
Messages - saywhat

We were using and

Changed them over to OpenDNS and machines responded almost immediately.

We have had the exact same issue here in UK. We use BT as the ISP/

Same lolcat 3rd party self signed cert appearing for many sites, all DNS being redirected to which shows as being a malicious IP in Portugal, used for lots of spammy domains.

Interestingly, we had Google DNS set on pfsense. When I changed this to OpenDNS the problem immediately went away, pings began to return correct IPs again etc.

I know Google DNS was hijacked before, so that is a possibility, but I would have thought an attack such as that would have hit the news on Twitter by now.
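A small check for the symptom described in this post, added here as example code (not from the original post or from pfSense): it compares answers from the configured resolver with a reference resolver and flags any single IP that many unrelated domains collapse to. The domain list and all addresses are constructed sample data; the live lookup helper assumes `dig` is installed and is not used by the offline sample.

```python
"""Flag a DNS redirection: many unrelated domains resolving to one IP via the
configured resolver while a reference resolver returns distinct answers."""
from collections import defaultdict
import subprocess

# Constructed sample data (hypothetical, not taken from the post). Addresses
# are from the documentation ranges; 203.0.113.7 stands in for the single
# sinkhole IP that every domain was being redirected to.
SAMPLE_LOOKUPS = {
    "www.example.com":  {"configured": "203.0.113.7", "reference": "198.51.100.10"},
    "mail.example.org": {"configured": "203.0.113.7", "reference": "198.51.100.11"},
    "shop.example.net": {"configured": "203.0.113.7", "reference": "198.51.100.12"},
    "news.example.edu": {"configured": "203.0.113.7", "reference": "198.51.100.13"},
    "intranet.local":   {"configured": "198.51.100.20", "reference": "198.51.100.20"},
}


def resolve_via(domain, server, timeout=5):
    """Live A lookup through a specific server (assumes `dig` is available).
    Returns the list of answer strings; empty if the query failed."""
    proc = subprocess.run(["dig", "+short", "@" + server, domain, "A"],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout.split() if proc.returncode == 0 else []


def sinkhole_candidates(lookups, resolver, min_domains=3):
    """IPs that `resolver` handed out for at least `min_domains` distinct domains.
    Unrelated domains sharing one A record is the signature of a redirect."""
    by_ip = defaultdict(set)
    for domain, answers in lookups.items():
        by_ip[answers[resolver]].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def disagreements(lookups, a="configured", b="reference"):
    """Domains where the two resolvers returned different A records."""
    return sorted(d for d, ans in lookups.items() if ans[a] != ans[b])


def assess(lookups):
    """Combine both signals: a shared IP on the configured resolver plus
    mismatches against the reference resolver is strong evidence of hijacking."""
    return {
        "sinkhole_ips": sinkhole_candidates(lookups, "configured"),
        "mismatched_domains": disagreements(lookups),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOOKUPS))
```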

Traffic Shaping / Re: L7 Protocol Definitions for iMessage and Facetime
« on: November 22, 2011, 05:56:08 pm »
The devices are iPads and we don't wish to use a proxy. iPad apps don't all work nicely with proxies, especially if that proxy requires authentication. So we have a separate web filter that operates as a transparent bridge which does web filtering, but not SSL intercepting. Then we have a pfSense box on the other end of that as our main WAN router. One single subnet for our whole internal network, so pfSense is just being used for pure firewall and NAT type stuff.

Had hoped the L7 stuff was the answer, as there doesn't appear to be any other way to do it.

Guess we just have to live with iMessage and FaceTime on our net :(

Traffic Shaping / L7 Protocol Definitions for iMessage and Facetime
« on: November 22, 2011, 10:50:53 am »
I am looking to block the use of FaceTime and iMessage over our network from iOS Devices.

Apple docs claim that FaceTime uses a few UDP ports up in the 16xxx range, plus 80, 443 and 5223. 80 and 443 are open on pfSense for obvious reasons. Turns out if FaceTime or iMessage cannot use those 16xxx ports they just stream the whole lot down 443. Which makes blocking them something I cannot figure out (bar blocking 443 to the entire 17.x.x.x subnet which Apple own.) That is not an option as we still need push notifications for other apps and also wish to use iCloud which also relies on this.

My question is, FaceTime and iMessage send over 443 to Apple encrypted. Can a Layer 7 protocol definition be made up to encompass this and if so does anyone happen to have one lying about? :) As I'm afraid I don't believe I am advanced enough to write one.

Thanks in advance for any pointers

General Questions / Re: PPPoE and Static IP
« on: June 30, 2011, 07:22:58 am »
Perfect thank you

Set up the Other type VIPs on the system and then just create a single catch-all outbound NAT rule to map the traffic to the .86 address that the gateway should be. All seems to be working now and able to use incoming NAT rules to forward port 80 to different internal IPs based on the external IP it was reached from.

Cheers for the help

General Questions / Re: PPPoE and Static IP
« on: June 29, 2011, 06:01:58 pm »
Sorry to jump in on the thread, but I have a similar issue.

We have BT Infinity and have to use their vDSL modem. It requires that pfSense connect to it using PPPoE.

I just have WAN and LAN set up on pfSense.

WAN gets IP address 81.x.x.x from PPPoE but we have a /29 in 217.x.x.81-86 where 86 should be the IP of the gateway (i.e. the pfSense WAN interface). I cannot see any method to have PPPoE and a static IP set up on WAN.

The 81.x.x.x address also changes with every reboot; we wish to have our outgoing traffic go out over 217.x.x.86 with the 81-85 addresses available for various port forwarding purposes.

Any help would be greatly appreciated, and hopefully will also help the thread starter.
