The pfSense Store

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - Presbuteros

Pages: [1] 2 3 4 5
1
Cache/Proxy / Re: Unofficial E2guardian package for pfSense
« on: December 10, 2017, 03:29:27 am »
On a fresh install:
When I navigate to ACLs>Site Lists and click edit on the default list the Save button is partially blocked by the lower banner.
Thank you for your work on this package.

2
Installation and Upgrades / Re: PFsense real implementation
« on: November 29, 2017, 02:09:21 am »
You may consider loading onto just one machine for testing and expand from there.

https://forum.pfsense.org/index.php?topic=61018.0

That is a helpful tutorial to get you started on setting up Snort on pfSense.

3
pfBlockerNG / Re: firehol level 1 list blocking LAN resources
« on: November 29, 2017, 02:06:25 am »
Yes, thanks to all who are contributing here.

With the larger list, is there a substantially increased potential for false-positives?
Will this larger list slow down the pfSense box?
Ari

I loaded the list from seanr22a. I took a while to download and compile. It did not "appear" to slow down the pfSense box. My mobo is a Gigabyte GA-J1900N-D3V so a Celeron quad-core 2Ghz and 8 GB of RAM. What I did notice was a lot of issues loading news sites like cnn, foznews, drudgereport, etc. Videos were stalling out and certain essential elements of the page would not load. However, I would like to hear from others on their use of the list and if they had any obvious issues. I simply disabled the list until I have more time to test later.

4
pfBlockerNG / Re: firehol level 1 list blocking LAN resources
« on: November 20, 2017, 03:24:27 am »
Tried again with updated URL

https://dnsbl.dyndns.org:9443/modules/mymod/MyBlocklist.txt

Code: [Select]
[ Comp ] Downloading update .
**Saving configuration [ 11/20/17 09:21:40 ] ...
 cURL Error: 51
SSL: no alternative certificate subject name matches target host name 'dnsbl.dyndns.org' Retry in 5 seconds...
. cURL Error: 51
SSL: no alternative certificate subject name matches target host name 'dnsbl.dyndns.org' Retry in 5 seconds...
. cURL Error: 51
SSL: no alternative certificate subject name matches target host name 'dnsbl.dyndns.org' Retry in 5 seconds...
.. unknown http status code

5
NAT / Re: Tunneling 2 VPN services via 2 routers
« on: November 20, 2017, 03:11:01 am »
I have confirmed that my pfSense router is connecting properly to VPN A.  I am unable to get the VPN B-enabled DD-WRT router to tunnel through the pfSense router. The connection delivers the requested web pages using VPN A's exit point, but does not persist to VPN B's exit point.

I would note the following for future reference:

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

I use a VPN exit location (Germany, let's say) on pfsense. I use a separate VPN exit location (Paris) on a client on the LAN of the pfsense router. The client still shows DNS exiting from the client VPN location (Paris), not the pfsense router location (Germany). This is accomplished without the use of opening ports or "VPN pass-through."

I would run through the connectivity troubleshooting with a client connected directly to the pfSense, leaving the second ddWRT router of the diagnostic test and note your findings. Also check your NAT settings on the pfsense router. Take a screen grab of your Outbound NAT settings and post them here.

6
pfBlockerNG / Re: firehol level 1 list blocking LAN resources
« on: November 20, 2017, 02:15:41 am »
I put the resulting IP list and DNSBL list on an external webserver as well currently updated once a week. You have them here: https://dnsbl.dyndns.org/modules/mymod/MyBlocklist.txt and https://dnsbl.dyndns.org/modules/mymod/mydnsblfeed.txt  The DNSBL file is big so it can take a while to download.

The links are not working.

Code: [Select]
Connection timed out after 15039 milliseconds Retry in 5 seconds...
. cURL Error: 28
Connection timed out after 15015 milliseconds Retry in 5 seconds...
. cURL Error: 28
Connection timed out after 15021 milliseconds Retry in 5 seconds...
.. unknown http status code
Download FAIL [ 11/20/17 08:12:54 ]
  Firewall and/or IDS are not blocking download.

The Following list has been REMOVED
 

Thanks for sharing. Let us know when the webserver is working again.

7
pfBlockerNG / Re: Comprehensive YouTube/Google Ad Block List
« on: November 20, 2017, 01:55:02 am »
Thanks for sharing.
You add this to your DNSBL Feed section, correct?

I tested it. It blocks most. I had one ad get through on ten videos.
I had to make sure I had the Adblocker for Youtube Extension disabled in Firefox to give a fair chance.

8
IDS/IPS / Re: Snort Alert Log Questions
« on: November 03, 2017, 03:31:41 am »
Thanks Bill.

9
NAT / Re: VLAN Through a TL-SG108
« on: November 03, 2017, 03:28:42 am »
Switch: Dlink DGS-1100-08

I did live in a rainforest before. Now I live by the coast. Same island. Yes, it takes that long for mail to get here using the USPS. Once a package leaves the US and enters the third world it is fair game. Most packages have made it untouched. One was raided and all the DVDs removed. I have sometimes have a hard time understanding how it can take that long too and I live here.

I just looked at our last set of packages to come in. They were shipped September 5 and arrived at our local PO on October 18.

10
NAT / Re: VLAN Through a TL-SG108
« on: October 30, 2017, 10:35:12 am »
Thank you both johnpoz and Grimson!

Once I revised the NAT rules the client can connect to the internet and is even behind the VPN.

I imagine that if I change the 192.168.30.0/24 to go out the WAN interface and not the OpenVPN interface the client will kick out the WAN, exposed and all...

I have already purchased a new switch. Three days shipping to a US address, repackage, then 4-6 weeks to here... A Christmas present.

I will start revising the firewall rules on VLAN30 to shore things up.

11
NAT / Re: VLAN Through a TL-SG108
« on: October 30, 2017, 09:59:58 am »
GUESTWIFI rules are wide open for testing. I will tighten them down later.

NAT is an attempt to copy what I set up for the PIA VPN connection and I suspect could be a problem.

The WAN and OpenVPN entries in the Manual Outbound NAT section are confirmed working settings for the PIA VPN connection. I added the four additional GUESTWIFI entries in attempt to discover any setting that would send traffic out.

Thanks for taking a look.

12
NAT / Re: VLAN Through a TL-SG108
« on: October 30, 2017, 09:26:40 am »
You could connect your AP direct to pfsense port..  Does your pfsense box have more than 1 interface that you can use on the lan side?

Only 1 physical interface. re1

pfsense lan - switch --- AP

Just like that. LAN port - dumb switch --- AP

pfSense is 192.168.4.1
Unifi AP Management IP is 192.168.4.186

I created my SSID "VLAN30 test" and checked "use VLAN" and entered 30.

I am running UniFi Controller software on a PC, not a phone. Controller software is latest available as of 29/10, Version 5.5.24.

I think I answered all your questions. Oh, and screens too.

Does any magic happen on the UniFi "Networks" page?

13
NAT / Re: VLAN Through a TL-SG108
« on: October 30, 2017, 07:05:30 am »
That switch is dumb, it does not understand vlans.

...and that was the very thing I was hoping to avoid but I figured was another possible issue. A new switch is six weeks out with the risk that they steal it out of a USPS package. Building networks in the third-world is always interesting.

Thanks johnpoz for the quick answer!

14
NAT / VLAN Through a TL-SG108
« on: October 30, 2017, 06:18:02 am »
LAN network is 192.168.4.1/24

LAN is on a PIA VPN account.

A VLAN has been created and labeled as GUEST WIFI and tagged as 30.

A static IP has been assigned as 192.168.30.1

DHCP has been turned on for this interface.

The DHCP range has been set to 192.168.30.100 - 192.168.30.200

A firewall rule for GUEST WIFI has been set for IPv4 any-any-any

The switch is a TP-Link TL-SG108.  http://www.tp-link.com/us/products/details/cat-42_TL-SG108.html

The AP is a UniFi AP-AC-Lite.

The "Use VLAN" option is checked and "30" is entered.

The client can associate with the AP and automatically receive an IP of 192.168.30.100; however no traffic is passing from the client to pfSense.

A ping test from pfSense to the 192.168.30.100 client is successful.

The 192.168.30.100 client can access the 192.168.4.1/24 network, pfSense control panel, NAS, etc.

The 192.168.30.100 client cannot access the internet.

All services are running.

I am using DNS Resolver and DNS Query Forwarding is checked.

Is this a NAT issue or DNS?

Any help is appreciated getting clients on the VLAN30 out to the internet.

15
General Questions / Re: Cannot Get back into WebGUI - No Network on LAN Port
« on: September 24, 2017, 10:27:34 am »
You may have a DNS issue here.

I agree. What do you find under System>General Setup "DNS Server Settings"?

And please ping from Diagnostics>Ping the site www.Google.com and report your results.

And to steal more great ideas from Stephen from another post...

Try going to Diag > DNS lookup and check google.com from there.

Check Status > Services and make sure Unbound (the DNS resolver) is running. It should be by default.


Pages: [1] 2 3 4 5