Two pfsense for shaper and squid at the same time? how?
-
I installed the 2nd pfsense box, manufactured a crossover cable, configured as said before and at least I can surf the net, rss; but have not tested the shaper yet; I'll do these tests tomorrow morning.
But one strange thing that I've noticed is that I cannot log on to msn anymore; traffic shaping on both pfsense is enabled with low priority for msn (enabled on both, but as I use squid in one, the shaper in this pfsense does not act), but we never had any problem logging into msn or any other kind of messenger.. any idea?
thanks
-
are you by any chance using the imspector package?
-
no, I'm not using it; I discovered now (other users discovered ;D) that gmail isn't working (I think that is some problem with https), and other services that require special ports opened; do I have to do any other kind of config in nat or firewall?
I also cannot access simple sites such as http://mail.yahoo.com/ or www.hotmail.com, that aren't in any black list or ACL
thanks
-
Can you make sure dns is working correctly? Maybe some hosts are not resolved properly?
-
I configured the second pfsense with the same dns servers I used in the first one; I have found something: when I disable transparent proxy everything (the sites that are working) stops working; I think the problem with the sites that are not working is that they have some part in https and can't contact this or it can't return to the client… it seems that only the proxy is accessing the internet; when I turn it off everything stops... what do you think?
thanks
-
One thing that comes to mind is that you have to do some more magic at the pfSense that is facing the internet (pfSense2):
firewall>nat, outbound:
enable manual outbound nat. It will create a rule for you automatically. Edit that rule and change the source from "network" to "any". Otherwise it won't nat the traffic for clients that are not in the LAN of pfSense2.
firewall>rules, lan tab:
edit the default lan to any rule. Make it read source "any" too instead of "lan subnet". We are not natting so the clients from the network behind pfSense1 are not allowed yet.
That's why only things that go through the proxy work currently, but not ports or protocols that don't use it. Guess that should get it working.
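As an added illustration of the two edits above (and of the implicit block-all rule described later in the thread), here is what the "before" and "after" states look like written as plain pf rules. This is not pfSense's generated ruleset or Hoba's configuration; the interface names fxp0/fxp1, the 192.168.1.0/24 crossover-link subnet between the two boxes and the 10.0.0.0/16 network behind pfSense1 are assumptions for the example.

```pf
# Added example, not pfSense's own generated rules. Assumed names and subnets:
#   $wan_if  = pfSense2 interface facing the internet
#   $lan_if  = pfSense2 interface on the crossover link to pfSense1
#   $lan_net = 192.168.1.0/24, the subnet of that crossover link
# Clients behind pfSense1 (assumed 10.0.0.0/16) arrive on $lan_if with
# their original 10.0.x.x source addresses, because pfSense1 is not natting.
wan_if  = "fxp0"
lan_if  = "fxp1"
lan_net = "192.168.1.0/24"

# --- Before editing (what "enable manual outbound NAT" creates) ---
# Only pfSense2's own LAN subnet is translated and passed.  A packet from
# 10.0.0.5 matches neither rule: it is dropped by the implicit block, and
# even if it were passed it would leave the WAN with a private source
# address and never get a reply.
#   nat on $wan_if from $lan_net to any -> ($wan_if)
#   pass in quick on $lan_if from $lan_net to any keep state
# Connections made by the proxy itself originate from a crossover-link
# address inside $lan_net (or locally on pfSense2), which is why proxied
# web traffic worked while direct client connections did not.

# --- After the two edits from the post above ---
# Outbound NAT with source "any": every packet leaving the WAN is translated,
# whatever network it came from.
nat on $wan_if from any to any -> ($wan_if)

# Simplified rendering of the invisible rule pfSense appends to every
# interface: anything not matched by an explicit pass is silently dropped.
block in all

# LAN rule with source "any": hosts behind pfSense1 are now allowed through.
pass in quick on $lan_if from any to any keep state
```

After making the changes in the GUI, `pfctl -sn` lists the loaded NAT rules and `pfctl -sr` the filter rules, so you can confirm that the source of both rules really reads `any` rather than the crossover-link subnet.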
-
Hoba, it seems everything is ok, as you said ;D ;D ;D ;D
I will make tests with the other applications but it seems fine;
one more question: in default configuration does pfsense have ports closed or opened? let's say I want to access some oracle db on the internet (200.x.x.x), must I open the oracle ports in pfsense, in order that I could use some oracle based app, or in pfsense will these ports be opened until I close them?
thanks a lot!
-
Default configuration is LAN to WAN everything allowed (the default lan to any rule) and wan to lan everything is blocked silently. Basically everything that is not explicitly allowed at any interface is blocked. There is an invisible block all rule at the bottom of the firewall screen.
-
Default configuration is LAN-subnet to WAN everything allowed (the default lan to any rule) and wan to lan everything is blocked silently. Basically everything that is not explicitly allowed at any interface is blocked. There is an invisible block all rule at the bottom of the firewall screen.
ftfy
If you have a subnet behind another router behind pfSense it won't be able to get out per default.
–> The default rule has to be changed from "source: lan-subnet" to "source: any"
-
One thing that comes to mind is that you have to do some more magic at the pfSense that is facing the internet (pfSense2):
firewall>nat, outbound:
enable manual outbound nat. It will create a rule for you automatically. Edit that rule and change the source from "network" to "any". Otherwise it won't nat the traffic for clients that are not in the LAN of pfSense2.
firewall>rules, lan tab:
edit the default lan to any rule. Make it read source "any" too instead of "lan subnet". We are not natting so the clients from the network behind pfSense1 are not allowed yet.
That's why only things that go through the proxy work currently, but not ports or protocols that don't use it. Guess that should get it working.
Yep, that was something that I initially forgot to tell him ::)
-
well guys, now everything is working fine! thanks for your help. The next step is installing some cool software, such as ntop, snort, to monitor the network and help to make it secure and prevent security risk issues. Can this software be installed on any box? Would it make any difference?
Thanks
-
I would install it at the pfSense facing the internet.
-
I'm learning a lot of new things, :), and need to solve some questions:
about vlans, I've been reading about it and think that it would be useful to me to separate my info labs (intended for students) from the rest of the lan, is that right? now come the questions: as I've seen in the forum, each vlan needs an exclusive NIC to be assigned to. adding two nics, for example, to my pfsense facing the LAN, could I configure these two vlans even though the lan has only one physical layer, I mean, all working in switches that are connected to each other. This also means that those two vlan cables would be in the same switch.
Let's say that the answer is yes, and I can configure the vlans for the labs (10.0.3.0) and all the rest (10.0.0.0), I would add the respective macs to the vlan, is that it?
in my case, the pfsense that is facing the LAN is my shaping box; can shaping work with vlans?
Would RRD generate graphs for the new VLANs?
Would this work?
thanks one more time!
-
First of all: you don't need one physical interface per vlan. You can have multiple vlans on one physical interface. However a vlan is treated as an interface in pfsense which brings us back to the limitation that traffic shaping can currently only be done lan to wan and vice versa (will change in 1.3).
If you only want to separate the different departments you could use portbased vlans on the switches though. Just make the uplink port to the pfsense be member of all the vlans you have (like vlan2 students, vlan3 labs, …). The ports that go to students set to only use vlan2, the lab ports make vlan3 and so on. This would only involve configuring the switches and leave everything else the way it is now (pfSense and clients). All clients would still be in the same subnet but wouldn't be able to see each other anymore as the switchports are separated by the vlans. This method wouldn't break traffic shaping either.
-
ok Hoba, I understand and thanks your information.
I think for now it has to be like it is; my switches are 3com but don't support vlans; this is why I thought I could use pfsense to do that! but it's ok, I can wait for 1.3 or the new switches :)
thanks one more time.
-
For portbased vlans you only need one vlan capable switch (if you can make every department use one switch behind it then). A small 8 port switch like an hp procurve 1800-8g would do. Set it up to have all vlans (2,3,4,5,6,7,8) on port 1 (the one that goes to the pfSense) and make all other ports be in a single vlan only (port2=vlan2, port3=vlan3,…). Then hook up the switches of all departments to unique ports (like switches with ports for students to port2, switches with ports for labs to port3, ...). This will give you the separation and that switch is rather cheap.
-
Yes, I understand, it would be as if I had lots of nics in a pfsense gw, with every nic linked to one switch, isn't it? the big problem of our institution's structured cabling project is that there is only one uplink from the main switch to the other switches/buildings; so I cannot separate my network physically, and today all departments work within a linear network project
There is one switch that uplinks to all the lab switches; maybe in this one I could install a manageable one and have the vlans, but there is no exclusive uplink from this switch to my pfsense, the uplink is shared by the rest of the network…
But Hoba, the way it is working today is fantastic.
One question: with vlans may I have different dhcp servers? even though they share the same physical lans?
thanks
-
If you convert everything to vlans (tagged vlans at the pfsense in that case) you could have separate dhcp servers for every vlan, yes, though they share the same physical uplink. The switches have to separate the clients/ports into the different vlans then. The logical layout of that would be a pfsense with a physical nic per vlan and a dedicated switch connected to each of these nics with only lab clients sitting on one of them, only students sitting at the other one and so on. However, keep in mind that this will be a situation that can't be shaped properly in pfSense 1.2 currently. The next version will support this though.
-
Hey guys, how are you?
I need to make a little upgrade in this configuration (pfsense node) and want your opinion:
I need to add a 3rd network card and create a static route to a new network, that is on another internet link I have purchased, and I think it should be done on the NAT pfsense; so I would add a 3rd NIC on my NAT pfsense and configure a static route (200.123.x.x go to 3rd NIC) and my question is, as this config is not being done on my shaper pfsense (this is another box running only the shaper), I think I would not have problems with the traffic shaper; is that right?
thanks a lot
srs