

Topics - mikeisfly

1
Hello everyone. I just got around to looking at the April 2017 pfSense hangout on LetsEncrypt. I have my acme package set up and I am getting a valid LetsEncrypt certificate that I can log into my GUI with, with a valid lock icon in the address bar next to the URL when I type in the FQDN of my firewall. I have a split zone setup, so when I type in pfsense.exampledomain.com when I'm outside of my network I get my public IP address. When I'm home and I type in the FQDN I get the private IP address of my firewall. Regardless, everything comes up as it should with a nice lock in the address bar. Again, no problem so far.

Here is my problem: when I just type in the hostname (example: https://pfsense) I get an invalid certificate error. I can't enter just the hostname in the SAN section of the certificate generation because I will get an error 400. I guess it needs the TLD. I have tried using squidproxy using the transparent proxy option with reverseproxy and squidguard to rewrite the domain name, or expand it out to the FQDN. I have tried to create a CNAME record in my Windows Server 2012 R2 setup to create an alias to the FQDN, but nothing seems to work.

My goal is to put just the hostname or IP address of my firewall in the address bar and have the firewall do a redirect (like it does when you try to access it from HTTP instead of HTTPS) to the FQDN. Is this possible? Can a system tunable be added? Has anyone had this problem and figured it out? Any help is very appreciated.

Thanks,

2
2.4 Development Snapshots / Gateway Groups Loadbalancing performance
« on: March 01, 2017, 07:55:58 pm »
Please see Image below:

I was testing the load balancing capabilities of PfSense by connecting 8 WAN connections to my firewall. I have to say that I'm very impressed by how well it scales. Here are the speeds of each modem individually:

        Download   Upload   Ping(ms)
WAN1    180.27     24.24    10
WAN2    141.45     22.68    10
WAN3    180.52     24.12    10
WAN4    240.17     12.17    10
WAN5    179.89     24.23    10
WAN6    180.28     24.21    10
WAN7    180.36     24.04    10
WAN8    240.19     12.19    10

Total   1523.13    167.88


I got 61.34% of the download speed and 87.15% of the upload. I know what you're thinking: 61%, that's not that good. Well, I'm on a gigabit network so my theoretical max is 1 Gbps. I believe I would have gotten closer to the max but I was maxing out the fiber optic nodes that these coaxial cable modems were connected to. I'm also hitting the max upload performance of the nodes as well. Just wanted to say good job, keep up the good work!

Test info:

Computer running the test was a Dell OptiPlex i5 (980 I think) with 4 GB of RAM running Server 2012 (Chrome browser), using the built-in gigabit NIC.

PfSense is running on an i5 OptiPlex 980 as well with 4GB of RAM. The built-in NIC is connected to a Brocade FastIron 648P POE, which is the LAN port, running 17 VLANs.

The WAN is connected to one port of a dual gigabit port Intel NIC. A Cisco C3550-I5Q3L2-M switch is what I'm using as a WAN aggregator. The WAN port on PfSense is running 9 VLANs. The modems are spread across two nodes which have no real-world users.


PfSense version:

2.4.0-BETA (amd64)
built on Tue Feb 28 13:16:27 CST 2017
FreeBSD 11.0-RELEASE-p8

CPU:

Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
Current: 3100 MHz, Max: 3101 MHz
4 CPUs: 1 package(s) x 4 core(s)


I would have created a LAGG group, but PfSense doesn't allow a VLAN on a LAGG port to be assigned to a WAN interface. If anyone would like for me to test anything, let me know and I will try to get you the info ASAP.

P.S.
Although I am an employee of a very large ISP, I do not speak for them or endorse PfSense on their behalf. I have been a user of PfSense almost from the beginning and thought that I would share this very cool information with everyone. I personally have loved the project from almost the beginning and have personally recommended it!


3
I just upgraded to the 2.3 alpha after seeing December's hangout. My firewall can ping the remote site but no other address in my LAN can. I am using peer-to-peer TLS. In the client-specific override I specify the common name and the server CA. I have set "topology subnet" in advanced options. Looking at the routing table shows all the site-to-sites pointing to the same IP address, which doesn't seem correct. I am using the 64-bit version and have the latest snapshot as of 23 Dec 2015. Any help is appreciated.

4
I am using:


2.2.3-RELEASE  (amd64)
built on Tue Jun 23 16:37:42 CDT 2015
FreeBSD 10.1-RELEASE-p13

version of PfSense. I was on version 2.2.4 64-bit and was having issues with DHCP, so I needed to downgrade until 2.2.5 comes out (hopefully). Anyway, I currently use LDAP for authenticating to my various PfSense boxes. I decided to kill my PPTP server and get an OpenVPN server with certificates and LDAP authentication. Everything is working, but the problem is there is no option to specify which group should be allowed to access OpenVPN, and in the group attributes in User Manager there are no options for UserOpenVPN; there are options for PPTP, IPsec, L2TP.

I was able to come up with a workaround by using the extended query field (under LDAP) to search for the 'memberOf' membership, which is what I want. I then had to duplicate the LDAP server with just that small change to the field to target the membership that I wanted (admins of PfSense firewall, OVPN remote users, etc.). Works well but seems like a silly way to do it. I would love to be able to set up the LDAP server generally like it is now, but then have a group field added to the OpenVPN server, or WebGUI, or whatever, which would override or append the query to add the memberOf. I welcome everyone's input.

Thanks in advance

5
General Questions / Use of the PfSense Logo
« on: June 05, 2015, 12:17:30 pm »
Good Afternoon Dev team,

I just made a YouTube video showing people how to make VLANs on a PfSense router and then connecting it to a Cisco switch. When it asked me for a thumbnail I just used the PfSense logo, but now that I think about it I don't want to infringe on your IP, and if this is an improper use of the logo I will try to remove it and, if necessary, re-post the video without it. Just looking for some guidance, and please accept my apology in advance if that was not the right thing to do.

6
General Discussion / I found this and it gave me a chuckle. Check it out.
« on: February 16, 2015, 10:02:38 pm »
Warning: there is foul language, but if you work in IT you can relate.

https://www.youtube.com/watch?v=fd2o8yb6rUA

7
webGUI / How to redirect what's in the browser's URL to PfSense's FQDN?
« on: November 02, 2014, 01:03:30 pm »
I have purchased a wildcard certificate for my home network so I will stop getting the certificate error in my browser. (It was cheap, < $100) http://cheapsslsecurity.com. Accessing my firewall from outside the network is not a problem, but when I'm home I don't usually access my equipment by the FQDN. If I access it by its FQDN I don't have an issue, but when I access it by its domain name I get a certificate error. I have looked in the settings and I don't see where I can get PfSense to redirect the URL to the FQDN when using HTTPS (HTTP, I'm thinking, is a non-issue). I'm assuming this has to be done server side. I am running Windows Server 2012 R2 and have DNS set up, but I don't see how this can be done from the DNS server standpoint unless I'm missing something. Any help would be appreciated.


Thanks,

8
So I'm not sure why this isn't working for me, but I was trying to embed some images from my OneDrive public folder in the forum and they didn't show. So I thought I would start a thread here to help anyone trying to do the same thing. Below should be a test image:



One thing I did was right-click on the folder and make sure under Security that Everyone is selected. I also took out the iframe stuff too; not sure what else needs to be done, or if this functionality is not supported.

9
OpenVPN / OpenVPN been very unstable since 2.1.4 upgrade
« on: July 11, 2014, 10:16:08 pm »
I have been reading around but not sure if there is any real evidence, but my OpenVPN mesh network has been very unstable since the upgrade to 2.1.4. Prior to this upgrade it has been rock solid, never going down unless there was a power outage at one of the sites, and then only that site was affected. What I'm seeing is pauses in the network for about 30 seconds to 5 minutes at random times. The only way I really know I'm down is when I try to log into my home PfSense firewall but can't, because my LDAP server is located at one of my remote sites, so the timeout interval in PfSense causes the login process to hang. When it pauses, a ping of the remote site on the private side results in a timeout.

An inspection of the logs doesn't reveal anything concerning except this:

openvpn[71638]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2564 / time = (1405132113) Fri Jul 11 22:28:33 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

There are a bunch of these, and this:

Jul 11 22:50:29    openvpn[3873]: Peer Connection Initiated with [AF_INET]174.57.87.75:47672
Jul 11 22:49:58    openvpn[3873]: UDPv4 link remote: [undef]
Jul 11 22:49:58    openvpn[3873]: UDPv4 link local (bound): [AF_INET]68.83.92.154:1194
Jul 11 22:49:58    openvpn[3873]: Preserving previous TUN/TAP instance: ovpns1
Jul 11 22:49:58    openvpn[3873]: Re-using pre-shared static key
Jul 11 22:49:58    openvpn[3873]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 11 22:49:55    openvpn[3873]: SIGUSR1[soft,ping-restart] received, process restarting


Can the changes to OpenSSL be the cause of my instability? I'm going to downgrade two of my sites back to 2.1.3 tonight during scheduled maintenance to see if this fixes the issue. I have been doing a continuous ping for over 5 minutes, and at one of my sites I am seeing 29.3% packet loss and 8% packet loss from another site. Even though I have a remote connection to the PfSense firewall, my SSH session never dropped. The ping test was from me to site X and from Site B to Site X. I can ping from other sites to site X to take Site X as the issue out of the equation. Like I stated before, the problem only started to happen when I upgraded to 2.1.4.

I'm using PfSense 2.1.4 Full x64
on a Core 2 Duo E6750 @ 2.66 GHz with 4GB of RAM, 80GB HDD.

other sites are configured similarly.
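Triage helper for the kind of log excerpt quoted above, added here as an example and not part of the original post or of pfSense. It parses pfSense-style OpenVPN syslog lines (a constructed sample modelled on the excerpt, with peer addresses replaced by RFC 5737 documentation ranges and the year assumed, since syslog omits it), counts ping-restarts and replay warnings, and measures how long each restart took before the peer connection came back.

```python
import re
from datetime import datetime

# Constructed sample modelled on the lines quoted in the post (newest first, as the
# pfSense GUI shows them); peer addresses replaced with RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 11 22:50:29    openvpn[3873]: Peer Connection Initiated with [AF_INET]203.0.113.10:47672
Jul 11 22:49:58    openvpn[3873]: UDPv4 link remote: [undef]
Jul 11 22:49:58    openvpn[3873]: UDPv4 link local (bound): [AF_INET]198.51.100.5:1194
Jul 11 22:49:58    openvpn[3873]: Re-using pre-shared static key
Jul 11 22:49:55    openvpn[3873]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 11 22:28:34    openvpn[71638]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2565 / time = (1405132114) Fri Jul 11 22:28:34 2014 ]
Jul 11 22:28:33    openvpn[71638]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2564 / time = (1405132113) Fri Jul 11 22:28:33 2014 ]
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+openvpn\[(\d+)\]: (.*)$")

# Events that matter for triage: the tunnel restarting after missed keepalives,
# the peer coming back, and replay-window violations (which on a healthy link
# usually point at packet reordering or loss rather than an actual replay).
EVENTS = {
    "ping_restart": "SIGUSR1[soft,ping-restart]",
    "peer_up": "Peer Connection Initiated",
    "replay": "bad packet ID (may be a replay)",
}

def parse(log_text, year):
    """Return classified events oldest-first as (timestamp, pid, kind); other lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind = next((k for k, needle in EVENTS.items() if needle in m.group(3)), None)
        if kind:
            events.append((ts, int(m.group(2)), kind))
    return sorted(events)

def summarize(log_text, year=2014):
    """Count each event kind and measure seconds from each ping-restart to the next peer_up."""
    events = parse(log_text, year)
    counts = {k: sum(1 for e in events if e[2] == k) for k in EVENTS}
    outages, pending = [], None
    for ts, _pid, kind in events:
        if kind == "ping_restart":
            pending = ts
        elif kind == "peer_up" and pending is not None:
            outages.append(int((ts - pending).total_seconds()))
            pending = None
    return {"counts": counts, "outage_seconds": outages}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over a full `clog /var/log/openvpn.log` dump to see whether the restarts cluster in time or follow bursts of replay warnings, which is the distinction the post is trying to make.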



10
General Discussion / The infamous port 32764!
« on: January 15, 2014, 07:02:08 am »
Looks like PfSense is safe ;) but please have your friends and family check to see if their router responds to port 32764; looks like it can be a way for someone to backdoor your router remotely. There is a free port scanner at www.grc.com and he (Steve Gibson) has made a bitly link, www.bitly.com/port32764, which will scan your WAN interface to see if you have the problem. You either want to see stealth or closed.

11
General Questions / Dude, where's your stickers?
« on: November 08, 2013, 05:12:24 am »
I didn't see any place here where I can buy logo stickers from you guys. This would be an awesome way for you guys to generate money and for people to add the final touches on their PfSense boxes. I would like to see paper-based stickers of different sizes as well as some more elaborate, maybe metal-backed ones. You guys could figure out the pricing structure; I was just thinking about how much I love my PfSense box, but when people see my rack or other builds that I have done for friends they don't know it's PfSense unless someone tells them. What do you guys think? If you guys decide that this is something that you might want to do, make sure that the stickers have really good adhesive on them. Nothing worse than a logo sticker that falls off because your communications room got a little warm.

12
Hardware / Chromecast
« on: November 05, 2013, 07:33:37 pm »
My apologies in advance if I'm posting twice. I posted about issues that a friend of mine is having with his Chromecast but when I came by to check replies I don't see any trace of it.

I hooked a friend up with PfSense and he is loving it, but he just bought a Chromecast and it is not working. Here are the screens that he is getting:




A quick check of his DHCP status shows that it did indeed get an IP, but for some reason PfSense is blocking its connections going out to Google.



Here is what I have done so far:

1. Turned UPnP on
2. Installed Avahi (read somewhere on here that this might help)
3. Created a rule on my LAN allowing the Chromecast IP to any connection, even though the default any-to-any rule should work.

I have searched to see if there were any ports that I can open up, but you can see from the blocks that PfSense is blocking HTTPS connections from the Chromecast to Google. I'm not sure if this is the root cause of the issue, but I believe that it has something to do with what's going on.

I saw on a 2.1RC post that Jimp was waiting for his Chromecast to be delivered but there was no information after that. How did that go for you?

Here is some information about his network:

PfSense box is a Dell Optiplex 755 mini (Core 2 Duo /w 2GB of RAM and 80GB Hard Drive) Running 2.1 Release 64bit
Packages Avahi
PfSense box is connected to an HP Procurve 2610-48 PWR
One of the ports is connected to an BelAir Access Point 2.4/5 Ghz

Anyone have success with Chromecast through PfSense?

13
Hardware / Does PfSense support t1 Cards and other Hardware
« on: October 22, 2013, 07:55:33 pm »
I was just wondering what expansion cards PfSense supports. Does it support T1 cards like this one: http://www.amazon.com/Sangoma-Interface-Asterisk-Interoperable-Express/dp/B001BDERCC or maybe some sort of FXO/FXS card? Right now, if I was going to run the freeswitch package and I needed to connect to a PBX system or hang some POTS phones off of PfSense, could I do it? I have a Cisco router with a T1 controller, FXO card and FXS card for the conversion between my FreePBX server and my PBX system in my lab, but I was thinking I would like to make a PfSense box and configure it to be a voice gateway/voicemail server. Has anyone done this or have any experience doing it with FreeSwitch? Right now I have a Cisco 2821 configured as a voice gateway with both FXO ports and T1 ports.

14
General Questions / PfSense official Visio Stencil
« on: October 12, 2013, 08:34:55 am »
I was looking to make a Visio Diagram of my network and I was wondering if there were any PfSense Stencils?

15
I'm running PfSense 2.1 RC from May 17th, 2013 i386, but I believe this problem affects all releases. My title is a little misleading because if the LDAP server is not available it will fall back to the local database, but the GUI is very, very, very slow.

My LDAP server is not on site and is accessible through a site-to-site VPN. If I lose connection to the remote site, PfSense becomes very, very slow with regards to access to the Web GUI. Router and firewall functionality work fine. It takes 5-10 minutes for PfSense to realize that the LDAP server is unavailable before it will use the local database for authentication, and then whenever you go to a new page it's like it tries to check the LDAP server again, which causes another 5-10 minute wait. It's almost unusable. I have checked everywhere to see if there is something that I can do to lower this timeout value. I suspect that I can change a value under system->Advance->system Tuneables, but I don't know enough about FreeBSD to even attempt to mess around with this. Also, is this the correct behavior, to check with the authentication server on every page accessed? Is there some way to remember the user's credentials through a cookie or something, because this is a real pain when you have a critical outage.
