Re: [pfSense Support] Static ARP
On 9/1/2011 4:19 PM, Ivanildo Galvão - IT Services wrote:
> What does this function in pfSense DHCP?

The ARP command, and ifconfig.

Static ARP entries are added using the arp command and the info provided in the GUI, and then the interface is configured to be staticarp. It's all handled by the OS then (FreeBSD).

Note that it did not work properly in 1.2.3 (it never applied at boot time, only when saved), but it does work in 2.0. At least it did last time I tried it.

Jim

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
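An added example, not part of the thread or of pfSense: a check of the behaviour Jim describes, comparing FreeBSD `arp -an` output with the intended static mappings to confirm each one was installed as a permanent entry. The interface name `em1`, the addresses and the sample output are constructed.

```python
import re

# Constructed sample of FreeBSD `arp -an` output (not from the thread).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0d:b9:00:00:01 on em1 permanent [ethernet]
? (192.168.1.10) at 00:11:22:33:44:55 on em1 permanent [ethernet]
? (192.168.1.11) at 00:11:22:33:44:77 on em1 permanent [ethernet]
? (192.168.1.12) at 00:11:22:33:44:57 on em1 expires in 1187 seconds [ethernet]
? (192.168.1.50) at 66:77:88:99:aa:bb on em1 expires in 903 seconds [ethernet]
"""
# Constructed IP -> MAC mappings, standing in for the GUI's static entries.
EXPECTED = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:56",
    "192.168.1.12": "00:11:22:33:44:57",
    "192.168.1.13": "00:11:22:33:44:58",
}
ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<iface>\S+)(?P<rest>.*)")

def parse_arp(output):
    """Return {ip: (mac, iface, is_permanent)} parsed from `arp -an` text."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["iface"], "permanent" in m["rest"])
    return table

def audit(expected, arp_output, iface):
    """List (ip, problem) pairs where the live table differs from the intent."""
    table = parse_arp(arp_output)
    findings = []
    for ip, mac in sorted(expected.items()):
        entry = table.get(ip)
        if entry is None or entry[1] != iface:
            findings.append((ip, "missing"))
        elif entry[0] != mac.lower():
            findings.append((ip, "mac-mismatch"))
        elif not entry[2]:
            findings.append((ip, "not-permanent"))  # learned, not installed statically
    # A staticarp interface should hold no learned (expiring) entries at all.
    for ip, (_mac, on, permanent) in sorted(table.items()):
        if on == iface and ip not in expected and not permanent:
            findings.append((ip, "unexpected-dynamic"))
    return findings

if __name__ == "__main__":
    for ip, problem in audit(EXPECTED, SAMPLE_ARP, "em1"):
        print(ip, problem)
```

Run once after saving the mappings and again after a reboot; a mapping that flips to `missing` or `not-permanent` was not reapplied at boot.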
RE: [pfSense Support] Static ARP
> I have a client who was using Linux as a proxy server it had this one LAN interface and a WAN, LAN NIC in the virtual one he had, as follows: eth0: 1, eth0: 2, eth0: 3, so he had:

We kind of already answered this one yesterday... but what you want to do will not work like they had it on the Linux box, and really is not a recommended way to set up a network. It provides NO real security on your network - so what is the reason for segregating?

If it is to provide security, then you may as well not bother because it would be trivial to hop networks at that point. If it is for access restrictions after the firewall - you can do what you want with what was recommended yesterday.

Open up the network with a 192.168.0.0/22
Put the DHCP Range on 192.168.3.1 - 192.168.3.254
Put in STATIC DHCP for devices on 192.168.1.0 and 192.168.2.0
Then set up Rule restrictions for the IP ranges.

The only other option I can think of would be to set up 3 NICs for 3 LANs then plug them all into the same switch. Turn DHCP on all of them, restrict 2 of them to STATIC MAC mappings. I have no idea how that would work, or if it would - but you are welcome to give it a shot. Seems like it would be a broadcast nightmare - but if you want to try it

-Tim
Re: [pfSense Support] Static ARP entries
Okay, upon turning off the `anti-lockout rule`, my ssh is getting SIGTERM. Continuously, every minute. I tried changing its port, but it behaves the same way.

Nov 11 12:05:56 sshd[43770]: Server listening on 0.0.0.0 port 22.
Nov 11 12:05:56 sshd[43770]: Server listening on :: port 22.
Nov 11 12:05:56 sshd[43739]: Received signal 15; terminating.

Endre

On 11/9/05, Szasz Revai Endre wrote:
> Of course, that is normal. But for example any client on the network has access to the captive portal and to echo request, which is normal? If I turn that anti lockout rule off, this shouldn't be possible?
>
> On 11/9/05, Chris Buechler wrote:
>> to the firewall itself, yeah. The anti-lockout rule assures that. You'll have to disable that rule on the advanced page to prevent this.
Re: [pfSense Support] Static ARP entries
I have not tested this yet. Does anyone else have these problems? Does anyone else have static arp entries working properly?

On 11/11/05, Szasz Revai Endre wrote:
> Okay, upon turning off the `anti-lockout rule`, my ssh is getting SIGTERM. Continuously, every minute. I tried changing its port, but it behaves the same way.
>
> Nov 11 12:05:56 sshd[43770]: Server listening on 0.0.0.0 port 22.
> Nov 11 12:05:56 sshd[43770]: Server listening on :: port 22.
> Nov 11 12:05:56 sshd[43739]: Received signal 15; terminating.
>
> Endre
>
> On 11/9/05, Szasz Revai Endre wrote:
>> Of course, that is normal. But for example any client on the network has access to the captive portal and to echo request, which is normal? If I turn that anti lockout rule off, this shouldn't be possible?
>>
>> On 11/9/05, Chris Buechler wrote:
>>> to the firewall itself, yeah. The anti-lockout rule assures that. You'll have to disable that rule on the advanced page to prevent this.
Re: [pfSense Support] Static ARP entries
On Nov 9, 2005, at 11:05 AM, Robert Goley wrote:
> I am trying to replace a FireBox Firewall with pfsense. Our current setup has 5 static IP addresses. The range is xxx.xxx.xxx.138-142. On

I did this transition recently and it went very well. What you want to do is set up an ARP alias in pfsense for each of your IPs. I'd recommend also setting up an alias for each one of them so you can refer to them by name in the configs and make life easy if they ever change.
Re: [pfSense Support] Static ARP entries
I tried adding the ARP entries. That is what this email is about. I was trying to make sure I was doing this correctly. When I added the addresses as single entry per IP (like xxx.xxx.xxx.139/32, xxx.xxx.xxx.140/32) the only one that pfsense answered to was the 139 address. I noticed you could enter these as a whole net, I tried this but only ended up with one alias. Kind of hard to map IPs via nat with only one ARP entry for all the addresses. If you have any additional input I would appreciate it.

Robert

On Wed, 2005-11-09 at 13:51 -0500, Vivek Khera wrote:
> On Nov 9, 2005, at 11:05 AM, Robert Goley wrote:
>> I am trying to replace a FireBox Firewall with pfsense. Our current setup has 5 static IP addresses. The range is xxx.xxx.xxx.138-142. On
>
> I did this transition recently and it went very well. What you want to do is set up an ARP alias in pfsense for each of your IPs. I'd recommend also setting up an alias for each one of them so you can refer to them by name in the configs and make life easy if they ever change.
Re: [pfSense Support] Static ARP entries
Interesting, sounds like a bug. Are these clients on LAN or other interface? I wonder if we made this only work on LAN.

--Bill

On 11/8/05, Szasz Revai Endre wrote:
> Hello,
>
> Why is it, when Static ARP entries are enabled, a user which is not in the DHCP client list still `sees` the server? (can ping, etc) Even if the user uses an ip that is in the list, and the mac is different, it can still connect to captive portal for example. How to get around this?
>
> Thank you.
Re: [pfSense Support] Static ARP entries
These are on LAN, it's weird.. For a client on the LAN, I have deleted a DHCP mac/ip entry, and that client would still have access to the captive portal, or any other service pfsense would offer.

On 11/8/05, Bill Marquette wrote:
> Interesting, sounds like a bug. Are these clients on LAN or other interface? I wonder if we made this only work on LAN.
>
> --Bill
Re: [pfSense Support] Static ARP entries
On 11/8/05, Szasz Revai Endre wrote:
> These are on LAN, it's weird.. For a client on the LAN, I have deleted a DHCP mac/ip entry, and that client would still have access to the captive portal, or any other service pfsense would offer.

So basically there was a static-arp entry prior, then you deleted the account. Which brings a question, after deleting the entry and rebooting, does this fix the problem? It may be as simple as needing to delete the static arp entry from the table when you delete it from the GUI.
Re: [pfSense Support] Static ARP entries
Szasz Revai Endre wrote:
> No, a reboot doesn't fix the error. The problem is, as I see, that no client is denied on the network (none of those who have static ip addresses), everyone has access to this machine (pfsense).

to the firewall itself, yeah. The anti-lockout rule assures that. You'll have to disable that rule on the advanced page to prevent this.
Re: [pfSense Support] Static ARP entries
Of course, that is normal. But for example any client on the network has access to the captive portal and to echo request, which is normal? If I turn that anti lockout rule off, this shouldn't be possible?

On 11/9/05, Chris Buechler wrote:
> to the firewall itself, yeah. The anti-lockout rule assures that. You'll have to disable that rule on the advanced page to prevent this.