
Show Posts



Topics - valnar

Pages: [1] 2 3 4 5
1
General Questions / 2.4.3 Traffic Graph non-inverse not working
« on: March 29, 2018, 08:34:39 pm »
Basically as the title says.  I upgraded to 2.4.3 and now the inverse function (actually, turning it OFF) doesn't work.  The graphs are inversing the up and down no matter what the setting.

2
pfBlockerNG / pfBlocker white list bypasses all other rules
« on: February 28, 2018, 06:32:24 pm »
So I found a major security issue in pfBlocker, or pfSense in general.  If this has been discussed before I apologize.

I implemented pfBlocker with GeoIP "allowing" and once a packet hits one of those rules (i.e. I allow North America), it simply is forwarded without checking any other rules.  This is a major design flaw IMO since Geo-IP blocking is implemented as a regular firewall rule.  Because it matches that rule first, I cannot apply further scrutiny other than it's from North America.  My downstream rule to only allow certain IPs access for HTTPS or SSH inbound to my network is completely bypassed.

Geo blocking should be at a different level than a standard firewall policy.  Further rules should be processed once it meets your Geo blocking requirement.  Is there a way to make this happen?
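The post above describes first-match rule evaluation: an allow rule that matches on country alone is consulted before the narrower admin allowlist, so the narrower rule never runs for traffic from that region. The following is an added example, not pfSense or pfBlockerNG code, that models that ruleset with constructed RFC 5737 documentation ranges standing in for a "North America" GeoIP aggregate and an admin allowlist, and shows the same traffic against an ordering in which the GeoIP rule is a deny-outside filter so that the narrow rule is still evaluated afterwards.

```python
"""First-match firewall evaluation, modelling the pfBlocker post above.

Added example, not pfSense or pfBlockerNG code.  It models a first-match
('quick') ruleset in which a GeoIP allow rule sits ahead of a narrower admin
allowlist, then the ordering in which GeoIP is a deny-outside filter and the
narrow rule still gets its turn.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample tables using RFC 5737 documentation ranges: a pretend
# "North America" GeoIP aggregate and the operator's admin allowlist.
GEO_NORTH_AMERICA = (ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("203.0.113.0/24"))
ADMIN_ALLOWLIST = (ipaddress.ip_network("198.51.100.10/32"),)
SERVICE_PORTS = frozenset({22, 443})


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    name: str
    sources: tuple = ()             # empty tuple = any source
    negate: bool = False            # True = match sources NOT in the list
    ports: frozenset = frozenset()  # empty = any destination port

    def matches(self, src, dport):
        in_sources = not self.sources or any(src in net for net in self.sources)
        if self.negate:
            in_sources = not in_sources
        port_ok = not self.ports or dport in self.ports
        return in_sources and port_ok


def evaluate(rules, src, dport):
    """Return (action, rule name) of the first matching rule; default deny."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(addr, dport):
            return rule.action, rule.name
    return "block", "default-deny"


# Ruleset as the post describes it: the GeoIP 'allow' rule matches first, so
# the admin allowlist beneath it is never consulted for North American sources.
AS_POSTED = [
    Rule("pass", "pfB_NorthAmerica_v4 allow", GEO_NORTH_AMERICA),
    Rule("pass", "admin HTTPS/SSH", ADMIN_ALLOWLIST, ports=SERVICE_PORTS),
    Rule("block", "block all"),
]

# Corrected ordering: GeoIP becomes a deny-outside filter; anything that
# survives it must still satisfy the narrow admin rule or fall to block all.
CORRECTED = [
    Rule("block", "not North America", GEO_NORTH_AMERICA, negate=True),
    Rule("pass", "admin HTTPS/SSH", ADMIN_ALLOWLIST, ports=SERVICE_PORTS),
    Rule("block", "block all"),
]

# Constructed sample traffic: (source address, destination port)
SAMPLE = [("198.51.100.10", 443),   # allowlisted admin host inside NA
          ("198.51.100.77", 22),    # NA host that is NOT on the allowlist
          ("192.0.2.5", 443)]       # source outside the GeoIP aggregate


def audit(rules, packets=SAMPLE):
    """Evaluate each packet; returns [(src, port, action, matched rule)]."""
    return [(src, port, *evaluate(rules, src, port)) for src, port in packets]


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label)
        for row in audit(rules):
            print("  %-15s :%-4d -> %-5s (%s)" % row)
```

Running it shows the bypass the post complains about: the non-allowlisted North American host is passed to port 22 under the posted ordering and blocked under the corrected one, while the allowlisted host and the out-of-region source get the same verdict either way.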

3
General Questions / Search firewall logs by rule names?
« on: January 27, 2018, 07:36:56 am »
Is it possible to add a feature that lets you search firewall logs by the rule name? If you have a lot of logs, that would be more useful than guessing the IPs and ports, especially if they are unknown.

Also, being able to easily add parameters using simple definitions (like CheckPoint does or Cisco ASA) to include multiple IPs, ports or other search terms would help.

4
Packages / Just want pfSense to shutdown when UPS goes to battery
« on: January 24, 2018, 03:54:15 pm »
I'm a little confused on whether I should use apcupsd or nut.  My pfSense firewall is on an APU2 box.

Basically I have an APC SmartUPS 1000 and its USB cable is already connected to a Windows server.  I also have the Network Management Card 2 installed in it.  All I really need is for pfSense to shut itself down when the power gets low enough on battery.  My other computers have different methods of dealing with it, so I don't need pfSense to be a traffic director (although after this, I tackle my Ubuntu box, so maybe I DO want pfSense to have smarts in this area??).

I assume there is a network mechanism I can use to have pfSense poll the state of the UPS?

I looked at apcupsd and couldn't figure out the correct combination of parameters to make it work.  I used this, but I don't know if it's working:

Enable - Check
UPS name: My UPS
UPS Cable: ether
UPS Type: pcnet
Device: 10.xxx.xxx.6:apc:password
Net Server: On
NIS IP: 127.0.0.1
NIS Port: 3551

Status
Status information from apcupsd
Running: apcaccess -h 127.0.0.1:3551

APC      : 001,018,0466
DATE     : 2018-01-24 16:32:04 -0500 
HOSTNAME : <removed>
VERSION  : 3.14.14 (31 May 2016) freebsd
UPSNAME  : Basement UPS
CABLE    : Ethernet Link
DRIVER   : PCNET UPS Driver
UPSMODE  : Stand Alone
STARTTIME: 2018-01-24 16:31:08 -0500 
STATUS   : COMMLOST
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes
MAXTIME  : 0 Seconds
NUMXFERS : 0
TONBATT  : 0 Seconds
CUMONBATT: 0 Seconds
XOFFBATT : N/A
STATFLAG : 0x05000100
END APC  : 2018-01-24 16:52:03 -0500

Which package is for me?  I couldn't find the instructions after a cursory look.  Thanks.
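The status block pasted above is the KEY : value text that apcaccess prints, and the line that matters for "I don't know if it's working" is STATUS : COMMLOST: the daemon is running but has no link to the UPS, so no battery figures are available to act on. The following is an added example, not apcupsd or pfSense code; it parses that format, applies the two thresholds the post shows (MBATTCHG and MINTIMEL) against the BCHARGE and TIMELEFT keys that apcaccess reports once communication is up, and treats a COMMLOST reading as "no decision possible" rather than as "online". The first sample is a constructed, trimmed copy of the post's output; the second is a constructed on-battery reading.

```python
"""Reading apcaccess output, for the apcupsd question above.

Added example, not apcupsd or pfSense code.  Parses the 'KEY : value' lines
that apcaccess prints and applies the thresholds shown in the post (MBATTCHG,
MINTIMEL) to the live BCHARGE / TIMELEFT values.  A COMMLOST status means
there is no battery data at all, which must not be read as 'mains is fine'.
"""
import re

# Constructed, trimmed copy of the status pasted in the post (hostname removed).
POSTED = """\
APC      : 001,018,0466
HOSTNAME : <removed>
UPSNAME  : Basement UPS
CABLE    : Ethernet Link
DRIVER   : PCNET UPS Driver
STATUS   : COMMLOST
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes
STATFLAG : 0x05000100
"""

# Constructed on-battery reading with the same thresholds, below the charge limit.
ON_BATTERY_LOW = """\
UPSNAME  : Basement UPS
STATUS   : ONBATT
BCHARGE  : 4.0 Percent
TIMELEFT : 6.5 Minutes
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes
"""


def parse_apcaccess(text):
    """Split 'KEY : value' lines into a dict; values keep their unit words."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only (dates contain more)
        if sep:
            status[key.strip()] = value.strip()
    return status


def number(value):
    """Leading numeric part of a value such as '5 Percent' or '6.5 Minutes'."""
    match = re.match(r"\s*(-?\d+(?:\.\d+)?)", value or "")
    return float(match.group(1)) if match else None


def decision(status):
    """Map a parsed status to: comm-lost, online, on-battery or shutdown."""
    flags = status.get("STATUS", "").split()
    if not flags or "COMMLOST" in flags:
        return "comm-lost"          # no link to the UPS: nothing to decide on
    if "ONBATT" not in flags:
        return "online"
    charge = number(status.get("BCHARGE"))
    left = number(status.get("TIMELEFT"))
    min_charge = number(status.get("MBATTCHG")) or 0.0
    min_left = number(status.get("MINTIMEL")) or 0.0
    if (charge is not None and charge <= min_charge) or \
       (left is not None and left <= min_left):
        return "shutdown"
    return "on-battery"


def assess(text):
    """Convenience wrapper: raw apcaccess text -> decision string."""
    return decision(parse_apcaccess(text))


if __name__ == "__main__":
    for label, sample in (("posted", POSTED), ("on battery, low", ON_BATTERY_LOW)):
        print("%-16s -> %s" % (label, assess(sample)))
```

The wrapper returns "comm-lost" for the posted output and "shutdown" for the low-battery sample; a reading that is on battery but above both thresholds comes back as "on-battery", which is the state in which a poller would keep waiting rather than act.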

5
Cache/Proxy / HAProxy or STunnel for HTTPS proxy?
« on: January 24, 2018, 03:17:40 pm »
Long time pfSense user, short time package user.

I have Blue Iris which runs the webcams in my house and the app has the ability (baked in) to use STunnel locally on the same Windows box for encryption.  The app normally only uses HTTP but this provides a HTTPS proxy to it.  However, from what I can see of STunnel, it's pretty rudimentary.

I hit a thread that said pfSense can do this instead and that sounds like a better idea.  I wasn't sure if STunnel is still the package I want or if HAProxy did some of it.  Ideally it would at least do the same as STunnel on that Windows box, but bonus points if I can wrap a 2nd layer of security around it like a certificate.

Can anyone point me in the right direction?

6
OpenVPN / OpenVPN is choppy
« on: December 20, 2017, 03:29:30 pm »
I know this is going to be an open-ended complaint with little hard data, but...

I set up an OpenVPN server on my home pfSense firewall.  This is replacing a Cisco 1921 router where I previously set up AnyConnect, its distant cousin, to get into my home network.  It was on an ASA 5505 before that.

It seems the VPN experience over OpenVPN is choppy, for lack of a better term.  It's not smooth. VNC & RDP to my home computers are halt and go with micro stutters...just erratic.  It's almost like a bad connection but it's not.  I don't see any obvious problems with my VPN setup but its behavior reminds me of an MSS or MTU fragmentation issue.  I lowered the MTU on my TAP adapter (Windows 7) to 1440 and it doesn't seem to matter.  I might lower it more, but before I spend too much time troubleshooting, is this a common problem?  Is there an easy fix to make the VPN experience smoother?  Perhaps something I can edit in my OpenVPN config file that was generated?  I'm running the latest recommended package of OpenVPN GUI for Windows.

Note that this doesn't happen with any other VPN past or present.  Whether it's AnyConnect, Cisco's older IPSEC VPN Client, L2TP or whatever.

Any advice?

7
General Questions / 2.40 idle cpu usage
« on: October 20, 2017, 06:03:35 am »
When sitting idle on the dashboard with no traffic going through pfSense (or minimal), my CPU usage hovers around 9% as a minimum.  In 2.3.4-p1, it was more like 1%.  If I leave the GUI and only use SSH, it does seem to get better.  I believe the process is php-fpm.

Why the difference between the versions?  Here is a snapshot of TOP, although the CPU usage here doesn't quite match what's shown on the dashboard.  It goes to 99% idle when Dashboard is not running in a browser.  My board is an APU2C4 running over ZFS.  The 2.3.4-p1 was not ZFS of course (if that matters).

[2.4.1-RC][admin@hidden]/root: top
last pid: 80473;  load averages:  0.73,  0.50,  0.27                                       up 0+10:18:02  06:56:23
67 processes:  1 running, 60 sleeping, 6 zombie
CPU:  1.8% user,  0.0% nice,  1.1% system,  0.1% interrupt, 96.9% idle
Mem: 22M Active, 182M Inact, 674M Wired, 18M Buf, 3036M Free
ARC: 284M Total, 75M MFU, 198M MRU, 16K Anon, 1544K Header, 10M Other
     175M Compressed, 360M Uncompressed, 2.06:1 Ratio
Swap: 2048M Total, 2048M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
74976 root          1  52    0   263M 26340K accept  3   0:00   5.48% php-fpm
38737 root          1  20    0 20056K  3196K CPU1    1   0:00   0.22% top
45347 root          1  20    0 37704K  7352K kqread  1   0:00   0.21% nginx
28996 root          5  52    0 13028K  1944K uwait   0   0:08   0.04% dpinger
86484 root          1  20    0 10480K  2556K select  3   0:01   0.03% syslogd
28121 root          5  52    0 10980K  1872K uwait   1   0:08   0.03% dpinger
50559 dhcpd         1  20    0 16652K  8328K select  0   0:09   0.03% dhcpd
28332 root          5  52    0 10980K  1872K uwait   3   0:07   0.03% dpinger
  530 root          1  52    0   261M 18440K kqread  3   0:02   0.02% php-fpm
28614 root          5  52    0 10980K  1872K uwait   2   0:06   0.02% dpinger
84764 root          1  20    0 78836K  7380K select  3   0:01   0.02% sshd
46344 root          1  20    0 24604K 12424K select  2   0:04   0.01% ntpd
54400 root          1  20    0   106M 58524K select  1   0:07   0.01% bsnmpd
 4985 root          1  20    0 39304K  3884K bpf     3   0:03   0.01% bandwidthd
 4370 root          1  20    0 39304K  3888K bpf     0   0:03   0.01% bandwidthd
 3640 root          1  20    0 39304K  4372K bpf     3   0:03   0.01% bandwidthd
 4531 root          1  20    0 39304K  4240K bpf     0   0:03   0.00% bandwidthd
 3992 root          1  20    0 39304K  4368K bpf     2   0:03   0.00% bandwidthd
 4929 root          1  20    0 39304K  4240K bpf     3   0:03   0.00% bandwidthd
 4265 root          1  20    0 39304K  4244K bpf     3   0:03   0.00% bandwidthd
19303 root          1  20    0 12696K  1768K bpf     0   0:02   0.00% filterlog
 4152 root          1  20    0 39304K  4244K bpf     3   0:03   0.00% bandwidthd
39367 unbound       4  20    0 89696K 56972K kqread  2   0:27   0.00% unbound
57470 root          1  52   20 13084K  2424K wait    0   0:23   0.00% sh
18713 root          1  20    0 20348K  4320K select  3   0:01   0.00% openvpn
45346 root          1  20    0 37704K  6996K kqread  2   0:01   0.00% nginx
40360 root          1  20    0  8228K  1668K kqread  2   0:00   0.00% dhcpleases
45849 root          1  20    0 12496K  1864K nanslp  0   0:00   0.00% cron
98284 root          1  20    0 13392K  3372K pause   3   0:00   0.00% tcsh
  560 root          1  20    0  9556K  4712K select  2   0:00   0.00% devd
[2.4.1-RC][admin@hidden]/root:

8
General Questions / Upload partial edited config backup?
« on: October 08, 2017, 10:34:37 am »
Is it possible to edit out a portion of an XML backup config and upload it to a pfSense firewall...and have the missing pieces take the defaults?  I have a config with a bad OpenVPN section and instead of rebuilding all my rules, dhcp and everything from scratch, I was wondering if I could remove that portion and upload the remaining config? Ideally the missing parts would be reconstructed so when I download the backup again, it'll be put back together pristine.

I could try this, but I didn't want to blow up my firewall just yet, so I'm asking here!

9
OpenVPN / Extra OpenVPN interface?
« on: October 04, 2017, 05:30:42 am »
Sorry for what will probably be a n00b question..

I have an APU2C4 board (standard 3 ethernet interfaces, only using 2).  I followed some directions to create an OpenVPN server on pfSense so I can VPN into my home remotely.  It works well, but I notice I have two FW interfaces for it. One is called OVPN (which is what I renamed it) and the other is simply OpenVPN which I believe was created when I did the wizard.  Why both?  Can I get rid of one of them?  And if so, how?  Which is used?

10
OpenVPN / OpenVPN tutorial for simple setup?
« on: October 01, 2017, 06:38:10 pm »
I'm looking for a simple tutorial that will guide me in setting up OpenVPN for client access into my home.  While encryption is good, I don't need anything fancy in regards to distributing client certificates.  In fact, I'd prefer not to have any.  A simple Server cert would be fine so that it works similar to Cisco's AnyConnect client.  Ideally it would be easy enough to set up without a client export so that in a pinch, I could download the OpenVPN client anywhere, set it up and log into my home.

I *DO* like the idea of using a browser-recognizable cert through ACME/LetsEncrypt though.  Anything that makes the client setup as easy and smooth as possible.  I have a DNS name through DYNDNS.org.

Do such instructions exist?

11
General Questions / Better logging with a GUI?
« on: September 20, 2017, 08:30:48 am »
I'd like to see the firewall logs in a better manner similar to CheckPoint or any other firewall product with a searchable GUI.  Because the built-in log view is limited in pfSense, the standard recommendation is to use a syslog server or something better like Splunk.  My question is, why?  If the SSD I have installed in my pfSense box already has all the logs for everything that happens, why log it twice to something outside of the box?

Are there any packages or GUI tools that can utilize the logs already stored on the pfSense firewall instead of resorting to a syslog server?  Ideally the tool would do what all standard firewalls do -- search or filter existing conversations by IP address, destination, source, port, accepts, drops, etc.  Without such a tool, pfSense cannot compete with the big boys IMO.

Edit: I'm currently using the NanoBSD version and will install the regular new 2.40 version on a different box soon.  If the logging/search capabilities are different in NanoBSD, I apologize.

12
2.4 Development Snapshots / ZFS vs UFS and power loss
« on: September 17, 2017, 03:50:43 pm »
Does ZFS offer any better protection against power loss vs UFS on pfSense firewalls?  When power goes out at my house, I have limited capability to gracefully shut down my firewall.  My single running Windows server is my priority.

I'll be upgrading from a NanoBSD version of pfSense to something more modern on an SSD when my APU board comes in, so my experience with either is nil.

13
2.4 Development Snapshots / RAM required for ZFS?
« on: September 08, 2017, 01:06:16 pm »
Some of the smaller hardware options (like APU boards) have either 2GB or 4GB RAM.  They can take an SSD, but the RAM is fixed.  Will that be enough to use ZFS in addition to all the other firewall duties?

14
Captive Portal / Show captive portal page as home page?
« on: September 06, 2017, 02:34:55 am »
Is there an easy way to show the captive portal page I uploaded to my pfSense box as the home page of a web browser?  I'm setting up a couple of kiosk thin clients in an area and when the browser is launched, I'd prefer to point it directly to the page that the users would see should they attempt to go to the Internet anyway...I just want to skip that step!  I'd prefer not to fire up a separate server on the subnet for this.

I couldn't figure out how to easily do it.

i.e. If my pfSense LAN interface is 192.168.1.1, can I make it http://192.168.1.1/etc/where-the-file-sits.html or similar?
That would alleviate the need of worrying about certs or if a user tried an https site first.

15
Hardware / No love for PC Engines anymore?
« on: September 04, 2017, 10:03:32 am »
I rarely see reference to the new PC Engines boards here:
http://www.pcengines.ch/apu3a2.htm

Is there a reason for that?  The ALIX boards were the darling of pfSense for years.  These new ones are (still) small, have 3 Intel NICs, support AES-NI, perfect amount of RAM and plenty fast enough.  Is there a reason why more expensive offerings from Netgate or the official pfSense store are recommended over these?  I noticed Netgate doesn't carry the brand anymore.

I've been out of the pfSense hardware game for a few years, so just curious.
