I have a number of remote 1.2.3 installations that have OpenVPN
Site-To-Site tunnels back to our main office.
We often route VoIP streams through these tunnels primarily to reduce
the risk of PBX fraud by restricting privileged telephony resources to
our 10/8 subnet.
Am I correct in
To prevent 'automatic' configuration of routers, pfSense DHCP can be
configured trivially to only issue DHCP leases to known hosts (based on
MAC address), but naturally it wouldn't prevent someone from manually
configuring IP settings or MAC spoofing.
As J.C. said, it depends on how much
Can anyone make a recommendation for a pfSense-compatible Mini PCI Wi-Fi
radio that is suitable/compatible for a Soekris 5501. I'm looking for
something that supports 802.11b/g/n on 2.4 GHz. I'll be building this on
2.0RC1.
The Ubiquiti SR71-A would appear to be a great choice, but I've
Question:
My OpenVPN logs contain:
WARNING: file '/var/etc/openvpn_client0.secret' is group or others
accessible
Should I ignore this warning or 'chmod 700' the file to make it only
owner-accessible?
Thanks!
-Karl
- Original Message -
From: Karl Fife karlf...@gmail.com
To: support@pfsense.com
Sent: Wednesday, December 01, 2010 11:46 AM
Subject: Site-to-site IPsec - 1:1 NAT
I'm looking for a bit of help in an IPsec implementation.
Big picture:
We're allowing some of our vendors fulfillment
I'm looking for a bit of help in an IPsec implementation.
Big picture:
We're allowing some of our vendors fulfillment houses to connect their
agents' workstations to our Oracle database via Site-to-site IPsec:
The Problem:
The IPsec tunnel is already configured, and works great except that
- Original Message -
From: Chris Buechler cbuech...@gmail.com
To: support@pfsense.com
Sent: Tuesday, September 07, 2010 8:05 PM
Subject: Re: [pfSense Support] OpenNTP offset sync
On Thu, Sep 2, 2010 at 2:52 PM, Karl Fife karlf...@gmail.com wrote:
We're running Embedded 1.2.3
We're running Embedded 1.2.3 on Soekris 5501.
We ran into a funny situation last week where ntpd was failing to sync even
though the stratum 1 ntp server was reachable, and the OpenNTP service was
running. pfSense offset grew by about 2 seconds per day, and our ntp
clients were in dutiful
If you want to run the full version on embedded, there are lots of SSD's
these days with wear-leveling subsystems to address the write endurance
issue of nand flash memory. Some SSD's (such as Intel's newest SSD family)
even take it a step further by adding extra blocks to swap out when a
DHCP onto 2 servers (failover).
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
That's exactly what I was hoping to hear. I'll post any meaningful
distilled wisdom from our implementation!
THANKS!
-Karl Fife (The original poster, not Tim Dressel
:10 PM, Karl Fife wrote:
I am trying to create a 2-factor authentication system for PPTP on
pfSense, and its feasibility depends upon being able to script the
addition/deletion/modification of PPTP user accounts. Can anyone tell
me what the command-line would be for adding user 'scott' identified
I am trying to create a 2-factor authentication system for PPTP on pfSense,
and its feasibility depends upon being able to script the
addition/deletion/modification of PPTP user accounts. Can anyone tell me
what the command-line would be for adding user 'scott' identified by the
password
We have a couple of pfSense installations that want to 'lock down' their
windows workstations with Win 2K8 Server and Active Directory. As you may
know, normally this requires that Win Server be the DNS & DHCP server.
To clarify, we're NOT talking about MS Small Business Server/exchange and
We've been using DHCP Option 66 'Network booting' in the pfSense console for
provisioning our VoIP telephones. Works great. Only problem is that we
need to use Option 66 for network booting of workstations.
No problem, the telephones will actually FIRST look to for a custom ( non
66 ) DHCP
- Original Message -
From: Chris Buechler cbuech...@gmail.com
To: support@pfsense.com
Sent: Saturday, January 09, 2010 12:24 AM
Subject: Re: [pfSense Support] 1:1 NAT - bind actual external IP to an
optional interface?
On Fri, Jan 8, 2010 at 5:27 PM, Karl Fife karlf...@gmail.com
On Wed, Jan 6, 2010 at 1:26 PM, Karl Fife karlf...@gmail.com wrote:
Thanks for the ideas! It's working with the exception of a traffic shaping
problem.
What I did to set this up is
1. Bridged the OPT interface with WAN, leaving all other fields blank
2. Created a rule on the tab of the OPT
I'd read that embedded pfsense 1.2.3 was going to have some package support
but I was pleasantly surprised to see snort!
I've always understood Snort on embedded to be a bad idea -- certainly for
the obvious reasons (limited embedded CPU power), but also due to the write
limitations of flash
:1 NAT - bind actual external IP to an
optional interface?
On Thu, Dec 31, 2009 at 9:52 AM, Karl Fife karlf...@gmail.com wrote:
Like many, I use 1:1 NAT to give one of my public IP addresses to an
internal
host. This works great for certain applications where the host (such as
Asterisk) is 'smart
Like many, I use 1:1 NAT to give one of my public IP addresses to an internal
host. This works great for certain applications where the host (such as
Asterisk) is 'smart' and can be made aware of the fact that the IP address
bound to its own network interface differs from the one the outside
In some of our locations we will need to abandon embedded pfSense in favor
of a full system so we will have package support.
Does anyone have experience running 'full' pfSense on fanless PICO / ITX
type form factors with an SSD (no moving parts)? Our highest priority is
availability, second
Has anyone here successfully run sipproxd on embedded pfSense?
Reading through the sipproxd how-to docs I don't see any mention of
embedded, which usually means (and correct me if I'm wrong) the full
version.
We don't run the full version in many of our locations because of the higher
expected
it may/will kill off the media faster. If you need to use packages, then
you need to install the full version, preferably on a Hard Drive.
--
From: Karl Fife karlf...@gmail.com
Sent: Wednesday, April 22, 2009 4:31 PM
To: support@pfsense.com
Subject
)
Anybody know what's going on? Any help or pointers are MUCH appreciated!
Thank you!
-Karl Fife
by going into the 4801's combios setup menu and
change the baud rate to 9600--that way you can see the POST messages,
followed by the boot messages. Otherwise you literally have to change the
baud rate to match a given stage of the boot process.
-Karl Fife
Just upgraded to 1.2.2 this morning
1
Tested SVG Graphing on both IE 6 & 7 works on HTTP, but not HTTPS. Nice
work. As documented, I understand the non-support for IE on https if it's
not conforming to de-facto or canonical standards. The HTTP-only support at
least avoids the problem of
Tell them to use a worthwhile browser. The reason the SVG graphs don't
work is because IE is the only browser that doesn't come with SVG
integrated and for whatever reason the plugin has issues if you force
authentication with HTTPS. See the 1.2.2 release announcement for
details. This is a known
It's base 64 encoded, which is easily reversible without SSL. More info:
http://en.wikipedia.org/wiki/Basic_access_authentication
Thanks. This is very helpful.
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For
I just upgraded from 1.2 Embedded to 1.2.1 Embedded:
Is the following a regression?
When using HTTPS for the web GUI:
Status, Traffic Graph DOES NOT WORK:
...with Internet Explorer 6.x
...with Internet Explorer 7.x
...with Google Chrome 1.0.154.36
Status, Traffic Graph DOES WORK:
...with
, December 28, 2008 2:49 PM
Subject: Re: [pfSense Support] 1.2.1 released!
On Sun, Dec 28, 2008 at 3:25 PM, Karl Fife karlf...@gmail.com wrote:
I just upgraded from 1.2 Embedded to 1.2.1 Embedded:
Is the following a regression?
Yep - the SVG graphs used to not require any authentication
in the opposite
direction (about 10% below running traffic alone), but I consider that
to be normal by-product of non-specific resource constraints of the
platform and policy. Comments welcome.
-Karl Fife
On Wed, 29 Oct 2008 10:01:31 +, Paul Mansfield
I think you mean asymmetric rather than half duplex.
Hi Paul.
I do make mistakes, but I did in fact mean to say BOTH asymmetric AND
half-duplex. In other words:
ADSL is Asymmetric AND ALSO half-duplex
SDSL @1.5mbs is Symmetric but only
I ran into a very interesting half-duplex anomaly the other day:
My bandwidth is nominally 2mb/20mb, but is reliably about 1.1mb up and
11mb down
My shaping policy is based on the latter presumptions.
Like most affordable 'net connections (cable, dsl) my speeds are HALF
duplex, unlike expensive
32 matches