

Messages - yarick123

1
Russian / Re: Web interface does not open
« on: May 18, 2018, 02:39:46 pm »
Maybe another device with the same IP address has appeared in your network? Try changing 192.168.0.1 to something else and see what happens.

2
Russian / Re: 2 WANs and a web server
« on: May 09, 2018, 06:21:50 am »
I would simply do split DNS resolving.
If you really do not want that, why not set up routing via wan1 for _everyone_ who goes (from inside) to the web server via the external address?

3
Deutsch / Re: Routing of public IPs
« on: April 30, 2018, 05:15:06 am »
Hello,

My first instinct was to create virtual IPs and a 1:1 NAT? But since I would like to do it properly, I would rather ask.

that is exactly how it works. I use the "CARP" virtual IP type because I have two pfSense boxes. Without CARP I would use the "Other" virtual IP type. Have a look here to see what suits you best: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

For security reasons I almost never do 1:1 NAT.

P.S. We understand that the servers must have internal IP addresses, right? I.e., the addresses X.X.X.3, X.X.X.4 are used only on the firewall. (I am not talking now about the fact that the servers can nevertheless be reachable from inside via the external IP addresses.)

4
...
So it looks like charon is creating the packet and pfSense should fragment it before sending, but simply drop it to the floor without notice. Is there any setting to enable/disable fragments with IPv6?


there is a System Tunable net.inet.udp.maxdgram, default value 57344. It is much greater than 1712 ...
And in my case everything works under IPv4.

5
IPv6 / Re: Configure fixed IP with PPPoE and /56 assignment
« on: April 18, 2018, 06:25:14 am »
Quote
You can assign any static LAN address from your /56 (in fact, /64) range. It is the recommended way. Do not ask me why -

Why?   ;)

On IPv6, something called SLAAC is often used to provide addresses to devices.  This works only with a /64 prefix.  A /56 is normally divided into 256 /64s, each of which can be assigned to a network or VLAN.

https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_(SLAAC)

;) I thought that it was not recommended to have the server LAN interface addresses dynamically assigned. This is why I do not use SLAAC for them. Do I understand something wrong?

As far as I understand, this is about the pfSense LAN interface address. I would not use SLAAC to assign an IP address to it.

P.S.
2.  ...  Can I assign an additional address?

Yes: Firewall / Virtual IPs, add, Type: "IP Alias"

6
IPv6 / Re: Configure fixed IP with PPPoE and /56 assignment
« on: April 18, 2018, 05:39:13 am »
1.  Do I really care about the WAN address?  If OpenVPN can listen to V4 WAN and V6 LAN addresses, I don't really care, do I?  Is there any other reason I would care about WAN address?  If the answer is no, I don't need a static /127

E.g. I do care about the static WAN IP addresses because of having IPsec and CARP on them. The static IP address is referenced in my DNS server. For me it is simpler than having dynamic WAN addresses. And in case of CARP I need a bigger range than /127 and an assurance that the CARP address will not be dynamically assigned to one of my firewalls.

2.  If I can get by with a dynamic /127, I still don't get how to assign a static LAN address.  I hate the idea of hard coding it based on my knowledge of the Routing Prefix (extremely bad practice).  So I prefer to use the configuration to enter the Routing prefix and Prefix ID via Track Interface on the LAN interface but the Interface ID seems to be beyond my control.  Can I force it to a static value?  Is it static given a static MAC?  Can I assign an additional address?

You can assign any static LAN address from your /56 (in fact, /64) range. It is the recommended way. Do not ask me why - I do not understand it, especially when I think about changes of the external IPv6 addresses.
You can also use IP addresses from the unique local range fc00::/7 - this is the way I use. Then NPt must be configured: your local prefix must be mapped to a global one, e.g. fc00::/64 -> 1234:5678::/64
As far as I understand, you cannot use the Track Interface feature, because your routing prefixes for WAN and LAN are different. E.g. I cannot use it primarily because of the static WAN address and secondarily because of the different routing prefixes.

3.  If a static WAN is the choice, how do I assign the WAN interface given that my ISP will only give me a /64 if I want a static WAN.  Don't quite understand (again without hard coding) how to use a /64 to configure my WAN interface.

"Hard coding" only. Just assign any IPv6 address from the given /64 range (excluding the router address if you do not use PPPoE). The same as for IPv4 if you have a static WAN.

Regards
yarick123

7
Russian / Re: Bogon networks lists
« on: April 13, 2018, 09:43:55 am »
... And if I do it like on the screenshot, will these aliases work correctly? My pfSense could not chew through the IPv6 list. )

I did not quite understand why you need to do this by hand, if it should be loaded automatically from the same place (please correct me if I am wrong).

As for the problem mentioned, it has been discussed for some time in the English branch. In short, you need to increase the parameter "Firewall Maximum Table Entries" in System / Advanced / Firewall & NAT to 400000.

Here is the original:

The size of the IPv6 bogons table in the April update changed and pushed some systems over the edge.

The default has been changed to 400000 in 2.4.4

The timing of the bogons table monthly update and the release of 2.4.3 was simply coincidental.

8
IPsec / Re: Phase 1 IPv6 broken with IPSec remote access
« on: April 12, 2018, 08:08:18 am »
For me, phase 1 could not be completed on an IPv6 single-stack VPN on pfSense 2.4.2-p1 if the host was behind another firewall:

https://forum.pfsense.org/index.php?topic=145581.0

9
Russian / Re: Setting up static IPv6
« on: April 12, 2018, 07:56:12 am »
Congratulations!  :)

10
Russian / Re: Setting up static IPv6
« on: April 10, 2018, 01:16:51 pm »
... adverse routes (as I understand it, IPv6 has a specification for route exchange),..

Could you give me a link to some resource? I have not come across anything like that, unless it is about protocols for routers, e.g. RIPv6. I would like to educate myself.

... you can use Firewall/Virtual IP/Proxy ARP on the external interface

That is exactly what I meant by "at the cost of a significant, unjustified complication of the configuration."

11
Russian / Re: Setting up static IPv6
« on: April 07, 2018, 06:00:42 pm »
... Apparently I really will have to ask my ISP for help.

If this is about the routing configuration, it is not exactly help. It is a service which, as I understand it, the ISP is obliged to provide to clients with the corresponding contracts.

12
Russian / Re: Setting up static IPv6
« on: April 07, 2018, 12:33:14 pm »
It looks like you have just one /60 network, routed by the provider's router 2001:db8:1234:10::1. It cannot be honestly propagated behind pfSense. (As far as I understand, this can be done for specific IP addresses, at the cost of a significant, unjustified complication of the configuration.)

You must have at least one IP address routed by the provider's router, which will be the WAN address of pfSense, and at least one network which, at the provider level (router configuration), will be routed through your WAN address, i.e. pfSense. That network will be the internal network. It makes sense to divide it into several internal /64 subnets.

A request for such a configuration should be sent to the provider.

For example, you can tell the provider that you want to split the network 2001:db8:1234:10::/60 allocated to you into two networks: 2001:db8:1234:10::/61 and 2001:db8:1234:18::/61. The second network, which will be your internal network, must be routed through the pfSense WAN address, 2001:db8:1234:10::2/61.
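The prefix arithmetic behind the two replies above (splitting a provider-routed /60 into a WAN-side half and an internal half carved into /64s, and the NPt mapping fc00::/64 -> 1234:5678::/64 from the earlier IPv6 reply) can be checked with the standard library before sending the request to the ISP. The script below is an added example, not code from the poster or from pfSense; it uses only the addresses quoted in the posts, and its NPt function is a plain prefix rewrite (assumption: the checksum-neutral adjustment of RFC 6296 is left out, since only the mapping is being illustrated).

```python
import ipaddress

# Values from the thread: the /60 routed to the customer by the provider's router
# and the pfSense WAN address proposed in the post (2001:db8::/32 is the documentation prefix).
DELEGATED_PREFIX = "2001:db8:1234:10::/60"
PFSENSE_WAN = "2001:db8:1234:10::2/61"


def split_prefix(prefix, new_prefixlen):
    """Split a prefix into all equal-sized subnets of new_prefixlen (as strings)."""
    net = ipaddress.IPv6Network(prefix)
    if new_prefixlen < net.prefixlen:
        raise ValueError(f"/{new_prefixlen} is larger than the delegation {net}")
    return [str(s) for s in net.subnets(new_prefix=new_prefixlen)]


def wan_and_internal(prefix):
    """Halve the delegation: the first half stays on the provider link (WAN side),
    the second half is routed via the pfSense WAN address as the internal network."""
    net = ipaddress.IPv6Network(prefix)
    wan_net, internal_net = split_prefix(prefix, net.prefixlen + 1)
    return wan_net, internal_net


def plan_lans(internal_prefix):
    """One /64 per LAN or VLAN; /64 is the size SLAAC requires."""
    return split_prefix(internal_prefix, 64)


def wan_address_ok(wan_if, wan_net):
    """The WAN interface address must lie in the half that stays on the provider link,
    with the same mask, or pfSense and the provider router disagree on what is on-link."""
    iface = ipaddress.IPv6Interface(wan_if)
    return iface.network == ipaddress.IPv6Network(wan_net)


def npt_translate(addr, internal_prefix, external_prefix):
    """NPt-style rewrite: swap the network part, keep the host bits.
    Assumption: plain prefix rewrite only, the RFC 6296 checksum-neutral
    adjustment is not modelled here."""
    ip = ipaddress.IPv6Address(addr)
    inner = ipaddress.IPv6Network(internal_prefix)
    outer = ipaddress.IPv6Network(external_prefix)
    if inner.prefixlen != outer.prefixlen:
        raise ValueError("NPt needs prefixes of equal length")
    if ip not in inner:
        raise ValueError(f"{ip} is not inside {inner}")
    host_bits = int(ip) & int(inner.hostmask)
    return str(ipaddress.IPv6Address(int(outer.network_address) | host_bits))


if __name__ == "__main__":
    wan_net, internal_net = wan_and_internal(DELEGATED_PREFIX)
    print("WAN side:", wan_net, " internal:", internal_net)
    print("WAN address valid:", wan_address_ok(PFSENSE_WAN, wan_net))
    for lan in plan_lans(internal_net):
        print("  LAN candidate:", lan)
    print("NPt:", npt_translate("fc00::1", "fc00::/64", "1234:5678::/64"))
```

The `wan_address_ok` check is the one worth keeping around: a WAN address taken from the wrong half of the delegation makes pfSense treat the internal prefix as on-link, and the provider router will never route it back through pfSense.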

13
My mistake. I did not notice that this is about Squid. The general rules remain in force, though.

14
Most likely you installed the CA certificate into the wrong store.

For it to work with Chrome and IE, the CA certificate, as far as I know, must be installed into the "Local Machine" store. Have a look here https://thomas-leister.de/en/how-to-import-ca-root-certificate/#windows or here https://www.bounca.org/tutorials/install_root_certificate.html. Admittedly, I use this for VPN. Perhaps for browsers "Current User" is sufficient.

FF by default used its own store. This setting could be changed. The links above also have information about FF.

P.S. The site certificate must also be generated correctly. If the URL does not match what is specified in the site certificate, there will be problems.

15
Hello,

I have configured an IPsec IKEv2 road warrior VPN over IPv6 on a pfSense 2.4.2-RELEASE-p1 box. I have tested it on a host which was directly in an Internet segment. Everything was OK.

On a host behind an(other) firewall, the connection process started successfully, but then no IKE_AUTH request seemed to be received by the host. Starting from this point, pfSense got "retransmit of request with ID 1" answers, and after some time initiated a timeout error.

I played with different values of MSS: 1000, 1340. It did not help. The first host could establish an IPsec connection, the second could not.

On another pfSense box (2.3.5-RELEASE-p1) I have IPsec (IKEv2) over IPv4. Both hosts can establish a connection to the VPN.

Could you please suggest what could be done to fix the problem?

Best regards
yarick123

P.S. Here are pfSense logs for the second host:
Code:
Mar 22 16:08:03 charon          13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] to 2003:c8:4011:8000::2[500] (616 bytes)
Mar 22 16:08:03 charon          13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 22 16:08:03 charon          13[IKE] <10> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 22 16:08:03 charon          13[IKE] <10> received MS-Negotiation Discovery Capable vendor ID
Mar 22 16:08:03 charon          13[IKE] <10> received Vid-Initial-Contact vendor ID
Mar 22 16:08:03 charon          13[ENC] <10> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 22 16:08:03 charon          13[IKE] <10> 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 is initiating an IKE_SA
Mar 22 16:08:03 charon          13[IKE] <10> sending cert request for "yyyyy"
Mar 22 16:08:03 charon          13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 22 16:08:03 charon          13[NET] <10> sending packet: from 2003:c8:4011:8000::2[500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] (337 bytes)
Mar 22 16:08:03 charon          13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:03 charon          13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:03 charon          13[IKE] <10> received cert request for "yyyyy"
Mar 22 16:08:03 charon          13[IKE] <10> received 53 cert requests for an unknown ca
Mar 22 16:08:03 charon          13[CFG] <10> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2a02:810c:c1bf:f788:71:4cb0:eb92:af04[2a02:810c:c1bf:f788:71:4cb0:eb92:af04]
Mar 22 16:08:03 charon          13[CFG] <con1|10> selected peer config 'con1'
Mar 22 16:08:03 charon          13[IKE] <con1|10> initiating EAP_IDENTITY method (id 0x00)
Mar 22 16:08:03 charon          13[IKE] <con1|10> peer supports MOBIKE
Mar 22 16:08:03 charon          13[IKE] <con1|10> authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
Mar 22 16:08:03 charon          13[IKE] <con1|10> sending end entity cert "xxxx"
Mar 22 16:08:03 charon          13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:08:03 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:04 charon          13[NET] <con1|10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:04 charon          13[ENC] <con1|10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:04 charon          13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:04 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:05 charon          13[NET] <con1|10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:05 charon          13[ENC] <con1|10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:05 charon          13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:05 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:33 charon          11[JOB] <con1|10> deleting half open IKE_SA with 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 after timeout

Here are pfSense logs for the first host, which establishes the VPN connection without problems:
Code:
Mar 22 16:58:44 charon          07[NET] <11> received packet: from 2003:c8:4011:8000::56[500] to 2003:c8:4011:8000::2[500] (616 bytes)
Mar 22 16:58:44 charon          07[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 22 16:58:44 charon          07[IKE] <11> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 22 16:58:44 charon          07[IKE] <11> received MS-Negotiation Discovery Capable vendor ID
Mar 22 16:58:44 charon          07[IKE] <11> received Vid-Initial-Contact vendor ID
Mar 22 16:58:44 charon          07[ENC] <11> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 22 16:58:44 charon          07[IKE] <11> 2003:c8:4011:8000::56 is initiating an IKE_SA
Mar 22 16:58:44 charon          07[IKE] <11> sending cert request for "yyyyy"
Mar 22 16:58:44 charon          07[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 22 16:58:44 charon          07[NET] <11> sending packet: from 2003:c8:4011:8000::2[500] to 2003:c8:4011:8000::56[500] (337 bytes)
Mar 22 16:58:44 charon          07[NET] <11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (1056 bytes)
Mar 22 16:58:44 charon          07[ENC] <11> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:58:44 charon          07[IKE] <11> received cert request for "yyyyy"
Mar 22 16:58:44 charon          07[IKE] <11> received 33 cert requests for an unknown ca
Mar 22 16:58:44 charon          07[CFG] <11> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
Mar 22 16:58:44 charon          07[CFG] <con1|11> selected peer config 'con1'
Mar 22 16:58:44 charon          07[IKE] <con1|11> initiating EAP_IDENTITY method (id 0x00)
Mar 22 16:58:44 charon          07[IKE] <con1|11> peer supports MOBIKE
Mar 22 16:58:44 charon          07[IKE] <con1|11> authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
Mar 22 16:58:44 charon          07[IKE] <con1|11> sending end entity cert "xxxxx"
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (1712 bytes)
Mar 22 16:58:44 charon          07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (96 bytes)
Mar 22 16:58:44 charon          07[ENC] <con1|11> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 22 16:58:44 charon          07[IKE] <con1|11> received EAP identity 'testuser'
Mar 22 16:58:44 charon          07[IKE] <con1|11> initiating EAP_MSCHAPV2 method (id 0x8A)
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (112 bytes)
Mar 22 16:58:44 charon          07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (144 bytes)
Mar 22 16:58:44 charon          07[ENC] <con1|11> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (144 bytes)
Mar 22 16:58:44 charon          07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (80 bytes)
Mar 22 16:58:44 charon          07[ENC] <con1|11> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[IKE] <con1|11> EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (80 bytes)
Mar 22 16:58:44 charon          14[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (112 bytes)
Mar 22 16:58:44 charon          14[ENC] <con1|11> parsed IKE_AUTH request 5 [ AUTH ]
Mar 22 16:58:44 charon          14[IKE] <con1|11> authentication of '2003:c8:4011:8000::56' with EAP successful
Mar 22 16:58:44 charon          14[IKE] <con1|11> authentication of '2003:c8:4011:8000::2' (myself) with EAP
Mar 22 16:58:44 charon          14[IKE] <con1|11> IKE_SA con1[11] established between 2003:c8:4011:8000::2[2003:c8:4011:8000::2]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
Mar 22 16:58:44 charon          14[IKE] <con1|11> scheduling reauthentication in 35221s
Mar 22 16:58:44 charon          14[IKE] <con1|11> maximum IKE_SA lifetime 35761s
Mar 22 16:58:44 charon          14[IKE] <con1|11> peer requested virtual IP %any
Mar 22 16:58:44 charon          14[IKE] <con1|11> no virtual IP found for %any requested by 'testuser'
Mar 22 16:58:44 charon          14[IKE] <con1|11> peer requested virtual IP fddf:c8:4011:11::1
Mar 22 16:58:44 charon          14[CFG] <con1|11> reassigning offline lease to 'testuser'
Mar 22 16:58:44 charon          14[IKE] <con1|11> assigning virtual IP fddf:c8:4011:11::1 to peer 'testuser'
Mar 22 16:58:44 charon          14[IKE] <con1|11> CHILD_SA con1{2} established with SPIs ca6b2145_i e8c59f9c_o and TS ::/0|/0 === fddf:c8:4011:11::1/128|/0
Mar 22 16:58:44 charon          14[ENC] <con1|11> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR6 DNS6 U_DEFDOM U_SPLITDNS U_BANNER U_SAVEPWD) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Mar 22 16:58:44 charon          14[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (480 bytes)

P.P.S. For IPv4 the IKE_AUTH response 1 is even longer than 1712 bytes, but everything is OK:
Code:
Mar 22 16:12:22 charon          05[NET] <con4|3697> sending packet: from xxx.yyy.zzz.uuu[4500] to 77.21.251.9[31236] (1824 bytes)
Mar 22 16:12:22 charon          05[NET] <con4|3697> received packet: from 77.21.251.9[31236] to xxx.yyy.zzz.uuu[4500] (96 bytes)
Mar 22 16:12:22 charon          05[ENC] <con4|3697> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 22 16:12:22 charon          05[IKE] <con4|3697> received EAP identity 'testuser'
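The pattern in the two IPv6 logs above (and in the earlier reply about net.inet.udp.maxdgram, which shows the 1712-byte response is nowhere near the socket limit) is the same one a defender wants to spot quickly in an IPsec log: the peer keeps re-sending IKE_AUTH request 1, charon keeps re-sending a 1712-byte response, nothing comes back, and the half-open SA is dropped. A UDP datagram of that size exceeds the 1280-byte IPv6 minimum link MTU (RFC 8200), so it must travel fragmented, and any hop or firewall that drops IPv6 fragments produces exactly this loop. The script below is an added example, not the poster's code or anything shipped with pfSense or strongSwan; it assumes only the charon line format visible in the post, and the sample log is a trimmed copy of those lines. The 1280-byte threshold and the "two or more retransmits" rule are heuristics chosen for this example.

```python
import re
from collections import defaultdict

# RFC 8200: every IPv6 link must carry 1280-byte packets; a larger UDP datagram is
# fragmented by the sender, and dropped fragments leave the peer waiting for a reply.
IPV6_MIN_MTU = 1280

# Constructed sample: a trimmed copy of the charon lines quoted in the post above
# (SA 10 is the host behind another firewall, SA 11 the host on the same segment).
SAMPLE_LOG = """\
Mar 22 16:08:03 charon          13[NET] <10> sending packet: from 2003:c8:4011:8000::2[500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] (337 bytes)
Mar 22 16:08:03 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:04 charon          13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:04 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:05 charon          13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:05 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:33 charon          11[JOB] <con1|10> deleting half open IKE_SA with 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 after timeout
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (1712 bytes)
Mar 22 16:58:44 charon          14[IKE] <con1|11> IKE_SA con1[11] established between 2003:c8:4011:8000::2[2003:c8:4011:8000::2]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
"""

# charon tags every line with "<sa>" before a config is chosen and "<conn|sa>" afterwards
_SA = r"<(?:\w+\|)?(?P<sa>\d+)>"
SEND_RE = re.compile(_SA + r" sending packet: from (?P<src>\S+)\[\d+\] to (?P<dst>\S+)\[\d+\] \((?P<size>\d+) bytes\)")
RETRANS_RE = re.compile(_SA + r" received retransmit of request with ID (?P<msgid>\d+)")
TIMEOUT_RE = re.compile(_SA + r" deleting half open IKE_SA with \S+ after timeout")
ESTAB_RE = re.compile(_SA + r" IKE_SA \S+ established between")


def _new_record():
    return {"peer": None, "max_sent_bytes": 0, "retransmits": 0,
            "retransmitted_ids": set(), "timed_out": False, "established": False}


def analyze_charon_log(text):
    """Summarise every IKE_SA seen in charon output, keyed by SA number (as a string)."""
    sas = defaultdict(_new_record)
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            rec = sas[m["sa"]]
            rec["peer"] = m["dst"]
            rec["max_sent_bytes"] = max(rec["max_sent_bytes"], int(m["size"]))
        elif m := RETRANS_RE.search(line):
            rec = sas[m["sa"]]
            rec["retransmits"] += 1
            rec["retransmitted_ids"].add(int(m["msgid"]))
        elif m := TIMEOUT_RE.search(line):
            sas[m["sa"]]["timed_out"] = True
        elif m := ESTAB_RE.search(line):
            sas[m["sa"]]["established"] = True
    return dict(sas)


def suspect_fragmentation(text, min_retransmits=2):
    """Flag IPv6 SAs where the peer keeps re-sending the same request while our
    response, larger than the IPv6 minimum MTU, goes unanswered: the signature of
    fragment loss on the path (heuristic thresholds, see the lead-in)."""
    flagged = []
    for sa, rec in analyze_charon_log(text).items():
        is_v6 = rec["peer"] is not None and ":" in rec["peer"]
        if (is_v6 and not rec["established"]
                and rec["retransmits"] >= min_retransmits
                and rec["max_sent_bytes"] > IPV6_MIN_MTU):
            flagged.append({
                "sa": sa,
                "peer": rec["peer"],
                "response_bytes": rec["max_sent_bytes"],
                "timed_out": rec["timed_out"],
                "reason": (f"{rec['retransmits']} retransmits of request ID(s) "
                           f"{sorted(rec['retransmitted_ids'])}; response of "
                           f"{rec['max_sent_bytes']} bytes exceeds the "
                           f"{IPV6_MIN_MTU}-byte IPv6 minimum MTU"),
            })
    return flagged


if __name__ == "__main__":
    for f in suspect_fragmentation(SAMPLE_LOG):
        print(f"SA {f['sa']} -> {f['peer']}: {f['reason']} (timed out: {f['timed_out']})")
```

Run it over the IPsec log of the box instead of the embedded sample; an SA that is flagged here while a peer on the same segment (like SA 11) completes with the same 1712-byte response points at the path rather than at the configuration, which is the distinction the post is trying to make.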
