[pfSense] Is there a "would it pass"/what-if capability?

2013-03-19 Thread Bryan D.
I've searched both the list archives and forums, though I wasn't sure what phrase would yield results, and have not found an answer to the question: --- Is there a way to ask pfSense something like "would a packet arriving on from be passed to on ?" In short, is there a way to quickly tes

Re: [pfSense] Is there a "would it pass"/what-if capability?

2013-03-20 Thread Bryan D.
luable for (at least preliminary) testing, but would also be good for admins to check whether they seem to have gotten things configured correctly. Bryan D. http://www.derman.com/ On 2013-Mar-20, at 2:51 AM, mayak-cq wrote: > On Tue, 2013-03-19 at 23:19 -0700, Bryan D. wrote: > >

Re: [pfSense] Is there a "would it pass"/what-if capability?

2013-03-21 Thread Bryan D.
ntribute a small amount to such a "would it pass"/what-if capability to be added to pfSense. While I'm a little surprised that something like this doesn't already exist, given its obvious value, I'd also guess that it'd be a rather involved task. On 2013-Mar-20, a

[pfSense] OpenVPN Keep-Alive Setting

2014-01-28 Thread Bryan D.
I hope I'm not just having a "senior's moment," but I can't find any place on the GUI where the OpenVPN server's keepalive option is set but one is being generated in the server config file. I'm running pfSense 2.1 release. Couldn't find an answer via the pfSense forums or via Mr. Google nor c

[pfSense] Run-Away Processing Issue

2014-02-18 Thread Bryan D.
I have a problem that I've been unable to make much progress with and could use some suggestions on how to proceed. The problem is that whenever the WAN interface link on the pfSense box goes down, pfSense goes into some sort of loop/run-away condition and requires a reboot. This problem is 10

Re: [pfSense] Run-Away Processing Issue

2014-02-23 Thread Bryan D.
On 2014-Feb-19, at 6:17 AM, Jim Pingle wrote: > Try pfSense 2.1.1. There were some issues with link cycling in certain cases > that you might be hitting which were fixed on 2.1.1. > > https://forum.pfsense.org/index.php/topic,71546.0.html > > Jim > > On 2/19/2014

Re: [pfSense] multiple openvpn instance routing issue.

2014-02-26 Thread Bryan D.
is the usual "Interface Address" setting) I still don't understand why routing doesn't take care of it and why NAT is required for certain things to work, but this was the only way I could get it to work in my setup. Of course, I'd like to be "educated" if som

Re: [pfSense] Multiple static IPs from one ISP - Virtual IPs? - Trying this again

2014-03-03 Thread Bryan D.
On 2014-Mar-02, at 11:52 PM, Ryan Coleman wrote: > How do I set up multiple static addresses? I used Virtual IP to create x.2 > and I can ping it internally but not externally. > > I’ve tried using guides I’ve found online but I cannot seem to get them to > work. > > What I want to do is have

Re: [pfSense] Multiple static IPs from one ISP - Virtual IPs? - Trying this again

2014-03-03 Thread Bryan D.
Is the VIP CARP or IP Alias? ... according to the VIP capabilities chart, they're the only VIP kinds that can do ICMP: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses? Since we don't allow ping-response, I thought I'd test this theory. All 3 of the following worked (LAN routing

Re: [pfSense] Multiple static IPs from one ISP - Virtual IPs? - Trying this again

2014-03-03 Thread Bryan D.
PiBA was correct: only the WAN rule is required for pings (learn something new every day!). My testing was via an outside network as pings always work internally, with our setup. Previously you wrote: I’ve done this, but I won't route traffic out (NAT) until I have verifiable traffic coming in

Re: [pfSense] pfsense openvpn Road Warrior

2014-03-19 Thread Bryan D.
On 2014-Mar-19, at 2:24 AM, A Mohan Rao wrote: > Hello Team, > > Hello, > i have configured openvpn road warrior also client is properly connected > from outside internet network. > but not able to access server end network and servers's. > can anybody give any help where is do any wrong steps.

[pfSense] Unable to access via static route

2014-03-25 Thread Bryan D.
I have an issue that I've been unable to solve and could use some suggestions (or confirmation that it can't be done). Background -- The problem is that I can only access IPs on the other side of a VPN connection via a static route when on one of our LANs. Here's an overview of the setu

Re: [pfSense] Interface yoyo

2014-04-20 Thread Bryan D.
On 2014-Apr-20, at 12:33 AM, Volker Kuhlmann wrote: > Ever since upgrading to pfsense 2.1 I have been let down by it. It looks > like there are multiple issues and I am trying to separate them. One is > system suicide by memory gobbling - but it's been a little tricky to > find out why exactly.

Re: [pfSense] Interface yoyo

2014-04-21 Thread Bryan D.
On 2014-Apr-21, at 6:28 AM, Jim Pingle wrote: > > > The Spoofed MAC address issue was a problem in the past with certain > drivers that sounds very similar because it got into a chicken-and-egg > scenario that went a little something like this: > > * pfSense sets the MAC address > * The NIC dr

Re: [pfSense] Network Topology - Home Lab

2014-06-29 Thread Bryan D.
The clients need to know to route all > traffic for 10.0.0.1/24, 192.168.10.0/24, 192.168.20.0/24, and possibly > 172.16.0.0/24 over the VPN connection). I've put up a bunch of stuff on iOS VPN with pfSense that could be of some help in this: http://www.derman.com/blogs/Sett

Re: [pfSense] pfsense, IPSec, and Mac OS X

2014-08-20 Thread Bryan D.
e XML) would also work with OS X. If you try it and it does, please post a comment on the site (and elsewhere?) so others can also benefit. Bryan D. http://www.derman.com/

Re: [pfSense] Route OpenVPN traffic to the available IPSec tunnels

2014-12-26 Thread Bryan D.
On Wed, Dec 24, 2014 at 5:15 AM, Lorenzo Milesi wrote: > Hi. Is it possible to route OpenVPN clients to the available IPSec routes? > > I currently have 3 IPSec tunnels on my pfSense, and seldom I need to access > those routes outside my office. Is it possible to do so? > In my firewall rules

Re: [pfSense] viscosity, openvpn, and pfsense

2015-01-19 Thread Bryan D.
On 2015-Jan-19, at 1:48 PM, Jeremy Porter wrote: > The configuration your trying to use in pfsense is TLS Authentication, > which is a static (shared) TLS key. > > In the Server Mode box, you need to select SSL/TLS or SSL/TLS User > authentication. > You will need to configure your CA and Openv

Re: [pfSense] Multiple Roadwarrior OpenVPN on my PFSense server

2015-01-20 Thread Bryan D.
On 2015-Jan-19, at 8:28 PM, Mark Wass wrote: > > > I've checked my WAN firewall rules and can see that the Wizard has added an > open port to 1196 in the rules. > > Is there some sort of rule that does not allow me to have multiple OpenVPN > servers running? I have 3 other PFSense site-to-si

[pfSense] Suddenly getting pfi_table_update errors

2015-02-17 Thread Bryan D.
I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 GB of memory that always shows <50% used. This setup has normally been reliable but, since upgrading to 2.1.5, today is the 4th time I've run into a problem after making changes to some aliases. For some reason that

[pfSense] Suddenly getting pfi_table_update errors [work-around]

2015-02-19 Thread Bryan D.
I think this issue has been solved: - issue was errors similar to: --- [ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - The line in question reads [0]: ] --- and/or an error indicating that it can't allocate memory (but there's over 50% of the memory reported as be

[pfSense] NIC Offloading Setting Questions

2015-03-03 Thread Bryan D.
Today, having received a pair of SuperMicro AOC-SG-i2 NICs from the pfSense store, I asked about the applicable pfSense "offloading" settings (via the pfSense contact form). Receiving an oblique (non-)response, I re-sent a query that included the following text: --- [...] specifically, what sh

Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Bryan D.
"(we) use these settings" response. So your effort can be of maximum benefit, I've submitted a slightly edited/formatted version of this to be included in the Wiki's applicable pfSense documentation page. Bryan D. http://www.derman.com/

Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Bryan D.
On 2015-Mar-04, at 2:08 PM, Jim Thompson wrote: > >> On Mar 4, 2015, at 2:02 PM, Bryan D. wrote: >> >> On 2015-Mar-04, at 6:20 AM, compdoc wrote: >> >>> For me, what happens after enabling or disabling those settings are >>> immediately apparent

Re: [pfSense] NIC Offloading Setting Questions

2015-03-05 Thread Bryan D.
On 2015-Mar-05, at 11:46 AM, Chris Buechler wrote: > The description of what's enabled/disabled got confused from Jim's > earlier post I think. LRO and TSO are both disabled by default, > hardware checksum offloading is enabled by default. Just for the record, Jim's message ended with: --- It’s

[pfSense] VIPs : CARP vs IP Alias

2015-03-08 Thread Bryan D.
While we're on the topic, I have a functioning v2.2 setup that uses a /29 set of static IPs: - 1 IP is the gateway address and 5 IPs are "usable" (quite common, I believe) - one of the "usable" IPs is assigned to the WAN interface - the other 4 "usable" IPs are assigned to VIPs - the WAN IP and VI

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-08, at 3:53 PM, Espen Johansen wrote: > I believe the key to this is proxy arp. > > Brgds, Espen > 8. mars 2015 23:50 skrev "Bryan D." : > >> While we're on the topic, I have a functioning v2.2 setup that uses a /29 >> set of static IPs:

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 2:38 AM, Brian Candler wrote: > On 09/03/2015 09:33, Bryan D. wrote: >> So, for what I'm doing, an IP Alias VIP seems like it should work where a >> CARP VIP works -- but it doesn't appear that a Proxy ARP VIP should, since I >> think I'

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 2:43 AM, Chris L wrote: >> On Mar 9, 2015, at 2:38 AM, Brian Candler wrote: >> >> On 09/03/2015 09:33, Bryan D. wrote: >>> So, for what I'm doing, an IP Alias VIP seems like it should work where a >>> CARP VIP works -- but it d

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 2:56 AM, Brian Candler wrote: > On 09/03/2015 09:51, Bryan D. wrote: >> So it sounds like the IPsec and OpenVPN traffic would be such traffic? > IPSEC traffic is addressed *to* the firewall (at least the IKE stuff on udp > 500 is, since it is received by st

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 3:05 AM, Chris L wrote: > >> On Mar 9, 2015, at 2:56 AM, Brian Candler wrote: >> >> On 09/03/2015 09:51, Bryan D. wrote: >>> So it sounds like the IPsec and OpenVPN traffic would be such traffic? >> IPSEC traffic is addressed *to* the fir

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 3:11 AM, Chris L wrote: > >> On Mar 9, 2015, at 3:07 AM, Brian Candler wrote: >> >> On 09/03/2015 10:05, Chris L wrote: Are you saying you want different clients' IPSEC tunnels to terminate on different public IP addresses on the firewall WAN side? That I've never

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Bryan D.
On 2015-Mar-09, at 3:34 AM, Matthias May wrote: > A CARP address has its own MAC. The IP alias shares the MAC of its parent > interface. > If you change this while running, your upstream routers/switches will have > the wrong MAC address for your IP cached. > Sending a GARP might help with thi

[pfSense] How to troubleshoot

2015-03-10 Thread Bryan D.
I have a v2.2 64-bit config running on a Core2 Duo system. The config uses a number of aliases (including aliases that include other aliases, etc.). Rules are based upon the aliases (du-oh!). PROBLEM: if I change the name of 1 of the IP aliases, the name of the corresponding table doesn't cha

Re: [pfSense] Follow-Up -- VIPs : CARP vs IP Alias

2015-03-10 Thread Bryan D.
hould only have to do a quick read-through before adding the material ... which means that it's likely to get done. Thanks, again, to all who participated. On 2015-Mar-09, at 6:57 AM, Jim Pingle wrote: > On 03/08/2015 06:50 PM, Bryan D. wrote: >> My interpretation of the nice c

[pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-21 Thread Bryan D.
We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2 offices since 2008 (pfSense 1.2 IIRC) and it's: - been ultra reliable (if VPN is down, suspect ISP issue or pfSense box failure) - it's been quick to connect (about 1 second, almost unnoticeable) - it's worked across numerous upgrad

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-23 Thread Bryan D.
FWIW, since my original report, I've noticed some other things: - since it's not yet "deployed," the v2.2.1 (at both ends) site-to-site IPsec VPN has only 1 laptop and 1 wireless access point on the LAN and virtually nothing else happening on the WAN (it's tied to a cable modem) - the condition

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-23 Thread Bryan D.
On 2015-Mar-23, at 5:24 PM, Chris Buechler wrote: > There's nothing to go on to offer any worthwhile suggestions. IPsec > logs best place to start. If you can be more specific, I'll try to help. Sorry, but I don't have enough background with IPsec to ferret things out on my own. I did try se

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-25 Thread Bryan D.
On 2015-Mar-23, at 7:34 AM, Christopher CUSE wrote: > just got dropped again -- fourth time in last few hours -- something is > definitely wrong. > > upgraded all my pfsenses to 2.2.1 over the weekend. For me, the VPN drops in the absence of "end-to-end" traffic ... within minutes. The fact t

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-26 Thread Bryan D.
On 2015-Mar-26, at 4:01 PM, Chris Buechler wrote: > Go to System>Advanced, System Tunables, and add a new tunable there. > Name net.key.preferred_oldsa, value 0, then save and apply changes. > That have any impact on things? Executive summary: no. Here's what I did: - created/applied tunable at

Re: [pfSense] IPSec Site to Site problems

2015-04-02 Thread Bryan D.
On 2015-Apr-02, at 5:57 AM, Jochem de Waal wrote: > Hi All, > > The last few weeks there was a lot of discussion about IPSEC in pf2.2 and > 2.2.1 I'm the person who originated that discussion and did sent some info to Chris, directly. He responded and I have a task to gather some logs, which

Re: [pfSense] NTP failure in 2.2.1?

2015-04-08 Thread Bryan D.
On 2015-Apr-08, at 5:37 PM, Adam Thompson wrote: > I'm running 2.2.1-RELEASE (i386) in a new install, and everything's working > great so far (or as great as the FUBAR layer 2 lets it work...) except for > NTP. > > No matter what NTP server I pick, it sits in .INIT. state forever. > Stopping

Re: [pfSense] sun qfe status?

2015-04-11 Thread Bryan D.
On 2015-Apr-11, at 2:22 PM, Adam Thompson wrote: > I recall seeing reports of problems with Sun 'qfe' (quad-port hme) interfaces > on this list previously; does anyone know what the current status is? Do > they work properly in 2.2.1 i386? > Thanks, > -Adam I'd reported a "runaway process" is

Re: [pfSense] NTP failure in 2.2.1?

2015-04-13 Thread Bryan D.
On 2015-Apr-11, at 12:51 AM, Fabian Wenk wrote: > I had a similar problem, but already when switching from 2.1.x to 2.2. I got > it working again with not selecting any interface(s) in the NTP Server > Configuration. I've created a bug report (https://redmine.pfsense.org/issues/4604) with an

[pfSense] Question about IPsec VPN setting (pfSense 2.2.2)

2015-04-19 Thread Bryan D.
While testing the previously discussed "stalling connections" with v2.2.1 IPsec -- which still exist with v2.2.2 (expected as the release notes give no indication of a fix) -- I noticed (what I suspect is) a new bug (https://redmine.pfsense.org/issues/4640). After updating from 2.2.1 to 2.2.2,

Re: [pfSense] ipsec and routing

2015-04-24 Thread Bryan D.
On 2015-Apr-24, at 7:37 AM, Gregory K Shenaut wrote: > I have two pfSense boxes connected via an IPSEC tunnel. > > I'm confused about whether a route gets added automatically to the remote > network end of an IPSEC tunnel when the tunnel comes up. > > However, currently the tunnel can be up,

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-09-04 Thread Bryan D.
On 2015-Sep-04, at 1:18 PM, David Hatch wrote: > We are having all the same symptoms above. All of our firewalls are > running 2.2.4. Everything that has 2 phase 2 entries is on IKE v2. ... > > Has anyone figured this out? ... nothing I can do will fix it short of pinging > from > a non-pfsens

Re: [pfSense] Routing some trafic throught OpenVPN

2015-09-25 Thread Bryan D.
On 2015-Sep-15, at 11:39 PM, Andrej Ferčič [PCklinika] wrote: > Hello! > > I am sure that this issue has been already discussed, but I can not find any > archive. So, please give me some directions where to search or any link to > thread containing the following: > > 1. Is there any routing th

Re: [pfSense] client VPN on IOS

2015-09-25 Thread Bryan D.
On 2015-Sep-15, at 6:18 AM, Ray Bagby wrote: > Greetings, > > Anyone have any luck connecting iPhone via VPN? > You can also see: http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN

Re: [pfSense] Aggregated WAN traffic

2016-05-10 Thread Bryan D.
On 2016-May-10, at 10:14 AM, WebDawg wrote: > Usually the only thing that you > can do in this situation is put your connection at its lowest setting > and control the connection from there. The problem with this is that > the connection will always be this lowest speed. FWIW, our connection is

[pfSense] IPv6 cross-LAN access problem to virtualized host

2016-05-17 Thread Bryan D.
I'm in the process of enabling IPv6 on a working IPv4 3-LAN, 2-WAN setup using pfSense 2.2.6 (I'm also in the process of testing 3.0 and did a cursory test and got the same results with our 3.0 test setup). We're getting IPv6 via a Hurricane Electric tunnel. There are 3 LANs each with a /24 IP

[pfSense] Unbound connections: excessive???

2016-05-22 Thread Bryan D.
On pfSense 2.2.6, I switched from dnsmasq to unbound. Resolver/unbound is configured for DNSSEC (i.e., no forwarding) and has about 150 overrides to function as our internal/split DNS (with 5 domain overrides for internal/private-address reverse lookups). The "Network Interfaces" setting has o

[pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
How does one determine the currently supported packages for the current released version of pfSense without installing pfSense first? I did find https://doc.pfsense.org/index.php/Features_List but, since there's no stated pfSense version associated with the page and since I've found it to be i

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 2:02 PM, Peder Rovelstad wrote: > This help? https://forum.pfsense.org/index.php?topic=8640.0 Thanks, but I don't see anything there that tells me what the current packages are for pfSense 2.3.1 Update 5 (i.e., without having to first install pfSense 2.3.1 Update 5).

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 2:35 PM, compdoc wrote: > I think this is complete: > Thanks. Looks like I can proceed with an update to 2.3. Regardless, I still think there should be a way to authoritatively determine this info via the pfSense web site -- ideally, for all releases, minimally for the cur

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Bryan D.
On 2016-Jun-17, at 4:03 PM, Steve Yates wrote: > I suspect package compatibility is not maintained on per-pfSense-version > basis. Meaning, packages worked on 2.x up until the package changes on 2.3, > and probably will work on into the future until the next breaking change. > > https://doc.pf

Re: [pfSense] Route Issue over Ipsec

2016-08-08 Thread Bryan D.
> Good day, > > I have an issue routing related.. > > I found that page: > https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F > > It represents exactly what I'm having as issue.. > > I did exactl

Re: [pfSense] pfBlockerNG: US IPv6 range size

2016-08-16 Thread Bryan D.
On 2016-Aug-16, at 8:47 AM, Gé Weijers wrote: > Hi, > > Trying to define a pfBlockerNG IPv6 alias for the US. It seems that the > GeoIP database has over a million entries, which causes a crash > > Any idea why the US ranges are this humongous? > I use pfBlockerNG and various other blocki

Re: [pfSense] looking for perfect pfsense box for home?

2016-08-21 Thread Bryan D.
On 2016-Aug-21, at 5:50 AM, Paul Mather wrote: > Even on that page it's incorrect to say it "only" offers the XG-2758. That's > the only one they show in the main table on that page ... There's likely good science behind the fact that nearly all e-stores will present (often overwhelming) deta

[pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread Bryan D.
Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html --- Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid. I tried various incantations using "server:ssl-upstre

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-05 Thread Bryan D.
On 2018-Apr-04, at 10:05 PM, Dave Warren wrote: > I can also confirm that 9.9.9.9@853 does work here which reinforces that > this is a Cloudflare specific issue. - So it looks like the following config works on pfSense 2.2.6's unbound/DNS Resolver (so should work with 1.1.1.1 when Cloudfl

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-05 Thread Bryan D.
On 2018-Apr-05, at 10:47 PM, Dave Warren wrote: > Cloudflare has pushed an update, and things seem to be working from here. For > those having issues, try again now? Thanks for the "heads up." Works for me, also (i.e., on pfSense 2.2.6 configured as stated in previous posting).