Topics - lifeboy

1
IPsec / IPSec phase2 with NAT/BINAT both sides fails to communicate
« on: February 09, 2018, 06:03:41 pm »
When I set up an IPSec tunnel with phase2 using NAT/BINAT, communication to the NAT'ed side stops.

When I remove the NAT/BINAT, all is well.

I have read https://forum.pfsense.org/index.php?topic=132486.0 which seems quite similar, except that my far side is not Azure, but another pfSense box that I have control over.

Of course, if this was my "live" setup, I could just not use NAT, but in the final setup, I need to connect to a service provider who doesn't allow us to do comms over private IP addresses.

Has anyone run into this and how did you fix it?

2
DHCP and DNS / Alias resolution somewhat crippled
« on: September 12, 2017, 08:34:37 am »
I have noticed this before and would like to see if something can be done about this.

When an alias is added to pfSense, it seems that the name gets randomly resolved if there's more than one A record.  An example:

Code:
$ dig  httpredir.debian.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> httpredir.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15753
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;httpredir.debian.org. IN A

;; ANSWER SECTION:
httpredir.debian.org. 3464 IN CNAME static.debian.org.
static.debian.org. 164 IN A 5.153.231.4
static.debian.org. 164 IN A 149.20.4.15
static.debian.org. 164 IN A 130.89.148.14
static.debian.org. 164 IN A 128.31.0.62

;; Query time: 6 msec
;; SERVER: 192.168.121.1#53(192.168.121.1)
;; WHEN: Tue Sep 12 15:12:00 SAST 2017
;; MSG SIZE  rcvd: 144

So if I add httpredir.debian.org, it doesn't work most of the time in a firewall rule and I have to manually add each IP address to the alias to get the desired result.

It would be really beneficial if a simple lookup could be done when a name (instead of an IP) is added to an alias and the appropriate records added.  Then one could have a refresh of the name (manually) or at startup or some other event to refresh records that have changed.

Mikrotik RouterOS has such a capability when one creates firewall address-lists.  You enter the name and the system resolves the records and adds one or more to the list as may be required.  This really makes life so much easier.

Is something like this in the works, or could it be added to a list of features to be expanded?

thanks and regards

Roland
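The expansion the post asks for, as an added example that is not part of the original post and not pfSense's alias code: resolve a name to every A record, following the CNAME chain the dig output shows, and on refresh report which addresses were added or dropped. To run offline it parses a constructed copy of the post's ANSWER SECTION instead of querying DNS; `SAMPLE_ANSWER_LATER` is a constructed second lookup in which one address has changed. A real alias refresher would feed the same functions a live answer.

```python
"""Expand a hostname alias to all of its A records, following CNAMEs,
and diff two resolutions so a refresh can report what changed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the ANSWER SECTION from the post, one RR per line.
SAMPLE_ANSWER = """\
httpredir.debian.org. 3464 IN CNAME static.debian.org.
static.debian.org. 164 IN A 5.153.231.4
static.debian.org. 164 IN A 149.20.4.15
static.debian.org. 164 IN A 130.89.148.14
static.debian.org. 164 IN A 128.31.0.62
"""

# Constructed sample of a later lookup: 128.31.0.62 has been replaced.
SAMPLE_ANSWER_LATER = """\
httpredir.debian.org. 3464 IN CNAME static.debian.org.
static.debian.org. 164 IN A 5.153.231.4
static.debian.org. 164 IN A 149.20.4.15
static.debian.org. 164 IN A 130.89.148.14
static.debian.org. 164 IN A 192.0.2.10
"""

# owner  ttl  IN  type  rdata   (dig prints these whitespace-separated)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")

Record = Tuple[str, str, str]  # (owner, type, rdata)


def norm(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot for comparison."""
    return name.lower().rstrip(".")


def parse_dig_answer(text: str) -> List[Record]:
    """Return (owner, type, rdata) for each A/CNAME line; comments and other RR types are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        records.append((norm(owner), rtype, norm(rdata) if rtype == "CNAME" else rdata))
    return records


def expand_alias(name: str, records: List[Record], max_depth: int = 8) -> Set[str]:
    """Collect every A record reachable from `name`, following CNAME hops.
    The hop count is bounded and visited names are tracked, so a CNAME loop
    in a malicious or broken zone cannot make the refresh spin forever."""
    a_by_owner: Dict[str, Set[str]] = {}
    cname: Dict[str, str] = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_by_owner.setdefault(owner, set()).add(rdata)
        else:
            cname[owner] = rdata
    addrs: Set[str] = set()
    seen: Set[str] = set()
    current = norm(name)
    for _ in range(max_depth):
        if current in seen:
            break
        seen.add(current)
        addrs |= a_by_owner.get(current, set())
        if current not in cname:
            break
        current = cname[current]
    return addrs


def refresh_alias(current: Set[str], name: str, records: List[Record]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Re-resolve `name` and return (new_set, added, removed) relative to `current`."""
    new = expand_alias(name, records)
    return new, new - current, current - new


if __name__ == "__main__":
    first = expand_alias("httpredir.debian.org", parse_dig_answer(SAMPLE_ANSWER))
    print("alias members:", sorted(first))
    _, added, removed = refresh_alias(first, "httpredir.debian.org", parse_dig_answer(SAMPLE_ANSWER_LATER))
    print("added:", sorted(added), "removed:", sorted(removed))
```

The refresh diff is the part worth keeping: a firewall alias that silently gains or loses addresses is a change to the rule set, so logging `added`/`removed` on every refresh gives an audit trail of what the rule actually matched at a given time.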

3
Since a recent upgrade (I'm on 2.3.2_1 now), in many places in the GUI virtually only a-z, A-Z, 0-9 seem to be allowed.  Previously this was not the case.  Now I can't even use an _ in an alias name for instance.  Or an @ or $ in a password.  While it is possible to use simpler strings, specifically in the instance of passwords, this significantly reduces the security of a password.  Strangely enough, anything already stored in a config somewhere continues to be accepted, it's only new passwords and other entries that are not allowed to have even the simplest special characters.

I suppose this is a bug, since I cannot believe that this is a design decision or is it?

An example:
Setting an L2TP user's password which includes an @, results in this:
The password contains invalid characters.

What's going on here?

thanks
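To make the point in the post concrete, here is an added example (not pfSense code, and not a description of how pfSense validates input): the alphanumeric-only check the post describes next to a hardened check that rejects only control characters and out-of-range lengths, plus the keyspace each policy leaves a random password. The length bounds are assumptions chosen for illustration.

```python
"""Password character policy: an alphanumeric-only allow-list beside a
hardened check, with the keyspace cost of the restriction."""
import math
import re
import unicodedata

ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")


def validate_alnum_only(password: str) -> bool:
    """Models the behaviour reported in the post: anything outside a-z, A-Z, 0-9 is rejected."""
    return ALNUM_ONLY.match(password) is not None


def validate_hardened(password: str, min_len: int = 12, max_len: int = 128) -> bool:
    """Reject only what can actually break storage or transport: control
    characters (Unicode category C*) and out-of-range lengths.  Every printable
    character, including '@' and '$', is accepted.  Length bounds are assumptions."""
    if not (min_len <= len(password) <= max_len):
        return False
    return all(not unicodedata.category(ch).startswith("C") for ch in password)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of keyspace for a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def restriction_cost_bits(length: int) -> float:
    """Bits of keyspace the alphanumeric-only rule (62 symbols) gives up
    compared with the 95 printable ASCII characters, at a given length."""
    return keyspace_bits(95, length) - keyspace_bits(62, length)


if __name__ == "__main__":
    for pw in ("Summer2018xyz", "Summer@2018$xy", "abc\x00defghijklm"):
        print(repr(pw), "alnum-only:", validate_alnum_only(pw), "hardened:", validate_hardened(pw))
    for n in (8, 12, 16):
        print(f"length {n}: restriction costs {restriction_cost_bits(n):.1f} bits")
```

If some downstream file format cannot carry a particular character, the right fix is to escape or quote it where that file is written, not to narrow the allow-list at the GUI; the two functions above make the difference in accepted input easy to test.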

4
I have a curious problem.  A perfectly working pfSense KVM machine (configured as per my post here: https://forum.pfsense.org/index.php?topic=88858.msg491311#msg491311 ), has the following symptoms now.
  • I have two bridges on the host machine: vmbr0 (LAN) and vmbr1 (WAN).   Both have tx checksumming turned off.
  • When I start the VM guest with pfSense, I cannot communicate with it via the WAN or LAN port.  All I can do is see via the KVM (proxmox)  console that it's up and it claims the ports are up.
  • When I try to ping the WAN gateway ip though, I get "host is down".  Pinging a LAN host IP just gives no response.
  • When I change the VM guest config to have both WAN and LAN on the LAN bridge (vmbr0) I can actually reach the guest via the WAN port public IP, but pfsense then is not able to "talk" to the LAN.  The WAN port seems to be working though??
Anyone have any idea what changed from Debian 7 to 8 that may be causing this?

5
I upgraded not too long ago and noticed yesterday that no servers behind pfSense were receiving any updates.  No traffic is going out, only incoming traffic is working.

pfSense runs in a KVM virtual machine under Proxmox and all was well using pfSense 2.2.2.

Both ports are bridged in the VM host platform configured as follows:

Code:
# cat /etc/network/interfaces
# network interface settings
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto eth3
iface eth3 inet manual

iface eth2 inet manual

auto bond0
iface bond0 inet manual
slaves eth0 eth1
bond_miimon 100
bond_mode 802.3ad
bond_xmit_hash_policy layer2

auto vmbr0
iface vmbr0 inet static
address  192.168.121.33
netmask  255.255.255.0
gateway  192.168.121.1
bridge_ports bond0
bridge_stp off
bridge_fd 0
# gateway  192.168.121.1

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth3
bridge_stp off
bridge_fd 0

Therefore the KVM host cannot reach anything on the WAN port, since there is no IP address allocated.

The pfSense basic config is:
1 WAN port (vtnet1)
1 LAN port (vtnet0)
7 Virtual IP defined
I connect to the LAN via IPsec/L2tp and can access all the servers/services in this way.

Problem is that no traffic is passed beyond the WAN port.  I can ping xxx.71.69.226 (the WAN port address), but not 225, which is the gateway.  However, from xxx.71.69.226 I can ping the 225 gateway and anything else outside.

Here's the routing table:

Code:
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            41.71.69.225       UGS      vtnet1
xxx.71.69.224/28    link#2             U        vtnet1
xxx.71.69.226       link#2             UHS         lo0
xxx.71.69.228       link#2             UHS         lo0
xxx.71.69.228/32    link#2             U        vtnet1
xxx.71.69.229       link#2             UHS         lo0
xxx.71.69.229/32    link#2             U        vtnet1
xxx.71.69.230       link#2             UHS         lo0
xxx.71.69.230/32    link#2             U        vtnet1
xxx.71.69.231       link#2             UHS         lo0
xxx.71.69.231/32    link#2             U        vtnet1
xxx.71.69.232       link#2             UHS         lo0
xxx.71.69.232/32    link#2             U        vtnet1
xxx.71.69.233       link#2             UHS         lo0
xxx.71.69.233/32    link#2             U        vtnet1
xxx.71.69.234       link#2             UHS         lo0
xxx.71.69.234/32    link#2             U        vtnet1
127.0.0.1          link#5             UH          lo0
192.168.120.240    link#7             UH        l2tp0
192.168.120.241    link#8             UH        l2tp1
192.168.120.248    link#7             UHS         lo0
192.168.121.0/24   link#1             U        vtnet0
192.168.121.1      link#1             UHS         lo0

The default gateway should receive all the traffic, but it's not happening.  Is there a FreeBSD method to disable/enable routing (like Linux has), or is routing always allowed by default?

I don't know how to troubleshoot this any further, so I need some help please.
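The host configuration quoted in this post (and again, nearly identically, in the later Proxmox cluster post) relies on one property: the WAN bridge vmbr1 and its member port eth3 carry no host address, so the hypervisor is reachable from the WAN only through the pfSense VM. The following is an added example, not code from Proxmox, pfSense or the poster, that parses ifupdown stanzas of that form and reports, per bridge, whether the host is addressed on it and whether any member port (bond slaves included) is addressed on its own, which would be a path around the firewall VM. `SAMPLE_INTERFACES` is a constructed copy of the quoted file.

```python
"""Audit a Debian/Proxmox /etc/network/interfaces for host exposure on bridges."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed copy of the interfaces file quoted in the post.
SAMPLE_INTERFACES = """\
# network interface settings
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto eth3
iface eth3 inet manual

iface eth2 inet manual

auto bond0
iface bond0 inet manual
slaves eth0 eth1
bond_miimon 100
bond_mode 802.3ad
bond_xmit_hash_policy layer2

auto vmbr0
iface vmbr0 inet static
address  192.168.121.33
netmask  255.255.255.0
gateway  192.168.121.1
bridge_ports bond0
bridge_stp off
bridge_fd 0
# gateway  192.168.121.1

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth3
bridge_stp off
bridge_fd 0
"""

Stanza = Dict[str, object]  # {"family": str, "method": str, "options": {key: [values]}}


def parse_interfaces(text: str) -> Tuple[Dict[str, Stanza], Set[str]]:
    """Return (stanzas by interface name, set of 'auto' interfaces).
    '#' comments are stripped first, so a commented-out gateway line is ignored."""
    stanzas: Dict[str, Stanza] = {}
    auto: Set[str] = set()
    current: Optional[Stanza] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "auto":
            auto.update(words[1:])
        elif words[0] == "iface" and len(words) >= 4:
            current = {"family": words[2], "method": words[3], "options": {}}
            stanzas[words[1]] = current
        elif current is not None:
            current["options"][words[0]] = words[1:]
    return stanzas, auto


def addressed(st: Stanza) -> bool:
    """True when the host itself will hold an IP address on this interface."""
    return st["method"] in ("static", "dhcp") or "address" in st["options"]


def audit_bridges(text: str) -> Dict[str, Dict[str, object]]:
    """For every bridge: its ports, all members (bond slaves expanded), whether the
    host is addressed on the bridge, and which members are addressed themselves."""
    stanzas, auto = parse_interfaces(text)
    report: Dict[str, Dict[str, object]] = {}
    for name, st in stanzas.items():
        ports: List[str] = st["options"].get("bridge_ports", [])
        if not ports:
            continue
        members = list(ports)
        for p in ports:  # a bonded port exposes its slaves as well
            if p in stanzas:
                members += stanzas[p]["options"].get("slaves", [])
        report[name] = {
            "ports": ports,
            "members": members,
            "host_addressed": addressed(st),
            "gateway": st["options"].get("gateway", [None])[0],
            "addressed_members": [p for p in members if p in stanzas and addressed(stanzas[p])],
            "auto": name in auto,
        }
    return report


if __name__ == "__main__":
    for br, info in audit_bridges(SAMPLE_INTERFACES).items():
        state = "host-addressed" if info["host_addressed"] else "transit only"
        print(f"{br}: ports={info['ports']} {state} gateway={info['gateway']} "
              f"addressed members={info['addressed_members']}")
```

For the quoted file this reports vmbr0 as host-addressed with gateway 192.168.121.1 (the pfSense LAN address) and vmbr1 as transit only with no addressed members, which is the layout the post describes; if someone later gave eth3 a static address, the `addressed_members` list for vmbr1 would show it.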

6
pfSense is set up as described here, except that some of the options are not shown in pfSense 2.2 any more.

I can connect from Linux (Ubuntu) & Mikrotik successfully.

However, OSX just plays dumb.  Using OSX 10.10.2 with the native client as described here, I get the following in the /var/log/system.log regardless of what changes I try on the server.  There's pretty much nothing to change on the client.  It has so few options to set.

Code:
Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: pppd 2.4.2 (Apple version 786.10.1) started by carelvandermerwe, uid 501
Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: l2tp_get_router_address
Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: l2tp_get_router_address 192.168.88.1 from dict 1
Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: L2TP connecting to server '41.yy.xx.130' (41.71.68.130)...
Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: IPSec connection started
Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: plogsetfile: about to add racoon log file: /var/log/racoon.log
Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: accepted connection on vpn control socket.
Mar 16 23:23:12 --- last message repeated 1 time ---
Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: Connecting.
Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: IPSec Phase 1 started (Initiated by me).
Mar 16 23:23:12 --- last message repeated 1 time ---
Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: >>>>> phase change status = Phase 1 started by us
Mar 16 23:23:13 --- last message repeated 1 time ---
Mar 16 23:23:13 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
Mar 16 23:23:16 --- last message repeated 1 time ---
Mar 16 23:23:16 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:16 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
Mar 16 23:23:19 --- last message repeated 1 time ---
Mar 16 23:23:19 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:19 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
Mar 16 23:23:22 --- last message repeated 1 time ---
Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
Mar 16 23:23:22 --- last message repeated 1 time ---
Mar 16 23:23:22 Carel-Macbook-Pro.local pppd[6789]: IPSec connection failed
Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: IPSec disconnecting from server 41.yy.xx.130
Mar 16 23:23:22 --- last message repeated 1 time ---
Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: glob found no matches for path "/var/run/racoon/*.conf"

I have unloaded (stopped) and loaded (started) racoon on the Mac, it makes no difference.

I'm at a loss for other options. 

Does this work on a Mac?  I have even installed IPSecuritas, but it also gives a very similar error so I uninstalled it again.

(Update: Also tested on OSX 10.6, same problem)

7
IPsec / L2TP link "freezes" when anything but pings are sent.
« on: February 25, 2015, 05:37:30 am »
What would be the solution to this problem?  There are many questions in the forums that are similar:  Access to clients, possibly NAT'ted ones, via L2TP doesn't work.

I have noticed the following:

1. I have disabled IPSec in an effort to isolate the problem.
2. L2TP connects and I can ping all the addresses on the VPN.
3. As soon as I connect to a service (ie. http://192.168.121.10), sometimes a little of the page actually starts loading before the link "dies" (for lack of a more accurate description)
4. There is no l2tp activity in the logs.
5. The RAW /var/log/l2tps.log has the following:

Code:
Feb 20 14:52:53 pfSense l2tps: L2TP: Control connection 0x80301bb08 connected
Feb 20 14:52:53 pfSense l2tps: L2TP: Incoming call #1 via connection 0x80301bb08 received
Feb 20 14:52:53 pfSense l2tps: [l2tp0] L2TP: Incoming call #1 via control connection 0x80301bb08 accepted
Feb 20 14:52:53 pfSense l2tps: [l2tp0] opening link "l2tp0"...
Feb 20 14:52:53 pfSense l2tps: [l2tp0] link: OPEN event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: Open event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: state change Initial --> Starting
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: LayerStart
Feb 20 14:52:53 pfSense l2tps: [l2tp0] L2TP: Call #1 connected
Feb 20 14:52:53 pfSense l2tps: [l2tp0] link: UP event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] link: origination is remote
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: Up event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: state change Starting --> Req-Sent
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: SendConfigReq #18
Feb 20 14:52:53 pfSense l2tps:  ACFCOMP
Feb 20 14:52:53 pfSense l2tps:  PROTOCOMP
Feb 20 14:52:53 pfSense l2tps:  MRU 1500
Feb 20 14:52:53 pfSense l2tps:  MAGICNUM a628a980
Feb 20 14:52:53 pfSense l2tps:  AUTHPROTO CHAP MD5
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: rec'd Configure Request #1 (Req-Sent)
Feb 20 14:52:53 pfSense l2tps:  ACCMAP 0x00000000
Feb 20 14:52:53 pfSense l2tps:  MAGICNUM 80ad49dd
Feb 20 14:52:53 pfSense l2tps:  PROTOCOMP
Feb 20 14:52:53 pfSense l2tps:  ACFCOMP
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: SendConfigAck #1
Feb 20 14:52:53 pfSense l2tps:  ACCMAP 0x00000000
Feb 20 14:52:53 pfSense l2tps:  MAGICNUM 80ad49dd
Feb 20 14:52:53 pfSense l2tps:  PROTOCOMP
Feb 20 14:52:53 pfSense l2tps:  ACFCOMP
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: state change Req-Sent --> Ack-Sent
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: rec'd Configure Nak #18 (Ack-Sent)
Feb 20 14:52:53 pfSense l2tps:  AUTHPROTO CHAP MSOFTv2
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: SendConfigReq #19
Feb 20 14:52:53 pfSense l2tps:  ACFCOMP
Feb 20 14:52:53 pfSense l2tps:  PROTOCOMP
Feb 20 14:52:53 pfSense l2tps:  MRU 1500
Feb 20 14:52:53 pfSense l2tps:  MAGICNUM a628a980
Feb 20 14:52:53 pfSense l2tps:  AUTHPROTO CHAP MSOFTv2
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: rec'd Configure Ack #19 (Ack-Sent)
Feb 20 14:52:53 pfSense l2tps:  ACFCOMP
Feb 20 14:52:53 pfSense l2tps:  PROTOCOMP
Feb 20 14:52:53 pfSense l2tps:  MRU 1500
Feb 20 14:52:53 pfSense l2tps:  MAGICNUM a628a980
Feb 20 14:52:53 pfSense l2tps:  AUTHPROTO CHAP MSOFTv2
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: state change Ack-Sent --> Opened
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: auth: peer wants nothing, I want CHAP
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CHAP: sending CHALLENGE len:17
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: LayerUp
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CHAP: rec'd RESPONSE #1
Feb 20 14:52:53 pfSense l2tps:  Name: "roland"
Feb 20 14:52:53 pfSense l2tps: [l2tp0] AUTH: Auth-Thread started
Feb 20 14:52:53 pfSense l2tps: [l2tp0] AUTH: Trying INTERNAL
Feb 20 14:52:53 pfSense l2tps: [l2tp0] AUTH: INTERNAL returned undefined
Feb 20 14:52:53 pfSense l2tps: [l2tp0] AUTH: Auth-Thread finished normally
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CHAP: ChapInputFinish: status undefined
Feb 20 14:52:53 pfSense l2tps:  Response is valid
Feb 20 14:52:53 pfSense l2tps:  Reply message: S=098CA97B7048BF0D24E71E3142E76D476CF1FDFE
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CHAP: sending SUCCESS len:42
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: authorization successful
Feb 20 14:52:53 pfSense l2tps: [l2tp0] Bundle up: 1 link, total bandwidth 64000 bps
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: Open event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: state change Initial --> Starting
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: LayerStart
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: Open event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: state change Initial --> Starting
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: LayerStart
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: Up event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: state change Starting --> Req-Sent
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: SendConfigReq #5
Feb 20 14:52:53 pfSense l2tps:  IPADDR 192.168.120.248
Feb 20 14:52:53 pfSense l2tps:  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: Up event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: state change Starting --> Req-Sent
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: SendConfigReq #3
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: rec'd Configure Request #1 (Req-Sent)
Feb 20 14:52:53 pfSense l2tps:  COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
Feb 20 14:52:53 pfSense l2tps:  IPADDR 0.0.0.0
Feb 20 14:52:53 pfSense l2tps:    NAKing with 192.168.120.240
Feb 20 14:52:53 pfSense l2tps:  PRIDNS 0.0.0.0
Feb 20 14:52:53 pfSense l2tps:    NAKing with 192.168.121.248
Feb 20 14:52:53 pfSense l2tps:  SECDNS 0.0.0.0
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: SendConfigRej #1
Feb 20 14:52:53 pfSense l2tps:  SECDNS 0.0.0.0
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: rec'd Configure Ack #5 (Req-Sent)
Feb 20 14:52:53 pfSense l2tps:  IPADDR 192.168.120.248
Feb 20 14:52:53 pfSense l2tps:  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: state change Req-Sent --> Ack-Rcvd
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: rec'd Protocol Reject #2 (Opened)
Feb 20 14:52:53 pfSense l2tps: [l2tp0] LCP: protocol CCP was rejected
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: protocol was rejected by peer
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: state change Req-Sent --> Stopped
Feb 20 14:52:53 pfSense l2tps: [l2tp0] CCP: LayerFinish
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: rec'd Configure Request #2 (Ack-Rcvd)
Feb 20 14:52:53 pfSense l2tps:  COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
Feb 20 14:52:53 pfSense l2tps:  IPADDR 0.0.0.0
Feb 20 14:52:53 pfSense l2tps:    NAKing with 192.168.120.240
Feb 20 14:52:53 pfSense l2tps:  PRIDNS 0.0.0.0
Feb 20 14:52:53 pfSense l2tps:    NAKing with 192.168.121.248
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: SendConfigNak #2
Feb 20 14:52:53 pfSense l2tps:  IPADDR 192.168.120.240
Feb 20 14:52:53 pfSense l2tps:  PRIDNS 192.168.121.248
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: rec'd Configure Request #3 (Ack-Rcvd)
Feb 20 14:52:53 pfSense l2tps:  COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
Feb 20 14:52:53 pfSense l2tps:  IPADDR 192.168.120.240
Feb 20 14:52:53 pfSense l2tps:    192.168.120.240 is OK
Feb 20 14:52:53 pfSense l2tps:  PRIDNS 192.168.121.248
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: SendConfigAck #3
Feb 20 14:52:53 pfSense l2tps:  COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
Feb 20 14:52:53 pfSense l2tps:  IPADDR 192.168.120.240
Feb 20 14:52:53 pfSense l2tps:  PRIDNS 192.168.121.248
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IPCP: LayerUp
Feb 20 14:52:53 pfSense l2tps:   192.168.120.248 -> 192.168.120.240
Feb 20 14:52:53 pfSense l2tps: [l2tp0] IFACE: Up event
Feb 20 14:52:53 pfSense l2tps: [l2tp0] no interface to proxy arp on for 192.168.120.240

Then, when I attempt to connect to a machine, this happens in the log:

Code:
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@

This is just a snippet of the huge volume of ^@'s I see.

I have no idea what this means or what causes it, but although the link stays up (according to the client software on my Ubuntu Desktop), it is useless.

8
I have a Proxmox cluster of machines installed and want to set up pfSense 2.2 as a firewall/router to control access and allow VPN L2TP/IPsec connections to be made to the VM in the cluster.  Here's my setup:



I have battled with the L2TP setup extensively.  Once the link is up, I can ping all the hosts on the Cluster LAN, but not SSH, HTTP or anything else for that matter. 

I then realised that if I attempt to access the internet from any of the hosts on the LAN, I can ping anything on the internet, but also not use other services like SSH for example. 

To be more specific.  Host S1 has the following network config:  (vmbr0 is LAN in my diagram above and vmbr1 is WAN)

Code:
# network interface settings
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto eth3
iface eth3 inet manual

iface eth2 inet manual

auto bond0
iface bond0 inet manual
slaves eth0 eth1
bond_miimon 100
bond_mode 802.3ad
bond_xmit_hash_policy layer2

auto vmbr0
iface vmbr0 inet static
address  192.168.121.33
netmask  255.255.255.0
dns-nameserver 192.168.121.1 8.8.8.8
bridge_ports bond0
bridge_stp off
bridge_fd 0
gateway 192.168.121.1

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth3
bridge_stp off
bridge_fd 0

Eth3 does not have an ip address on the host, only via vmbr1 on the WAN port of the pfSense VM, thus not allowing any traffic into/out of the network except through the pfSense WAN port.

The routes on S1:

Code:
~# ip route
192.168.121.0/24 dev vmbr0  proto kernel  scope link  src 192.168.121.33
default via 192.168.121.1 dev vmbr0

Code:
~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
    link/ether 00:21:28:8e:b6:52 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
    link/ether 00:21:28:8e:b6:52 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:21:28:8e:b6:54 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:21:28:8e:b6:55 brd ff:ff:ff:ff:ff:ff
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:21:28:8e:b6:52 brd ff:ff:ff:ff:ff:ff
7: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:21:28:8e:b6:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.121.33/24 brd 192.168.121.255 scope global vmbr0
    inet6 fe80::221:28ff:fe8e:b652/64 scope link
       valid_lft forever preferred_lft forever
8: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:21:28:8e:b6:55 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::221:28ff:fe8e:b655/64 scope link
       valid_lft forever preferred_lft forever
9: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet6 fe80::1/128 scope link
       valid_lft forever preferred_lft forever
10: tap103i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether a6:54:df:4a:c4:39 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a454:dfff:fe4a:c439/64 scope link
       valid_lft forever preferred_lft forever
11: tap103i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 1a:96:aa:1e:32:8f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1896:aaff:fe1e:328f/64 scope link
       valid_lft forever preferred_lft forever
12: tap101i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 4e:15:b3:15:b1:4b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4c15:b3ff:fe15:b14b/64 scope link
       valid_lft forever preferred_lft forever
13: tap105i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 0e:5c:b9:c1:e4:17 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c5c:b9ff:fec1:e417/64 scope link
       valid_lft forever preferred_lft forever

Just for clarity: I use bonded LACP ethernet between my hosts since I'm also using ceph to virtualise the hard disks into a cluster.  That's where the bonded ethernet fits in.

My question is: What is wrong with the setup and what should I add to pfSense to make this work?

Code:
~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  pfSense.aaaa.com (192.168.121.1)  0.251 ms  0.232 ms  0.231 ms
 2  xx.yy.zz.129 (xx.yy.zz.129)  1.020 ms  1.039 ms  1.045 ms
 3  xx.qq.ww.34 (xx.qq.ww.34)  16.400 ms  16.437 ms  16.411 ms
 4  google.jb1.napafrica.net (196.46.25.166)  16.566 ms  16.576 ms  16.579 ms
 5  72.14.239.35 (72.14.239.35)  16.950 ms 72.14.239.117 (72.14.239.117)  16.922 ms 72.14.239.35 (72.14.239.35)  17.106 ms
 6  * * *
 7  * * *

However, the following just sits there:

Code:
~# wget http://www.google.com
--2015-02-17 00:11:50--  http://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.223.36, 2c0f:fb50:4002:803::2004
Connecting to www.google.com (www.google.com)|216.58.223.36|:80... connected.
HTTP request sent, awaiting response...

pfSense has the following firewall rules:

IPv4
Destination         Gateway         Flags   Use      MTU    NetIF
default             41.71.68.129    UGS     200761   1366   vtnet1
41.71.68.128/29     link#2          U       30020    1366   vtnet1
41.71.68.130        link#2          UHS     8        16384  lo0
127.0.0.1           link#5          UH      110      16384  lo0
192.168.121.0/24    link#1          U       9665     1500   vtnet0
197.242.201.218     41.71.68.129    UGHS    0        1366   vtnet1
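Both this table and the `netstat -rn` output in the earlier Proxmox post (5) are FreeBSD routing tables, and the question in both is the same: which route does a given destination take. The following added example (not pfSense or FreeBSD code) parses either column layout quoted on the page, the `Destination Gateway Flags Netif Expire` form and the `Destination Gateway Flags Use MTU NetIF` form, by taking the interface from the last column, which assumes the Expire column is empty as it is in the quoted output, and does a longest-prefix match. `SAMPLE_TABLE` is constructed: it mirrors the shape of the earlier post's table with the redacted WAN block replaced by 203.0.113.224/28 and the WAN address by 203.0.113.226.

```python
"""Longest-prefix route lookup over a FreeBSD `netstat -rn` table."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link#N" for a directly connected route
    flags: str
    netif: str


# Constructed sample in the "Netif Expire" layout; redacted addresses replaced
# with the 203.0.113.0/24 documentation range.
SAMPLE_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            203.0.113.225      UGS      vtnet1
203.0.113.224/28   link#2             U        vtnet1
203.0.113.226      link#2             UHS         lo0
127.0.0.1          link#5             UH          lo0
192.168.120.240    link#7             UH        l2tp0
192.168.120.248    link#7             UHS         lo0
192.168.121.0/24   link#1             U        vtnet0
192.168.121.1      link#1             UHS         lo0
"""


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse IPv4 routes; header and section lines are recognised by failing to
    parse as a network and skipped.  A bare host destination becomes a /32."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # blank, "Routing tables", "Internet:"
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue                      # the column-header line
        if net.version != 4:
            continue                      # an Internet6: section, if present
        routes.append(Route(net, fields[1], fields[2], fields[-1]))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Return the most specific matching route, or None when nothing matches."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best


def classify(route: Optional[Route]) -> str:
    """Human-readable verdict: local address, directly connected, via gateway, or none."""
    if route is None:
        return "unroutable"
    if route.netif == "lo0":
        return "local address"
    if route.gateway.startswith("link#"):
        return "on-link"
    return f"via {route.gateway}"


if __name__ == "__main__":
    table = parse_netstat_rn(SAMPLE_TABLE)
    for dst in ("8.8.8.8", "203.0.113.225", "203.0.113.226", "192.168.121.10", "192.168.120.240"):
        r = lookup(table, dst)
        print(f"{dst:16} -> {classify(r):20} {r.netif if r else '-'}")
```

Run against the constructed table, internet destinations resolve to the default route via 203.0.113.225 on vtnet1 and the gateway itself is on-link through the /28, which is the behaviour the earlier post expects from its table. When the table is right and LAN hosts still cannot get past the firewall, the remaining question in that post, whether FreeBSD can have forwarding switched off, is answered by the sysctl `net.inet.ip.forwarding` (1 = forward packets between interfaces), the counterpart of Linux's `net.ipv4.ip_forward`.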

9
General Questions / How to change boot device permanently
« on: September 30, 2010, 12:18:56 pm »
One of my pfsense boxes just got fried (on a UPS in a server room, mind you!).  So we moved the disk drive to a new but different box.  The system boots up to a point where it prompts for the boot partition.  It tries /dev/ad5s1a but fails.   If one enters ufs:ad2s1a it boots and all is well, but of course I would like this change to be permanent.  However, the /boot/loader.conf is empty and /boot/defaults/loader.conf has no effect on the boot process.

Can someone please point me to the correct place to change the boot partition specification?  Of course, we could do a fresh install and restore a backup of the config, but then we would have learnt nothing and that would be so much "the windows way" that I would prefer to just correct the setup! :-)

regards

Roland

10
Hi all,

I understand how to create a time based rule to block or allow access to specific destinations.  However, pfSense does not allow the combination of a schedule and a non-default gateway in the same rule. 

I'd like to push all traffic over an utilised WAN link after hours though (which does not incur a usage charge), but during the day the traffic should go over ADSL which is faster (and the other WAN link is used for VOIP traffic during the day)

I have been thinking about this and am wondering if someone has figured out a way to do this with possibly a combination of negative rules and schedules?  I've tried some rules this way and that way, but I always run into the problem that the rules stop being applied as soon as the first match is found.

Any ideas or help you can offer?

regards
