Wednesday, December 05, 2012

Configuring Server 2008 to use the NTP Pool

Excellent article by Luka Manojlovic at http://luka.manojlovic.net/2011/06/24/windows-server-2008-2008-r2-ad-sync-with-external-ntp-server/ about configuring your Server 2008 to use the NTP Pool.  If you are in the US you may use us.pool.ntp.org.

Thanks, Luka!

Wednesday, October 31, 2012

pfSense: Remote Network Point to Point Link to VPN Over DSL Failover


The scenario: 

You have two locations, each with its own Internet connection, a dedicated point-to-point connection between the two, and a pfSense system at each site performing all routing.  You want the two sites to remain connected should the dedicated connection fail.

The solution:

Create a pfSense configuration with failover from the point-to-point connection to a site-to-site VPN utilizing the existing Internet connections at each site.

Steps:

1.  Create an OpenVPN Server on the main pfSense and a Client setup on the remote pfSense (I used pre-shared keys).  DO NOT set a route option in the Advanced box, as most instructions for configuring OpenVPN will suggest, nor should you have a static route to your remote network defined under System -> Routes.  Also note that IPSec cannot be used in this scenario as it doesn't create a new adapter that we can work with in the firewall rules and gateways.

2.  Check and see that the VPN turns on and connects via Status -> OpenVPN before proceeding.  If it does not then troubleshoot your Internet connectivity and OpenVPN settings.

3.  Go to Interfaces -> Assign and add Interface OPT3 with Network port ovpns1 on both the server and the client pfSense systems.

4.  On both your local and remote pfSense add a new Firewall Rule allowing all protocols from any source to any destination under both OPT3 and OpenVPN.

5.  On both your local and remote pfSense add OPT3 as a Gateway under System -> Routing -> Gateways leaving the Gateway and other options blank.

6.  On both your local and remote pfSense create a new Group under System -> Routing -> Groups.  The group will define your dedicated connection as Tier 1 and OPT3 as Tier 2.  My trigger level is set to Member Down.

7.  On both your local and remote pfSense create a new Firewall Rule under LAN which has all traffic from all sources bound for the remote network use the new Gateway Group (under Advanced) you created in Step 6.

8.  Test - unplug the point-to-point connection, monitor things under Status -> Gateways, wait a minute or so, and hopefully you will still be passing traffic albeit through the VPN.

Please Note:  Upgrading from pfSense 2.0.x to 2.1.x breaks this configuration - I am working to resolve the issue.  The issue I am running into is that the OpenVPN connection gets established but the routing and gateway monitoring for that link fails and never shows as UP in the Gateway groups.  Deleting the OPT3 interface and its gateway then recreating them fixed the issue.

Friday, September 14, 2012

IPiphony and pfSense

Got this working on a single-WAN pfSense this past week, quick rundown of my pfSense settings:

NAT forward TCP/UDP ports 10,000-20,000 to the internal IP of the IPiphony, and NAT forward port 5060 to the same internal IP.

Go to Firewall -> NAT -> Outbound and set it to Manual Outbound Rule Generation.  Edit the "Auto created rule for LAN to WAN" and make certain the Static Port box is selected.  Save and reboot then feel the joy!

Anybody get this working with multiwan failover?  My failover works but we have to reset the state table or (easier for the end user) reboot the pfSense computer to bring the VOIP system back up.

Update 18-Sep-12

The system had been having issues with disconnects on forward and I'm not certain if they're with the VoIP provider, the PBX, or the pfSense firewall.  The vendor who is in charge of the PBX tested it with a Cisco firewall and found the behavior continued, but I'm still not certain as it's possible the Cisco device is subject to the same failure.

If the undesired behavior continues I will be running through the troubleshooting steps at http://doc.pfsense.org/index.php/VoIP_Configuration.

Tuesday, August 21, 2012

Windows 7 Kiosk Lockdown

Why oh why won't Microsoft make a Steady State for Windows 7?  Even when users don't have administrative access to a Windows 7 desktop there are still a multitude of ways to waste time or foul things up.  My biggest concern is time wasting - I've seen staff try their hand at ASCII art, figure out how to invoke supposedly hidden applications, and do anything but get their work done using the computer.

If you've been itching to make your Windows 7 computer into a system that may only perform just a few tasks consider Inteset Secure Lockdown V2 - it's not free, but it will more than pay for itself in reduced headaches and increased productivity!

Check it out at http://shop.inteset.com/Category/14-lock-down-windows-7-and-internet-explorer-for-kiosks.aspx

IT's Kris Haynes: Scan to Email - Exchange 2007

This one had stumped me for quite some time.  Even after reading numerous blogs and expert advice sites I couldn't make this work to my satisfaction - I could get it working internally but not externally.  Today I found IT's Kris Haynes: Scan to Email - Exchange 2007 - Thank you Kris, you rock!

Monday, August 20, 2012

HP LaserJet Printer Drivers for Windows 7 x64

64 Bit Windows has finally come into its own and is the preferred platform versus 32 Bit in most situations.  Unless you're using an old HP printer, then it becomes a potentially serious issue.  I've found that most of the Vista 64 bit drivers work just fine in Windows 7.

If you're using a network printer it becomes a bit trickier - the Host Based Printing Systems don't print across the network, so they're right out even though they are often available in a 64 bit edition.

HP Universal Printing often works, and often does not.  For example it wouldn't work with a network connected Color LaserJet 3600 Series.  Instead I used the Vista driver from http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=501046&prodTypeId=18972&prodSeriesId=501044&swLang=8&taskId=135&swEnvOID=2100.

Thursday, August 16, 2012

Setting Up pfSense 2.x with Multiple WAN Connections and Squid in Transparent Mode

Setting up pfSense with multiple WAN connections configured for failover is easy.  Setting one up in a pfSense that has Squid Proxy is not obvious - in fact, there is a lot of conflicting information.  Ultimately http://forum.pfsense.org/index.php/topic,38882.0.html provided the answers I was looking for.

Interesting Note 27-Aug-2012:  This configuration broke the ability of the package manager to check the repository and install packages, resulting in unpredictable behavior at best.  To compensate you must disable the Transparent Proxy and disable Allow Users on Interface as well as disabling the new floating rule that enables Squid to function.

Update 15-Oct-13:  The proper floating firewall rule + adding your DNS servers to the Squid General configuration page will fix the broken updates.  The Floating Firewall Rule you must create is:  Pass, select your WAN and Opt1 (or whatever you called your public interfaces), direction: Out, protocol: TCP, Source: Any, Destination: Any, Destination Port Range: HTTP, then under Advanced, Gateway: select your failover group.


Tuesday, May 08, 2012

IPCop 2.0 - Not As Dead As I Thought?

Oh yeah, IPCop 2.0 has been available for a while.  They have tailored it for the Small Office/Home Office space.  If you liked IPCop 1.4, you will likely love IPCop 2.0.

Free Ghost Clone Clones Windows Using Linux!

For disk to disk copying there is a dizzying array of options.  I prefer to use open source and free tools - most Google queries in this category will lead you to Clonezilla and PING (Partimage Is Not Ghost).  Clonezilla is anything but simple, but can be used.  PING is also simple, but requires an intermediary drive to save the image before restoring it - what a pain.  Whither G4L?  Ghost 4 Linux, as you may not have heard, is an easy, reliable, free drive cloning solution that offers easy operation.

The opening menus are somewhat intimidating - choose the latest version, select Exit on the notes screen, then input g4l at the prompt.  From there it is menu driven and you will desire to use the Click-N-Clone option.

Did I mention it's easy?  There is an excellent guide to cloning disk to disk at www.oakdome.com.

Friday, January 27, 2012

pfSense and Squid Proxy - Managing RAM Usage

My system's RAM usage typically hovers between 60% and 80% and the installed system is pfSense 2.0.1 with Squid, SquidGuard, and LightSquid.


To manage your cache effectively and reduce memory usage:

On the Cache Management page: Reduce the Memory Cache Size parameter - I use around 25% of host system's installed RAM. This controls how many "hot" objects are kept in memory. Reducing this parameter will not significantly affect performance, but you may receive some warnings in cache.log if your cache is busy.

Reduce the Hard Disk Cache Size on the Cache Management page (on a system with 4GB of RAM I use 10,000 MB, on an old 1GB I use 512 MB). This will reduce the number of objects Squid keeps. Your overall hit ratio may go down a little, but your cache will perform significantly better.

Reduce the Maximum Object Size parameter (I use 512 on new 4GB systems, 64 on an old 1GB). You won't be able to cache the larger objects, and your byte volume hit ratio may go down, but Squid will perform better overall. (The preceding uses information borrowed heavily from http://www.comfsm.fm/computing/squid/FAQ-8.html - all credit to the original author!)