pfSense Troubles

Matt (Premium, joined 2003-07-20, Jamestown, NC):
I've posted this over at the pfsense.com forums, but most of the time things go unanswered so I thought I'd try you guys here.
I have a VPN server behind my pfSense box. pfSense is in bridge mode and not performing NAT. External clients make an inbound PPTP connection through pfSense to the VPN server and are assigned a private IP in the 10.8.0.x range. This range is 1:1 NAT'd to a public range by the VPN server.
I can make inbound VPN connections, but when I do, the client is unable to get back out to the internet using any protocol. This works perfectly without pfSense in line. If I try to ping Google for example, I see two states in the pfSense logs:
209.123.147.125 is 1:1 NAT'd (on the VPN server, not pfSense) to 10.8.0.125. On the VPN server I see outbound states/sessions, but no inbound traffic. pfSense logged information one time as blocked, but the source address was 10.8.0.125. So I created a firewall rule that allowed all LAN-WAN traffic specifically for 10.8.0.x and told it to log it. When I attempted the ping again, I noted that it logged that it had passed a ping for 10.8.0.125 but no response ever came back in.
The VPN server and the pfSense box can both access the internet fine.
Any ideas? Should I put pfSense into NAT mode and use it to perform the 1:1 NAT'ing?

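The detail that gives the problem away is the pass entry Matt saw: the packet crossed the bridged firewall still carrying the 10.8.0.125 source, so the 1:1 translation to 209.123.147.125 had not been applied by the time pfSense saw it, and a reply to a private address can never be routed back from the internet. The script below is an added example (not code from this thread or from pfSense) that runs that check over firewall log lines: it flags passed outbound WAN packets with an RFC 1918 source and lists outbound flows that never got a reply. It assumes a simplified, constructed log format (action,direction,iface,src,dst,proto), not the real pfSense filterlog syntax, a WAN interface named em1, and 8.8.8.8 standing in for "ping Google"; the two sample logs are constructed to match the broken and the fixed state.

```python
"""Find private source addresses leaking through a bridged firewall and
outbound flows with no reply.

Added example, not pfSense code.  Log format is constructed and
simplified (action,direction,iface,src,dst,proto); adapt parse_line()
before pointing this at a real filter log.
"""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action direction iface src dst proto")

# Constructed sample of the broken state described in the thread: the VPN
# client's packet crosses the bridge still carrying its 10.8.0.x address,
# so no reply can ever come back.  (em1 and 8.8.8.8 are assumptions.)
BROKEN_LOG = """\
pass,out,em1,10.8.0.125,8.8.8.8,icmp
"""

# Constructed sample of the fixed state: the source was translated to the
# public address before reaching the firewall, and the reply flows back in.
FIXED_LOG = """\
pass,out,em1,209.123.147.125,8.8.8.8,icmp
pass,in,em1,8.8.8.8,209.123.147.125,icmp
"""


def parse_line(line):
    """Parse one constructed log line; return None for blank or malformed lines."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        return None
    entry = Entry(*fields)
    try:
        ipaddress.ip_address(entry.src)
        ipaddress.ip_address(entry.dst)
    except ValueError:
        return None
    return entry


def parse_log(text):
    """Parse a whole log, silently skipping lines parse_line() rejects."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def leaked_private_sources(entries, wan_iface):
    """Passed outbound WAN packets whose source is still a private address.

    Any hit means address translation did not happen before the packet
    reached the bridge, which is exactly the symptom in the thread.
    """
    return [e for e in entries
            if e.action == "pass" and e.direction == "out"
            and e.iface == wan_iface
            and ipaddress.ip_address(e.src).is_private]


def unanswered_outbound(entries, wan_iface):
    """Outbound WAN flows for which no inbound packet travels the other way."""
    replies = {(e.dst, e.src, e.proto) for e in entries
               if e.direction == "in" and e.iface == wan_iface}
    return [e for e in entries
            if e.direction == "out" and e.iface == wan_iface
            and (e.src, e.dst, e.proto) not in replies]


def diagnose(text, wan_iface="em1"):
    """Run both checks over a log and return the offending entries."""
    entries = parse_log(text)
    return {"leaked": leaked_private_sources(entries, wan_iface),
            "unanswered": unanswered_outbound(entries, wan_iface)}


if __name__ == "__main__":
    for name, log in (("broken", BROKEN_LOG), ("fixed", FIXED_LOG)):
        report = diagnose(log)
        print(f"{name}: {len(report['leaked'])} leaked private source(s), "
              f"{len(report['unanswered'])} unanswered outbound flow(s)")
        for e in report["leaked"]:
            print(f"  private source {e.src} passed out {e.iface} to {e.dst}: "
                  "translation did not apply before the bridge")
```

The leaked-source check is the one worth keeping around: a bridged firewall that passes RFC 1918 sources toward the WAN is either in front of a NAT device that is not translating, or is letting internal addresses out, and in both cases the log line is the earliest place the fault shows up.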
Matt (Premium, joined 2003-07-20, Jamestown, NC):
I figured it out. I added another NIC to the VPN server and bound the 1:1 NAT address range to that NIC. I'm sure that's hackish and ugly, but so far so good.

BBBanditRuR (joined 2009-06-02, Parachute, CO), reply to Matt:
Glad it was a fairly easy fix. I've used pfSense for about two years now, and MOSTLY love it, except for a few of the VPN issues. Out of curiosity, what VPN service are you running? PPTP, IPSEC, OpenVPN?? I'm about ready to give OpenVPN a new round.

Matt (Premium, joined 2003-07-20, Jamestown, NC):
said by BBBanditRuR: "Glad it was a fairly easy fix. I've used pfSense for about two years now, and MOSTLY love it, except for a few of the VPN issues. Out of curiosity, what VPN service are you running? PPTP, IPSEC, OpenVPN?? I'm about ready to give OpenVPN a new round."
I'm running RRAS for PPTP and SSTP support behind pfSense.

drew (Premium, joined 2002-07-10, Port Orchard, WA):
MS RRAS has a note of simplicity to it. I like it.
pfSense is a bit more complicated.

sporkme (Premium, MVM, joined 2000-07-01, Morristown, NJ):
Speaking of pfSense and "complicated", the book came out today:
»blog.pfsense.org/?p=509
-- with every mistake we must surely be learning

Matt (Premium, joined 2003-07-20, Jamestown, NC):
I think $36.50 is a small price to pay to show support for these guys. Their free support stinks and documentation is very hard to come by, so if the book is really a line-by-line complete reference, I will probably pick one up.
I hope they sell a million of them.
-- trafficcloak.com - pptp/sstp vpn services

sporkme (Premium, MVM, joined 2000-07-01, Morristown, NJ):
I've sent them cash in the past for a few bounties where people dropped the ball on paying them.
Apparently it sold well today and broke the top 100 for tech books. Oddly enough, writing a book is probably a good way to determine just how much of a dedicated business userbase they have.

drew (Premium, joined 2002-07-10, Port Orchard, WA), reply to Matt:
I'd like to pick the book up.
My IT knowledge is lacking and pfSense in combination with a machine would be a good way to learn me.

BBBanditRuR (joined 2009-06-02, Parachute, CO):
If you REALLY wanna get your hands dirty with pfSense, get into learning FreeBSD (or any of the BSDs). Basically, it boils down to pfSense being a custom firewall setup that saves you hours of installing/configuring. One could essentially take FreeBSD and trim it down to do the exact same thing that pfSense is, minus the web interface; and even then, you could use Webmin+SSH to do remote admin. Once installed, you still have to tweak things like kernel parameters and other network-centric settings, which the GUI doesn't exactly help you out with (i.e. command line stuff).
An example of this is tuning the kernel to make Squid faster (should you choose to use Squid). Looking in the FreeBSD manual, the same procedure exists (tuning nmbclusters), but if you are familiar with the userland/kernel in BSDs, it makes a lot more sense why this works, rather than, say, adding more memory to your rig.
Anywho, my point is pfSense saves you time, but if you are going to make a go of it in production, I would spend some time with the core OS (FreeBSD) first, at least installing/tweaking the kernel parts.

Matt (Premium, joined 2003-07-20, Jamestown, NC):
That's a great idea BBBanditRuR. I've found FreeBSD to be rather picky about certain hardware and especially things like ACPI compared to other operating systems. Has FreeBSD 8 resolved any of those issues?

BBBanditRuR (joined 2009-06-02, Parachute, CO), reply to Matt:
Cool. I was pretty sure you had a dedicated service behind pfSense, as I've tried PPTP and IPSEC on it (I stayed away from OpenVPN on the box since it says in it there are problems), and found both to be "meh". I'm waiting for the next release to actually put those services at the gateway/firewall. The other guy I work with uses the Cisco ASAs for SSL stuff. I make fun of him, as "Cisco" is the almighty end-all... to him. I mean they are nice, but for the moolah.

EUS (Premium, joined 2002-09-10, Montreal, QC), reply to Matt:
I have found that m0n0wall's documentation covers pfsense very well.

koitsu (Premium, joined 2002-07-16, Mountain View, CA), reply to Matt:
said by Matt: "That's a great idea BBBanditRuR. I've found FreeBSD to be rather picky about certain hardware and especially things like ACPI compared to other operating systems. Has FreeBSD 8 resolved any of those issues?"
The vagueness of your comment won't allow for anyone to respond with a concrete answer. "Hey, FreeBSD didn't like stuff before, are those bugs fixed?" "Uhhh...." Need more input.
Yes, ACPI support has been enhanced significantly between FreeBSD 7 and 8, predominantly by John Baldwin. There's also the freebsd-acpi mailing list, which is specifically for problem reports regarding ACPI.
-- Making life hard for others since 1977. I speak for myself and not my employer/affiliates of my employer.

Matt (Premium, joined 2003-07-20, Jamestown, NC), reply to EUS:
said by EUS: "I have found that m0n0wall's documentation covers pfsense very well."
Thanks, you're the second person to tell me that. I'll give it a look.

Bink (joined 2006-05-14, Denver, CO), reply to BBBanditRuR:
If you REALLY REALLY wanna get your hands dirty, forget FreeBSD and try OpenBSD. The pf in pfSense is from the pf (packet filter) in OpenBSD. The pf in FreeBSD is an aging port of the more modern pf in OpenBSD.

BBBanditRuR (joined 2009-06-02, Parachute, CO), reply to Matt:
I don't know for sure, a lot of installations I'm dealing with are still on 6.2 or 7.x.
For hardware, I've had lots of varied successes/failures. I had LOTS of failures with some HP G3 ProLiants with the onboard RAID configured (RAID 1 or 5). Couldn't tell if the disks were bad or the controller. THANKFULLY, FreeBSD was able to recover (at least long enough to get data off of them). Strange things for sure, but I couldn't say if it was the hardware (probably) or the OS (unlikely, considering disks would randomly fail but the OS trudged on).