Re: [pfSense Support] Routing issue between LAN and OPT1 when IPSEC enabled

2010-01-20 Thread Yehuda Katz
Sounds to me like a NAT Reflection issue

On Wed, Jan 20, 2010 at 5:51 PM, Oliver Hansen wrote:

>
>
> On Wed, Jan 20, 2010 at 2:18 PM, Chris Buechler wrote:
>
>> On Wed, Jan 20, 2010 at 2:55 PM, Oliver Hansen wrote:
>>
>
>
>> --snip--
>> >
>> > Just last week, I set up a second VPN tunnel between the two routers.
>> This
>> > one has the destination subnet of 192.168.50.0/24 and now from the hub
>> > router we can reach that subnet but from the 192.168.2.0/24 still
>> cannot
>> > reach it. My thinking was that the router with LAN and OPT1 would either
>> > route between the two subnets and if not, it would send data up one VPN
>> > connection because it was "interesting traffic" and then it would get
>> sent
>> > back down the 2nd tunnel to the other subnet. Neither of these things is
>> > happening.
>> >
>>
>> That traffic is going out IPsec because IPsec always wins over
>> anything in the system routing table including other directly attached
>> networks (just how it works in the FreeBSD kernel). You either have to
>> not include that other local subnet within your remote IPsec
>> definition, or use OpenVPN which will work properly in that scenario.
>>
>>
>>
> Thanks for the reply. I can understand that IPsec always wins but why if it
> is getting sent up the VPN tunnel does it not get sent back down the second
> VPN tunnel to the 192.168.50.0/24 subnet? Any of my other networks such as
> 192.168.3.0/24 can send traffic to the .50 network and receive replies. Is
> there something about having two IPsec VPNs between the same two boxes that
> causes this not to work?
>
> Example A: 192.168.3.0/24 -> 192.168.1.0/24 -> 192.168.50.0/24 = successful
> Example B: 192.168.2.0/24 -> 192.168.1.0/24 ---X 192.168.50.0/24 = no success
>
>


Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page

2010-01-22 Thread Yehuda Katz
On Thu, Jan 21, 2010 at 3:58 PM, Chris Buechler  wrote:

> That's a problem with the cert. That means the CA that signed your
> cert isn't trusted by those browsers. That's what you get at times
> with cut rate CAs like Godaddy, though that's where we get our certs
> and I haven't seen any such issues on ours, I have on other certs I've
> gotten from Godaddy in the past. I would contact them and complain,
> any cert you pay for should be recognized by all the major browsers.
>
I thought I might correct this misconception about why certificate chains
exist.
GoDaddy and other CAs have a master certificate which is installed in
browsers.
If they used this master certificate to sign regular certificates and it
were compromised, they would need to have the certificate removed from
everywhere it is installed (not a simple task).
Instead, they create several other certificates and use those to generate
regular certificates.
Then, if there is a problem, they can revoke the sub-certificate.
So your browser almost certainly has the GoDaddy root certificate installed;
it just does not know the chain.

The way I solved this problem (I get certs from StartSSL, and almost no one
has the intermediate certificates from them) was by pasting the intermediate
cert in the regular certificate box in the admin area.
I am not sure if that is supposed to work, but I have not had any problems
with it.
- YK


Re: [pfSense Support] NAT with WAN subnet

2010-01-31 Thread Yehuda Katz
On Sun, Jan 31, 2010 at 7:39 AM, Remko Lodder  wrote:

>
> On Jan 31, 2010, at 12:14 PM, Martin Kruse Jensen wrote:
>
> > Remko Lodder skrev:
> >> On Jan 31, 2010, at 11:27 AM, Martin Kruse Jensen wrote:
> >>
> >>
> >>
> >>> Hi.
> >>>
> >>> I'm having some problems setting up NAT when using multiple external
> addresses (i.e. a /29 subnet). I have a WAN interface set up as x.x.x.18/29
> but when making NAT rules, I can't select the individual addresses - only
> "WAN address" or "Any".
> >>>
> >>> When attempting to use 1:1 NAT I can't get it to work either - and yes,
> of course I remembered to add firewall rules ;)
> >>>
> >>> Any hints would be appreciated!
> >>>
> >>> Regards,
> >>> Martin Kruse
> >>>
> >>>
> >>>
> >>
> >>
> >> Consult the "Virtual Addresses" please:
> >>
> >> "
> >> The virtual IP addresses defined on this page may be used in NAT
> mappings.
> >> You can check the status of your CARP Virtual IPs and interfaces here.
> >> "
> >>
> >> Cheers,
> >> Remko
> >>
> >>
> >>
> > I have actually tried setting up "Virtual addresses" but I can't save
> them - it fails with the following error:
> > The following input errors were detected:
> >
> >   • The MANAGEMENT IP address may not be used in a virtual entry.
> >
> > "MANAGEMENT" is the name of my OPT1 interface but when setting up the
> Virtual IP I actually selected WAN.
> >
> > I should probably mention that I am using 2.0-BETA1 built on Fri Jan 22
> 08:25:58 EST 2010
> >
> > //Martin
>
> Did you try a different IP than the one that is defined on the interface
> itself?
>
> so for starts if you have assigned .1 to the real interface, can you create
> the .2 ip address as a virtual ip?
>
>
The WAN should usually be set to /32, and then you will be able to create
the Virtual IPs.


> --
> /"\   Best regards,            | re...@freebsd.org
> \ /   Remko Lodder             | re...@efnet
>  X    http://www.evilcoder.org/ |
> / \   ASCII Ribbon Campaign    | Against HTML Mail and News
>
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>


Re: [pfSense Support] Microsoft Server 2008 & DHCP relay

2010-04-17 Thread Yehuda Katz
On Sat, Apr 17, 2010 at 2:17 PM, Karl Fife  wrote:

> We have a couple of pfSense installations that want to 'lock down' their
> windows workstations with Win 2K8 Server and Active Directory.  As you may
> know, normally this requires that Win Server be the DNS & DHCP server.
>
> To clarify, we're NOT talking about MS Small Business Server/exchange and
> all of that crap--just 'regular' 2K8, with AD for lockdown/policy etc.
>
> Can anyone say from experience whether it's 'within scope' to keep pfSense
> as the DHCP/DNS?  In other words, is it feasible to have 2K8 server turn to
> pfSense via something like DHCP relay?  Never played with DHCP relay.
>
We disabled DHCP and DNS in pfSense and do both from Active Directory.
We have not had any trouble with this setup.


Re: [pfSense Support] Second WiFi WAN link

2010-05-23 Thread Yehuda Katz
On Sun, May 23, 2010 at 3:45 PM, Chris Buechler  wrote:
> On Sun, May 23, 2010 at 11:34 AM, John Busch  wrote:
>>
>> I think a catch would be that the college has a captive portal on
>> their WiFi.  It redirects to an intranet page requiring credentials
>> prior to allowing traffic out to the Internet.
>
> As for how to keep the connection through the portal up, that's hard
> to say. Depends on how it's configured. Worst case, you manually log
> into it as needed. If it keeps active connections up indefinitely,
> send a constant ping or something through it. If it has a hard cutoff,
> script curl or something to log into it periodically as needed.
>

You do need to be careful and make sure that you are not violating any
of your university's network acceptable use policies.
Many universities may ban you for accessing a campus wireless network
when you are not on campus.




[pfSense Support] Proxy ARP Trouble

2010-05-27 Thread Yehuda Katz
We had Verizon DSL for our primary WAN connection.
Our primary IP (the WAN interface IP) was 71.248.x.114
We had this entry in the Virtual IP list:
Type: Proxy ARP
Interface: WAN
IP Address: Network 71.248.x.112/28

To get that to work, we had to set the WAN interface IP to each of the
virtual IPs (ending with 114), after which we had no trouble.


Yesterday we switched to Verizon FiOS which meant that we got new IPs.
I switched the WAN interface IP to the new address 71.179.x.83
and I switched the entry in Virtual IPs to
Type: Proxy ARP
Interface: WAN
IP Address: Network 71.179.x.80/28

We went through the same procedure, setting the WAN to each IP.
Some time during the night, each of the IPs stopped working.
This morning, we set the WAN interface to each of the IPs and they are
working now, but we have no way of knowing what will happen tonight.

Any ideas?




Re: [pfSense Support] Proxy ARP Trouble

2010-05-27 Thread Yehuda Katz
On Thu, May 27, 2010 at 1:02 PM, Chris Buechler  wrote:
> On Thu, May 27, 2010 at 10:30 AM, Yehuda Katz  wrote:
>> We had Verizon DSL for our primary WAN connection.
>> Our primary IP (the WAN interface IP) was 71.248.x.114
>> We had this entry in the Virtual IP list:
>> Type: Proxy ARP
>> Interface: WAN
>> IP Address: Network 71.248.x.112/28
>>
>> To get that to work, we had to set the WAN interface IP to each of the
>> virtual IPs (ending with 114), after which we had no trouble.
>>
>>
>> Yesterday we switched to Verizon FiOS which meant that we got new IPs.
>> I switched the WAN interface IP to the new address 71.179.x.83
>> and I switched the entry in Virtual IPs to
>> Type: Proxy ARP
>> Interface: WAN
>> IP Address: Network 71.179.x.80/28
>>
>> We went through the same procedure, setting the WAN to each IP.
>> Some time during the night, each of the IPs stopped working.
>> This morning, we set the WAN interface to each of the IPs and they are
>> working now, but we have no way of knowing what will happen tonight.
>>
>> Any ideas?
>>
>
> Use CARP VIPs instead.
>

Maybe someone could point me to a walk-through for that.
The CARP page looks so much more complicated and I have never used it before.




Re: [pfSense Support] Proxy ARP Trouble

2010-05-27 Thread Yehuda Katz
On Thu, May 27, 2010 at 1:41 PM, Evgeny Yurchenko  wrote:
> Yehuda Katz wrote:
>> On Thu, May 27, 2010 at 1:02 PM, Chris Buechler 
>> wrote:
>>> On Thu, May 27, 2010 at 10:30 AM, Yehuda Katz  wrote:
>>>> We had Verizon DSL for our primary WAN connection.
>>>> Our primary IP (the WAN interface IP) was 71.248.x.114
>>>> We had this entry in the Virtual IP list:
>>>> Type: Proxy ARP
>>>> Interface: WAN
>>>> IP Address: Network 71.248.x.112/28
>>>>
>>>> To get that to work, we had to set the WAN interface IP to each of the
>>>> virtual IPs (ending with 114), after which we had no trouble.
>>>>
>>>>
>>>> Yesterday we switched to Verizon FiOS which meant that we got new IPs.
>>>> I switched the WAN interface IP to the new address 71.179.x.83
>>>> and I switched the entry in Virtual IPs to
>>>> Type: Proxy ARP
>>>> Interface: WAN
>>>> IP Address: Network 71.179.x.80/28
>>>>
>>>> We went through the same procedure, setting the WAN to each IP.
>>>> Some time during the night, each of the IPs stopped working.
>>>> This morning, we set the WAN interface to each of the IPs and they are
>>>> working now, but we have no way of knowing what will happen tonight.
>>>>
>>>> Any ideas?
>>>>
>>>>
>>>
>>> Use CARP VIPs instead.
>>>
>>>
>>
>> Maybe someone could point me to a walk-through for that.
>> The CARP page looks so much more complicated and I have never used it
>> before.
>>
>
> http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm
> is very good tutorial
>
Thanks for the tutorial, but that does not do what I am trying to do.
According to the text on the Virtual IP page, Proxy ARP can work for
an entire CIDR block while CARP does not.
Does that mean I need to create an individual rule for each IP?




Re: [pfSense Support] block facebook twitter and youtube pfsense

2010-06-04 Thread Yehuda Katz
On Fri, Jun 4, 2010 at 3:30 PM, Tim Nelson  wrote:

> However, the more savvy users will just find some proxy out there to use.
> 'Proxy' has become a new buzzword for the social networking crowd as of late
> it seems...
>
It doesn't even require a very savvy user. There are free email lists which
notify you by email of new proxy sites (peacefire.org).
Besides that, don't forget that many sites can be accessed just by their IP
addresses.


Re: [pfSense Support] How to view logs on pfsense 1.2.3 using putty

2010-06-07 Thread Yehuda Katz
On Mon, Jun 7, 2010 at 7:27 AM, Joseph Rotan  wrote:

> Bula Aarno,
>
> thanks for the tip, but i'm a bit confused on the logs displayed below:
>
> Jun  7 23:13:29 pfSense sshd[7808]: Failed password for root from
> 220.189.230.151 port 48088 ssh2
> Jun  7 23:13:31 pfSense sshd[7810]: Failed password for root from
> 220.189.230.151 port 48910 ssh2
> Jun  7 23:13:34 pfSense sshd[7813]: Failed password for root from
> 220.189.230.151 port 49352 ssh2
> Jun  7 23:13:36 pfSense sshd[7827]: Failed password for root from
> 220.189.230.151 port 50339 ssh2
> Jun  7 23:13:42 pfSense sshd[7831]: Failed password for root from
> 220.189.230.151 port 50994 ssh2
> # Jun  7 23:13:29 pfSense sshd[7808]: Failed password for root from
> 220.189.230.151 port 48088 ssh2
>  I can't understand what the above logs are, can you please advise how can
> i view the captive portal logins or what will be the command on the shell to
> view it.
>
>
I don't know anything about logs for the captive portal, but those lines
from the log indicate that someone tried to log in to your pfSense using SSH
(Putty or similar program) and got the password wrong. If that person was
not you (and you can find your IP address by going to
http://checkip.dyndns.org), then you may want to block that IP address from
accessing SSH. I always recommend when I set up pfSense that the port for
SSH be changed to prevent automated password guessing; I use port 2292. That
setting is under System->Advanced (don't forget to adjust your firewall
rule).

- YK
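An added example (not from the thread above or from pfSense) of what "block that IP address" can be based on: a small detector that parses sshd lines in the format quoted above, counts failed passwords per source, and flags sources that exceed a threshold inside a sliding time window. The log sample is constructed; the first five lines reuse the posted entries and the 192.0.2.10 lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same syslog format as the sshd lines quoted above
# (the first five lines reuse the posted entries; the 192.0.2.10 lines are made up).
SAMPLE_LOG = """\
Jun  7 23:13:29 pfSense sshd[7808]: Failed password for root from 220.189.230.151 port 48088 ssh2
Jun  7 23:13:31 pfSense sshd[7810]: Failed password for root from 220.189.230.151 port 48910 ssh2
Jun  7 23:13:34 pfSense sshd[7813]: Failed password for root from 220.189.230.151 port 49352 ssh2
Jun  7 23:13:36 pfSense sshd[7827]: Failed password for root from 220.189.230.151 port 50339 ssh2
Jun  7 23:13:42 pfSense sshd[7831]: Failed password for root from 220.189.230.151 port 50994 ssh2
Jun  7 23:14:02 pfSense sshd[7840]: Failed password for admin from 192.0.2.10 port 51000 ssh2
Jun  7 23:14:30 pfSense sshd[7845]: Accepted password for admin from 192.0.2.10 port 51020 ssh2
"""

# sshd also writes "Failed password for invalid user <name> from ..." for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins, other daemons, commented-out lines
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def users_tried_by_ip(log_text):
    """Map each source IP to the set of account names it failed against."""
    tried = defaultdict(set)
    for _ts, user, ip in parse_failures(log_text):
        tried[ip].add(user)
    return dict(tried)


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: total_failures} for sources that produced at least
    `threshold` failures inside any `window_seconds` span (sliding window)."""
    stamps_by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    tried = users_tried_by_ip(SAMPLE_LOG)
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed SSH logins, accounts tried: {sorted(tried[ip])}")
```

With the posted lines, only 220.189.230.151 is flagged (five failures in 13 seconds); a single failure from another address is left alone, so one mistyped admin password does not trigger a block.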


Re: [pfSense Support] How to view logs on pfsense 1.2.3 using putty

2010-06-07 Thread Yehuda Katz
On Mon, Jun 7, 2010 at 4:56 PM, Joseph Rotan  wrote:

> Hi,
>
> here's another logs from another site:
>
> How can i block all this invalid users from attempting to access my pfsense
> through SSH.
>

>> I always recommend when I set up pfSense that the port for SSH be changed
>> to prevent automated password guessing; I use port 2292. That setting is
>> under System->Advanced (don't forget to adjust your firewall rule).
>>
>> - YK
>>
>
>


Re: [pfSense Support] blocking https:facebook.com via squidguard & pfsense gui

2010-07-02 Thread Yehuda Katz
On Fri, Jul 2, 2010 at 8:03 AM, Luke Jaeger  wrote:

> I can't block tcp 443 on a wholesale basis; we need it for lots of stuff.
> If I can do it for a single domain, I'm there.
>
>
The idea is to set up a non-transparent proxy for all traffic and block any
traffic not using the proxy.
The whole purpose of https is to prevent a third party (in this case your
firewall) from seeing anything above the minimum routing information (source
and destination IP address).
I think WPAD is the way to go for this one.

(Where I went to high school, they somehow blocked certain https sites, but
I think it was by IP and the subscription service they used for the block
list actually listed all the IPs for facebook and other blocked sites.)


[pfSense Support] 2.0-BETA4 - Admin logout link?

2010-10-09 Thread Yehuda Katz
I just installed 2.0-BETA4, logged in as admin, and created a new user.
I have not been able to find a logout link so I can try using that user.
Is it there and I just don't see it or is it really not there?

- Yehuda


Re: [pfSense Support] DynDNS's CheckIP is showing my private IP!

2010-11-07 Thread Yehuda Katz
On Sun, Nov 7, 2010 at 8:33 PM, Lyle Giese  wrote:

> slamp slamp wrote:
> > http://checkip.dyndns.org/
> >
> > how is this possible? i am behind a standard install of pfSense
> > 1.2.3-RELEASE which means i am NAT'd. how is pfsense publishing my
> > private IP?
> >
> >
> What makes you think pfSense is publishing that data?


It is Squid running on pfSense that is publishing that data. There is no
javascript on that page.
The fact is, it is poorly written applications that is causing the problem.
Squid is mis-configured which causes it to set the HTTP X-Forward header to
the internal private IP.
The application checks for the header to be set and uses the data it
contains without doing a sanity check first.
Several projects that I contribute to have had the same issue, here is a
sample in PHP.

Original (bad) code:

    // Trusts X-Forwarded-For unconditionally: whatever the proxy put there is used
    if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "") {
        $IP = $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"];
    } else {
        $IP = $HTTP_SERVER_VARS["REMOTE_ADDR"];
    }

Fixed code:

    if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "") {
        $forwardforip = ip2long($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);
        // Ignore the header when it carries an RFC 1918 private address
        // (10/8, 172.16/12, 192.168/16); a proxy that leaks one is misconfigured
        if (($forwardforip >= ip2long("10.0.0.0") && $forwardforip <= ip2long("10.255.255.255")) ||
            ($forwardforip >= ip2long("172.16.0.0") && $forwardforip <= ip2long("172.31.255.255")) ||
            ($forwardforip >= ip2long("192.168.0.0") && $forwardforip <= ip2long("192.168.255.255"))
        ) {
            $IP = $HTTP_SERVER_VARS["REMOTE_ADDR"];
        } else {
            $IP = $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"];
        }
    } else {
        $IP = $HTTP_SERVER_VARS["REMOTE_ADDR"];
    }


Re: [pfSense Support] how to prevent spams

2010-11-21 Thread Yehuda Katz
On Sun, Nov 21, 2010 at 2:58 AM, Guruprasad  wrote:

> I am using PFSense firewall in my office. I have a windows based mail
> server in LAN and all the systems in LAN send mails thru the
> mailserver(icewarp merak mail server). There is no spam problem.
>
> But the moment I allow my branch office people to send/receive mails using
> my local mail server via my ISP allocated static IP ( this is configured in
> pfsense WAN), lots of spam/virus being relayed thru my mail server and I
> could see the same in my mail server Log.
>
> Since many roaming users/branch office people are connected to this mail
> server, how do I find out which remote client is compromised and sending
> this spams using my internal mail server as a relay host.
>
That depends on your mail server.
I would suggest that you ask this on a forum dedicated to the mail server
you are using.

- Y


[pfSense Support] New Widgets

2010-12-14 Thread Yehuda Katz
What is the proper procedure for sending in a widget for inclusion in
pfsense?
I wrote a widget to do wake-on-lan from the main page.

- Yehuda


[pfSense Support] Snapshot Build Logs

2010-12-15 Thread Yehuda Katz
Is there a reason the i386 build log uses EST and the AMD64 log uses UTC?

- Yehuda


Re: [pfSense Support] Squid Log and MAC adress

2011-01-04 Thread Yehuda Katz
On Tue, Jan 4, 2011 at 8:53 AM, Jostein Elvaker Haande wrote:

> On 4 January 2011 13:53, Koray AGAYA  wrote:
> > Hi,
> >
> > Can I add computers' MAC addresses (squid logs)? Is it possible?
> >
> >
> > Thank you for everything
>
> Seeing as I'm a bit on the generous side today, I actually took the
> time to Google your question, and after spending two minutes skimming
> through the results, I can't see that you can log the MAC address in
> Squid. And to be honest, I would be surprised if it did. If you are so
> dead set to get the MAC addresses, I think your only option is to make
> a perl script that parses your Squid log files, and uses tools like
> i.e proxy-arp to get the MAC address.
>
> As you can see from Squid's Log Format [1], the only thing logged is
> the client address (read: IP address).
>
> [1] http://wiki.squid-cache.org/Features/LogFormat


I have no idea where you would put this in pfSense, you might need to edit
the package, but:

http://www.squid-cache.org/Doc/config/logformat/


Re: [pfSense Support] Intel Gigabit - em0: Watchdog Timeout

2011-03-04 Thread Yehuda Katz
On Friday, March 4, 2011, Jim Pingle  wrote:
> On 3/4/2011 9:59 AM, Moshe Katz wrote:
>>
>> I am now trying to set up a third box.  It is a Dell Optiplex gx240.  It
>> has an on-board 3Com 3C920-based 10/100 port.  I added a dual-port Intel
>> card (the same one as the first box).  Using em1 of that card works fine
>> but when I plug in em0, I start getting "em0: Watchdog Timeout" messages
>> on the console.
>>
>> What should I look at to troubleshoot this?  Is it a problem with the
>> network card?
>
> Is this on a 2.0 snapshot? If so, what date?
>
> Since the switch to the Yandex Intel drivers a couple days ago my VMs
> all constantly print watchdog timeouts on the console... It seems to
> operate OK, but it makes the console useless.

It is on a snapshot from yesterday (March 3, but I don't have the
exact build number in front of me now.)
It does make the console useless, but if there are no bad side
effects, we might be able to live with it.

- Yehuda




[pfSense Support] List Posting Etiquette [WAS: Re: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout]

2011-03-08 Thread Yehuda Katz
On Tue, Mar 8, 2011 at 5:12 AM, ozan ucar  wrote:

>  Hello,
> Been there, done that. This is a drive problem. Here is how to fix it
>

Is it too much to request that when you post to this list about a new issue,
that you use a descriptive subject line?
I just got this email with the subject "[pfSense Support] Intel Gigabit -
em0: Watchdog Timeout" (which is part of a conversation about a network card
issue that I have) and the preview line in my email shows "Been there, done
that. This is a drive problem. Here is how to fix it"
Does anyone else see why this is annoying?
(Also, while it does not bother me - because my email client filters the
duplicate parts out of the message - , please keep in mind that many people
on this list ask that you do not "top-post")

- Yehuda


Re: [pfSense Support] Moving configs to different machines

2011-03-18 Thread Yehuda Katz
On Fri, Mar 18, 2011 at 6:27 PM, Joseph L. Casale  wrote:

>
> Possibly if the initials are set at install, I could utilize the existing
> ones
> in the backed up config?
>
Usually, I download a config backup from the new machine and do a
side-by-side compare (with a program like beyond compare or araxis merge)
and I copy only the parts I know are important (rules, dhcp config, dns
config, nat 1-1, squid) but not the hardware config (such as interface
assignments)

- Yehuda


Re: [pfSense Support] can't block https://facebook.com via firefox

2011-03-22 Thread Yehuda Katz
On Tue, Mar 22, 2011 at 5:38 PM, Luke Jaeger  wrote:

> I'll try this - it will also let me know real fast who doesn't have their
> proxy settings configured right!
>
> On Mar 22, 2011, at 1:09 PM, Seth Mos wrote:
>
>  Deny all outbound access to ports 80 and 443, except from the proxy
>> server.
>>
>
We set up a NAT rule that would catch all traffic that was directed outbound
(i.e. not through the proxy) and redirect it to an error page with an
explanation of how to set up the proxy.

- Y


Re: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Yehuda Katz
On Wed, Mar 23, 2011 at 2:56 PM, David Barbero wrote:

> Alberto Mijares  ha escrito:
>
>> Squid can not store in cache the content from https traffic; however,
>> you are still able to create ACL's to control the access to this
>> URI's.
>>
>> Check out your ACL.
>>
>
> Squid cannot store and cannot filter https connections. When the client
> opens an https connection, squid only makes a tunnel from client to server
> and doesn't see any of the content or URL (only the destination IP). The only
> way to block https connections is to filter by destination IP in pf or an acl
> (I'm not sure if this works properly with squid acl), but squid or squidguard
> can't filter an SSL connection directly.
>

That is absolutely wrong. Squid (with SquidGuard) in a TRANSPARENT
PROXY configuration can not filter https traffic.
If you are using explicit proxy settings in your browser, https (and just
about any other protocol) can be filtered.
As I said earlier in this thread, I have the exact configuration that the
original poster was looking for:
- SquidGuard filters according to a third-party blacklist of websites.
- All ports that are handled by Squid/SquidGuard, including 80 (http) and
443 (https) are redirected by the pfSense (using a NAT rule) to an error
page explaining how to set up a proxy in different browsers.
- We are not using Squid for the purpose of caching, only filtering (limited
hard drive space, otherwise we might)

If anyone wants specific details about how to set up this configuration, I
might be able to help you as my time allows.

- Yehuda


Re: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Yehuda Katz
On Wed, Mar 23, 2011 at 5:14 PM, Michael Schuh wrote:

>
> for a bit fun:
> put *.facebook.com into your dns-masquerader and lead him to the
> internal IP of the firewall
> or to 127.0.0.1 :D (* -> www, or whatever else, i am not aware if the
> dns-forwarder can match wildcards)
> Deny all other DNS beside the access to the firewall.
>

Just make sure you block access to other DNS servers at the firewall.
You might not think that so many people have heard of OpenDNS or Google
Public DNS.

- Y


[pfSense Support] Completing certificate requests with changed information

2011-04-14 Thread Yehuda Katz
I generated a CSR from the pfSense certificate manager and had it signed by
StartSSL.
StartSSL changes the certificate subject (and you can not predict beforehand
what it will be).
OpenSSL and IIS accept the signed certificate anyway, but pfSense gives this
error:

> The certificate subject '[PRIVATE]' does not match the signing request
> subject.

Is there any way around the subject change to get the certificate imported?

- Yehuda


[pfSense Support] Re: Completing certificate requests with changed information

2011-04-14 Thread Yehuda Katz
On Thu, Apr 14, 2011 at 9:06 PM, Yehuda Katz  wrote:

> I generated a CSR from the pfSense certificate manager and had it signed by
> StartSSL.
> StartSSL changes the certificate subject (and you can not predict
> beforehand what it will be).
> OpenSSL and IIS accept the signed certificate anyway, but pfSense gives
> this error:
>
>> The certificate subject '[PRIVATE]' does not match the signing request
>> subject.
>
> Is there any way around the subject change to get the certificate imported?
>

Ok, I found the line where the subjects are checked (/system_certmanager.php
around line 285).
I am creating a nice workaround (I am thinking of a checkbox on the update
page to disable the subject check).

- Yehuda


Re: [pfSense Support] Is anyone scraping pfsense pages in 2.0?

2011-04-15 Thread Yehuda Katz
On Fri, Apr 15, 2011 at 11:18 AM, Adam Thompson wrote:

> Yes, this has been discussed here recently (check the archives).
> cURL will work properly as long as you do a few things:
> 1. send the POST variables to the login form first,
> 2. track cookies across multiple cURL calls.
>

Here is the thread:
http://marc.info/?l=pfsense-support&m=130065547317941&w=2

Here is the documentation:

http://doc.pfsense.org/index.php/Remote_Config_Backup#Pulling_on_2.0


Re: [pfSense Support] 2.0-RC1 installation problem

2011-04-28 Thread Yehuda Katz
On Thu, Apr 28, 2011 at 6:55 PM, Lupel  wrote:

> I've also tried to boot and install with pfSense 1.2.3 image and
> everything worked just fine. Seems to be a problem with pfSense-2.0-RC1
> or at least with its installer. Is it possible?
>

pfSense 1.2.3 was based on FreeBSD 7.2 (if I remember correctly).
pfSense 2 is based on FreeBSD 8.1 .
Basically any driver changes in FreeBSD are also in pfSense.


Re: [pfSense Support] A REALLY Simple Question, Really

2011-04-29 Thread Yehuda Katz
On Fri, Apr 29, 2011 at 4:49 PM, Mehma Sarja  wrote:

> Alix running pf 20 RC1 nano. Trying to change from default 192.168.1.x
> network to 192.168.100.x on the LAN interface - nothing fancy.
>
> WHAT I DID
> With DHCP enabled and serving on 192.168.1.x, tried to change LAN ip using
> the web GUI. I can guess why it does not work - DHCP is trying to serve on
> the old network and the LAN is trying to change its network. Don't get any
> love on either network. Turning DHCP off - figured I'd assign my laptop a
> new address manually since there is no DHCP. Nothing on either network.
>
> I think it's time to go read the book.
>

It might be easiest for you to fix this from the console.
Log in (if you have it configured to require login), then choose option 2
from the menu ("Set interface(s) IP address").
Make sure you enter the DHCP addresses in full: i.e. 192.168.100.x.

- Yehuda


Re: [pfSense Support] Finding the mac of squid users

2011-05-04 Thread Yehuda Katz
On Wed, May 4, 2011 at 6:09 AM, Shali K.R.  wrote:

> Dear Sir,
>
> I can't find any "OT: A Dansguardian package" in packages section, do I
> need to configure it manually?
>
>
> On Wed, May 4, 2011 at 2:16 PM, Benjamin Fromme <
> benjamin.fro...@login-online.de> wrote:
>
>> OT: A Dansguardian package would be so nice!
>>
>
Shali:
"OT:" means "Off Topic". In this context, a request related to your message
but not actually a reply to it.
Benjamin was suggesting that in addition to the Squid and SquidGuard
packages that are available on pfSense, he would like to see a
DansGuardian package.


Benjamin:
I was planning to submit a package for it, but due to recent announcements
by the project, I will not.
The problem is that DansGuardian has a large backlog of fixed bugs that have
not been put into a release yet since almost all of the development is done
by SmoothWall developers in their spare time (of which they have none).
SmoothWall has spun-off DansGuardian3 into a new commercial project and
unless the DG2 project becomes more open to the community, it will likely
die.
(Just check out the commit log on the SourceForge SVN server
[link]
and you will see how much development has happened in the last year: 14
commits in 2010, 2 so far in 2011. The last stable release was 05-Jun-2009.)

- Y


Re: [pfSense Support] Blocking Windows Machines

2011-05-05 Thread Yehuda Katz
On Thu, May 5, 2011 at 11:56 AM, Karl Fife  wrote:

> To prevent 'automatic' configuration of routers, pfSense DHCP can be
> configured trivially to only issue DHCP leases to known hosts (based on mac
> address), but naturally it wouldn't prevent someone from manually
> configuring IP settings or mac spoofing.
>

I tried that...

Unless you can prevent physical connections to the network (including
physically locking any current connection and open port, and MAC address
filtering won't do it either) your users will always find a way to connect.

- Yehuda


Re: [pfSense Support] 802.11n AP success?

2011-05-05 Thread Yehuda Katz
On Thu, May 5, 2011 at 4:58 PM, Josh Karli  wrote:

> Has anyone had any success in setting up a wireless N AP? According to the
> 2.0-RC1 record of tests on wireless cards, only the Marvell 802.11n card
> works, but the only n card I could find of theirs is mini-PCIe. Does anyone
> have any success to report for other n cards, or any success in using the
> Marvell mini-PCIe card in a mini-PCIe-to-PCIe adapter (for use in a tower)?
>

There is currently no way to use a wireless-n card with pfSense.
When you put in the N card it will fall back to G if it can or it won't
work.

FreeBSD (on which pfSense is based) added support for wireless-n, but there
are no drivers that support it yet.

- Y


Re: [pfSense Support] COM-port Watchguard Firebox X500 with 2.0-RC1

2011-05-07 Thread Yehuda Katz
On Sat, May 7, 2011 at 8:48 PM, Dimitri Rodis  wrote:

> I hate to break it to you guys, but this has been an issue for quite a
> while in the 2.0 builds (8-9 months now). Not quite sure what started it
> happening, but I did experience this behavior way back then, and still do
> when I try the builds on it every now and then.
>

Well, if you know that it has been happening for a number of months you
should have checked into it right away.
Builds remain on the snapshot server for almost a month (it looks like;
there are 38 builds there right now).
Now that those older builds don't seem to be available anymore, it will not be
as easy to find the approximate commit that causes the problem.

A general overview of how to find a bad commit (what I do at least):
Download the last build, try it and see if you have the problem. If not, you
know the change was made after it.
If you have the problem, move back to another build and try again.

- Y


[pfSense Support] pfSense Git resources

2011-05-18 Thread Yehuda Katz
Is there any chance the documentation on http://devwiki.pfsense.org/ about
the Git setup will be updated to include how to connect to the mainline on
GitHub instead of rcs?

- Y


[pfSense Support] PHP Exceptions?

2011-05-26 Thread Yehuda Katz
I am working on http://redmine.pfsense.org/issues/1437 and running into a
strange problem and I thought I would ask about it before I spend a long
time digging through the source.
I thought the only foolproof way to return openssl errors would be to wrap
them in an exception and throw it, but it seems that the exception never
makes its way to be visible on the page. Even stranger, the action that does
happen appears to be random. I try to generate a CSR with an invalid country
field. Sometimes the CSR is generated, other times a self-signed cert is
generated (I did not test them and they are probably not valid, but
something is added to the config), but the exception never shows up.
Comments?


Re: [pfSense Support] PHP Exceptions?

2011-06-04 Thread Yehuda Katz
On Sun, Jun 5, 2011 at 12:33 AM, Simon Cornelius P Umacob <
simon...@gmail.com> wrote:

> Hi Yehuda,
>
> I've encountered this problem some time ago too.  The simple fix was
> to limit the country field to two characters only.  I'm not sure why
> your exception never makes its way to the page (there's a try/catch
> block, right?) -- perhaps it's because errors are disabled in
> php.ini...
>

I am in the habit of putting a fake country in my certificate requests
(since StartSSL rewrites them anyway), which is the error that I am getting.

Yes, the point is that I am trying to create a wrapper around the openssl_
function calls to catch any errors thrown by them, but the exceptions never
make it through the pipe (so to say).

- Yehuda
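As an added illustration of the wrapper described in this thread (example code written here, not pfSense's own; the function names are hypothetical and the DN values are constructed), one way to turn a silent openssl_csr_new() failure into a thrown exception, draining the OpenSSL error queue so the message that reaches the page belongs to this call and not to an earlier one:

```php
<?php
// Added example, not pfSense code. Function names are hypothetical.

class OpensslException extends RuntimeException {}

/**
 * Collect every pending message from the OpenSSL error queue.
 * The queue is process-global: entries left behind by earlier openssl_*
 * calls would otherwise be reported against the current request.
 */
function openssl_drain_errors(): array {
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/**
 * Reject the DN before OpenSSL sees it: the X.509 countryName attribute
 * must be exactly two characters, which is the field that failed here.
 */
function validate_dn(array $dn): void {
    if (isset($dn['countryName']) && strlen($dn['countryName']) !== 2) {
        throw new InvalidArgumentException(
            'countryName must be exactly 2 characters, got "' . $dn['countryName'] . '"'
        );
    }
}

/** openssl_csr_new() that throws instead of returning false. */
function csr_new_or_throw(array $dn, $privkey, ?array $options = null) {
    validate_dn($dn);
    openssl_drain_errors();                  // discard stale queue entries
    $csr = @openssl_csr_new($dn, $privkey, $options);  // silence the E_WARNING
    if ($csr === false) {
        throw new OpensslException(
            'openssl_csr_new failed: ' . implode('; ', openssl_drain_errors())
        );
    }
    return $csr;
}

// Constructed usage: catch at the point the page is rendered and print the
// message explicitly rather than relying on display_errors in php.ini.
try {
    $key = openssl_pkey_new(['private_key_bits' => 2048,
                             'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = csr_new_or_throw(['countryName' => 'USA',
                             'commonName'  => 'example.test'], $key);
} catch (Exception $e) {
    echo 'CSR error: ' . $e->getMessage() . "\n";
}
```

With the three-letter country above, the InvalidArgumentException is raised before OpenSSL is called; remove validate_dn() to see the drained OpenSSL queue message instead.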


Re: [pfSense Support] Fwd: m1n1 device w/ ath wireless

2011-07-19 Thread Yehuda Katz
On Tue, Jul 19, 2011 at 3:58 PM, Chris Brennan  wrote:

>
> OK, I understand now. Thank you. I can browse to my IP and see my local
> web-server from my VPS. The reason I point this out is because when I
> had my linksys (WRT54G) in place, I could navigate to
> http://my_ip:2500/~chris/ and it would work just as if I was
> external, but that isn't working now. Was this some automagical
> configuration of the Linksys? (which btw was running DD-WRT) Or do I
> need to enable some kind of configuration w/i pfSense for this to work?

You are looking for NAT reflection.
I do not have a 1.2.3 box to test it with, but I think it is in the
System->Advanced section.

- Yehuda


Re: [pfSense Support] To integrate AD users to specific rule groups

2011-07-30 Thread Yehuda Katz
2011/7/30 Vaughn L. Reid III 
>
> The Squid Package for PFSense looks like it will authenticate to a local
> database, Radius, LDAP, or NT Domain.  There are also some ACL capabilities
> in the SquidGuard package.  I'm not aware of any way to configure firewall
> rules on PFSense that communicate with an authentication back-end.
>
Squid will usually authenticate as the user logged in to the computer, not
as an arbitrary user.
This works very well in a school or office environment where each user can
be expected to log into Active Directory (and therefore their username will
match in Squid). This does not work so well in a bring-your-own-equipment
situation or where users share a computer/domain login and authenticate with
the captive portal.
We are currently working on a Squid extension that will allow for a web form
to change the filtering level, but unfortunately I do not have a time
frame for when it will be ready.

- Y