1  pfSense English Support / Captive Portal / About attacks on the voucher system on: December 17, 2012, 04:20:44 am
pfSense is mentioned as an example of "odd RSA implementation" that provides questionable security, in a paper at IACR.

References:
http://eprint.iacr.org/2012/588
http://doc.pfsense.org/index.php/Captive_Portal_Vouchers


"In particular users of the pfSense voucher system are urgently recommended to choose the
magic number employed in generating and verifying the voucher codes (see [4]) at random,
keep it secret and change it regularly in order to prevent the known-plaintext attack described
above."


CU
2  pfSense English Support / General Questions / [solved] Re: Trashed RRD graphs on: April 06, 2012, 12:02:31 pm
It turned out that also the "libpng.so.6" was missing, after transferring the files with pscp (from a virtual installation) it seems the graphs are live again.

3  pfSense English Support / webGUI / Re: File upload don't work in 2.0.1 on: April 06, 2012, 08:57:10 am
I am using Firefox11 on Windows7. It works fine for me uploading to a nanobsd system, on 2.0.1 and 2.1. After browsing to the file then pressing upload the top of the display says:
Uploaded file to /tmp/filename
and executing "ls -l /tmp/filename" lists the file as expected.
So there must be something else special about your environment.

I'm seeing some problems for sure, I guess that Squid f*cked more stuff up somehow perhaps then.. This was a freshly installed box though, actually only the various Squid packages have been added and messed with. I guess I'll do a reinstall soon if things don't start to work as expected.

4  pfSense English Support / webGUI / File upload don't work in 2.0.1 on: April 01, 2012, 06:15:27 am
File upload via Diagnostics|Command prompt|Upload doesn't work.

I have double checked this and compared to a 1.2.3-R that I have running.

In 2.0.1 when selecting and then pressing 'upload' of a file no message is shown on top and the file isn't found in the system either. Not in /tmp and not anywhere else either.

In 1.2.3-R this works very well, message is prompted back on top of page that the particular file was uploaded to /tmp and it's easy to verify, by using ls in the command window on the same page for example, that this is the case.

Since this is a very handy feature and since it used to work it's unfortunate that it stopped doing so.

Both tests are done using the same browser, Ffox 11

5  pfSense English Support / General Questions / Re: Trashed RRD graphs on: March 30, 2012, 11:38:44 am
Here is a copy from my box. It's the 32bit version of 2.0.1, don't use it if you're not running that.
https://sites.google.com/site/pfsensefirebox/home/libfreetype.so.9.png?attredirects=0&d=1
Remove the .png extension, the file should be 535,125 Bytes.

Steve

Edit: Trouble downloading that, use this:
https://sites.google.com/site/pfsensefirebox/home/libfreetype.so.9?attredirects=0&d=1

Thanks for helping out, I'll try to test this.
6  pfSense English Support / General Questions / Re: Trashed RRD graphs on: March 29, 2012, 12:13:14 pm
Do you have libfreetype.so.9 in /usr/local/lib?

I suspect it was incorrectly removed as part of a package uninstall.

Steve

No I don't, I see it's complaining about it in the log.
How do I get it back? Could I install another pfsense and copy the file over? Would that work?..

I would like to have RRD graphs..

7  pfSense English Support / General Questions / Trashed RRD graphs on: March 28, 2012, 01:10:16 am
My RRD graphs are trashed and gone, see pic.

How to fix?

What I have done lately is the following:

The captive portal was not working, due to the usual problem with Squid. Even after I uninstalled squid it didn't work(!). I couldn't uninstall Lightsquid though (got error messages about something not being able to be found) so I reinstalled Squid followed by immediate uninstall of first Lightsquid and then squid. After a reboot it all seems to work then as expected, including the Captive Portal.

Apart from the RRD graphs now not working then.

I assume one of the installations/uninstallations recently trashed them, which one?
And how to fix?

TIA,


8  pfSense English Support / OpenVPN / Re: TLS-tunnel as interface and acting as server simultaneoulsy in 2.0.1? on: March 24, 2012, 05:10:03 pm
It should all work fine though with that redirect-gateway def1 on there it may be doing something funny like sending traffic back via that other tunnel instead of directly.

I have now double checked this and here are my findings.

What I need to be able to do before it's working for my needs, are all of the below:

a. tunnel working for outbound traffic
b. tunnel being able to handle directing outbound traffic via fw rules (policy routing)
c. tunnel being able to accept incoming traffic, just like the WAN,
  being able to run a SMTP service behind the tunnel for instance. This means you can
  (must) add port forwards and fw rules.

I have ordered and set up a test tunnel.

(I'm skipping most of the setup stuff)

I disable/enable client config, triggering the tunnel to be set up.

These routing entries are added:

0.0.0.0/1    10.8.6.245    UGS    0    13    1500    ovpnc3    =>
10.8.6.241/32    10.8.6.245    UGS    0    11    1500    ovpnc3    
10.8.6.245    link#15    UH    0    0    1500    ovpnc3    
10.8.6.246    link#15    UHS    0    0    16384    lo0    
128.0.0.0/1    10.8.6.245    UGS    0    33    1500    ovpnc3    

My local IP is 10.8.6.246
Tunnel remote endpoint is 10.8.6.245
Tunnel GW is 10.8.6.241

I am unsure whether the advice given on the forum to choose the type of GW to "none" is the most correct one. I think I got it working using that setting though.

I rather quickly got outbound traffic working but inbound seems more uncertain than in 1.2.3, at least that's my assertion right now.

I have set up (as I did on 1.2.3) a GW with static IP, 10.8.6.246 in this case.

So basically what you do is look at the pushed info from the server side and add the local IP as the static IP address.

openvpn[14144]: PUSH: Received control message: 'PUSH_REPLY,route-delay 2,route-metric 1,dhcp-option DNS n1.nn.nn.nn,dhcp-option DNS n2.nn.nn.nn,route 10.8.6.241,topology net30,ping 10,ping-restart 60,ifconfig 10.8.6.246 10.8.6.245'

NOW: pinging in from the outside works. And connecting to a mail server works.
NOTE: I have now NOT removed the routing entries being added.

However now all PCs are being pushed through the tunnel.

I now add an explicit rule forcing this one PC I'm testing on, to use the default GW instead, I even reset states to be sure. It still is pushed through the tunnel. The fw rule is not having any effect.

The only way I can get the fw rules to do their job is to remove the first and last entries above.

NOW: I remove the route entries. I don't reset states.

EFFECTS ARE:
1. policy routing now immediately starts working. I can force the PC by fw rules to use EITHER default or strongvpn gw
2. Inbound traffic stops working. All of a sudden I can't ping in or reach the mail server.

I don't really see the logic in "2" happening here.

Just to test it I reset states. No different. I don't restart (can seldom restart this machine on the fly due to other users)

The "2" from above is AFAICT different from 1.2.3. I used this exact procedure to get all a/b/c above working, but seem not to be able to do so in 2.0.1.

So, it looks like it's either:
1. all outbound traffic through tunnel and inbound traffic working
OR
2. policy routing enabled for outbound traffic and no inbound traffic


INBOUND traffic above is referring to traffic INITIATED from the outside.


I'm hoping I'm missing something here and it's possible to get it working in 2.0.1. I do know that all these features were working in my 1.2.3 setup.

9  pfSense English Support / OpenVPN / Re: TLS-tunnel as interface and acting as server simultaneoulsy in 2.0.1? on: March 07, 2012, 07:52:55 am
You can have as many separate OpenVPN servers and clients as you want, with or without TLS, with or without auth (on the server side). 2.0.1 can do a lot more with OpenVPN than 1.2.x could.

Ok, and it doesn't matter if any of those client configs are system gateways then?

I got the whole thing working again yesterday in 2.0.1, having a StrongVPN tunnel set up as gateway with policy routing. However about that time the 2 OpenVPN servers I had added to the system stopped working fully. Before everything worked including surfing via the tunnels (and at first I did not have any AON added which puzzled me).

NOTE to those interested in these kinds of setups
Many seem to forget to remove the routing entries added by the "redirect-gateway def1" directive that typically is used.
I simply give the commands del net 0.0.0.0/1 and 128.0.0.0/1 to do so.
It's also easy to forget that those are added after reboots..

10  pfSense English Support / Firewalling / FW associated rules malfunction on: March 07, 2012, 06:34:15 am
Hi,

I have edited a NAT-rule for WAN, changing the target IP from one alias to another. Seems ok in NAT rule.
However FW rule is not changed automatically, that is the idea right? Furthermore I cannot edit the FW rule since it's an associated rule...

How to fix?
Should I stay away from these kinds of associated rules?

-- added 7/3

Unfortunately I seem to have noticed more strange things. When trying to add rules with "Add unassociated filter rule" that does not work. The NAT mapping is added and the associated icon is not shown for the rule however there is no fw rule added at all. This worked in 1.2.3.

11  pfSense English Support / OpenVPN / TLS-tunnel as interface and acting as server simultaneoulsy in 2.0.1? on: February 25, 2012, 06:12:40 am
I used 1.2.3 with TLS-tunnel as one of the interfaces (StrongVPN) for both incoming and outgoing traffic (using policy routing for some outgoing traffic). If I remember correctly there was some issue that prevented me from having that set up in the fw and at the same time using the fw as VPN-server accepting roadrunners.

I remember also doing a lot of testing with other VPN alternatives at the same time and having some problem getting PPTP to work when redirected etc.

The way I did then was to simply set up a second pfSense in a virtual environment that acted as VPN server for those users connected from the outside.

Regardless of whether or not I do remember correctly about what actually did or not work in 1.2.3, does this work in 2.0.1? Can I have one or more tunnels to providers, using them as interfaces for both incoming/outgoing traffic and also using the same system for mobile users?

TIA,

12  pfSense English Support / OpenVPN / Re: OpenVPN 2.2.1 -- released on 2011.07.06 on: February 25, 2012, 06:01:18 am
Ok cool. :)

I am paranoid about security so wanted to make sure it doesn't have any SSL certificate exploits that I've been hearing about lately.

Darkk


http://blog.pfsense.org/?p=633

13  pfSense English Support / OpenVPN / Re: Startup script on: July 12, 2011, 05:43:05 am
I think it's replaced by "route-noexec". This worked for me until last week I upgraded to RC3.
Now pfSense won't see my OpenVPN gateway anymore.

Thanks for the info, I'll check it up.

14  pfSense English Support / OpenVPN / Re: Startup script on: July 11, 2011, 06:48:41 am
If you specify:

Code:
route-nopull

in your custom options it should prevent that route from being pulled. Someone else is doing that with StrongVPN.

It seems this only works in OpenVPN 2.1.x or later so it shouldn't work in pfs 1.2.3-R then I guess.

15  pfSense English Support / OpenVPN / Re: Startup script on: July 11, 2011, 06:35:26 am
If you specify:

Code:
route-nopull

in your custom options it should prevent that route from being pulled. Someone else is doing that with StrongVPN.

Thanks for the info, don't think I've seen that one before.
