Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - smbsmb

Pages: [1]
Installation and Upgrades / reilable install - 2 HDD/CD/USB?
« on: July 11, 2011, 04:17:23 pm »
I have an old PC (Celeron; 512MB RAM; USB boot BIOS option present).
What is more reliable, to install pfSense on:
1. Two gmirror-ed HDDs. If one of them fails, we can boot from another.
If this old PC fails, we can move HDDs and network cards to another old one,
they are extremely cheap.
2. USB flash stick. Is possible also to use gmirror for USBs?
3. To run pfSense from CD and to store the configuration on Flash/FDD?

The same question, with additions.

Is there a way to use the thansparent proxy with a blacklist
not for all users of my office network?
For example, a chief and some managers has access to all sites,
but others have the blacklist of sites.

Also, is there a way for this blacklist to be time-specific,
for example - during lunch time (13:00-14:00) all users
can visit all sites (Let them get fun insted of lunch if they want)? Smile

The problems is that the managers don't have their personal PCs,
the use PCs shared with other users.

Can VPN Service solve this problem?
For example, my users could work without VPN - and get blacklist,
but the managers can login to this VPN and work without blacklists.... ?

Can new Load Balancer work with 2 or more PPPoE/PPtP connections?

Thank for for the answer, but I still can't setup what I need.
I'd like to have the following:
- access allowed from all computers to "good sites" without authentication
- access denied from all computers to "bad sites" (using transparent squid proxy)
- access allowed from a computer, when "the chief" authenticates by one of the methods:

- temporarily configures a Web browser to use a proxy, it ask login/password,
     after auth he has access to ALL sites.
     Does squid support combining transparent and non-transparent modes?
- connects to PFsense using PPPoE or PPtP by his login/password,
   and has access to ALL sites.
   Is the Squid configuration possible, to not intercept connections from PPPoE/PPtP serveices,
    of to intercept, but not to filter them?

AFAIK "Captive portal" cannot help me on this case.

Please help me to solve this problem:
Workers in our office should have access only to 10-12 sites (for work),
their ACL of these DNS-domains can easily be wtitten.
However, some workers should have access to all sites, by personal password.
The access control cannot be done by ip-addresses,
only by login-passwords, because computers are really not so "personal".

What is the right way to do it:
1.  To setup transparent squid+squidguard, and PPPoE(or PPTP) server.
Users without auth will have limited access,
users with auth - will have full access.
Is it possible to setup a transparent proxy,
which will not intercept traffic from PPPoE(or PPTP) users?

2. To setup firewall rules for thess sites, and PPPoE(or PPTP) server.
The rules will be more safe, because will block not only http to unneeded, but
will block all protocols.
However, there can be problems, if some site's IP-addresses will change
 - I should always correct the rules in this case.
AFAIK, it is possible to define different sets of rules,
for NAT and PPPoE(or PPTP) connections(users)?

Is these a better way to do this site-blocking?

How to test a snapshot build?

What an interesting, complex problem!

Our second office is located in a place,
where ISPs only provide slow unlimited Internet
traffic with speed not more than 128 Kbps.
So, our office is now connected that way:
We have bought several unlimited internet logins, 128Kbps each (VPN - pptp).
and use a bundle of route rules.

I tested the vpn connectivity to pptp server on main office, it worked.
Note that we didn't buy an external IP-addresses from our ISP (ISP does NAT for us).
So, our ISP doesn't block GRE,
and even such a complex thing -  "pptp through NAT over pptp" works, but the speed is \

Since GRE is not port-based, and all our connections have the same IP-address (ISP's \
NAT server), I'll try a pfSense to send GRE packets to our main VPN server over the \
Internet over all our ISP's connections in round-robins style, to combine their \
speed. It will probably combine ONLY outbound speed of our channels, but it is better \
than nothing.

Does this "outbound speed combining solution" seem to work, and possible with pfSense?

AFAIK pfSense currently support just one(not more) pptp vpn interface as WAN.
Also, I was told in mail-list:

>  Is there a workaround to connect all 8 pptp connections
>  from pfSense simultaneously?

"Not a good one. 8 installs could do it, then put one install inside
those 8 installs to balance between them. If you can use a cheap NAT
device of some sort on 7 of them, connect the NAT devices to 7 pfSense
interfaces, and use one on pfSense's WAN, then it'll work.

Only way PPTP on multiple WANs will ever get implemented is if you can
contribute code or someone else can in the future.  None of the
current developers have PPTP Internet connections."

- Is it possible to run 9 virtual machines on a computer,
   8 of them will run pfSense and connect to PPTP VPN,
   9th pfSense will load-balance between these 8 pfSenses?
- Is yes, which Virual Machine-software with network-between-VMs
  feature do you recommend to use?
- Is it possible to write a non-standard rule fo PF,
which will round-robin only ooutbound GRE packets,
and to add it (how?) to the pfSense configuration?

pf + ALTQ + borrow ?

The solution should exist, maybe not direct solution.
If these clients connect to pfsense using it's VPN server,
it is a way to determine, whether they want to use internet -
are they logged on the VPN or not logged on.
If I could create a web configuration user with limited rights
(only to change the speed limit),
one of these clients could change it.
Let clients them solve their problems by themselves. :-)

What about a bit different goal?

I have a 1MBps channel and 2 clients.
When only 1 client's computer is turned on (and he wants to use internet),
he should get all 1MBps .
When 2 computers are on, each of them sould get 512kBps.

Is it possible?

Pages: [1]