Messages - jimp

Packages / Re: ACME / Let's Encrypt - "Verify error:Fetching: Timeout"
« on: March 16, 2018, 03:45:06 pm »
The timeout would indicate that was unable to reach that domain.

Is pointing to the firewall itself? Forwarded using NAT maybe? If so, the firewall itself may not be able to complete that request because of how it's handled. It may work in your browser due to NAT reflection, for example; that would not apply to traffic from the firewall itself.

You might need a host override on the firewall to resolve that name to your own local web server.

Hardware / Re: pfSense 2.4.1 and Intel Atom 3858 - 3958
« on: March 16, 2018, 03:40:23 pm »
C3000 support won't be ready for general public use until we put out a pfSense release based on FreeBSD 11.2, which will probably happen in a few months.

There is some early support for our new SG-7100 devices that is based on C3000 in our factory images for 2.4.3, but that is only available to those who have purchased the hardware from us.

CARP/VIPs / Re: pfsense HA and openvpn client
« on: March 16, 2018, 10:37:26 am »
You don't need to create a CARP VIP for the OpenVPN interface.

You set the OpenVPN client instance to use a WAN CARP VIP as _its_ Interface value.

General Questions / Re: Connect from work to home with ssh tunnel ?
« on: March 16, 2018, 09:57:14 am »
Sounds like a good way to get fired. Or worse than that if "classified" material is involved, assuming you meant government "classified", and not company secrets/work product, which could still be a crime depending on the circumstances.

Locking thread. If you want to evade your company policies, you are on your own.

Cache/Proxy / Re: Password Leak In Squid Cache Log
« on: March 16, 2018, 09:47:24 am »
As you can see from the log entry, the problem appears to be from safesearch, not the category itself.

That would be something to bring up to squid directly, though that may be a squidGuard issue as well (and it has been essentially abandoned).

You can disable logging in squid, which could help, but if you are worried about users seeing the passwords, why do those users have access to the squid log at all, or pfSense?

Packages / MOVED: Password Leak In Squid Cache Log
« on: March 16, 2018, 09:46:25 am »

Those errors are almost always a link quality issue. Packets arriving out of order or duplicate copies of packets.

You can play with the replay window settings in OpenVPN but ultimately you probably need to look upstream for the source of the problem.

That is a completely different error. That is the kind of error you get if you use DNS-Manual and tried to renew without clicking 'issue' first.

General Questions / MOVED: Monthly traffic reports?
« on: March 15, 2018, 02:59:40 pm »

Firewalling / Re: Alias Sync
« on: March 15, 2018, 10:43:27 am »
Put the alias contents in a .txt file hosted on a central https server, and then use URL table aliases to pull the contents into the other nodes.

pfBlockerNG may help there if you need updates faster than the default URL table aliases.

Packages / Re: ACMEv2 is live!
« on: March 15, 2018, 09:44:19 am »
Sorry for the unfamiliarity! How do I get the latest ACME package on a 0.2.4 pfSense installation?

The latest version of pfSense is 2.4.2-p1 (or 2.3.5-p1). The latest version of the ACME package is 0.2.5_1 (there were some changes after 0.2.4). You get it by visiting System > Packages. If the package is already installed, click the little upgrade icon next to the package name to update it. If the package is not installed, visit the Available Packages tab and install it from there.

Packages / Re: ACMEv2 is live!
« on: March 15, 2018, 08:17:45 am »
Is that a direct error from pfSense or from the new ACME package ?

Information : pfSense 2.3.5-RELEASE (i386)

You should see ACME package version 0.2.5_1 show up shortly, it contains a fix for this for 2.3.x users.

Users on 2.4.x will see the update but it doesn't really matter for them, I bumped the version to keep it in line so my next batch of enhancements will be easier to merge across all branches.

Packages / Re: ACMEv2 is live!
« on: March 15, 2018, 07:37:36 am »
Appears to be a bug, I'll check it out and fix it up ASAP. Looks like it's a quirk in how the help text is processed on 2.3.x compared to 2.4.x.

Packages / Re: ACMEv2 is live!
« on: March 14, 2018, 01:05:33 pm »
I have generated a few myself.

I will note every once in a while I was getting an error "Le_OrderFinalize not found" and even posted a bug report here thinking I found a workaround, turns out simply retrying after a min or so would let it work.

Edit: I will note the errors were with 0.2.3; I see there was a small change in 0.2.4 that may have resolved it.

I pushed a fix in 0.2.5 that might address this as well, there was another way that sort of error could happen.
