

Messages - kejianshi

Pages: 1 ... 328 329 330 331 [332]
General Questions / Re: Yes, we scan
« on: July 04, 2013, 12:20:35 pm »
There are basically only two entities who go to great lengths for secure communications:

Governments and criminal organizations (if there is a difference).

However, I would argue that everyone should, but good luck getting all your buddies to use secure xmpp chat behind a vpn when facebook and skype are so "cool".  It must be the "smilies".

In the end your issue will not be "can I build a secure infrastructure on the cheap behind a pfsense box that does the job?".
That's the easier part.

In the end your problem will be "How do I get all my buddies and pals to use the stuff when we communicate?".

General Questions / Re: Yes, we scan
« on: July 04, 2013, 11:08:34 am »
If you and a few friends are operating a chat server, then a solid firewall and good crypto will help.  Or, if you own your own phone servers and you guys all use that.  In those scenarios where you OWN the servers and the clients are trusted, you could encrypt everything going in and out between the server and all clients and keep everyone inside a VPN 24/7, and so long as you generated all the crypto yourself and passed the certs out to your friends in person, you would probably be fine.

However, the problems you face are that SSL doesn't help when the OWNERS of the servers you are probably using (like facebook, public email, public phone, etc) are either freely handing over the contents of their servers to the government or being forced to (according to news).

Basically, to have any privacy you would need to own your own services and preferably those services would be non-logging.

This is EXACTLY the behavior you get when using openvpn on a windows machine that wasn't installed as admin and isn't running as admin.  That's why I mentioned it.  Try using the older version of the openvpn client for windows and doing all the admin privs as I described.  Other than wasting some of your time, it can't hurt anything.   Also, if you have been using any other sort of vpn tech like hotspot shield or anything else like that, uninstall those first, then uninstall anything remotely associated with any sort of tunneling or vpn and only then reinstall openvpn client.

If that doesn't work, then we have absolutely for sure found out what your problem isn't...

General Questions / Re: Guest Network
« on: July 03, 2013, 09:41:28 pm »
Beyond setting the two ports to different subnets, I would also add a rule to the TOP of the firewall rules for EACH LAN and OPT1:

OPT 1 interface

BLOCK any with destination LAN subnet

LAN interface

BLOCK any with destination OPT1 subnet

That's it.  The two ports will have access to the world but not each other.

If you want LAN and OPT1 to be able to talk to each other, simply set up:

Firewall Rules:

ID: (blank)
Proto: *
Source: LAN net
Port: *
Dest: *   
Gateway: *
Queue: *
Schedule: (blank)
Description: Allow LAN to ALL

ID: (blank)
Proto: *
Source: OPT1 net
Port: *
Dest: *   
Gateway: *
Queue: *
Schedule: (blank)
Description: Allow OPT1 to ALL

With no other rules listed above these, the LAN and OPT1 will be able to communicate with each other and the WAN.
If you have blocking rules listed above these rules, all bets are off.
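As an added illustration (not code from the post or from pfSense), the following models the first-match, per-interface evaluation that makes the ordering in this post matter: the two "Allow ... to ALL" rules, the same list with the block rules placed on top, and the same rules with the blocks underneath the passes. The subnets and host addresses are constructed; protocol and port are left out because every rule in the post uses `*` for both.

```python
# Added example (not pfSense code): a first-match rule evaluator that models how
# pfSense applies the rules of the interface traffic enters, used here to show why
# the order of the block and pass rules in the post matters.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing for the two ports (assumed values, not from the post).
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Rule:
    iface: str                      # interface the rule is bound to (ingress side)
    action: str                     # "pass" or "block"
    src: Optional[IPv4Network]      # None stands for "*" (any)
    dst: Optional[IPv4Network]      # None stands for "*" (any)
    description: str = ""


def matches(rule: Rule, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
    """A rule applies only on its own interface; None matches any address.
    Protocol and port are left out because every rule in the post uses '*'."""
    return (rule.iface == iface
            and (rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst))


def evaluate(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """Return the action of the first matching rule on the ingress interface.
    Like pf, anything no rule passes is blocked by the implicit default deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, iface, src_ip, dst_ip):
            return rule.action
    return "block"


# The two "Allow ... to ALL" rules from the post.
ALLOW_ALL = [
    Rule("LAN", "pass", LAN_NET, None, "Allow LAN to ALL"),
    Rule("OPT1", "pass", OPT1_NET, None, "Allow OPT1 to ALL"),
]

# The isolation variant: block rules placed at the TOP of each interface's list.
ISOLATED = [
    Rule("OPT1", "block", None, LAN_NET, "Block OPT1 to LAN subnet"),
    Rule("LAN", "block", None, OPT1_NET, "Block LAN to OPT1 subnet"),
] + ALLOW_ALL

# Same rules with the block rules underneath the pass rules: the pass rule wins
# first match, so the blocks never fire and the ports can reach each other.
MISORDERED = ALLOW_ALL + ISOLATED[:2]


def demo() -> dict:
    """Evaluate the cases discussed in the post; returns a case -> action mapping."""
    lan_host, opt1_host, internet = "192.168.1.10", "192.168.2.10", "203.0.113.5"
    return {
        "isolated: LAN -> OPT1": evaluate(ISOLATED, "LAN", lan_host, opt1_host),
        "isolated: OPT1 -> LAN": evaluate(ISOLATED, "OPT1", opt1_host, lan_host),
        "isolated: LAN -> internet": evaluate(ISOLATED, "LAN", lan_host, internet),
        "allow_all: LAN -> OPT1": evaluate(ALLOW_ALL, "LAN", lan_host, opt1_host),
        "misordered: LAN -> OPT1": evaluate(MISORDERED, "LAN", lan_host, opt1_host),
        "no rules on WAN: WAN -> LAN": evaluate(ISOLATED, "WAN", internet, lan_host),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The `MISORDERED` list is the case the post warns about from the other direction: once a pass-to-any rule sits above the block, the block is dead, so the position of a rule in the list is part of the policy, not a cosmetic detail.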

I don't use the pfsense VM.  I have twice before created my own from the 2.01 and 2.02 versions.
The purpose for me was to use the openvpn functions and the PPTP functions, which I can report work very well in VMware.

The thing to be careful of, which might affect this install, is DHCP.

If done incorrectly a pfsense VM will cause conflict if it's trying to assign DHCP on the same domain as another DHCP server (like the one built into your home router) and that might cause the behaviour you described.  I always configured my pfsense VM wan port to pick up DHCP from the router.  I also had to set the VM WAN port to BRIDGED and replicate the physical characteristics of the host so that it was grabbing an IP just like any other computer on the LAN, assigning that to the pfsense VM's WAN and then being sure that none of the subnets I configure for PPTP, openvpn or lan in the VM conflict with the home router.  Set up like that, it works fine.

Since then, I have built quite a few physical boxes, so I don't need the VM anymore, but it always worked well.

I can confirm that making the changes helped MBUF.  No more issues.  I didn't have any erratic behaviour so I didn't apply the NIC specific fixes.  Just the increased MBUF.

The biggest problems I've ever had with Win7 and Vista were this:

At install of openvpn, you really MUST right click the file and install as admin.

Then after that, I locate the openvpn connect icon on desktop and right click and change its compatibility to run as admin.

Then I am usually all good.   If you didn't install as admin on windows, uninstall and reinstall as admin. Then be sure the vpn is run as admin each time you run it.  I suspect your issue will go away.

OpenVPN / Re: OpenVPN TCP works UDP does not
« on: July 03, 2013, 07:37:49 pm »
Hmmmm.   I would do a few things differently. 

I would create 1 openvpn thread on and the second on or so...   (just to get away from the 192.168s)
Then I would check my firewall rules to be sure the rules had been generated properly to PASS those subnets to ANY.  Check the subnets match above.
Then I would create the outbound NAT rules to allow the LAN and for both openvpn subnets. (I stopped using auto outbound NAT on WAN).

Now try it on manual.  Be warned that manual outbound NAT is picky.  Has to be done correctly, but it never leaves me wondering "what went wrong"?

If that doesn't work, having a snapshot of your NAT rules, Firewall rules, Outbound NAT rules, and openvpn config would help people help you.

P.S.  The reason I quit using Automatic Outbound NAT is because it kept rewriting SIP packets and was killing my servers.
And I'm a control freak...   Thus the pfsense.

Cache/Proxy / Re: Problem with LightSquid Realtime Proxy Stats
« on: July 03, 2013, 01:10:22 pm »
I had this problem with lightsquid also.   1.8.2 pkg v.2.32

I also found another issue, but both issues are caused by the addition of the LAN IP being added to the external cache manager block in squid when lightsquid is installed.  If my lightsquid is installed and working correctly I can see both the real time monitor and the logs.  All is well.  But then if I want to add a banned domain to the blacklist, I will get an error that my cache manager IPs are not valid.  This is caused because lightsquid inserts my LAN IP on the external cache manager line and apparently squid doesn't like that.  However, if I delete the LAN IP from the external cache manager, I can then add my banned IPs, however real time monitoring in lightsquid will cease to function.

So, I have a choice.  Either the interface will allow me to have a functioning realtime monitor in lightsquid or the ability to add and subtract black listed domains, but apparently not both simultaneously.

Packages / Re: squid stable stops working and can't be restarted
« on: July 02, 2013, 03:49:18 pm »
What you just explained sounds pretty close to what I am discovering.

For your 8GB system I would have expected that allocating 2GB "Memory cache" and 40GB HD cache
would have resulted in:

4% of 40GB = 1.6GB
+ the 2GB you allocated to Memory cache
= 3.6GB minimum RAM used by squid as the caches fill, which is very near what you show.
I like simple formulas for determining such things.
Maybe 5% or even 6% would be a safer start point than 4% based on your post.

Thanks for the post.

Packages / squid stable stops working and can't be restarted
« on: July 02, 2013, 01:46:17 pm »
squid stable stops working and can't be restarted.  This was really annoying.  I'm pretty sure this was happening because my squid cache settings were less than ideal, causing squid to eventually crash and not even start on reboot. Un-installing the package and reinstalling didn't help either.  My fix was to install the package, ssh to the box, go to command line and issue the following to clear the cache:

cd /var/squid/cache
rm -rf *

Then I rebooted the box and reloaded the squid package.   Adjusted my disk cache and ram cache from web interface.

There is also the issue that there is no clear matrix for setting up squid cache.  So far, to me it seems that physical ram (not hard drive size) will determine maximum cache size since the disk cache has to be indexed in ram and that adds up.  I'm going to try (physical ram / 2) * 25 = max disk cache

allowing 1/2 of my ram as ram cache (for me I have 3GB so half is 1.5 GB)
allowing space for 4% of my disk cache in ram, so that there should be at most for me 37.5 GB disk cache.

I have yet to see a clear, safe formula for calculating cache allocation based on system ram (1st) and disk space (2nd) and it seems this should be a very simple, easy and clear calculation, not alchemy.  What I am 100% sure of so far is that too big disk cache will exhaust ram long before disk space.
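The sizing arithmetic in this post and in the reply above it (4% of the disk cache held in RAM as index, plus the memory cache, and the `(physical ram / 2) * 25` rule of thumb for the largest disk cache) is written out below as a small calculator. This is an added example, not code from the posts or from the squid package; the function names, defaults and the `index_pct` knob for the 5% or 6% variants are this example's own.

```python
# Added example, not from the posts: the squid sizing arithmetic from the two threads
# above as a small calculator. Function names and defaults are this example's own.


def squid_ram_estimate_gb(mem_cache_gb: float, disk_cache_gb: float,
                          index_pct: float = 4.0) -> float:
    """Minimum RAM squid is expected to hold once both caches fill:
    the memory cache itself plus the disk-cache index, taken as index_pct
    of the disk cache (the poster's 4% rule)."""
    return mem_cache_gb + disk_cache_gb * index_pct / 100.0


def max_disk_cache_gb(physical_ram_gb: float, ram_cache_fraction: float = 0.5,
                      index_pct: float = 4.0) -> float:
    """Largest disk cache whose index still fits in the RAM left over after
    the memory cache. With the defaults (half of RAM as memory cache, a 4%
    index) this is exactly the poster's (physical ram / 2) * 25 formula."""
    ram_cache_gb = physical_ram_gb * ram_cache_fraction
    index_budget_gb = physical_ram_gb - ram_cache_gb
    return index_budget_gb * 100.0 / index_pct


def headroom_gb(physical_ram_gb: float, mem_cache_gb: float, disk_cache_gb: float,
                index_pct: float = 4.0) -> float:
    """RAM left for the OS and other packages after squid's estimated footprint.
    Zero or negative means the cache sizes have claimed all physical RAM."""
    return physical_ram_gb - squid_ram_estimate_gb(mem_cache_gb, disk_cache_gb, index_pct)


def size_report(physical_ram_gb: float, mem_cache_gb: float, disk_cache_gb: float,
                index_pct: float = 4.0) -> dict:
    """Estimated footprint, remaining headroom, and the largest disk cache the
    remaining RAM could index at this memory-cache setting."""
    return {
        "squid_ram_gb": squid_ram_estimate_gb(mem_cache_gb, disk_cache_gb, index_pct),
        "headroom_gb": headroom_gb(physical_ram_gb, mem_cache_gb, disk_cache_gb, index_pct),
        "max_disk_cache_gb": max_disk_cache_gb(
            physical_ram_gb, mem_cache_gb / physical_ram_gb, index_pct),
    }


if __name__ == "__main__":
    # The 8GB box from the reply: 2GB memory cache, 40GB disk cache.
    print("8GB box:", size_report(8, 2, 40))
    # The poster's own 3GB box sized by the (ram / 2) * 25 rule of thumb.
    print("3GB box:", size_report(3, 1.5, max_disk_cache_gb(3)))
    # The same 3GB box with the 5% index the reply suggested as a safer start.
    print("3GB box, 5% index:",
          size_report(3, 1.5, max_disk_cache_gb(3, index_pct=5.0), index_pct=5.0))
```

Running it on the post's own numbers shows what the prose leaves implicit: for the 8GB box the estimate is 3.6GB with 4.4GB left over, while a 3GB box sized by the `(ram / 2) * 25` rule lands at 37.5GB of disk cache and a headroom of exactly zero, because half of RAM goes to the memory cache and the other half to the index. Raising `index_pct` to 5 or 6 shrinks the permitted disk cache (30GB at 5%) and is the lever the reply above suggests.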

OK - I'll try that tweak.  System has 1 nfe0 that I'm using on WAN that is 10/100.  The internet never gets to 100 much here.  I have 1 dual port PCIe Intel NIC that is 10/100/1000 and 1 single port PCI Intel NIC that is 10/100/1000.  Those are em0-em2.  The LANs are all disallowed to see each other to give my tenants privacy.  All the gigabit Intel NICs are set up as LAN ports.  So, will I have to apply this tweak for just the nfe(0) wan, the em(0-3) LANs or for all? I noticed the patches are different for each card type.

Hi all.  I was having a problem with very high MBUF approaching the limit.  Example  24460/25600.  This was fairly new.  Never happened before.  Normally, it would sit around  3460/25600 or so for many many days and never really change much.  The only things I had changed were adding squid stable and dansguardian to an otherwise absolutely vanilla setup.  So, I wiped the box and re-installed.  With no packages loaded, there was no MBUF issue.   After adding squid stable, there was still no MBUF issue.  After then installing Dansguardian, the MBUF problem returned.  So, I removed Dansguardian again leaving only squid stable and the MBUF numbers are back where they have always been.  Low. So, I figure this must be an issue with Dansguardian causing some sort of memory leak.
Anyway, it would be nice if it didn't do that because I like dansguardian.
I'm using Pfsense version:
2.0.3-RELEASE (i386)
built on Fri Apr 12 10:22:57 EDT 2013
FreeBSD 8.1-RELEASE-p13
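The bisection in this post tracks the dashboard's MBUF figure by eye. As an added example (not from the post, pfSense or FreeBSD), here is a small check that parses the per-zone counters out of `netstat -m`-style output and flags any zone at or near its max, as well as any denied requests, which is the point at which the shortage starts dropping packets. The line layout assumed is the one FreeBSD's `netstat -m` prints for its mbuf zones; both samples are constructed, with counts chosen to echo the 24460/25600 and 3460/25600 states described in the post.

```python
# Added example (not from the post or pfSense): parse the per-zone counters out of
# `netstat -m`-style output and flag zones close to their limit or any denied
# requests. The line layout assumed here is the one FreeBSD's netstat -m prints;
# both samples below are constructed.
import re
from typing import Dict, List

ZONE_RE = re.compile(
    r"^(\d+)/(\d+)/(\d+)/(\d+) (.+) in use \(current/cache/total/max\)$")
DENIED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for mbufs denied")

# Constructed sample shaped like the post's near-limit state (24460/25600).
SAMPLE_HIGH = """\
24460/1140/25600 mbufs in use (current/cache/total)
24460/1140/25600/25600 mbuf clusters in use (current/cache/total/max)
24000/1100 mbuf+clusters out of packet secondary zone in use (current/cache)
0/12/12/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
55035K/2565K/57600K bytes allocated to network (current/cache/total)
0/17/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""

# Constructed sample shaped like the post's normal state (around 3460/25600).
SAMPLE_NORMAL = """\
3460/1020/4480 mbufs in use (current/cache/total)
3460/1020/4480/25600 mbuf clusters in use (current/cache/total/max)
0/12/12/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""


def parse_zones(output: str) -> Dict[str, Dict[str, int]]:
    """Map zone name -> counters for every line that carries a max value."""
    zones = {}
    for line in output.splitlines():
        m = ZONE_RE.match(line.strip())
        if m:
            current, cache, total, maximum = (int(x) for x in m.groups()[:4])
            zones[m.group(5)] = {"current": current, "cache": cache,
                                 "total": total, "max": maximum}
    return zones


def parse_denied(output: str) -> int:
    """Total denied requests; any non-zero value means the limit was actually hit."""
    for line in output.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            return sum(int(x) for x in m.groups())
    return 0


def check_mbufs(output: str, threshold: float = 0.80) -> List[str]:
    """Alerts for zones at or above `threshold` of their max, plus denied requests.
    'total' (current + cache) is compared against max because cached clusters
    still occupy slots in the zone."""
    alerts = []
    for name, z in parse_zones(output).items():
        if z["max"] == 0:
            continue
        util = z["total"] / z["max"]
        if util >= threshold:
            alerts.append(f"{name}: {z['total']}/{z['max']} ({util:.0%}) "
                          f"at or above {threshold:.0%}")
    denied = parse_denied(output)
    if denied:
        alerts.append(f"{denied} mbuf requests denied since boot")
    return alerts


if __name__ == "__main__":
    for label, sample in (("high", SAMPLE_HIGH), ("normal", SAMPLE_NORMAL)):
        print(label, check_mbufs(sample) or ["ok"])
```

Run periodically against real `netstat -m` output, a check like this turns the "approaching the limit" observation in the post into a recorded alert with the package change that preceded it, which is what makes the package-by-package bisection reproducible later.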
