[pfSense] routing between subnets at same Interface - configuration not working on 2.4.1
Hello,

I cannot switch from version 2.3.3 to 2.4.1 because of the routing at the same interface.
I transferred the backup.xml from machine A (2.3.3) to machine B (2.4.1) and everything worked fine but the routing between subnets assigned at LAN-Interface.
There are multiple subnets set up via VirtualIPs and there are static routes to each of the subnets via the native LAN-Gateway address, e.g. route 192.168.110.0/24 via GW_LAN(192.168.100.1) and assigned VirtualIP in this case 192.168.110.1
Since this configuration runs well on 2.3.3 I wanted to ask whether there are major changes in default handling of traffic at the same interface. In 2.3.3 you don't need firewall rules to allow traffic between subnets at the same interface - did this change in 2.4.1?

Thanks!

Fabian
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] routing between subnets at same Interface - configuration not working on 2.4.1
Have you tried 2.4.2?

--
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Jan 30, 2018, at 02:57, Fabian Bosch wrote:
>
> Hello,
>
> I cannot switch from version 2.3.3 to 2.4.1 because of the routing at the same interface.
> I transferred the backup.xml from machine A (2.3.3) to machine B (2.4.1) and everything worked fine but the routing between subnets assigned at LAN-Interface.
> There are multiple subnets set up via VirtualIPs and there are static routes to each of the subnets via the native LAN-Gateway address, e.g. route 192.168.110.0/24 via GW_LAN(192.168.100.1) and assigned VirtualIP in this case 192.168.110.1
> Since this configuration runs well on 2.3.3 I wanted to ask whether there are major changes in default handling of traffic at the same interface. In 2.3.3 you don't need firewall rules to allow traffic between subnets at the same interface - did this change in 2.4.1?
>
> Thanks!
>
> Fabian

[pfSense] Force CA certificate installation as trusted root CA on WiFi clients
Dear,

I have pfSense + Squid in transparent mode.

I have to filter web sites and content in HTTPS with Squidguard, so I've created a self-signed CA certificate and a server certificate (signed by the CA) in pfSense. After that I defined the CA certificate in the Squid configuration tab from pfSense.

In order to let the WiFi clients navigate properly through the Squid transparent proxy, filtering everything we want with Squidguard, I have to force the installation of the CA certificate on them.

How can I automatically force the CA certificate installation as a trusted Root CA on WiFi clients, taking into account they can be Windows, Linux, Android, iPhone, etc.?

Thanks in advance.

ROBERT

Re: [pfSense] Force CA certificate installation as trusted root CA on WiFi clients
I'm assuming you're talking about devices you own/control.

Windows is easy, just push it out using AD
Linux you'd have to script something to push it out to each device with ssh or similar
iOS & Android you might have luck with Apple & Google's enterprise management systems, but I'm not sure they support pushing out certs

If they're not devices you own/control then you can't do it, that's not how SSL works.

Ed

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto Carna
Sent: Tuesday, January 30, 2018 11:57 AM
To: pfSense Support and Discussion Mailing List
Subject: [pfSense] Force CA certificate installation as trusted root CA on WiFi clients

Dear,

I have pfSense + Squid in transparent mode.

I have to filter web sites and content in HTTPS with Squidguard, so I've created a self-signed CA certificate and a server certificate (signed by the CA) in pfSense. After that I defined the CA certificate in the Squid configuration tab from pfSense.

In order to let the WiFi clients navigate properly through the Squid transparent proxy, filtering everything we want with Squidguard, I have to force the installation of the CA certificate on them.

How can I automatically force the CA certificate installation as a trusted Root CA on WiFi clients, taking into account they can be Windows, Linux, Android, iPhone, etc.?

Thanks in advance.

ROBERT

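Ed's suggestion to script the Linux rollout over ssh, sketched as an added example that is not part of the original thread. It assumes hosts you administer with key-based ssh and sudo; the host names and the certificate file name are hypothetical.

```shell
#!/bin/sh
# Added example: install an internal CA in the system trust store of
# managed Linux hosts over ssh. Not code from the thread.

# Map an os-release ID to "<anchor directory>|<refresh command>".
trust_store_for() {
    case "$1" in
        debian|ubuntu)      echo "/usr/local/share/ca-certificates|update-ca-certificates" ;;
        rhel|centos|fedora) echo "/etc/pki/ca-trust/source/anchors|update-ca-trust extract" ;;
        opensuse*|sles)     echo "/etc/pki/trust/anchors|update-ca-certificates" ;;
        *)                  return 1 ;;
    esac
}

# Build the command run on the target; the cert is staged in /tmp first.
remote_install_cmd() {
    id=$1 file=$2
    store=$(trust_store_for "$id") || { echo "unsupported distro: $id" >&2; return 1; }
    dir=${store%%|*}
    refresh=${store#*|}
    echo "sudo install -m 0644 /tmp/$file $dir/$file && sudo $refresh"
}

# usage: push_ca corp-ca.crt host1 host2 ...   (PEM file; Debian needs a .crt suffix)
push_ca() {
    cert=$1; shift
    # Refuse to distribute anything that is not marked as a CA certificate.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$cert is not a CA certificate" >&2; return 1; }
    file=$(basename "$cert")
    for host in "$@"; do
        # Ask each host which distro it runs, then pick the matching store.
        id=$(ssh "$host" '. /etc/os-release && echo "$ID"') || continue
        cmd=$(remote_install_cmd "$id" "$file") || continue
        scp -q "$cert" "$host:/tmp/$file" && ssh "$host" "$cmd" && echo "$host: installed"
    done
}
```

Applications that keep their own trust store, such as Firefox or a Java runtime, are not covered by the system anchors and need separate handling.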
Re: [pfSense] Force CA certificate installation as trusted root CA on WiFi clients
On Tue, Jan 30, 2018 at 01:56:34PM -0300, Roberto Carna wrote:
> How can I automatically force the CA certificate installation as a
> trusted Root CA on WiFi clients, taking into account they can be
> Windows, Linux, Android, Iphone, etc. ???

So, I'm going to re-word this in a way that may make it more obvious why the answer is what it is:

Q: How can I automatically undermine the basis of the SSL PKI by forcing my CA (which, by design, generates certificates for arbitrary sites and thereby main-in-the-middles all communications) onto third parties that happen to be traversing my network?

A: You can not -- at least not legally or ethically.

Re: [pfSense] Force CA certificate installation as trusted root CA on WiFi clients
On Tue, Jan 30, 2018 at 12:22:50PM -0500, Izaac wrote:
> main-in-the-middles

man-in-the-middle

Re: [pfSense] Force CA certificate installation as trusted root CA on WiFi clients
On 30/1/18 5:22 pm, Izaac wrote:
> Q: How can I automatically undermine the basis of the SSL PKI by forcing my CA (which, by design, generates certificates for arbitrary sites and thereby main-in-the-middles all communications) onto third parties that happen to be traversing my network?
>
> A: You can not -- at least not legally or ethically.

This is a good - and often overlooked - point. Ask yourself why you are trying to do this. You are undermining the basis of secure communications, and opening up your users to considerable risks whenever they access online banking, or indeed any other service that expects a secure connection to transfer sensitive data. Is it really worth it just to block a few undesirable websites?

Assuming you're in a corporate environment, might not a simple 'IT/Internet Policy' addendum to employees' contracts cover this far more effectively?

Kind regards,

Chris
--
This email is made from 100% recycled electrons

Re: [pfSense] routing between subnets at same Interface - configuration not working on 2.4.1
Hi Fabian,

Have you set?:
System/Advanced/Firewall & NAT: "Static route filtering, Bypass firewall rules for traffic on the same interface"

As for your 'static routes', I'm not sure what purpose they serve. Routing between subnets known on a pfSense interface is 'automatic'.

Regards,
PiBa-NL

On 30-1-2018 at 9:57, Fabian Bosch wrote:
> Hello,
>
> I cannot switch from version 2.3.3 to 2.4.1 because of the routing at the same interface.
> I transferred the backup.xml from machine A (2.3.3) to machine B (2.4.1) and everything worked fine but the routing between subnets assigned at LAN-Interface.
> There are multiple subnets set up via VirtualIPs and there are static routes to each of the subnets via the native LAN-Gateway address, e.g. route 192.168.110.0/24 via GW_LAN(192.168.100.1) and assigned VirtualIP in this case 192.168.110.1
> Since this configuration runs well on 2.3.3 I wanted to ask whether there are major changes in default handling of traffic at the same interface. In 2.3.3 you don't need firewall rules to allow traffic between subnets at the same interface - did this change in 2.4.1?
>
> Thanks!
>
> Fabian