Messages - mikeisfly

Installation and Upgrades / Re: pfSense on old Macbook
« on: November 15, 2017, 07:14:10 pm »
Duo means it's hyperthreaded, if I remember correctly. I also believe it is 64-bit. As for a single port, you can use a switch, but the switch will have to support VLANs.

Firewalling / Re: Blocking web gui but allowing squidguard redirect page
« on: November 15, 2017, 04:52:54 am »
Why not just block access with a firewall rule? Something like:

block rule source subnet destination FWIP dest port: 443

" if a hostname couldn't be resolved it would result in a "no host found error" unicast packet back to the requestor"

Yes it does in a sense.. It would send back no error, it wouldn't send back NX..  Since it's not an FQDN..

> dig testhost

; <<>> DiG 9.11.2 <<>> testhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20634
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;testhost.                      IN      A

;; Query time: 2 msec
;; WHEN: Tue Nov 14 06:19:23 Central Standard Time 2017
;; MSG SIZE  rcvd: 26

My point is if you just put in a hostname and your client is set up with a suffix it would ask for the host name with that suffix added.. Which could give you a faulty response since you would get back something you didn't ask for.. example

> ping pfsense

Pinging pfsense.local.lan [] with 32 bytes of data:

I just asked for the hostname and got back the FQDN since the client auto-added the domain suffix when it did its query..  But what if I really wanted.


Pinging [] with 32 bytes of data:

This was my point that you could get back the wrong answer to what you're actually looking for..

Gotcha. I agree 100%. I just thought this would be understood. But you are totally right, if you are not careful you could get back an answer that you didn't actually want.
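The exchange above is really about a stub resolver's search list. The following is an added example, not code from the thread: it simulates how a bare name such as "pfsense" gets a search suffix appended (the ping output), how "testhost" falls through with no answer (the dig output), and how to flag an answer whose name differs from the one typed. The zone data, addresses and search suffixes are constructed.

```python
"""Simulate stub-resolver search-list behaviour for bare hostnames."""

# Constructed zone data standing in for what the local DNS server answers.
ZONE = {
    "pfsense.local.lan.": "192.0.2.1",        # the firewall the user meant
    "pfsense.corp.example.": "198.51.100.7",  # a different box, same short name
}


def expand_name(name, search_list, ndots=1):
    """Return the candidate names a resolver tries, in order.

    A name with fewer than `ndots` dots is tried with each search suffix
    first, then as typed. A name ending in a dot is absolute and is never
    expanded, which is why typing the FQDN avoids the ambiguity.
    """
    if name.endswith("."):
        return [name]
    candidates = []
    if name.count(".") < ndots:
        candidates += [f"{name}.{suffix}." for suffix in search_list]
    candidates.append(name + ".")
    return candidates


def resolve(name, search_list, zone=ZONE):
    """Resolve like the client in the ping example did.

    Returns (name_actually_answered, address). The bare name on its own
    yields NOERROR with zero answers (as the dig output shows), so when no
    candidate matches the result is (None, None).
    """
    for candidate in expand_name(name, search_list):
        if candidate in zone:
            return candidate, zone[candidate]
    return None, None


def answer_matches_request(requested, answered):
    """Flag the 'faulty response' case: the resolver answered for a name
    other than the one typed because a search suffix was appended."""
    if answered is None:
        return False
    return answered == requested.rstrip(".") + "."
```

Note that the order of the search list, not the user's intent, decides which "pfsense" is reached when two domains both have a host by that name.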

Installation and Upgrades / Re: Bought equipment. what should I do next?
« on: November 13, 2017, 08:11:03 pm »

Wow, what provider do you use? This looks awesome! Do they do phone and TV too?

I wasn't planning on using the built-in NIC as I have more than enough ports on the HP card. I've already disabled the integrated sound and LAN card.

I would use the built-in NIC for WAN and the HP for LAN(s). I guess nowadays with the PCI-e bus there is no downside to doing it the way you are doing it, but out of habit I prefer to have LAN and WAN on different NICs on different buses on the south bridge. The dedicated lanes of PCI-e should make this a non-issue for your setup. Router ports are gold, so I would enable the port in the BIOS and just leave it disabled in PfSense. That way, down the line if you need it you can enable it without having to restart your firewall.

That is a super bad habit!  And you should break yourself of it as fast as possible - cold turkey would be my suggestion ;)  As to the speed.. Clicking a bookmark is as fast as you're going to get - don't have to type a thing ;)

If your suffix search is not correct you could end up on the wrong box for starters ;)  Second, if DNS does not resolve it, then your machine will broadcast for the name. Why? Because you thought it faster to just type in a host vs a FQDN or just use a bookmark.

I will have to acquiesce, as DNS is not my area of expertise. I would think that hostname resolution would be a unicast packet sent to the DNS server and if a hostname couldn't be resolved it would result in a "no host found error" unicast packet back to the requestor. I do see your point about logging into the wrong device, which is why I name my hosts accordingly so I don't have any issues. At work we use a CLLI (Common Language Location Identifier) for the hostname and I do something similar at home. Not really worried about broadcast as I keep my subnets relatively small (64 hosts). But I guess you're right, bad habits can be hard to break. I'm kind of old school with the keyboard, using hotkeys and typing everything instead of bookmarks. What a first world problem! I guess I will start using bookmarks or typing the FQDN.

ACME does allow up to 100 names per certificate (all of them are SANs) and they can all be different domains if need be, but they all must be FQDN entries which each get validated individually.

Thanks, I thought I remembered you saying that on the hangout.

You're not going to get a cert to sign off on a host name.. That is not a valid SAN.. It would always need to be a FQDN..  Does ACME allow for SANs of different domains?

Yes, I think up to 100, don't quote me on that.

Why would you ever do that?  You stated you have a fully working cert with FQDN... The problem is of your own making.. Why would you not just go to pfsense.domain.tld?  What is the point of just wanting to go to pfsense?

Speed. Sure when I'm outside of my network I would just use the fqdn to access the gui but if I'm already on the network, under the same dns domain I typically will use the host name when addressing devices instead of using the full fqdn. When I'm addressing something across a different DNS zone then I would add the domain.tld .

But sure, if you have a page listening on just the IP or the host name, it could be set to redirect..  But for that you would need to set up an httpd that supports virtual pages.. I.e. it serves up a different page for host.domain.tld than otherhost.someother.tld..  Which is different than the default page it serves up on just the IP when you hit port 80 direct.  Or when you hit it with just some host name and not a FQDN site, etc..

I was thinking the same thing, seems like a waste of resources just for a redirect. I just figured surely someone else has tried to do this before and came up with the answer.

Pfsense is not meant to be a full httpd for your network.. It's meant to serve up its web GUI when hit on port 80 or 443 or whatever other ports you change it to, etc..   What you're asking for just seems pointless because you want a green lock when you put in the RFC 1918 IP or just a non-FQDN?

Sort of, yes. I could import the cert in all of my machines but that seems like a really big pain in the butt since I have a few, and having a public trusted cert would let me know if my page has been hijacked or not even when I'm not using a machine with an imported cert, like my cell phone. This is also a good learning experience.

BTW - I hit my pfsense GUI via IP and get a green https - because I just use a pfsense CA that my browser trusts and I can put in whatever SAN I want for any domain I want, etc.. not limited to the ACME restrictions..  Never thought of putting a non-FQDN SAN.. Since that is just pointless..

That's cool, do you use the same machine all the time for configuration? I kind of feel like the browser trusts too many CAs these days as it is. Ultimately I will probably generate my own private CA on my Windows Server 2012 R2 box and import it into PfSense, but this Let's Encrypt is pretty cool. I guess it does allow the bad guys to generate valid certs for hacking the Internet, but we can discuss that on a different thread. I do appreciate your input. I may go the webserver route with a redirect. I may even ask for a feature request but not sure how likely it is to get approved. Maybe there would be a security risk with that but I can't think of anything at the moment. Seems like something simple to do, admittedly I don't know how to do it.

Hello everyone. I just got around to looking at the April 2017 pfsense hangout on Let's Encrypt. I have my acme package set up and I am getting a valid Let's Encrypt certificate that I can log into my GUI with, with a valid lock icon in the address bar next to the URL when I type in the FQDN of my firewall. I have a split zone setup, so when I type it in when I'm outside of my network I get my public IP address. When I'm home and I type in the FQDN I get the private IP address of my firewall. Regardless, everything comes up as it should with a nice lock in the address bar. Again, no problem so far.

Here is my problem: when I just type in the hostname (example: https://pfsense) I get an invalid certificate error. I can't enter just the hostname in the SAN section of the certificate generation because I will get an error 400. I guess it needs the TLD. I have tried using squidproxy with the transparent proxy option with reverse proxy and squidguard to rewrite the domain name, or expand it out to the FQDN. I have tried to create a CNAME record in my Windows Server 2012 R2 setup to create an alias to the FQDN, but nothing seems to work.

My goal is to put just the hostname or IP address of my firewall in the address bar and have the firewall do a redirect (like it does when you try to access it from http instead of https) to the FQDN. Is this possible? Can a system tunable be added? Has anyone had this problem and figured it out? Any help is very appreciated.
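The redirect the original poster asks for, and that johnpoz describes as needing an httpd with virtual pages, comes down to a Host-header check. Here is an added example of that check with a minimal server around it; it is not pfSense code, and the canonical FQDN, the alias list and the bind address are placeholders.

```python
"""Redirect requests for a bare hostname or LAN IP to the canonical FQDN."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CANONICAL = "pfsense.example.test"   # assumed FQDN covered by the certificate
ALIASES = {"pfsense", "192.0.2.1"}   # assumed bare hostname / LAN IP people type


def redirect_target(host_header, path="/"):
    """Return the https URL to redirect to, or None when no redirect applies.

    None is returned for a missing Host header, for the canonical name
    itself, and for any name not in ALIASES (an open redirect would result
    from blindly echoing the Host header). A port suffix is ignored.
    """
    if not host_header:
        return None
    host = (urlsplit("//" + host_header).hostname or "").lower()
    if host == CANONICAL:
        return None
    if host in ALIASES:
        return f"https://{CANONICAL}{path}"
    return None


class Redirector(BaseHTTPRequestHandler):
    """Tiny virtual-host style handler: redirect aliases, refuse the rest.
    In a real deployment the canonical name would be served by the GUI."""

    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Redirector).serve_forever()
```

One caveat: the TLS handshake happens before the browser sends the Host header, so for https://pfsense the certificate warning appears before this redirect ever runs unless the served certificate already covers the alias (for example from a private CA, as johnpoz does); the redirect only helps for plain http requests.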


Installation and Upgrades / Re: Bought equipment. what should I do next?
« on: November 11, 2017, 02:15:37 pm »
Not sure what kind of port is built in and what kind you added on, but Suricata is sensitive about netmap compatibility, so if you plan to run that and want inline function to work, it may not be possible with every NIC port.  In other words, you could have to leave the built-in port empty if it's not compatible and you want that function.  Hopefully at least the add-on NICs are good.  If lucky, they will all work.

Looks like if the board is

then the built-in NIC is an Intel I219-V and here is the data sheet
The specs on the 4 port HP card is located here:

Looks like your setup is more for gaming than a router, but hey, if you have it lying around why not. Doubt FreeBSD will have drivers for everything.

Installation and Upgrades / Re: Bought equipment. what should I do next?
« on: November 11, 2017, 09:34:00 am »
Like others have mentioned, I would connect a Cat5e or Cat6 wire from your modem to the WAN port on the back of your PfSense box. You will have to decide which port on your NIC will be the WAN. I would make the built-in NIC on your mobo the WAN port. I then would connect the first port on the four-port NIC to the last port, 28, on your switch. That will be the LAN port. I would connect the access point to port 27 on your switch. I would connect all your clients from port 1 going toward the last. I like to connect clients and devices that will only have one MAC address to the first ports and things that will have multiple MAC addresses (switches, access points) to the last ports of a switch. That way you work towards the middle.

If you want to get better bandwidth management you could do a lag port from PfSense to your switch, but the problem that I have found with that is you can't put VLANs on a lag port. I know you aren't using VLANs now, but you have to think about the future. For example you may want to have multiple SSIDs to separate traffic. I personally put my cameras, Hue lights, and ecobee thermostat on a WiFi called IoT to minimize my attack surface. I also have corresponding rules that don't allow traffic from that network to my LAN.

Like others have mentioned though I would start simple and then build the network out from there.

Post a bounty / Re: Slow Web GUI with many VLAN Interfaces - 300$
« on: November 11, 2017, 07:55:16 am »
I know this doesn't really solve the issue, but isn't having 300+ interfaces off a firewall kind of crazy? I probably would virtualize your PfSense and have several PfSense VMs running in the same box and try to get the job done like that. Are there switches out there that can handle 300 VLANs? Again, I know this doesn't solve the root issue, it just seems like an engineering issue.

Hardware / Re: Chelsio T3 - Firmware
« on: November 10, 2017, 09:01:28 pm »
I can confirm that this process works. I bought a Chelsio card, S320E, with dual CX4 interfaces. After installing FreeNAS 11 on a spare drive and loading it for the first time, the firmware was installed on the card. I then swapped the PfSense HDD back and I was good to go. Not sure why the firmware is not included in PfSense; I'm using the latest PfSense snapshot, 2.4.2.a something, built on 10 Nov 2017. But everything is working fine now.

Routing and Multi WAN / Re: Routing between PFSense and second router ???
« on: November 09, 2017, 02:28:40 pm »
No problem. I work for a very large ISP, not Verizon, and the only way to get SSH access is from our corporate network. If I find a way I will post back here, but I doubt it. I know on our modems getting access to SSH opens a lot more options than are present in the GUI. In addition, our password changes every day to log into said modem, so even if you could get access to the command line, cracking the password would be really tough. Not sure if Verizon is doing the same thing.

No problem in answering your question, I like helping, plus seeing how you did your setup gave me ideas on how I may reconfigure my setup in the future. I like to read through the forums to see others' problems and solutions to add to my own knowledge. Good luck to you in the future.

Routing and Multi WAN / Re: Routing between PFSense and second router ???
« on: November 09, 2017, 10:05:14 am »
I seriously doubt that Verizon will give you SSH access to the router. I have FiOS as well and I have the same model router you have. I tried to access it but it was a no go. Why do you need SSH access when you should be able to do everything from the GUI?

Routing and Multi WAN / Re: 10gb routing not even close
« on: November 07, 2017, 06:36:57 pm »
Hmm, very interesting. I have ordered two Chelsio T3 cards off eBay with CX4 interfaces. Just waiting for them to arrive. While not exactly the same, check this video out; it could give you some tips on how to optimize your setup. I plan on going through a switch. I will report back when I have everything up and running; my WAN link is 1Gb symmetric.

My PfSense firewall is a:

Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Current: 3200 MHz, Max: 3201 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

with 4GB of RAM. The PCIe slot I believe is gen 2, maybe 3, but I plan on putting the card in the x16 slot.

My server is a dual Xeon E2690 with 128 GB RAM, 1 TB SSD boot drive / 32 (8x4) TB HDD running Storage Spaces with 512 GB SSD cache. The server is running Windows Server 2012 R2. First I will check switch speed, then I will check routing performance. I would be shocked if I can get filtering performance anywhere near 10Gb, but if I can get it above 2-3 Gbps I would feel like my money was well spent.

Routing and Multi WAN / Re: Routing LAN VLAN to to WAN VLAN
« on: November 07, 2017, 06:07:25 pm »
I'm glad you got it working. Normally when you want to do policy-based routing and you have multiple WANs, you would create a rule under that interface setting the gateway to the WAN interface of your choice. Then you have to go to the outbound NAT, where I usually set it to hybrid mode and set a rule like the one below:

Interface   Source   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description   Actions
WAN         *        *             *                                WAN address   *                        Default GW

Order here matters I believe (first match wins), so if your interface rule says to use WLWAN but the NAT outbound rule that matches first says to use the WAN, then the traffic would be dropped. Looks like you have your interface rule set to any (*), which is allowing the desired behavior.

