[pfSense Support] L2tpd on pfsense?
Hi to all! I was looking for something to replace my Linux VPN server (currently used for L2TP/IPsec VPNs with Windows clients), and I've seen that there is something about L2TP VPN in CVS. Am I wrong? Could I ask the status of this feature? Thank you in advance! Best regards, Tommy
Re: [pfSense Support] L2tpd on pfsense?
mmh, I understand... Is it not possible to help in developing it? Thank you very much, Tommy

On 3/27/07, Holger Bauer wrote:
> It's already implemented in our HEAD code tree but pretty untested currently. Don't expect this to appear in a release before 2.0 (might change, but there is no plan on porting it to the 1.x branch currently).
> Holger
[pfSense Support] NAT-T
Sorry if I ask again.. but I would like to help in developing and testing the NAT-T support (for a future version of pfSense). How can I enable it? I have a development installation, so I can recompile a modified ISO image.. But I do not know if the problem is in ipsec-tools or in the pfSense kernel. Thank you very much, Dido
Re: [pfSense Support] Minimum Hardware 96 MRAM?
On 11/6/06, Bill Marquette wrote:
> On 11/5/06, Rob Terhaar wrote:
> > I store my swapfile on a ram drive!
> I certainly hope that's a joke, cause it's the daftest thing I've ever heard otherwise!!! :)
> --Bill

Mmmh, sorry for the stupid question... but why is it so nasty? I think it depends on what you do with your swap file. I.e., I used a ramdisk for creating squid temporary dirs, and it works faster. Please, let me understand what I should expect from the future :-) Thank you sooo much, Tom
Re: [pfSense Support] Is NAT-T working?
I would like to have it, and help to develop and test it: is it possible to enable it by hand? Today I will install a developer edition, so I think I could patch it and rebuild.. is there an option to enable in the scripts? TIA, Tom

On 10/23/06, Scott Ullrich wrote:
> No, unfortunately NAT-T did not make it into 1.0.
> Scott
>
> On 10/23/06, Tommaso Di Donato wrote:
> > Hi all! Sorry, I've been out for a while, so I missed the important news and I'm trying to get in touch now. Just a question: with the new release, is NAT-T working or not? Should it be enabled manually just to make some tests? Thank you guys, and... great work!!! Tommy
Re: [pfSense Support] 2 squid/pfsense questions...
On 10/16/06, Bill Marquette wrote:
> On 10/15/06, PlanAlpha wrote:
> > 1. I have pfSense installed on a CF card. I have installed the squid package. Does the disk caching from squid write to my CF card? (worried about it killing my CF card)
> Full install to CF card, not an embedded image I take it. Yes, squid's disk caching will be writing to your card - expect a short life expectancy.

Just my .02: I did some experiments with squid, and I solved this problem by creating a ramdisk and letting squid use it for caching. I think it should be even faster, other than saving your CF.. I'm trying to create a custom image; if someone needs it I can send the scripts I will use: any suggestion will be really appreciated... Tom
Re: [pfSense Support] 2 squid/pfsense questions...
On 10/24/06, PlanAlpha wrote:
> Tom - That would be great. Also, what do you think it'd take to add adzapper? I use squid mainly for blocking garbage and a few dozen ACLs, not so much for caching, but it would be nice to get both since it's faster. Thanks!

To be honest, I never heard about adzapper, so I am not the right person to answer this...
[pfSense Support] L2TP VPN?
Hi all! I've just installed RC2, and I've seen there is the daemon l2tpd.. is it working? I know there is not a menu section, but is it possible to use it? Thank you! Tom
Re: [pfSense Support] D-link DGE-530T not detected
This is not a strange behaviour for D-Link: in the past, I had the same problem with a wireless PCMCIA card... It was said that it was supported, but after a few they decided to change the chipset. When I complained about it, they said (more or less) that they can do whatever they want. So.. think what you want, but I'll never buy D-Link hardware anymore... Tom

On 6/30/06, Scott Ullrich wrote:
> On 6/30/06, Hofman, Stéphane wrote:
> > Hello, I've seen on the pfSense website that the Ethernet adapter D-Link DGE-530T is supported: http://pfsense.com/index.php?id=37 I've bought one (model DGE530T REV-B1), and it's not detected during the installation. (Tested under Windows and it works fine.) Can someone explain this?
> Most likely the vendor has changed the chipsets. Verify that the chipset is the same supported chipset that the handbook lists.
Re: [pfSense Support] Free IPsec client software, suggestions?
Try this: http://vpn.ebootis.de/ It is intended for Linux interop, but I think it could help too! Tom

On 4/14/06, Henk van Kester wrote:
> The website is off-line :( does anyone have a local copy of the webpage??
>
> -----Original message-----
> From: lartc
> Sent: Friday, 14 April 2006 8:20
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Free IPsec client software, suggestions?
>
> hi jonathan, windows comes free with an ipsec client although it's a pain in the ass to set up. http://ipsec.math.ucla.edu/services/ipsec-windows.html cheers, charles
>
> On Thu, 2006-04-13 at 10:02 -0500, Jonathan Woodard wrote:
> > Is there a free IPsec VPN client I can use with Windows 2000/XP to connect to pfSense through IPsec? I have been using PPTP but I understand it's not as secure and I'm having trouble getting connected with it on my Linux desktop. I realize this is a bit off topic for pfSense, but someone else might use this discussion later. Thank you very much for any help and please keep up the outstanding work on this project. It's coming along great and I see it really making a name for itself.
Re: [pfSense Support] Problem with ipsec tunnel
I'm just trying now: now I have "Prefer old SA" checked, and I still have problems... SPD and SAD seem to be right, but still no traffic.. Any ideas? Here are my logs:

Mar 3 22:13:50 racoon: ERROR: such policy does not already exist: 172.16.2.0/24[0] 10.0.0.0/24[0] proto=any dir=out
Mar 3 22:13:50 racoon: ERROR: such policy does not already exist: 10.0.0.0/24[0] 172.16.2.0/24[0] proto=any dir=in
Mar 3 22:13:50 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.2[0]-x.y.z.t[0] spi=10162747(0x9b123b)
Mar 3 22:13:50 racoon: INFO: IPsec-SA established: ESP/Tunnel x.y.z.t[0]-192.168.1.2[0] spi=126076060(0x783c49c)
Mar 3 22:13:49 racoon: INFO: no policy found, try to generate the policy : 10.0.0.0/24[0] 172.16.2.0/24[0] proto=any dir=in
Mar 3 22:13:49 racoon: INFO: respond new phase 2 negotiation: 192.168.1.2[0]=151.38.62.199[0]
Mar 3 22:13:48 racoon: INFO: ISAKMP-SA established 192.168.1.2[500]-x.y.z.t[500] spi:6d2498cba6c612f6:80cd6bdabf281eed
Mar 3 22:13:48 racoon: INFO: received Vendor ID: DPD
Mar 3 22:13:48 racoon: INFO: begin Aggressive mode.
Mar 3 22:13:48 racoon: INFO: respond new phase 1 negotiation: 192.168.1.2[500]=x.y.z.t[500]

Thank you!

On 3/3/06, John Cianfarani wrote:
> I don't see a release of 0.6.5 released yet on their webpage… unless it's recently available in their cvs… Did you try checking the Prefer Old SA option (whose value is reversed, making it prefer new SAs; see the previous thread between me and Bill)? Since checking this my tunnels have been very stable.
> John
>
> From: Pedro Paulo de Magalhaes Oliveira Junior
> Sent: Friday, March 03, 2006 10:16 AM
> To: support@pfsense.com
> Subject: RES: [pfSense Support] Problem with ipsec tunnel
>
> Does Beta2 have the mobile IPsec problem fixed that was related to ipsec-tools-0.6.5?
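The log excerpt above shows the combination worth recognising automatically: phase 1 and both ESP SAs come up, yet racoon reports SPD policy errors for the negotiated selectors, which is consistent with "SA established but no traffic". The following triage script is an added example, not code from the list or from pfSense; it parses racoon syslog lines in the format quoted above (the sample is constructed from them, with the peer masked as x.y.z.t throughout) and pulls out the selector pair to compare against the phase 2 subnet settings on both ends. The "NAT" keyword check is an assumption about racoon's NAT-T log wording.

```python
"""Triage racoon (ipsec-tools) log lines for the "SA up but no traffic" case.

Added example for this thread; not code from the list or from pfSense.
Parses syslog lines in the format the thread quotes, orders them oldest
first (the pfSense log viewer shows newest first) and separates
"tunnel negotiated" events from SPD policy errors.
"""
import re

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed sample: the lines quoted above, peer masked as x.y.z.t.
SAMPLE_LOG = """\
Mar 3 22:13:50 racoon: ERROR: such policy does not already exist: 172.16.2.0/24[0] 10.0.0.0/24[0] proto=any dir=out
Mar 3 22:13:50 racoon: ERROR: such policy does not already exist: 10.0.0.0/24[0] 172.16.2.0/24[0] proto=any dir=in
Mar 3 22:13:50 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.2[0]-x.y.z.t[0] spi=10162747(0x9b123b)
Mar 3 22:13:50 racoon: INFO: IPsec-SA established: ESP/Tunnel x.y.z.t[0]-192.168.1.2[0] spi=126076060(0x783c49c)
Mar 3 22:13:49 racoon: INFO: no policy found, try to generate the policy : 10.0.0.0/24[0] 172.16.2.0/24[0] proto=any dir=in
Mar 3 22:13:49 racoon: INFO: respond new phase 2 negotiation: 192.168.1.2[0]=x.y.z.t[0]
Mar 3 22:13:48 racoon: INFO: ISAKMP-SA established 192.168.1.2[500]-x.y.z.t[500] spi:6d2498cba6c612f6:80cd6bdabf281eed
Mar 3 22:13:48 racoon: INFO: received Vendor ID: DPD
Mar 3 22:13:48 racoon: INFO: begin Aggressive mode.
Mar 3 22:13:48 racoon: INFO: respond new phase 1 negotiation: 192.168.1.2[500]=x.y.z.t[500]
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
# Selector pair as racoon prints it: "src[port] dst[port] proto=... dir=in|out"
SELECTOR_RE = re.compile(
    r"(?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=\S+ dir=(?P<dir>in|out)")


def parse(text):
    """Return the racoon events in chronological order (oldest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())

    def key(e):
        month = MONTHS.index(e["mon"]) if e["mon"] in MONTHS else 0
        return (month, int(e["day"]), e["time"])

    return sorted(events, key=key)   # stable: equal timestamps keep order


def diagnose(events):
    """Summarise what the negotiation achieved and which selectors failed."""
    report = {"phase1": False, "aggressive": False, "phase2_sas": 0,
              "nat_t_seen": False, "policy_errors": []}
    for e in events:
        msg = e["msg"]
        if msg.startswith("ISAKMP-SA established"):
            report["phase1"] = True
        elif msg.startswith("begin Aggressive mode"):
            report["aggressive"] = True
        elif msg.startswith("IPsec-SA established"):
            report["phase2_sas"] += 1
        elif e["level"] == "ERROR" and "policy does not already exist" in msg:
            sel = SELECTOR_RE.search(msg)
            if sel:
                report["policy_errors"].append(
                    (sel["src"], sel["dst"], sel["dir"]))
        # Assumption: racoon's NAT-T messages contain the word "NAT"; the
        # sample has none, consistent with a build without NAT-T.
        if "NAT" in msg:
            report["nat_t_seen"] = True
    return report


def expected_selectors(report):
    """(local_subnet, remote_subnet) from the outbound policy error, i.e.
    the pair to compare with the phase 2 settings configured on both sides."""
    for src, dst, direction in report["policy_errors"]:
        if direction == "out":
            return (src, dst)
    return None


def verdict(report):
    """Coarse classification of where the tunnel stopped."""
    if not report["phase1"]:
        return "phase1-failed"      # nothing negotiated: PSK, identifier, UDP 500
    if report["phase2_sas"] == 0:
        return "phase2-failed"      # IKE ok, no ESP SAs: phase 2 proposals
    if report["policy_errors"]:
        # ESP SAs exist, but racoon could not find the SPD entries it expected
        # for these selectors, so traffic has nothing steering it into the
        # tunnel even though the SAD looks complete.
        return "spd-mismatch"
    return "negotiated"


if __name__ == "__main__":
    rep = diagnose(parse(SAMPLE_LOG))
    print(verdict(rep), expected_selectors(rep))
```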
Re: [pfSense Support] Problem with ipsec tunnel
On 3/2/06, John Cianfarani wrote:
> 1. Even though you need to NAT for your inside hosts, IPsec is listening on the WAN interface.

I'm sorry... I cannot understand the point.. PC - pfSense - Cisco 827 - internet. Here I have 2 NATs: pfSense is NATting my PC, and the Cisco is NATting pfSense. Of course, in pfSense I can see racoon listening on the WAN interface (only on 500/udp, not on 4500/udp).

> 2. Not sure but my guess would be no (without a lot of easy configuration changes).

You mean you guess there is no port 4500?

> One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the "Prefer old IPSec Sa" checkbox under System - Advanced. Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs. That was the heart of a lot of my IPsec troubles.

mmh, I tried both ways... no differences...

> Do you have the WAN as the local endpoint and LAN Subnet as the local subnet on each side? As I believe there still is an issue with ipsec-tools if you are trying to do a host-to-host setup (/32s).

Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here in order to send logs...

> What are you using as your local identifier, IP or FQDN?

I tried both. Obviously, changing the PSK accordingly...

> Once you get a session up can you do a "ping -c 5 -S your-pfsense-lan-ip remote-pfsense-lan-ip" from the Diag - Command Prompt tab?

Ok, I'll do it.. For now, I am testing pinging from a PC on the LAN side. I think this night I'll do some other tests, using as second endpoint a Linux box (I am more familiar with the Linux IPsec implementation). Ah, by the way.. when I see an SPD or an SA established, should something be visible with netstat -rn? Thank you again...

> Thanks
> John
Re: [pfSense Support] Problem with ipsec tunnel
On 3/2/06, John Cianfarani wrote:
> Ah, it was late last night, I misread part of that; no more 3am replies. :P

Eh eh, same habits.. don't worry!

> On the Ciscos, are you forwarding the appropriate ports (protocol 50/51 ESP/AH, and UDP 500) to the inside pfSense boxes?

At the moment, I am forwarding only 500/udp, because of 2 problems: the first is that I am not so good in Cisco programming, so I do not know how to forward AH/ESP (but I think that I could solve this problem with a bit of googling). The second is that I looked for the 4500/udp port listening, and I found nothing. So.. I thought that there was a problem (or a misconfiguration in racoon). Now I enabled 4500/udp, this night I'll test again..

> In any of your rules are you allowing UDP isakmp and ESP to the host? They might even have an IPsec passthrough option to do this.

I think that pfSense does it automatically. Am I wrong? Or are you speaking about the routers?

> Sorry for the confusion

No.. you're welcome! Thank you again! Tom
Re: [pfSense Support] Problem with ipsec tunnel
Yes it is.. and those rules are already present! Thank you again, I'll let you know.

On 3/2/06, John Cianfarani wrote:
> For the rules I was speaking about the Cisco: do you know if these run IOS? I'm not sure if these ADSL devices run that or just a GUI. If it's IOS the rules would be something like:
> permit esp any any
> permit any any eq isakmp
> John
Re: [pfSense Support] pfSense beta 1 package installation issues...
I'm sorry... I can see there is also this version, that seems newer: http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-20-06/ (but there is only the update). Is there something wrong with this version? Thank you! Tom

On 3/2/06, Scott Ullrich wrote:
> http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/
>
> On 3/2/06, Brian E. Tafoya wrote:
> > Do you have details as to where to get the update? I was unable to find it. Thanks!
> > Brian Tafoya, Director of Software Development, Hot Stix Technologies, 14825 N. 82nd Street, Scottsdale, AZ 85260, (480) 513-1333, www.HotStixGolf.com
> >
> > -----Original Message-----
> > From: Scott Ullrich
> > Sent: Thursday, March 02, 2006 8:44 AM
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] pfSense beta 1 package installation issues...
> >
> > FAQ. Update to testing snapshot.
> >
> > On 3/2/06, Brian E. Tafoya wrote:
> > > I have just recently installed the latest version of pfSense, replacing a m0n0wall that ran on a PC, and have run into a snag I have not been able to resolve... When attempting to install any package from the web interface I get a "package installation failed" error. Here is the log file created for the package:
> > >
> > > Beginning package installation.
> > > Downloading package configuration file...
> > > Array ( [0] = Requested space: 1140 bytes, free space: 13426325504 bytes in /var/tmp/instmp.CDV3YR [1] = tar: Unrecognized archive format: Inappropriate file type or format [2] = pkg_add: tar extract of /tmp/apkg_ failed! [3] = pkg_add: unable to extract table of contents file from '/tmp/apkg_' - not a package? [4] = pkg_add: 1 package addition(s) failed )
> > > Package WAS NOT installed properly.
> > >
> > > The firewall has internet access and is working just fine otherwise. Any help would be GREATLY appreciated!
> > > Brian Tafoya
Re: [pfSense Support] Site-to-site IPSec
Oh.. you're welcome! I experienced the same problem with openswan and a Linux gateway, a few years ago. I'm happy you solved some problems.. Tom

On 3/2/06, Bennett wrote:
> Good call, Tom. Both sites fragment at 1473, but don't fragment or respond when the packet size is 1419-1472, and finally respond for 1418 and lower. (My home PC fragments at 1372, below the black hole range, which explains why everything worked from my house.) Lowering the MTU on pfSense didn't do anything for my situation, so I enabled black hole detection on my server per http://support.microsoft.com/kb/900926/ . Haven't thoroughly tested, but at least Remote Desktop connects now. Thanks, Tom!
>
> From: John Cianfarani
> Sent: Thursday, March 02, 2006 1:57 AM
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Site-to-site IPSec
>
> Tom might be on the right track here; you can also try to ping across the link making the packet size larger and larger with (-l size) and with the do not fragment set (-f). Thanks, John
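The probing John suggests and the numbers Bennett reports above (replies up to a 1418-byte ICMP payload, silence for 1419-1472, "fragmentation needed" from 1473) describe a path-MTU black hole: oversized DF packets are dropped without the ICMP error that path-MTU discovery depends on. The script below is an added example, not code from the list or from pfSense; it bisects for the working ceiling and the black-hole range and derives the path MTU and a TCP MSS from them. The probe is a constructed stand-in that reproduces Bennett's results so the search runs offline; a real probe would issue a don't-fragment ping of the given payload size (on Windows, `ping -f -l SIZE HOST` as in John's note) and map the outcome to one of the three result strings.

```python
"""Path-MTU black-hole triage for a site-to-site IPsec link.

Added example for this thread; not code from the list or from pfSense.
A probe function returns one of three outcomes for a don't-fragment ICMP
echo of a given payload size; the search locates the largest size that is
answered and the range above it that is silently dropped.
"""
REPLY, SILENT, FRAG_NEEDED = "reply", "silent", "frag-needed"

# Windows "ping -l N" counts only the ICMP payload; on the wire it adds
# 8 bytes of ICMP header and 20 bytes of IPv4 header.
ICMP_IP_OVERHEAD = 28
# A TCP segment on the same path pays 20 (IPv4) + 20 (TCP) header bytes.
TCP_IP_HEADERS = 40


def simulated_probe(payload):
    """Constructed stand-in reproducing the link described in the thread."""
    if payload <= 1418:
        return REPLY
    if payload <= 1472:
        return SILENT        # the black hole: dropped, no ICMP error back
    return FRAG_NEEDED       # too big for the first hop: ICMP error back


def bisect_largest(probe, lo, hi, ok):
    """Largest size in [lo, hi] for which ok(probe(size)) holds.

    Assumes ok(probe(lo)) is True, ok(probe(hi)) is False and the outcome
    is monotone in between, which a fixed path MTU gives."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ok(probe(mid)):
            lo = mid
        else:
            hi = mid
    return lo


def triage(probe, lo=0, hi=1500):
    """Find the answered payload ceiling and any black hole above it.

    lo must be answered; hi (1500, more than Ethernet allows once headers
    are added) must be refused with frag-needed by the sending host."""
    if probe(lo) != REPLY or probe(hi) != FRAG_NEEDED:
        raise ValueError("probe bounds do not bracket the path MTU")
    largest_reply = bisect_largest(probe, lo, hi, lambda r: r == REPLY)
    # Above the last reply, find where silence turns into ICMP errors.
    largest_unreported = bisect_largest(
        probe, largest_reply, hi, lambda r: r != FRAG_NEEDED)
    black_hole = None
    if largest_unreported > largest_reply:
        black_hole = (largest_reply + 1, largest_unreported)
    path_mtu = largest_reply + ICMP_IP_OVERHEAD
    return {
        "largest_reply": largest_reply,
        "black_hole": black_hole,
        "path_mtu": path_mtu,
        # MSS at which every full TCP segment stays at the size that was
        # still answered, i.e. below the black hole.
        "tcp_mss": path_mtu - TCP_IP_HEADERS,
    }


if __name__ == "__main__":
    print(triage(simulated_probe))
```

Bennett's fix was black-hole detection on the server; an MSS clamp at the computed tcp_mss value is the equivalent at the firewall, since it keeps every full segment at a size the path still answered.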
[pfSense Support] Problem with ipsec tunnel
Hi guys! Yesterday I tried to set up a VPN tunnel between me and a friend. We had mainly 2 problems: first, we both have dynamic IPs (but this could be solved for example by looking at the IP given by the provider, and setting up the tunnel with that IP). Second, we are both behind a DSL router, so the pfSense boxes are both NATed.. I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using a DynDNS record, etc. But I had problems.. the IPsec SA establishes, the SPD also, but in the end I cannot have traffic passing. NO traffic dropped in the firewall logs. On the routers, we redirected only port 500/UDP from the router to the pfSense boxes... So, my questions are:
1) is it possible to establish such a tunnel (2 NATed endpoints, in aggressive mode, PSK)? In early IPsec-over-UDP implementations, I can remember there were some problems in such a configuration
2) if it is possible, do I have to redirect other ports? In the Linux IPsec implementation, when I use NAT-T I had to rdr port 4500/udp, but on my pfSense box I cannot see such a port open
3) ..and in the end.. am I missing something? I do not have my box with me now, but I can recall the settings very well.. I'm using the 02-20 SNAPSHOT.
Thank you, guys.. very much. Tom
Re: [pfSense Support] Site-to-site IPSec
On 3/2/06, Bennett wrote:
> DOESN'T WORK:
> 1) Remote Desktop gets a response from the remote computer and opens a blank window, but never makes it to the login screen and eventually disconnects citing a possible network failure (note that if there was no initial response, Remote Desktop would say it couldn't connect to the remote computer and not open the window)

In my personal experience with Linux, this was due to TCP MSS clamping and path-MTU discovery. Try to specify a fixed MTU.. But I have to say that I'm not a pf guru.

> 2) Exchange 2003 servers on either end of the VPN can't see each other
> 3) Browse shares by computer name

I think they are related.. Hope it helps, Tom
Re: [pfSense Support] very slow GUI response
Hi! I found that some operations may be very slow if the box cannot resolve names correctly (i.e., if the WAN interface is not connected, or if the DNS servers aren't specified.. and so on). I hope it helps. Tom

On 2/26/06, Eric dai wrote:
> Dear sir: I set up a pfSense box with the configuration below:
> 1) CPU: Intel Celeron D 2.13 GHz
> 2) MEM: 512MB
> 3) 1GB compact flash card
> 4) Intel GB NIC * 2
> but I find the webGUI is very slow to respond. How can I improve it? thanks and best regards, Eric dai
[pfSense Support] Just a little problem with the sound..
Hi guys! Just a small thing: my pfSense stopped beeping when it starts and at the shutdown.. Now I'm using the latest snapshot, but I'm experiencing this since a few versions (at least before beta1). I found the problem (at least.. I found a solution.. tell me if this is correct in theory, but it practically works): in /usr/local/bin/beep.sh, I changed the line
if [ -f /dev/speaker ]; then
into
if [ -e /dev/speaker ]; then
And now it's ok. Hope it helps. Tom
[pfSense Support] Error in build_iso.sh
Hi! I'm trying to build a new custom ISO using the pfSense developer ed.; this is not the first time I do this, but a few days ago I did a
cd /home/pfsense/tools/builder_scripts
./cvsup_current
and after that, I cannot make an ISO anymore.. This is the error:

Building world for i386 architecture
NO_BUILDWORLD set, skipping build
Building kernel for i386 architecture
NO_BUILDKERNEL set, skipping build
Installing world for i386 architecture
Making hierarchy
Installing everything
Something went wrong, check errors! Log saved on /home/pfsense/freesbie2/.tmp_installworld
*** Signal 15
Stop in /home/pfsense/freesbie2.

If I look in the log file, this is what I find:

=== gnu/lib/libstdc++ (install)
install -C -o root -g wheel -m 444 libstdc++.a /usr/local/pfsense-fs/usr/lib
install: libstdc++.a: No such file or directory
*** Error code 71
1 error
*** Error code 2
1 error

The problem is that.. libstdc++.a exists!!
# find / -name libstdc++.a
/usr/lib/libstdc++.a
Could anybody help me? TIA, Tommy
Re: [pfSense Support] Error in build_iso.sh
...I was finishing testing it out, but another cvsup_current solved the problem! Scott, thank you again for your quick response! Tom

On 2/6/06, Scott Ullrich [EMAIL PROTECTED] wrote: Remove the object directory from /usr/obj* and try over. This is related to the make.conf changes that have been talked about in the last couple of days here.

On 2/6/06, Tommaso Di Donato [EMAIL PROTECTED] wrote: Hi! I'm trying to build a new custom ISO using the pfSense developer edition; this is not the first time I've done this, but a few days ago I did

cd /home/pfsense/tools/builder_scripts
./cvsup_current

and after that, I cannot make an ISO anymore.. This is the error:

cut
Building world for i386 architecture
NO_BUILDWORLD set, skipping build
Building kernel for i386 architecture
NO_BUILDKERNEL set, skipping build
Installing world for i386 architecture
Making hierarchy
Installing everything
Something went wrong, check errors! Log saved on /home/pfsense/freesbie2/.tmp_installworld
*** Signal 15
Stop in /home/pfsense/freesbie2.
/cut

If I look in the log file, this is what I find:

=== gnu/lib/libstdc++ (install)
install -C -o root -g wheel -m 444 libstdc++.a /usr/local/pfsense-fs/usr/lib
install: libstdc++.a: No such file or directory
*** Error code 71
1 error
*** Error code 2
1 error

The problem is that.. libstdc++.1 exists!!

# find / -name libstdc++.a
/usr/lib/libstdc++.a

Could anybody help me? TIA Tommy
[pfSense Support] Protecting the console menu with password
Hi all. Just a question: is it possible to protect the console menu by asking for a password, like what happens when you log in via ssh? Thank you in advance. Tom
Re: [pfSense Support] developer build
Hi! I manually updated /home/pfsense/pfSense/config.default/config.xml and my changes are still there, even after every build... I think cvs does not overwrite this file. Try it and see if it works for you too... Tom

On 1/13/06, alan walters [EMAIL PROTECTED] wrote: Just wondering how I can stop the cvs from updating before a build. I want to edit the default xml file to allow for automated installs of our firewall configurations. Is this possible? Alan Walters, Aillwee Cave Company Limited, Ballyvaughan, Co Clare. Ph (00353) 65 7077 036, Fax (00353) 65 7077 107, Lo Call 1890 AILLWEE
[pfSense Support] Question about Dev.Ed.
Hi Guys! I'm working with the developers edition, and it is fantastic. I have to fix two problems, and then (if you like) I would like to write down some notes about it, like documentation. Now the questions:

1) I rebuilt the iso yesterday, and I found BETA2. Is it right? If so, marvellous!
2) I tried to use the plugin customroot for customizing /etc/passwd and /etc/master.passwd, but nothing seems to happen.. Do I have to change something? i.e. enable that plugin?
3) I would like to set a different boot timeout (shorter than 10 seconds): how can I do it?

Thank you guys, you are all great!! Tom
Re: [pfSense Support] Question about Dev.Ed.
Scott, thank you very much for your answers...

1) I rebuilt the iso yesterday, and I found BETA2. Is it right? If so, marvellous!
SHH! Don't tell anyone. It's not even close to being ready.
Ok, I'll be like a tomb.

2) I tried to use the plugin customroot for customizing /etc/passwd and /etc/master.passwd, but nothing seems to happen.. Do I have to change something? i.e. enable that plugin?
Not sure, need to ask Dario.
Thank you!

3) I would like to set a different boot timeout (shorter than 10 seconds): how can I do it?
Update /boot/loader.conf
I'll try immediately! Remember, consider me if you need some docs.. Tom
[pfSense Support] Problem with pfSense Developers Edition
Hi Guys! I know this is not a priority at this moment.. but I would like to report a problem with the new dev. ed. (the one dated 12/14/2005). I just downloaded it, started it, updated the firmware with pfSense-Full-Update-1.0-BETA1.tgz, then I did a ./cvsup_current. Everything good. But when I execute ./build_iso.sh I receive:

- rootmfs
Adding init script for /root mfs
Saving mtree structure for /root
- varmfs
Adding init script for /var mfs
cp: /home/pfsense/freesbie2/extra/varmfs/varmfs.rc: No such file or directory
*** Error code 1
Stop in /home/pfsense/freesbie2.

Previously, I was able to build a custom ISO file with the first version of the VM. Did anyone experience a similar problem? Thank you! Tommaso
[pfSense Support] A question about Developers Edition
Hi! I would like to ask for some info about the Developers Edition: is a new release of that image planned after the 1st Jan (that is, after v1.0 is released)? If not, can I use the last one, and then update it? I would like to create a personalized version, but using the most updated pfSense version. TIA! Tom
[pfSense Support] HW infos
Hi guys! Today I've seen this piece of hw: http://linitx.com/product_info.php?currency=EUR&cPath=14_49&products_id=340 It is based on a LEX CV860A mobo.. I would like to know if anybody out there has experience of pfSense running on this kind of hw: I've seen the CPU is the well-known VIA C3, so I'm quite confident about it. But the NICs are Intel (in the past I read in the ml that they suck on FreeBSD), or Realtek. Please, could anybody share their experience? TIA Tom
Re: AW: [pfSense Support] pfSense VMWare Developers Edition
Hi Scott! First, thank you very very much for this edition, it is very useful!! I am trying to include my own personal hacks in an iso image (i.e. Clam antivirus, some new binaries, a custom.inc file with my own functions, etc). When I build the image, everything is ok, but the only things that get replicated into the ISO are the files in the www directory. Is it normal? If so, do I have to change the build_iso script? Thank you again. P.S. Even in my case, the good beer helped a lot!

On 12/14/05, Scott Ullrich [EMAIL PROTECTED] wrote: On 12/14/05, Eric Masson [EMAIL PROTECTED] wrote: Scott Ullrich [EMAIL PROTECTED] writes: Hrm? It shouldn't be syncing with cvsup.livebsd.com ... Was this with cvssync? Nope, cvsup_current script. Err, that's what I meant :) If so, edit /etc/current_supfile and change cvsup.livebsd.com to cvsup2.freebsd.org Ok, done, I'll have a beer now ;) But not a cheap one! Scott
[pfSense Support] Are we still in alpha?
Hi guys... Just a bit of curiosity: are we still in alpha, or with the last versions can we consider pfSense in a beta stage? I know that the timeline is not to be taken so strictly, but following it, we should be very near to RC... Thank you again, Tom
[pfSense Support] ipfw and pf
Hi guys! Sorry, I read the last thread about captive portal, and from what I understood there is a plan to abandon ipfw. Does this mean that in the future (e.g. v1.0) it is planned to remove the ipfw kernel module? I am using ipfw for integrating pfSense with p3scan, so I would like to ask you if it is possible to maintain that module anyway. Thank you very very much. Tom
Re: [pfSense Support] Problems in version 0.92
Thank you! You are always so ready..

On 11/9/05, Scott Ullrich [EMAIL PROTECTED] wrote: This is fixed in CVS.

On 11/9/05, Tommaso Di Donato [EMAIL PROTECTED] wrote: I know it is a retired version, but I experienced a problem with the LAN IP: after the first reboot after upgrading, the menu does not show the LAN IP. Note that ifconfig shows the right IP, so it seems to be only a menu problem... Tom
[pfSense Support] New releases?
Hi guys! After the release of v. 0.92 (which was then pulled), I didn't see any other release... Maybe we are at the final stages, before v1.0!? Great work, guys, and thank you again!! Tom
[pfSense Support] V. 0.92??
Hi to all! I'm sorry, am I still drunk or does the v0.92 live cd no longer appear in the mirrors? I downloaded it a few days ago and now I can't see it.. Is it a bad release, or is there a problem with the mirrors? Tom
Re: [pfSense Support] webGUI modification
My plans were to send out the modification when the gui is in its final version, but if someone wants it now, please let me know.

On 11/1/05, Emanuel A. Gonzalez [EMAIL PROTECTED] wrote: This would be a very interesting option! I'm really waiting to see it...

-Original Message- From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]] Sent: Monday, 31 October 2005 02:56 a.m. To: support@pfsense.com Subject: Re: [pfSense Support] webGUI modification

I would enjoy this solution very much! But I think that would be trickier because you need 2 web servers running.. In my opinion, a faster solution could be to prepare a simple opening page, with some statistics and graphs, and from there a link to the real webgui. However, we are working on personalizing the menu, with a page that lets you choose which items to see in the menu. If someone is interested... let me know (we stopped the development a bit, because we are waiting for the stable final version...)

On 10/31/05, Tim Dickson [EMAIL PROTECTED] wrote: What if you moved the admin site to a different port and left a ripped down read only version on port 80. This would eliminate the need for a user database but still allow both versions to reside. Just a thought. ( I realize it wouldn't be the most secure solution... but a solution none the less :) )
Re: [pfSense Support] webGUI modification
I would enjoy this solution very much! But I think that would be trickier because you need 2 web servers running.. In my opinion, a faster solution could be to prepare a simple opening page, with some statistics and graphs, and from there a link to the real webgui. However, we are working on personalizing the menu, with a page that lets you choose which items to see in the menu. If someone is interested... let me know (we stopped the development a bit, because we are waiting for the stable final version...)

On 10/31/05, Tim Dickson [EMAIL PROTECTED] wrote: What if you moved the admin site to a different port and left a ripped down read only version on port 80. This would eliminate the need for a user database but still allow both versions to reside. Just a thought. ( I realize it wouldn't be the most secure solution... but a solution none the less :) )
Re: [pfSense Support] Transparent Squid proxy in DMZ?
Maybe I did not understand well, but redirecting http traffic to a host located in the DMZ is not policy-based routing... In my opinion it is a simple redirect of 80/tcp to a particular host. Obviously, here the host is in the DMZ. Sorry if I understood wrong..

On 10/26/05, Gary Buckmaster [EMAIL PROTECTED] wrote: Actually the recipe called for here is a policy-based route. Effectively routing all dest port 80 traffic (and any other http-speaking client traffic) to the squid box. Tommaso is correct, however, https traffic cannot be transparently proxied.

-Original Message- From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 26, 2005 1:46 AM To: support@pfsense.com Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?

From what I can recall, it is possible to transproxy only http traffic, not https (because of encrypted http headers). I do not know if, in the meanwhile, something has changed... You have to set up a NAT rule; right now I do not have a pfSense box so I cannot write down every exact step... but I am quite sure it is in the FAQs... Tom

On 10/26/05, Kyle Mott [EMAIL PROTECTED] wrote: Hey, so I have a Squid box running Dansguardian on my DMZ interface, and I want to be able to direct (transparently of course) any HTTP/HTTPS traffic destined for the internet to my Squid server in my DMZ. Currently, I just use the manual proxy config (which is a PITA). Is there a way to do this?
Re: [pfSense Support] Transparent Squid proxy in DMZ?
Yes.. it is a very interesting concept, I did not even think about this solution.. Thank you guys, I love to try different solutions!!! Tom

On 10/26/05, Bill Marquette [EMAIL PROTECTED] wrote: On 10/26/05, Tommaso Di Donato [EMAIL PROTECTED] wrote: Maybe I did not understand well, but redirecting http traffic to a host located in the DMZ is not policy-based routing... In my opinion it is a simple redirect of 80/tcp to a particular host. Obviously, here the host is in the DMZ. Sorry if I understood wrong..

Depends on if you use port forwarding (rdr) to achieve the goal or treat the squid box as another gateway and use 'route-to' for port 80 traffic. I suspect the latter is what Gary was talking about and is an interesting concept. --Bill
Re: [pfSense Support] Transparent Squid proxy in DMZ?
Hi! Gary, maybe I do not understand your point of view perfectly, because I used Squid mainly under Linux. I understand we are speaking about using Squid as a LAN-WAN web cache; the only thing I cannot understand is why, in your opinion, transproxy could not work simply by redirecting web traffic (instead of using route-to). In Linux this is the only possible way of doing this (at least, without using iproute and tc), so I always configured my squid as transproxy, and used the iptables redirection. Anyway, I understand you are speaking about a totally different way of doing it (and in my opinion, both ways can work), so I am very happy to learn something new!

On 10/26/05, Gary Buckmaster [EMAIL PROTECTED] wrote: Because of the way squid works, a squid box should be treated as a second gateway, in this case for http-based traffic only. As a result, using a route-to (or in Cisco parlance, policy-based route) is the solution. To avoid confusion, this is for outbound (LAN-WAN) traffic for the purposes of web caching and content filtering. There are perfectly valid reasons for using squid as an http accelerator sitting in front of web servers, which may have been what confused Tomasso. -Gary

-Original Message- From: Bill Marquette [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 26, 2005 8:48 AM To: support@pfsense.com Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?

On 10/26/05, Tommaso Di Donato [EMAIL PROTECTED] wrote: Maybe I did not understand well, but redirecting http traffic to a host located in the DMZ is not policy-based routing... In my opinion it is a simple redirect of 80/tcp to a particular host. Obviously, here the host is in the DMZ. Sorry if I understood wrong..

Depends on if you use port forwarding (rdr) to achieve the goal or treat the squid box as another gateway and use 'route-to' for port 80 traffic. I suspect the latter is what Gary was talking about and is an interesting concept. --Bill
Re: [pfSense Support] Transparent Squid proxy in DMZ?
Oh.. sorry, maybe the confusion came up because in Linux we also call it a redirect when the destination is not on the same host (in this case, even when squid is not on the gateway). I set up such a scenario a lot of times, and never called squid a second gateway, because in the end squid accesses the internet passing again through the firewall.. and not using a separate, dedicated connection. But.. ok, I think this is only a matter of terms.. Thank you again! Tom

On 10/26/05, Gary Buckmaster [EMAIL PROTECTED] wrote: I think the confusion here stems from where squid lives on the network. If you run squid on your firewall, then a simple redirect rule can be used to redirect LAN-WAN http traffic up to the port squid is listening on. If, however, you are running squid on a separate machine somewhere on your network (I believe the OP is running his squid box in the DMZ) then you can (and should) have your firewall do the work of redirecting traffic to the squid box. Squid, in this scenario, acts as a second gateway for the network but only for squid-relevant traffic. I hope this clarifies things. -Gary

-Original Message- From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 26, 2005 9:24 AM To: support@pfsense.com Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?

Hi! Gary, maybe I do not understand your point of view perfectly, because I used Squid mainly under Linux. I understand we are speaking about using Squid as a LAN-WAN web cache; the only thing I cannot understand is why, in your opinion, transproxy could not work simply by redirecting web traffic (instead of using route-to). In Linux this is the only possible way of doing this (at least, without using iproute and tc), so I always configured my squid as transproxy, and used the iptables redirection. Anyway, I understand you are speaking about a totally different way of doing it (and in my opinion, both ways can work), so I am very happy to learn something new!

On 10/26/05, Gary Buckmaster [EMAIL PROTECTED] wrote: Because of the way squid works, a squid box should be treated as a second gateway, in this case for http-based traffic only. As a result, using a route-to (or in Cisco parlance, policy-based route) is the solution. To avoid confusion, this is for outbound (LAN-WAN) traffic for the purposes of web caching and content filtering. There are perfectly valid reasons for using squid as an http accelerator sitting in front of web servers, which may have been what confused Tomasso. -Gary

-Original Message- From: Bill Marquette [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 26, 2005 8:48 AM To: support@pfsense.com Subject: Re: [pfSense Support] Transparent Squid proxy in DMZ?

On 10/26/05, Tommaso Di Donato [EMAIL PROTECTED] wrote: Maybe I did not understand well, but redirecting http traffic to a host located in the DMZ is not policy-based routing... In my opinion it is a simple redirect of 80/tcp to a particular host. Obviously, here the host is in the DMZ. Sorry if I understood wrong..

Depends on if you use port forwarding (rdr) to achieve the goal or treat the squid box as another gateway and use 'route-to' for port 80 traffic. I suspect the latter is what Gary was talking about and is an interesting concept. --Bill
Re: [pfSense Support] Problem in installing 0.89.2 under VmWare
Do not worry, I worked around it by installing 0.86.4 and then upgrading.. (I think you have more important things to do!)

On 10/24/05, Scott Ullrich [EMAIL PROTECTED] wrote: I've reproduced the problem. Will have it fixed soon. Scott

On 10/24/05, Tommaso Di Donato [EMAIL PROTECTED] wrote: Hi to all. I have a problem installing pfSense 0.89.2 as a vmware VM. I did a lot of pfSense installations like this (but with previous versions); now I have an error during hard disk installation, which states "The installer could not find any disks suitable for installation." It suggests reading a README file that I cannot find... Has anyone succeeded in such an installation? Thank you again, Tom
Re: [pfSense Support] L2TP support
I would like to tell you my personal experience: under Linux I set up an l2tp+ipsec vpn server for winXP road-warrior clients. At first, I set it up with the same l2tp implementation that we can find for FreeBSD, but I experienced a lot of problems (when clients disconnect, the ppp tunnel does not go down, so if you reconnect you cannot create the link..). I had to use rp-l2tp (http://sourceforge.net/projects/rp-l2tp/), but the drawback is that it cannot assign dynamic internal (virtual) IP addresses by itself (I had to use an external ppp plugin). Sorry, just to share my personal experience (I know, it is on Linux, so maybe on FreeBSD it is different...) Tom

On 10/20/05, Scott Ullrich [EMAIL PROTECTED] wrote: If someone wants to write the needed bits then it can be considered. I doubt that I'll be working on this personally as I have 100 other items I wish to complete first.

On 10/20/05, hanshan [EMAIL PROTECTED] wrote: PPTP is supported but Windows (XP) road-warriors would benefit from using the L2TP option. Any plan to support this too? Regards and thanks in advance, Francesco
Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)
On 10/16/05, stephan schneider [EMAIL PROTECTED] wrote: Got the solution. In the vpn client connection configuration you have to choose IPSec over TCP and of course Enable Transparent Tunnel. No custom rules, no IPSec passthru (that's a different approach), no custom nat rules (only the default: nat all lan) are needed.

Mmmh, sounds very strange.. IPsec NAT-T is usually achieved as IPsec over UDP.. (http://wiki.openswan.org/index.php/Firewalls) ...and from what I know, Cisco VPN is using exactly this. What kind of implementation is currently used? Please, could someone check if pfSense is really encapsulating over 4500/UDP, or something different? TIA Tom
Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)
On 10/18/05, Bill Marquette [EMAIL PROTECTED] wrote: On 10/18/05, Tommaso Di Donato [EMAIL PROTECTED] wrote: Mmmh, sounds very strange.. IPsec NAT-T is usually achieved as IPsec over UDP.. (http://wiki.openswan.org/index.php/Firewalls) ...and from what I know, Cisco VPN is using exactly this. What kind of implementation is currently used? Please, could someone check if pfSense is really encapsulating over 4500/UDP, or something different?

pfSense isn't encapsulating anything, that's the job of the client. In this case it sounds like the client needed some extra config to do NAT-T correctly.

Maybe I did not explain myself very well: ipsec natively does not permit bypassing a NAT gateway. So a few solutions have been adopted; one of them is NAT-T (that is, ipsec over UDP). I do not mean that it is pfSense that must do this: generally it is the OS ipsec implementation that takes it into account (during the very first exchanges between the two parties, and so on). I only would like to know if racoon (I think racoon is the one that manages ipsec VPNs) uses NAT-T or another mechanism for bypassing the NAT limitation... Sorry, Tom
Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)
On 10/18/05, Chris Buechler [EMAIL PROTECTED] wrote: In the case of VPNs that are terminated on pfSense boxes, it is racoon, and very recently a kernel patch was added to test NAT-T support with ipsec-tools. I'm not sure if it's even made it into a public release yet. It'll be there soon if not, but needs testing.

Thank you very much. If you like, I will try to do some tests (not now, but in the near future), and will share my results. Tom
Re: [pfSense Support] Question about pf and ipfw...
On 10/15/05, Bill Marquette [EMAIL PROTECTED] wrote: Not sure I follow with the redirection part. But if I understand correctly, yes we can use both ipfw and pf in conjunction for different tasks. This is how our shaper code used to work - define the queues in PF and assign the traffic in IPFW. Our ultimate goal is to get IPFW out of the core system altogether and we had done that until we found some nasty bugs in CP due to it (just stuff that'll take a little longer to work around).

Thank you for your reply. I am trying to run p3scan on pfSense, but it needs a redirection done with ipfw... When I try to add the rule, I get the following error:

# ipfw add fwd 127.0.0.1:8110 tcp from 10.0.0.0/24 to any 110
ipfw: getsockopt(IP_FW_ADD): Invalid argument

When I load the ipfw module, I see the following in dmesg:

ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled

Does this mean that I cannot do forwarding with this ipfw? TIA Tom
Re: [pfSense Support] Question about pf and ipfw...
You are very kind, in responding so fast!!

Module probably isn't loaded (it's only loaded if CP is in use I believe).

Mmmh, I think it is (I loaded it by hand with kldload ipfw.ko):

# kldstat
Id Refs Address    Size     Name
 1    4 0xc040     68cca0   kernel
 2   16 0xc0a8d000 55fdc    acpi.ko
 3    1 0xc25e2000 c000     ipfw.ko

But I am not a FBSD guru, so I may be wrong.. Do I have to load some other module?

Any reason you wouldn't just create a port forward for this? Seems like what you want to do is forward any traffic from 10.0.0.0/24 destined to port 110 anywhere to localhost on port 8110 (transparent pop3 server? interesting). This can be done easily in our GUI, just use a port forward (it was renamed from Inbound NAT to try and remind people it can be used in either direction).

Good question.. You are right, I already tried it but it does not work with p3scan. P3scan acts as a transparent pop3 proxy, but seems to recognize the real server IP only if I use ipfw redirection (this is what I understood from the p3scan mailing list). I already tried with pf, but it seems not to work.. Any idea?
Re: [pfSense Support] Question about pf and ipfw...
On 10/16/05, Bill Marquette [EMAIL PROTECTED] wrote: Got it, now I understand the problem (makes sense, I was wondering how it did transparent proxy w/out access to the destination IP :) ). So basically, it does a state lookup on the socket connected to it and figures out what the original IP was based on that.

Exactly.. It is marvellous to work with you.. All you guys are so fast in understanding..

Any idea?
Maybe Scott will have an idea why IPFW isn't loading your ruleset. Other than that, waiting for the p3scan developers to fix this. BTW, if there's a finite number of pop3 servers you need to access and you know what they are, you can run multiple instances of p3scan, one for each server and redirect the individual servers to specific p3scan instances. Not elegant, but it might work in a crunch.

Exactly what I did.. at least for a few providers.. but it is a very very ugly solution: I am in touch with the p3scan guys, but in the meanwhile I would like to fix the problem using ipfw.. I hope Scott can help me with this problem.. Thank you again, very very much. Tom
Re: [pfSense Support] Question about pf and ipfw...
Just a question.. I would like to ask one more thing: does "rule-based forwarding disabled" in dmesg (ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled) mean that the pfSense kernel is compiled without this option (IPFIREWALL_FORWARD)?

Maybe Scott will have an idea why IPFW isn't loading your ruleset. Other than that, waiting for the p3scan developers to fix this. BTW, if there's a finite number of pop3 servers you need to access and you know what they are, you can run multiple instances of p3scan, one for each server and redirect the individual servers to specific p3scan instances. Not elegant, but it might work in a crunch.

Exactly what I did.. at least for a few providers.. but it is a very very ugly solution: I am in touch with the p3scan guys, but in the meanwhile I would like to fix the problem using ipfw.. I hope Scott can help me with this problem.. Thank you again, very very much.
Re: [pfSense Support] Question about pf and ipfw...
Thank you very very much!! (I forgot to mention I am developing on version 0.84...) Thanks again!

On 10/16/05, Scott Ullrich [EMAIL PROTECTED] wrote: Reinstall from scratch on the latest version. Your IPFW module is wrong. It should say rule based forwarding enabled.

On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote: Just a question.. I would like to ask one more thing: does "rule-based forwarding disabled" in dmesg (ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled) mean that the pfSense kernel is compiled without this option (IPFIREWALL_FORWARD)?

Maybe Scott will have an idea why IPFW isn't loading your ruleset. Other than that, waiting for the p3scan developers to fix this. BTW, if there's a finite number of pop3 servers you need to access and you know what they are, you can run multiple instances of p3scan, one for each server and redirect the individual servers to specific p3scan instances. Not elegant, but it might work in a crunch.

Exactly what I did.. at least for a few providers.. but it is a very very ugly solution: I am in touch with the p3scan guys, but in the meanwhile I would like to fix the problem using ipfw.. I hope Scott can help me with this problem.. Thank you again, very very much.
[pfSense Support] Question about pf and ipfw...
Hi! I recently read a post about captive portal, and the related use of ipfw. If I understood well, it is possible to use pf and ipfw at the same time. Is it true? I mean, can I use ipfw for doing a particular kind of traffic redirection, even if there is another redirection done with pf (of course, not for the same traffic!! i.e. pf for ftp, ipfw for www)?? TIA Tom
[pfSense Support] Question about mini_httpd
Is it possible to configure a page in the webgui that is accessible w/o authentication? Even in a sub-dir... TIA Tom
Re: [pfSense Support] Port Forward of ESP protocol
On 10/4/05, Jörgen Haraldsson [EMAIL PROTECTED] wrote: Hi. The line says:

rdr on ste0 proto esp from any to 192.168.1.20 port 500 -> 192.168.2.100 port 500

I don't know if port 500 is the right port to use with esp. But it does not matter what port I use.

Mmmhh.. I think this is an error!!! ESP is _protocol_ 50, and not port 500.. So, you need 2 rules: one for protocol ESP, and one for UDP/500 (that is IKE). (I think that here you can find some info: http://wiki.openswan.org/index.php/Firewalls) Tom
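Added example (not from the thread, and not pfSense's own code): a small shell lint over pf rdr rules that catches the mistake Tom points out (a port clause on proto esp, which has no ports) and also reports whether the companion UDP/500 (IKE) and UDP/4500 (NAT-T, the UDP encapsulation discussed in the Cisco VPN thread above) rules are present. The interface ste0 and the addresses are the ones quoted here; the file names, the lint function and the corrected ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): lint pf "rdr" rules that forward
# IPsec to a host behind the firewall. ESP is IP protocol 50 and rides directly
# on IP, so a "port" clause on it can never match anything; IKE runs on UDP/500
# and NAT-T on UDP/4500. Interface and addresses are the ones quoted in the
# thread; file names and function names are constructed for the example.

# Usage: lint_ipsec_rdr FILE
# Prints findings; exits 0 when the ruleset is consistent, 1 otherwise.
lint_ipsec_rdr() {
    awk '
    /^[ \t]*rdr[ \t]/ {
        proto = ""; hasport = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "proto") proto = tolower($(i + 1))
            if ($i == "port") {
                hasport = 1
                if (proto == "udp" && $(i + 1) == "500")  seen_ike = 1
                if (proto == "udp" && $(i + 1) == "4500") seen_natt = 1
            }
        }
        # esp, ah and gre have no port numbers: a port match is a configuration error.
        if ((proto == "esp" || proto == "ah" || proto == "gre") && hasport) {
            printf "line %d: proto %s has no ports (ESP is IP protocol 50, not port 500); remove the port clauses\n", NR, proto
            bad = 1
        }
        if (proto == "esp") seen_esp = 1
    }
    END {
        if (seen_esp && !seen_ike) {
            print "ESP is forwarded but no UDP/500 (IKE) rule exists: the tunnel can never negotiate its keys"
            bad = 1
        }
        if (seen_esp && !seen_natt)
            print "note: no UDP/4500 rule; NAT-T clients (initiators behind a NAT) will not reach the responder"
        exit bad ? 1 : 0
    }' "$1"
}

# Writes two rulesets into DIR: the rule quoted in the thread (its "->" had
# been flattened by the list archive and is restored here) and a corrected set.
write_sample_rulesets() {
    cat > "$1/bad.conf" <<'EOF'
rdr on ste0 proto esp from any to 192.168.1.20 port 500 -> 192.168.2.100 port 500
EOF
    cat > "$1/good.conf" <<'EOF'
# ESP (protocol 50) has no ports: match the protocol only
rdr on ste0 proto esp from any to 192.168.1.20 -> 192.168.2.100
# IKE negotiates the SAs over UDP/500
rdr on ste0 proto udp from any to 192.168.1.20 port 500 -> 192.168.2.100 port 500
# NAT-T carries ESP inside UDP/4500 when the client sits behind a NAT
rdr on ste0 proto udp from any to 192.168.1.20 port 4500 -> 192.168.2.100 port 4500
EOF
}

# Stand-alone demonstration: lint both files and print the verdicts.
demo() {
    d=$(mktemp -d)
    write_sample_rulesets "$d"
    for f in bad good; do
        if lint_ipsec_rdr "$d/$f.conf"; then
            echo "$f.conf: consistent"
        else
            echo "$f.conf: problems found"
        fi
    done
    rm -rf "$d"
}
demo
```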
Re: [pfSense Support] antivirus and etc
If you refer to my solution (squid+redirector+clamav), I have to say that yes, clamav is running on the local machine, yes it uses a tcp socket, but no, it cannot be accessed from outside 127.0.0.1 (the daemon is listening only on lo). First, because of security reasons (that other guys already told you); second, because this kind of operation (scanning incoming traffic) is something that slows down navigation a lot! If you have to contact a clamav service outside the box, I expect even worse results. This is my opinion... but as Gary already told you, if someone really wants to shoot himself in the foot...

Ah, remember: I am _not_ preparing a package for clam! At the moment, I have only manual updates: I need to spend my time to make it work, not to make it easy to install... Maybe in the future.

On 9/24/05, Gary Buckmaster [EMAIL PROTECTED] wrote:
So you're opening up a port on the firewall to a critical service which has the potential to DoS the firewall for a feature that only a handful of IT hobbyists might consider using?

-----Original Message-----
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 23, 2005 7:27 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] antivirus and etc

At 08:22 PM 9/23/2005, you wrote:
Dan, you're opening up a real potential for DoSing the firewall if you have an especially busy Exchange server that gets hit by some mass mailer worm. I would rather have a separate instance of clamav running on my postfix (or whatever MTA you choose to love) box.

Well, I did say that was an option. That said, I'm not sure I buy that. Keep in mind, the clamav instance running on pfsense will only be as busy as the MTA makes it. Most non-enterprise MTAs (like mine) will only allow a handful of inbound connections at a time, and until the virus check is complete, no further smtp connections will be allowed. I guess it's a decision to make depending on the CPU horsepower available on firewall and mail server.
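A check for the loopback-only claim in the reply above, as an added example that is not part of the thread: it parses listener lines in the format of FreeBSD's "sockstat -4l" output (the sample below is constructed, not captured from a real box) and flags any clamd tcp socket bound to something other than a loopback address.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that clamd's TCP listener is
# bound to loopback only, which is the property the reply relies on.
# Input format: FreeBSD "sockstat -4l" columns
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# The sample is constructed: one correct loopback listener on 3310 and one
# wildcard listener on 3310 that would be reachable from any interface.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
clamav   clamd      1234  5  tcp4   127.0.0.1:3310        *:*
root     sshd       901   4  tcp4   *:22                  *:*
squid    squid      1100  12 tcp4   192.168.1.1:3128      *:*
clamav   clamd      1234  6  tcp4   *:3310                *:*'

# Print the local address of every clamd tcp listener that is not on
# 127.0.0.1 or ::1. Exit status 0 = loopback only, 1 = something exposed.
clamd_exposed() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $2 == "clamd" && $5 ~ /^tcp/ {
            addr = $6
            sub(/:[0-9]+$/, "", addr)      # strip the port
            if (addr != "127.0.0.1" && addr != "::1") { print $6; bad = 1 }
        }
        END { exit bad + 0 }'
}

if clamd_exposed "$SAMPLE" >/dev/null; then
    echo "clamd listens on loopback only"
else
    echo "clamd is reachable beyond loopback on: $(clamd_exposed "$SAMPLE" || true)"
fi
```

On a real box replace SAMPLE with the output of sockstat -4l (or netstat -an on other systems, adjusting the column numbers in the awk script).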
Re: [pfSense Support] /rescue directory
I would like to underline that I installed from livecd 0.84, and my /rescue dir is still 356M:

# du -h /rescue/
356M /rescue/

Now... it cannot depend on VmWare! The only unusual thing is that, during the install, I chose not to create a swap partition... Maybe this could be the reason?
Tom

On 9/13/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
Ok, not a problem... The important thing (for me) is to know that in a normal installation it is different.
Re: [pfSense Support] /rescue directory
Ok, not a problem... The important thing (for me) is to know that in a normal installation it is different.

On 9/13/05, John Cianfarani [EMAIL PROTECTED] wrote:
I have a version installed under vmware gsx 3.2 as well and I notice the same thing.
John
Re: [pfSense Support] /rescue directory
Mmhh... I have something wrong, then:

# du -h /rescue/
356M /rescue/

What do I have to do? Tonight maybe I will try a new installation, but I am a bit worried, because this one too is a fresh install...

On 9/10/05, Bill Marquette [EMAIL PROTECTED] wrote:
They all have the same size cause they're all the same file (hard link). rm'ing that directory will save you a whopping 2.9 or so MB.

# ls -la rescue/ |wc -l
131
# du -sk rescue/
2891 rescue/
# du -sk rescue/*
2880 rescue/[
7 rescue/dhclient-script
1 rescue/nextboot.sh
# ls -li rescue/s*
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/savecore
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/sconfig
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/setfacl
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/sh
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/slattach
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/spppcontrol
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/startslip
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/stty
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/swapon
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/sync
301254 -r-xr-xr-x 126 root wheel 2937504 Sep 8 18:11 rescue/sysctl

Note the first field is the inode... notice how they're all identical? :) If they aren't identical on your machine, it sounds like you copied them at some point which would create individual files.
--Bill

On 9/10/05, Scott Ullrich [EMAIL PROTECTED] wrote:
Say what!? It shouldn't be that big.

# du -h
2.8M .
# pwd
/rescue

Scott

On 9/10/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
Sorry... I am trying to shrink a bit my pfsense installation... in order to stay in less than 512Mb... So I took a walkabout, and I found that the /rescue dir is very big (about 350MB), full of files, all of them of the same size: 2937504 bytes. Could anyone explain to me how that can be useful, and why all of them are so big?
Thanx
Tom
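The hard-link point in Bill's reply, as an added example that is not part of the thread: it builds a constructed directory shaped like /rescue (one 2937504-byte file plus 126 hard links to it; the names and the temp location are made up here) and compares the naive per-file size sum, which is what a copied tree would really occupy, with the per-inode sum that du reports.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a /rescue full of hard links
# to one crunched binary looks like ~356M when sizes are summed per file but
# costs ~2.9M on disk, and why copying it (which breaks the links) does not.

# Build a directory like /rescue: one 2937504-byte file and 126 hard links
# to the same inode. File names and sizes are constructed for the example.
make_rescue_like() {
    dir=$1
    mkdir -p "$dir"
    dd if=/dev/zero of="$dir/sh" bs=2937504 count=1 2>/dev/null
    i=1
    while [ "$i" -le 126 ]; do
        ln "$dir/sh" "$dir/tool$i"
        i=$((i + 1))
    done
}

# Sum of per-file sizes in KB: what a naive "add up ls -l" gives, and what
# the tree would occupy if every entry were a separate copy.
# ls -li columns: inode mode nlink owner group size ...
apparent_kb() {
    ls -li "$1"/* | awk '{ s += $6 } END { printf "%d\n", s / 1024 }'
}

# Sum counting each inode only once, in KB: this is what du -sk reports,
# and the real cost of the hard-linked tree.
unique_kb() {
    ls -li "$1"/* | awk '!seen[$1]++ { s += $6 } END { printf "%d\n", s / 1024 }'
}

# Demo run in a temporary directory; cleaned up afterwards.
tmp=$(mktemp -d)
make_rescue_like "$tmp/rescue"
echo "entries:        $(ls "$tmp/rescue" | wc -l | tr -d ' ')"
echo "per-file sum:   $(apparent_kb "$tmp/rescue") KB"
echo "per-inode sum:  $(unique_kb "$tmp/rescue") KB"
echo "du -sk says:    $(du -sk "$tmp/rescue" | awk '{ print $1 }') KB"
rm -rf "$tmp"
```

The per-file sum comes out at 364319 KB (about 356M, matching the figure in the thread), while the per-inode sum is 2868 KB, within block rounding of Bill's du -sk result.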
[pfSense Support] /rescue directory
Sorry... I am trying to shrink a bit my pfsense installation... in order to stay in less than 512Mb... So I took a walkabout, and I found that the /rescue dir is very big (about 350MB), full of files, all of them of the same size: 2937504 bytes. Could anyone explain to me how that can be useful, and why all of them are so big?
Thanx
Tom
[pfSense Support] Bridging LAN and WAN
Sorry if it has already been asked... I am running 0.73.6, and in the lan interface setup I see I can bridge it with my wan interf. This is exactly what I am looking for (I want to build a transparent proxy that scans http and pop3 traffic for viruses), but I can not understand how the bridge setup works: in previous messages, I understood that bridging between LAN and WAN was not possible (only between one of them and an opt interface). Did I understand badly? If so... could someone explain to me what happens if I bridge the lan and WAN interf.? What IP address does the new interface acquire? Could I assign only one IP, or must I always have two?
TIA
Tom
[pfSense Support] Serial console
Just a little problem: I enabled the serial port for accessing via null-modem cable... Nothing happens. And I still cannot access. In the process list I cannot see any console enabled. I am using 0.73.6
Tom
Re: [pfSense Support] Bridging LAN and WAN
Not at all. It's a brand new option that I committed.

Cool! I was thinking of modifying the source, because I was needing it!

You can assign an IP to either of them. Note that if you do not assign an IP to the LAN subnet you need to access the WebConfigurator from the WAN which will require rules to be set up.

Oh, I did not try to save my LAN configuration leaving the IP field blank... eh eh. When I enable this option, does the dhcp server change its configuration automatically, or do I have to change it by hand? Can I modify filter.inc, in order to include web access from WAN when bridging is enabled? Are you interested in it?
Re: [pfSense Support] Bridging LAN and WAN
I'm not sure this is a good idea. This would allow anyone from the WAN in. Besides, how is it going to know what to unlock since it used the LAN subnet prior?

If I understood well, if I enable lan to wan bridging, and I do not assign an IP to the LAN interface, I can only access from the WAN ip. But if I did not create a rule before this change, I lock myself out, is that right? If so, why not add an option, just to permit webconsole access only to connections coming from the lan interface? Sorry if I am missing something
Tom
Re: [pfSense Support] Bridging LAN and WAN
So... you all say that it is better to leave the things as they are... Ok, I trust you. But in the remote possibility that I become crazy and start to develop something like the thing I imagined, I will share it with you!

On 8/11/05, Chris Buechler [EMAIL PROTECTED] wrote:
On 8/11/05, Scott Ullrich [EMAIL PROTECTED] wrote:
It could be possible but this all gets really hairy and sticky. Same reason that it's most likely not doable in m0n0wall in the first place. There is a real chance of shooting yourself in the foot in this configuration so consider yourself warned :)

Exactly. The reason it can't be done in m0n0wall is because you have to have an IP on the LAN and WAN, for various reasons, and it's just much easier to leave things that way. Bruce Mah (@ freebsd.org) wrote the bridging code for m0n0wall and wasn't going to take the time that would be required, because it ends up being potentially very messy no matter how you do it.
-cmb