

Messages - Xentrk

1
I went back and looked at the VPN provider's specs (changed recently for OpenVPN 2.4).  I changed the port on each client configuration and the encryption assigned to that port number.  From the specs table, this should ensure that each client gets a virtual IP address that is on a different subnet.   Snip below

Port  Protocol  Subnet     DNS        Data Encryption                                                       Data Authentication (for signing packets)  TLS Handshake  Diffie-Hellman (session key)
443   UDP       10.9.x.x   10.9.0.1   cipher BF-CBC* / cipher AES-128-GCM:AES-256-GCM:AES-256-CBC**         HMAC-SHA1                                  2048 bit RSA   2048 bit
443   TCP       10.8.x.x   10.8.0.1   cipher BF-CBC* / cipher AES-128-GCM:AES-256-GCM:AES-256-CBC**         HMAC-SHA1                                  2048 bit RSA   2048 bit
80    UDP       10.22.x.x  10.22.0.1  cipher AES-128-CBC* / cipher AES-128-GCM:AES-256-GCM:AES-256-CBC:BF-CBC**

2
I have two OpenVPN clients set up, and firewall rules set to divert connections from specific clients down specific VPNs, but all clients with a rule end up being diverted down just one of the VPNs.

I think this is because both my VPNs have the same Virtual Address, when I look in Status > OpenVPN, they both have the virtual address 10.8.0.2.

I'm assuming this isn't normal - how can I get them to have different addresses?

I've tried specifying a different "IPv4 Tunnel Network" in the settings for the client, but this setting was ignored and it still used 10.8.0.2 anyway.

If I just connect one VPN at a time, that one works fine.

I'm running 2.3.3-RELEASE-p1 (amd64) on a PC Engines apu2.

I am having the same issue.

I have two OpenVPN clients configured with firewall rules set to route connections from specific clients and domain names thru specific VPN clients.

I recently added a third OpenVPN client and created firewall rules to route certain traffic to this tunnel. 

It works most of the time. 

Sometimes though, the second and third OpenVPN clients have the same Virtual Address.  This causes my selective routing firewall rules to not work.  To fix, I have to bounce either the second or third OpenVPN client until it gets a unique Virtual IP Address, e.g. 10.8.0.1.  My provider is TorGuard.  I don't have this issue on my ASUS router running Asuswrt-Merlin.  So, does this point to pfSense rather than the VPN provider? :-\

How can two OpenVPN clients get the same Virtual Address?  How to prevent?

If I just have two OpenVPN clients running at a time, everything works fine. Adding the third OpenVPN client causes the issue.  ???

I can't seem to find an option in the OpenVPN 2.4 manual to help with this issue.
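
The symptom in the post above (two ovpnc interfaces reporting the same Virtual Address) is easy to miss in Status > OpenVPN when three or more clients are up. The following is an added example, not code from the poster or from pfSense: it parses `ifconfig`-style output for the OpenVPN client interfaces and reports any IPv4 tunnel address shared by more than one of them. The sample output is constructed to match the shape of FreeBSD `ifconfig` on pfSense (interface names `ovpncN`, an `inet A --> B netmask ...` line); the addresses are illustrative, not captured from the poster's box.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of FreeBSD/pfSense `ifconfig` output for
# OpenVPN client interfaces. ovpnc1 and ovpnc2 deliberately share an address.
SAMPLE_IFCONFIG = """\
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\toptions=80000<LINKSTATE>
\tinet6 fe80::1%ovpnc1 prefixlen 64 scopeid 0x8
\tinet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff
\tgroups: tun openvpn
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff
\tgroups: tun openvpn
ovpnc3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.9.0.6 --> 10.9.0.5 netmask 0xffffffff
\tgroups: tun openvpn
"""

# An interface block starts at column 0 with "ovpncN:"; its address lines are
# indented. Only IPv4 "inet" lines are considered here.
IFACE_RE = re.compile(r"^(ovpnc\d+):")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)")


def tunnel_addresses(ifconfig_text):
    """Map each ovpncN interface name to its IPv4 tunnel address."""
    addrs = {}
    current = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue  # lines belonging to a non-OpenVPN interface
        m = INET_RE.match(line)
        if m:
            addrs[current] = m.group(1)
    return addrs


def duplicate_tunnel_addresses(addrs):
    """Return {address: [interfaces]} for every address used by more than one client."""
    by_addr = defaultdict(list)
    for iface, ip in sorted(addrs.items()):
        by_addr[ip].append(iface)
    return {ip: ifaces for ip, ifaces in by_addr.items() if len(ifaces) > 1}


if __name__ == "__main__":
    # On a real box: import subprocess and feed in subprocess.check_output(["ifconfig"]).decode()
    found = duplicate_tunnel_addresses(tunnel_addresses(SAMPLE_IFCONFIG))
    for ip, ifaces in found.items():
        print(f"WARNING: {ip} is assigned to {', '.join(ifaces)}")
```

Run periodically (cron on the firewall, or over SSH from a monitoring host) and alert on a non-empty result; that catches the collision before a policy-routing rule silently sends traffic down the wrong tunnel.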

3
pfBlockerNG / Re: DNSBL - Certificate error when accessing github.com
« on: November 07, 2017, 10:07:30 pm »
github.com is working again!  ???

I did not do anything since I posted.  Perhaps the firewall needed more time to process the whitelist entry?  I saw another post of a similar issue someone reported after the 2.4.1 update with no resolution. So, I thought there was something else going on.  I will monitor to make sure it sticks.

Here is the reply I was getting on my Windows laptop when it was not working:
Code:
ping github.com

Pinging github.com [10.10.10.1] with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time=59ms TTL=64
Reply from 10.10.10.1: bytes=32 time=1ms TTL=64
Reply from 10.10.10.1: bytes=32 time=1ms TTL=64
Reply from 10.10.10.1: bytes=32 time=1ms TTL=64

Ping statistics for 10.10.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 59ms, Average = 15ms

I now get a valid ping.
Code:
ping github.com

Pinging github.com [192.30.255.112] with 32 bytes of data:
Reply from 192.30.255.112: bytes=32 time=678ms TTL=53
Reply from 192.30.255.112: bytes=32 time=289ms TTL=53
Reply from 192.30.255.112: bytes=32 time=326ms TTL=53
Reply from 192.30.255.112: bytes=32 time=264ms TTL=53

Ping statistics for 192.30.255.112:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 264ms, Maximum = 678ms, Average = 389ms

Code:
[2.4.1-RELEASE][admin@pfSense.mydomain.com]/root: grep "github.com" /var/unbound/pfb_dnsbl.conf
[2.4.1-RELEASE][admin@pfSense.mydomain.com]/root: host -t A github.com
github.com has address 192.30.255.112
github.com has address 192.30.255.113


4
pfBlockerNG / DNSBL - Certificate error when accessing github.com
« on: November 07, 2017, 09:20:28 pm »
I think this started with the 2.4.1 upgrade.

github.com is being blocked by one of the blocklists.  So I whitelisted the domain github.com by clicking on the plus sign to add the entry to the Custom Domain Whitelist in DNSBL. I bounced Unbound and cleared Firefox browser cache. 

I now get this error when trying to access github.com.

Code:
An error occurred during a connection to github.com. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

If I disable DNSBL, I can access github.com with no issues.


5
2.4 Development Snapshots / Re: New 502 Bad Gateway
« on: October 22, 2017, 02:24:17 am »
I successfully applied the 2.1.2 pfBlockerNG update.  I did a reboot when the update completed.  I am able to access the web GUI and SSH with no issues. I'll report back later today to make sure I can still access the web gui and SSH after it has been running for awhile.
It has been several days since I applied the pfBlockerNG 2.1.2 update. Everything is running normal. The upgrade fixed my 502 Bad Gateway and SSH logon issues.

6
2.4 Development Snapshots / Re: New 502 Bad Gateway
« on: October 19, 2017, 06:54:11 pm »
I successfully applied the 2.1.2 pfBlockerNG update.  I did a reboot when the update completed.  I am able to access the web GUI and SSH with no issues. I'll report back later today to make sure I can still access the web gui and SSH after it has been running for awhile.   

7
2.4 Development Snapshots / Re: New 502 Bad Gateway
« on: October 17, 2017, 07:19:53 pm »
I also get the 502 Bad Gateway error when trying to access the pfSense Web GUI. I can log on to an SSH session, but it hangs after entering my password. I noticed it about 24 hours after upgrading to 2.4.  I use pfBlockerNG. Thanks for the information in this thread. I will continue to monitor for updates to the issue.

8
The above solution was a false positive. It did not work.  I ended up removing the Host Overrides in DNS Resolver to get it working. However, ads are now appearing.  Well, I am paying for the lower tier with ads, so I can live with it. Enjoying it ad free was nice while it lasted though.

9
General Questions / Re: SG-2440 Constant Reboot Issue
« on: September 11, 2017, 09:31:56 pm »
Thank you bro, pfSense 2.3.2 same issue, solved, thank you very much!

Boot into safe mode
  Power cycle the pfSense box while you have your USB connected and PuTTY open
  When you see the pfSense boot screen press 2 at the prompt
  Hit enter at the shell prompt

Run FSCK
   /sbin/fsck -p

Then ran
  /sbin/fsck -y

Reboot
  /sbin/reboot

If you still have a pfSense boot loop, then you may have a bad hard disk or controller.
Thank you for posting this. Saved my ass!

10
Your host override isn't quite right.  Make it look like the attached image.  Keep the domains in your whitelist.  I kept the whitelist for both domains.  I'm not sure if DNSBL or the host override is processed first, but it seems to work this way.

reisender,

Is CBS All Access still working for you?  It stopped working for me last night.  When I select a video to watch, I get a little spinning symbol for a few seconds followed by a black screen.  I can watch live TV okay.  It is just the on demand videos that are the issue.  It works okay on my ASUS router using the AB-Solution.info ad blocker, but I do see ads. Maybe it is time to pay the extra $$ for the ad free version.

I have it working again. I was unable to determine the domain or hosts file causing the issues. I did some testing with hosts files on my ASUS router using AB-Solution. I had issues when I went to higher levels of hosts files. I found the right combination that made it work on the ASUS. I replicated that on the pfSense. I started with this list:
Code:
http://someonewhocares.org/hosts/hosts
http://sysctl.org/cameleon/hosts
http://winhelp2002.mvps.org/hosts.txt
http://www.malekal.com/HOSTS_filtre/HOSTS.txt
http://www.malwaredomainlist.com/hostslist/hosts.txt
https://zeustracker.abuse.ch/blocklist.php?download=hostfile
http://www.hostsfile.org/Downloads/hosts.txt
http://www.securemecca.com/Downloads/hosts.txt
http://hosts-file.net/exp.txt
http://hosts-file.net/ad_servers.txt
http://hosts-file.net/emd.txt
http://hosts-file.net/hjk.txt
http://hosts-file.net/fsa.txt
http://hosts-file.net/grm.txt
http://hosts-file.net/psh.txt
http://hosts-file.net/mmt.txt
http://hosts-file.net/hfs.txt
http://hosts-file.net/pha.txt
http://hosts-file.net/wrz.txt
http://raw.githubusercontent.com/michaeltrimm/hosts-blocking/master/_hosts.txt

And narrowed it down to this list
Code:
https://adaway.org/hosts.txt
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext&useip=0.0.0.0
http://someonewhocares.org/hosts/zero/hosts
http://winhelp2002.mvps.org/hosts.txt
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://hosts-file.net/ad_servers.txt
http://hosts-file.net/emd.txt
http://hosts-file.net/grm.txt
http://hosts-file.net/mmt.txt
Perhaps one of these days I will add some of the hosts files back in one by one until I determine which one caused me the grief.

11
Your host override isn't quite right.  Make it look like the attached image.  Keep the domains in your whitelist.  I kept the whitelist for both domains.  I'm not sure if DNSBL or the host override is processed first, but it seems to work this way.

reisender,

Is CBS All Access still working for you?  It stopped working for me last night.  When I select a video to watch, I get a little spinning symbol for a few seconds followed by a black screen.  I can watch live TV okay.  It is just the on demand videos that are the issue.  It works okay on my ASUS router using the AB-Solution.info ad blocker, but I do see ads. Maybe it is time to pay the extra $$ for the ad free version.

12
Thanks for the reply Bill. You confirmed the path I need to take. After my post, I did more research and realized it will take time to tune and learn more about Suricata. Thank you for the tip on the forum posting "Taming the Beast".  I will definitely visit that post. I gave Google a workout with my searches on Suricata but never did come across that thread.

The reason I did not get impacted until now is that I had Suricata turned on on the WAN interface, yet all of my browsing was done on the VPN interface. My problems only started when testing web browsing over the native WAN interface. That is when the rules started impacting me.  I have some users in the family that want native WAN while the rest of us want VPN to the USA 100 percent of the time. I am trying to reduce my router footprint and go 100 percent pfSense.  I think I have things stable now that Suricata is turned off.  I noticed my disk space started growing.  For next steps, I plan to do some more reading on the pfSense forum and other resources to learn all I can about Suricata before I start testing it again. Thanks again for the advice and help!

13
I started having some other issues with traffic blocking for ipv4 traffic later on. I restored pfSense to an earlier version that did not give me any issues. I then uninstalled snort and put suricata in monitor mode only, then rebooted. Things appear to be going okay now and I am no longer seeing any blocks to valid websites. Keeping my fingers crossed.

14
Firewalling / Re: Firewall blocking some websites
« on: August 17, 2017, 01:18:35 am »
Thank you for the reply. I restored my config to an earlier version that did not have this issue. I then uninstalled Snort and reconfigured Suricata for no blocking. Then I did a reboot. I let things settle for a while.  I have not seen the issues appear since then. I will keep hitting the pfSense box to see if I can replicate the issue.  I will post the log file as you suggest if it starts happening again.

15
Firewalling / Firewall blocking some websites
« on: August 16, 2017, 03:21:47 am »
For the past year, I routed all of my traffic to the VPN tunnel and everything went well. I now need to route some clients through the WAN interface. I have created policy rules and at first, everything worked okay.  I started experiencing issues with HTTP traffic being blocked for the clients that went through the WAN interface.  Most of the sites were news and speed test sites.  I posted the issue here.

https://forum.pfsense.org/index.php?topic=135175.0

I thought I had the issue resolved earlier today by removing Snort and unchecking some of the Suricata rules.  But now a new issue is appearing.  I started getting blocked on cnn.com.  The other news and speed test sites are okay so far.  So, I removed Suricata altogether to eliminate that as the potential issue.  When I look at the logs and click on the X, I see the message:

The rule that triggered this action is:

@9(1000000103) block drop in log inet all label "Default deny rule IPv4"

Attached are sample entries.

When I do an nslookup, I see the IPv4 address did not get returned:

nslookup cnn.com
Server:  pfSense.mydomain.com
Address:  192.168.4.1

Name:    cnn.com
Addresses:  2a04:4e42:600::323
          2a04:4e42::323
          2a04:4e42:400::323
          2a04:4e42:200::323


A few minutes later, I try again, and they appear:

nslookup cnn.com
Server:  pfSense.mydomain.com
Address:  192.168.4.1

Non-authoritative answer:
Name:    cnn.com
Addresses:  2a04:4e42:600::323
          2a04:4e42::323
          2a04:4e42:400::323
          2a04:4e42:200::323
          151.101.129.67
          151.101.1.67
          151.101.65.67
          151.101.193.67

I did not do anything that I am aware of to get the IPv4 address working again.

I also run pfBlockerNG on the WAN and two VPN Client interfaces.  Any ideas are welcome.  Thank you!

Update
After posting this, I left for two hours and returned home. I wanted to go to the pfSense doc web site to read more about the firewall and what could be causing my grief. The page doc.pfsense.org could not be loaded. Good grief!  Notice how the IPv4 address for the site is not listed when performing an nslookup.

nslookup doc.pfsense.org
Server:  pfSense.mydomain.com
Address:  192.168.4.1

Name:    doc.pfsense.org
Address:  2610:160:11:11::68
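
The nslookup transcripts in this post all show the same symptom: the resolver returns AAAA records for the name but no A record, and a moment later the A records are back. The following is an added example, not code from the poster: it parses the Windows nslookup output format shown above and flags a name whose answer set is IPv6-only, so the condition can be spotted in a loop rather than by eye. The transcript embedded in the code is constructed to match the format on this page (the first Address line belongs to the resolver, everything after Name: is the answer); it is not a new capture.

```python
import ipaddress

# Constructed transcript in the shape of the Windows nslookup output above.
SAMPLE_NSLOOKUP = """\
Server:  pfSense.mydomain.com
Address:  192.168.4.1

Name:    cnn.com
Addresses:  2a04:4e42:600::323
          2a04:4e42::323
          2a04:4e42:400::323
          2a04:4e42:200::323
"""


def parse_nslookup(text):
    """Return (server_ip, queried_name, [answer addresses]) from Windows nslookup output.

    The Server:/Address: pair before Name: describes the resolver, not the
    answer, so it is kept separate. "Addresses:" continuation lines carry a
    bare address each; anything else in the answer section is ignored.
    """
    server = name = None
    answers = []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Server:"):
            continue
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            in_answer = True
            continue
        if line.startswith(("Address:", "Addresses:")):
            value = line.split(":", 1)[1].strip()
            if in_answer:
                answers.append(value)
            else:
                server = value
            continue
        if in_answer:
            try:
                ipaddress.ip_address(line)
                answers.append(line)
            except ValueError:
                pass  # e.g. a "Non-authoritative answer:" line in an odd position
    return server, name, answers


def ipv4_missing(answers):
    """True when the answer set has AAAA records but no A record at all."""
    versions = {ipaddress.ip_address(a).version for a in answers}
    return 6 in versions and 4 not in versions


if __name__ == "__main__":
    # On Windows: subprocess.run(["nslookup", name], capture_output=True, text=True).stdout
    server, name, answers = parse_nslookup(SAMPLE_NSLOOKUP)
    print(f"resolver {server} answered for {name}: {answers}")
    if ipv4_missing(answers):
        print(f"WARNING: {name} resolved to IPv6 only; IPv4-only clients will hit the IPv4 default deny")
```

Polling a handful of known dual-stack names this way (and logging the time of each IPv6-only answer) gives something concrete to line up against the firewall log entries for the "Default deny rule IPv4" hits.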

