@newbieuser1234:

i setup security onion.  i was a bit confused on the setup. how can it block port scans, etc via snort if it's on the local network and not in bridge mode between the isp and the router.  jimp, do you guys just use the elsa piece of it or do you use snort with it.  I thought pfsense was far easier to configure.

I don't think we use it for snort, but for other things. I'm not 100% clear on how snort works with it in that kind of setup.

The ELSA part is of more interest than snort on there for me.

Neither did I until I stumbled across it by accident one day and was forced to think about it.
I don't think I've ever tested it on a box running Squid though so your situation may be different.

That's what I meant by VPN-over-DNS, hiding an encrypted tunnel inside dns queries. I have never looked into blocking/detecting it, mostly because last time I looked into setting it up it was not trivial. However I see that Softether supports it so maybe it will be more common: http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#1.6.VPN_over_ICMP.2C_and_VPN_over_DNS%28Awesome!%29
I assume to do this you still need to actually own a domain though.  :-\

I'd be interested in any thoughts.

Steve

@stephenw10:

There was a similar thread recently: http://forum.pfsense.org/index.php/topic,62819.0.html

Steve

Thanks for that mate.

If anyone is interested I have built my self a small VM with 80GB hdd.
Running Centos on there and it's running rsyslog which logs all the firewall data to /var/logs/syslog/firewall.log

In turn I can grep for addresses and ports on this and have to say it works very nicely.

I have the option "show raw filter logs" enabled and this does give quite a comprehensive view of all the traffic hitting my firewall.

For now this will do me nicely but if I feel I need anything else then I'll have another look at that thread.

Yeah my network is configured in a weird way i.e my way (it aint easy!)
Yep you're abs right, it's not behind pfsense, but kinda like "dmz" configured by someone before (now have to configure dmz "properly")

we're still trying to figure what the hell it sent out!  Thanks to you i was able to pin it!
Thank you steve and Good day!  :)

@jimp:

There are many posts here on the forum about that. Search for 192.168.100.1 or the llinfo error and you'll turn up several useful discussions.

http://forum.pfsense.org/index.php?topic=54171.0
http://forum.pfsense.org/index.php?topic=56330.0
http://forum.pfsense.org/index.php?topic=62964.0
http://redmine.pfsense.org/issues/2704

Since you mentioned in this post http://forum.pfsense.org/index.php/topic,62964.0.html that with v2.1 might be better I will wait for the final version.
At least I know what its causing my issue so I know how to fix it.

Depends on switching, bandwidth throughput, ect…

Low bandwidth + managed switches = Assuming the networks are on separate vlans, a pair of interfaces and using vlan separation.
Low(100MB)/Medium(1GB) bandwidth + unmanaged switches = 7 interfaces one for each network + one to the Cisco.
1GB+ then a LAAG configuration or 10GB nics.

Why not just use pfSense as the firewall and default gateway?  ...wouldn't be the first time a 5xx/2xxx/3xxx series router was replaced by a pfSense box;)

Ah, two different interpretations of the VPN requirement.
When you said home country did you mean where your pfSense will be or somewhere else you previously lived?

Steve

there will be no problem with the amount of ip, just in case be sure have the same segment on the lan and the network mask, read about nat 1to1 or just in case that have less ip but have mores services, port forwarding

cheers

hold on, you have some virtual interface to create a vlan? you must have the trunk, and then some vif(default gw for those nics) to connect internal and do the routing and everything! another thing its know if the card support vlan tag, and you should be good, when the package of the new nic, comes can you provide some review of the performance…

Sweet! Thansk for the quick and seemingly absolutely correct reply :)

OK,

i entered:
date 1306171306 which sets the clock on "june 17 2013 at 13:06"

my mistake was:
date 201306171306 -> so i entered 2013 for year –> and that didn't work ::)

can u elaborate more? What is it for?

if a user is signing on with there auth keys. why do i need this?

i can delete them? can i regenerate new keys?

can i delete the DSA and the other one, and just keep RSA? can i change then to 4096 bits?

any where i can read up more on this?

@cmb:

I'd just run Security Onion rather than Snort on the firewall.

I guess he's trying to achieve some sort of IPS-like functionality, where the triggering of a Snort rule not only creates an alert but also dynamically adds the offending IP(s) to the firewall's block-list, similar to what is (at long last ;-) offered by pfSense's Snort-package.

i will try them all

For example if I run 'ipconfig /all' on this machine, WinXP home set to get it's details via dhcp from pfSense:

C:\Documents and Settings\Steve>ipconfig /all Windows IP Configuration         Host Name . . . . . . . . . . . . : NewTuring         Primary Dns Suffix  . . . . . . . :         Node Type . . . . . . . . . . . . : Mixed         IP Routing Enabled. . . . . . . . : No         WINS Proxy Enabled. . . . . . . . : No         DNS Suffix Search List. . . . . . : fire.box Ethernet adapter Local Area Connection:         Connection-specific DNS Suffix  . : fire.box         Description . . . . . . . . . . . : Realtek RTL8139/810X         Physical Address. . . . . . . . . : 00-30-1B-AB-18-C3         Dhcp Enabled. . . . . . . . . . . : Yes         Autoconfiguration Enabled . . . . : Yes         IP Address. . . . . . . . . . . . : 192.168.2.10         Subnet Mask . . . . . . . . . . . : 255.255.255.0         Default Gateway . . . . . . . . . : 192.168.2.1         DHCP Server . . . . . . . . . . . : 192.168.2.1         DNS Servers . . . . . . . . . . . : 192.168.2.1         Lease Obtained. . . . . . . . . . : 16 June 2013 11:16:05         Lease Expires . . . . . . . . . . : 16 June 2013 13:16:05

I am then able to ping other machines by their hostname:

C:\Documents and Settings\Steve>ping NewBabbage Pinging NewBabbage.fire.box [192.168.2.2] with 32 bytes of data: Reply from 192.168.2.2: bytes=32 time<1ms TTL=128 Reply from 192.168.2.2: bytes=32 time<1ms TTL=128 Reply from 192.168.2.2: bytes=32 time<1ms TTL=128 Reply from 192.168.2.2: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.2.2:     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds:     Minimum = 0ms, Maximum = 0ms, Average = 0ms

This works even though 'fire.box' is not a real domain, or at least it's not my domain.

Interestingly this works even though I don't have 'Register DHCP leases in DNS forwarder' set in pfSense.  :-\

Steve

Sure sounds like the Teaming on the server and Link Aggregation on the switch is not working together. If you have Intel NICs this article might come in handy:

http://www.intel.com/support/network/sb/cs-009747.htm