


Messages - Maxburn

1
pfBlockerNG / Re: pfBlockerNG v2.0 w/DNSBL
« on: April 19, 2018, 08:45:53 pm »
Did charting make it into this release? I can't seem to find it.

https://forum.pfsense.org/index.php?topic=144733.msg787832#msg787832

2
Packages / Bandwidthd legend/logo pics not showing
« on: April 14, 2018, 08:11:34 am »
Seems like there are some missing files for the following URLs. I can see the graphs but would like the legends to work too.

https://pfsenseip/bandwidthd/logo.gif
https://pfsenseip/bandwidthd/legend.gif

3
Found it at the extreme bottom of the config file, thanks. Makes sense in retrospect as the vLANs configured in another section have a selection for their parent interface. I thought that was what I was configuring above all in one step but guess not.

Edited it to this and it all came back up fine.

Code:
<vlans>
<vlan>
<if>em0</if>
<tag>10</tag>
<pcp></pcp>
<descr><![CDATA[IoT]]></descr>
<vlanif>em0.10</vlanif>
</vlan>
<vlan>
<if>em0</if>
<tag>11</tag>
<pcp></pcp>
<descr><![CDATA[Phones]]></descr>
<vlanif>em0.11</vlanif>
</vlan>
</vlans>

4
I googled around and seemingly the best advice I saw was to export my config from present pfsense, edit the interface section and upload to new router. Everyone says it is easy and takes seconds but I keep running into interface not known issues during boot, seemingly surrounding my vLANs? What am I doing wrong in these config files below??

I got these names from the autoconfig options during boot so I know that's the names pfsense sees on the new hardware. Assigning what I want during boot just gets me an endless "interface not known" and never lets me progress to running.

Old config file
Code:
<interfaces>
<wan>
<enable></enable>
<if>igb0</if>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<gateway></gateway>
<blockpriv>on</blockpriv>
<blockbogons>on</blockbogons>
<media></media>
<mediaopt></mediaopt>
<dhcp6-duid></dhcp6-duid>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
<descr><![CDATA[WAN]]></descr>
</wan>
<lan>
<enable></enable>
<if>igb1</if>
<ipaddr>10.0.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media></media>
<mediaopt></mediaopt>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
<descr><![CDATA[LAN]]></descr>
</lan>
<opt1>
<descr><![CDATA[vLAN10IoT]]></descr>
<if>igb1.10</if>
<enable></enable>
<ipaddr>10.0.10.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac>
</opt1>
<opt2>
<descr><![CDATA[VLAN11Phones]]></descr>
<if>igb1.11</if>
<enable></enable>
<ipaddr>10.0.11.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac>
</opt2>
</interfaces>

New config file
Code:
<interfaces>
<wan>
<enable></enable>
<if>igb0</if>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<gateway></gateway>
<blockpriv>on</blockpriv>
<blockbogons>on</blockbogons>
<media></media>
<mediaopt></mediaopt>
<dhcp6-duid></dhcp6-duid>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
<descr><![CDATA[WAN]]></descr>
</wan>
<lan>
<enable></enable>
<if>em0</if>
<ipaddr>10.0.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media></media>
<mediaopt></mediaopt>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
<descr><![CDATA[LAN]]></descr>
</lan>
<opt1>
<descr><![CDATA[vLAN10IoT]]></descr>
<if>em0.10</if>
<enable></enable>
<ipaddr>10.0.10.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac>
</opt1>
<opt2>
<descr><![CDATA[VLAN11Phones]]></descr>
<if>em0.11</if>
<enable></enable>
<ipaddr>10.0.11.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac>
</opt2>
</interfaces>
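Posts 3 and 4 above show the cause of the "interface not known" loop: the parent NIC was renamed in the <interfaces> section but the <vlans> section at the bottom of config.xml still referenced igb1. As an added example (not the poster's or pfSense's code), the Python below checks the two sections against each other and renames a parent NIC in both; SAMPLE_CONFIG is a constructed, trimmed config that reproduces the half-edited state.

```python
# Added example (not the poster's or pfSense's code): check that the
# <interfaces> and <vlans> sections of a pfSense config.xml agree, and rename
# a parent NIC in both. SAMPLE_CONFIG is a constructed, trimmed config
# reproducing the half-edited state from the posts above.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
<interfaces>
<lan><enable></enable><if>em0</if><ipaddr>10.0.1.1</ipaddr></lan>
<opt1><descr>vLAN10IoT</descr><if>em0.10</if><enable></enable></opt1>
<opt2><descr>VLAN11Phones</descr><if>em0.11</if><enable></enable></opt2>
</interfaces>
<vlans>
<vlan><if>igb1</if><tag>10</tag><vlanif>igb1.10</vlanif></vlan>
<vlan><if>igb1</if><tag>11</tag><vlanif>igb1.11</vlanif></vlan>
</vlans>
</pfsense>"""


def vlan_mismatches(root):
    """Names of interfaces whose <if> is a VLAN device (parent.tag) that no
    <vlans>/<vlan>/<vlanif> defines: these boot as 'interface not known'."""
    defined = {v.findtext("vlanif") for v in root.iterfind("vlans/vlan")}
    return [iface.tag for iface in root.find("interfaces")
            if "." in iface.findtext("if", "")
            and iface.findtext("if") not in defined]


def rename_parent(root, old, new):
    """Rename a physical NIC everywhere: <if> in <interfaces> (including
    old.N VLAN devices) and <if>/<vlanif> in every <vlans>/<vlan>."""
    def fix(elem, tag):
        node = elem.find(tag)
        if node is None or not node.text:
            return
        if node.text == old:
            node.text = new
        elif node.text.startswith(old + "."):
            node.text = new + node.text[len(old):]

    for iface in root.find("interfaces"):
        fix(iface, "if")
    for vlan in root.iterfind("vlans/vlan"):
        fix(vlan, "if")
        fix(vlan, "vlanif")
    return root


def check_config(xml_text):
    return vlan_mismatches(ET.fromstring(xml_text))


def fix_config(xml_text, old, new):
    """Return (remaining mismatches, rewritten XML) after the rename."""
    root = rename_parent(ET.fromstring(xml_text), old, new)
    return vlan_mismatches(root), ET.tostring(root, encoding="unicode")
```

ElementTree does not preserve the CDATA wrappers pfSense writes around <descr>, so treat the rewritten XML as a check of what must change rather than a drop-in replacement for the real config.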

5
Following up; I started over with following this guide; https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

That guide is so simple and leaves out any client specific overrides, no iroute CCD entries etc. Far as the firewall rules go there was already something in there from a wizard I tried before which still looked suitable.

Loaded the client export to the ERX and it failed, logs show --pull is inappropriate for UDP. Without much hope I commented that out in the config file and retried, tunnel came up. But I couldn't ping back and forth. Then found this in the system logs for openvpn in pfSense:

ERROR: FreeBSD route add command failed: external program exited with error status: 1

Googling that it's a routing issue. So I checked over that guide again, couldn't find anything wrong and said heck with it, rebooted pfSense. When it came back up that error was gone, tunnel was up. Local LAN devices could reach remote LAN and vice versa.

So yay?

6
Quote
ping and traceroute maybe do well. ICMP is a stateless protocol. The problems with that come if you establish a stateful connection.

So I'd try one of the suggestions.

OK, thanks for bearing with me! That one got through, I can just about picture how that makes a difference with how things are flying around.

7
Maybe I'm not expressing the problem right, at the moment everything can reach everything else. See these traceroutes below. BUT when I reach out from my local LAN to those remote devices I can only stay connected for a minute or two. I haven't done anything in the pfSense firewall yet either, maybe that's the issue??

This is my remote raspberry Pi reaching back to some random local LAN device
Code:
user@raspberrypi:~ $ traceroute 10.0.1.3
traceroute to 10.0.1.3 (10.0.1.3), 30 hops max, 60 byte packets
 1  10.0.3.1 (10.0.3.1)  0.598 ms  0.524 ms  0.478 ms
 2  10.80.0.1 (10.80.0.1)  80.190 ms  80.152 ms  80.372 ms
 3  10.80.0.1 (10.80.0.1)  3049.530 ms !H  3089.671 ms !H  3089.633 ms !H
pi@raspberrypi3:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.3  netmask 255.255.255.0  broadcast 10.0.3.255

This is my local chromebook reaching a remote LAN device.
Code:
crosh> ping 10.0.3.2
PING 10.0.3.2 (10.0.3.2) 56(84) bytes of data.
64 bytes from 10.0.3.2: icmp_seq=1 ttl=62 time=49.3 ms
64 bytes from 10.0.3.2: icmp_seq=2 ttl=62 time=44.9 ms
64 bytes from 10.0.3.2: icmp_seq=3 ttl=62 time=43.4 ms
^C
--- 10.0.3.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 43.487/45.909/49.310/2.482 ms
crosh> tracepath 10.0.3.2
 1?: [LOCALHOST]                                         pmtu 1500
 1:  pfSense.localdomain                                   1.393ms
 1:  pfSense.localdomain                                   1.054ms
 2:  ubuntuserver.localdomain                              1.252ms asymm  1
 3:  10.80.0.11                                           50.313ms asymm  2
 4:  10.0.3.2                                             45.226ms reached
     Resume: pmtu 1500 hops 4 back 3

8
From the 2nd link you provided:
Quote
the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work.

This is exactly what I said, when I said to add specific routes to each device.

Yes, that's a work around. If you can't do the thing it mentions before that:

Quote
That means in our example: 10.10.2.1 must know that for 10.10.1.x 10.10.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to 10.10.2.10 This is true for any number of lans you want to connect, whether server or client.

9
Quote
I don't think you understood me. I put a static route in pfsense, which is the default gateway for everything on my local LAN. It should see that traffic and send it to the VPN.

???

So, if a device on the LAN wants to send a packet to the other end of the VPN, it sends it to pfSense, which is supposed to route it back out the interface it came in on, to get to the VPN elsewhere on the local LAN?  That's not the way routers work.  You'll need to add the specific route to all the devices that want to send traffic to the VPN.

Yes, exactly. Do you think I am interpreting this wrong?

https://secure-computing.net/wiki/index.php/Graph

https://community.openvpn.net/openvpn/wiki/RoutedLans#ROUTESTOADDOUTSIDEOFOPENVPN

Code:
C:\Users\me>tracert 10.0.3.1

Tracing route to 10.0.3.1 over a maximum of 30 hops

  1     1 ms    <1 ms     2 ms  pfSense.localdomain [10.0.1.1]
  2     1 ms     1 ms    <1 ms  ubuntuserver.localdomain [10.0.1.6]
  3    47 ms    41 ms    45 ms  10.0.3.1

Trace complete.

C:\Users\me>ipconfig
~
   IPv4 Address. . . . . . . . . . . : 10.0.1.54

10
Correction; This entry

System / Routing / Static Routes

  • Destination Network: remote network entered as "10.0.3.0" drop down /24
  • Gateway; Selected the above created gateway

Does allow local LAN devices to ping remote LAN devices all day long.

But once I SSH into a remote server and tell it to ping something on my local LAN this works great for a little while and then I get disconnected. The VPN tunnel is not dropping.

Edit, more info. This looks like what I want to see going on from the LAN.

Code:
tracert 10.0.3.3

Tracing route to 10.0.3.3 over a maximum of 30 hops

  1     1 ms    <1 ms     2 ms  pfSense.localdomain [10.0.1.1]
  2     1 ms     1 ms    <1 ms  ubuntuserver.localdomain [10.0.1.6]
  3    45 ms    42 ms    40 ms  10.80.0.11
  4    44 ms    41 ms    41 ms  10.0.3.3


Code:
user@10.0.3.3's password:
Linux raspberrypi3 4.9.59-v7+ #1047 SMP Sun Oct 29 12:19:23 GMT 2017 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 16 14:17:23 2018 from 10.0.1.54
user@raspberrypi3:~ $ ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=1 ttl=62 time=76.1 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=62 time=40.0 ms
64 bytes from 10.0.1.1: icmp_seq=3 ttl=62 time=44.1 ms
64 bytes from 10.0.1.1: icmp_seq=4 ttl=62 time=42.9 ms
64 bytes from 10.0.1.1: icmp_seq=5 ttl=62 time=41.4 ms
64 bytes from 10.0.1.1: icmp_seq=6 ttl=62 time=39.8 ms
64 bytes from 10.0.1.1: icmp_seq=7 ttl=62 time=39.0 ms
64 bytes from 10.0.1.1: icmp_seq=8 ttl=62 time=42.7 ms
64 bytes from 10.0.1.1: icmp_seq=9 ttl=62 time=40.8 ms
64 bytes from 10.0.1.1: icmp_seq=10 ttl=62 time=39.8 ms
64 bytes from 10.0.1.1: icmp_seq=11 ttl=62 time=42.8 ms
64 bytes from 10.0.1.1: icmp_seq=12 ttl=62 time=40.3 ms
64 bytes from 10.0.1.1: icmp_seq=13 ttl=62 time=44.2 ms
64 bytes from 10.0.1.1: icmp_seq=14 ttl=62 time=42.8 ms
64 bytes from 10.0.1.1: icmp_seq=15 ttl=62 time=40.8 ms
64 bytes from 10.0.1.1: icmp_seq=16 ttl=62 time=43.6 ms
64 bytes from 10.0.1.1: icmp_seq=17 ttl=62 time=42.9 ms
64 bytes from 10.0.1.1: icmp_seq=18 ttl=62 time=42.6 ms
64 bytes from 10.0.1.1: icmp_seq=19 ttl=62 time=44.1 ms
64 bytes from 10.0.1.1: icmp_seq=20 ttl=62 time=42.7 ms

putty session disconnected...

11
Quote
If the VPN endpoint is within the LAN, a static route on the edge router cannot resolve the routing issue.
You rather need static routes on each LAN device pointing to the Ubuntu server.

I don't think you understood me. I put a static route in pfsense, which is the default gateway for everything on my local LAN. It should see that traffic and send it to the VPN.

More findings, changing the static route entry:

System / Routing / Static Routes

  • Destination Network: remote network entered as "10.0.3.0" drop down /24
  • Gateway; Selected the above created gateway

This allows anything on my local LAN to communicate to anything on my remote LAN, great

But, things on the remote LAN can't reach anything on my local LAN. This baffles me.

Quote
Why do you not run the OpenVPN server on pfSense?

I could not wrap my head around the GUI to make OpenVPN do what I wanted. I have decent experience with this at work doing site to site between endpoints that are the default gateway but we aren't routing to the server LAN.
https://forum.pfsense.org/index.php?topic=145034.msg789391#msg789391

12
OK, I have a Ubuntu server on my local LAN running OpenVPN. I also have a remote Ubiquiti Edgerouter connecting to my Ubuntu OpenVPN with no issue, port forwarding etc in local pfSense working fine tunnel up etc. Current Symptoms:
  • Local Ubuntu server can ping and SSH into multiple things on remote LAN
  • Remote Edgerouter and a linux server on remote LAN can ping the Ubuntu server local LAN IP, but can't reach anything else on local LAN
  • Nothing else on local LAN can reach remote LAN
So, sounds like I need to add a static route to pfSense to point to the local Ubuntu VPN server to allow local LAN devices to reach out to the remote LAN. Right? This is what I did and it doesn't seem to be doing anything.

System / Routing / Gateways
  • Interface: LAN
  • Address Family IPv4
  • Gateway; the Ubuntu Server LAN IP 10.0.1.6
  • Default Gateway not checked; I don't think I want this to be the LAN default gateway...
  • Disable Monitoring not checked
  • Monitor IP, blank. Ubuntu server will ping
  • In pfSense dashboard the gateway shows UP

System / Routing / Static Routes
  • Destination Network: remote VPN virtual IP entered as "10.80.0.0" drop down /24
  • Gateway; Selected the above created gateway
Using a computer on my local LAN I can't seem to get anything on tracert past pfSense, IMO pfSense should be sending this to my Ubuntu server at 10.0.1.6 but it isn't. What am I missing?

Code:
tracert 10.0.3.1

Tracing route to 10.0.3.1 over a maximum of 30 hops

  1     1 ms    <1 ms     2 ms  pfSense.localdomain [10.0.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Edit: I'm using these guides
https://community.openvpn.net/openvpn/wiki/RoutedLans
https://secure-computing.net/wiki/index.php/Graph
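The routing tangle in posts 6 to 12 comes down to pfSense being the LAN's default gateway while the VPN endpoint (the Ubuntu server at 10.0.1.6) is another host on the same LAN: outbound packets go host -> pfSense -> 10.0.1.6 -> tunnel, but replies come back 10.0.1.6 -> host directly, so the stateful firewall sees only one direction. As an added example (not code from the poster, pfSense or OpenVPN), the Python below models the route tables implied by those posts and flags that asymmetry, with and without the per-device route quoted in post 8; the tables are assumptions reconstructed from the traceroutes.

```python
# Added example (not the poster's, pfSense's or OpenVPN's code): trace the
# forward and return paths through the topology described in posts 6 to 12
# above and report which nodes see only one direction of a connection. The
# addresses are the ones in the posts; the route tables are assumed from them.
from ipaddress import ip_address, ip_network

# Who owns which address (constructed from the posts' traceroutes).
ADDRESSES = {"10.0.1.54": "host", "10.0.1.1": "pfsense", "10.0.1.6": "vpn",
             "10.80.0.1": "vpn", "10.80.0.11": "erx", "10.0.3.1": "erx",
             "10.0.3.3": "remote"}


def topology(host_has_vpn_route):
    """Route tables: node -> [(prefix, next hop)], None = directly connected."""
    tables = {
        "host": [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.1")],
        # pfSense: LAN plus the static route 10.0.3.0/24 via 10.0.1.6 from post 10
        "pfsense": [("10.0.1.0/24", None), ("10.0.3.0/24", "10.0.1.6")],
        "vpn": [("10.0.1.0/24", None), ("10.80.0.0/24", None),
                ("10.0.3.0/24", "10.80.0.11"), ("0.0.0.0/0", "10.0.1.1")],
        "erx": [("10.0.3.0/24", None), ("10.80.0.0/24", None),
                ("10.0.1.0/24", "10.80.0.1")],
        "remote": [("10.0.3.0/24", None), ("0.0.0.0/0", "10.0.3.1")],
    }
    if host_has_vpn_route:  # the per-device route from the quoted workaround
        tables["host"].insert(0, ("10.0.3.0/24", "10.0.1.6"))
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, None to deliver directly."""
    matches = [(ip_network(p), nh) for p, nh in table
               if ip_address(dst) in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, src_ip, dst_ip):
    """Hop-by-hop path as node names, following each node's own table."""
    node, path = ADDRESSES[src_ip], [ADDRESSES[src_ip]]
    while node != ADDRESSES[dst_ip]:
        nh = lookup(tables[node], dst_ip)
        node = ADDRESSES[nh or dst_ip]
        path.append(node)
        if len(path) > 16:
            raise RuntimeError("routing loop")
    return path


def one_way_nodes(tables, a, b):
    """Nodes on a->b that b->a never crosses: a stateful firewall there sees
    only half of every connection, the condition the posts tie to TCP
    sessions dropping while ping keeps working."""
    fwd, back = trace(tables, a, b), trace(tables, b, a)
    return [n for n in fwd if n not in back]
```

With only the pfSense static route, one_way_nodes reports ["pfsense"]; with the 10.0.3.0/24 route on the LAN host itself, both directions bypass pfSense and the list is empty.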

13
I'm in need of a reverse proxy that hits the criteria below, can this be done with Squid/SquidGuard? Is squid easy to work with on pfSense or should I just look into putting it on its own VM, ie; would pfSense just be an unnecessary complication here?

  • Three internal web servers serving up http unencrypted, reverse proxy needs to add encryption.
  • Reverse proxy needs to be able to detect namespace: server1.example.com, server2.example.com, server3.example.com and send that to the right internal server
  • Preferred to use Letsencrypt certs, but not required.
  • LDAP authentication before any access is granted.

I'm currently doing everything except LDAP in Nginx on an Ubuntu VM, thing is I looked at Nginx LDAP and it's just over my head so I'm looking around to see what else is available.

14
Quote
First off, 10.0.3.0/24 needs to be in Remote Networks there. Yes, there and the CCD.

I think that's key. Thing is there was no entry on that page for remote networks. Likely because I selected remote access? I know how it needs to be both in the server config and CCD in plain config files. I changed it to Site-To-Site shared key and that field appeared. Redid everything for that new configuration and now having much less success, endpoints can't even ping the opposite VPN IP let alone anything on the LAN.

Time to back up and reassess this situation, I just spent a day getting something working and failing that I plainly know how to do, but already I'm thinking this would be easier if either I had pfSense on both ends so I could follow guides OR if I just skipped it in pfSense all together and ran OpenVPN on my ubuntu server with the same configuration we use at work in text files. I'm a little shocked at that last part, I am a big fan of GUI but in this one case I took the time to get things working in plain config files so I oddly prefer that now in this one case.

Is there no way to just upload an OpenVPN server config and CCD file in pfSense?

15
I set up an OpenVPN server at my house in pfSense and imported the VPN config to a remote Ubiquiti Edgerouter X. Tunnel is up but I'm having routing difficulty. Both pfSense and the ERX are the default gateway on their LANs. I want devices on either LAN to reach the opposite LAN, Site to Site. Worked with this guide https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

From what I understand those last two things should set up the route/iroute OpenVPN stuff that's necessary. Unfortunately I have no idea where to see the raw OpenVPN server config file or CCD files to see if this is true. I've done this stuff with Windows as the OpenVPN server and the ERX before, just can't figure out the pfSense GUI. I haven't messed with entering any static routes myself, IMO OpenVPN and these two devices already being the default gateways should be enough?!?

  • 10.0.1.0/24 pfSense local LAN
  • 10.9.0.0/24 OpenVPN virtual network
  • 10.9.0.10 is ERX VPN IP, static assignment via client config
  • 10.0.3.0/24 Remote ERX LAN

Symptoms
  • Nothing on 10.0.1.x including the pfSense ping utility can reach anything on 10.0.3.x
  • pfSense ping utility can reach 10.9.0.10, the remote ERX VPN IP
  • The remote ERX can ping anything it wants on 10.0.1.x entire LAN, and my phone using the same pfSense OpenVPN server can reach anything it wants 10.0.1.0/24
  • Other things on the 10.0.3.x LAN can not reach 10.0.1.x IPs
  • The remote ERX can ping 10.9.0.1, the OpenVPN server IP.
  • Other things on the 10.0.3.x LAN can not reach 10.9.0.1
  • In the ERX I can see an automatically created route to 10.0.1.0/24 with next hop 10.9.0.1

pfSense OpenVPN server configuration
  • Remote access TUN / UDP
  • Tunnel network 10.9.0.0/24
  • Redirect gateway off
  • IPv4 local networks has 10.0.1.0/24 in it
  • Provide DNS server is available with 10.0.1.1 listed FWIW

Client specific Overrides, I'm thinking of this as the OpenVPN CCD file, right?
  • has my openvpn server selected
  • has an entry of the connecting ERX common name
  • Tunnel: 10.9.0.10/24
  • IPv4 local networks: 10.0.1.0/24
  • IPv4 remote networks 10.0.3.0/24
