

Messages - sporkme

Pages: [1] 2 3 4 5 6
1
Firewalling / Re: Add rules to OpenVPN client interface?
« on: January 30, 2018, 06:27:28 pm »
Quote
I mean, if I remove the rules on that tab, where do I put rules for the server instance?

On the assigned interface for the client or server.

Quote
This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?


That tab is an interface group of all OpenVPN instances on the node. Both clients and servers.

I say again:

Quote
Rules on the OpenVPN tab are processed first.

If those rules match or block traffic the interface rules are never reached.

If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.

I know you keep saying, but consider perhaps your understanding is incorrect.

Right now there's a pass all rule on the OpenVPN server interface.  I have added a "log packets matching..." checkbox on this rule.  There is traffic passing over the OpenVPN client interfaces.  It is not being logged.  Explain why no traffic matches if that rule overrides the client rules (which are still empty, which should be a deny all).

Also what sense would it make to have interface rules for each client instance if the rules have no effect?
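The ordering described in the quoted reply (OpenVPN group tab first, then the assigned ovpnc/ovpns interface, first match wins, implicit default block if nothing matches) can be modelled in a few lines. This is an added illustration written for this page, not pfSense code or anything posted in the thread; the rule fields, the constructed sample packet and the scenario names are assumptions. It also mirrors the logging check being argued about: if the group-tab pass rule really matched first, its log flag would be what fires.

```python
"""First-match rule evaluation across an interface group and an assigned
interface, modelled after the ordering described in the thread (assumed
simplification: only source/destination matching, no ports or direction)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: str = "any"     # "any" or a CIDR such as "10.0.0.0/8"
    dst: str = "any"
    log: bool = False    # the "log packets matching" checkbox
    label: str = ""

    def matches(self, pkt):
        """True when both address selectors accept the packet."""
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return True


def evaluate(group_rules, iface_rules, pkt):
    """Return (action, matched-rule label, logged).

    Group-tab rules are walked before the assigned interface's rules; the
    first match ends evaluation.  A packet matching nothing at all falls to
    the implicit default block and is not logged by any user rule.
    """
    for tab, rules in (("OpenVPN", group_rules), (pkt["iface"], iface_rules)):
        for rule in rules:
            if rule.matches(pkt):
                return rule.action, f"{tab}:{rule.label}", rule.log
    return "block", "default-deny", False


# Constructed sample packet: VPN client peer talking to an internal host.
PKT = {"iface": "ovpnc1", "src": "10.8.0.5", "dst": "10.0.0.20"}

# Per-interface rules on the assigned client interface (assumed example).
CLIENT_IFACE_RULES = [Rule("block", dst="10.0.0.0/8", label="block-internal")]


def scenario_group_pass_all():
    """Pass-all with logging on the OpenVPN tab shadows the interface rules."""
    group = [Rule("pass", log=True, label="pass-all")]
    return evaluate(group, CLIENT_IFACE_RULES, PKT)
    # -> ("pass", "OpenVPN:pass-all", True): the interface block is never reached


def scenario_group_tab_empty():
    """With the group tab cleared, the assigned interface's rules control."""
    return evaluate([], CLIENT_IFACE_RULES, PKT)
    # -> ("block", "ovpnc1:block-internal", False)


def scenario_no_rules_anywhere():
    """No rules on either tab: the implicit default block applies."""
    return evaluate([], [], PKT)
    # -> ("block", "default-deny", False)


if __name__ == "__main__":
    for fn in (scenario_group_pass_all, scenario_group_tab_empty,
               scenario_no_rules_anywhere):
        print(f"{fn.__name__}: {fn()}")
```

The useful part for the thread's disagreement is the third tuple element: under this model a logged pass-all on the group tab is the rule that fires for every packet on every OpenVPN interface, so its log entries are the observable test of whether group rules really run first.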

2
Firewalling / Re: Add rules to OpenVPN client interface?
« on: January 27, 2018, 01:49:29 pm »
Rules on the OpenVPN tab are processed first.

If those rules match or block traffic the interface rules are never reached.

If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.


This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?

I mean, if I remove the rules on that tab, where do I put rules for the server instance?

3
Firewalling / Re: Add rules to OpenVPN client interface?
« on: January 27, 2018, 12:34:01 pm »
A picture of rules might help

As I said above, there are no rules on this interface, so it should be a default deny/drop.

Anyhow, pics of that and the interface assignments attached.


4
Firewalling / Add rules to OpenVPN client interface?
« on: January 26, 2018, 04:11:00 pm »
How does one implement rules on an openvpn client interface?

I went to Interfaces -> Assign and selected/enabled the ovpnc interface of interest, and I now see a rules tab for it in the firewall config section.  I've restarted the vpn connection.  Even with no rules (which is a default block), traffic flows without restriction in both directions.

How do I attach rules to this?

5
I use HE.net as well, and just noticed this ATV issue today. I actually have a handful of streaming devices and I'd really prefer all of them to use IPv4 - mainly because I'm OTT-only with all my viewing and don't want to screw around with things by possibly pushing traffic over a tunnel, it's just another possible point of failure I don't want to think about.

Given that I know all the MACs of these devices (a few rokus, an ATV and a fire TV), is there some way on the pfsense side to just prevent them from even picking up IPv6 addresses?  I know I could VLAN but I really don't want to invest in more gear or cable runs to accomplish this.

6
DHCP and DNS / Re: Trying to disable DNS Resolver, getting an error
« on: August 16, 2017, 10:21:29 am »
I know this is old, but it's the most recent topic on this I'm finding.

I have the exact same error, and I'm not finding any obvious fixes.  I'm on 2.3.4.

I run the resolver instead of the forwarder so I can have DNSSEC (very nice if you use ssh's sshfp record stuff).

I also find that when DNS is screwed, the web UI is basically not usable.  How does one work around that?

7
Feedback / Re: Blog - javascript scrolling hacks
« on: July 21, 2017, 01:25:00 pm »
That's the site (the pfsense blog as opposed to...?), and if you pick around in the javascript for the theme they've purchased, there's all sorts of scrolling f***ery going on there.  I'm sure it varies from browser to browser, OS to OS.  I'm Chrome, OS-X.  It's site-specific. I've seen similar behavior on a handful of other sites, usually WordPress blogs with one of those themes that has a 200+ item bullet list of features to justify the cost of the theme.

Just pointing it out, if the blog guy doesn't grok the code they have in place that's fine, just noting it's totally annoying and gratuitous.  It resides in common/common.min.js.

I also have no interest in disabling "smooth scrolling" to correct one site.  I like my smooth scrolling elsewhere, TYVM. :)

8
Feedback / Blog - javascript scrolling hacks
« on: July 20, 2017, 03:51:39 pm »
I know, I must be one of a handful of people that uses an actual mouse with a scroll wheel, but as one of them, I'll lodge this request:  remove the javascript junk on the blog that screws with mouse acceleration, it basically makes scrolling unusable - just one tiny up or down scroll jumps huge amounts.  Even in other contexts there's rarely any kind of common sense case to be made for fiddling with scroll acceleration on desktop.

9
Firewalling / FiOS IPTV?
« on: June 28, 2017, 12:43:12 am »
I'm in a bit of a spot because I'm technically under NDA, but I am in Verizon's IPTV trial.  They seemed unsure on whether I needed their router or not, so they sent me the boxes (two set-top boxes and a dvr).  So far, no dice.  The box acts as if it's doing something, and non-live TV seems fine, but any of the live TV stuff just stalls out with no picture.  I'm guessing they're using multicast based on what other folks asking about other IPTV services in the forums have posted, but I'm not sure.

TL;DR - anyone else here on the same trial, and if so, can you share what you did to get things working short of sticking your pfsense box behind their router and double-natting everything?

10
General Questions / Re: What hardware is everyone using?
« on: February 22, 2017, 09:39:03 pm »
For home use I keep using old/refurb Dell slimline boxes.  They are very cheap, nearly silent, and tend to be power efficient.  For a long time I had a Dell P-III-600MHz box, that finally ran out of CPU when I moved to FiOS (usenet downloads maxed at maybe 70Mb/s).  Now I'm running a Core2Duo slimline Dell, picked it up on Amazon (free Prime shipping) for $80.  Something similar to this, they're all over Amazon and Ebay: https://smile.amazon.com/OptiPlex-Core2Duo-2-66GHz-160GB-DVD-RW/dp/B00J8K4KZ4/

Also found Realtek cards with full or low profile brackets that actually work well with FreeBSD:

https://smile.amazon.com/gp/product/B008FAELF2/

11
Firewalling / Save states across reboot?
« on: February 20, 2017, 11:00:09 pm »
I remember at some point having a BSD-based firewall that let you run a command at shutdown to save firewall/NAT states to a file and then load them back at system start.  After a bit of googling, it looks like this was the old "ipf" firewall package, and specifically the "ipfs" command (https://smartos.org/man/1m/ipfs).

It appears pf dropped this capability - I don't see anything in the pfctl manpage to lock, save or load states.  So long shot, any plans for pfsense to do something similar since you're working with a sort of fork of the official pf?  I remember how nice it was to be able to keep my ssh sessions around over the course of an OS update, how cool would that be if one could start an update in pfsense and when the box finishes rebooting all your long-running connections are still there?

12
Traffic Monitoring / Re: RRD Summary - Last month traffic count incorrect
« on: December 01, 2016, 09:13:28 pm »
Is this fixed yet?  I'm not sure I believe this total for last month:

In   7715977 MBytes
Out   3420302 MBytes
Total   11136279 MBytes

That is possible on a 100Mb/s FiOS connection, and I do make heavy use of PSVue, but 7TB still seems a bit extreme.  I'm on 2.3.2.

Edit:

Threw the new status_rrd_summary that's waiting for approval (dropped https://raw.githubusercontent.com/razzfazz/FreeBSD-ports/7ee34982f851c3290b3f5c95999934f92ed8ec31/sysutils/pfSense-pkg-RRD_Summary/files/usr/local/www/status_rrd_summary.php in /usr/local/www/) and these are the new numbers:

In   640450 MBytes
Out   297139 MBytes
Total   937589 MBytes

With the old graphs gone I don't have anything to compare this to though. Verizon does not offer any type of "meter".

13
Installation and Upgrades / 2.3 update moved me to 32-bit, how?
« on: July 01, 2016, 12:13:57 am »
So while I was trying to figure out where all my pretty RRD graphs that showed monthly usage and such went, I kept getting errors.  Updated to 2.3.x and the mystery error went away, but it was replaced with some brief message along the lines of "rrd files from wrong architecture, deleting" (thanks!  I wouldn't want to save and convert years of data...:) ).

I thought that was a bit odd and then when poking around trying to get apcupsd installed from the FreeBSD repo I noted that it failed because the URL pointed to the amd64 repo.

Any idea why the 2.3 upgrade shoved me to i386?  This is not a modern box, but it was running amd64 and the one cause I could find googling did not seem to be my issue.  My backup config had this line, which I don't think forces me to a "non-standard" update URL (or is it?):

Code:
<firmware>
    <alturl>
        <enable/>
        <firmwareurl>https://updates.pfsense.org/_updaters</firmwareurl>
    </alturl>
</firmware>

14
OpenVPN / Re: Route external OpenVPN IP(s) to DMZ
« on: March 30, 2016, 10:11:52 pm »
Did you ever get this working?  This is incredibly similar to something I'm looking to do and have not had much luck with it.

15
Routing and Multi WAN / Re: Tunneling and multi-homing?
« on: February 28, 2016, 05:37:39 pm »
One more shot, I can't be the only one doing this. :)

So let's say I have my tunnel set up, be it IPSEC, GRE, whatever.  I have a block of IPs routed over the tunnel TO the pfsense box.  How do I in turn make those IPs usable in both a 1:1 NAT setup AND make some available on another interface (ex. on a VLAN on the LAN side of the pfsense box)?
