To: 'support@pfsense.com'
Subject: [pfSense Support] Linking 2 Building without VPN

Hello,

I have 2 buildings each with multiple networks. They are currently joined via an IPSec VPN.

Building A is 10.0.0.0/24 and 10.0.1.0/24, and Building B is 10.0.2.0/24 and 10.0.3.0/24.

Right now I have a 10 Mb/s link to the internet in building A and a 100 Mb/s link in building B, so I have an IPSec VPN tying 10.0.0.0 to 10.0.2.0 and 10.0.3.0, and the same for 10.0.1.0.

Now I have just been provided a 20 Mb/s dedicated patch cable between the two buildings (this wire has no services on it but is essentially a 30 KM patch cable).

What is the best way to utilize this new patch cable to take the place of my current IPSec VPN links? If need be I can add interfaces to the 2 pfSense boxes or just make configuration changes.

Thanks.
[pfSense Support] Linking 2 Building without VPN
Hello,

I have 2 buildings each with multiple networks. They are currently joined via an IPSec VPN.

Building A is 10.0.0.0/24 and 10.0.1.0/24, and Building B is 10.0.2.0/24 and 10.0.3.0/24.

Right now I have a 10 Mb/s link to the internet in building A and a 100 Mb/s link in building B, so I have an IPSec VPN tying 10.0.0.0 to 10.0.2.0 and 10.0.3.0, and the same for 10.0.1.0.

Now I have just been provided a 20 Mb/s dedicated patch cable between the two buildings (this wire has no services on it but is essentially a 30 KM patch cable).

What is the best way to utilize this new patch cable to take the place of my current IPSec VPN links? If need be I can add interfaces to the 2 pfSense boxes or just make configuration changes.

Thanks.
RE: [pfSense Support] Allow Traffic Between Interfaces
Hi Chris,

Ordered my book. Unfortunately they ship via UPS so who knows where I will end up having to go and get it? I hope the book is as good as the product.

Thanks for all your work, pfSense is excellent and so is the support, especially considering the cost!!

Ron Lemon
Information Technology Manager, Maplewood Computing Ltd. | 800.265.3482 | www.maplewood.com

This email message, and any files transmitted with it, are confidential and intended solely for the use of the intended recipient(s). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and attachments.

-Original Message-
From: Chris Buechler [mailto:cbuech...@gmail.com]
Sent: Sunday, September 19, 2010 5:55 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sun, Sep 19, 2010 at 4:23 PM, Ron Lemon r...@maplewood.com wrote:
> David,
> Thanks greatly. On my LAN network I had the first rule as allow any protocol from LAN to anywhere via my ISP gateway, not via default. That was what was killing me, not sure why it was that way. I am now able to pass back and forth with no issues.
> You did however straighten me out on where and how rules are applied so the next rule changes should be easier.
> Is there anything in pfSense that would allow me to make a group of IP addresses called GoodGuys or something so that I can just add or remove IPs from the group to allow people in or block them out without having to add/remove rules for their IPs?

Firewall Aliases. You should really get a copy of the book. :)
http://pfsense.org/book

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Allow Traffic Between Interfaces
David,

Thanks greatly. On my LAN network I had the first rule as allow any protocol from LAN to anywhere via my ISP gateway, not via default. That was what was killing me, not sure why it was that way. I am now able to pass back and forth with no issues.

You did however straighten me out on where and how rules are applied so the next rule changes should be easier.

Is there anything in pfSense that would allow me to make a group of IP addresses called GoodGuys or something so that I can just add or remove IPs from the group to allow people in or block them out without having to add/remove rules for their IPs?

Once again thanks greatly for your assistance.

Ron

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Sunday, September 19, 2010 12:39 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 10:11 PM, Ron Lemon r...@maplewood.com wrote:
> Hi David,
> I have switched the rules but I am still unable to ping 10.0.1.100 from any machine in 10.0.0.0 / 24

Just to be sure, I have attached (I hope it makes it through) a screenshot of the rule you should have on your LAN interface. You should have a similar one on OPT1 with the source and destinations reversed.

> I hope I have this correct now.

Looks right to me. If your firewall rule is correct and you're still receiving no ping response then you'll need to check a couple of things.

1. Is the receiving host set to respond to pings? i.e., no Windows firewall preventing it?

2. Do both hosts know that pfSense is the gateway and the default route? If 10.0.1.100 receives a ping from 10.0.0.200 and wants to respond, it has to know where to route the response. Because 10.0.0.200 is not on its subnet (and you haven't given it a static route), it will send its response via the default route, so this needs to be the OPT1 interface of pfSense. If you have DHCP service enabled on OPT1 and your OPT1 hosts are getting their address via DHCP, then this is already happening.

3. If you don't want OPT1 to be the default route for the hosts on that subnet, then you must arrange static routes for those hosts, or enable outbound NAT from LAN to OPT1.

db
[pfSense Support] Allow Traffic Between Interfaces
Hello,

I have 3 NICs in my pfSense box (LAN, WAN, OPT1). I want computers on the LAN interface (10.0.0.0/24) to be able to see 2 computers on the OPT1 interface (10.0.1.100 and 10.0.1.101, these are also /24).

On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.100 / 32 (Single Host) on any port to network 10.0.0.0 / 24
On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.101 / 32 (Single Host) on any port to network 10.0.0.0 / 24
On OPT1 interface I created PASS on OPT1 for ANY protocol from 10.0.0.0 / 24 on any port to address 10.0.1.100 / 32 (Single Host)
On OPT1 interface I created PASS on OPT1 for ANY protocol from 10.0.0.0 / 24 on any port to address 10.0.1.101 / 32 (Single Host)

I cannot ping 10.0.1.100 or 101 from the 10.0.0.0/24 network. What am I missing?

Thanks.
RE: [pfSense Support] Allow Traffic Between Interfaces
Hi Dave,

Thanks for the quick reply but I am kind of at a loss. Once I see it work I am certain it will make sense but ...

Right now on my firewall rules LAN tab I have:
Action: Pass
Interface: LAN
Protocol: any (I assume this also includes ICMP???)
Source: Single Host (10.0.1.100)
Destination: Network (10.0.0.0 / 24)
Gateway: default

To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0 / 24 network about anything (ping, ftp, www, ldap, etc.)

On OPT1 tab I have:
Action: Pass
Interface: OPT1
Protocol: any (I assume this also includes ICMP???)
Source: Network (10.0.0.0 / 24)
Destination: Single Host (10.0.1.100)
Gateway: default

To me this means that any machine in the 10.0.0.0 / 24 network can talk to 10.0.1.100 about anything (ping, ftp, www, ldap, etc.)

Are my assumptions incorrect? I am just starting to do more than simple NAT with pfSense and am finding it has a wide array of configurations, once you get your head screwed on straight.

Thanks.

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Saturday, September 18, 2010 12:05 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 9:59 AM, Ron Lemon rjle...@gmail.com wrote:
> On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.100 / 32 (Single Host) on any port to network 10.0.0.0 / 24
> On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.101 / 32 (Single Host) on any port to network 10.0.0.0 / 24

Looks like your from addresses need to be to addresses.

db
RE: [pfSense Support] Allow Traffic Between Interfaces
Hi David,

I have switched the rules but I am still unable to ping 10.0.1.100 from any machine in 10.0.0.0 / 24.

Yes, I would like 10.0.1.100 to be able to initiate a conversation with machines in the 10.0.0.0 / 24 range.

So if 10.0.1.100 tries to ping a computer 10.0.0.200:
10.0.1.100 sends ICMP to pfSense (10.0.1.254 = OPT1) -- this happens because 10.0.0.200 is outside its subnet mask.
pfSense sees this request enter OPT1 and it says "I see a packet from 10.0.1.100 and it is destined for 10.0.0.200." It checks its rules and says "I have a rule that says OK, let it thru."
pfSense then picks up the packet from OPT1 and hands it to LAN (10.0.0.254) which sends it to 10.0.0.200.
Since 10.0.1.100 was allowed to send a packet to 10.0.0.200, this means 10.0.0.200 is allowed to send the answer back to 10.0.1.100.

I hope I have this correct now.

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Saturday, September 18, 2010 11:25 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Allow Traffic Between Interfaces

On Sat, Sep 18, 2010 at 8:54 PM, Ron Lemon r...@maplewood.com wrote:
> Action: Pass
> Interface: LAN
> Protocol: any (I assume this also includes ICMP???)
> Source: Single Host (10.0.1.100)
> Destination: Network (10.0.0.0 / 24)
> Gateway: default
> To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0 / 24 network about anything (ping, ftp, www, ldap, etc.)

Almost. In your original post you said that 10.0.1.100 is on OPT1. pfSense's firewall rules operate on packets entering the chosen interface. The rule above doesn't do anything until you change LAN to OPT1.

> On OPT1 tab I have
> Action: Pass
> Interface: OPT1
> Protocol: any (I assume this also includes ICMP???)
> Source: Network (10.0.0.0 / 24)
> Destination: Single Host (10.0.1.100)
> Gateway: default
> To me this means that any machine in the 10.0.0.0 / 24 network can talk to 10.0.1.100 about anything (ping, ftp, www, ldap, etc.)

As you may have guessed by now, if you change OPT1 in the above rule to LAN I think you will be in business.

Note also that in your original post you didn't say whether you wanted 10.0.1.100 to talk to LAN hosts. If not, then your first rule is not wanted. (If a LAN host connects to 10.0.1.100, it will be allowed to respond, as pfSense is stateful.)

Hope that helps.

db
[pfSense Support] Routing Issue
I have 2 facilities that used to be connected via an IPSec VPN.

Facility 1 had 2 networks, 10.0.0.0/24 and 10.0.1.0/24. They are both on the same physical wire; they each have their own NIC in the pfSense box. Users were either on one or the other, with a couple of people being dual homed on both.

Now we get new facility 2 which is 10.0.2.0/24. I connected Facility 2 via an IPSec tunnel to Facility 1 and allow computers in the 10.0.1.0/24 network to talk to the machines in Facility 2's 10.0.2.0/24 network. All works great.

Now we start to put through too much data for the IPSec tunnel to handle, so we now have a dedicated PVLan circuit from Facility 1 to Facility 2. I have added a 3rd NIC to my firewall in Facility 1 and assigned an IP 10.0.2.253 to it. Now I can see all computers in Facility 1 from Facility 2 and vice versa.

I still only want computers in facility 1 from 10.0.1.0/24 to see the 10.0.2.0/24. I do not want 10.0.0.0/24 to see any computer in the 10.0.2.0/24 network.

On my LAN interface I have set rule #1 to block traffic from 10.0.0.0/24 to 10.0.2.0/24 but that did nothing. On my Facility 2 interface I put a similar block rule, still to no effect.

I know the pfSense box is routing traffic from one interface to another, so how can I tell it what can pass and what cannot?

Thanks,

Ron Lemon
RE: [pfSense Support] Routing Issue
Facility 1
LAN interface is 10.0.0.0/24
OPT1 interface is 10.0.1.0/24
OPT2 interface is 10.0.2.253

Facility 2
LAN interface is 10.0.2.0/24

Ron Lemon

From: Hans Maes [mailto:h...@bitnet.be]
Sent: Sunday, September 05, 2010 6:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Routing Issue

On 09/05/2010 11:23 PM, Ron Lemon wrote:
> I have 2 facilities that used to be connected via an IPSec VPN.
> Facility 1 had 2 networks, 10.0.0.0/24 and 10.0.1.0/24. They are both on the same physical wire; they each have their own NIC in the pfSense box. Users were either on one or the other, with a couple of people being dual homed on both.
> Now we get new facility 2 which is 10.0.2.0/24. I connected Facility 2 via an IPSec tunnel to Facility 1 and allow computers in the 10.0.1.0/24 network to talk to the machines in Facility 2's 10.0.2.0/24 network. All works great.
> Now we start to put through too much data for the IPSec tunnel to handle, so we now have a dedicated PVLan circuit from Facility 1 to Facility 2. I have added a 3rd NIC to my firewall in Facility 1 and assigned an IP 10.0.2.253 to it. Now I can see all computers in Facility 1 from Facility 2 and vice versa.
> I still only want computers in facility 1 from 10.0.1.0/24 to see the 10.0.2.0/24. I do not want 10.0.0.0/24 to see any computer in the 10.0.2.0/24 network.
> On my LAN interface I have set rule #1 to block traffic from 10.0.0.0/24 to 10.0.2.0/24 but that did nothing. On my Facility 2 interface I put a similar block rule, still to no effect.

With LAN interface, do you mean the interface connected to the 10.0.0.0/24 subnet or the 10.0.1.0/24 subnet?

You have to set the block rule on the interface the traffic is coming in on. E.g. to block internet traffic from entering through the WAN interface, the rules have to be defined on the WAN interface. So to block traffic from 10.0.0.0/24 to 10.0.2.0/24 you have to add a block rule on the interface with the 10.0.0.0/24 subnet. (You may already know this but I couldn't find it in your message.)

Hope it helps.

Regards,
Hans
RE: [pfSense Support] Routing Issue
I have the link working from Facility 2 to Facility 1 but it is erratic.

From 10.0.2.0/24 I can ping 10.0.1.0/24 and am denied access to 10.0.0.0/24.

I cannot get it to go the other way. From 10.0.1.100 I do a tracert to 10.0.2.100. I see the path go to 10.0.1.254 (the router) and no further.

Ron Lemon

From: Hans Maes [mailto:h...@bitnet.be]
Sent: Sunday, September 05, 2010 6:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Routing Issue

On 09/05/2010 11:23 PM, Ron Lemon wrote:
> I have 2 facilities that used to be connected via an IPSec VPN.
> Facility 1 had 2 networks, 10.0.0.0/24 and 10.0.1.0/24. They are both on the same physical wire; they each have their own NIC in the pfSense box. Users were either on one or the other, with a couple of people being dual homed on both.
> Now we get new facility 2 which is 10.0.2.0/24. I connected Facility 2 via an IPSec tunnel to Facility 1 and allow computers in the 10.0.1.0/24 network to talk to the machines in Facility 2's 10.0.2.0/24 network. All works great.
> Now we start to put through too much data for the IPSec tunnel to handle, so we now have a dedicated PVLan circuit from Facility 1 to Facility 2. I have added a 3rd NIC to my firewall in Facility 1 and assigned an IP 10.0.2.253 to it. Now I can see all computers in Facility 1 from Facility 2 and vice versa.
> I still only want computers in facility 1 from 10.0.1.0/24 to see the 10.0.2.0/24. I do not want 10.0.0.0/24 to see any computer in the 10.0.2.0/24 network.
> On my LAN interface I have set rule #1 to block traffic from 10.0.0.0/24 to 10.0.2.0/24 but that did nothing. On my Facility 2 interface I put a similar block rule, still to no effect.

With LAN interface, do you mean the interface connected to the 10.0.0.0/24 subnet or the 10.0.1.0/24 subnet?

You have to set the block rule on the interface the traffic is coming in on. E.g. to block internet traffic from entering through the WAN interface, the rules have to be defined on the WAN interface. So to block traffic from 10.0.0.0/24 to 10.0.2.0/24 you have to add a block rule on the interface with the 10.0.0.0/24 subnet. (You may already know this but I couldn't find it in your message.)

Hope it helps.

Regards,
Hans
[pfSense Support] IPSec VPN to Juniper Netscreen Appliance
Has anyone successfully created an IPSec VPN connection to a Juniper Netscreen Appliance? I have one to a Cisco working but cannot get the Juniper to connect. We have tried various settings. Both devices have fixed IPs and are the perimeter devices. Thanks, Ron
[pfSense Support] Split DNS Setup
Good Morning,

I have a pfSense box that needs to resolve real world IP addresses (www.google.ca) and also internal office IPs for real world names (www.mydomain.com as 192.168.1.1). This way people in the building can use things just as they would outside but never leave our network.

I have installed TinyDNS and it was working for www.mydomain.com with internal addresses, but I then lost the ability to find google.com, etc.

Any suggestions?

I defined an SOA for mydomain.com and created an A record for it. I had it listening on my LAN IP. Restarted TinyDNS and all was well, till I tried google. It would not resolve that.

Thanks,
Ron
RE: [pfSense Support] Split DNS Setup
Sounds good to me. Where do I find the hosts file? I am used to C:\Windows\System32\Drivers\ETC; I doubt that will work in this case.

Ron Lemon

From: Gabriel - IP Guys [mailto:gabr...@impactteachers.com]
Sent: Friday, November 27, 2009 10:35 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Split DNS Setup

If you're only working with a few servers, 5 - then I would consider just adding those IPs to the hosts file on pfSense. No need for a shotgun to kill a fly!

From: Ron Lemon [mailto:r...@maplewood.com]
Sent: 27 November 2009 15:10
To: support@pfsense.com
Subject: [pfSense Support] Split DNS Setup

Good Morning,

I have a pfSense box that needs to resolve real world IP addresses (www.google.ca) and also internal office IPs for real world names (www.mydomain.com as 192.168.1.1). This way people in the building can use things just as they would outside but never leave our network.

I have installed TinyDNS and it was working for www.mydomain.com with internal addresses, but I then lost the ability to find google.com, etc.

Any suggestions?

I defined an SOA for mydomain.com and created an A record for it. I had it listening on my LAN IP. Restarted TinyDNS and all was well, till I tried google. It would not resolve that.

Thanks,
Ron
RE: [pfSense Support] Split DNS Setup
I have removed TinyDNS and added my overrides to the DNS forwarder (which show in the hosts file). I have cleared my DNS cache on my workstation and then tried to ping my host, and I still get the public IP, not my private one.

I tried restarting the DNS Forwarder then clearing my cache again and I get the same results.

Ron Lemon

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Friday, November 27, 2009 1:17 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Split DNS Setup

On Fri, Nov 27, 2009 at 10:10 AM, Ron Lemon r...@maplewood.com wrote:
> Good Morning,
> I have a pfSense box that needs to resolve real world IP addresses (www.google.ca) and also internal office IPs for real world names (www.mydomain.com as 192.168.1.1). This way people in the building can use things just as they would outside but never leave our network.
> I have installed TinyDNS and it was working for www.mydomain.com with internal addresses, but I then lost the ability to find google.com, etc.

Don't, uninstall that, and use the DNS forwarder with overrides.
RE: [pfSense Support] Split DNS Setup
I am pinging from a client machine. Just to be sure I cleared the DNS cache on another computer and then tried it. Still the live IP.

I have also verified the IP of the DNS server and it is pointed to my pfSense box.

Ron Lemon

-Original Message-
From: Bruce Walker [mailto:bruce.wal...@gmail.com]
Sent: Friday, November 27, 2009 2:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Split DNS Setup

Ron Lemon wrote:
> I have removed TinyDNS and added my overrides to the DNS forwarder (which show in the hosts file). I have cleared my DNS cache on my workstation and then tried to ping my host, and I still get the public IP, not my private one.
> I tried restarting the DNS Forwarder then clearing my cache again and I get the same results.

Are you pinging from within your firewall? Try pinging from one of your internal clients; you should see your private name/host entries from there.

The firewall *itself* will report upstream names because by default /etc/resolv.conf doesn't get modified to use dnsmasq's lookups. So within the firewall itself is a special case, but that likely isn't important (it's not an issue in two setups I run that sound much like yours).

If you really need to make the firewall see your private names, you should read up on dnsmasq's FAQs for the suggested config. You can create /usr/local/etc/dnsmasq.conf and put custom configs in there. They won't get clobbered by firmware upgrades, at least not in 1.2.3, and so far in 2.0.

-bmw
RE: [pfSense Support] Sending traffic out a 2nd WAN interface
Thanks to all those that helped. It was changing the gateway to default that did the trick.

Ron.

-Original Message-
From: Evgeny Yurchenko [mailto:evg.yu...@rogers.com]
Sent: Tuesday, November 03, 2009 11:08 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Sending traffic out a 2nd WAN interface

Ron Lemon wrote:
> Hi Chris and Keenan,
> It is still not working so this is exactly what I have. I don't usually post all the live IPs but at this point I just need it to work.
>
> Windows 2K3 Server (no firewall) 10.0.3.1 - This guy needs to receive LDAP and SMTP traffic from the OPT1 interface.
>
> LAN Rules:
> Proto  Source          Port  Dest            Port  GW            Sched
> TCP    *               *     142.46.226.22   25    142.47.56.89
> TCP    *               *     142.46.226.24   389   142.47.56.89
> TCP    *               *     10.250.223.148  389   142.47.56.89
> *      LAN net         *     *               *     *
>
> OPT1 Rules:
> Proto  Source          Port  Dest            Port  GW            Sched
> TCP    142.46.226.24   *     10.0.3.1        389   142.47.56.89
> TCP    10.250.223.148  *     10.0.3.1        389   142.47.56.89
> TCP    142.46.226.22   *     10.0.3.1        25    142.47.56.89
> ICMP   *               *     *               *     *
> TCP    142.46.226.16   *     LAN net         *     142.47.56.89
>
> OPT1 is on a private network with IP of 142.47.56.90/28 with GW of 142.47.56.89.
>
> From a workstation I can successfully telnet out to 142.46.226.22:25 but I cannot telnet to either of the 389 addresses.
>
> When they try and telnet to me I do see traffic in my FW capture from them on OPT1 for 389 but it never gets passed to the inside machine.
>
> This is driving me nuts and I am sure I am missing something simple, please, any help is appreciated.

I do not think you need to specify a gateway in the OPT1 rules, make it default. Then, you have to set up a port forward NAT on OPT1, so traffic destined to 142.47.56.90:389 should be forwarded to 10.0.3.1. When you create this forwarding, proper rules will be created automatically. If I understand your task correctly...
RE: [pfSense Support] Sending traffic out a 2nd WAN interface
Hi Chris and Keenan,

It is still not working so this is exactly what I have. I don't usually post all the live IPs but at this point I just need it to work.

Windows 2K3 Server (no firewall) 10.0.3.1 - This guy needs to receive LDAP and SMTP traffic from the OPT1 interface.

LAN Rules:
Proto  Source          Port  Dest            Port  GW            Sched
TCP    *               *     142.46.226.22   25    142.47.56.89
TCP    *               *     142.46.226.24   389   142.47.56.89
TCP    *               *     10.250.223.148  389   142.47.56.89
*      LAN net         *     *               *     *

OPT1 Rules:
Proto  Source          Port  Dest            Port  GW            Sched
TCP    142.46.226.24   *     10.0.3.1        389   142.47.56.89
TCP    10.250.223.148  *     10.0.3.1        389   142.47.56.89
TCP    142.46.226.22   *     10.0.3.1        25    142.47.56.89
ICMP   *               *     *               *     *
TCP    142.46.226.16   *     LAN net         *     142.47.56.89

OPT1 is on a private network with IP of 142.47.56.90/28 with GW of 142.47.56.89.

From a workstation I can successfully telnet out to 142.46.226.22:25 but I cannot telnet to either of the 389 addresses.

When they try and telnet to me I do see traffic in my FW capture from them on OPT1 for 389 but it never gets passed to the inside machine.

This is driving me nuts and I am sure I am missing something simple, please, any help is appreciated.

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Monday, November 02, 2009 9:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Sending traffic out a 2nd WAN interface

On Mon, Nov 2, 2009 at 8:10 PM, Ron Lemon rjle...@gmail.com wrote:
> Do I create this rule on the WAN or OPT tab under Firewall rules?

Wherever the traffic is initiated (LAN probably).

> Do I need to enable AON or should I leave automatic?

Automatic.
[pfSense Support] Sending traffic out a 2nd WAN interface
Good Afternoon, I have a pfSense box that has 2 WAN interfaces and 1 LAN interface. I need to be able to send some specific mail traffic out over OPT1 (the second WAN link) depending on the IP that it is destined for. The vast majority of the mail needs to go out over the WAN but a few messages have to be routed to this other interface so that it is kept on someone else's secure network. Do I need to configure Outbound NAT for this? A quick set of steps would be helpful. Thanks, Ron
RE: [pfSense Support] Sending traffic out a 2nd WAN interface
Do I create this rule on the WAN or OPT tab under Firewall rules? Do I need to enable AON or should I leave automatic? Thanks.

-Original Message-
From: Keenan Tims [mailto:kt...@gotroot.ca]
Sent: November-02-09 6:57 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Sending traffic out a 2nd WAN interface

All you need to do is create a PASS rule that matches the traffic, and select the gateway for the WAN you want it to go out. Make sure it appears before any catch-all rules in the list.

Keenan

Quoting Ron Lemon rjle...@gmail.com:
> Good Afternoon, I have a pfSense box that has 2 WAN interfaces and 1 LAN interface. I need to be able to send some specific mail traffic out over OPT1 (the second WAN link) depending on the IP that it is destined for. The vast majority of the mail needs to go out over the WAN but a few messages have to be routed to this other interface so that it is kept on someone else's secure network. Do I need to configure Outbound NAT for this? A quick set of steps would be helpful. Thanks, Ron
[pfSense Support] Multiple WAN Interface and Specific Traffic to Each Interface
I have a pfSense box with a WAN link that goes to the internet. This is where all the web surfing and e-mail comes and goes from. I have a second WAN link (OPT1) that goes to a public semi-private network and I need to route traffic for a couple of specific IPs to this interface. I have the NAT rules set up so that when traffic comes from IP 1.2.3.4 on port 25 it goes to 10.10.10.10. What do I need to do to ensure that traffic destined for 1.2.3.4 goes back out via OPT1 and not WAN? Thanks, Ron
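The first-match ordering Keenan describes, applied to the LAN rule list Ron posted, as an added example (not code from the thread or from pfSense). It models only the rule fields the thread shows; the gateway is Ron's OPT1 gateway, and the LAN subnet 10.0.3.0/24 is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    """One pass rule as shown in the pfSense rule table (only the fields the thread uses)."""
    proto: str              # "TCP", "ICMP" or "*" for any
    src: str                # single address, CIDR, or "*"
    dst: str
    dport: str              # destination port, or "*"
    gateway: Optional[str]  # policy-routing gateway; None = normal routing table (WAN)

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)

def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Optional[Rule]:
    """pf evaluates the interface rule list top-down; the first matching pass rule wins."""
    for rule in rules:
        if rule.proto not in ("*", proto):
            continue
        if not (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)):
            continue
        if rule.dport not in ("*", str(dport)):
            continue
        return rule
    return None  # no pass rule matched: pfSense's default deny

def egress_gateway(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Which gateway a new connection from LAN would leave through under these rules."""
    rule = first_match(rules, proto, src, dst, dport)
    if rule is None:
        return "blocked"
    return rule.gateway or "default (WAN)"

OPT1_GW = "142.47.56.89"   # the OPT1 gateway from the thread
LAN_NET = "10.0.3.0/24"    # assumption: the LAN subnet holding the 10.0.3.1 server

# The LAN rules as posted: three policy-routing rules, then the LAN-net catch-all.
LAN_RULES = [
    Rule("TCP", "*", "142.46.226.22", "25", OPT1_GW),
    Rule("TCP", "*", "142.46.226.24", "389", OPT1_GW),
    Rule("TCP", "*", "10.250.223.148", "389", OPT1_GW),
    Rule("*", LAN_NET, "*", "*", None),
]
# Same rules with the catch-all moved to the top: the mail/LDAP rules are never reached.
LAN_RULES_CATCHALL_FIRST = LAN_RULES[-1:] + LAN_RULES[:-1]
```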
[pfSense Support] Virtualizing pfSense
Good Day All, I would like to take a reasonable machine and run some virtualization software on it so that I can run both pfSense and a copy of a standard workstation image, so I can use it for remote testing. The workstation image will not need to run that often but I need to make sure it is running in the same type of environment as the rest of the internal workstations. Can I safely run pfSense and another OS in a virtualized environment without compromising security? If so, can you give me a basic idea of what I need. Do I need 3 physical NICs in the machine: 1 WAN, 1 LAN, 1 for the workstation image? I will probably use VMware Workstation 6.0; is there anything special I need to do with it, etc.? Your help is greatly appreciated. I have pfSense running in a number of buildings and it works great but this is just one more new twist to it for me. Ron.
RE: [pfSense Support] ICMP not Replying on Virtual IPs
Hi Tim,

I am using port forward. Right now I am forwarding a TCP port (let's say 3389 for RDP) to the internal server and I have a rule set up for that and it works perfectly. What packets are you suggesting I am to forward? There is no forward rule for ICMP.

Thanks.

From: Tim Dickson [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2008 3:26 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] ICMP not Replying on Virtual IPs

What kind of NAT are you using? If it is port forward you'll have to forward the packets as well as adding the rule to your WAN ruleset. If it is 1:1 it should work for you as long as they respond correctly within your network.

-tim

From: Ron Lemon [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2008 12:06 PM
To: support@pfsense.com
Subject: [pfSense Support] ICMP not Replying on Virtual IPs

I have set up a rule to allow all ICMP types from any source, any port, to any destination on any port via any gateway. If I ping my WAN IP it responds correctly. My WAN link also has 6 virtual IPs of type Other configured. I can access the resources via NAT that are on these virtual IPs, but when I ping one of them I never get a response. What else do I need to do to get the virtual IPs to respond to ICMP requests?

Thanks, Ron.
RE: [pfSense Support] ICMP not Replying on Virtual IPs
Hi Gary,

My virtual IPs are of type Other, not ProxyARP (unless Other is another type of ProxyARP). When I try and convert one of them to CARP it tells me I have to put in a password, so I do. Then it tells me that it cannot locate an interface with a matching subnet for IP/32. It says I have to set up an IP in this subnet on a real interface. Since I want this IP to appear on my WAN interface, how do I add this IP in addition to the one currently on it?

Thanks.

-Original Message-
From: Gary Buckmaster [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2008 3:33 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ICMP not Replying on Virtual IPs

Ron Lemon wrote:
> I have set up a rule to allow all ICMP types from any source, any port, to any destination on any port via any gateway. If I ping my WAN IP it responds correctly. My WAN link also has 6 virtual IPs of type Other configured. I can access the resources via NAT that are on these virtual IPs, but when I ping one of them I never get a response. What else do I need to do to get the virtual IPs to respond to ICMP requests? Thanks, Ron.

ProxyARP virtual IPs don't respond to ping. CARP virtual IPs do; if ping is necessary, convert your virtual IPs over to CARP.
[pfSense Support] ICMP not Replying on Virtual IPs
I have set up a rule to allow all ICMP types from any source, any port, to any destination on any port via any gateway. If I ping my WAN IP it responds correctly. My WAN link also has 6 virtual IPs of type Other configured. I can access the resources via NAT that are on these virtual IPs, but when I ping one of them I never get a response. What else do I need to do to get the virtual IPs to respond to ICMP requests? Thanks, Ron.
RE: [pfSense Support] 1.2-RC2 beta1 - 1.2-RC4 upgrade
I have had a similar slow boot process with 1.2RC4 when my WAN connection (which uses DHCP) is unavailable. It took almost 15 minutes to boot the other day. When it finally came up I noticed no WAN IP, so I reset my ISP's device, got an IP, then rebooted pfSense and it came right up. So if it is supposed to be fixed in 1.2RC4, what else might cause this issue?

Thanks, Ron.

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 10:20 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] 1.2-RC2 beta1 - 1.2-RC4 upgrade

Gabriel Green wrote:
> Hi all: I have 1.2RC2-beta1 on a PC installed to HD and want to upgrade to 1.2-RC2. However, after picking the appropriate interfaces, the LiveCD halts on "Configuring WAN interface..." - I try ALT+FunctionKeys to see debugging information; nothing. Then I also tried Ctrl+Alt+Del; again nothing.

There was an issue where, if your WAN was configured for DHCP and there were no DHCP servers available, it would sit there for 20 minutes waiting for a timeout. That's fixed in the updated releases here:
http://snapshots.pfsense.org/FreeBSD6/RELENG_1_2/updates/
http://snapshots.pfsense.org/FreeBSD6/RELENG_1_2/iso/

You can either do the firmware upgrade or reinstall. The firmware upgrade works fine.
RE: [pfSense Support] Dropped WAN connections
The new satellite link is much better than the old; I have been through enough of them to know:
  Hybrid: phone out, sat in
  KU: sat in and out, 512 K in and 20 K out
  KA: sat in and out, 1024 K in and 200 K out

I have been using pfSense since 1.0, I think, and generally it has worked quite well. It was only late summer when this started to become an issue. My provider said it was my tree (it's bare now, so ...) but I think it was close to the time I put an update to pfSense on; I just don't remember whether it was 1.2 RC1 or RC2. It used to stay up for weeks on end.

I have a couple of suggestions to try and a week in Jamaica coming up. Maybe one of those things will help.

Thanks.

-Original Message-
From: Paul M [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 5:04 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Dropped WAN connections

Ron Lemon wrote:
> I have a satellite internet connection, both in and out, attached to a pfSense 1.2RC3 box.

Long ago, when I played with a satellite internet link, it was Windows only, and required some special software on the Windows box which spoofed the 3-way handshake and also ACKs to give the IP stack a false sense of improved latency. As long as the signal was good so packet loss was small, it worked OK. It worked well for FTP and WWW when you didn't care about latency, as once data was streaming it came down pretty fast. Interactive use - ssh for example - was almost impossible, and uplink speed was very poor.

My point being that you'll have to mess about a lot with timer settings to make a satellite link work properly without timeouts; whether you can find some sort of tun/tap driver which will do the spoofing and improve perceived latency is another matter.
[pfSense Support] Dropped WAN connections
Good Afternoon All, I have a satellite internet connection, both in and out, attached to a pfSense 1.2RC3 box. Lately I have been having a connection issue keeping my connection stable on the satellite for some unknown reason. When the connection gets dropped it usually comes back up a short time later, but it seems that the pfSense box does not always either reacquire an IP or sometimes it does not drop the existing one, and I have to do a DHCP renew. I can do this but I do have a need to access this box from the outside world at times, and if I am not on site I cannot do the DHCP renew. Does anyone have any suggestions for a scheduled job to check and see if it can ping something on the outside and, if not, cause a DHCP renew to happen automatically, or any suggestions for that matter? I am more of a Windows kind of guy so I am kind of lost in FreeBSD. Any assistance is much appreciated. Thanks, Ron
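One way to build the scheduled check Ron asks for, as an added example (not code from the thread or from pfSense): a watchdog that probes a few outside hosts and re-runs the DHCP client on WAN only after several consecutive failed checks, so a brief satellite dropout does not by itself trigger a renew. The interface name, the probe targets and the use of FreeBSD's dhclient as the renew command are assumptions.

```python
import subprocess
from typing import Callable, Sequence

WAN_IF = "fxp0"                             # assumption: placeholder WAN interface name
PROBE_TARGETS = ("192.0.2.1", "192.0.2.2")  # constructed placeholders; use hosts that always answer ping
FAILS_BEFORE_RENEW = 3                      # consecutive failed checks before acting

def ping_ok(host: str, timeout_s: int = 5) -> bool:
    """One ICMP probe. FreeBSD ping: -c count, -t overall timeout in seconds (Linux ping differs)."""
    try:
        done = subprocess.run(["ping", "-c", "1", "-t", str(timeout_s), host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 2)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False

def renew_lease(iface: str = WAN_IF) -> None:
    """Assumption: re-running FreeBSD's dhclient on the WAN interface obtains a fresh lease."""
    subprocess.run(["dhclient", iface], check=False)

class Watchdog:
    """Probe and renew logic are injectable so the policy can be tested without a network."""
    def __init__(self, probe: Callable[[str], bool] = ping_ok,
                 renew: Callable[[], None] = renew_lease,
                 targets: Sequence[str] = PROBE_TARGETS,
                 threshold: int = FAILS_BEFORE_RENEW) -> None:
        self.probe, self.renew, self.targets, self.threshold = probe, renew, targets, threshold
        self.failures = 0   # consecutive checks in which no target answered
        self.renewals = 0

    def check(self) -> bool:
        """One check; returns True when this check triggered a DHCP renew."""
        if any(self.probe(t) for t in self.targets):   # any reachable target: link is fine
            self.failures = 0
            return False
        self.failures += 1
        if self.failures < self.threshold:
            return False                               # tolerate a short dropout
        self.renew()
        self.renewals += 1
        self.failures = 0                              # start counting again after acting
        return True

if __name__ == "__main__":
    import time
    wd = Watchdog()
    while True:               # long-running loop rather than cron, so the failure count persists
        wd.check()
        time.sleep(60)
```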
RE: [pfSense Support] Making a VPN Connection
Hi Jeroen,

OK. I have the router being configured for IPsec. Are there any tips or tricks to getting this to work?

Thanks.

From: Jeroen [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 13, 2008 6:42 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Making a VPN Connection

On Jan 10, 2008 10:33 PM, Ron Lemon [EMAIL PROTECTED] wrote:
> Good Afternoon, I have a pfSense 1.2RC3 box that is working quite well on a dual PIII 800. I have managed to get my routed block of IPs working correctly but I am not sure how to make a permanent VPN connection to our other site which currently has a Cisco router. I am able to connect to the router using the MS VPN client but I am not sure how to do it with pfSense.

Use IPsec; this is the best way to connect a Cisco to pfSense. If you are not familiar with Cisco, ask someone to do it for you because it's not really a piece of cake.

-- Jeroen
RE: [pfSense Support] Making a VPN Connection
Thanks Curtis, I will give it a go as soon as they tell me my IPsec is ready.

Ron

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 16, 2008 10:02 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Making a VPN Connection

Here's a link to the best documentation currently available that I know of.
http://doc.m0n0.ch/handbook/examplevpn.html#id2606293

Curtis
[pfSense Support] Making a VPN Connection
Good Afternoon, I have a pfSense 1.2RC3 box that is working quite well on a dual PIII 800. I have managed to get my routed block of IPs working correctly but I am not sure how to make a permanent VPN connection to our other site which currently has a Cisco router. I am able to connect to the router using the MS VPN client but I am not sure how to do it with pfSense. Any assistance would be appreciated. Ron.