

Messages - chetansaundankar

1
Routing and Multi WAN / Pfsense as a router-on-a-stick
« on: January 12, 2011, 04:28:24 am »
Setup
---------
I have a setup where VMs use VLANs (VLANs are assigned dynamically to a VM as it gets provisioned, so the VLAN situation is not known beforehand). The VMs are in the same subnet, 192.168.3.0/24; however, each VM is in a separate VLAN. I want to use pfSense as a gateway for the VMs, with the VLAN trunk terminating at that pfSense.

I would like to know your thoughts on this.


2
OpenVPN / Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« on: November 28, 2010, 11:49:47 pm »
@eureka, thanks for the suggestions.
I will try out your suggestions & get back to you with the results.

Before I try them out, though, I would like to tell you that the sub-domain to search in is not known at deployment time. Sub-domains, and users in those sub-domains, are added dynamically; there could be hundreds of sub-domains in one root domain, so fixing the group BaseDN won't be possible. I had commented out the <Group>...</Group> section completely when I tested.

Also, I would like to know what exactly "%u" does in the filter (&(uid=%u)).


3
OpenVPN / Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« on: November 26, 2010, 11:20:35 am »
Thanks a lot for this. I was able to get it working.
However, I have observed some strange behavior:

Setup
-------
- My setup has pfSense 1.2.3 & OpenDS 2.2 as the LDAP provider.
- In LDAP, I have the base DN "dc=baseorg,dc=com".
- There are two sub-domains: "dc=orgone,dc=baseorg,dc=com" and "dc=orgtwo,dc=baseorg,dc=com".
- There's a user in each sub-domain called "testuser".
- BaseDN in the authorization section of the config is set to "dc=baseorg,dc=com".
- RequireGroup in the authorization section of the config file is set to false.

Behavior - 1
---------------
Test: I try to authenticate with testuser@baseorg.com.
Expected Behavior: Ideally auth should fail, as the user belongs to one of the sub-domains.
Actual Behavior: The user gets authenticated successfully.
Question: Is this expected behavior?


Behavior - 2
---------------
Test: I try to authenticate with junk values (whatever@abcd.com).
Expected Behavior: Ideally auth should fail with an error message for an incorrect username or domain.
Actual Behavior: A line in the OpenVPN log: Incorrect password supplied for LDAP DN "cn=testuser,dc=orgtwo,dc=baseorg,dc=com".
Question: How come "cn=testuser,dc=orgtwo,dc=baseorg,dc=com" is referred to when the values are junk?
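A worked model of the search-then-bind lookup, added here as an illustration; it is not code from the thread, the HOWTO or the auth-ldap plugin. `%u` in the plugin's SearchFilter is a placeholder that is replaced with the username the VPN client supplied before the search runs, and the example does the same in `build_filter`. It then runs that filter as a subtree search from the configured BaseDN against a constructed in-memory copy of the tree described in the post (the userPassword values and the objectClass attributes are made up, and a real deployment would send the search over LDAP and bind as the returned DN instead of comparing a stored password). Two things it shows: searching from dc=baseorg,dc=com for uid=testuser matches the entry in both sub-domains, so a lookup that takes whichever DN comes back will let the user in from the base DN; and a username substituted into a filter without RFC 4515 escaping can change the filter itself, which is why the example escapes it. The example takes the bare username; how the HOWTO's setup turns user@domain into a search is not shown in the thread and is not modelled here.

```python
"""Search-then-bind lookup of the kind an LDAP auth plugin performs.

Added example, not code from the thread or the plugin. The directory below is
a constructed in-memory stand-in for the OpenDS tree in the post; a real
deployment would send the filter over LDAP and bind as the resolved DN.
"""
import re

# Constructed stand-in for the post's tree: one "testuser" under each sub-domain.
# The userPassword values are made up for the example.
DIRECTORY = {
    "dc=baseorg,dc=com": {"objectClass": ["domain"]},
    "dc=orgone,dc=baseorg,dc=com": {"objectClass": ["domain"]},
    "dc=orgtwo,dc=baseorg,dc=com": {"objectClass": ["domain"]},
    "cn=testuser,dc=orgone,dc=baseorg,dc=com": {"uid": ["testuser"], "userPassword": ["secret-one"]},
    "cn=testuser,dc=orgtwo,dc=baseorg,dc=com": {"uid": ["testuser"], "userPassword": ["secret-two"]},
}

# Filter template in the plugin's syntax; %u stands for the supplied username.
SEARCH_FILTER = "(&(uid=%u))"


def escape_filter_value(value):
    """RFC 4515 escaping, so a username cannot alter the filter's structure."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\0", "\\00"))


def build_filter(template, username):
    """Substitute %u with the (escaped) username before the search is run."""
    return template.replace("%u", escape_filter_value(username))


def _parse(filter_str, pos=0):
    """Parse one filter component starting at '('; supports (attr=value), (&...) and (|...)."""
    if filter_str[pos + 1] in "&|":
        op = filter_str[pos + 1]
        pos += 2
        children = []
        while filter_str[pos] == "(":
            node, pos = _parse(filter_str, pos)
            children.append(node)
        return (op, children), pos + 1          # skip the closing ')'
    end = filter_str.index(")", pos)            # escaped parens are \28/\29, never bare
    attr, value = filter_str[pos + 1:end].split("=", 1)
    return ("=", attr, value), end + 1


def _unescape(value):
    """Turn \\xx hex escapes back into characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node, attrs):
    if node[0] == "=":
        _, attr, value = node
        if value == "*":                        # presence test, e.g. (uid=*)
            return attr in attrs
        return _unescape(value) in attrs.get(attr, [])
    op, children = node
    results = [_matches(child, attrs) for child in children]
    return all(results) if op == "&" else any(results)


def subtree_search(base_dn, filter_str):
    """DNs at or below base_dn whose attributes satisfy the filter."""
    node, _ = _parse(filter_str)
    suffix = "," + base_dn
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base_dn or dn.endswith(suffix)) and _matches(node, attrs)]


def resolve_user_dn(base_dn, username):
    """Step 1 of search-then-bind: the login name must map to exactly one DN."""
    hits = subtree_search(base_dn, build_filter(SEARCH_FILTER, username))
    if not hits:
        return None, "no entry matched"
    if len(hits) > 1:
        return None, "ambiguous: %d entries matched" % len(hits)
    return hits[0], "ok"


def authenticate(base_dn, username, password):
    """Step 2: bind as the resolved DN (modelled here as a userPassword comparison)."""
    dn, reason = resolve_user_dn(base_dn, username)
    if dn is None:
        return False, reason
    if password in DIRECTORY[dn].get("userPassword", []):
        return True, dn
    return False, "bind failed for " + dn


if __name__ == "__main__":
    print(resolve_user_dn("dc=baseorg,dc=com", "testuser"))          # both sub-domains match
    print(resolve_user_dn("dc=orgtwo,dc=baseorg,dc=com", "testuser"))
    print(build_filter(SEARCH_FILTER, "*"),
          subtree_search("dc=baseorg,dc=com", build_filter(SEARCH_FILTER, "*")))
```

`resolve_user_dn` refuses an ambiguous match rather than picking one of the two entries; whether the plugin does the same is not something the thread shows, so treat that as the example's own policy. Searching from the sub-domain's own DN gives a single hit, which is the situation the per-sub-domain BaseDN in the earlier reply was aiming for.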


4
OpenVPN / Re: Connecting to local subnet issue
« on: August 28, 2010, 02:37:36 am »
I was able to solve the issue by changing the LAN IP address to 192.168.10.233. The problem is that if the WAN & LAN IPs are in the same subnet, then the problem occurs; as soon as I change the LAN IP to, say, 192.168.10.209, the client is able to ping the 192.168.10.209 host. Can someone please explain why this happens?

5
OpenVPN / Connecting to local subnet issue
« on: August 26, 2010, 02:31:59 pm »
During testing of the pfSense OpenVPN server, I faced issues pinging machines in the subnet of the pfSense server.

Setup
---------

- Internet router provided by the ISP. IP: 192.168.1.254
- My laptop. Ubuntu 9.04. IP: 192.168.1.105
- pfSense running as a virtual machine (VMware Player). WAN IP: 192.168.1.239, LAN IP: 192.168.1.233
- Another virtual machine (VMware Player) running with IP: 192.168.1.209

OpenVPN Setup
-------------------------
- TUN interface
- Tunnel network: 10.0.9.0/24
- push "route 192.168.1.0 255.255.255.0" in place

Test
-------
The OpenVPN client on Windows XP tries to connect to the OpenVPN server & then tries to ping 192.168.1.209.

Observations
--------------------
- The connection with the OpenVPN server gets established successfully.
- The client can ping the 192.168.1.239 & 192.168.1.233 addresses.
- The client is also able to ping 192.168.1.105 (the machine on which the pfSense VM is running).
- But the client is not able to ping 192.168.1.209 (the other virtual machine) or 192.168.1.254 (the internet gateway on the server side).

I don't know why this behavior is observed. I'd appreciate it if anybody could offer an explanation.

Thanks

Chetan S.
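An added example, not from the thread or from pfSense, that models where the reply packets in this setup go. Each host is given the addresses it owns and a small routing table (prefix, next hop; None for directly connected), and `trace` walks a packet hop by hop using longest-prefix match. The addresses of the ISP router, the pfSense WAN and LAN, and the second VM are the ones in the post; the tunnel addresses 10.0.9.1 and 10.0.9.6, the ISP router's upstream 203.0.113.1, and the assumption that 192.168.1.209 uses 192.168.1.254 as its default gateway are mine. Under those assumptions the ping reaches 192.168.1.209 through pfSense, but the reply follows the VM's default route to 192.168.1.254, which has no route back to 10.0.9.0/24, so the round trip never completes. The model does not try to reproduce what pfSense itself does with WAN and LAN in the same subnet, a layout pfSense does not expect; it only tracks the reply path.

```python
"""Two-way path check for the OpenVPN-behind-pfSense layout in the post.

Added example, not from the thread or pfSense. Each host is modelled as the
addresses it owns plus a routing table of (prefix, next_hop); a next_hop of
None means the prefix is directly connected. Lookups use longest-prefix match.
"""
import copy
import ipaddress


def _ip(text):
    return ipaddress.ip_address(text)


# Constructed model of the post's lab. The ISP router, pfSense WAN/LAN and VM
# addresses are the ones the post names; the tunnel addresses 10.0.9.1 and
# 10.0.9.6 and the ISP upstream 203.0.113.1 are assumptions for the example.
HOSTS = {
    "client":  {"addrs": {_ip("10.0.9.6")},
                "routes": [("10.0.9.0/24", None),
                           ("192.168.1.0/24", "10.0.9.1")]},     # the pushed route
    "pfsense": {"addrs": {_ip("192.168.1.239"), _ip("192.168.1.233"), _ip("10.0.9.1")},
                "routes": [("192.168.1.0/24", None),
                           ("10.0.9.0/24", None),
                           ("0.0.0.0/0", "192.168.1.254")]},
    "isp":     {"addrs": {_ip("192.168.1.254")},
                "routes": [("192.168.1.0/24", None),
                           ("0.0.0.0/0", "203.0.113.1")]},      # upstream is not modelled
    "vm209":   {"addrs": {_ip("192.168.1.209")},
                "routes": [("192.168.1.0/24", None),
                           ("0.0.0.0/0", "192.168.1.254")]},     # assumed default gateway
}


def next_hop(hosts, host, dst):
    """Longest-prefix match in host's table. Returns the next-hop address or None."""
    best_net, best_via = None, None
    for prefix, via in hosts[host]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    if best_net is None:
        return None
    return dst if best_via is None else _ip(best_via)


def owner(hosts, ip):
    """Name of the host that owns ip, or None if nobody in the model does."""
    for name, host in hosts.items():
        if ip in host["addrs"]:
            return name
    return None


def trace(hosts, src, dst, max_hops=8):
    """Hosts a packet crosses from src toward dst. The last element is the
    destination host, or None when a hop has no usable route."""
    dst = _ip(dst)
    path, cur = [src], src
    for _ in range(max_hops):
        if dst in hosts[cur]["addrs"]:
            return path
        nh = next_hop(hosts, cur, dst)
        cur = owner(hosts, nh) if nh is not None else None
        path.append(cur)
        if cur is None:
            return path
    path.append(None)                                 # loop or too many hops
    return path


def round_trip(hosts, src, dst):
    """Forward path plus the reply path; True only if the reply gets back to src."""
    fwd = trace(hosts, src, dst)
    if fwd[-1] is None:
        return fwd, None, False
    src_ip = str(next(iter(hosts[src]["addrs"])))
    back = trace(hosts, fwd[-1], src_ip)
    return fwd, back, back[-1] == src


def with_route(hosts, host, prefix, via):
    """Copy of the model with one static route added on host."""
    fixed = copy.deepcopy(hosts)
    fixed[host]["routes"].append((prefix, via))
    return fixed


if __name__ == "__main__":
    print(round_trip(HOSTS, "client", "192.168.1.209"))
    fixed = with_route(HOSTS, "vm209", "10.0.9.0/24", "192.168.1.233")
    print(round_trip(fixed, "client", "192.168.1.209"))
```

`with_route` adds the route a LAN host would need (10.0.9.0/24 via pfSense's LAN address) and the round trip then completes; giving the LAN its own subnet with pfSense as its hosts' gateway, as in the follow-up post, has the same effect for the hosts in it. The same check applied to 192.168.1.254 shows the reply leaving by the ISP router's upstream route.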
