

Topics - epionier

1
Traffic Monitoring / ntopng v3.0.0 released
« on: June 01, 2017, 11:01:05 am »
Hello,

ntopng v3.0.0 was released today. It would be nice to bring the new version into pfSense in the near future, as there are a lot of useful improvements, like better FreeBSD support:

http://www.ntop.org/ntopng/introducing-ntopng-3-0/



2
Hello,

We are using the latest stable pfSense version plus the squid package. On the local PCs we are using Firefox with the squid caching proxy enabled for non-SSL traffic plus SSL filtering (non-transparent mode) via man-in-the-middle filtering. Everything works fine so far with caching via squid for SSL and non-SSL sites.

We now need a possibility to exclude squid and establish a direct connection between the PC and certain sites / IPs. In short, we need to bypass the caching proxy for certain sites / IPs.
The reason is that on the PC there is a USB smart card reader and a third-party software component (authentication client software for a connection to a certain website).

Explanation:

We have to go to a certain website like https://www.safeconnection.com. If we click "Login" on this site, the site needs to communicate with the software component on the local PC (which in turn connects to the locally attached smart card reader).
If we visit the website now (with squid) we receive an error with a "connection problem" between the website and the software component.
I have to use another browser that is not connected via squid to get it to work.


So how can we bypass the proxy?

I believe I have to use: Package->Proxy Server->General Settings->General->Advanced Features->Custom ACLS (Before Auth) to enter a custom ACL for always_direct: http://www.squid-cache.org/Doc/config/always_direct/

But I am not able to figure out what I have to insert in this box.

a) What exactly do I have to enter there?
b) How do I find the needed sites/IPs/ports to exclude? (edit: should be visible in the "real time" menu of squid)


Maybe someone is much more familiar with this; help is highly appreciated ;D
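
An added example, not from the post or from the pfSense/squid projects: a proxy auto-config (PAC) file that sends the smart-card site straight to the origin and everything else through squid. A PAC file is the client-side way to do what the post asks for, because `always_direct` in squid.conf only decides whether squid fetches from the origin instead of a cache_peer; a request that the browser has already handed to squid is still bumped by it (for the server-side variant, `ssl_bump splice` on the same domain would tunnel the TLS session without decrypting it). The proxy address 10.21.30.1:3128, the bypass domain list and the `localhost` entries below are assumptions for illustration.

```javascript
// Added example: PAC file for Firefox ("Automatic proxy configuration URL").
// Values below are assumptions, not taken from the post:
//   - 10.21.30.1:3128 is the assumed pfSense LAN address and squid port
//   - BYPASS_DOMAINS / BYPASS_HOSTS are the sites that must not go through squid
// Written in ES5 style so it also runs in older PAC engines.
var SQUID = "PROXY 10.21.30.1:3128";
var DIRECT = "DIRECT";

// A leading dot matches the domain itself and every subdomain.
var BYPASS_DOMAINS = [".safeconnection.com"];

// Explicit hosts/IPs that must bypass the proxy (e.g. a local auth component on 127.0.0.1).
var BYPASS_HOSTS = ["localhost", "127.0.0.1"];

// True if host equals domain or is a subdomain of it. Plain suffix matching is not
// enough: "notsafeconnection.com" must not match ".safeconnection.com".
function hostMatchesDomain(host, domain) {
  var bare = domain.charAt(0) === "." ? domain.substring(1) : domain;
  if (host === bare) return true;
  var suffix = "." + bare;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

function isBypassed(host) {
  host = host.toLowerCase();
  // Unqualified names are LAN-internal; never send them through the proxy.
  if (host.indexOf(".") === -1) return true;
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    if (host === BYPASS_HOSTS[i]) return true;
  }
  for (var j = 0; j < BYPASS_DOMAINS.length; j++) {
    if (hostMatchesDomain(host, BYPASS_DOMAINS[j])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) return DIRECT;
  // Fail closed: no "; DIRECT" fallback, so a stopped squid does not silently
  // turn the filtered/cached path into unfiltered direct access.
  return SQUID;
}
```

Serve the file from any web server (or point Firefox at a `file://` path) under Settings -> Network Settings -> Automatic proxy configuration URL; for a handful of hosts the "No proxy for" field does the same job without a PAC file. The deliberate omission of a `; DIRECT` fallback is the security-relevant choice here: with it, every client would quietly bypass the proxy whenever squid is down.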
 

3
Hello,

We are currently using ESXi 6.0 (without SR-IOV) and want to change to the standalone Hyper-V hypervisor when Server 2016 is released.

I read a lot about pfSense under Hyper-V, but with respect to SR-IOV some questions remain. We could not use this feature under ESXi 6.0 because the igb driver for the network adapter (Intel i350-T4) does not support SR-IOV.

In pfSense under Hyper-V I will use two non-legacy "NICs" of an Intel i350-T4, one bound to an external "WAN" vSwitch and one to an external "LAN" vSwitch. Management will be excluded from these vSwitches.

Upon creation of the vSwitches the decision has to be made whether to use SR-IOV or not. So does the current pfSense version support SR-IOV?
According to Intel: http://www.intel.com/content/www/us/en/support/network-and-i-o/ethernet-products/000005722.html
FreeBSD is not listed as a supported Guest OS but there are virtual function drivers for FreeBSD (?)

If it is supported is there any configuration needed under pfSense settings?

If it is not supported are there any problems connecting pfSense to a vSwitch with SR-IOV activated (for other Windows Guests)?
Edit: This is resolved because I just saw that SR-IOV has not only to be activated on the vSwitch but also in the network adapter in the VM.

Some help from experienced Hyper-V users would be kindly appreciated.

4
Hello,

I noticed that under Feature #4044, listed for the upcoming version 2.4:

https://redmine.pfsense.org/issues/4044

there will be support for Gen 2 virtual machines under Hyper-V. According to Chris Buechler this is resolved now so I wonder if this will maybe find its way already in version 2.3.2 or 2.3.3?

We are moving from ESXi to Hyper-V soon and Gen 2 support would be great, especially in regard to the network adapters (I know that I don't have to use legacy network adapters anymore).

Perhaps this is just a small fix that does not depend on a later FreeBSD version, so it could be implemented earlier, because 2.4 is so far away ;D


5
IDS/IPS / Snort process runs crazy when WAN IP (PPPoE) reconnects
« on: June 06, 2016, 06:21:46 pm »
Hello,

Unfortunately I am having a problem with Snort and I cannot find a solution.

I posted my problem in "General Questions" first, but I could nail it down to misbehavior of the snort process, which is why I am asking in this section again, in case anyone has the same problem - or better, the solution - because it drives me crazy. Here is more information on my problem: https://forum.pfsense.org/index.php?topic=111883.0

I am running pfSense 2.3.1_1 on ESXi 6.0 as a VM (v11), 1 vCPU (Xeon L5640) and 2 NICs (VMXNET3).

The ESXi vSwitch for the WAN port is set to allow promiscuous mode.

SNORT is activated for WAN port.

Every night when PPPoE reconnects at 0:10 my snort process goes crazy, so that CPU usage is 100%. pfSense is still working (IPSec and Squid, for example) but I am unable to log in via the web interface or console/SSH, and the CPU remains at 100% for hours. On the console I only see the line:
"*** Welcome to pfSense 2.3.1-RELEASE-p1 (amd64 full-install) on firewall ***" and nothing more (like the selection), so mostly I am unable to access the shell to kill the snort process.

I tried to enable/disable TSO+LRO+device polling under "Advanced Networking" in all kind of combinations (with reboot) but the problem remains.

I also changed the NIC for WAN to an Intel i350 NIC but the problem remains.

I have to reboot pfSense to get it working properly again until the next WAN reconnect or - when I was already in the shell via console - I can solve the problem temporarily by killing the snort process (kill -9 Snort_PID), and CPU usage immediately goes down to 0% again.

Pattern match is AC-BNFA and Barnyard2 is disabled. RAM is more than sufficient.
I can post more information about configuration/etc. when needed.

I also tried to uninstall SNORT (including configuration) and reinstalled it freshly but the problem remains.
(Also not all configuration is deleted this way, e.g. the Oinkmaster code for Snort VRT rules is still listed in the text field after the fresh reinstall.)

Does anyone have a clue how to fix this?






6
IPsec / IPSec - Mobile Clients - wrong subnet bug?
« on: June 03, 2016, 02:23:07 pm »
Hello,

I am using IPSec IKEv2 MSCHAPv2 on pfSense 2.3.1_1 and everything is working fine. I am just wondering about the subnet that is used. In the "mobile clients" section I set "provide a virtual IP to clients" and set it to 10.21.32.0 in the text field and 24 in the selection. So usually a mobile client should receive a 10.21.32.0/24 IP/subnet.

When I check Status->IPSec with one client connected it says in the lower "show child entries" that the IP/subnet of the connected client is 10.21.32.1/32

Why is there a 32 subnet instead of a 24 subnet?

7
General Questions / 100% CPU problem with pfSense 2.3
« on: May 15, 2016, 06:21:50 am »
Hello,

I am using pfSense 2.3 in an ESXi VM configured with a single core and enough RAM (4GB). Everything is working fine, but from time to time I suddenly have 100% CPU without end. I can see in the ESXi manager that the CPU for the pfSense VM is at 100% for hours (at night, e.g.) and does not go down anymore.

When the CPU is at 100% I cannot access the webconfigurator anymore, and when I SSH to the machine it displays only the first welcome line but nothing more (like the selection). Same on the console. But IPSec, for example, or squid is still working; I am just unable to access pfSense for configuration, etc. The only way to solve that is rebooting the machine, which takes a while. Afterwards sometimes the CPU hits 100% immediately again and sometimes not.

Sometimes when I was quick after the reboot I restarted the webconfigurator and PHP on the console/ssh and then it seems to be stable (for some time).

The system logs in the webconfigurator shows no errors or something like that. Also not on the Dashboard.

How do I find out what's causing this? Because when I have 100% CPU I cannot SSH to the machine to check "top -aSH" to find the faulty process.

Last night I assume the problem occurred after the PPPoE renewal, because afterwards it did not show any snort entries anymore.

Here is the log for last night: (newest on top, some information XXXed):

Quote
May 15 12:15:34   shutdown      reboot by root:
May 15 12:09:02   sshd   65760   Accepted keyboard-interactive/pam for admin from 10.21.32.1 port 53297 ssh2
May 15 12:07:58   php-fpm   17736   /index.php: Successful login for user 'admin' from: 10.21.32.1
May 15 03:31:35   kernel      pppoe0: promiscuous mode enabled
May 15 03:30:49   xinetd   11808   Reconfigured: new=0 old=1 dropped=0 (services)
May 15 03:30:49   xinetd   11808   readjusting service 6969-udp
May 15 03:30:49   xinetd   11808   Swapping defaults
May 15 03:30:49   xinetd   11808   Starting reconfiguration
May 15 03:30:48   SnortStartup   34071   Snort START for WAN(61399_pppoe0)...
May 15 03:30:48   php-fpm   65608   /rc.start_packages: [lightsquid] Updating cronjobs...
May 15 03:30:48   check_reload_status      Syncing firewall
May 15 03:30:47   check_reload_status      Syncing firewall
May 15 03:30:47   php-fpm   65608   /rc.start_packages: [lightsquid] Removing old cronjobs...
May 15 03:30:47   php-fpm   65608   /rc.start_packages: [lightsquid] Successfully created '/usr/local/etc/lightsquid/lightsquid.cfg' configuration file.
May 15 03:30:47   php-fpm   65608   /rc.start_packages: [lightsquid] Loaded default '/usr/local/etc/lightsquid/lightsquid.cfg.sample' configuration file.
May 15 03:30:47   check_reload_status      Reloading filter
May 15 03:30:46   php-fpm   65608   /rc.start_packages: [squid] Starting a proxy monitor script
May 15 03:30:46   php-fpm   65608   /rc.start_packages: [squid] Reloading for configuration sync...
May 15 03:30:45   php-fpm   65608   /rc.start_packages: [squid] Stopping any running proxy monitors
May 15 03:30:45   php-fpm   65608   /rc.start_packages: [squid] Reloading C-ICAP...
May 15 03:30:45   php-fpm   65608   /rc.start_packages: [squid] Reloading ClamAV...
May 15 03:30:45   php-fpm   65608   /rc.start_packages: Checked cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf, no change needed
May 15 03:30:45   php-fpm   65608   /rc.start_packages: [squid] Adding freshclam cronjob.
May 15 03:30:45   php-fpm   65608   /rc.start_packages: Checked cron job for /usr/local/pkg/swapstate_check.php, no change needed
May 15 03:30:45   php-fpm   65608   /rc.start_packages: Checked cron job for /usr/local/sbin/squid -k rotate -f /usr/local/etc/squid/squid.conf, no change needed
May 15 03:30:45   php-fpm   65608   /rc.start_packages: [squid] Adding cronjobs ...
May 15 03:30:33   xinetd   11808   Reconfigured: new=0 old=1 dropped=0 (services)
May 15 03:30:33   xinetd   11808   readjusting service 6969-udp
May 15 03:30:33   xinetd   11808   Swapping defaults
May 15 03:30:33   xinetd   11808   Starting reconfiguration
May 15 03:30:32   php-fpm   65608   /rc.start_packages: [squid] - squid_resync function call pr:1 bp: rpc:no
May 15 03:30:32   check_reload_status      Reloading filter
May 15 03:30:31   php-fpm   65608   /rc.start_packages: [squid] Starting a proxy monitor script
May 15 03:30:31   php-fpm   65608   /rc.start_packages: [squid] Reloading for configuration sync...
May 15 03:30:29   php-fpm   65608   /rc.start_packages: [squid] Stopping any running proxy monitors
May 15 03:30:28   php-fpm   65608   /rc.start_packages: [squid] Reloading C-ICAP...
May 15 03:30:28   php-fpm   65608   /rc.start_packages: [squid] Reloading ClamAV...
May 15 03:30:28   php-fpm   65608   /rc.start_packages: Checked cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf, no change needed
May 15 03:30:28   php-fpm   65608   /rc.start_packages: [squid] Adding freshclam cronjob.
May 15 03:30:28   php-fpm   65608   /rc.start_packages: Checked cron job for /usr/local/pkg/swapstate_check.php, no change needed
May 15 03:30:28   php-fpm   65608   /rc.start_packages: Checked cron job for /usr/local/sbin/squid -k rotate -f /usr/local/etc/squid/squid.conf, no change needed
May 15 03:30:28   php-fpm   65608   /rc.start_packages: [squid] Adding cronjobs ...
May 15 03:30:16   php-fpm   65608   /rc.start_packages: [squid] - squid_resync function call pr:1 bp: rpc:no
May 15 03:30:16   php-fpm   97269   /rc.start_packages: Skipping STARTing packages process because previous/another instance is already running
May 15 03:30:16   php-fpm   65608   /rc.start_packages: Restarting/Starting all packages.
May 15 03:30:15   check_reload_status      Starting packages
May 15 03:30:15   php-fpm   60012   /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 217.248.XXX.XXX -> 93.208.XXX.XXX - Restarting packages.
May 15 03:30:15   xinetd   11808   Reconfigured: new=0 old=1 dropped=0 (services)
May 15 03:30:15   xinetd   11808   readjusting service 6969-udp
May 15 03:30:15   xinetd   11808   Swapping defaults
May 15 03:30:15   xinetd   11808   Starting reconfiguration
May 15 03:30:15   check_reload_status      Starting packages
May 15 03:30:15   php-fpm   65608   /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 10.21.31.1 - Restarting packages.
May 15 03:30:15   check_reload_status      Reloading filter
May 15 03:30:15   php-fpm   65608   /rc.newwanip: rc.newwanip: on (IP address: 10.21.31.1) (interface: []) (real interface: ovpns1).
May 15 03:30:15   php-fpm   65608   /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
May 15 03:30:14   xinetd   11808   Reconfigured: new=0 old=1 dropped=0 (services)
May 15 03:30:14   xinetd   11808   readjusting service 6969-udp
May 15 03:30:14   xinetd   11808   Swapping defaults
May 15 03:30:14   xinetd   11808   Starting reconfiguration
May 15 03:30:13   check_reload_status      rc.newwanip starting ovpns1
May 15 03:30:12   kernel      ovpns1: link state changed to UP
May 15 03:30:12   php-fpm   60012   /rc.newwanip: Creating rrd update script
May 15 03:30:12   check_reload_status      Reloading filter
May 15 03:30:12   kernel      ovpns1: link state changed to DOWN
May 15 03:30:12   php-fpm   60012   /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
May 15 03:30:12   check_reload_status      Reloading filter
May 15 03:30:12   php-fpm   60012   /rc.newwanip: Forcefully reloading IPsec
May 15 03:30:11   php-fpm   60012   /rc.newwanip: phpDynDNS (): (Success) IP Address Updated Successfully!
May 15 03:30:11   php-fpm   60012   /rc.newwanip: phpDynDNS: updating cache file /conf/dyndns_wancustom''0.cache: 93.208.XXX.XXX
May 15 03:30:11   php-fpm   60012   /rc.newwanip: Message sent to XXX@XXX.de OK
May 15 03:30:07   php-fpm   60012   /rc.newwanip: Removing static route for monitor 217.237.XXX.XXX and adding a new route through 87.186.XXX.XXX
May 15 03:30:07   php-fpm   60012   /rc.newwanip: ROUTING: setting default route to 87.186.XXX.XXX
May 15 03:30:07   xinetd   11808   Reconfigured: new=0 old=1 dropped=0 (services)
May 15 03:30:07   xinetd   11808   readjusting service 6969-udp
May 15 03:30:07   xinetd   11808   Swapping defaults
May 15 03:30:07   xinetd   11808   Starting reconfiguration
May 15 03:30:06   php-fpm   60012   /rc.newwanip: IP has changed, killing states on former IP 217.248.XXX.XXX.
May 15 03:30:06   php-fpm   60012   /rc.newwanip: rc.newwanip: on (IP address: 93.208.XXX.XXX) (interface: WAN[wan]) (real interface: pppoe0).
May 15 03:30:06   php-fpm   60012   /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
May 15 03:30:05   ppp      [wan] IFACE: Rename interface ng0 to pppoe0
May 15 03:30:05   ppp      [wan] IFACE: Up event
May 15 03:30:05   check_reload_status      rc.newwanip starting pppoe0
May 15 03:30:04   check_reload_status      Rewriting resolv.conf
May 15 03:30:04   ppp      [wan] 93.208.XXX.XXX -> 87.186.XXX.XXX
May 15 03:30:04   ppp      [wan] IPCP: LayerUp
May 15 03:30:04   ppp      [wan] IPCP: state change Ack-Sent --> Opened
May 15 03:30:04   ppp      [wan] SECDNS 217.237.151.142
May 15 03:30:04   ppp      [wan] PRIDNS 217.237.150.188
May 15 03:30:04   ppp      [wan] IPADDR 93.208.XXX.XXX
May 15 03:30:04   ppp      [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)
May 15 03:30:04   ppp      [wan] SECDNS 217.237.151.142
May 15 03:30:04   ppp      [wan] PRIDNS 217.237.150.188
May 15 03:30:04   ppp      [wan] IPADDR 93.208.XXX.XXX
May 15 03:30:04   ppp      [wan] IPCP: SendConfigReq #3
May 15 03:30:04   ppp      [wan] SECDNS 217.237.151.142
May 15 03:30:04   ppp      [wan] PRIDNS 217.237.150.188
May 15 03:30:04   ppp      [wan] 93.208.XXX.XXX is OK
May 15 03:30:04   ppp      [wan] IPADDR 93.208.XXX.XXX
May 15 03:30:04   ppp      [wan] IPCP: rec'd Configure Nak #2 (Ack-Sent)
May 15 03:30:04   ppp      [wan] IPV6CP: LayerFinish
May 15 03:30:04   ppp      [wan] IPV6CP: state change Req-Sent --> Stopped
May 15 03:30:04   ppp      [wan] IPV6CP: protocol was rejected by peer
May 15 03:30:04   ppp      [wan_link0] LCP: protocol IPV6CP was rejected
May 15 03:30:04   ppp      [wan_link0] LCP: rec'd Protocol Reject #74 (Opened)
May 15 03:30:04   ppp      [wan] SECDNS 0.0.0.0
May 15 03:30:04   ppp      [wan] PRIDNS 0.0.0.0
May 15 03:30:04   ppp      [wan] IPADDR 0.0.0.0
May 15 03:30:04   ppp      [wan] IPCP: SendConfigReq #2
May 15 03:30:04   ppp      [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
May 15 03:30:04   ppp      [wan] IPCP: rec'd Configure Reject #1 (Ack-Sent)
May 15 03:30:04   ppp      [wan] IPCP: state change Req-Sent --> Ack-Sent
May 15 03:30:04   ppp      [wan] IPADDR 87.186.XXX.XXX
May 15 03:30:04   ppp      [wan] IPCP: SendConfigAck #28
May 15 03:30:04   ppp      [wan] 87.186.XXX.XXX is OK
May 15 03:30:04   ppp      [wan] IPADDR 87.186.XXX.XXX
May 15 03:30:04   ppp      [wan] IPCP: rec'd Configure Request #28 (Req-Sent)
May 15 03:30:04   ppp      [wan] IPV6CP: SendConfigReq #1
May 15 03:30:04   ppp      [wan] IPV6CP: state change Starting --> Req-Sent
May 15 03:30:04   ppp      [wan] IPV6CP: Up event
May 15 03:30:04   ppp      [wan] SECDNS 0.0.0.0
May 15 03:30:04   ppp      [wan] PRIDNS 0.0.0.0
May 15 03:30:04   ppp      [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
May 15 03:30:04   ppp      [wan] IPADDR 0.0.0.0
May 15 03:30:04   ppp      [wan] IPCP: SendConfigReq #1
May 15 03:30:04   ppp      [wan] IPCP: state change Starting --> Req-Sent
May 15 03:30:04   ppp      [wan] IPCP: Up event
May 15 03:30:04   ppp      [wan] IPV6CP: LayerStart
May 15 03:30:04   ppp      [wan] IPV6CP: state change Initial --> Starting
May 15 03:30:04   ppp      [wan] IPV6CP: Open event
May 15 03:30:04   ppp      [wan] IPCP: LayerStart
May 15 03:30:04   ppp      [wan] IPCP: state change Initial --> Starting
May 15 03:30:04   ppp      [wan] IPCP: Open event
May 15 03:30:04   ppp      [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
May 15 03:30:04   ppp      [wan_link0] Link: Join bundle "wan"
May 15 03:30:04   ppp      [wan_link0] Link: Matched action 'bundle "wan" ""'
May 15 03:30:04   ppp      [wan_link0] LCP: authorization successful
May 15 03:30:04   ppp      [wan_link0] PAP: rec'd ACK #1 len: 5
May 15 03:30:04   ppp      [wan_link0] LCP: LayerUp
May 15 03:30:04   ppp      [wan_link0] PAP: sending REQUEST #1 len: 60
May 15 03:30:04   ppp      [wan_link0] PAP: using authname "XXXXXXXXX@t-online-com.de"
May 15 03:30:04   ppp      [wan_link0] LCP: auth: peer wants PAP, I want nothing
May 15 03:30:04   ppp      [wan_link0] LCP: state change Ack-Sent --> Opened
May 15 03:30:04   ppp      [wan_link0] MAGICNUM 0xeb21b71a
May 15 03:30:04   ppp      [wan_link0] MRU 1492
May 15 03:30:04   ppp      [wan_link0] LCP: rec'd Configure Ack #2 (Ack-Sent)
May 15 03:30:04   ppp      [wan_link0] MAGICNUM 0xeb21b71a
May 15 03:30:04   ppp      [wan_link0] MRU 1492
May 15 03:30:04   ppp      [wan_link0] LCP: SendConfigReq #2
May 15 03:30:04   ppp      [wan_link0] PROTOCOMP
May 15 03:30:04   ppp      [wan_link0] LCP: rec'd Configure Reject #1 (Ack-Sent)
May 15 03:30:04   ppp      [wan_link0] LCP: state change Req-Sent --> Ack-Sent
May 15 03:30:04   ppp      [wan_link0] MAGICNUM 0x4b0a8b6e
May 15 03:30:04   ppp      [wan_link0] AUTHPROTO PAP
May 15 03:30:04   ppp      [wan_link0] MRU 1492
May 15 03:30:04   ppp      [wan_link0] LCP: SendConfigAck #73
May 15 03:30:04   ppp      [wan_link0] MAGICNUM 0x4b0a8b6e
May 15 03:30:04   ppp      [wan_link0] AUTHPROTO PAP
May 15 03:30:04   ppp      [wan_link0] MRU 1492
May 15 03:30:04   ppp      [wan_link0] LCP: rec'd Configure Request #73 (Req-Sent)
May 15 03:30:04   ppp      [wan_link0] MAGICNUM 0xeb21b71a
May 15 03:30:04   ppp      [wan_link0] MRU 1492
May 15 03:30:04   ppp      [wan_link0] PROTOCOMP
May 15 03:30:04   ppp      [wan_link0] LCP: SendConfigReq #1
May 15 03:30:04   ppp      [wan_link0] LCP: state change Starting --> Req-Sent
May 15 03:30:04   ppp      [wan_link0] LCP: Up event
May 15 03:30:04   ppp      [wan_link0] Link: UP event
May 15 03:30:04   ppp      [wan_link0] PPPoE: connection successful
May 15 03:30:04   ppp      PPPoE: rec'd ACNAME "XXXR73-se800-B222E170705301"
May 15 03:30:04   ppp      [wan_link0] PPPoE: Connecting to ''
May 15 03:30:04   ppp      [wan_link0] LCP: LayerStart
May 15 03:30:04   ppp      [wan_link0] LCP: state change Initial --> Starting
May 15 03:30:04   ppp      [wan_link0] LCP: Open event
May 15 03:30:04   kernel      ng0: changing name to 'pppoe0'
May 15 03:30:04   ppp      [wan_link0] Link: OPEN event
May 15 03:30:04   ppp      [wan] Bundle: Interface ng0 created
May 15 03:30:04   ppp      web: web is not running
May 15 03:30:03   ppp      process 19511 terminated
May 15 03:30:03   ppp      [wan_link0] Link: Shutdown
May 15 03:30:03   kernel      pppoe0: promiscuous mode disabled
May 15 03:30:03   ppp      [wan] Bundle: Shutdown
May 15 03:30:03   ppp      [wan_link0] LCP: LayerFinish
May 15 03:30:03   ppp      [wan_link0] LCP: state change Stopping --> Stopped
May 15 03:30:03   ppp      waiting for process 19511 to die...
May 15 03:30:02   ppp      waiting for process 19511 to die...
May 15 03:30:01   ppp      [wan_link0] LCP: LayerDown
May 15 03:30:01   ppp      [wan_link0] LCP: SendTerminateAck #3
May 15 03:30:01   ppp      [wan] IPV6CP: state change Closed --> Initial
May 15 03:30:01   ppp      [wan] IPV6CP: Down event
May 15 03:30:01   ppp      [wan] IPCP: state change Closing --> Initial
May 15 03:30:01   ppp      [wan] Bundle: No NCPs left. Closing links...
May 15 03:30:01   ppp      [wan] IPCP: LayerFinish
May 15 03:30:01   ppp      [wan] IPCP: Down event
May 15 03:30:01   ppp      [wan] IPV6CP: Close event
May 15 03:30:01   ppp      [wan] IPCP: Close event
May 15 03:30:01   ppp      [wan] Bundle: Status update: up 0 links, total bandwidth 9600 bps
May 15 03:30:01   ppp      [wan_link0] Link: Leave bundle "wan"
May 15 03:30:01   ppp      [wan_link0] LCP: state change Opened --> Stopping
May 15 03:30:01   ppp      [wan_link0] LCP: rec'd Terminate Request #180 (Opened)
May 15 03:30:01   ppp      [wan] IPV6CP: state change Stopped --> Closed
May 15 03:30:01   ppp      [wan] IPV6CP: Close event
May 15 03:30:01   ppp      [wan] IFACE: Rename interface pppoe0 to pppoe0
May 15 03:30:01   ppp      [wan] IFACE: Down event
May 15 03:30:01   ppp      [wan] IFACE: Removing IPv4 address from pppoe0 failed(IGNORING for now. This should be only for PPPoE friendly!): Can't assign requested address
May 15 03:30:01   check_reload_status      Rewriting resolv.conf
May 15 03:30:01   ppp      [wan] IPCP: LayerDown
May 15 03:30:01   ppp      [wan] IPCP: SendTerminateReq #4
May 15 03:30:01   ppp      [wan] IPCP: state change Opened --> Closing
May 15 03:30:01   ppp      [wan] IPCP: Close event
May 15 03:30:01   ppp      [wan] IFACE: Close event
May 15 03:30:01   ppp      caught fatal signal TERM
May 15 03:30:01   ppp      waiting for process 19511 to die...
May 15 03:30:01   ppp      process 57918 started, version 5.8 (root@pfSense_v2_3_0_amd64-pfSense_v2_3_0-job-14 22:52 6-Apr-2016)
May 15 03:30:01   ppp      Multi-link PPP daemon for FreeBSD
May 15 03:30:00   check_reload_status      Configuring interface wan
May 15 03:30:00   pppoe0      PPPoE periodic reset executed on wan
May 15 03:24:32   snort   16007   [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 62.138.0.118:5277 -> 217.248.XXX.XXX:5060
May 15 03:24:32   snort   16007   [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 62.138.0.118:5277 -> 217.248.XXX.XXX:5060
May 15 03:19:21   snort   16007   [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 85.114.135.163:5084 -> 217.248.XXX.XXX:5060
May 15 03:19:21   snort   16007   [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 85.114.135.163:5084 -> 217.248.XXX.XXX:5060

8
IDS/IPS / Snort WAN Rules - Recommendation?
« on: May 14, 2016, 03:23:13 pm »
Hello,

I am quite new to IDS with Snort but I have it configured for WAN and enabled promiscuous mode for the WAN port.

I enabled in general the rules:

Snort VRT Rules
Snort GPLv2 Community Rules
Emerging Threats Open Rules
Snort OpenAppID Detectors

under "WAN Categories" I enabled the "Use IPS Policy" under "Snort VRT IPS Policy Selection" and set it to balanced.
So far I do not have many "false positives", but I wonder if this selection is safe enough, because with "Use IPS Policy" all "Snort Text Rules" and "Snort SO Rules" are greyed out, so I assume they are disabled (that's what the description of "Use IPS Policy" says, too).

I tried to disable the "Use IPS Policy" and checked ALL rules that pfSense offered me but this led to a lot of false positives so I reverted the option.

My questions:

1. Is it safe enough to just use the free "ET Open Rules" according to IPS policy?

2. If not, which of the "Snort Text Rules" and "Snort SO Rules" are recommended?

3. Are some of the rules the same (or almost)? Because there is e.g. a DNS Ruleset in every category of rules

Perhaps some experienced snort user can help me out to find peace in the nights ;D

9
Cache/Proxy / ClamAV -> Squid HTTPS/SSL Traffic ?
« on: May 10, 2016, 07:34:10 am »
Hello,

I run Squid with ClamAV enabled on pfSense 2.3. I assume that HTTPS/SSL traffic content is not scanned with ClamAV due to the system of encryption.

But I cannot find an answer as to whether HTTPS/SSL traffic is checked with ClamAV when the option "SSL Man In the Middle Filtering" is enabled. Theoretically it should now be possible to scan the content before encrypting it to the client again, but is this really the case or just my guess?

10
Hello,

I have an improvement proposal. When using IPSec with IKEv2 EAP-MSCHAPv2, a user needs an EAP key for authentication.
In System->User Manager there is only the possibility to save a PSK key, which can't be used with EAP-MSCHAPv2. So in VPN->IPSec->Pre-Shared Keys there must be a separate item with an EAP key for already existing users.
It would be nice if there would be a possibility to save an EAP key, too.

By the way, I love the new 2.3 pfSense version and it is really a great improvement compared to 2.2.6 version! Great work!

11
IPsec / IPSec problem with pfSense 2.3 - DPD path probing fails
« on: April 14, 2016, 03:45:22 pm »
Hello,

I am using an IPSec IKEv2 connection on pfSense. The IPSec configuration is fine and worked with 2.2.6 without problems.
After the installation of 2.3 version the IPSec clients still connect to pfSense and I can connect to certain IPs in the pfSense Network.
But after a minute or so all of a sudden I am unable to make a connection to the remote IPs anymore.
It still displays an active connection in the client, but it seems that it is not alive anymore. When I disconnect and reconnect, everything works again for a couple of minutes. The problem exists whether I connect with OS X 10.11, iPhone (both with the built-in client) or Android (strongSwan client).
An OpenVPN connection works flawlessly.

I think the problem is due to DPD (Dead peer connection). I do not understand why the DPD is established via the LAN ( .7 ) and not the WAN ( .8 )? Because there only exists a WAN firewall rule to allow incoming connections via port 4500. LAN (out) should work to any IP with this rule:

IPv4 *   LAN net   *   *   *   *   none       Default allow LAN to any rule      
IPv6 *   LAN net   *   *   *   *   none       Default allow LAN IPv6 to any rule

NAT Outbound is manual.      

This is what my log says (IPs modified with xx):

Code:
Apr 14 22:28:35 charon 12[IKE] <con1|15> giving up after 10 path probings
Apr 14 22:28:33 charon 12[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:33 charon 12[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:33 charon 12[IKE] <con1|15> path probing attempt 10
Apr 14 22:28:30 charon 12[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:30 charon 12[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:30 charon 12[IKE] <con1|15> path probing attempt 9
Apr 14 22:28:28 charon 12[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:28 charon 12[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:28 charon 12[IKE] <con1|15> path probing attempt 8
Apr 14 22:28:25 charon 12[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:25 charon 12[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:25 charon 12[IKE] <con1|15> path probing attempt 7
Apr 14 22:28:23 charon 12[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:23 charon 12[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:23 charon 12[IKE] <con1|15> path probing attempt 6
Apr 14 22:28:20 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:20 charon 05[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:20 charon 05[IKE] <con1|15> path probing attempt 5
Apr 14 22:28:18 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:18 charon 05[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:18 charon 05[IKE] <con1|15> path probing attempt 4
Apr 14 22:28:15 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:15 charon 05[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:15 charon 05[IKE] <con1|15> path probing attempt 3
Apr 14 22:28:13 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:13 charon 05[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:13 charon 05[IKE] <con1|15> path probing attempt 2
Apr 14 22:28:10 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:10 charon 05[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:10 charon 05[IKE] <con1|15> path probing attempt 1
Apr 14 22:28:07 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:07 charon 05[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:07 charon 05[ENC] <con1|15> generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Apr 14 22:28:07 charon 05[IKE] <con1|15> sending DPD request
Apr 14 22:28:07 charon 15[IKE] <con1|15> sending keep alive to xx.227.10.33[4500]
Apr 14 22:26:58 charon 14[NET] <con1|15> sending packet: from 10.21.30.8[4500] to xx.227.10.33[4500] (288 bytes)
Apr 14 22:26:58 charon 14[ENC] <con1|15> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS SUBNET) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Apr 14 22:26:58 charon 14[IKE] <con1|15> CHILD_SA con1{16} established with SPIs cd2368e0_i 0f88b971_o and TS 10.21.30.0/24|/0 === 10.21.32.1/32|/0

Any ideas?
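
The charon lines above are the only record of what happened, and the interesting facts are spread over dozens of near-identical lines. As an added example (not code from pfSense, strongSwan or the poster), here is a small Python parser for this log format that groups lines by IKE SA, records the local source address used for outbound packets, and counts MOBIKE path-probing attempts that follow a DPD request without any inbound packet. Run over the posted lines it shows two things worth checking: the peer stays silent through all seven probes, and the local address used within the same SA changes from 10.21.30.8 (the IKE_AUTH response) to 10.21.30.7 (the DPD and probe packets). The regexes, the probe threshold and the field names are my assumptions; the sample log embedded in the block is a constructed subset of the lines posted above, kept in the newest-first order the pfSense GUI shows.

```python
"""Summarise strongSwan charon log lines (pfSense IPsec log format) per IKE SA.

Added example for this thread; not part of pfSense or strongSwan. Field
names, regexes and the probe threshold are assumptions made for this example.
"""
import re
from datetime import datetime

# "<Mon> <day> <hh:mm:ss> charon <thread>[<subsystem>] <<conn>|<id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<sub>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<id>\d+)> (?P<msg>.*)$"
)
PKT_RE = re.compile(
    r"(?P<dir>sending|received) packet: from (?P<src>\S+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>\S+)\[(?P<dport>\d+)\]"
)
PROBE_RE = re.compile(r"path probing attempt (?P<n>\d+)")

# Constructed sample: a subset of the lines posted above, newest first.
SAMPLE_LOG = """\
Apr 14 22:28:25 charon 12[IKE] <con1|15> path probing attempt 7
Apr 14 22:28:23 charon 12[IKE] <con1|15> path probing attempt 6
Apr 14 22:28:15 charon 05[IKE] <con1|15> path probing attempt 3
Apr 14 22:28:13 charon 05[IKE] <con1|15> path probing attempt 2
Apr 14 22:28:10 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:10 charon 05[IKE] <con1|15> path probing attempt 1
Apr 14 22:28:07 charon 05[NET] <con1|15> sending packet: from 10.21.30.7[4500] to xx.227.10.33[4500] (128 bytes)
Apr 14 22:28:07 charon 05[IKE] <con1|15> checking path 10.21.30.7[4500] - xx.227.10.33[4500]
Apr 14 22:28:07 charon 05[ENC] <con1|15> generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Apr 14 22:28:07 charon 05[IKE] <con1|15> sending DPD request
Apr 14 22:28:07 charon 15[IKE] <con1|15> sending keep alive to xx.227.10.33[4500]
Apr 14 22:26:58 charon 14[NET] <con1|15> sending packet: from 10.21.30.8[4500] to xx.227.10.33[4500] (288 bytes)
Apr 14 22:26:58 charon 14[IKE] <con1|15> CHILD_SA con1{16} established with SPIs cd2368e0_i 0f88b971_o and TS 10.21.30.0/24|/0 === 10.21.32.1/32|/0
"""


def parse_line(line):
    """Return a dict for one charon line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The pfSense log carries no year; the parsed time is used for ordering only.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["sa"] = f"{rec['conn']}|{rec['id']}"
    return rec


def summarize(lines):
    """Group parsed lines by IKE SA and collect the facts worth checking.

    Returns {sa: {"local_addrs": [...first-seen order...], "dpd_requests": int,
                  "probe_attempts": int, "received_after_dpd": int, "child_sas": int}}.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["time"])  # analyse in chronological order
    summary = {}
    for r in records:
        s = summary.setdefault(r["sa"], {
            "local_addrs": [], "dpd_requests": 0, "probe_attempts": 0,
            "received_after_dpd": 0, "child_sas": 0,
        })
        msg = r["msg"]
        pkt = PKT_RE.search(msg)
        probe = PROBE_RE.search(msg)
        if pkt:
            if pkt["dir"] == "sending":
                if pkt["src"] not in s["local_addrs"]:
                    s["local_addrs"].append(pkt["src"])
            elif s["dpd_requests"]:
                s["received_after_dpd"] += 1  # the peer did answer after the DPD
        elif msg.startswith("sending DPD request"):
            s["dpd_requests"] += 1
        elif probe:
            s["probe_attempts"] = max(s["probe_attempts"], int(probe["n"]))
        elif "CHILD_SA" in msg and "established" in msg:
            s["child_sas"] += 1
    return summary


def findings(summary, probe_threshold=3):
    """Turn the per-SA summary into a list of (sa, finding) tuples."""
    out = []
    for sa, s in summary.items():
        if len(s["local_addrs"]) > 1:
            out.append((sa, "local source address changed: " + " -> ".join(s["local_addrs"])))
        if s["dpd_requests"] and s["probe_attempts"] >= probe_threshold and not s["received_after_dpd"]:
            out.append((sa, f"peer silent after DPD: {s['probe_attempts']} path probing attempts, no reply"))
    return out


if __name__ == "__main__":
    for sa, text in findings(summarize(SAMPLE_LOG.splitlines())):
        print(f"{sa}: {text}")
```

Feed it the whole IPsec log instead of the sample (for example by reading `/var/log/ipsec.log` on the firewall, or pasting the GUI output into a file) to get one line per SA that shows a source-address change or an unanswered DPD.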

12
Cache/Proxy / Lightsquid on pfSense 2.3 - Error with report folder?
« on: April 13, 2016, 02:12:19 pm »
Hello,

I just updated pfSense to version 2.3 and everything went fine. I had to wipe the local cache of Squid to get squid working properly again.

On version 2.2.6 I used SARG to create Squid reports. With version 2.3 the package is removed and as far as I understand Lightsquid has now taken over this job. That is why I installed lightsquid. I made the configuration on Status->Squid Proxy Reports according to the "necessary steps after install".

Afterwards I made a "refresh" and a "refresh full", but every time I click on "Open Lightsquid" it connects to the Lightsquid page and displays the following error:

Quote
LigthSquid diagnostic.
Error : report folder '/var/lightsquid/report' not contain any valid data! Please run lightparser.pl (and check 'report' folder content)
Please check config file !

Variable   value
$tplpatph   /usr/local/www/lightsquid/tpl
$templatename   base
$langpatph   /usr/local/share/lightsquid/lang
$langname   eng
$reportpath   /var/lightsquid/report
Access to '/var/lightsquid/report' folder   yes
$graphreport   1

folder content:


How do I run lightparser.pl? The folder /var/lightsquid/report is indeed empty.

Access logging with squid is done in the folder: /var/squid/logs

So how do I fix Lightsquid?

13
Deutsch / IPSec VPN - assigning a specific IP or using DHCP?
« on: April 02, 2016, 06:18:57 am »
Hello,

I have a pfSense 2.2.6 running. The network uses the IP address range 10.21.30.0-255 with subnet mask 255.255.255.0.

At the moment my pfSense is not a "real firewall" but acts more as an "internal" Squid proxy, i.e. pfSense runs in a virtual machine on a server with LAN 10.21.30.7 and WAN 10.21.30.8. Other VMs use pfSense via LAN as a proxy. pfSense then connects to the Internet through a FritzBox 7490. So "in front of" pfSense sits the FritzBox 7490, which runs in router mode.

Now I would like to run the VPN through pfSense instead of the FritzBox, since the server's Xeon CPU supports AES-NI. So: disable the VPN access on the FritzBox and set up the corresponding port forwarding there to the pfSense WAN, that much is clear. I have also already configured IPsec on pfSense correctly as far as I can tell and set up the corresponding firewall rules.

How can I set things up so that a client gets a specific IP from 10.21.30.X when connecting via VPN, or at least obtains an IP from the DHCP server (only the FritzBox, 10.21.30.100-10.21.30.200)? The DHCP server on pfSense is disabled.

In the pfSense configuration there is only the option "Provide a virtual IP address to clients" at the relevant place, where I can only specify an IP range, so there could be problems with duplicate IPs if I also use 10.21.30.X instead of e.g. 10.21.31.X, since it cannot be ruled out that the DHCP server has already assigned the same IP.

Since I want to keep the FritzBox as the router for now, I would really like to have a .30.X IP so that I can access the other .30.X devices on the network.

Maybe someone has a good tip?

14
Hey,

I am new to pfSense and I am totally impressed by all the features but the disorientation is not less ;D

Unfortunately I didn't find a solution in the forum or on the internet for the following configuration:

I installed pfSense as a VM on ESXI 6.0 and configured 2 virtual switches (LAN/WAN) consisting of 2 physical NICs.

This server is connected to a switch which is connected to another switch. On this switch there is the VDSL-modem connected to a port. The VDSL-modem is so far configured as a router (gateway). Now I want to put the VDSL-modem in bridged mode and use it as a plain modem and pfSense for PPPoE & Routing.

How do I manage to tell pfSense where the VDSL-Modem is behind all the switches and the connected devices?
Do I have to set up a VLAN tag for VDSL in pfSense and use the VLAN ID on the corresponding ports on both switches (the switches are VLAN-capable)?

Configuration:

Internet -> VDSL-Modem -> Switch 1 -> Switch 2 -> pfSense on ESXI

Help is highly appreciated ;D
