[pfSense Support] which image?

2010-01-05 Thread David Newman
Greetings. I'd welcome recommendations for which pfSense image to
install on this system, which currently runs OpenBSD:

Nexcom 1563
VIA 667-MHz CPU
512 Mbytes RAM
512-Mbyte disk-on-chip (not CF) storage
3 x 100Base-T Ethernet

OpenBSD sees the DOC storage as a regular IDE drive.

For pfSense, I *think* I want the 512-Mbyte embedded image, but am
unsure about what changes, if any, the installation requires. (The docs
for installing/upgrading the embedded images seem oriented toward CF
cards and I don't know if installing to them differs from disks.)

Thanks in advance.

dn


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] which image?

2010-01-05 Thread David Newman
On 1/5/10 8:59 AM, Scott Ullrich wrote:
> On Tue, Jan 5, 2010 at 11:02 AM, David Newman  wrote:
>> Greetings. I'd welcome recommendations for which pfSense image to
>> install on this system, which currently runs OpenBSD:
>>
>> Nexcom 1563
>> VIA 667-MHz CPU
>> 512 Mbytes RAM
>> 512-Mbyte disk-on-chip (not CF) storage
>> 3 x 100Base-T Ethernet
>>
>> OpenBSD sees the DOC storage as a regular IDE drive.
>>
>> For pfSense, I *think* I want the 512-Mbyte embedded image, but am
>> unsure about what changes, if any, the installation requires. (The docs
>> for installing/upgrading the embedded images seem oriented toward CF
>> cards and I don't know if installing to them differs from disks.)
> 
> It depends on if you have VGA or not.   If you have VGA you will want
> the Full Installation ISO.  If not then you will want the NanoBSD
> image.

This system has VGA out, yes.

The hardware requirements doc says pfSense needs a minimum 1 Gbyte of
disk for the full version:

http://www.pfsense.org/index.php?option=com_content&task=view&id=45&Itemid=48

Is this right, or am I OK with 512 Mbytes storage?

thanks again

dn

> 
> Scott
> 





Re: [pfSense Support] which image?

2010-01-05 Thread David Newman
On 1/5/10 9:11 AM, Bao Ha wrote:
> 
> On Tue, Jan 5, 2010 at 8:59 AM, Scott Ullrich wrote:
> 
> On Tue, Jan 5, 2010 at 11:02 AM, David Newman wrote:
> > Greetings. I'd welcome recommendations for which pfSense image to
> > install on this system, which currently runs OpenBSD:
> >
> > Nexcom 1563
> > VIA 667-MHz CPU
> > 512 Mbytes RAM
> > 512-Mbyte disk-on-chip (not CF) storage
> > 3 x 100Base-T Ethernet
> >
> > OpenBSD sees the DOC storage as a regular IDE drive.
> >
> > For pfSense, I *think* I want the 512-Mbyte embedded image, but am
> > unsure about what changes, if any, the installation requires. (The
> docs
> > for installing/upgrading the embedded images seem oriented toward CF
> > cards and I don't know if installing to them differs from disks.)
> 
> It depends on if you have VGA or not.   If you have VGA you will want
> the Full Installation ISO.  If not then you will want the NanoBSD
> image.
> 
>  
> 
> We have the NanoBSD images that support both VGA and serial console on
> our website.
> http://www.hacom.net/catalog/pub/pfsense/
> 
> His problem is the 512MB size of DOC. I don't think there is any
> embedded images built for that small size in current version 1.2.3.
> 
> It may not be a bad idea to install the full version of pfSense on DOC.
> Unlike CF, I believe DOC has built-in wear leveling. It would not be a
> problem to use it as a "regular" hard disk.

Thanks, Bao. There is a 512-Mbyte build of embedded 1.2.3.

However, I'm unsure what alterations (if any) are needed to install this
on a disk-on-chip system.

Thanks again for any clues on this.

dn


> 
> -- 
> Best Regards.
> Bao C. Ha
> Hacom OpenBrick Distributor USA http://www.hacom.net
> voice: (714) 564-9932
> 8D66 6672 7A9B 6879 85CD 42E0 9F6C 7908 ED95 6B38
> 





Re: [pfSense Support] VLAN Setup

2010-01-09 Thread David Newman
On 1/9/10 5:40 PM, Tortise wrote:

> I thought a managed switch was a pre-requisite for VLAN's, as is one
> pfSense box (or equivalent).

Not necessarily. At least one box that can forward traffic among VLANs
is the only requirement. In many network designs there's a 1:1
correspondence between VLANs and IP subnets, so that box is ... a router.

pfSense is a router in the sense that it moves traffic between different
IP subnets on different interfaces. (Routers also can run dynamic
routing protocols such as OSPF but that's neither here nor there with
regard to VLAN and subnet configuration.)

VLANs are Ethernet constructs and subnets are IP constructs:

- at layer 2, each VLAN is its own broadcast domain (and collision
domain, if using 802.11 or old half-duplex Ethernet stuff)

- at layer 3, each IP subnet is its own broadcast domain

As for "managed," that usually refers to whether a switch supports a
network management protocol such as SNMP. Net management stuff is nice
to have but isn't necessary for configuring VLANs and/or subnets.

So, bottom line: One pfSense box *could* be enough if there are
different VLANs/IP subnets defined on each interface and only one
physical device per VLAN/subnet.

OTOH if you want to have multiple devices in each VLAN, a switch hanging
off each VLAN interface would be necessary.

dn





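To make the layer-2/layer-3 distinction above concrete, here is an added example (my own, not code from the list or from the pfSense project): a small parser for Ethernet II frames that peels one 802.1Q tag, reports the VLAN ID and priority, pulls the IPv4 source and destination out of the payload, and groups frames by VLAN. The frames it runs over are constructed in the block; the MAC and IP addresses in them are made up.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_VLAN = 0x8100  # an 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, vlan_id=None, pcp=0, payload=b""):
    """Ethernet II frame, optionally with one 802.1Q tag (constructed sample data)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # PCP (3 bits), DEI (1), VID (12)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def minimal_ipv4(src, dst):
    """20-byte IPv4 header with only version/IHL, length and addresses filled in (constructed)."""
    hdr = bytearray(20)
    hdr[0] = 0x45
    hdr[2:4] = struct.pack("!H", 20)
    hdr[12:16] = IPv4Address(src).packed
    hdr[16:20] = IPv4Address(dst).packed
    return bytes(hdr)


def parse_frame(frame):
    """Return dst/src MAC, VLAN ID (None if untagged), PCP, ethertype and IPv4 addresses."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, pcp, offset = None, None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    info = {"dst": fmt_mac(dst), "src": fmt_mac(src), "vlan": vlan_id,
            "pcp": pcp, "ethertype": ethertype}
    payload = frame[offset:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        info["ip_src"] = str(IPv4Address(payload[12:16]))
        info["ip_dst"] = str(IPv4Address(payload[16:20]))
    return info


def group_by_vlan(frames):
    """Each VLAN is its own layer-2 broadcast domain: list (MAC, IP) senders per VLAN ID."""
    domains = {}
    for f in frames:
        p = parse_frame(f)
        domains.setdefault(p["vlan"], []).append((p["src"], p.get("ip_src")))
    return domains


# Constructed sample: two hosts in VLAN 10, one in VLAN 20, one untagged (native VLAN).
SAMPLE_FRAMES = [
    build_frame(BROADCAST, "00:11:22:33:44:01", 10, payload=minimal_ipv4("192.168.10.5", "192.168.10.255")),
    build_frame(BROADCAST, "00:11:22:33:44:02", 10, payload=minimal_ipv4("192.168.10.7", "192.168.10.255")),
    build_frame(BROADCAST, "00:11:22:33:44:03", 20, payload=minimal_ipv4("192.168.20.9", "192.168.20.255")),
    build_frame(BROADCAST, "00:11:22:33:44:04", payload=minimal_ipv4("10.0.0.2", "10.0.0.255")),
]

if __name__ == "__main__":
    for vlan, members in group_by_vlan(SAMPLE_FRAMES).items():
        print(f"VLAN {'untagged' if vlan is None else vlan}: {members}")
```

The untagged frame lands in its own group: on a real port that is the native VLAN, which is why the later advice in this thread to use a physical interface either for VLANs or as a plain interface, not both, matters.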

Re: [pfSense Support] VLAN Setup

2010-01-10 Thread David Newman
On 1/10/10 1:08 AM, Fabian Abplanalp wrote:

> Correct. The two VLANs have their own IP Subnets. 

..

> Yep. The setup is working already with 2 VLANs, but with two pfSense boxes.

To your original question, I do not see a way to do this on one pfSense
box.

At least on 1.2.2, each physical interface can be configured with
multiple VLANs but only one IP address.

I believe this is a limitation of the GUI, and not the underlying
firewall or OS. I have pf-on-OpenBSD boxes with multiple IP subnet/VLAN
logical interfaces configured on each physical interface. I also have
configured multiple subnets/VLANs on FreeBSD using interface aliases.

You may be able to do the same thing on a pfSense box from the shell,
but it would not be manageable from the GUI and it might screw up
routing and firewall tables if the pfSense code expects exactly one
subnet per physical interface.

dn






Re: [pfSense Support] VLAN Setup

2010-01-10 Thread David Newman
On 1/10/10 5:44 PM, Nathan Eisenberg wrote:

>> At least on 1.2.2, each physical interface can be configured with
>> multiple VLANs but only one IP address.
> 
> To be clear - each VLAN CAN be configured with its own IP address.

Where? I'm new to pfSense and maybe shouldn't have jumped to that
conclusion. But I don't see anything about VLANs on the LAN or WAN
interface screen, or anything about addressing or subnets on the VLAN
screen.

Again, though, I may be missing something.

dn





Re: [pfSense Support] VLAN Setup

2010-01-10 Thread David Newman
On 1/10/10 6:14 PM, Glenn Kelley wrote:
> I strongly suggest you buy the book.
> It is a great resource. 
> 
> Also - vlans are under the interfaces section - you need to add each.

Thanks, but that wasn't the question.

The previous post suggested pfSense supports configuration of multiple
VLANs *and* multiple IP subnets on a single physical interface.

The 1.2.2 and 1.2.3 GUI interface section does indeed allow for
definition of multiple VLAN IDs -- but exactly one IPv4 address per
physical interface.

There might be some other way to bind multiple logical interfaces to
each physical interface, each with one IP subnet and one VLAN ID, but
AFAICT it isn't covered in the interfaces section.

dn


> 
> _
> * Glenn Kelley |  Operations Director | Typo3USA |  www.Typo3USA.com
> <http://www.Typo3USA.com> *
> Ohio NOC | 317 South North Street | Washington CH OH 43160
>*Skype Messenger*: vinehosting
> Email: gl...@typo3usa.com <mailto:gl...@typo3usa.com>
> Phone: 740-490-8668
> Please don't print this e-mail unless you really need to.
> 
> On Jan 10, 2010, at 8:47 PM, David Newman wrote:
> 
>> here? I'm new to pfSense and maybe shouldn't have jumped to that
>> conclusion. But I don't see anything about VLANs on the LAN or WAN
>> interface screen, or anything about addressing or subnets on the VLAN
>> screen.
>>
>> Again, though, I may be missing something.
> 





Re: [pfSense Support] VLAN Setup

2010-01-11 Thread David Newman
On 1/10/10 8:39 PM, Tim Dickson wrote:
>> The 1.2.2 and 1.2.3 GUI interface section does indeed allow for
>> definition of multiple VLAN IDs -- but exactly one IPv4 address per
>> physical interface.
> 
> Define the VLAN and it becomes an interface in the GUI where you can define 
> an IP/subnet. 
> I currently have 5 VLANs (with separate IP and subnets) leaving a single 
> physical NIC.
> 
> I think the key is to either use VLANS on a physical nic OR the physical 
> interface.
> IE if interface 1 is to be used for VLANS, don't assign it as a physical 
> interface.
> It "can" work that way - but I believe is a best practice to avoid. 
> 
> So step 1.  Assign VLANS, 
> Step 2 go to interfaces tab, enable the interface, and set the IP/Subnet
> Step 3 Configure VLANS on the switch port that is connected to the NIC.

Yup, this works fine, thanks. I'd missed the part about defining the
VLANs first and then assigning them to physical interfaces and then
configuring IP addresses.

So, getting back to Fabian Abplanalp's original post, yes it is possible
to use one pfSense box to connect multiple IP subnets/VLANs per interface.

dn






Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-12 Thread David Newman
On 1/12/10 9:51 PM, Ugo Bellavance wrote:
> On 2010-01-12 23:56, Chris Buechler wrote:
>> On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance  wrote:
>>> Hi,
>>>
>>> I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD
>>> install.
>>>
>>> When I start a download from a nearby centos mirror, directly from the
>>> firewall (using fetch), I get the full bandwidth available from my ISP
>>> (60
>>> mbps).  However, If I try to download the same file from the same
>>> server,
>>> but from a linux server behind the firewall, using wget, I only get
>>> about 20
>>> mbps.  If I start multiple download, I can reach 60mbps. Is there an
>>> explanation?
>>>
>>
>> Probably a TCP window difference of some sort between FreeBSD and your
>> Linux box.
> 
> How would I check that?

Run tcpdump to capture traffic from both types of transfers (from the
firewall and behind the firewall). Then examine the captures to compare
the TCP receive window sizes during the transfers.

dn


> 
> Thanks,
> 
> ugo
> 
> 
> 





Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-13 Thread David Newman
On 1/13/10 8:14 AM, Ugo Bellavance wrote:
> Le 2010-01-13 09:49, Chris Buechler a écrit :
>> On Wed, Jan 13, 2010 at 12:59 AM, David
>> Newman  wrote:
>>> On 1/12/10 9:51 PM, Ugo Bellavance wrote:
>>>> On 2010-01-12 23:56, Chris Buechler wrote:
>>>>> On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance   
>>>>> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD
>>>>>> install.
>>>>>>
>>>>>> When I start a download from a nearby centos mirror, directly from
>>>>>> the
>>>>>> firewall (using fetch), I get the full bandwidth available from my ISP
>>>>>> (60
>>>>>> mbps).  However, If I try to download the same file from the same
>>>>>> server,
>>>>>> but from a linux server behind the firewall, using wget, I only get
>>>>>> about 20
>>>>>> mbps.  If I start multiple download, I can reach 60mbps. Is there an
>>>>>> explanation?
>>>>>>
>>>>>
>>>>> Probably a TCP window difference of some sort between FreeBSD and your
>>>>> Linux box.
>>>>
>>>> How would I check that?
>>>
>>> Run tcpdump to capture traffic from both types of transfers (from the
>>> firewall and behind the firewall). Then examine the captures to compare
>>> the TCP receive window sizes during the transfers.
>>>
>>
>> That's the best way, though maybe not the easiest to decipher if you
>> aren't intricately familiar with how TCP functions.
> 
> 
> ## Linux box
> 
> net.ipv4.tcp_tso_win_divisor = 3
> net.ipv4.tcp_adv_win_scale = 2
> net.ipv4.tcp_app_win = 31
> net.ipv4.tcp_window_scaling = 1
> 
> net.core.rmem_default = 107520
> net.core.wmem_default = 107520
> net.core.rmem_max = 131071
> net.core.wmem_max = 131071
> 
> 
> ## pfsense box
> 
> # sysctl -a | grep -i tcp | grep space
> net.inet.tcp.sendspace: 65228
> net.inet.tcp.recvspace: 65228
> 
> I hope I got all the numbers, these are the default values, we didn't
> change them.

I would strongly recommend against messing with TCP sysctls unless (a)
you know what the actual problem is and (b) you fully understand TCP
sliding windows and window scaling mechanics. TCP is a complex beast,
and easily upset.

Better to first isolate and understand the problem before attempting fixes.

dn





Re: SV: [pfSense Support] virtual ip

2010-01-15 Thread David Newman
On 1/15/10 2:36 PM, a_subscribti...@fiberby.dk wrote:
>> 1. Question.
>> Imagine a setup where I have /30 as wan ip and routed a /29 public ip
>> net to
>> that address.

This part is unclear.

If your WAN interface uses a /30 prefix (255.255.255.252), then you are
on a /30 subnet, not a /29 subnet.


>> I have several lan-interfaces that I want to separate, so that every
>> lan net
>> will be natted through its own public ip.

This can be true for only very small instances of "several":

- with a /29 there are six valid hosts possible, one of which is your
ISP's router

- with a /30 there are two valid hosts possible, one of which is your
ISP's router

In the former case, yes, you can map each of five IP addresses on your
WAN interface to some other address(es) on your protected interfaces.

In the latter case, you have only one routable address. You still can
map multiple services onto this address but you'd need different port
numbers for each (to make up an example, you could map ports , 1
and 2 to three different sshd servers on your protected network).

dn


>> If I have understood correctly, then I don't need to set up an
>> interface
>> with the public ip net, as long as I'm using "other" VIPs.
>> Is that right?
>>
>> 2. Question.
>> Imagine a setup where I have /30 as wan ip and routed a /29 public ip
>> net to
>> that address.
>> I want to hand some of the public ips directly to servers, and I want
>> to use
>> some as virtual ips.
>> If I have understood correctly, then I would set up an interface with
>> the
>> public ip net. But what vips will I use?
>>
>> Kind regards Anders
> 
> 
> Please don't double post... you asked this question on Wed 1/13/2010 3:59
> AM.
> 
> Best Regards,
> Nathan Eisenberg
> 
> Ok, But if you are able, I'll really appreciate your or someone else help.
> 
> Kind regards,
> Anders Dahl
> 





Re: [pfSense Support] Multiple IPs via MAC/DHCP

2010-02-03 Thread David Newman
On 2/3/10 7:38 PM, Dave Donovan wrote:

> As for getting the new MAC, you can pretty much make it up. 

"Pretty much" is the operative term here. Some MAC address space is
reserved for multicast (always beginning with 01:00:5E) and locally
administered addresses (where the second bit of the first byte is set).

But as long as high-order bits 0 and 1 of the MAC address' first byte
are 0, and the addresses you choose aren't already in use on the same
network, you should be fine.

> I should say that this is an unconventional approach.

Yes.

dn





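As an added example (mine, not from the list), here is a small checker for candidate MAC addresses that applies the rule in the post above: the I/G bit (0x01 in the first octet, group/multicast) and the U/L bit (0x02, locally administered) must both be clear, and the address must not already be in use on the segment. It also flags the 01:00:5e IPv4-multicast prefix and the broadcast address. The "in use" list it checks against is constructed; on a real network you would feed it the MACs seen in the ARP table or a capture.

```python
IPV4_MCAST_PREFIX = bytes.fromhex("01005e")


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return six raw bytes."""
    digits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def canonical(mac):
    """Normalised colon form so the same address in different notations compares equal."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac))


def classify_mac(mac):
    """Decode the two flag bits of the first octet plus two well-known special cases."""
    raw = parse_mac(mac)
    return {
        "multicast": bool(raw[0] & 0x01),             # I/G bit: group address
        "locally_administered": bool(raw[0] & 0x02),  # U/L bit: not from an IEEE-assigned OUI
        "ipv4_multicast": raw[:3] == IPV4_MCAST_PREFIX,
        "broadcast": raw == b"\xff" * 6,
        "oui": ":".join(f"{b:02x}" for b in raw[:3]),
    }


def check_candidate(mac, in_use):
    """Return (ok, reason) for a MAC you intend to use for an extra DHCP lease on this segment."""
    info = classify_mac(mac)
    if info["multicast"]:
        return False, "I/G bit set: multicast/group address, never a station address"
    if info["locally_administered"]:
        return False, "U/L bit set: locally administered address"
    if canonical(mac) in {canonical(m) for m in in_use}:
        return False, "already in use on this segment"
    return True, "globally unique unicast address, not seen on this segment"


# Constructed sample of addresses already present on the segment (mixed notations on purpose).
IN_USE = {"00:0c:29:aa:bb:cc", "0050.56aa.bbcc", "00-1B-21-12-34-56"}

if __name__ == "__main__":
    for candidate in ("01:00:5e:00:00:fb", "02:00:00:00:00:01", "0050.56aa.bbcc", "00:50:56:aa:bb:cd"):
        print(candidate, check_candidate(candidate, IN_USE))
```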

[pfSense Support] migrating pf to pfSense

2010-02-23 Thread David Newman
For possible migration of a couple of OpenBSD/pf boxes to pfSense, is
there a import facility for pf.conf configs?

thanks

dn





Re: [pfSense Support] Slow TCP connection

2010-03-02 Thread David Newman
On 3/2/10 7:59 AM, David Burgess wrote:
> On Tue, Mar 2, 2010 at 8:54 AM, Hiren Joshi  wrote:
> 
>> I'm using the "packet capture" bit in pfsense. Is there a way of doing
>> this via the shell (I'm new to BSD, more of a Linux person) and leaving
>> it running (filtered by hostname) for a few hours/days? This way I can
>> dump it all and analyse it in wireshark.
> 
> tcpdump. For example,
> 
> tcpdump -i vr0 -n -w capture.pcap
> 
> -i for the interface, -n to disable name resolution, capture.pcap is
> the capture file. I'm not sure if you have to do anything special to
> make it readable in wireshark.

No special treatment needed -- wireshark will take pcap files as input.

However, you might want to bear a couple of things in mind:

1. By default, tcpdump grabs only the first 68 bytes of each packet. You
can override this with the '-s' flag, for example with a switch such as
'-s 1500'. This is essential if you need to see deeper into the packet
but the tradeoff is increased processing time. If you just need TCP
headers you shouldn't need this switch.

2. Depending on link utilization tcpdump can capture a *lot* of traffic.
If you know you only want to see traffic from/to a specific host, or for
a given protocol, there are filters you can add at the end of a tcpdump
command to limit what it will capture -- and wireshark uses identical
capture filter syntax. The tcpdump manpage or wireshark docs have more info.

dn



> 




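Two earlier points in this archive, comparing TCP receive windows between the firewall's own transfer and the LAN host's transfer (the "Less bandwidth available behind the firewall" thread), and the snaplen caveat in the tcpdump post above, can be shown together. The following is an added example, my own code rather than anything from the list or from pfSense: a stand-alone pcap reader (no scapy or libpcap) that walks a capture, pulls the window-scale shift each side announced in its SYN, reports the largest scaled window each side advertised afterwards, and counts records the snaplen cut short. The capture it reads is constructed inside the block with RFC 5737 documentation addresses; you would instead open the file written by tcpdump -w. Only the classic little-endian pcap format with Ethernet link type is handled, and the check deliberately skips frames whose TCP header was truncated, which is what happens when the snaplen is set too low.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_WSCALE = 0, 1, 3
SYN, ACK = 0x02, 0x10
SERVER = "198.51.100.5"  # constructed: the mirror both downloads talk to


def build_tcp_packet(src, dst, sport, dport, flags, window, wscale=None, payload=b""):
    """Ethernet + IPv4 + TCP frame with an optional window-scale option (constructed sample data)."""
    opts = bytes([TCP_OPT_WSCALE, 3, wscale, TCP_OPT_NOP]) if wscale is not None else b""
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, window, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def build_pcap(packets, snaplen):
    """Little-endian pcap file; each record is cut at snaplen, as tcpdump -s would cut it."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, pkt in enumerate(packets):
        data = pkt[:snaplen]
        out.append(struct.pack("<IIII", 1000 + i, 0, len(data), len(pkt)) + data)
    return b"".join(out)


def sample_capture(snaplen):
    """Same file fetched twice: from the firewall itself (203.0.113.10) and from a LAN host."""
    pkts = [
        build_tcp_packet("203.0.113.10", SERVER, 40000, 80, SYN, 65535, wscale=3),
        build_tcp_packet(SERVER, "203.0.113.10", 80, 40000, SYN | ACK, 65535, wscale=7),
        build_tcp_packet("203.0.113.10", SERVER, 40000, 80, ACK, 65535, payload=b"x" * 200),
        build_tcp_packet("192.168.1.20", SERVER, 50000, 80, SYN, 5840, wscale=2),
        build_tcp_packet(SERVER, "192.168.1.20", 80, 50000, SYN | ACK, 65535, wscale=7),
        build_tcp_packet("192.168.1.20", SERVER, 50000, 80, ACK, 16384, payload=b"x" * 200),
    ]
    return build_pcap(pkts, snaplen)


def tcp_window_scale(options):
    """Shift count from a window-scale option, or None if it is absent or cut off."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break
        if kind == TCP_OPT_WSCALE and options[i + 1] == 3 and i + 2 < len(options):
            return options[i + 2]
        i += options[i + 1]
    return None


def window_report(pcap):
    """Per flow: the shift each side announced in its SYN and the largest scaled
    window it advertised afterwards; plus how many records the snaplen truncated."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    snaplen, linktype = struct.unpack("<II", pcap[16:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    flows, truncated, off = {}, 0, 24
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack("<II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        truncated += incl < orig
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue  # snaplen too small even for the TCP header
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff, flags, window = (tcp[12] >> 4) * 4, tcp[13], struct.unpack("!H", tcp[14:16])[0]
        sender = f"{src}:{sport}"
        flow = flows.setdefault(tuple(sorted([sender, f"{dst}:{dport}"])), {"scale": {}, "max_window": {}})
        if flags & SYN:
            flow["scale"][sender] = tcp_window_scale(tcp[20:doff])  # option is only valid on SYNs
            continue  # the window field of a SYN itself is never scaled
        shift = flow["scale"].get(sender) or 0
        flow["max_window"][sender] = max(flow["max_window"].get(sender, 0), window << shift)
    return {"snaplen": snaplen, "truncated_records": truncated, "flows": flows}


if __name__ == "__main__":
    for snaplen in (68, 1500):
        rep = window_report(sample_capture(snaplen))
        print(f"snaplen {snaplen}: {rep['truncated_records']} truncated records")
        for key, flow in rep["flows"].items():
            print(" ", key, "scale", flow["scale"], "max window", flow["max_window"])
```

With the default 68-byte snaplen the data segments are truncated but the TCP headers and SYN options still fit, so the window comparison works, which is the point made above about not needing -s when only headers are wanted; a snaplen of 40 would cut into the TCP header and the report would be empty.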

Re: [pfSense Support] Maximum New Connections Per Second

2010-06-18 Thread David Newman
On 6/18/10 1:08 PM, Code Ghar wrote:
> In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
> Connections / Per Second". It says that "Any IP address exceeding that
> number of connections within the given time frame will be blocked for
> one hour." When using VoIP, which uses UDP, if one IP sends calls to
> your VoIP switch with pfSense in the middle, there's one state
> established. Within that state if that same IP sends, say 5 messages in
> a second, are these messages considered 5 connections in one state or 1
> connection in one state? My aim is to restrict UDP connections per
> second from all IPs in a rule.

The most common case with VoIP traffic is that you have at least two
streams, one apiece for signaling and media traffic.* The signaling
stream typically uses a well-known port (i.e., 5060 for SIP) and the
media traffic (often RTP/RTSP) uses some random port.

There are some sample VoIP captures here:

http://techtraces.com/sample_captures/

dn

*Caveat: "VoIP" is a very broad term, covering lots of different
signaling and media transport methods. The example I gave above is a
simple and very commonly used case, but there are lots of others.







Re: [pfSense Support] Maximum New Connections Per Second

2010-06-18 Thread David Newman
On 6/18/10 1:58 PM, Code Ghar wrote:
> You both are right that VoIP is a very broad term. So let me clarify. I
> am running Asterisk behind pfSense with multiple endpoints, such as ATAs
> and softphones, registering to this Asterisk server. Then I have some
> trunks with carriers and such. On the carrier side I am not too worried
> because I know their IPs and can create rules to allow traffic from them
> unhindered. However, on the other side are registered endpoints, for
> which there is not definitive IP. Users could plug it in their home,
> office, hotel, etc. Then there are some malicious users who try to brute
> force their way into the Asterisk server sending a flood of registration
> attempts. To allow legitimate use and to mitigate fraudulent
> registrations, one way would be to have a reasonable upper limit to
> connections per second. This way unusually large attempts can be blocked
> at the firewall level instead of letting Asterisk deal with it.
> 
> In this scenario if I set, say 5 max connections per second, then from
> one IP there can be 5 different states. In this case if a malicious user
> sends 6 registration attempts in one second then the first five would be
> allowed and the sixth would be dropped.
> 
> On the flip side, if a legitimate user has two SIP endpoints coming from
> the same IP, then they can still establish two calls, one from each
> endpoint, as there would be four states: in and out for both endpoints.
> This still leaves a third connection or state for some breathing space.
> 
> Did I understand this correctly?

Yes. My experience with the rate-limiting stuff is that pf can take a
little while (seconds) to recognize and respond to brute-force attacks.
This may be due to high attack rates or less-than-studly hardware or
both. Either way, blocking might not be instantaneous, but ultimately
pfSense will drop further connection attempts.

dn


> 
> 
> On Fri, Jun 18, 2010 at 3:33 PM, Chris Buechler wrote:
> 
> On Fri, Jun 18, 2010 at 4:08 PM, Code Ghar wrote:
> > In the pfSense book, there's a section (6.6.9.3) titled "Maximum New
> > Connections / Per Second". It says that "Any IP address exceeding that
> > number of connections within the given time frame will be blocked
> for one
> > hour." When using VoIP, which uses UDP, if one IP sends calls to
> your VoIP
> > switch with pfSense in the middle, there's one state established.
> Within
> > that state if that same IP sends, say 5 messages in a second, are
> these
> > messages considered 5 connections in one state or 1 connection in
> one state?
> 
> With the typical SIP, one connection is one state, regardless of how
> many packets come over that state, it's one connection. If there are
> 50 SIP phones NATed to one public IP connecting to you, that's going
> to be 50 simultaneous SIP connections, plus RTP for calls. In cases
> like an Internet outage at that location, you'll see a bunch of
> connections opened quickly.
> 
> That could more accurately read "Maximum new states / per second".
> 
> As David noted, with a wide variety of things that "VoIP" can cover,
> it's hard to say. Generally you have up to two connections/states per
> SIP endpoint.
> 




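The accounting Code Ghar walks through above (new states, not packets, counted per source; over the limit means the source is blocked for an hour) is easy to get wrong when tuning the number, so here is an added example that models it. This is my own constructed model of the behaviour, not pf's or pfSense's code: the real mechanism is pf's max-src-conn-rate option with an overload table, and the one-hour figure comes from how entries in that table are expired. The sample events are made up: one source hammering registration-style new states, and one legitimate user whose two endpoints open four states within the same second.

```python
from collections import defaultdict, deque


class NewStateRateLimiter:
    """Model of 'max-src-conn-rate <count>/<seconds>' with an overload table
    (constructed model, not pf's own code): a source that opens more than
    `count` new states inside any `seconds`-long window is listed for
    `block_seconds`, and every further new state from it is dropped."""

    def __init__(self, count, seconds, block_seconds=3600):
        self.count, self.seconds, self.block_seconds = count, seconds, block_seconds
        self.recent = defaultdict(deque)  # src -> timestamps of recent new states
        self.blocked_until = {}           # src -> time its overload entry expires

    def new_state(self, src, now):
        """Decide one new state (not one packet): 'pass', 'overload' (this state tipped
        the source over the limit and is dropped) or 'blocked' (source already listed)."""
        expires = self.blocked_until.get(src)
        if expires is not None:
            if now < expires:
                return "blocked"
            del self.blocked_until[src]  # entry expired, start counting afresh
        stamps = self.recent[src]
        while stamps and now - stamps[0] >= self.seconds:
            stamps.popleft()  # forget states older than the window
        stamps.append(now)
        if len(stamps) > self.count:
            self.blocked_until[src] = now + self.block_seconds
            stamps.clear()
            return "overload"
        return "pass"


def simulate(limiter, events):
    """Feed (src, time) new-state events in time order; return (src, time, decision) triples."""
    return [(src, t, limiter.new_state(src, t)) for src, t in sorted(events, key=lambda e: e[1])]


# Constructed sample events (RFC 5737 addresses).
SAMPLE_EVENTS = (
    [("203.0.113.7", 10.0 + i * 0.1) for i in range(7)]          # 7 new states in 0.6 s
    + [("198.51.100.20", 10.2), ("198.51.100.20", 10.3),
       ("198.51.100.20", 10.4), ("198.51.100.20", 10.5)]         # two calls, four states
    + [("203.0.113.7", 3700.0)]                                   # after the entry expired
)


def decisions_by_source(events=SAMPLE_EVENTS, count=5, seconds=1):
    """Run the sample through a 5-per-second limiter and group the decisions per source."""
    out = defaultdict(list)
    for src, _, decision in simulate(NewStateRateLimiter(count, seconds), events):
        out[src].append(decision)
    return dict(out)


if __name__ == "__main__":
    for src, decisions in decisions_by_source().items():
        print(src, decisions)
```

Note that the sixth state is what trips the limit and is itself dropped, matching the reading in the post above, and that the block is keyed on the source address only, so a NAT gateway with many phones behind it counts as one source.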

Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread David Newman
On 8/5/10 8:13 AM, David Burgess wrote:
> Paul,
> 
> I understand your post up to this point:
> 
>> if the switch's port are set so that connected devices can't cause them
>> to flip from untagged to tagged mode (in cisco speak from access to
>> trunk - "switchport nonegotiate"
> 
> I'm looking at the help file for my switch, and thinking this section
> is saying what you're saying:
> 
> "Ingress Filtering - When enabled, the frame is discarded if this port
> is not a member of the VLAN with which this frame is associated. In a
> tagged frame, the VLAN is identified by the VLAN ID in the tag. In an
> untagged frame, the VLAN is the Port VLAN ID specified for the port
> that received this frame. When disabled, all frames are forwarded in
> accordance with the 802.1Q VLAN bridge specification. The factory
> default is disabled."

The "switchport nonegotiate" command has a different meaning in the
context of Cisco Catalyst switches: It disables the use of Dynamic
Trunking Protocol, a proprietary means of determining whether two
switches will use trunking (tagged frames) to carry traffic between
them. There may be exceptions, but DTP generally won't work between a
Cisco and a non-Cisco device, or between two non-Cisco devices.

Here's a sample reference from the Catalyst 3560 docs:

http://is.gd/e4mFq

dn




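For the Cisco side of this, here is the weak port setting next to the hardened one as an added example; it is my own fragment, not from the list or the Cisco docs linked above. The interface name and VLAN number are placeholders. The first block lets the port negotiate trunking over DTP with whatever is plugged in; the second pins it as an access port in one VLAN and stops DTP frames from being sent at all, which is what "switchport nonegotiate" means in the Catalyst context described above.

```text
! Weak: the port will negotiate a trunk (tagged frames) with whatever is attached
interface FastEthernet0/1
 switchport mode dynamic desirable

! Hardened: fixed access port in one VLAN, DTP negotiation disabled
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
```

On a link that genuinely must carry tags to another switch, the equivalent is "switchport mode trunk" together with "switchport nonegotiate", so that trunking is configured rather than negotiated. On non-Cisco switches, which have no DTP, the matching control is to leave the port untagged in a single VLAN and enable ingress filtering as quoted in the help text above.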

Re: [pfSense Support] Desperately Need Help With Wan

2010-11-22 Thread David Newman
Either both sides should bond at layer 2 (and thus there's only one IP
address on either end, and thus one gateway for your pfSense box) or
both should bond at layer 3 and use something like a routing protocol
with ECMP to load-share across multiple IP addresses on each side.

I don't know the particulars for the latter on pfSense, but at first
glance getting the L2/L3 mismatch sorted out seems a higher priority.

dn



On 11/22/10 1:39 PM, James Bensley wrote:
> Hello List,
> 
> I have gotten my self in a pickle trying to get my WAN links working
> and I'm desperate now to get things up and running :)
> 
> Scenario: My ISP offer line bonding on their ADSL lines. So I have two
> lines with them to get things going, then I will add more over time. I
> have two ADSL lines with them and they split the packets down the
> lines 50/50 (if I had 3 lines it would be 33/33/33 and so on..) this
> is done at layer 3, evenly dividing the packets over the active lines
> for true up and down balancing (so if a line goes down the packet
> distribution is recalculated over the remaining lines). How can I use
> pfSense to merge the packets my end, and of course, balance them out
> on the outbound journey?
> 
> This is my set up:
> http://i51.tinypic.com/2qaqyqs.png
> 
> The 2 ZyXel P-660r ADSL modems are in bridged mode passing all ADSL
> traffic out their Ethernet interface (my ISP has given me a /29 so the
> first usable address is assigned to the first modem, the second
> address to the second modem, the last usable address to the lagg0
> interface [say 1.0.0.6], obviously fake IPs used here!). Testing this,
> it didn't work. Thinking about it now I'm home, that makes sense. The
> lagg0 interface can only be assigned 1 gateway, not both, so it can't
> balance across both lines. I guess it thought it would balance across
> both lines thinking they both terminated at say 1.0.0.1 for example.
> 
> What options exist in pfSense for this (if any?).
> 
> Many thanks for your time, sorry for such a long post everyone :)
> 




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread David Newman
On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:
> According to page 15 of the reference manual "address learning" is:
> 
> Enable or disable MAC address learning for the selected ports. When
> Enabled, destination and
> source MAC addresses are automatically listed in the forwarding table.
> When address learning
> is Disabled, MAC addresses must be manually entered into the forwarding
> table. This is
> sometimes done for reasons of security or efficiency. See the section on
> Forwarding/Filtering
> for information on entering MAC addresses into the forwarding table. The
> default setting is
> Enabled.
> 

This just means the switch dynamically learns the source MAC of each
attached device. 99.999 percent of all switches on the market have
dynamic MAC learning enabled. This isn't the problem.


> 
> 
> One other thing.  I need to note that I have dedicated a CARP interface
> on each Pfsense box connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a
crossover cable between pairs of boxes but that's for pfsync, not CARP.
pfsync migrates table state between pf boxes; CARP is for redundant
sharing of a virtual IP address among multiple pf boxes, and would be of
little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You
might also want to verify that the switch is configured to forward
multicast.

dn






> 
> 
> 
> On 2/9/2011 2:35 PM, e...@tm-k.com wrote:
>> [snip]
>>> Address Learning enabled on the Switch (default setting):
>> [snip]
>> Can you briefly explain what 'address learning' is according to D-Link?
>>
>>




Re: [pfSense Support] Blocking a MAC id through squid

2011-02-17 Thread David Newman
On 2/17/11 9:43 PM, Shali K.R. wrote:
> Dear all,
> 
> Is there any way to block a MAC ID using squid in pfSense?

I don't know the answer but I doubt this would be useful, since every
router rewrites the source MAC. So, unless you're trying to block some
host on your local subnet, the host's MAC gets rewritten by every router
between it and your pfSense box.

dn


> 
> -- 
> Thanks & Regards
> 
> Shali K R
> Server Administrator
> Vidya Academy of Science & Technology
> Thrissur, Kerala.
> Mob:9846303531
> 
> 
