
Recent Posts

Pages: [1] 2 3 4 5 ... 10
1
Packages / Re: pfBlockerNG v2.1 w/TLD
« Last post by blueduckdock on Today at 04:40:16 pm »
Trying to figure out pfblocker on CARP....

I've used this extensively on single installs but not via CARP. Are there any considerations I should take into account? I was told by pfSense support when I first installed that the firewalls should mirror (i.e. have pfBlocker installed on both, etc.)
Am I OK to configure FW1 on 10.0.10.1 with whatever pfBlocker stuff I want, then simply sync to 10.0.10.2 (FW2)? I don't have to worry about the CARP interface or sync issues between this package and that, right? (Let's say the CARP interface is on 10.0.10.250.)

Hi blueduckdock,

You can use CARP/HA in pfSense without issue. The package has an XMLRPC sync tab that allows the configuration of the package to be sync'd to other boxes... But with the current DNSBL code, this will cause issues with the DNSBL VIP, as both pfSense boxes will have the same DNSBL VIP address..

I had one user several months ago ask if this could be addressed and I did create a patch to get this addressed... If you are able to test it out, shoot me a PM if that works for you...
Yeah, I saw that post about DNSBL. Sucks because that's a big part of what I'm looking for with this.

Unfortunately I cannot test on that (it's prod.) If I get to it, I'll try to set either my home up with CARP (was thinking about doing it in the future between proxmox and physical anyway) or at least two pfsense VMs in my homelab.

I will let you know as I'd like to test it and help out. I've used pfblocker for so long it's the least I can do.

Thanks BBcan
2
Installation and Upgrades / Re: dhcp client DNS resolution not working
« Last post by johnpoz on Today at 04:38:35 pm »
OK, that is fine, but you did not set that on pfSense.. Ah, that is the route table from your PC.. OK, that is fine..

So this client is multi-homed with a connection to some 192.168.122.0/24 network?

Anyhoo.  So you're running the resolver on pfSense.  And your clients are asking pfSense, and what do they get back: time out, refused, servfail?  See, you're using Linux, so do a dig or drill or your fav query for something to pfSense..  What do you get back?  Is this the pfSense LAN?  Or another interface like OPT? It looks like this is wifi, from your client output showing wlan0.

example

C:\>ssh user@ubuntu.local.lan
Last login: Mon Aug 29 12:05:24 2016 from 10.0.8.100
user@ubuntu:~$ dig www.pfsense.org

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1499
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.pfsense.org.               IN      A

;; ANSWER SECTION:
www.pfsense.org.        300     IN      A       208.123.73.69

;; AUTHORITY SECTION:
pfsense.org.            300     IN      NS      ns2.netgate.com.
pfsense.org.            300     IN      NS      ns1.netgate.com.

;; Query time: 95 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon Aug 29 16:37:45 CDT 2016
;; MSG SIZE  rcvd: 107

user@ubuntu:~$
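The reply above asks the poster to run dig against pfSense and report what comes back (NOERROR, timeout, REFUSED, SERVFAIL), because each of those points at a different place on the firewall. The following is an added example from the editor, not code from the thread or from pfSense: it parses dig output in the format shown above and maps the result to the next thing to check. The sample outputs are constructed; the server address 192.168.1.254 is the LAN gateway mentioned elsewhere in this thread and www.example.test / 192.0.2.10 are placeholders.

```python
import re

# Constructed sample outputs in the format dig prints (not captured from the thread):
# a working answer, a SERVFAIL from the resolver, and a query that got no reply at all.
DIG_OK = """\
; <<>> DiG 9.9.5 <<>> www.example.test
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1499
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.test.              IN      A

;; ANSWER SECTION:
www.example.test.       300     IN      A       192.0.2.10

;; Query time: 95 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
"""

DIG_SERVFAIL = """\
; <<>> DiG 9.9.5 <<>> www.example.test
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2201
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.test.              IN      A

;; SERVER: 192.168.1.254#53(192.168.1.254)
"""

DIG_TIMEOUT = """\
; <<>> DiG 9.9.5 <<>> www.example.test
;; connection timed out; no servers could be reached
"""


def parse_dig(text):
    """Pull status, header flags, answering server and answer records out of dig output."""
    result = {"status": None, "flags": [], "server": None, "answers": []}
    m = re.search(r"status: (\w+)", text)
    if m:
        result["status"] = m.group(1)
    elif "connection timed out" in text:
        result["status"] = "TIMEOUT"  # dig prints no header at all when nothing answered
    m = re.search(r";; flags: ([^;]*);", text)
    if m:
        result["flags"] = m.group(1).split()
    m = re.search(r";; SERVER: (\S+)", text)
    if m:
        result["server"] = m.group(1)
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break  # a blank line closes the section
            parts = line.split()
            if len(parts) >= 5:  # name ttl class type rdata
                result["answers"].append((parts[0], parts[3], parts[4]))
    return result


def diagnose(parsed):
    """Map the parsed result to the next thing to check on the firewall."""
    status = parsed["status"]
    if status == "TIMEOUT":
        return "no reply: nothing listening on that server IP, or a rule on that interface drops port 53"
    if status == "REFUSED":
        return "resolver reached but query refused: client subnet not allowed by the resolver's access control"
    if status == "SERVFAIL":
        return "resolver reached but resolution failed: check the resolver's upstream connectivity and its log"
    if status == "NXDOMAIN":
        return "resolver works; the name does not exist"
    if status == "NOERROR" and parsed["answers"]:
        return "resolution works from this client"
    if status == "NOERROR":
        return "name exists but has no record of the queried type"
    return "unrecognised dig output"


if __name__ == "__main__":
    for sample in (DIG_OK, DIG_SERVFAIL, DIG_TIMEOUT):
        p = parse_dig(sample)
        print(p["status"], p["server"], p["answers"], "->", diagnose(p))
```

The SERVER line is worth reading as well as the status: if it shows an address other than the pfSense interface the client was supposed to get from DHCP, the client is not asking the firewall at all, whatever the status says.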
3
So you're saying these clients on your VLAN get DHCP, it's just missing DNS??

I can tell you that my DHCP settings for a VLAN are left blank and it hands out the pfSense IP in that VLAN as the DNS server, as it is designed to do..

If it didn't, then none of my wifi clients that are on VLANs via tags would work..

Here, as you can see, I have a VLAN 500; this is via a wifi AP where that SSID has a VLAN tag on it.  So pfSense has that VLAN set up, its DHCP has no DNS set, all blank, both on the general pool and the specific reservation I created for that client.  I then forced a reconnect of that client so it would send a DHCP request, which I did a packet capture of.  As you can clearly see, it sent out the DNS, which is the pfSense IP address in that VLAN.

I don't know what could be causing this or what you're perceiving as a problem, but I can assure you pfSense hands out its IP for VLAN interfaces for DNS just fine.
4
Packages / Re: pfBlockerNG v2.1 w/TLD
« Last post by BBcan177 on Today at 04:31:07 pm »
Trying to figure out pfblocker on CARP....

I've used this extensively on single installs but not via CARP. Are there any considerations I should take into account? I was told by pfSense support when I first installed that the firewalls should mirror (i.e. have pfBlocker installed on both, etc.)
Am I OK to configure FW1 on 10.0.10.1 with whatever pfBlocker stuff I want, then simply sync to 10.0.10.2 (FW2)? I don't have to worry about the CARP interface or sync issues between this package and that, right? (Let's say the CARP interface is on 10.0.10.250.)

Hi blueduckdock,

You can use CARP/HA in pfSense without issue. The package has an XMLRPC sync tab that allows the configuration of the package to be sync'd to other boxes... But with the current DNSBL code, this will cause issues with the DNSBL VIP, as both pfSense boxes will have the same DNSBL VIP address..

I had one user several months ago ask if this could be addressed and I did create a patch to get this addressed... If you are able to test it out, shoot me a PM if that works for you...
5
OpenVPN / Client Specific Overrides
« Last post by fabienfs on Today at 04:30:12 pm »
Hello,

To give users different access to the network through the OpenVPN server, I create each time a "Client Specific Overrides" entry with a more specific "tunnel network".

Example:

OpenVPN Server tunnel network : 192.168.100.0/24
User1 : 192.168.156.64/26
User2 : 192.168.156.128/26

And I create specific rules for each /26 prefix in the firewall


But since I updated my pfSense, all prefixes more specific than /25 no longer work. The problem is that I cannot fit a lot of /25s in a /24. Why are /26 or /27 no longer working? Cannot connect with the OpenVPN client

thanks
6
Installation and Upgrades / Re: dhcp client DNS resolution not working
« Last post by McMurphy on Today at 04:28:44 pm »
LAN-GW: 192.168.1.254

This is the GW address for the clients and is the IP of the pfsense box.

user@pc:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

No downstream router just a broadband modem.
7
Portuguese / pfSense freezing at recurring times.
« Last post by moisesdfelix on Today at 04:22:36 pm »
Dear friends,

Good evening!

I am having trouble analysing a possible problem with pfSense v. 2.2.2! The system freezes roughly every two months, at specific times of day (before 06:00 in the morning). Reviewing the logs, I did not identify any abnormality, although it is hard to be sure, since I cannot see all the logs for a given period; sometimes I see very few log entries in the hours before the incident.

I already suspected the company's electrical system, but the electrical staff said everything was fine. Anyway, I would like to know whether there is some way to monitor these events better.

NOTE: Looking at the Dashboard, memory, CPU and disk usage are normal.

Below is the log recording the freeze from Friday to Saturday :(

Aug 27 06:33:11   kernel: FreeBSD 10.1-RELEASE-p9 #0 57b23e7(releng/10.1)-dirty: Mon Apr 13 20:30:25 CDT 2015
Aug 27 06:33:11   kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
Aug 27 06:33:11   kernel: The Regents of the University of California. All rights reserved.
Aug 27 06:33:11   kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Aug 27 06:33:11   kernel: Copyright (c) 1992-2014 The FreeBSD Project.
Aug 27 06:33:11   syslogd: kernel boot file is /boot/kernel/kernel
Aug 27 01:30:47   lighttpd[62961]: (connections.c.137) (warning) close: 13 Connection reset by peer
Aug 27 01:01:00   php: rc.dyndns.update: phpDynDNS (vpnsites.no-ip.info): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Aug 26 17:26:22   php-fpm[29835]: /index.php: User logged out for user 'admin' from: 10.0.1.10
Aug 26 17:26:19   check_reload_status: Syncing firewall
Aug 26 17:26:13   check_reload_status: Syncing firewall
Aug 26 17:20:41   check_reload_status: Syncing firewall
Aug 26 17:19:31   php-fpm: /index.php: Successful login for user 'admin' from: 10.0.1.10
Aug 26 17:19:31   php-fpm: /index.php: Successful login for user 'admin' from: 10.0.1.10
Aug 26 17:14:01   php-fpm[16706]: /index.php: User logged out for user 'admin' from: 192.168.0.3
Aug 26 17:11:15   php-fpm[48924]: /index.php: Successful login for user 'admin' from: 192.168.0.3
Aug 26 17:11:15   php-fpm[48924]: /index.php: Successful login for user 'admin' from: 192.168.0.3
Aug 26 15:42:46   lighttpd[62961]: (connections.c.137) (warning) close: 13 Connection reset by peer

P.S. I also noticed that on the day before the freeze, MBUF usage was almost 50%, whereas normally it stays at 28%.
8
IPsec / Site-to-Site VPN with source NAT
« Last post by {00Bits11} on Today at 04:17:41 pm »
Hi there community.

Looking for some assistance on getting traffic to pass between a pfSense and a Juniper.
The site-to-site tunnel is up and running and I was able to ping from one side of the tunnel to the other.
After implementing source NAT I am unable to get across the VPN and ping the other site.

pfsense Configuration PH1:
Mutual PSK
Mode Main
Pre-Shared Key Preshared
AES128
SHA1
DH group 2
NAT Traversal Auto

Configuration PH2:
Tunnel IPv4
Local Net 10.19.20.0/22
NAT/BINAT 10.3.8.0/22
Remote Net 10.3.8.0/22
AES128
SHA1
PFS off

FW Rules
eth2_LAN * * * * none

IPsec
eth2_LAN TCP/UDP * 10.3.8.0/22 * * none
eth2_LAN ICMP      * 10.3.8.0/22 * * none
10.3.8.0/22 TCP/UDP * * eth2_LAN * * none
10.3.8.0/22 ICMP * * eth2_LAN * * none

NAT Rules:
Outbound: Mode AON
1:1 IPsec 10.3.8.20/22 10.19.20.0/22 *


Other side configuration:
PH 1
Remote GW: Host_IP_Address
pre-g2-aes128-sha

PH 2
Tunnel IPv4
nopfs-esp-aes128-sha
Proxy ID Trust-Trust 10.19.20.0/22-10.3.8.0/22

I have attached a small diagram for more details.
Thank you in advance for your assistance.
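The post above combines a phase 2 entry that has a NAT/BINAT network with a 1:1 outbound rule. What follows is an added example from the editor, not code from the thread or from pfSense, showing what a 1:1 BINAT does to an address (the host offset inside the local network is carried over to the translated network) together with the consistency checks a practitioner would run over such a phase 2 definition before debugging further: the two networks must be the same size, and the translated network must not overlap the remote network, because after translation the peer would see source addresses from its own subnet. For the worked mapping it assumes a constructed, non-overlapping translated network 10.99.0.0/22; run over the values as posted (local 10.19.20.0/22, NAT/BINAT 10.3.8.0/22, remote 10.3.8.0/22) the overlap check fires, since the NAT/BINAT network and the Remote Net are the same /22.

```python
import ipaddress


def binat_translate(addr, local_net, translated_net):
    """Map one host in local_net to its 1:1 counterpart in translated_net.

    BINAT keeps the host part: the offset of the address from the start of the
    local network is applied to the start of the translated network.
    """
    ip = ipaddress.ip_address(addr)
    local = ipaddress.ip_network(local_net)
    translated = ipaddress.ip_network(translated_net)
    if local.prefixlen != translated.prefixlen:
        raise ValueError("1:1 BINAT requires networks of the same size")
    if ip not in local:
        raise ValueError(f"{ip} is not inside {local}")
    offset = int(ip) - int(local.network_address)
    return str(ipaddress.ip_address(int(translated.network_address) + offset))


def advertised_local_id(local_net, translated_net):
    """The local traffic selector the peer must use as its remote proxy ID.

    With NAT/BINAT set on the phase 2, the translated network is what the peer
    sees; without it, the local network itself.
    """
    return translated_net if translated_net else local_net


def check_phase2(local_net, translated_net, remote_net):
    """Return the consistency problems in a phase 2 + BINAT definition (empty list if none)."""
    local = ipaddress.ip_network(local_net)
    translated = ipaddress.ip_network(translated_net)
    remote = ipaddress.ip_network(remote_net)
    problems = []
    if local.prefixlen != translated.prefixlen:
        problems.append("NAT/BINAT network must be the same size as the local network")
    if translated.overlaps(remote):
        problems.append("translated network overlaps the remote network: after translation "
                        "the peer sees source addresses from its own subnet")
    return problems


if __name__ == "__main__":
    # Constructed, non-overlapping translated network for the worked mapping.
    print(binat_translate("10.19.21.7", "10.19.20.0/22", "10.99.0.0/22"))   # 10.99.1.7
    print(advertised_local_id("10.19.20.0/22", "10.99.0.0/22"))             # 10.99.0.0/22
    # Values as posted in the thread above.
    print(check_phase2("10.19.20.0/22", "10.3.8.0/22", "10.3.8.0/22"))
```

The second function is the part most often missed when a tunnel is debugged from one side: once a NAT/BINAT network is set, the peer's proxy ID for this end has to name the translated network, not the original local one, or the phase 2 selectors will not match.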
9
NAT / Re: Open VPN NAT driving me crazy
« Last post by namtech on Today at 04:11:24 pm »
I did not set NOARP, but as far as I know TUN interfaces in OpenVPN have NOARP by default, and I guess it is inherited by OVPNC1. Please correct me if I am mistaken here.

I use iBVPN (www.ibvpn.com) as my VPN provider for Netflix; it seems in all their .ovpn config files they use "TAP" instead of "TUN". However, in their pfSense tutorial they wrote to use "TUN", which is probably wrong for their topology...

10.10.10.1 is the Gateway on their side. 10.10.10.8 is my Tunnelside. 10.10.10.1 was arping 10.10.10.8.


10
Portuguese / Re: Transparent proxy + captive portal not working
« Last post by rlrobs on Today at 04:07:29 pm »
OK.

I saw something strange in your config (according to the screenshot).

Note that in the "transparent proxy" section there are two "Bypass Proxy for Private Address Destination" entries (which I leave checked, by the way) and two "Bypass Proxy for These Destination IPs" entries.
Is that really right?