I'm glad that i could help you.  :D

Best,

There are multiple versions of the inline config - which are you using?

Some clients only support tun and will choke if "dev tun" is there, such as OpenVPN Connect.

If you use the "Others" choice for Inline it does have "dev tun" inside.

Hi again!!

This is the diagram of my lab.

https://www.dropbox.com/s/uqomxj4os3f72bn/diagram.jpg

The pfSense is the Vpn Server with OpenVPN.

Thanks.

Thanks, Nachtfalke!

I've got everything working at this point….finally.  ;D

Your explanations of different files helps too!  Much appreciated!

Hard to understand for me what you write because google cannot translate it really good to german ;-)

I am not PHP expert but as far as I understand it then the file "pkg_edit.php" + "freeradius.xml" + "freeradius.inc" generate the GUI.

If you change anything from console like:

vi /usr/local/etc/raddb/users

then this will be overwritten If you click on "Save" on the GUI. This is because in the freeradius.inc there is a command which writes the content from the .XML to the file.

SSL encrypts the data, not the address

??? what you call the "address" is facebook right, wich is a DNS resolution. DNS is layer 7. SSL encrypt everything after layer 3. That's why you can't block it by name .

Apparently, the problem is that redirecting port 443 traffic through the proxy would interfere with the SSL connection and so it's not done.You can work around this by setting up your own certificate

yes it's what I've said ! But its not the fastest and easiest way to do to it.

that's why I recommanded to do it with firewall rules ;)

I hope I were helpfull  ;D ;D

Solution: Do NOT use last update "built on Wed Apr 3 21:48:42 EDT 2013" is broken aka pfSense-Full-Update-2.1-BETA1-i386-20130403-2147.tgz.

And what will happen if I have CARP, so my WAN have a private ip address?
I will have to use host_outbound = mypublicip in the configuration file, but how to edit the file and avoid pfsense gui to overwrite it?

@Supermule:

Didnt that get updated via the GUI??

@DigitalDeviant:

I jusat signed up for VRT rules and cannot get them to install after a reinstall and reconfiguration of snort. I'm currently running 2.0.2-RELEASE (amd64).

Edit: The issue may lie with my Snort account. I was unable to manually pull 2.9.4.1 rules with my Oinkmaster URL; I got an error saying I was not a subscriber, though I can manually download the 2.9.4.1 rules. I was able to pull 2.9.4.0 via Oinkmaster URL.

Edit 2: All problems with my account are cleared and I still cannot automatically download Snort 2.9.4.1 rules.

Edit 3: I had to change {$oinkid} in snort_check_for_rule_updates.php with my actual Oinkid. Then it worked.

I haven't had time to troubleshoot any further. I have confirmed I have the right Oikcode in the GUI. Unless I change it in both spots it wound download the MD5 or rules. I don't have the exact errors from the system logs but it seemed like the download link was wrong so I'm guessing that it's not getting the Oinkcode variable. Troubleshooting time is minimal so any ideas on how to proceed would be appreciated.

Hey Barry!

I got it blocked it using squid and squidguard!

My settings squid on transparent proxy and on squidguard with blacklist "http://www.shallalist.de/Downloads/shallalist.tar.gz",

denied these two "[blk_BL_hobby_games-misc] - [blk_BL_hobby_games-online]" on both tabs Common ACL and Groups ACL!
and it blocked those two websites.!

One more thing about squidguard after making all the changes inside move to the "General settings" tab and scroll to the end and SAVE the settings first and then HIT apply on top of the same page.

Good-Day!

The 127.0.0.1 user entry did the trick!  Before this, I had even created an entry for the specific IP address of the pfsense box, which didn't work.

Thank YOU!

Hi,

can you make sure that the server certificate for the RADIUS server is a "server" certificate and not a client certificate ?
Where did you create the certificate?
Did you select the CA and the server cert in freeradius –> EAP --> CERTIFICATES FOR TLS ?
If you created the certificate/CA on pfsense then you need to empty the "Private Key Password".

Sometimes it works after clicking a second time on the "Save" button on the freeradius --> EAP page.

If your Linux/Android clients does not support PEAP + MSCHAPv2 then you should use some other mechanism than MSCHAPv5. Try with MD5. It's not a security problem because PEAP establishes a TLS tunnel and this is secure and it doesn't matter what is happening within the tunnel unless it is compatbile with your devices.

Thank you for your feedback.

If I remember correct on an some weeks old test environment I installed HAVP and I could see that ClamAV version wasn't the actual version as it is on the clamav homepage. I am not sure if all signatuires and programcodes are still up to date on the HAVP package or if these will update automatically.

Using an "old" version of HAVP proxy isn't the main problem i think because it is just redirecting traffic throu7gh ClamAV but it makes no sense (in my opinion) to redirect traffic through an old/utdates antivirus scanner and lose performance even if the scanner is not on the newest version an cannot find "all" viruses.

I would be interested if ClamAV is independent from HAVP and updates itself? How does this work on other packages like Danguardian?