


Messages - epionier

1
Hello magicteddy,

thanks for sharing your experience. The problem of throughput drops in the evening hours does not apply to us, since we work during the day ;D
I am keeping the VDSL line anyway. My main concern is the upstream and, if possible, low latency for real-time applications over Remote Desktop.

Maybe someone has more concrete experience regarding my 2 questions, but thanks anyway.

2
Hello,

thanks to new Vodafone hardware in the basement of the building, a fast cable connection is now also available to us, which I would like to order as a supplement / failover for our VDSL line. Unfortunately I have a few questions that Vodafone will not answer and that the homepage says nothing about. The connection is to be used through our pfSense as the router.

1) Can the supplied "WLAN cable router" be used as a pure modem in bridge mode, like the Vigor130 on our VDSL line?
    Nowhere does it say which hardware it is, so I cannot look it up at the manufacturer.

2) Is it an IPv4 or an IPv6 connection by default, possibly with something like DS-Lite?
     We need an IPv4 connection but not necessarily a fixed IP,
     hence the question whether the fixed IP for 5€ has to be booked additionally to get a "real" IPv4 address.

What are your other experiences with the cable connection, such as latency, disconnects, etc.?
Unfortunately I do not have much experience with it so far.

Maybe someone can answer the questions and describe their experiences; I would be very grateful!

3
Cache/Proxy / Chrome for Business and SQUID Proxy - Secure Connection?
« on: January 26, 2018, 11:00:07 am »
Hello,

I use pfSense on the local network running SQUID on 10.21.30.1 with local authentication.

I downloaded Chrome for Business that allows me to configure settings via (ADM / GPO).

Unfortunately I am unable to get Chrome working with SQUID properly with a secure connection.


I want Chrome to connect to the squid server with a secure connection (TLS) no matter if the destination website is HTTPS or HTTP.


What I have done:

1) I used GPO for a manual proxy connection and entered 10.21.30.1:3128 because https://10.21.30.1:3128 is not working
(which should be possible according to: http://dev.chromium.org/developers/design-documents/secure-web-proxy)
In Chrome it then asks for proxy authentication. This is working, but it is an unsecure connection because in the authentication prompt it says http://10.21.30.1:3128 and not https.//......
How do I switch to a TLS connection?
After importing the local certificate of SQUID I am able to connect to HTTPS sites. But is the connection to the local SQUID server then secured with TLS?

2) By the way, does anyone know a way to stop Chrome from asking for proxy authentication on startup? I get the prompt every time I open Chrome, no matter if the credentials are saved or not.

I know this is mostly a Chrome question, but it depends on SQUID, too.
Maybe someone can help me out.

4
Messages from the pfSense Team / Re: pfSense 2.4.2-RELEASE Now Available!
« on: November 24, 2017, 10:05:18 am »
I run pfSense on ESXI 6.0 latest update. I removed "kern.vty=sc" of /boot/loader.conf.local (I had this VT issue with pfSense 2.4.0).

Then I upgraded via Shell to 2.4.2 and everything is working fine (No VT issue and no Framebuffer issue https://redmine.pfsense.org/issues/7975 )

So thank you for your work!

One question remains: Is pfSense still based on PHP 5.6 and why is it not upgraded to the much faster PHP 7.1.2 or 7.2 (release date on 30 November)?

5
Messages from the pfSense Team / Re: pfSense 2.4.0-RELEASE Now Available!
« on: October 13, 2017, 11:09:52 am »
Thx for the release and your work!

I got the same boot problem under ESXI 6.0 Update 3a (latest version).

I made a snapshot in advance and reverted the corrupt 2.4 installation this way. I added the line as provided in boot.local.conf, and then the update and boot went fine, but there were some PHP errors / warnings. The second reboot went fine, though, and 2.4 is up and running.

It would be nice if there were a post in the future when this problem is resolved and the line in boot.local.conf can be removed (if this makes a difference).

6
Traffic Monitoring / Re: ntopng v3.0.0 released
« on: June 22, 2017, 10:26:21 am »
I run pfSense on powerful hardware but with ntopng I still have the problem that ntopng from time to time is not accessible.

When I try to connect to https://localhost:3000 I often receive a failure in connection but the pfSense service page shows that the service is running.

Hope this problem will be solved with 3.0.0, where it says "better FreeBSD support".

7
Traffic Monitoring / Re: ntopng v3.0.0 released
« on: June 07, 2017, 07:13:15 pm »
Let's hope so, because as far as I can see it is already in the FreeBSD ports:

https://www.freebsd.org/cgi/ports.cgi?query=ntopng&stype=all

8
Traffic Monitoring / ntopng v3.0.0 released
« on: June 01, 2017, 11:01:05 am »
Hello,

ntopng v.3.0.0 release arrived today. It would be nice to implement the new version into pfSense in the near future as there are a lot of useful improvements like better FreeBSD support:

http://www.ntop.org/ntopng/introducing-ntopng-3-0/



10
If anyone else has this problem: the ACL always_direct just means no caching, but the connection is still established via the squid proxy.

The only solution I found is to bypass the proxy within the browser itself. There is an option to enter an exception for certain sites that are excluded from the proxy. By the way, depending on the configuration of pfSense (e.g. if all internet traffic except for squid is blocked), a firewall rule must be added to allow the specific IP to establish a connection to the specific site via the specific port.

Maybe someone will find this helpful.

11
Hello,

we are using pfSense in the latest stable version plus the squid package. On the local PCs we are using Firefox with the squid caching proxy enabled for non-SSL plus SSL filtering (non-transparent mode) via man-in-the-middle-filtering. Everything works fine so far with caching via squid for SSL and non-SSL sites.

We now need a possibility to exclude squid usage for establishing a direct connection for certain sites / IPs to the PC. In short we need to bypass the caching proxy for certain sites / IPs.
The reason is that on the PC there is a USB smart card reader and a third party software component (authentication client software for a connection to a certain website).

Explanation:

We have to go to a certain website like https://www.safeconnection.com. If we press "Login" on this site, the site needs to communicate with the software component on the local PC (which in turn connects to the locally attached smart card reader).
If we visit the website now (with squid) we receive an error with a "connection problem" between the website and the software component.
I have to use another browser that is not connected via squid to get it to work.


So how can we bypass the proxy?

I believe I have to use: Package->Proxy Server->General Settings->General->Advanced Features->Custom ACLS (Before Auth) to enter a custom ACL for always_direct: http://www.squid-cache.org/Doc/config/always_direct/

But I am not able to figure out what I have to insert in this box.

a) What exactly do I have to enter there?
b) How do I find the needed sites/IPs/ports to exclude? (edit: should be visible in the "real time" menu of squid)


Maybe someone is much more familiar with this; help is highly appreciated ;D
 

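A browser-side bypass of the kind described in the two posts above, as an added example that is not from this thread: a proxy auto-config (PAC) script that sends the listed sites, localhost and literal private addresses DIRECT and everything else to squid. The proxy address 10.21.30.1:3128 is the one named elsewhere in this listing; the bypass domain is a constructed placeholder, and the helper functions are plain JavaScript rather than the PAC built-ins so the script also runs under Node for testing.

```javascript
// Added example (not from the thread): PAC script for bypassing the squid
// proxy for sites that must talk to a local agent (e.g. a smart card client).

// Proxy directive handed to the browser. For Chrome's secure web proxy (design
// doc linked in the earlier post) the scheme would be "HTTPS host:port" instead,
// which additionally requires squid to listen with TLS on that port.
var SQUID = "PROXY 10.21.30.1:3128";

// Constructed placeholder list. A leading dot matches the domain and all of
// its subdomains. Whatever goes DIRECT here must also be allowed by a
// pfSense firewall rule (client IP -> site:port), as noted in the post above.
var BYPASS_DOMAINS = [".safeconnection.com"];

// Literal IPv4 addresses in RFC 1918 ranges. Hostnames that merely resolve to
// a private address are not covered; that would need the PAC dnsResolve().
function isPrivateLiteral(host) {
  return /^10\.\d+\.\d+\.\d+$/.test(host)
      || /^192\.168\.\d+\.\d+$/.test(host)
      || /^172\.(1[6-9]|2\d|3[01])\.\d+\.\d+$/.test(host);
}

// True when host equals a bypass domain or is a subdomain of one
// (a suffix match alone would wrongly bypass "notsafeconnection.com").
function matchesBypass(host) {
  return BYPASS_DOMAINS.some(function (d) {
    var bare = d.charAt(0) === "." ? d.slice(1) : d;
    return host === bare || host.slice(-(bare.length + 1)) === "." + bare;
  });
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain (dotless) names and loopback are local: never proxy them.
  if (host === "localhost" || host === "127.0.0.1" || host.indexOf(".") === -1) {
    return "DIRECT";
  }
  if (isPrivateLiteral(host) || matchesBypass(host)) {
    return "DIRECT";
  }
  return SQUID;
}
```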
12
Deutsch / Re: Squid issues wrong certificates on some sites
« on: November 24, 2016, 01:16:35 pm »
Did you take this into account?

"Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection."

But I assume you have already set this up, since otherwise you should be getting errors in general.

So, step by step:

1. Check that your certificate has the correct pfSense host in "CN".

2. Switch to "Accept Remote Certificate with errors"; that fixed some errors for me. The "drawback" of the setting follows from its description. Also deselect everything under "Certificate Adapt".

3. Set the accepting interface to your LAN only.

13
Deutsch / Re: Squid issues wrong certificates on some sites
« on: November 23, 2016, 10:54:41 am »
Using SSL filtering with Squid inevitably means that Squid connects to the web server and its certificate, and your local browser connects to Squid via SSL, so it is correct that the certificate of your Squid server (internal) is shown. The SSL chain is interrupted by Squid precisely so that the content can be filtered.

However, the pfSense (Squid) certificate you created apparently expired on September 11, so no connection from Squid to the server can be established, as the description says.
Therefore you have to create a new certificate with a longer lifetime via the pfSense Cert Manager. This certificate then has to be selected in Squid's SSL filter settings.

14
As far as I can tell we ran into problems with Hardware TCP Segmentation Offloading (TSO) enabled, not on the LAN side but on the WAN side (VDSL).
pfSense is installed on an ESXi host as a VM. LAN and WAN are on an Intel i350-T4 card.
With TSO enabled I could not make any transfers with "larger" files anymore, e.g. we could not send E-Mails with an attachment via Outlook anymore.

15
I tried 2.4 Alpha testwise with latest Hyper-V Server 2016 TP5 as a Gen2 VM with Safe Boot disabled. ISO file:

pfSense-CE-2.4.0-DEVELOPMENT-amd64-20160902-0634.iso

When I power on the VM it displays the pfSense start screen, but when I try to install (Multi User and Single User) it loads the kernel for one line and then the VM reboots, back to the start screen (loop). I tried all options but it will not go further.

How did you manage to get to the partition screen? Do you have a HDD already integrated in the VM?
