Subcategories

  • Discussions and feedback related to this forum

    607 Topics
    3k Posts
    johnpozJ

    @microserfs and what IP was that? Clearly your current IPv6 address that I show you connected with is not blocked. And the only other IPv4 I see you using is not blocked. You would have to let me know what IP you were coming from that was blocked. Send it to me via PM if you don't want to make it public.

  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0wW

    @sef1414
    Name it "run.sh", copy it to pf and chmod it according to the documentation:
    https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
    You will see messages in the system log like those quoted in the script after the logger command.

  • Application filtering

    10
    0 Votes
    10 Posts
    4k Views
    ?

    @johnpoz:

    If what you're looking to do is block VPN, why can you not just do that with Snort or Suricata? I would think those could detect the different VPN signatures of the traffic.

    You are right, this could perhaps be done with Snort and app-detect.rules (OpenAppID Application Rules).

  • PfSense Not Secure for Enterprise Because "Open-Source"

    30
    0 Votes
    30 Posts
    7k Views
    ?

    First, I know this is a pretty old thread, but there is something I was personally missing here, and this is just for the record now.

    We all live in different countries, with different laws, and also work with different standards, but normally
    the networking field is cut into several parts; as I know it, these are:

    home networks, SOHO networks, professional networks and enterprise networks!

    And if we are talking here now about enterprise networks, about NASDAQ-listed companies, you will not really
    want to see a problem pointed at your company that is based on your computer network on Monday, and till Friday
    you were not able to solve it, and the market analysts write about that in public only once! And your
    company's stock goes down and they lose ~7 million dollars on that behaviour! And what do you all think is then
    going on in that company? ...

    "we don't recommend open-source software in an enterprise network - it's too risky".

    If a company opens its doors and enters a market, it is normal to take out insurance that then
    covers that risk and works against individuals and other companies who get into trouble or pain based on that
    product or service of the enterprise company. And these insurers very often look first at how high
    the entire risk is and how high their fee must be, and then they often look in their own company rules
    and orders and tell that enterprise company what firewall they have to take! Not exactly which one, but it
    must be an ICSA I, II or III proven firewall, and if this is not given or they don't do it, the insurance company
    will not pay if something occurs! Pretty simple, but that's it, or it is today's practice.

    Larger companies like enterprise companies have to follow their own standards, industry standards, the standards
    of their partners, suppliers or customers, and for sure also keep an eye on laws and orders or their own
    company rules. So often many employees do not directly know why something is not allowed to be used or
    brought inside, and then they often only say something like "it is not secure or safe", but in reality
    they simply don't know what this is based on. So please don't forget this if you are talking about
    open-source software and enterprise companies.

    So please don't forget: under pressure to implement the latest industry standards and comply with new
    regulatory requirements and/or laws, most companies want to be on the "safe side" from their point of view.

    Inside the computer networks of many of these companies there will be more open-source software than you could imagine,
    but they all don't talk about it.

    The second thing is the certification of the administrators or employees. If someone hires an admin and he shows
    certificates from Cisco, Juniper, Brocade, Netgear or perhaps also MikroTik, he is on the safe side. If something occurs,
    all the people in that company ask the human resources office who hired that employee and why. And if then
    someone is able to tell that this employee showed up with certifications, all is mostly fine, but if he tells around or
    answers that he is the best Unix, Linux or BSD guy around this city as far as he knows, he gets more questions than
    if he had walked the other road. For sure not a guarantee for him, but this is how business runs today.

  • Another satisfied Let's Encrypt user

    7
    0 Votes
    7 Posts
    1k Views
    jimpJ

    @GruensFroeschli:

    Really looking forward to wildcard certificates :)
    Will make it a lot easier to manage since I run quite a lot of subdomains on my webserver :)

    That's about the only scenario that makes sense, lots of subdomains on a single server. Otherwise you'd also have to distribute the wildcard cert to other boxes locally every time it was renewed. Possible, sure, but a bit of a pain and not very advantageous over just letting other servers request their own certs.

    I'm still waiting for them to validate bare IP addresses and also allow extra EKU flags like "IP Security IKE Intermediate". I figured they'd at least allow the EKUs before doing wildcard certs.

  • 0 Votes
    2 Posts
    573 Views
    R

    In the i386 version, everything works perfectly. Why is this happening?

  • Problem with VLAN's

    8
    0 Votes
    8 Posts
    1k Views
    A

    Can I know the purpose of the VLAN tag and priority? What is it for? :)

  • Da funny jokes section, gone?

    35
    0 Votes
    35 Posts
    6k Views
    B

    Continuing the K9 theme…

    ![I'll be watching you.jpg](/public/imported_attachments/1/I'll be watching you.jpg)

  • Before building my router

    10
    0 Votes
    10 Posts
    2k Views
    jahonixJ

    @anajames:

    Is it a free app or a paid one?

    It's a package to install in your pfSense. There are no paid apps for that.

  • VLAN + Firewall-Rules vs Firewall-Rules only

    23
    0 Votes
    23 Posts
    9k Views
    D

    Hi johnpoz,

    Thank you very much for these explanations. I will try this.
    Thanks to Derelict as well.

  • F-Secure introduces new "Sense" box

    1
    0 Votes
    1 Posts
    666 Views
    No one has replied
  • FreeBSD Murmur3 and xxHash

    3
    0 Votes
    3 Posts
    946 Views
    H

    Thanks! Must be setup costs for such small pieces of data. For some reason I find this info difficult to search for; I get lots of other crap.

  • Congratulations to pfSense teams + communities

    2
    0 Votes
    2 Posts
    507 Views
    A

    Congratulations.

  • LAN across routers

    7
    0 Votes
    7 Posts
    1k Views
    chpalmerC

    @johnpoz:

    This remote site is how far away, connected how?

    The existing network was, at the time it was built, the largest private VoIP-type network in the world. It's radio audio, so generally one way at a time. Latency is not as big an issue as it would be with two-way audio.

    It makes use of microwave, fiber and even some T-1s thrown in for good measure.

    The new proposed equipment was said to be unable to span subnets, but I've since found a document that says otherwise. So this is a non-issue. But it does raise my eyebrows about the quality of the people we were sent.

    :o

  • When or How | pfSense + Ntop v.3.0 ?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    jimpJ

    There is already a thread for this in a more appropriate place: https://forum.pfsense.org/index.php?topic=131504.0

  • Dhcpv6 Relay with Kea

    1
    0 Votes
    1 Posts
    883 Views
    No one has replied
  • Watchguard to pfSense Tunnel Migration

    1
    0 Votes
    1 Posts
    523 Views
    No one has replied
  • Nginx permission denied

    7
    0 Votes
    7 Posts
    1k Views
    J

    @Jailer:

    @heper:

    installing it manually can break your system

    @justaskingonly

    In case you missed it the first time…

    I know but I'm still trying.

  • NVME 1.3

    1
    0 Votes
    1 Posts
    576 Views
    No one has replied
  • 15% Packet loss in pfSense..

    3
    0 Votes
    3 Posts
    685 Views
  • PfSense 3.0 Inquiry to Gonzo : will rsyslogd replace syslogd?

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ

    Convince FreeBSD to include a different syslog distribution in the base system, then we'll talk. We use what they use. :-)

    You can use the syslog-ng package if you want so you are not limited to what's in the base system.

    It's too late for such a change in 2.4, maybe 2.5, not sure what will be in that role for 3.0 but it's still early there.

    We've already been talking about dropping clog in favor of sensible log rotation and retention since space constraints are not what they used to be in the past, even with RAM disks since most systems have more RAM available. Once we remove the clog-style log requirement then it frees up a lot of options like using syslog-ng in base.

  • Unable to connect via Cisco AnyConnect

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ

    And what mode are you using with your AnyConnect: TLS, DTLS, IPsec/IKEv2?

    By default 500 is static, so you want to add 4500 UDP as static outbound NAT as well? Are you trying to VPN in, or out to an AnyConnect?

    "I also want to be able to connect via Cisco AnyConnect."

    After you mention that you're using IPsec and OpenVPN, you also want to be able to connect to the pfSense VPN with AnyConnect?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.