Show Posts

Topics - mislav

OpenVPN / Openvpn + freeradius - unable to log in into VPN
« on: February 06, 2018, 07:04:39 pm »
Hi. Today I upgraded my pfSense machine from 2.3.x to 2.4.2, and after this update our OpenVPN + FreeRADIUS has stopped working. Any ideas why?

I've tried both with existing user logins (both mOTP and plain-text passwords) and with creating NEW user credentials; the result is the same: unable to log in to the VPN.

I've attached the whole output I got when running FreeRADIUS in debug mode:
/usr/local/etc/rc.d/radiusd debug

Also, on the dashboard, I've noticed that under VPN there is always this message when connecting:
[error]   Unable to contact daemon0   Service not running?

Here is also the output from the Viscosity client connection log:
vlj 07 1:53:07: State changed to Connecting
vlj 07 1:53:07: Viscosity Windows 1.7.6 (1540)
vlj 07 1:53:07: Running on Microsoft Windows 7 Ultimate
vlj 07 1:53:07: Running on .NET Framework Version 4.5.51209.379893
vlj 07 1:53:07: Bringing up interface...
vlj 07 1:53:07: Checking reachability status of connection...
vlj 07 1:53:07: Connection is reachable. Starting connection attempt.
vlj 07 1:53:07: OpenVPN 2.4.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 19 2017
vlj 07 1:53:07: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.09
vlj 07 1:53:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
vlj 07 1:53:33: TCP/UDP: Preserving recently used remote address: [AF_INET]HIDDENIP:1191
vlj 07 1:53:33: Attempting to establish TCP connection with [AF_INET]HIDDENIP:1191 [nonblock]
vlj 07 1:53:34: TCP connection established with [AF_INET]HIDDENIP:1191
vlj 07 1:53:34: TCP_CLIENT link local (bound): [AF_INET][undef]:0
vlj 07 1:53:34: TCP_CLIENT link remote: [AF_INET]HIDDENIP:1191
vlj 07 1:53:34: State changed to Authenticating
vlj 07 1:53:36: [vpn1_ssl_2017] Peer Connection Initiated with [AF_INET]HIDDENIP:1191
vlj 07 1:53:37: State changed to Connecting
vlj 07 1:53:37: AUTH: Received control message: AUTH_FAILED
vlj 07 1:53:41: SIGUSR1[soft,auth-failure] received, process restarting
vlj 07 1:53:41: State changed to Connecting
vlj 07 1:53:42: State changed to Disconnecting
vlj 07 1:53:42: ERROR: could not read Auth username

Is there anything else needed?

Firewalling / RST package info - firewall
« on: September 28, 2017, 03:20:49 am »

I'm having issues with RST packets. Apparently there is no way to log this kind of packet, or I'm doing something wrong. Under Status -> System Logs -> Firewall -> Normal View, at the bottom you can see under the "More information" button:
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, C - CWR.
= Add to block list., = Pass traffic, = Resolve

So according to this, if a packet with the RST flag appeared, the R flag would be shown. I've tried to log all traffic sent from my IP, but no success. I've also tried setting TCP flags under Advanced Options in the firewall rule to match RST, and even used the option "Any flags", also with no success. When I send normal SYN packets, this gets logged and I'm able to see this traffic.
When I run tcpdump on both the source and destination hosts, I'm able to see those RST/SYN packets on the source, but on pfSense I can only see packets with the SYN flag.

Then I also found the option System -> Advanced -> System Tunables -> net.inet.tcp.blackhole (Do not send RST on segments to closed ports), but no matter whether I change this to 0 or leave it at 2, there is no RST response on closed ports. From what I read, and please correct me if I'm wrong, RST is just a reset flag which is set when someone tries to connect to closed/non-open ports. Now, this wouldn't be a problem in general; however, on the internal office firewall we're seeing this:

Possible RST Flood on IF X1 - src: IP:443 dst: LOCAL_IP:27297 - rate: 712/sec continues

The traffic goes from internet/internal servers to different local servers, so the traffic is not on the same interfaces. It seems like although the traffic goes through pfSense, it somehow gets bypassed there, and what should usually be blocked/logged on pfSense is seen on the internal firewall instead: these flood attacks. Spoofed source IP or not, the traffic goes through pfSense.

Any ideas how to block/see this traffic? SYN floods are not a problem; I've tested this and pfSense blocks them without any problems when using State type: Synproxy.

Firewalling / Firewall missing traffic
« on: March 03, 2017, 05:05:29 am »
Hi everyone.

I have a question, and I'm out of ideas and need your help!

For a start, here is the environment and the network flow:
- traffic comes from the internet to the pfSense WAN interface, and I've set a rule there to allow all traffic to one specific host XX (and I'm logging the traffic)
- the server where the traffic comes in is behind NAT, and this traffic goes to host XX as mentioned

Now, host XX also has a hardware firewall, and here is the problem:
- the hardware firewall detects some traffic as suspicious (intrusion prevention), but I don't see this traffic in the pfSense traffic log. Why?

Example of this kind of traffic seen by host XX / hardware firewall:
time: 2017/03/03 10:55:27
src:, 443
dst: HOST XX, 18283
TCP scanned port list, 23110, 48846, 14554, 61720, 33472

Sometimes traffic like that is logged in pfsense, sometimes it's not. Any ideas?
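The two posts above (RST bursts reported by the internal office firewall, and port-scan traffic reported by host XX's hardware firewall, neither of which shows up in the pfSense firewall log) both come down to comparing what different capture points actually see. The following is an added example, not code from the posts or from pfSense: it summarises TCP flag usage and reports per-second RST bursts between a source/destination pair from `tcpdump -n` text output, so that the same capture taken on the source host, on the pfSense interface and on the internal side can be compared line for line. The sample capture is constructed for this example; note that tcpdump prints CWR as W where the pfSense log legend quoted above uses C, and the 100/sec alert threshold is an arbitrary assumption.

```python
"""Summarise TCP flags and per-second RST rates from `tcpdump -n` text output.

Added example with a constructed capture; addresses and ports are made up.
Run the same capture on each hop (source host, pfSense interface, internal
side) and compare the summaries to see where a flag type 'disappears'."""
import re
from collections import Counter

# tcpdump -n line, e.g.
# 10:55:27.000123 IP 198.51.100.5.443 > 10.0.0.8.27297: Flags [R.], seq 1, ack 1, win 0, length 0
LINE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+ IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

# tcpdump flag letters; pfSense's log legend uses C for CWR, tcpdump uses W.
FLAG_NAMES = {"F": "FIN", "S": "SYN", ".": "ACK", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "W": "CWR"}

# Constructed capture: 300 RST/ACK packets from one server to one local client
# within a single second, then a normal three-way handshake and one more RST.
SAMPLE = "\n".join(
    [f"10:55:27.{i:06d} IP 198.51.100.5.443 > 10.0.0.8.27297: "
     f"Flags [R.], seq 1, ack 1, win 0, length 0"
     for i in range(0, 900000, 3000)]
    + ["10:55:27.950000 IP 10.0.0.8.51234 > 198.51.100.9.443: Flags [S], seq 100, win 64240, length 0",
       "10:55:28.010000 IP 198.51.100.9.443 > 10.0.0.8.51234: Flags [S.], seq 200, ack 101, win 65535, length 0",
       "10:55:28.020000 IP 10.0.0.8.51234 > 198.51.100.9.443: Flags [.], ack 1, win 502, length 0",
       "10:55:28.300000 IP 198.51.100.5.443 > 10.0.0.8.27297: Flags [R.], seq 1, ack 1, win 0, length 0"])


def parse_tcpdump(lines):
    """Yield one dict per parseable TCP line: wall-clock second, src, dst, flag set."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or truncated line
        yield {"second": f"{m['h']}:{m['m']}:{m['s']}",
               "src": m["src"], "dst": m["dst"], "flags": set(m["flags"])}


def flag_counts(lines):
    """Count how many packets carried each TCP flag (a packet counts once per flag)."""
    counts = Counter()
    for pkt in parse_tcpdump(lines):
        for letter in pkt["flags"]:
            counts[FLAG_NAMES.get(letter, letter)] += 1
    return counts


def rst_flood_alerts(lines, threshold=100):
    """Return (src, dst, second, count) for every src->dst pair whose RST count in
    one wall-clock second reaches the threshold (assumed value, not pfSense's)."""
    per_second = Counter()
    for pkt in parse_tcpdump(lines):
        if "R" in pkt["flags"]:
            per_second[(pkt["src"], pkt["dst"], pkt["second"])] += 1
    return sorted((src, dst, sec, n)
                  for (src, dst, sec), n in per_second.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("flags:", dict(flag_counts(lines)))
    for src, dst, sec, n in rst_flood_alerts(lines):
        print(f"possible RST flood at {sec}: {src} -> {dst}, {n}/sec")
```

Feed it a real capture with `tcpdump -n -i <iface> tcp | python3 rstsum.py`-style piping after replacing `SAMPLE` with `sys.stdin`; if the pfSense-side capture shows the SYNs but none of the RSTs that the internal firewall counts, the RSTs are not traversing that interface.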

Traffic Shaping / pfsense is limiting upload speed
« on: October 06, 2016, 07:20:30 am »
Hi there.

I've checked the traffic shaper and there were some values for the WAN/LAN interfaces (around 50 Mbit/s); however, my traffic in this case is not going through those interfaces but through a third one. No limit is set there, and under Diagnostics -> Limiter it says: Limiters: No limiters were found on this system.

That being said, I have a strange case. I have the following setup:
1) VM1 going outside through FW1
2) VM2 going outside through VMware

In both setups I can reach a max download speed of 9-10 MB/s; however, upload speed is problematic. If I'm uploading to one test server via SCP I get:
1) with setup 1 I get an upload speed of max ~9 MB/s
2) with setup 2 I get an upload speed of max ~4-5 MB/s

Any idea what and where the issue with pfSense could be? I've launched a few speed tests and I can see the upload speed difference even there. How come I lose around 50% of upload speed via pfSense?

IPsec / Site-to-site IPsec problem - no connection
« on: July 29, 2016, 02:30:09 am »

I'm trying to set up IPsec site-to-site connectivity between two pfSense machines and so far no luck. I've tried to authenticate via both RSA and a PSK shared key, however with no success.

This is the error I'm getting when authenticating with the shared key:

Jul 29 07:07:10    charon       08[IKE] <con1|636> received AUTHENTICATION_FAILED notify error
Jul 29 07:07:10    charon       08[ENC] <con1|636> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 29 07:07:10    charon       08[NET] <con1|636> received packet: from HOST-B[4500] to HOST-A[4500] (68 bytes)
Jul 29 07:07:10    charon       08[NET] <con1|636> sending packet: from HOST-A[4500] to HOST-B[4500] (252 bytes)
Jul 29 07:07:10    charon       08[ENC] <con1|636> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jul 29 07:07:10    charon       08[IKE] <con1|636> establishing CHILD_SA con1{37}
Jul 29 07:07:10    charon       08[IKE] <con1|636> authentication of 'HOSTNAME-OF-HOST-A' (myself) with pre-shared key
Jul 29 07:07:10    charon       08[IKE] <con1|636> local host is behind NAT, sending keep alives
Jul 29 07:07:10    charon       08[ENC] <con1|636> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jul 29 07:07:10    charon       08[NET] <con1|636> received packet: from HOST-B[500] to HOST-A[500] (332 bytes)
Jul 29 07:07:10    charon       08[NET] <con1|636> sending packet: from HOST-A[500] to HOST-B[500] (332 bytes)
Jul 29 07:07:10    charon       08[ENC] <con1|636> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 29 07:07:10    charon       08[IKE] <con1|636> initiating IKE_SA con1[636] to HOST-B
Jul 29 07:07:10    charon       02[KNL] creating acquire job for policy HOST-A/32|/0 === HOST-B/32|/0 with reqid {37}

HOST-A WAN IP is behind NAT (static IP)
HOST-B WAN IP is not behind NAT

I've opened both UDP ports 500/4500 in the firewall on WAN and set appropriate rules on the IPsec interface itself to allow local network traffic (on both machines).

AES-NI is disabled on both servers (Cryptographic Hardware is set to NONE on both).

As HOST-A is behind NAT, I've set My identifier/Peer identifier to FQDN on both servers. I've tried with IPs also, no luck.

Phase 1 on both servers:
- Key Exchange version V2 is used
- Encryption Algorithm - I've tried switching between AES/3DES, no luck
- Hash Algorithm - SHA1
- DH Group - 1024bit

Phase 2 on both servers:
- Protocol - I've tried both ESP/AH, no luck
- when ESP was set as the protocol, Encryption Algorithms: I've tried using all of them together, separated, one by one, no changes
- Hash Algorithms - SHA1 (when AES256-GCM was set, I didn't enable any hash algorithm)
- PFS key group - 1024 bit

I've double-checked the settings and they're identical on both servers; they just differ in the few things mentioned.

How to debug this? Any idea what could be wrong?
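The charon log in the post above is the whole IKEv2 story in reverse order: the IKE_SA_INIT request got a matching response (so the phase 1 proposal was accepted), the IKE_AUTH request was sent with a pre-shared-key AUTH payload, and the peer answered IKE_AUTH with N(AUTH_FAILED). That places the problem at peer authentication, i.e. the PSK or the identifiers, not at the phase 1 algorithms or at reachability. The following is an added example, not from the post or from strongSwan, that groups charon lines by IKE_SA and reports the exchange at which each SA stalled; the sample log is constructed to mirror the post's lines with made-up addresses and identities, plus a second SA that never gets an IKE_SA_INIT response.

```python
"""Group strongSwan (charon) log lines by IKE_SA and report the IKEv2 exchange
at which a site-to-site tunnel stalled.

Added example with a constructed log; addresses, connection names and the
FQDN identity are made up. Lines are in chronological order (pfSense's
Status -> System Logs -> IPsec view shows newest first)."""
import re
from collections import OrderedDict

# pfSense IPsec log column layout: timestamp, 'charon', thread[SUBSYSTEM], <conn|id>, message.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+charon\s+"
    r"\d+\[(?P<sub>[A-Z]+)\]\s+(?:<(?P<conn>[^|>]+)\|(?P<said>\d+)>\s+)?(?P<msg>.*)$")

SAMPLE_LOG = """\
Jul 29 07:07:10    charon       02[KNL] creating acquire job for policy 192.0.2.10/32|/0 === 198.51.100.20/32|/0 with reqid {37}
Jul 29 07:07:10    charon       08[IKE] <con1|636> initiating IKE_SA con1[636] to 198.51.100.20
Jul 29 07:07:10    charon       08[ENC] <con1|636> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 29 07:07:10    charon       08[NET] <con1|636> sending packet: from 192.0.2.10[500] to 198.51.100.20[500] (332 bytes)
Jul 29 07:07:10    charon       08[NET] <con1|636> received packet: from 198.51.100.20[500] to 192.0.2.10[500] (332 bytes)
Jul 29 07:07:10    charon       08[ENC] <con1|636> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jul 29 07:07:10    charon       08[IKE] <con1|636> local host is behind NAT, sending keep alives
Jul 29 07:07:10    charon       08[IKE] <con1|636> authentication of 'vpn-a.example.test' (myself) with pre-shared key
Jul 29 07:07:10    charon       08[IKE] <con1|636> establishing CHILD_SA con1{37}
Jul 29 07:07:10    charon       08[ENC] <con1|636> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jul 29 07:07:10    charon       08[NET] <con1|636> sending packet: from 192.0.2.10[4500] to 198.51.100.20[4500] (252 bytes)
Jul 29 07:07:10    charon       08[NET] <con1|636> received packet: from 198.51.100.20[4500] to 192.0.2.10[4500] (68 bytes)
Jul 29 07:07:10    charon       08[ENC] <con1|636> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 29 07:07:10    charon       08[IKE] <con1|636> received AUTHENTICATION_FAILED notify error
Jul 29 07:08:02    charon       11[IKE] <con2|7> initiating IKE_SA con2[7] to 203.0.113.99
Jul 29 07:08:02    charon       11[ENC] <con2|7> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 29 07:08:02    charon       11[NET] <con2|7> sending packet: from 192.0.2.10[500] to 203.0.113.99[500] (332 bytes)
Jul 29 07:08:06    charon       05[IKE] <con2|7> retransmit 1 of request with message ID 0
"""


def parse_charon(text):
    """Return OrderedDict (conn_name, sa_id) -> list of (subsystem, message)."""
    sas = OrderedDict()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["said"] is None:
            continue  # unparseable, or not tied to an IKE_SA (e.g. [KNL] acquire jobs)
        sas.setdefault((m["conn"], int(m["said"])), []).append((m["sub"], m["msg"]))
    return sas


def diagnose(sas):
    """For each IKE_SA, name the exchange it stalled at and what that implies."""
    result = {}
    for key, events in sas.items():
        msgs = [msg for _, msg in events]
        info = {
            "behind_nat": any("local host is behind NAT" in m for m in msgs),
            "auth_method": next((m.split(" with ", 1)[1] for m in msgs
                                 if m.startswith("authentication of ") and "(myself)" in m), None),
            "retransmits": sum(1 for m in msgs if m.startswith("retransmit ")),
        }
        if any(m.startswith("IKE_SA ") and " established" in m for m in msgs):
            stage, verdict = "ESTABLISHED", "IKE_SA established"
        elif any("AUTHENTICATION_FAILED" in m for m in msgs):
            # The peer answered IKE_AUTH, so DH/crypto already agreed in IKE_SA_INIT;
            # it could not verify our AUTH payload: PSK mismatch or identifier mismatch.
            stage, verdict = "IKE_AUTH", ("peer rejected our IKE_AUTH: check that the PSK and "
                                          "the My/Peer identifier values match on both sides")
        elif any("NO_PROPOSAL_CHOSEN" in m for m in msgs):
            stage, verdict = "IKE_SA_INIT", "peer rejected the phase 1 proposal (algorithms/DH group)"
        elif any(m.startswith("parsed IKE_SA_INIT response") for m in msgs):
            stage, verdict = "IKE_AUTH", "IKE_AUTH request sent, no response seen"
        elif any(m.startswith("generating IKE_SA_INIT request") for m in msgs):
            stage, verdict = "IKE_SA_INIT", "no IKE_SA_INIT response: UDP/500 not reaching a listening peer"
        else:
            stage, verdict = "UNKNOWN", "no recognised exchange"
        result[key] = {"stage": stage, "verdict": verdict, **info}
    return result


if __name__ == "__main__":
    for (conn, sa_id), d in diagnose(parse_charon(SAMPLE_LOG)).items():
        print(f"{conn}[{sa_id}] stalled at {d['stage']}: {d['verdict']} "
              f"(NAT={d['behind_nat']}, auth={d['auth_method']}, retransmits={d['retransmits']})")
```

The value of the grouping is that it separates the three failure classes that all look like "no tunnel" in the GUI: no IKE_SA_INIT response (reachability), NO_PROPOSAL_CHOSEN (phase 1 settings) and AUTH_FAILED in the IKE_AUTH response (secret or identity), and the post's log falls squarely in the third.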

OpenVPN / Strange problems with OpenVPN authentication
« on: May 10, 2016, 07:45:52 am »

pfsense version is 2.2.6-RELEASE (amd64)

I'm using OpenVPN with backend freeradius + OTP.

Now, the problem is when a user tries to authenticate:
1) sometimes they're unable to log in at all, they're blocked after 10 attempts, and I need to remove a local file to unlock them
2) sometimes they log in on the first try
3) sometimes they can't log in in the first 2-4 or 5 tries and after that they log in

So, as you can see, it has no order and it happens on a random basis.

Error in openvpn log is as follows:
May 10 12:06:52    openvpn[98946]: XX:51000 Connection reset, restarting

May 10 12:06:49    openvpn[98946]: XX:51000 [XX] Peer Connection Initiated with [AF_INET]XX:51000
May 10 12:06:49    openvpn[98946]: XX:51000 TLS Auth Error: Auth Username/Password verification failed for peer
May 10 12:06:49    openvpn[98946]: XX:51000 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
May 10 12:06:49    openvpn: user 'XX' could not authenticate.
May 10 12:06:46    openvpn[98946]: TCP connection established with [AF_INET]XX:51000

The same user gets the same error, and after a few tries he logs in successfully. So yes, in the end users are able to log in; however, the whole process of authentication is annoying.

Once they log in:
May 10 12:07:06    openvpn[98946]: XX/XX:51001 send_push_reply(): safe_cap=940
May 10 12:07:04    openvpn[98946]: XX/XX:51001 MULTI_sva: pool returned IPv4=XX, IPv6=(Not enabled)
May 10 12:07:04    openvpn[98946]: XX:51001 [XX] Peer Connection Initiated with [AF_INET]XX:51001
May 10 12:07:04    openvpn: user 'XX' authenticated
May 10 12:07:01    openvpn[98946]: TCP connection established with [AF_INET]XX:51001

So my question is basically: how could the same command run after 10-15 seconds, when before that I received "WARNING: Failed running command (--auth-user-pass-verify)" + "TLS Auth Error: Auth Username/Password verification failed for peer"?

So far I've tried to:
1) changed the FQDN to an IP in the VPN client file - didn't help
2) deleted the freeradius user and re-created it - didn't help
3) deleted the user cert + the whole user and re-created it + added the same in FreeRADIUS = also didn't help
4) I didn't use any special characters in the password

Any ideas what to check?
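Both OpenVPN posts above (the 2.4.2 upgrade that broke FreeRADIUS logins, and the earlier intermittent failures) show the same server-side pattern: `--auth-user-pass-verify` exits 1, OpenVPN logs a TLS Auth Error and resets the connection, and a later session from the same user on a new source port succeeds. The following is an added example, not code from the posts, from pfSense or from OpenVPN: it correlates pfSense OpenVPN log lines into one record per client session, keyed by the client's ip:port, and then reports per user how many sessions failed, how many authenticated, and how many seconds each failure took to be followed by a success, which is the first number you want when deciding whether the RADIUS backend is intermittently unreachable or the credentials are simply wrong. The sample log is constructed to mirror the post's lines; users, ports and addresses are made up, and the lockout threshold of 10 is taken from the post.

```python
"""Correlate pfSense OpenVPN server log lines into per-session authentication
outcomes, so intermittent --auth-user-pass-verify failures can be counted per
user instead of being read one line at a time.

Added example; the log below is constructed to mirror the shape of the lines in
the posts (in chronological order; the pfSense dashboard shows newest first).
Users, client addresses, ports and the pool address are made up."""
import re
from collections import OrderedDict
from datetime import datetime

SAMPLE_LOG = """\
May 10 12:06:46 openvpn[98946]: TCP connection established with [AF_INET]203.0.113.10:51000
May 10 12:06:49 openvpn: user 'alice' could not authenticate.
May 10 12:06:49 openvpn[98946]: 203.0.113.10:51000 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
May 10 12:06:49 openvpn[98946]: 203.0.113.10:51000 TLS Auth Error: Auth Username/Password verification failed for peer
May 10 12:06:49 openvpn[98946]: 203.0.113.10:51000 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:51000
May 10 12:06:52 openvpn[98946]: 203.0.113.10:51000 Connection reset, restarting
May 10 12:07:01 openvpn[98946]: TCP connection established with [AF_INET]203.0.113.10:51001
May 10 12:07:04 openvpn: user 'alice' authenticated
May 10 12:07:04 openvpn[98946]: 203.0.113.10:51001 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:51001
May 10 12:07:04 openvpn[98946]: alice/203.0.113.10:51001 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
May 10 12:07:06 openvpn[98946]: alice/203.0.113.10:51001 send_push_reply(): safe_cap=940
May 10 12:09:30 openvpn[98946]: TCP connection established with [AF_INET]198.51.100.7:40012
May 10 12:09:33 openvpn: user 'bob' authenticated
May 10 12:09:33 openvpn[98946]: 198.51.100.7:40012 [bob] Peer Connection Initiated with [AF_INET]198.51.100.7:40012
May 10 12:09:33 openvpn[98946]: bob/198.51.100.7:40012 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
EP = r"(?P<ep>[\d.]+:\d+)"  # client ip:port, OpenVPN's own per-session key
RE_ESTABLISHED = re.compile(TS + r" openvpn\[\d+\]: TCP connection established with \[AF_INET\]" + EP)
RE_AUTHFAIL = re.compile(TS + r" openvpn\[\d+\]: " + EP + r" TLS Auth Error: Auth Username/Password verification failed")
RE_POOL = re.compile(TS + r" openvpn\[\d+\]: (?P<user>[^/\s]+)/" + EP + r" MULTI_sva: pool returned")
RE_PEER = re.compile(TS + r" openvpn\[\d+\]: " + EP + r" \[(?P<user>[^\]]+)\] Peer Connection Initiated")


def _ts(text):
    # Syslog lines carry no year; strptime fills in 1900, which is fine for deltas.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def correlate_sessions(log_text):
    """Return OrderedDict endpoint -> session dict, in order of first sight.

    Each 'TCP connection established' line opens a new session; the later
    per-endpoint lines fill in identity and outcome. The 'openvpn: user ...'
    lines carry no endpoint, so they are not used for correlation."""
    sessions = OrderedDict()

    def session(ep, ts):
        return sessions.setdefault(
            ep, {"endpoint": ep, "start": ts, "user": None, "outcome": "unknown"})

    for line in log_text.splitlines():
        m = RE_ESTABLISHED.match(line)
        if m:
            sessions[m["ep"]] = {"endpoint": m["ep"], "start": _ts(m["ts"]),
                                 "user": None, "outcome": "unknown"}
            continue
        m = RE_AUTHFAIL.match(line)
        if m:
            session(m["ep"], _ts(m["ts"]))["outcome"] = "auth_failed"
            continue
        m = RE_POOL.match(line)
        if m:  # pool assignment only happens after successful authentication
            s = session(m["ep"], _ts(m["ts"]))
            s["user"], s["outcome"] = m["user"], "authenticated"
            continue
        m = RE_PEER.match(line)
        if m:  # bracketed name is the client certificate CN, used as identity fallback
            s = session(m["ep"], _ts(m["ts"]))
            s["user"] = s["user"] or m["user"]
    return sessions


def summarize(sessions):
    """Per-user attempt/failure counts plus, for each failure, the seconds until
    that user's next successful session (the 'fails, then works 15 s later' pattern)."""
    stats = {}
    pending = {}  # user -> start times of failures not yet followed by a success
    for s in sessions.values():
        user = s["user"] or "<unknown>"
        st = stats.setdefault(user, {"attempts": 0, "failed": 0,
                                     "authenticated": 0, "recover_seconds": []})
        st["attempts"] += 1
        if s["outcome"] == "auth_failed":
            st["failed"] += 1
            pending.setdefault(user, []).append(s["start"])
        elif s["outcome"] == "authenticated":
            st["authenticated"] += 1
            for t in pending.pop(user, []):
                st["recover_seconds"].append(int((s["start"] - t).total_seconds()))
    return stats


def users_near_lockout(stats, threshold=10):
    """Users whose failure count has reached the lockout threshold (10 in the post)."""
    return sorted(u for u, st in stats.items() if st["failed"] >= threshold)


if __name__ == "__main__":
    stats = summarize(correlate_sessions(SAMPLE_LOG))
    for user, st in stats.items():
        print(user, st)
    print("near lockout:", users_near_lockout(stats))
```

A run over a day of real log gives, per user, the ratio of failed to authenticated sessions and the recovery gaps; failures that recover in seconds with unchanged credentials point at the backend call (RADIUS timeout, OTP window, rate limiting) rather than at the user, which is the distinction the post is asking about.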

Cache/Proxy / FTP Client Proxy Package - problem with firewall on port 21
« on: January 04, 2016, 01:18:36 am »
Firstly, thanks for the package and great work.

Second, I've noticed some strange behaviour.

I have firewall rules defined for Server X, e.g. incoming to ports 80/443/etc., and there's no firewall rule for port 21 -> it's blocked. On Server X an FTP client exists, and with the FTP Client Proxy package enabled I can connect to it even though there is no such thing defined in the firewall itself (GUI).

I've tried disabling the option "Check this box to move the automatically added FTP rules higher in the ruleset to bypass explicit blocks. Helps allow passive FTP to arbitrary destinations, but FTP will always be allowed outbound when checked." and putting a block rule on top of all rules for connections to the server on port 21 -> this traffic passes by. When I disable the FTP proxy client, the traffic is blocked and everything works as expected.

