
Show Posts



Topics - Maxburn

1
Packages / Bandwidthd legend/logo pics not showing
« on: April 14, 2018, 08:11:34 am »
Seems like there are some missing files for the following URLs. I can see the graphs but would like the legends to work too.

https://pfsenseip/bandwidthd/logo.gif
https://pfsenseip/bandwidthd/legend.gif

2
I googled around and seemingly the best advice I saw was to export my config from present pfSense, edit the interface section and upload to new router. Everyone says it is easy and takes seconds but I keep running into "interface not known" issues during boot, seemingly surrounding my VLANs? What am I doing wrong in these config files below??

I got these names from the autoconfig options during boot so I know those are the names pfSense sees on the new hardware. Assigning what I want during boot just gets me an endless "interface not known" and never lets me progress to running.

Old config file
Code:
<interfaces>
  <wan>
    <enable></enable>
    <if>igb0</if>
    <ipaddr>dhcp</ipaddr>
    <ipaddrv6>dhcp6</ipaddrv6>
    <gateway></gateway>
    <blockpriv>on</blockpriv>
    <blockbogons>on</blockbogons>
    <media></media>
    <mediaopt></mediaopt>
    <dhcp6-duid></dhcp6-duid>
    <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
    <descr><![CDATA[WAN]]></descr>
  </wan>
  <lan>
    <enable></enable>
    <if>igb1</if>
    <ipaddr>10.0.1.1</ipaddr>
    <subnet>24</subnet>
    <ipaddrv6>track6</ipaddrv6>
    <subnetv6>64</subnetv6>
    <media></media>
    <mediaopt></mediaopt>
    <track6-interface>wan</track6-interface>
    <track6-prefix-id>0</track6-prefix-id>
    <descr><![CDATA[LAN]]></descr>
  </lan>
  <opt1>
    <descr><![CDATA[vLAN10IoT]]></descr>
    <if>igb1.10</if>
    <enable></enable>
    <ipaddr>10.0.10.1</ipaddr>
    <subnet>24</subnet>
    <spoofmac></spoofmac>
  </opt1>
  <opt2>
    <descr><![CDATA[VLAN11Phones]]></descr>
    <if>igb1.11</if>
    <enable></enable>
    <ipaddr>10.0.11.1</ipaddr>
    <subnet>24</subnet>
    <spoofmac></spoofmac>
  </opt2>
</interfaces>

New config file
Code:
<interfaces>
  <wan>
    <enable></enable>
    <if>igb0</if>
    <ipaddr>dhcp</ipaddr>
    <ipaddrv6>dhcp6</ipaddrv6>
    <gateway></gateway>
    <blockpriv>on</blockpriv>
    <blockbogons>on</blockbogons>
    <media></media>
    <mediaopt></mediaopt>
    <dhcp6-duid></dhcp6-duid>
    <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
    <descr><![CDATA[WAN]]></descr>
  </wan>
  <lan>
    <enable></enable>
    <if>em0</if>
    <ipaddr>10.0.1.1</ipaddr>
    <subnet>24</subnet>
    <ipaddrv6>track6</ipaddrv6>
    <subnetv6>64</subnetv6>
    <media></media>
    <mediaopt></mediaopt>
    <track6-interface>wan</track6-interface>
    <track6-prefix-id>0</track6-prefix-id>
    <descr><![CDATA[LAN]]></descr>
  </lan>
  <opt1>
    <descr><![CDATA[vLAN10IoT]]></descr>
    <if>em0.10</if>
    <enable></enable>
    <ipaddr>10.0.10.1</ipaddr>
    <subnet>24</subnet>
    <spoofmac></spoofmac>
  </opt1>
  <opt2>
    <descr><![CDATA[VLAN11Phones]]></descr>
    <if>em0.11</if>
    <enable></enable>
    <ipaddr>10.0.11.1</ipaddr>
    <subnet>24</subnet>
    <spoofmac></spoofmac>
  </opt2>
</interfaces>

3
OK, I have an Ubuntu server on my local LAN running OpenVPN. I also have a remote Ubiquiti Edgerouter connecting to my Ubuntu OpenVPN with no issue, port forwarding etc. in local pfSense working fine, tunnel up, etc. Current Symptoms:
  • Local Ubuntu server can ping and SSH into multiple things on remote LAN
  • Remote Edgerouter and a Linux server on remote LAN can ping the Ubuntu server local LAN IP, but can't reach anything else on local LAN
  • Nothing else on local LAN can reach remote LAN
So, sounds like I need to add a static route to pfSense to point to the local Ubuntu VPN server to allow local LAN devices to reach out to the remote LAN. Right? This is what I did and it doesn't seem to be doing anything.

System / Routing / Gateways
  • Interface: LAN
  • Address Family IPv4
  • Gateway; the Ubuntu Server LAN IP 10.0.1.6
  • Default Gateway not checked; I don't think I want this to be the LAN default gateway...
  • Disable Monitoring not checked
  • Monitor IP, blank. Ubuntu server will ping
  • In pfSense dashboard the gateway shows UP

System / Routing / Static Routes
  • Destination Network: remote VPN virtual IP entered as "10.80.0.0" drop down /24
  • Gateway; Selected the above created gateway
Using a computer on my local LAN I can't seem to get anything on tracert past pfSense, IMO pfSense should be sending this to my Ubuntu server at 10.0.1.6 but it isn't. What am I missing?

Code:
tracert 10.0.3.1

Tracing route to 10.0.3.1 over a maximum of 30 hops

  1     1 ms    <1 ms     2 ms  pfSense.localdomain [10.0.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Edit: I'm using these guides
https://community.openvpn.net/openvpn/wiki/RoutedLans
https://secure-computing.net/wiki/index.php/Graph

4
I'm in need of a reverse proxy that hits the criteria below, can this be done with Squid/SquidGuard? Is Squid easy to work with on pfSense or should I just look into putting it on its own VM, i.e., would pfSense just be an unnecessary complication here?

  • Three internal web servers serving up http unencrypted, reverse proxy needs to add encryption.
  • Reverse proxy needs to be able to detect namespace: server1.example.com, server2.example.com, server3.example.com and send that to the right internal server
  • Preferred to use Let's Encrypt certs, but not required.
  • LDAP authentication before any access is granted.

I'm currently doing everything except LDAP in Nginx on an Ubuntu VM, thing is I looked at Nginx LDAP and it's just over my head so I'm looking around to see what else is available.

5
I set up an OpenVPN server at my house in pfSense and imported the VPN config to a remote Ubiquiti Edgerouter X. Tunnel is up but I'm having routing difficulty. Both pfSense and the ERX are the default gateway on their LANs. I want devices on either LAN to reach the opposite LAN, Site to Site. Worked with this guide https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

From what I understand those last two things should set up the route/iroute OpenVPN stuff that's necessary. Unfortunately I have no idea where to see the raw OpenVPN server config file or CCD files to see if this is true. I've done this stuff with Windows as the OpenVPN server and the ERX before, just can't figure out the pfSense GUI. I haven't messed with entering any static routes myself, IMO OpenVPN and these two devices already being the default gateways should be enough?!?

  • 10.0.1.0/24 pfSense local LAN
  • 10.9.0.0/24 OpenVPN virtual network
  • 10.9.0.10 is ERX VPN IP, static assignment via client config
  • 10.0.3.0/24 Remote ERX LAN

Symptoms
  • Nothing on 10.0.1.x including the pfSense ping utility can reach anything on 10.0.3.x
  • pfSense ping utility can reach 10.9.0.10, the remote ERX VPN IP
  • The remote ERX can ping anything it wants on 10.0.1.x entire LAN, and my phone using the same pfSense OpenVPN server can reach anything it wants 10.0.1.0/24
  • Other things on the 10.0.3.x LAN cannot reach 10.0.1.x IPs
  • The remote ERX can ping 10.9.0.1, the OpenVPN server IP.
  • Other things on the 10.0.3.x LAN cannot reach 10.9.0.1
  • In the ERX I can see an automatically created route to 10.0.1.0/24 with next hop 10.9.0.1

pfSense OpenVPN server configuration
  • Remote access TUN / UDP
  • Tunnel network 10.9.0.0/24
  • Redirect gateway off
  • IPv4 local networks has 10.0.1.0/24 in it
  • Provide DNS server is available with 10.0.1.1 listed FWIW

Client specific Overrides, I'm thinking of this as the OpenVPN CCD file, right?
  • has my openvpn server selected
  • has an entry of the connecting ERX common name
  • Tunnel: 10.9.0.10/24
  • IPv4 local networks: 10.0.1.0/24
  • IPv4 remote networks 10.0.3.0/24






6
DHCP and DNS / How do I get charts and graphs like PiHole?
« on: March 04, 2018, 02:04:59 pm »
I found the charts and graphs that PiHole presents quite useful and fairly easy to understand. Really let me know what is reaching out to where on my network. So how can I get the same thing out of pfSense?

Using resolver and pfBlockerng.

7
DHCP and DNS / Dynamic DNS, freedns.afraid.org
« on: January 13, 2018, 02:44:24 pm »
Services -> Dynamic DNS -> Dynamic DNS Clients -> Add -> "Service Type" = freeDNS

I stopped DDClient on my Ubuntu machine and entered my info with user/password into pfSense, didn't get any errors when setting it up but does not go green in the list, cached IP stays 0.0.0.0 (red) and status, services doesn't list DDNS. Don't see it mentioned in logs. Check IP seems to be running. So why isn't it doing anything? Can I see a failed log or status somewhere?

8
Note: I'm very new to pfSense

Problem:
Edit: the larger problem seems to be no internet access. I thought the wizard would leave me with a working router but I guess not.
Under Package Manager/Available Packages I'm getting: Unable to retrieve package information. Searched around a bit and found some advice regarding pkg clean, pkg update, pkg upgrade, reboot. Errors for those are below, and searching around I'm seeing results from 2.3 failed upgrades and it being necessary to create directories for these missing files or directories but this being a brand new install this all seems weird, what's wrong?

History:
I installed 2.4.2 release last night and went through the wizard choosing mostly defaults, nothing strange I'm aware of, chose 9.9.9.9 and 8.8.4.4 for DNS. I didn't have the WAN connected, I wanted to have everything in and working before I connected it to the internet. Now with everything connected it acts as a router fine and update check says it's good.

Results from pkg clean
Quote
pkg: Repository pfSense-core missing. 'pkg update' required
pkg: No package database installed.  Nothing to do!

Results from pkg update
Quote
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
34405241800:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/builder/ce-242/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!

