Re: [pfSense Support] SOEKRIS NET5501
You mean FreeBSD 7? Uh, no. Not if you want to run pfSense.

--Bill

On 10/10/07, Ryan L. Faircloth <[EMAIL PROTECTED]> wrote:
> Thanks, using your link I noticed in R7 this is supported. Is there any way I
> can upgrade my unit to release 7 (I know it's prerelease)?
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 10, 2007 10:27 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] SOEKRIS NET5501
>
> Per
> http://www.freebsd.org/cgi/man.cgi?query=vlan&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
> vr(4) doesn't support oversize frames. Without this support your
> firewall will fragment frames - due to the issues this causes, we do
> not support vlan configurations on hardware that isn't listed on the
> vlan(4) man page.
>
> --Bill
>
> On 10/10/07, Ryan L. Faircloth <[EMAIL PROTECTED]> wrote:
> > I am new to FreeBSD in general and pfSense. I am using 1.2RC2 embedded on a
> > Soekris Net5501; the unit has 4 NICs which default to the vr driver. This is
> > reporting as no vlan support, any suggestions? Soekris indicated these NICs
> > should support vlans. Can this be worked around at this time or do I need to
> > look into Intel Pro+ adapters?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] Re: Asterisk and PfSense
Chris Bagnall wrote:
> > I have an asterisk server that is working mostly with SIP clients behind
> > NAT. I'd like to put this asterisk server behind the PfSense to benefit
> > from QoS and added security, packages, etc. However, I just tested and I
> > can't make it work with more than 2 clients at the time (using 1-to-1 NAT).
>
> Interesting. We have quite a few pfsense + asterisk deployments out there in
> precisely this configuration and everything works fine.
>
> You've set up 1:1 NAT, that's fine. In pfSense, check that port 5060 is
> allowed (UDP) for SIP, and 1-2 are allowed (UDP) for RTP - assuming you
> haven't changed the port range in asterisk's rtp.conf
>
> On the asterisk box, check your sip.conf file. You need the following:
>
> localnet = 10.0.0.0/8
> localnet = 172.16.0.0/12
> localnet = 192.168.0.0/16
> localnet = 169.254.0.0/16
> externip =
>
> Substitute your real external 1:1 NAT IP into externip. The localnet entries
> tell asterisk that SIP packets from any of those address ranges should have
> their claimed IP ignored and their apparent IP/port used instead.
>
> In each sip.conf device section, make sure nat=yes is included.
>
> Hopefully that should solve your problems.
>
> Regards,
>
> Chris

It looks like it is going to work. Will perform more tests tomorrow, but it
definitely looks good.

Ugo
[pfSense Support] OpenVPN client function
I am trying to connect my pfsense router to my openvpn server, so I can have an
encrypted tunnel for everything behind the pfsense. All looks well but there is
no outbound NAT for tun0. Any ideas?

-chris
RE: [pfSense Support] SOEKRIS NET5501
Thanks, using your link I noticed in R7 this is supported. Is there any way I
can upgrade my unit to release 7 (I know it's prerelease)?

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 10, 2007 10:27 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] SOEKRIS NET5501

Per
http://www.freebsd.org/cgi/man.cgi?query=vlan&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
vr(4) doesn't support oversize frames. Without this support your
firewall will fragment frames - due to the issues this causes, we do
not support vlan configurations on hardware that isn't listed on the
vlan(4) man page.

--Bill

On 10/10/07, Ryan L. Faircloth <[EMAIL PROTECTED]> wrote:
> I am new to FreeBSD in general and pfSense. I am using 1.2RC2 embedded on a
> Soekris Net5501; the unit has 4 NICs which default to the vr driver. This is
> reporting as no vlan support, any suggestions? Soekris indicated these NICs
> should support vlans. Can this be worked around at this time or do I need to
> look into Intel Pro+ adapters?
Re: [pfSense Support] SOEKRIS NET5501
Per
http://www.freebsd.org/cgi/man.cgi?query=vlan&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
vr(4) doesn't support oversize frames. Without this support your
firewall will fragment frames - due to the issues this causes, we do
not support vlan configurations on hardware that isn't listed on the
vlan(4) man page.

--Bill

On 10/10/07, Ryan L. Faircloth <[EMAIL PROTECTED]> wrote:
> I am new to FreeBSD in general and pfSense. I am using 1.2RC2 embedded on a
> Soekris Net5501; the unit has 4 NICs which default to the vr driver. This is
> reporting as no vlan support, any suggestions? Soekris indicated these NICs
> should support vlans. Can this be worked around at this time or do I need to
> look into Intel Pro+ adapters?
[pfSense Support] SOEKRIS NET5501
I am new to FreeBSD in general and pfSense. I am using 1.2RC2 embedded on a
Soekris Net5501; the unit has 4 NICs which default to the vr driver. This is
reporting as no vlan support, any suggestions? Soekris indicated these NICs
should support vlans. Can this be worked around at this time or do I need to
look into Intel Pro+ adapters?
Re: [pfSense Support] Load Balancer + Failover
Strange, other than the sticky address (which should be more a nuisance than
anything) not getting set on the secondary, I'm not seeing anything obvious
that would prevent the connection from working. The only other thing I can
think to look at is whether the rulesets (/tmp/rules.debug) are the same
between the two machines (with exception to a few subtle differences they
should be). You can try tcpdump'ing on the secondary and making sure the tcp
traffic is making it to the external interface. If it is, check the inside and
see what's actually getting passed through. Lastly, double check the firewall
logs, you might be seeing blocks for some reason.

FWIW, I have similar setups working just fine (minus pfsense as the frontend),
so this is likely a pfsense bug or a config issue of some sort.

--Bill

On 10/10/07, Lee Hetherington <[EMAIL PROTECTED]> wrote:
> Hi Bill,
>
> All is carp, when the primary is off, I can ping the address still.
>
> Primary:
>
> # pfctl -sn -aslb
> rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
> 10.5.49.2 } port 25 round-robin sticky-address
> rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
> 10.5.49.2 } port 80 round-robin sticky-address
>
> Secondary:
>
> # pfctl -sn -aslb
> rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
> 10.5.49.2 } port 25 round-robin
> rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
> 10.5.49.2 } port 80 round-robin
>
> Thanks,
>
> Lee
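One way to do the ruleset comparison Bill suggests, as an added example that is not from the thread: parse the `pfctl -sn -aslb` listings from both boxes and report, per rule, every pool option that differs. The two listings are constructed from the output Lee posted.

```python
"""Added example (not pfSense code): diff the slb rdr rules of a CARP pair.

The two pfctl listings below are constructed from Lee's post. pfctl wraps long
rules across lines, so continuation lines are joined back first."""
import re
from typing import Dict, List, Set, Tuple

PRIMARY_PFCTL = """\
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
10.5.49.2 } port 80 round-robin sticky-address
"""

SECONDARY_PFCTL = """\
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
10.5.49.2 } port 25 round-robin
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
10.5.49.2 } port 80 round-robin
"""

# Match part, redirect pool and target port identify the rule; the remainder
# of the line holds the pool options (round-robin, sticky-address, ...).
RDR_RE = re.compile(
    r"rdr inet proto (?P<proto>\w+) from (?P<src>\S+) to (?P<dst>\S+) "
    r"port = (?P<dport>\S+) -> \{ (?P<pool>[^}]*) \} port (?P<rport>\d+)"
    r"(?P<opts>.*)$"
)

RuleKey = Tuple[str, str, str, str, Tuple[str, ...], str]


def unwrap(text: str) -> List[str]:
    """Join pfctl's wrapped continuation lines back onto their rule."""
    rules: List[str] = []
    for line in text.splitlines():
        if line.startswith("rdr "):
            rules.append(line.strip())
        elif rules and line.strip():
            rules[-1] += " " + line.strip()
    return rules


def parse_rdr(text: str) -> Dict[RuleKey, Set[str]]:
    """Map each rule's match/redirect part to the set of options set on it."""
    parsed: Dict[RuleKey, Set[str]] = {}
    for rule in unwrap(text):
        m = RDR_RE.match(rule)
        if not m:
            raise ValueError(f"unrecognised rdr rule: {rule}")
        # Sort pool members so member order alone never counts as a difference.
        pool = tuple(sorted(p.strip() for p in m["pool"].split(",")))
        key = (m["proto"], m["src"], m["dst"], m["dport"], pool, m["rport"])
        parsed[key] = set(m["opts"].split())
    return parsed


def diff_slb(primary: str, secondary: str) -> List[Tuple[RuleKey, Set[str], Set[str]]]:
    """Return (rule, options missing on secondary, options extra on secondary)
    for every rule that is not identical on both boxes; [] means in sync."""
    p, s = parse_rdr(primary), parse_rdr(secondary)
    out: List[Tuple[RuleKey, Set[str], Set[str]]] = []
    for key in sorted(p.keys() | s.keys()):
        po, so = p.get(key), s.get(key)
        if po is None:          # rule exists only on the secondary
            out.append((key, set(), so | {"<rule only on secondary>"}))
        elif so is None:        # rule never made it to the secondary
            out.append((key, po | {"<rule missing on secondary>"}, set()))
        elif po != so:
            out.append((key, po - so, so - po))
    return out


if __name__ == "__main__":
    for key, missing, extra in diff_slb(PRIMARY_PFCTL, SECONDARY_PFCTL):
        print(f"{key[0]} to {key[2]} port {key[3]} -> {key[4]} port {key[5]}:"
              f" missing on secondary {sorted(missing)}, extra {sorted(extra)}")
```

Run against the two listings it reports that both rules lack `sticky-address` on the secondary and nothing else differs.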
Re: [pfSense Support] Possible bounty: adding PCI ADSL modem support
Chris Bagnall wrote:
> > FreeBSD must be able to support the device
> > Access to machines with the device - I can't stress enough how
> > difficult it is to develop code for something you have no access to,
> > the turn around time for code, test, bugfix is just too long to make
> > it worthwhile.
>
> I know there's at least one PCI ADSL modem the Smoothwall/IPCop crowd have
> been working with for some time - I think it's sold under the brand "Bewan"
> but I'd have to check - it's some time since I looked into it.
>
> The other option might be one of the Sangoma cards - generally they're very
> open with their hardware.

A problem I seem to recall is I don't think anyone makes ADSL2/2+ PCI cards.
While the old ADSL cards may get you by for now, depending on the situation
they may leave you stuck in a matter of months to a couple of years maybe.
Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

All is carp, when the primary is off, I can ping the address still.

Primary:

# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
10.5.49.2 } port 80 round-robin sticky-address

Secondary:

# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1,
10.5.49.2 } port 25 round-robin
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1,
10.5.49.2 } port 80 round-robin

Thanks,

Lee

Bill Marquette wrote:
> Hmm, what does the output of "pfctl -sn -aslb" look like on both
> boxes? The other obvious question is, are the virtual addresses that
> front end your load balance pool CARP addresses? If they aren't, then
> the secondary won't take them over on failover regardless of the load
> balance config.
>
> --Bill
Re: [pfSense Support] load balancing for internal and external servers
Bill Marquette wrote:
> Technically we can make this work if the virtual servers are in a DMZ
> (all you need is a NAT on the DMZ interface to hide the source address
> of your test machine). But there's no way to make it work if the test
> machine is in the same network as the server.

thanks again; the issue will go away somewhat when we move our server farm to
a colocation facility, at which point I have to build more firewalls anyway!

> On 10/10/07, Paul M <[EMAIL PROTECTED]> wrote:
>> Bill Marquette wrote:
>>> You won't be able to test load balancing of virtual servers from
>>> inside your network. It's a pf thing and unlikely to ever get
>>> resolved.
>> ah, thanks, I did wonder if that might be the case. I put a machine
>> outside the firewalls on which I put squid as an intermediate fix, and
>> it works well enough for testing.
RE: [pfSense Support] Possible bounty: adding PCI ADSL modem support
> FreeBSD must be able to support the device
> Access to machines with the device - I can't stress enough how
> difficult it is to develop code for something you have no access to,
> the turn around time for code, test, bugfix is just too long to make
> it worthwhile.

I know there's at least one PCI ADSL modem the Smoothwall/IPCop crowd have been
working with for some time - I think it's sold under the brand "Bewan" but I'd
have to check - it's some time since I looked into it.

The other option might be one of the Sangoma cards - generally they're very
open with their hardware.

> And of course...interest, but you already figured that :)

Is this something there genuinely isn't any interest in amongst the community?

The other way of going about it is to rip out the PCB from a few low-cost Zyxel
routers, drill out a 1U chassis and mount them in there with a 12v power
supply, but each device would be independent (and need configuring
independently). Obviously, doing it through an already familiar interface such
as pfSense would seem much more sensible.

Regards,

Chris
--
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
Re: [pfSense Support] Dual WAN failover too sensitive
Yikes, we certainly never tested for satellite latencies. The fping command
line we use is:

/usr/local/sbin/fping -B1.5 -t400 -r3 -q

This should give us successive tries of:

400ms timeout
600ms timeout
900ms timeout
1350ms timeout

I'll have to check what the fping exit code is if it's missing one of its
pings. It does look like the logic changed a hair (incorrectly I believe) from
the original code, it's entirely possible that a bug was introduced.

Do me a favor, run this at your command line.

/usr/local/sbin/fping -B 1.5 -t400 -r3
echo $?

--Bill

On 10/10/07, Craig Drown <[EMAIL PROTECTED]> wrote:
> Hi,
> we have 2 WAN connections for outgoing failover.
> The preferred connection is a VSAT. If we put the monitor address as
> the local satellite modem it doesn't really tell us if the gateway in
> Singapore is working. If we put an IP address in Singapore it seems to
> change over when the connection is in fact fine (latency is c. 600ms).
> Can the slbd settings be altered at all (WRAP running 1.2rc2)?
> Thanks.
> Cheers,
> Craig
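To make the retry arithmetic in Bill's reply concrete, an added example (not pfSense or fping code) that derives the per-try timeouts from the quoted fping flags and checks which try a roughly 600 ms VSAT path would be the first to satisfy. The RTT samples are constructed.

```python
"""Added example: model of fping's -t/-B/-r retry schedule as quoted above.

Not fping's own code. Whether fping's exit status then reports the host as
unreachable after the early tries time out is the question Bill says he still
has to check, so that is deliberately not modelled here."""
from typing import List, Optional


def fping_timeouts(initial_ms: int = 400, backoff: float = 1.5, retries: int = 3) -> List[int]:
    """Per-try timeouts for `fping -t<initial_ms> -B<backoff> -r<retries>`:
    the first try waits initial_ms and every retry multiplies by the backoff."""
    return [round(initial_ms * backoff ** i) for i in range(retries + 1)]


def worst_case_wait_ms(timeouts_ms: List[int]) -> int:
    """Time a single unreachable monitor address holds up the probe."""
    return sum(timeouts_ms)


def first_successful_try(rtts_ms: List[float], timeouts_ms: List[int]) -> Optional[int]:
    """Index of the first try whose reply arrives inside its timeout.

    rtts_ms[i] is the round-trip time the i-th probe would see; the last sample
    is reused if fewer samples than tries are given. None means every try
    timed out, which is what the failover logic would see as a dead gateway."""
    for i, timeout in enumerate(timeouts_ms):
        rtt = rtts_ms[i] if i < len(rtts_ms) else rtts_ms[-1]
        if rtt < timeout:
            return i
    return None


def tries_lost_to_latency(rtts_ms: List[float], timeouts_ms: List[int]) -> int:
    """How many tries are burned purely by latency before the first success
    (all of them if there is none)."""
    first = first_successful_try(rtts_ms, timeouts_ms)
    return len(timeouts_ms) if first is None else first


if __name__ == "__main__":
    schedule = fping_timeouts()                 # the -B1.5 -t400 -r3 case
    vsat = [640, 610, 590, 700]                 # constructed ~600 ms samples
    print("timeouts:", schedule, "worst case", worst_case_wait_ms(schedule), "ms")
    print("VSAT first success on try", first_successful_try(vsat, schedule),
          "after losing", tries_lost_to_latency(vsat, schedule), "tries")
```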
Re: [pfSense Support] Possible bounty: adding PCI ADSL modem support
On 10/10/07, Chris Bagnall <[EMAIL PROTECTED]> wrote:
> Of course, in the UK ADSL is presented via PPPoA, which necessitates a
> separate ADSL modem/router for each ADSL connection. In the limited space
> of a wall box, adding 5 ADSL modems with their 12v power supplies etc. does
> consume a vast amount of space.

heh, 5 modems?!?! nice load balance config!

> What are the obstacles to adding PCI ADSL modem support (and PPPoA
> authentication) to pfSense? Is there any interest in the community for this
> feature?

FreeBSD must be able to support the device
Access to machines with the device - I can't stress enough how difficult it is
to develop code for something you have no access to, the turn around time for
code, test, bugfix is just too long to make it worthwhile.
And of course...interest, but you already figured that :)

--Bill
Re: [pfSense Support] load balancing for internal and external servers
Technically we can make this work if the virtual servers are in a DMZ (all you
need is a NAT on the DMZ interface to hide the source address of your test
machine). But there's no way to make it work if the test machine is in the
same network as the server.

--Bill

On 10/10/07, Paul M <[EMAIL PROTECTED]> wrote:
> Bill Marquette wrote:
> > You won't be able to test load balancing of virtual servers from
> > inside your network. It's a pf thing and unlikely to ever get
> > resolved.
>
> ah, thanks, I did wonder if that might be the case. I put a machine
> outside the firewalls on which I put squid as an intermediate fix, and
> it works well enough for testing.
>
> thanks
> Paul
Re: [pfSense Support] Spoofing/faking another NAT IP?
I'm not sure I understand how your network is laid out from your description.
Any chance you could whip up a network diagram that shows what you have
configured? You can use http://www.gliffy.com/ if you need a quick, free
diagramming tool :)

--Bill

On 10/9/07, Gabriel Green <[EMAIL PROTECTED]> wrote:
> I recently switched most of my infrastructure over to a new LAN. I have two
> pfSense boxes, because I couldn't get Multi-WAN to work the way I needed it
> to (but that's another story).
>
> With the IPSEC tunnels now terminating at a 172.16 network and the server
> they need to connect to being on that new network, is there any way I can
> get pfSense to "fake" the old 10.0 network or host IP and respond to it?
>
> I have tried various NAT settings, proxy arp, Virtual IPs but I have a
> feeling I am getting something wrong.
>
> Is this even possible?
>
> Thanks,
> Gabe
Re: [pfSense Support] Load Balancer + Failover
Hmm, what does the output of "pfctl -sn -aslb" look like on both boxes? The
other obvious question is, are the virtual addresses that front end your load
balance pool CARP addresses? If they aren't, then the secondary won't take them
over on failover regardless of the load balance config.

--Bill

On 10/10/07, Lee Hetherington <[EMAIL PROTECTED]> wrote:
> Hi Bill,
>
> The config was sync'd ok, I can see it on both boxes. Below is a ps -ax
> from the secondary machine:
>
> # ps -ax |grep slb
> 60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
> 65097 p0 RV 0:00.00 grep slb (tcsh)
>
> Looks to me like it's running? I tried editing the config and saving it
> like you suggest, and the ps -ax was then:
>
> # ps -ax | grep slb
> 65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
>
> Still nothing however when I reboot the primary...
>
> Lee
>
> Bill Marquette wrote:
> > Can you confirm that the load balancer config sync'd over to the
> > secondary? Also, assuming it did, can you do a 'ps -ax |grep slb'
> > from the shell? I suspect it never started slbd after sync (as an
> > interim workaround, you could try going to the load balancer page on
> > the secondary and editing/saving the config).
> >
> > --Bill
> >
> > On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > Hi Bill,
> > >
> > > Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we
> > > are load balancing 443 and 80 TCP
> > >
> > > Lee
> > >
> > > On Tue, 9 Oct 2007 08:47:27 -0500, "Bill Marquette" <[EMAIL PROTECTED]>
> > > wrote:
> > > > Inbound or outbound load balancing?
> > > >
> > > > --Bill
> > > >
> > > > On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > > > Hi There,
> > > > >
> > > > > I'm using 1.2 RC2 on Intel boxes. I have the load balancer set up and
> > > > > working, the two machines are syncing settings and the carp is working
> > > > > properly. However, if I reboot the primary firewall the secondary takes
> > > > > over pings, but the load balancing doesn't work again until the primary
> > > > > is back online.
> > > > >
> > > > > Everything seems to be ok, when the primary disappears, the ping drops 1
> > > > > packet, then the secondary carries on and everything runs ok. The servers
> > > > > on the lan interface of the firewall can route out to the internet fine
> > > > > whilst running with only the secondary firewall. The only thing not to
> > > > > work is the load balancer.
> > > > >
> > > > > Anyone have any ideas?
> > > > >
> > > > > I have it wired as:
> > > > >
> > > > > INTERNET --> PIX 515 PAIR --> 2X CISCO 3550-EMI --> PFSENSE PAIR --> 2X
> > > > > CISCO 3550-EMI --> LAN
> > > > >
> > > > > Each of the pix/pfsense are connected to separate switches, which are in
> > > > > turn linked together.
> > > > >
> > > > > Thanks in advance,
> > > > >
> > > > > Lee
[pfSense Support] Re: Asterisk and PfSense
Chris Bagnall wrote:
> > I have an asterisk server that is working mostly with SIP clients behind
> > NAT. I'd like to put this asterisk server behind the PfSense to benefit
> > from QoS and added security, packages, etc. However, I just tested and I
> > can't make it work with more than 2 clients at the time (using 1-to-1 NAT).
>
> Interesting. We have quite a few pfsense + asterisk deployments out there in
> precisely this configuration and everything works fine.

Weird. Maybe I'll write a howto when I succeed, as almost everything on
pfsense + asterisk on google doesn't seem to be working.

> You've set up 1:1 NAT, that's fine. In pfSense, check that port 5060 is
> allowed (UDP) for SIP, and 1-2 are allowed (UDP) for RTP - assuming you
> haven't changed the port range in asterisk's rtp.conf

Yes, I'm allowing UDP 5060 - 5069 (SIP), UDP 1-2 (RTP)

> On the asterisk box, check your sip.conf file. You need the following:
>
> localnet = 10.0.0.0/8
> localnet = 172.16.0.0/12
> localnet = 192.168.0.0/16
> localnet = 169.254.0.0/16

I missed that.

> externip =

I had this.

> Substitute your real external 1:1 NAT IP into externip. The localnet entries
> tell asterisk that SIP packets from any of those address ranges should have
> their claimed IP ignored and their apparent IP/port used instead.

Oh, I thought externip was enough.

> In each sip.conf device section, make sure nat=yes is included.

Yes, all there.

> Hopefully that should solve your problems.

I'll try that tonight or tomorrow night.

Thanks a lot!

Ugo
[pfSense Support] Re: Asterisk and PfSense
Tortise wrote:
> Ugo
>
> Which ports are you NATting?

1-to-1 NAT. Allowing via rules:
UDP 1 - 2
UDP 5060 - 5069

> Which ports are set up for RTP in asterisk?

rtpstart=1
rtpend=2

> Kind regards
> David
[pfSense Support] Dual WAN failover too sensitive
Hi,
we have 2 WAN connections for outgoing failover.
The preferred connection is a VSAT. If we put the monitor address as the local
satellite modem it doesn't really tell us if the gateway in Singapore is
working. If we put an IP address in Singapore it seems to change over when the
connection is in fact fine (latency is c. 600ms).
Can the slbd settings be altered at all (WRAP running 1.2rc2)?
Thanks.
Cheers,
Craig
[pfSense Support] Possible bounty: adding PCI ADSL modem support
Greetings list,

I know this one's probably been covered on the list in the past (it certainly
has on the m0n0wall list), but I thought it would be worth again bringing up
the topic of PCI modem support in pfSense.

With the good load balancing support in pfSense these days and the massive
price difference between ADSL and SDSL, I'm finding a lot of our deployments
are environments with 2-5 ADSL connections in a load balanced configuration.
Of course, in the UK ADSL is presented via PPPoA, which necessitates a separate
ADSL modem/router for each ADSL connection. In the limited space of a wall box,
adding 5 ADSL modems with their 12v power supplies etc. does consume a vast
amount of space.

What are the obstacles to adding PCI ADSL modem support (and PPPoA
authentication) to pfSense? Is there any interest in the community for this
feature?

If anyone's interested in working on it, I am prepared to contribute to a
bounty to make it viable for development work to occur.

Regards,

Chris
--
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
RE: [pfSense Support] Asterisk and PfSense
> I have an asterisk server that is working mostly with SIP clients
> behind NAT. I'd like to put this asterisk server behind the PfSense to
> benefit from QoS and added security, packages, etc. However, I just
> tested and I can't make it work with more than 2 clients at the time
> (using 1-to-1 NAT).

Interesting. We have quite a few pfsense + asterisk deployments out there in
precisely this configuration and everything works fine.

You've set up 1:1 NAT, that's fine. In pfSense, check that port 5060 is allowed
(UDP) for SIP, and 1-2 are allowed (UDP) for RTP - assuming you haven't changed
the port range in asterisk's rtp.conf

On the asterisk box, check your sip.conf file. You need the following:

localnet = 10.0.0.0/8
localnet = 172.16.0.0/12
localnet = 192.168.0.0/16
localnet = 169.254.0.0/16
externip =

Substitute your real external 1:1 NAT IP into externip. The localnet entries
tell asterisk that SIP packets from any of those address ranges should have
their claimed IP ignored and their apparent IP/port used instead.

In each sip.conf device section, make sure nat=yes is included.

Hopefully that should solve your problems.

Regards,

Chris
--
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
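An added example, not Asterisk's code, modelling the localnet/externip decision behind Chris's advice (the same sip.conf entries appear in the replies earlier in this thread): peers whose address falls inside a localnet range are given the server's private address, everyone else is given externip, and an unset externip is flagged instead of silently advertising a private address through the 1:1 NAT. The sip.conf text and the externip value 203.0.113.10 (a TEST-NET-3 placeholder) are constructed.

```python
"""Added example: the sip.conf localnet/externip decision for a 1:1 NAT'd
Asterisk box. Not Asterisk's own code; the config below is constructed."""
import ipaddress
import re
from typing import List, Tuple

IPNet = ipaddress.IPv4Network

CONSTRUCTED_SIP_CONF = """\
[general]
context=default
localnet = 10.0.0.0/8
localnet = 172.16.0.0/12
localnet = 192.168.0.0/16
localnet = 169.254.0.0/16
externip = 203.0.113.10   ; placeholder: public side of the 1:1 NAT
nat=yes
"""

# Host part of a Contact/Via style "<sip:user@host:port>" URI.
CONTACT_RE = re.compile(r"(<sip:(?:[^@>]+@)?)([\d.]+)(:\d+>)")


def parse_general(conf: str) -> Tuple[List[IPNet], str]:
    """Collect the localnet ranges and externip from the [general] section."""
    localnets: List[IPNet] = []
    externip = ""
    for raw in conf.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop ; comments
        if line.startswith("[") and line != "[general]":
            break                                      # next section begins
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "localnet":
            localnets.append(ipaddress.ip_network(value, strict=False))
        elif key == "externip":
            externip = value
    return localnets, externip


def is_localnet(addr: str, localnets: List[IPNet]) -> bool:
    """True when addr lies inside any configured localnet range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in localnets)


def advertised_address(peer_ip: str, own_ip: str,
                       localnets: List[IPNet], externip: str) -> str:
    """Address Asterisk should place in Contact/Via/SDP towards peer_ip.

    Inside localnet the private address is reachable and must be kept; outside
    it only externip (the 1:1 NAT's public side) is reachable. A missing
    externip is the misconfiguration the thread is about, so fail loudly."""
    if is_localnet(peer_ip, localnets):
        return own_ip
    if not externip:
        raise ValueError("peer is outside localnet but externip is not set")
    return externip


def rewrite_contact(header: str, peer_ip: str, own_ip: str,
                    localnets: List[IPNet], externip: str) -> str:
    """Rewrite the host in a Contact header for the given peer."""
    addr = advertised_address(peer_ip, own_ip, localnets, externip)
    return CONTACT_RE.sub(lambda m: f"{m.group(1)}{addr}{m.group(3)}", header)


if __name__ == "__main__":
    nets, ext = parse_general(CONSTRUCTED_SIP_CONF)
    contact = "Contact: <sip:1001@192.168.1.5:5060>"   # constructed header
    for peer in ("192.168.1.20", "198.51.100.7"):       # LAN phone, remote phone
        print(peer, "->", rewrite_contact(contact, peer, "192.168.1.5", nets, ext))
```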
Re: [pfSense Support] Asterisk and PfSense
Ugo

Which ports are you NATting? Which ports are set up for RTP in asterisk?

Kind regards

David

- Original Message -
From: "Ugo Bellavance" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, October 10, 2007 6:28 PM
Subject: [pfSense Support] Asterisk and PfSense

Hi,

I have an asterisk server that is working mostly with SIP clients behind NAT. I'd like to put this asterisk server behind the PfSense to benefit from QoS and added security, packages, etc. However, I just tested and I can't make it work with more than 2 clients at a time (using 1-to-1 NAT).

I've tried disabling static port. I've also tried disabling scrubbing. I've tried setting the firewall setting to 'conservative'.

The problem I'm getting is that once a second SIP client registers, it kind of kicks out the first one and so on.

I've tried it without NAT, but I didn't really know how to do it, so I just gave the linux (asterisk) server the public IP address I wanted and made appropriate firewall rules. I couldn't connect using ssh, so I stopped fiddling around and wrote this message.

What is recommended in my situation?

Regards,

Ugo Bellavance
Re: [pfSense Support] load balancing for internal and external servers
Bill Marquette wrote:
> You won't be able to test load balancing of virtual servers from
> inside your network. It's a pf thing and unlikely to ever get
> resolved.

Ah, thanks, I did wonder if that might be the case. I put a machine outside the firewalls on which I put squid as an intermediate fix, and it works well enough for testing.

thanks

Paul
Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

The config was sync'd ok, I can see it on both boxes. Below is a ps -ax from the secondary machine:

# ps -ax |grep slb
60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
65097 p0 RV 0:00.00 grep slb (tcsh)

Looks to me like it's running?

I tried editing the config and saving it like you suggest, and the ps -ax was then:

# ps -ax | grep slb
65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000

Still nothing however when I reboot the primary...

Lee

Bill Marquette wrote:
> Can you confirm that the load balancer config sync'd over to the secondary? Also, assuming it did, can you do a 'ps -ax |grep slb' from the shell? I suspect it never started slbd after sync (as an interim workaround, you could try going to the load balancer page on the secondary and editing/saving the config).
>
> --Bill
>
> On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> Hi Bill,
>>
>> Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we are load balancing 443 and 80 TCP
>>
>> Lee
>>
>> On Tue, 9 Oct 2007 08:47:27 -0500, "Bill Marquette" <[EMAIL PROTECTED]> wrote:
>>> Inbound or outbound load balancing?
>>>
>>> --Bill
>>>
>>> On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>>> Hi There,
>>>>
>>>> I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and working, the two machines are syncing settings and the carp is working properly. However, if I reboot the primary firewall the secondary takes over pings, but the load balancing doesn't work again until the primary is back online.
>>>>
>>>> Everything seems to be ok, when the primary disappears, the ping drops 1 packet, then the secondary carries on and everything runs ok. The servers on the lan interface of the firewall can route out to the internet fine whilst running with only the secondary firewall. The only thing not to work is the load balancer.
>>>>
>>>> Anyone have any ideas?
>>>>
>>>> I have it wired as:
>>>>
>>>> INTERNET --> PIX 515 PAIR --> 2X CISCO 3550-EMI --> PFSENSE PAIR --> 2X CISCO 3550-EMI --> LAN
>>>>
>>>> Each of the pix/pfsense are connected to separate switches, which are in turn linked together.
>>>>
>>>> Thanks in advance,
>>>>
>>>> Lee

--
Message scanned for all known viruses by Mailsauce. Email protection solutions from E-Sauce. For more information please visit http://www.mailsauce.com