
Recent Posts

1
NAT / No VOIP call established
« Last post by Maurice on Today at 06:53:07 am »
Hello all

We are using pfSense for a short while now and I'm very satisfied with the product.
For now I'm experiencing a problem that I can't solve, so I hope you guys can help me out.

We have replaced a Cisco ASA with a pfSense firewall at the customer's site.
Since there was nothing configured on the ASA for NAT or routing or anything whatsoever, we have not configured this on the new pfSense either.
Everything works except for the VOIP.

There is an Asterisk PBX 11.23.1 behind the pfSense and there are VOIP phones.
When we make a call, we see that it rings. When they pick up the phone, the conversation is ended immediately.

We have made a packet capture and we see that the PBX answered:
Status: 486 Busy Here

We have tried the following:
- Created a nat for the RTP ports: 49152 - 49407
- Created a nat for port: 5066 (TCP and UDP)
- Disable source port rewriting
- Set Conservative state table optimization
- Tried the siproxd
- Disable scrub

We have put the ASA back in place and now VOIP is working again.
We would like to have the pfSense back in place.

Can anyone help?

Regards,
Maurice





2
Hello, attached here is the packet capture from the device, where:

10.0.0.1  ZYWALL USG20 used as dhcp server
10.0.0.2  PFSENSE

84:a6:c8:ee:75:91  The device connecting to wifi.

This file contains both situations: first the ZyWALL as DHCP server and then pfSense as DHCP server.

Thank you
Best regards.
3
Portuguese / Re: configure IPsec VPN on pfSense 2.2.6
« Last post by rlrobs on Today at 06:42:42 am »
Rephrasing:
1 - In pfSense, create a connection to your AD. Menu: System/User Manager/Servers.
2 - Create an OpenVPN connection and, in the authentication method, point to the 'server' created in 1.
3 - Configure the firewall to restrict access to the servers.


Notes:

- For what you want to do (client to server), it is simpler to use OpenVPN rather than IPsec.
- You won't need to install anything on the AD.
- When creating the OpenVPN (client to server), use 'server mode: Remote user (User Auth)'.




4
Yes, I wish that every server that does stuff for an inter[state|national] audience was set to UTC. Then every forum post, commit, build, log entry... would be shown in the UTC time that it happened and there would be no ambiguity and easy comparison of times.

And every date should be shown in YYYY/MM/DD format that is easy to compare and sorts beautifully.
5
>So can we please see a sniff on pfsense for this request for rebind.  So you actually mean rebind not renewal.  So typical renewal will be a directed packet to the original dhcp server this is t1.  Once you go into t2, since you did not get a response from dhcp server on your renewal request and are trying to rebind you would be sending broadcast.

Yes, I will reply with the pcap later, as soon as I can get to it on my other PC.

>Also the mac of the client is the same, nothing funky going on where the mac is from the AP..   So your AP are they working in a cluster or standalone?  I do not have much experience with those low end AP from cisco.  We always use a controller with cisco and in that case the controller normally runs in dhcp proxy mode, etc.  But I do not believe those wap351 can work with a controller - and not sure exactly the details of what goes on when they are setup in a cluster, etc.
The MAC is still the same. The Cisco WAP351s are in a cluster, and one of them acts as cluster controller. When the device manages 802.11r (roaming capable), everything works fine.


>So I am curious why a client would ever get to t2 and be trying to rebind vs just doing a renewal in the dhcp process?  Are you saying renewals and rebinds do not work?  How exactly is this presenting itself as an issue?  Would not the clients that can not renew or rebind just switch to discover mode once the lease has expired and then get a new IP?  So are your users complaining of intermittent connectivity?  When their IP releases?  What is the lease time you're running?

The situation is this: when the device (Windows) moves away from AP1 to near AP2, it changes its connection, asking with a DHCP_REQUEST, not a DHCP_DISCOVER. In this situation pfSense didn't answer.


>What would be fantastic would be a watching the process from a client on AP1 as it goes through a renew, then move that client to ap2 and watch what happens as it tries to renew and then rebind and finally gives up and does discover, etc.
I have the packet capture from pfSense where I can see DHCP_REQUEST many times and pfSense didn't reply.

So in this situation t1 and t2 are not considered by the device, because it roams from an existing SSID to the SAME SSID as a reconnection, so it REBINDs, asking with DHCP_REQUEST.

If I use a ZyWALL as DHCP, everything is very fine.

I have a pcap where I used first the ZyWALL and then pfSense as DHCP server. The capture is on the LAN port where the WAPs are connected. If you need a different capture, just explain it to me better; I can also capture the traffic from the WAP.

Thank You
Best regards


6
Oh dear, is it only the time dimension that is the problem. I wonder if it managed to restore all 3 dimensions of space  ;)
7
French / Re: SNMP Inter LAN
« Last post by fred74 on Today at 06:32:24 am »
PRO follow-up,
Hello,
I am getting back to you to say that everything is back in order.
All my "info" is coming up from all my servers and "hardware" to my FAN server.
I reviewed all my rules and reset everything to zero.
And above all, and I think this is where the problem came from, I rebuilt my whole configuration on my FAN server and rebooted.
And there you go, it works.

Thanks to all for your information, see you soon.

I am closing the ticket.
8
pfBlockerNG / Re: [ pfB_PRI3 - WatchGuard ] Download FAIL
« Last post by Mr. Jingles on Today at 06:31:35 am »
Thank you Ron  :D

BB: isn't the not-reporting-no-logging a bug?

I think the issue is the Watchguard (Rep Authority) is now blocking non-humans from downloading this page... Best to disable for a few days (to see if it's just rate-limited for 24hrs or something)... But if it persists, then best to just disable/remove the feed....

Normally this error below means that a connection was established with a server but that connection was closed by the remote server. (Recv):
Code:
Recv failure: Connection reset by peer Retry in 5 seconds...

Thanks BB.

Yet, isn't this a bug:

Quote
Now the problem is: how did you find out/diagnose this? Because I see this in your reply:

Code:
[ pfB_RepAuth - RepAuth ] Download FAIL [ 09/17/16 13:01:08 ]
 [ 63.251.171.2 ] Firewall IP block found in: [ BT_Spyware | 63.251.171.0/28 ]

Yet all I get is:

Code:
[ pfB_PRI3 - WatchGuard ] Download FAIL [ 09/18/16 19:03:33 ]
  Firewall and/or IDS are not blocking download.
9
That all looks fine, the IPv4 routing/ping/... should work fine without any IPv6 settings, or with broken IPv6 settings. I assume the WAN GW IP is in the same subnet (8 address subnet in your case) as the pfSense WAN IP.
I guess the WAN GW is actually some device at the ISP and the cable modem is just in bridge mode. If that is so, then you have no way to "reset/power-cycle" the actual WAN GW device.
If you can find out the MAC address of the server that used to be at WAN IP, then set that as the MAC address of the WAN interface. That should certainly trick the upstream WAN GW into finding its way back to you. Or by the time we have chatted a bit in this thread the WAN GW device will time out its ARP cache, and then learn the "new" MAC address of pfSense WAN interface.
10
Yes, at least for testing open any protocol and port, perhaps you may restrict it later.