Netgate Discussion Forum

    Packets dropping after installing ipguard_dev

    pfSense Packages
    13 Posts 3 Posters 2.2k Views
    • A
      ashima LAYER 8
      last edited by

      Hello,

      I need help urgently. My setup:

      Wan : dhcp
      Lan : 192.168.4.1/24

      Packages installed : snort and ipguard_dev

      Things worked fine before installing ipguard_dev. I was able to ping my local machine. After installing ipguard I am unable to access my pfSense box.

      My ipguard conf is as follows:

      00:07:e9:5d:bc:ac 192.168.4.1 pfsense box
      e8:9a:8f:bb:d0:8f 192.168.4.10  my pc given a static ip by dhcp static arp
      00:00:00:00:00:00 192.168.4.128/25  for all other pc my dhcp range is 192.168.4.128 - 192.168.4.254

      In my ipguard log file

      Aug 17 16:02:10 warring fopen(/usr/local/etc/ipguard_lan.conf): No such file or directory
      Aug 17 16:02:10 notice em1 00:07:e9:5d:bc:ac 192.168.4.1 (1 pairs) fake de:ad:d:fc:09:ee
      Aug 17 16:02:10 warning stat(/usr/local/etc/ipguard_lan.conf): No such file or directory
      Aug 17 16:02:59 notice xxxx: e8:9a:8f:bb:d0:8f 192.168.4.10 192.168.4.1

      I am not able to diagnose the issue. I'll be grateful if someone can help me. The file ipguard_lan.conf is present but I don't understand why it says No such file or directory.

      Thank you,
      with regards
      Ashima

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        @ashima:

        The file ipguard_lan.conf is present but I don't understand why it says No such file or directory.

        Because PBI is piece of junk? This package is not ready for anything starting from pfSense 2.1, apparently.

        1 Reply Last reply Reply Quote 0
        • A
          ashima LAYER 8
          last edited by

          Then which package should I use to prevent users from changing their IPs?
          Basically I want all users except the HR dept to have more restricted internet (the HR dept will have a bit less restricted internet access).

          I have lan dhcp range from 192.168.4.128- 192.168.4.254.

          I have given static ip to devices from HR department (between range 192.168.4.10 to 192.168.4.126)
          But if a user (from another department) just changes his IP address to, say, 192.168.4.20, then he'll be able to get less restricted internet access.

          How do I restrict such a user? Please help.
          regards,
          Ashima

          1 Reply Last reply Reply Quote 0
          • F
            fragged
            last edited by

            Don't give admin access to employees? Other than that you could put them on another subnet which is then restricted.

            Or better yet, don't bother with stupid restrictions?

            1 Reply Last reply Reply Quote 0
            • D
              doktornotor Banned
              last edited by

              Sounds like a job for a smart switch rather than pfSense. I'll look into fixing the package paths; this is outright dangerous when you configure the thing and lock yourself out because the config is ignored due to a wrong path.

              EDIT:

              @OP:

              cd /usr/local/pkg
              mv ipguard.inc ipguard.inc.orig
              fetch https://raw.githubusercontent.com/doktornotor/pfsense-packages/patch-5/config/ipguard/ipguard.inc

              Reconfigure the package and report back.

              1 Reply Last reply Reply Quote 0
              • A
                ashima LAYER 8
                last edited by

                Thanks to doktornotor.

                The patch is indeed working. Thank you very much. I am no longer getting locked out.

                I have a simple question. Does ipguard have a limitation in terms of the number of users? I have tested this setting with 3 users; if the number of users increases to more than 50, will it be able to handle it?

                I have two sets of users with different internet restrictions.
                Which of the two configurations is better:

                1. Two lan cards for LAN connection with different subnet say 192.168.4.0/24 and 192.168.5.0/24. Then using squid to have different restriction for each subnet.

                2. Define the dhcp range as 192.168.4.128-192.168.4.254. Apply internet restriction for 192.168.4.128/25 using squid. Give static IPs in the range 192.168.4.2 to 192.168.4.127. Use ipguard to prevent users from changing their IP.

                I have around 50 users altogether.

                Thank you.
                with warm regards,
                Ashima

                1 Reply Last reply Reply Quote 0
                • D
                  doktornotor Banned
                  last edited by

                  @ashima:

                  Thanks to doktornotor.

                  The patch is indeed working. Thank you very much. I am no longer getting locked out.

                  I have a simple question. Does ipguard have a limitation in terms of the number of users? I have tested this setting with 3 users; if the number of users increases to more than 50, will it be able to handle it?

                  Hmmm… LOL. I never used the package or even seen the package previously. I only fixed it. :D

                  But anyway: this has no limit on the IP/MAC pairs... cannot imagine performance issues either. It just IMHO becomes painful to maintain when the numbers grow. Also, 1/ and 2/ aren't easily comparable. This frankly imposes no limitations... it just breaks things for hosts not whitelisted by sending spoofed ARP replies to them.

                  BTW, refetch the file. I made it recreate the symlink every time you change the configuration (think it's better so it doesn't point to wrong file if people change interfaces assignment.)

                  1 Reply Last reply Reply Quote 0
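To make the whitelist semantics from the config posted above and doktornotor's description concrete (a listed MAC/IP pair is left alone; any other host that claims an IP gets spoofed ARP replies), here is an added Python checker that evaluates observed ARP pairs against an ipguard-style ethers file. It is not code from the ipguard package or the pfSense port; it assumes the line format `MAC IP[/prefix] comment` and treats the all-zero MAC as "any MAC may use this range", which is how the poster uses it for the DHCP pool.

```python
"""Classify observed (MAC, IP) pairs against an ipguard-style ethers whitelist.

Added example, not the ipguard package's own code. Assumption: a line is
'MAC IP[/prefix] free-text comment', and MAC 00:00:00:00:00:00 wildcards
the MAC for that IP range (as in the poster's DHCP-pool entry).
"""
import ipaddress
import re

LINE_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)(?:\s+(.*))?$", re.I)
ANY_MAC = "00:00:00:00:00:00"

# Constructed from the configuration quoted in the thread.
SAMPLE_CONF = """\
# pfSense LAN whitelist
00:07:e9:5d:bc:ac 192.168.4.1 pfsense box
e8:9a:8f:bb:d0:8f 192.168.4.10 HR pc, static ip
00:00:00:00:00:00 192.168.4.128/25 dhcp pool, any mac
"""


def parse_ethers(text):
    """Return [(mac, ip_network, comment)]; blank and '#' lines are skipped.
    A host IP without a prefix becomes a /32 network."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed ipguard entry: {raw!r}")
        mac, target, comment = m.groups()
        net = ipaddress.ip_network(target, strict=False)
        rules.append((mac.lower(), net, comment or ""))
    return rules


def classify(rules, mac, ip):
    """'allowed'  : the pair matches an entry (or a wildcard-MAC range)
    'mismatch' : the IP is reserved for a different MAC
    'unknown'  : no entry covers the IP at all
    ipguard treats the last two as hosts to answer with spoofed ARP replies,
    so a host that moves itself into the unlisted static range (.2-.127)
    lands in 'unknown' rather than gaining the HR policy."""
    addr = ipaddress.ip_address(ip)
    covering = [r for r in rules if addr in r[1]]
    if not covering:
        return "unknown"
    if any(r[0] in (ANY_MAC, mac.lower()) for r in covering):
        return "allowed"
    return "mismatch"
```

Feeding the sample config the poster's own pairs gives `allowed` for the pfSense box and the HR PC, `mismatch` for a foreign MAC claiming 192.168.4.10, and `unknown` for any MAC on 192.168.4.20.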
                  • A
                    ashima LAYER 8
                    last edited by

                    Hello,

                    Things are going crazy. I am able to ping my pfSense box from my PC and vice versa but unable to access the webGUI or any internet site. I am able to ping any site from my PC as well as from the pfSense box but it's not allowing me to surf.

                    Here's my setup detail :

                    pfsense 2.2.3 64 bit with snort, ipguard, squid, squidguard.

                    It was working fine but don't know what caused this.

                    I have refetched the ipguard.inc file.

                    My /var/log/ipguard_lan.log  shows

                    Aug 18 16:40:18 notice xxxx: de:ad:a0:6a:40:e5 169.254.68.237 169.254.68.237
                    Aug 18 16:40:18 notice xxxx: de:ad:45:42:ae:e2 169:254:161.105 169.254.161.105

                    These lines keep repeating continuously.

                    Also in pfTop on console

                    tcp I 192.168.4.10:1224    192.168.4.1:443    4:4    1274

                    These messages keep repeating. 192.168.4.10 is my local PC. These messages keep coming even when my PC is not connected to the pfSense box.

                    I can't make out what's going wrong. Is it due to ipguard?
                    Please help

                    Thanks
                    Regards,
                    Ashima

                    1 Reply Last reply Reply Quote 0
                    • D
                      doktornotor Banned
                      last edited by

                      Look, I am unable to provide support for this package. I fixed it so that it actually is able to read its own configuration and work. I did not write the package, I never used the package. Any PEBKAC misconfiguration -> your own problem.

                      Read the package docs, read the GUI notes, stop blacklisting yourself. This package is dangerous when not configured properly!!! 169.254.x.x is APIPA, sounds like your DHCP is not working or what, may not even be related to the package at all. Cannot see how's that iftop output related. Also, frankly not familiar with iftop at all.

                      Also, installing a huge slew of intrusive packages at once is NOT the way to go here. Get ONE thing working, move to another. Do NOT install anything else until the previous thing is tested and working. There are huge chances of Snort blocking things out of the blue. And the Squid* stuff is known to be a huge source of trouble universally.

                      1 Reply Last reply Reply Quote 0
                      • A
                        ashima LAYER 8
                        last edited by

                        Thanks doktornotor for all your help.  As of now I guess I can change the status to solved. Thanks for the patch.

                        Of course I have installed one package at a time, tested it and moved on to the next. In fact I have been working on this for the past month.

                        I guess I'll repost my issue of getting locked in different category in the forum.

                        with warm regards,
                        Ashima

                        1 Reply Last reply Reply Quote 0
                        • D
                          doktornotor Banned
                          last edited by

                          BTW, package version 0.1.1 is merged, no need for manual hacks any more.

                          1 Reply Last reply Reply Quote 0
                          • A
                            ashima LAYER 8
                            last edited by

                            I am sorry for the late reply… but I didn't get your point: 0.1.1 is merged, no need for manual hacks.
                            Does that mean I need not install ipguard and I can do MAC-IP pairing?

                            BTW, the IP Guard problem got completely solved.

                            1st, install the patch as suggested by doktornotor.
                            2nd, I had more than 2 network interfaces, so IP Guard expects an entry for all network interfaces in the ethers file.

                            Thanks a ton.

                            1 Reply Last reply Reply Quote 0
                            • D
                              doktornotor Banned
                              last edited by

                              @ashima:

                              I am sorry for the late reply… but I didn't get your point: 0.1.1 is merged, no need for manual hacks.
                              Does that mean I need not install ipguard and I can do MAC-IP pairing?

                              No, I mean you can simply install the updated package….

                              1 Reply Last reply Reply Quote 0
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.