clearsight 0 Posted ...

> Going on the understanding that your setup is exactly as given in the guide, your firewall is blocking all SMTP traffic. The setup given in the guide only allows WAN traffic on the following ports:
>
> Port 21 - FTP control (command)
> Port 43 - WHOIS protocol (if you use a WHOIS program to attain host records)
> Port 80 - Hypertext Transfer Protocol (HTTP)
> Port 143 - Internet Message Access Protocol (IMAP), management of email messages
> Port 443 - Hypertext Transfer Protocol over TLS/SSL (HTTPS)
> Port 990 - FTPS protocol (control), FTP over TLS/SSL
> Port 993 - Internet Message Access Protocol over TLS/SSL (IMAPS), i.e. secure email
> Port 1024:65535 - Registered and ephemeral ports
>
> Go to the Firewall -> Aliases -> Ports menu and add ports 465 and 587 to the WAN_SERVICE_PORTS alias. That will allow SMTP traffic.

WOHOO, that solved it! Adding things to the Aliases. Great. THANK YOU
Dakuon 0 Posted ...

Superb guide, but I have an issue. I have terrible speed loss while using pfSense for some reason. Out of my 500/500 I get some terrible results. I compared speed on pfSense and Debian 8.7.1 on the same AirVPN server, with info from the same generated config:

pfSense: 90/200
Debian CLI (installed Debian with no features/GUI, added the OpenVPN client through apt-get and applied the conf): 450/400

Any ideas? I'd be fine with running the VPN from Debian, but I can't figure out how to route the traffic, so I'm stuck there.
zhang888 1066 Posted ...

Make sure that the proper hardware crypto acceleration is enabled. Try cryptodev, RDRAND, depends on your CPU, and choose which works best for you. A reboot is required after each change.

-- Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
bama 0 Posted ...

Hello community, I'm very new and nervous when it comes to setting up pfSense, but I did follow the guide and it works. However, I don't get my expected speeds and truly suspect it's my ISP. I'd be grateful if someone could thoroughly explain how to set up OpenVPN over SSL with the current setup provided by pf_sensefan. I'd really like to hide the OpenVPN encryption fingerprint. To any who choose to help or point me to proper resources, many thanks.
dIecbasC 38 Posted ...

Before we jump into adding SSL on top, can you clarify a few things first, as this may not be the problem. Which ISP? What service are you on, 150/150 Mbps for example? What's your hardware? What are your expectations?
bama 0 Posted ...

dIecbasC, thanks for your attempt to help, and I'll try to be as specific as I can. Time Warner, now Spectrum, is the ISP: 300 Mbps down, 20 Mbps up. Hardware: pfSense SG-4860, direct from Netgate. I was expecting speeds anywhere from 100-200 Mbps down and 5-15 Mbps up. One thing I did expect is that the OpenVPN encryption process takes bandwidth, so I know I'll lose some in that process, and I know AirVPN servers have limitations at any given moment, but it just seems to me I should be getting more, also counting time of day and whether or not the ISP is providing max service.
dIecbasC 38 Posted ...

On my 150/150 line I was seeing 135/132ish, so about a 10% offset, with a Rangeley C2758 board at about 30% utilization. I would expect you should be able to achieve 200+/~17 with the right hardware. The SG-4860 has the Rangeley C2558 processor, which has its cores clocked at 2.4 GHz, same as my C2758, but as OpenVPN is primarily single-threaded that shouldn't be the issue. If you are seeing something really low like 20/10 then it's more than likely a config issue, double NAT or something; if you are seeing 150/15 then maybe some tweaking is needed. What exactly are you seeing perf-wise? Have you used speedtest.net to confirm, etc.?
bama 0 Posted ...

Speedtest.net on my 5 GHz I see only 50 Mbps+, but I use multiple tests like dslreports.com, also Network Analyzer and others, and I see speeds anywhere from 90 Mbps up to 131 Mbps down and 21 Mbps+ up. On 2.4 GHz I see speeds, no matter what test, around 40-60 Mbps down and 21 Mbps up.
dIecbasC 38 Posted ...

Don't even attempt to benchmark speed from a Wi-Fi connection; they are way too unreliable. Wi-Fi = convenient, not performant. Plug a cable in to remove that issue and let us know what you are seeing.
bama 0 Posted ...

I tried speedtest.net and dslreports.com from a wired connection and saw download speeds of 20-37 Mbps and upload speeds of 17-21 Mbps. I have no clue how to even begin to address this. Also, the CPU has Linux and I used DuckDuckGo as my browser. Again, thanks for your time and effort.
Dakuon 0 Posted ...

> Make sure that the proper hardware crypto acceleration is enabled. Try cryptodev, RDRAND, depends on your CPU, and choose which works best for you. A reboot is required after each change.

I have tried every possible thing I can think of to optimize it for the hardware, but I'm just not getting anywhere. Both Debian and pfSense run on ESXi with 12 cores and 2 GB memory each. Tried E1000, VMXNET 2 and 3 adapters.
Hobedei 0 Posted ...

Took me two tries to get the configuration correct (user error in the first attempt), but truly great tutorial. I never would have figured pfSense out without this. One thing you might add to the firewall alias rules are the SMTP ports; everything else seems to be there. Another thing about spending so much time with pfSense and your tutorial is that I feel much more comfortable making tweaks within the program.

-- Hak
rustintimberlake 13 Posted ...

At the moment pfSense is set up according to this tutorial (awesome guide and well written). The problem I'm having is that on my 200 Mbit/sec connection, speeds on NL servers drop to around 12-20 Mbit/sec over OpenVPN. Normally these servers tend to be the fastest for me. Main internet router is in 'modem mode'.

Custom settings:
server-poll-timeout 10; explicit-exit-notify 5; rcvbuf 524288; sndbuf 524288; bcast-buffers 4096; mlock; fast-io; mssfix 1300; keepalive 5 15; key-direction 1; keysize 256; prng SHA512 64; tls-version-min 1.2; key-method 2; tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384; tls-timeout 2; ns-cert-type server; remote-cert-tls server;

I think OpenVPN's fingerprint or something is triggering the ISP's filter, as when I download over qBittorrent I see a ton of authenticate/decrypt packet (bad packet ID) errors, like this:

Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971279 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971280 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971281 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971282 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971283 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971284 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971285 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 3 12:48:36 openvpn 62455 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #971286 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Using Eddie I could change the ports to SSH or SSL 80 / 443 and get higher speeds on uncongested servers. But how do I do that in pfSense, guys?
go558a83nk 364 Posted ...

> [quoting rustintimberlake's post above]

I think this is the 2nd or 3rd time somebody has asked this. I'm no expert by any means, and I figured it out myself by just looking around and posting on the pfSense forums. I'll write up something here for using an SSL tunnel. SSH doesn't require stunnel but may require installing something like bash. The other steps and actions are very similar.

You must install stunnel from the FreeBSD repo with a small workaround. It's recommended to install nano and screen from the pfSense repo.

1. Start by browsing to https://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/ . This is for 64-bit systems, which I assume all are these days. Find stunnel, and copy the link to it.

2. Open an SSH session to your pfSense machine and select 8 for the shell command line. I use PuTTY for this: https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe . Run it and put in the IP address of your pfSense machine, e.g. 192.168.1.1, with connection type SSH.

3. Via your SSH session, find or create a directory on the pfSense machine to which to download stunnel. Use fetch to download stunnel from the SSH prompt, like this:
   fetch https://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/stunnel-5.40,1.txz

4. Use pkg to install stunnel, nano and screen:
   pkg install stunnel-5.40,1.txz
   pkg install nano
   pkg install screen

5. Exit out of the shell session by typing exit at the command prompt, then re-enter the shell session by selecting option 8.

6. Download the config files you need from the AirVPN config generator page with your web browser. Then we will upload them to the pfSense machine via the web GUI: go to Diagnostics > Command Prompt and, in the upload file section, upload the *.ssl files you need for each server you may want to use, and upload a stunnel.crt file. If you've downloaded configs for several servers you may have many stunnel.crt files, but you only need to upload one; they're all the same.

7. Via the SSH session command line, move the files you've uploaded to a permanent location. Right now they're in the temp folder, as the web GUI told you.

8. This step is not necessary but should help with performance. I edit the .ssl files to use the least CPU-intensive TLS 1.2 cipher. By default it'll use a stronger cipher, but this isn't the real security layer; OpenVPN is. This is just meant to defeat DPI. Since your machine will be crunching SSL for stunnel and OpenVPN, choosing a weaker cipher here will save you some clock cycles. In the permanent directory to which you've moved the .ssl and stunnel.crt files, use nano to edit, e.g.:
   nano AirVPN_the_server_you_chose.ssl
   Under the line "options = NO_SSLv2" paste another line (no quotes) "ciphers = DHE-RSA-AES128-SHA256". Type Ctrl+O to save the changes, then Ctrl+X to exit nano.

9. Run stunnel using screen so that it runs in the background, like this:
   screen -dmS tunnel stunnel AirVPN_the_server_you_chose.ssl
   The options -dmS are important, and so is the letter case. "tunnel" is the name of the screen session; you can call that whatever you want.

10. Look via the web GUI of the pfSense machine at Status > System Logs to see that stunnel is running properly.

11. If it is, then proceed to editing your OpenVPN client by going to VPN > OpenVPN > Clients and editing your AirVPN client so that it goes through stunnel. The edits you must make to the OpenVPN client are: protocol must be TCP, interface must be localhost, server must be 127.0.0.1, server port must be 1413, and you must add to custom options, from the corresponding .ovpn file (same server as the .ssl file you started with stunnel), the line "route server_IP_address 255.255.255.255 net_gateway" (without quotes). Just open the .ovpn file for the server you chose with WordPad to copy and paste the line. If "explicit-exit-notify x" is in your custom options, remove it, as that option won't work with a TCP tunnel.

12. Click Save to save the changes to the OpenVPN client and it should connect. Again, you can look in the system logs to see more stunnel actions, and look at your OpenVPN status and logs, all via the web GUI.
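The two file edits in the post above (adding the lighter cipher under "options = NO_SSLv2" in the .ssl file, and turning the .ovpn's route line plus the existing custom options into the string the pfSense client needs) can be scripted so they are done the same way for every server file. The script below is an added example; it is not code from the post, from AirVPN or from pfSense. The .ssl and .ovpn contents are constructed stand-ins in the shape the post describes, the server address 203.0.113.10 is a documentation address rather than a real VPN server, and the ":1413" listener, the cipher name and the "net_gateway" route form are taken from the post itself.

```shell
#!/bin/sh
# Added example, not from the forum post or from AirVPN/pfSense:
# reproduces the two file edits from the stunnel procedure above on
# constructed stand-ins for the config-generator output.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SSL="$WORK/AirVPN_Example.ssl"
OVPN="$WORK/AirVPN_Example.ovpn"

# Constructed stunnel config in the shape the post describes (listener on
# 127.0.0.1:1413, "options = NO_SSLv2" present). 203.0.113.10 is a
# documentation address standing in for the VPN server, not a real one.
cat > "$SSL" <<'EOF'
client = yes
[openvpn]
accept = 127.0.0.1:1413
connect = 203.0.113.10:443
TIMEOUTclose = 0
verify = 3
CAfile = stunnel.crt
options = NO_SSLv2
EOF

# Constructed .ovpn for the same server; the route line is the one the
# post says to copy into the pfSense client's custom options.
cat > "$OVPN" <<'EOF'
client
dev tun
proto tcp
remote 127.0.0.1 1413
route 203.0.113.10 255.255.255.255 net_gateway
explicit-exit-notify 5
EOF

# Insert the cheaper TLS 1.2 cipher directly under "options = NO_SSLv2".
# stunnel only wraps OpenVPN to defeat DPI; OpenVPN remains the security
# layer, which is why a lighter cipher is acceptable here. Idempotent, so
# re-running it does not add a second ciphers line.
add_stunnel_cipher() {
    if grep -q '^ciphers = ' "$1"; then
        return 0
    fi
    awk '{ print } /^options = NO_SSLv2/ { print "ciphers = DHE-RSA-AES128-SHA256" }' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Pull the "route <server> 255.255.255.255 net_gateway" line out of the .ovpn.
# It pins the path to the real server on the WAN gateway, so stunnel's own
# TCP session is not pulled into the tunnel once the VPN route is up.
route_line() {
    grep '^route [0-9.]* 255\.255\.255\.255 net_gateway$' "$1"
}

# Build the custom-options string for the pfSense OpenVPN client:
# existing options (semicolon separated, as pfSense stores them) with
# explicit-exit-notify dropped (a UDP-only option, useless over the TCP
# tunnel), then the route line appended.
custom_options() {
    printf '%s\n' "$1" | tr ';' '\n' | awk '
        { sub(/^ +/, ""); sub(/ +$/, "") }
        $0 == "" { next }
        /^explicit-exit-notify/ { next }
        { printf "%s;", $0 }'
    printf '%s;' "$(route_line "$2")"
}

# Stand-alone demonstration.
add_stunnel_cipher "$SSL"
echo "--- edited stunnel config ($SSL) ---"
cat "$SSL"
echo "--- custom options for the pfSense OpenVPN client ---"
custom_options "keepalive 5 15; explicit-exit-notify 5; remote-cert-tls server" "$OVPN"
echo
# On the pfSense box the tunnel would then be started with:
#   screen -dmS tunnel stunnel "$SSL"
```

The script writes only into a temporary directory, so it is safe to run anywhere; on the pfSense box you would point SSL and OVPN at the files you moved to their permanent location instead, and paste the printed custom-options string into the client's Custom options field.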
Mufasa 0 Posted ...

Hi @pfSense_fan, your tutorial is second to none, sir, I salute you. It encouraged me to purchase a package. I do apologise, however, it was not until after that I saw your referral link. I purchased 3 months; it will be a year next time and I will hook you up then. I am a mere 2 years in on my pfSense adventure and I am looking forward to reading up on more on this forum.
Mufasa 0 Posted ...

Hi again guys, not sure if my issue is valid or not, but I can't help feeling that I have a leak somewhere. After following the tutorial I have an active VPN connection, and when it goes down so does the internet. Awesome. I have followed the rules set out for enabling torrenting through the VPN, and now that seems to be working great, or is it? I have noticed strange behaviour on my traffic graphs: even when downloading from Steam, WAN shows most traffic in, where AIR_VPN shows the same amount of traffic only going out. Is this normal behaviour? I apologize if this is the norm; I am new to this and just thought it was strange. Also, I use Squid. It was working before I started using AIR_VPN and appears to be working now, but are there any additional steps that I need to take to ensure that it is working properly? Again, sorry if this is a noob question, but the proxy is important to me because I have a house full of young children to protect. Thanks in advance.
go558a83nk 364 Posted ...

> [quoting Mufasa's post above]

Another user, posts on page 10 of this thread, found that the squid proxy was causing "leaks". So, you might begin there.
Mufasa 0 Posted ...

> [quoting Mufasa's own post and go558a83nk's reply above]

Yes, that indeed is my problem. I have noticed before that my torrent check was reporting back my WAN IP. Unfortunately there are no posts after it explaining, or whether it is even possible, to have the proxy running at the same time. I will quote Kaymio and see if they found a solution. Thanks.
Mufasa 0 Posted ...

> I'm a newbie to pfSense; this setup is the first I've done. For the most part it works as intended, except that unencrypted http traffic does not go through the tunnel. Visiting airvpn.org tells me I'm connected through the proper server. Checking http://myip.is reveals my real IP and LAN IP, while checking https://www.whatismyip.com/ reveals the IP of my VPN server. I stumbled upon it by accident, investigating the non-working DynDNS confirmation, which asks http://checkip.dyndns.org, which in turn returns the LAN address of my computer. It should be added that my pfSense box is sitting behind another NAT with a 10.0.0.0/24 range. I can't get rid of it... Did I miss something fundamental, or does the NAT on the WAN side of the box interfere with my routing? Help would be much appreciated!
>
> > If you followed the guide exactly it should not even be possible for your LAN devices to reach the WAN gateway.
>
> Well, I thought so too, and I think that I followed the guide to the point. Any suggestion on where I could have missed something? My first thought was that the PRIVATE NETWORKS could apply and might route my 192 /24 network through to the 10 /24 network. After removing the RFC1918 rules there was no change. A few days ago I had to add the SMTP port to the WAN PORTS so I could send mail. The connection attempts to the SMTP got caught, but why do the http attempts not get caught or routed properly?
>
> > Sorry, I won't be much help. My setup never followed the guide exactly and has strayed even further from it in time.
>
> I've found the culprit. The firewall rules are not the problem. After disabling the transparent squid proxy, behaviour is back to normal. Would I need extra rules if I wanted to run the proxy?

Kaymio, I am having the same issue. Did you find a solution? Thanks in advance.
Ismell5omthing5t!nKEE 0 Posted ...

I have been going by your guide, but something is not right. After seven times of restoring to factory defaults and entering in all the information from your guide exactly as it is, I still can't get Status/OpenVPN to show it is up (I have tried restarting the service). Now I will soon have two WANs, so I must get this working soon.
Mufasa 0 Posted ...

> Hi, awesome guide! Worked great, except for a problem with my local Cox IP being shown in dnsleak.com, and a few other leak tests. This issue was only happening with Squid Proxy running. Trying a ton of people's recommendations, nothing was working, including deleting X-Forwarded head mode and disabling VIA Header. This is what I found to work with Squid, even though it was frowned upon in the guide... I checked default gateway and the problem was solved. So if someone else is having this issue, hopefully this will save them some time. CHECK DEFAULT GATEWAY! Set as follows:
>
> Edit Gateway
> Disabled = [_] (UNCHECKED)
> Interface = [AirVPN_WAN ▼]
> Address Family = [IPv4 ▼]
> Name = [ AirVPN_WAN ]
> Gateway = [ dynamic ]
> Default Gateway = [_] (***** UNCHECKED, SEE NOTES BELOW)
> Gateway Monitoring = [√] Disable Gateway Monitoring (CHECKED)
>   NOTE: The monitoring service has caused more issues than it has corrected as of late, so we will disable it.
> Force state = [_] Mark Gateway as Down (UNCHECKED)
> Description = [ AirVPN_WAN ]
> [☼ Display Advanced] = (Unchanged)
>
> ***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe: in the event something went wrong, all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear_net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STANDPOINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers. This can be seen in the OpenVPN logs when using the "verb 4" setting. It shows up as:
>   write UDPv4: No buffer space available (code=55)
> The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct!

This method does not work properly for me. It does allow you to have both enabled, and SquidGuard works, but it puts extreme loads on the CPU and most sites won't resolve, giving error code 51 and the site's IP. You could add the sites in manually, but to me that would not make sense and could take a long time, because most sites could have more than one IP; it would be a hell of a list in a short period, putting yet more stress on the CPU.
Mufasa 0 Posted ...

Ok guys, I am coming to the conclusion that this is not possible. Everything I have read and tried has failed; it would seem that full-blown protection, in a sense, is just not possible. I read a post that pfsense_fan wrote himself on the old thread where he stated that it is not possible: enable Squid = leaks, disable Squid = no family protection, and the protection of my kids is paramount. Now my question is this: is there any way to route my kids' list of addresses past the VPN and through the proxy without it interfering with the VPN? And is memory speed important to pfSense? I have an old Dell PowerEdge with 2x 3 GHz quad-core Xeons in it. It has 16 GB of memory, but the memory is old and slow. I suppose in theory I could load Server onto that machine and run 2x pfSense instances on it. Do you guys think having 2 machines would get me out of the Squid bind? Or maybe there is an alternative to SquidGuard that would allow me similar power over my home network. Hope someone can help with this; most of this stuff is over my head, and I am out of time, I need to focus on other things at the minute. Thanks in advance.
ytsbs 0 Posted ...

NOW... it is working fine. THANK YOU for this HowTo! Three things didn't work:

1. My pfSense is getting internet from another router (10.0.0.1/24) which makes the real internet connection. Some other PCs are on this subnet too. From the pfSense subnet (10.0.2.0/24) I can't reach router 10.0.0.1 or other PCs in its subnet.
2. Impossible to ping from 10.0.2.0/24 to anywhere outside 10.0.2.0/24.
3. Impossible to make PPTP connections from subnet 10.0.2.0/24. From 10.0.0.0/24, PPTP connections are working.

Everything else I use/need in the pfSense/AirVPN network is working fine!
ytsbs 0 Posted ...

Points 1 and 2 are OK now... with a lot of trial and error... "Only" the PPTP passthrough didn't work...