Packets dropping after installing ipguard_dev



  • Hello,

    I need help urgently. My setup:

    Wan : dhcp
    Lan : 192.168.4.1/24

    Packages installed : snort and ipguard_dev

    Things worked fine before installing ipguard_dev. I was able to ping my local machine. After installing ipguard I am unable to access my pfSense box.

    My ipguard conf is as follows

    00:07:e9:5d:bc:ac 192.168.4.1 pfsense box
    e8:9a:8f:bb:d0:8f 192.168.4.10  my pc, given a static ip by dhcp static arp
    00:00:00:00:00:00 192.168.4.128/25  for all other pcs; my dhcp range is 192.168.4.128 - 192.168.4.254

    In my ipguard log file

    Aug 17 16:02:10 warring fopen(/usr/local/etc/ipguard_lan.conf): No such file or directory
    Aug 17 16:02:10 notice em1 00:07:e9:5d:bc:ac 192.168.4.1 (1 pairs) fake de:ad:d:fc:09:ee
    Aug 17 16:02:10 warning stat(/usr/local/etc/ipguard_lan.conf): No such file or directory
    Aug 17 16:02:59 notice xxxx: e8:9a:8f:bb:d0:8f 192.168.4.10 192.168.4.1

    I am not able to diagnose the issue. I'll be grateful if someone can help me. The file ipguard_lan.conf is present but I don't understand why it says No such file or directory.

    Thank you,
    with regards
    ashma


  • Banned

    @ashima:

    The file ipguard_lan.conf is present but I don't understand why it says No such file or directory.

    Because PBI is a piece of junk? This package is not ready for anything starting from pfSense 2.1, apparently.



  • Then which package should I use to prevent users from changing their IPs?
    Basically I want all users except the HR dept to have more restricted internet (the HR dept will have a bit less restricted internet access).

    I have a LAN DHCP range from 192.168.4.128 - 192.168.4.254.

    I have given static IPs to devices from the HR department (in the range 192.168.4.10 to 192.168.4.126).
    But if a user (from another department) just changes his IP address to, say, 192.168.4.20, then he'll be able to get less restricted internet access.

    How do I restrict such a user? Please help.
    regards,
    Ashima
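    As an added example (not code from this thread or from the ipguard package), a small Python audit that reads an ethers list in the shape the OP posted (MAC, then IP or CIDR, with the all-zero MAC taken as "any MAC", as the OP's own last entry implies) and checks it against log lines in the shape shown above. It flags the unreadable-config warning that caused the lockout, APIPA addresses, and MAC/IP pairs that are not whitelisted, such as a host that moved itself to 192.168.4.20. Reading the "notice xxxx:" fields as MAC, IP, target IP is an assumption, and the sample data is constructed.

```python
import ipaddress
import re

# Constructed sample: the three entries the OP posted, "MAC IP [comment]"
ETHERS = """\
00:07:e9:5d:bc:ac 192.168.4.1 pfsense box
e8:9a:8f:bb:d0:8f 192.168.4.10 my pc
00:00:00:00:00:00 192.168.4.128/25 all other pcs (dhcp range)
"""

# Constructed sample log lines in the shape the thread shows
LOG = """\
Aug 17 16:02:10 warning fopen(/usr/local/etc/ipguard_lan.conf): No such file or directory
Aug 17 16:02:59 notice xxxx: e8:9a:8f:bb:d0:8f 192.168.4.10 192.168.4.1
Aug 18 16:40:18 notice xxxx: de:ad:a0:6a:40:e5 169.254.68.237 169.254.68.237
Aug 18 16:40:18 notice xxxx: 00:11:22:33:44:55 192.168.4.20 192.168.4.1
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
ANY_MAC = "00:00:00:00:00:00"   # assumption: all-zero MAC means "any MAC" for that range
APIPA = ipaddress.ip_network("169.254.0.0/16")

def parse_ethers(text):
    """Return a list of (mac, network) pairs; raise ValueError on a malformed line."""
    pairs = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        mac, ip = fields[0].lower(), fields[1]
        if not MAC_RE.match(mac):
            raise ValueError(f"line {n}: bad MAC {mac!r}")
        pairs.append((mac, ipaddress.ip_network(ip, strict=False)))  # host or CIDR
    return pairs

def is_allowed(pairs, mac, ip):
    """A pair is whitelisted if an entry covers the IP and its MAC matches or is the wildcard."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net and emac in (ANY_MAC, mac.lower()) for emac, net in pairs)

def audit(ethers_text, log_text):
    """Walk the log and return (finding, detail) tuples a defender would want to see."""
    pairs = parse_ethers(ethers_text)
    findings = []
    for line in log_text.splitlines():
        if "No such file or directory" in line:          # config not read: lockout risk
            findings.append(("config-unreadable", line.split("(", 1)[1].split(")")[0]))
        m = re.search(r"notice \S+: (\S+) (\S+) (\S+)$", line)
        if not m:
            continue
        mac, ip, _target = m.groups()
        if ipaddress.ip_address(ip) in APIPA:             # DHCP failure symptom, not ipguard
            findings.append(("apipa", ip))
        elif not is_allowed(pairs, mac, ip):              # host outside the MAC/IP whitelist
            findings.append(("not-whitelisted", f"{mac} {ip}"))
    return findings
```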



  • Don't give admin access to employees? Other than that you could put them on another subnet which is then restricted.

    Or better yet, don't bother with stupid restrictions?


  • Banned

    Sounds like a job for a smart switch rather than pfSense. I'll look into fixing the package paths; this is outright dangerous when you configure the thing and lock yourself out because the config is ignored due to a wrong path.

    EDIT:

    @OP:

    cd /usr/local/pkg
    mv ipguard.inc ipguard.inc.orig
    fetch https://raw.githubusercontent.com/doktornotor/pfsense-packages/patch-5/config/ipguard/ipguard.inc

    Reconfigure the package and report back.



  • Thanks to doktornotor.

    The patch is indeed working. Thank you very much. I am no longer getting locked out.

    I have a simple question. Does ipguard have a limitation in terms of the number of users? I have checked this setting for 3 users; if the number of users increases to more than 50, will it be able to handle it?

    I have two set of users with different internet restriction.
    Which of the two configuration is better :

    1. Two LAN cards for the LAN connection with different subnets, say 192.168.4.0/24 and 192.168.5.0/24, then using squid to have different restrictions for each subnet.

    2. Define the DHCP range as 192.168.4.128-192.168.4.254. Apply internet restrictions for 192.168.4.128/25 using squid. Give static IPs in the range 192.168.4.2 to 192.168.4.127. Use ipguard to prevent users from changing their IP.

    I have around 50 users altogether.

    Thank you.
    with warm regards,
    Ashima


  • Banned

    @ashima:

    Thanks to doktornotor.

    The patch is indeed working. Thank you very much. I am no longer getting locked out.

    I have a simple question. Does ipguard have a limitation in terms of the number of users? I have checked this setting for 3 users; if the number of users increases to more than 50, will it be able to handle it?

    Hmmm… LOL. I never used the package or even seen the package previously. I only fixed it. :D

    But anyway: this has no limit on the IP/MAC pairs... cannot imagine performance issues either. It just IMHO becomes painful to maintain when the numbers grow. Also, 1/ and 2/ aren't easily comparable. This frankly imposes no limitations... it just breaks things for hosts not whitelisted by sending spoofed ARP replies to them.

    BTW, refetch the file. I made it recreate the symlink every time you change the configuration (think it's better so it doesn't point to the wrong file if people change the interface assignment.)



  • Hello,

    Things are going crazy. I am able to ping my pfSense box from my pc and vice versa but unable to open the webGUI or access any internet site. I am able to ping any site from my pc as well as from the pfSense box but it's not allowing me to surf.

    Here's my setup detail :

    pfsense 2.2.3 64 bit with snort, ipguard, squid, squidguard.

    It was working fine but don't know what caused this.

    I have refetched the ipguard.inc file.

    My /var/log/ipguard_lan.log  shows

    Aug 18 16:40:18 notice xxxx: de:ad:a0:6a:40:e5 169.254.68.237 169.254.68.237
    Aug 18 16:40:18 notice xxxx: de:ad:45:42:ae:e2 169:254:161.105 169.254.161.105

    These lines keep repeating continuously.

    Also in pfTop on console

    tcp I 192.168.4.10:1224    192.168.4.1:443    4:4    1274

    These messages keep repeating. 192.168.4.10 is my local pc. These messages keep coming even when my pc is not connected to the pfSense box.

    I can't make out what's going wrong. Is it due to ipguard?
    Please help

    Thanks
    Regards,
    Ashima


  • Banned

    Look, I am unable to provide support for this package. I fixed it so that it actually is able to read its own configuration and work. I did not write the package, I never used the package. Any PEBKAC misconfiguration -> your own problem.

    Read the package docs, read the GUI notes, stop blacklisting yourself. This package is dangerous when not configured properly!!! 169.254.x.x is APIPA, sounds like your DHCP is not working or what, may not even be related to the package at all. Cannot see how's that iftop output related. Also, frankly not familiar with iftop at all.

    Also, installing a huge slew of intrusive packages at once is NOT the way to go here. Get ONE thing working, move to another. Do NOT install anything else until the previous thing is tested and working. There are huge chances of Snort blocking things out of the blue. And the Squid* stuff is known to be a huge source of trouble universally.



  • Thanks doktornotor for all your help. As of now I guess I can change the status to solved. Thanks for the patch.

    Of course I have installed one package at a time, tested it and moved on to the next. In fact I have been working on this for the past one month.

    I guess I'll repost my issue of getting locked in different category in the forum.

    with warm regards,
    Ashima


  • Banned

    BTW, package version 0.1.1 is merged, no need for manual hacks any more.



  • I am sorry for the late reply… but I didn't get your point - 0.1.1 is merged, no need for manual hacks.
    Does that mean I need not install ipguard and I can do MAC-IP pairing?

    BTW, the ipguard problem got completely solved.

    1st, install the patch as suggested by doktornotor.
    2nd, I had more than 2 network interfaces, so ipguard expects an entry for all network interfaces in the ethers file.

    Thanks a ton.


  • Banned

    @ashima:

    I am sorry for the late reply… but I didn't get your point - 0.1.1 is merged, no need for manual hacks.
    Does that mean I need not install ipguard and I can do MAC-IP pairing?

    No, I mean you can simply install the updated package….