Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

Same here, I even have the same thing working on 1.1 PFsense for another customer. Is there a way to downgrade from 1.2 RC2 to 1.1?

Thanks,
Lee

Bill Marquette wrote:

Strange, other than the sticky address (which should be more a nuisance than anything) not getting set on the secondary, I'm not seeing anything obvious that would prevent the connection from working. The only other thing I can think to look at is whether the rulesets (/tmp/rules.debug) are the same between the two machines (with exception to a few subtle differences they should be). You can try tcpdump'ing on the secondary and making sure the tcp traffic is making it to the external interface. If it is, check the inside and see what's actually getting passed through. Lastly, double check the firewall logs, you might be seeing blocks for some reason. FWIW, I have similar setups working just fine (minus pfsense as the frontend), so this is likely a pfsense bug or a config issue of some sort.

--Bill

On 10/10/07, Lee Hetherington [EMAIL PROTECTED] wrote:

Hi Bill,

All is carp, when the primary is off, I can ping the address still.

Primary:

# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin sticky-address

Secondary:

# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin

Thanks,
Lee

Bill Marquette wrote:

Hmm, what does the output of pfctl -sn -aslb look like on both boxes? The other obvious question is, are the virtual addresses that front end your load balance pool CARP addresses? If they aren't, then the secondary won't take them over on failover regardless of the load balance config.

--Bill

On 10/10/07, Lee Hetherington [EMAIL PROTECTED] wrote:

Hi Bill,

The config was sync'd ok, I can see it on both boxes. Below is a ps -ax from the secondary machine:

# ps -ax |grep slb
60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
65097 p0 RV 0:00.00 grep slb (tcsh)

Looks to me like it's running? I tried editing the config and saving it like you suggest, and the ps -ax was then:

# ps -ax | grep slb
65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000

Still nothing however when I reboot the primary...

Lee

Bill Marquette wrote:

Can you confirm that the load balancer config sync'd over to the secondary? Also, assuming it did, can you do a 'ps -ax |grep slb' from the shell? I suspect it never started slbd after sync (as an interim workaround, you could try going to the load balancer page on the secondary and editing/saving the config).

--Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi Bill,

Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we are load balancing 443 and 80 TCP

Lee

On Tue, 9 Oct 2007 08:47:27 -0500, Bill Marquette [EMAIL PROTECTED] wrote:

Inbound or outbound load balancing?

--Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi There,

I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and working, the two machines are syncing settings and the carp is working properly. However, if I reboot the primary firewall the secondary takes over pings, but the load balancing doesn't work again until the primary is back online. Everything seems to be ok, when the primary disappears, the ping drops 1 packet, then the secondary carries on and everything runs ok. The servers on the lan interface of the firewall can route out to the internet fine whilst running with only the secondary firewall. The only thing not to work is the load balancer. Anyone have any ideas?

I have it wired as:

INTERNET -- PIX 515 PAIR -- 2X CISCO 3550-EMI -- PFSENSE PAIR -- 2X CISCO 3550-EMI -- LAN

Each of the pix/pfsense are connected to separate switches, which are in turn linked together.

Thanks in advance,
Lee

To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]

-- Message scanned for all known viruses by Mailsauce. Email protection solutions from E-Sauce. For more information please visit http://www.mailsauce.com
Re: [pfSense Support] Load Balancer + Failover
Hi Chris,

It's two different systems, in the 1.1 system I have the hosts behind the balancer being natted by the pfsense box, whereas on the 1.2 they are direct routed, and natted upstream using a PIX 515e. I've tried tcpdump on the secondary as discussed with Bill, I can see the packets hitting both interfaces, but tcpdump produces so much crap I can't really see what's going on, however it's an issue that when the primary balancer isn't available the whole thing bar pings and routing dies...

Thanks,
Lee

Chris Buechler wrote:

Lee Hetherington wrote:

Hi Bill, Same here, I even have the same thing working on 1.1 PFsense for another customer. Is there a way to downgrade from 1.2 RC2 to 1.1?

It would be MUCH better to help us figure out if there is indeed a regression in this from 1.2 to 1.0.1. Going back to 1.0.1 is strongly discouraged, there are serious problems with it under some circumstances. Can you try the exact same config (restore a backup) that's working on 1.0.1 on a 1.2 system in a test environment?
Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

The config was sync'd ok, I can see it on both boxes. Below is a ps -ax from the secondary machine:

# ps -ax |grep slb
60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
65097 p0 RV 0:00.00 grep slb (tcsh)

Looks to me like it's running? I tried editing the config and saving it like you suggest, and the ps -ax was then:

# ps -ax | grep slb
65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000

Still nothing however when I reboot the primary...

Lee

Bill Marquette wrote:

Can you confirm that the load balancer config sync'd over to the secondary? Also, assuming it did, can you do a 'ps -ax |grep slb' from the shell? I suspect it never started slbd after sync (as an interim workaround, you could try going to the load balancer page on the secondary and editing/saving the config).

--Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi Bill,

Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we are load balancing 443 and 80 TCP

Lee

On Tue, 9 Oct 2007 08:47:27 -0500, Bill Marquette [EMAIL PROTECTED] wrote:

Inbound or outbound load balancing?

--Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi There,

I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and working, the two machines are syncing settings and the carp is working properly. However, if I reboot the primary firewall the secondary takes over pings, but the load balancing doesn't work again until the primary is back online. Everything seems to be ok, when the primary disappears, the ping drops 1 packet, then the secondary carries on and everything runs ok. The servers on the lan interface of the firewall can route out to the internet fine whilst running with only the secondary firewall. The only thing not to work is the load balancer. Anyone have any ideas?

I have it wired as:

INTERNET -- PIX 515 PAIR -- 2X CISCO 3550-EMI -- PFSENSE PAIR -- 2X CISCO 3550-EMI -- LAN

Each of the pix/pfsense are connected to separate switches, which are in turn linked together.

Thanks in advance,
Lee
Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

All is carp, when the primary is off, I can ping the address still.

Primary:

# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin sticky-address

Secondary:

# pfctl -sn -aslb
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin

Thanks,
Lee

Bill Marquette wrote:

Hmm, what does the output of pfctl -sn -aslb look like on both boxes? The other obvious question is, are the virtual addresses that front end your load balance pool CARP addresses? If they aren't, then the secondary won't take them over on failover regardless of the load balance config.

--Bill

On 10/10/07, Lee Hetherington [EMAIL PROTECTED] wrote:

Hi Bill,

The config was sync'd ok, I can see it on both boxes. Below is a ps -ax from the secondary machine:

# ps -ax |grep slb
60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
65097 p0 RV 0:00.00 grep slb (tcsh)

Looks to me like it's running? I tried editing the config and saving it like you suggest, and the ps -ax was then:

# ps -ax | grep slb
65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000

Still nothing however when I reboot the primary...

Lee

Bill Marquette wrote:

Can you confirm that the load balancer config sync'd over to the secondary? Also, assuming it did, can you do a 'ps -ax |grep slb' from the shell? I suspect it never started slbd after sync (as an interim workaround, you could try going to the load balancer page on the secondary and editing/saving the config).

--Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi Bill,

Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we are load balancing 443 and 80 TCP

Lee

On Tue, 9 Oct 2007 08:47:27 -0500, Bill Marquette [EMAIL PROTECTED] wrote:

Inbound or outbound load balancing?

--Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi There,

I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and working, the two machines are syncing settings and the carp is working properly. However, if I reboot the primary firewall the secondary takes over pings, but the load balancing doesn't work again until the primary is back online. Everything seems to be ok, when the primary disappears, the ping drops 1 packet, then the secondary carries on and everything runs ok. The servers on the lan interface of the firewall can route out to the internet fine whilst running with only the secondary firewall. The only thing not to work is the load balancer. Anyone have any ideas?

I have it wired as:

INTERNET -- PIX 515 PAIR -- 2X CISCO 3550-EMI -- PFSENSE PAIR -- 2X CISCO 3550-EMI -- LAN

Each of the pix/pfsense are connected to separate switches, which are in turn linked together.

Thanks in advance,
Lee
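Bill's suggestion to check that the rulesets match on both machines can be automated for the `pfctl -sn -aslb` output posted above. The following is an added example, not code from the thread or from pfSense; the function names are illustrative, and the sample input is the output from the message with the redirect arrow written as `->`.

```python
import re

# `pfctl -sn -aslb` output as posted in the thread.
PRIMARY = """\
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin sticky-address
"""
SECONDARY = """\
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin
"""

# match criteria, "->" (or a bare "-" where the ">" was lost), pool, target port, options
RDR = re.compile(
    r"^rdr\s+(?P<match>.+?)\s+->?\s*"
    r"(?P<pool>\{[^}]*\}|\S+)\s+port\s+(?P<port>\S+)(?P<opts>.*)$"
)


def parse_rdr(text):
    """Index rdr rules by their match criteria so rule order does not matter."""
    rules = {}
    for line in text.splitlines():
        m = RDR.match(line.strip())
        if m is None:
            continue  # prompts, blank lines, non-rdr rules
        members = [p for p in re.split(r"[{},\s]+", m["pool"]) if p]
        rules[m["match"]] = {
            "pool": frozenset(members),
            "port": m["port"],
            "opts": frozenset(m["opts"].split()),
        }
    return rules


def compare(primary, secondary):
    """Return (rule, field, detail) tuples for every difference between nodes."""
    findings = []
    for key in sorted(set(primary) | set(secondary)):
        p, s = primary.get(key), secondary.get(key)
        if p is None or s is None:
            findings.append((key, "missing", "primary" if p is None else "secondary"))
            continue
        for field in ("pool", "port"):
            if p[field] != s[field]:
                findings.append((key, field, (sorted(p[field]), sorted(s[field]))))
        only_p, only_s = p["opts"] - s["opts"], s["opts"] - p["opts"]
        if only_p or only_s:
            findings.append((key, "opts", (sorted(only_p), sorted(only_s))))
    return findings


if __name__ == "__main__":
    for rule, field, detail in compare(parse_rdr(PRIMARY), parse_rdr(SECONDARY)):
        print(f"{field:8} {rule}: {detail}")
```

For the posted output the only drift reported is `sticky-address`, present on the primary and absent on the secondary for both rules, which is the difference Bill points out.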
[pfSense Support] VLAN/Subnet Question
Hi Folks,

I have a quick question about vlans and subnets. For example on my opt1 I currently have an a.b.c.d/24 subnet. I wish to split this into VLANs and give each of my colo customers a /29. I cannot see how to do this so that the pfsense falls into this equation:

for example let's say the customer is assigned 192.168.0.0/29

192.168.0.1 virtual gateway between left.pfsense and right.pfsense
192.168.0.2 left.pfsense
192.168.0.3 right.pfsense
192.168.0.4 first customer ip

I cannot see any way to add multiple IPs to the interfaces. Other than carp addresses which isn't what I need to add is it? The gateway would be a carp but I wanted to assign the left.pfsense and right.pfsense IPs directly to the box.

Many Thanks,
Lee
Re: [pfSense Support] VLAN/Subnet Question
That's fantastic. Works like a charm!!

Thanks John

Lee

John Cianfarani wrote:

There are a couple steps that need to be done.

First you will probably lose access if this is your only interface, so have access via another interface. I recommend you use a 3rd interface to bring in your trunks in case there are problems with your trunk. Also as a security precaution if you are running a colo.

Make sure your switch is configured with 802.1q trunking to the pfsense interface and those specific new customer vlans are allowed on that trunk.

Go to Interfaces -> Assign -> VLANs. Now here you add in the pfsense interface which is connected to your switch's trunk port and the vlan numbers.

Next go to Interfaces -> Assign -> Interfaces. Now add new interfaces and assign them to the VLANs you just created.

Last step would be to go into each new interface to enable, set an ip and build rules for it.

I found I needed to reboot pfsense once to get it to take all the vlans, but that might just have been me.

Hope that helps
John

-----Original Message-----
From: Lee Hetherington [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 31, 2006 2:24 AM
To: support@pfsense.com
Subject: [pfSense Support] VLAN/Subnet Question

Hi Folks,

I have a quick question about vlans and subnets. For example on my opt1 I currently have an a.b.c.d/24 subnet. I wish to split this into VLANs and give each of my colo customers a /29. I cannot see how to do this so that the pfsense falls into this equation:

for example let's say the customer is assigned 192.168.0.0/29

192.168.0.1 virtual gateway between left.pfsense and right.pfsense
192.168.0.2 left.pfsense
192.168.0.3 right.pfsense
192.168.0.4 first customer ip

I cannot see any way to add multiple IPs to the interfaces. Other than carp addresses which isn't what I need to add is it? The gateway would be a carp but I wanted to assign the left.pfsense and right.pfsense IPs directly to the box.

Many Thanks,
Lee
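The addressing layout from the question (CARP gateway first, then left.pfsense, then right.pfsense, then customer addresses) can be generated for every /29 carved out of a /24, one VLAN per customer as John describes. This is an added example, not code from the thread; the function names and the starting VLAN number 100 are assumptions.

```python
import ipaddress


def plan_customer_subnets(parent, new_prefix=29, first_vlan=100):
    """Split `parent` into per-customer subnets using the layout from the post:
    1st host = CARP gateway VIP, 2nd = left.pfsense, 3rd = right.pfsense,
    remaining hosts = customer addresses. first_vlan is an assumed numbering."""
    plans = []
    subnets = ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)
    for offset, net in enumerate(subnets):
        hosts = list(net.hosts())
        if len(hosts) < 4:
            # A /30 has two hosts: no room for VIP + two firewalls + a customer.
            raise ValueError(f"{net} is too small for a VIP, two firewalls and a customer")
        plans.append({
            "vlan": first_vlan + offset,
            "network": net,
            "carp_vip": hosts[0],
            "left": hosts[1],
            "right": hosts[2],
            "customer": hosts[3:],
        })
    return plans


def owner_of(address, plans):
    """Map an address to (vlan, role); useful when writing per-interface rules
    that only accept sources belonging to that customer's own subnet."""
    ip = ipaddress.ip_address(address)
    for plan in plans:
        if ip not in plan["network"]:
            continue
        for role in ("carp_vip", "left", "right"):
            if ip == plan[role]:
                return plan["vlan"], role
        # Anything left is a customer host or the network/broadcast address.
        return plan["vlan"], "customer" if ip in plan["customer"] else "reserved"
    return None


if __name__ == "__main__":
    for plan in plan_customer_subnets("192.168.0.0/24")[:2]:
        customers = ", ".join(str(h) for h in plan["customer"])
        print(f"vlan {plan['vlan']}: {plan['network']} vip={plan['carp_vip']} "
              f"left={plan['left']} right={plan['right']} customer={customers}")
```

With a CARP pair in each /29, three of the six usable addresses go to the firewalls, leaving three per customer.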
[pfSense Support] PfSense + IPSEC onto Netgear FWAG114
Hi,

Has anyone managed to create an IPSEC tunnel between a PFSense box and a Netgear FWAG114 router? I'm having no joy getting the router to talk to my PFSense box from a remote office. Anyone any idea of the settings needed on the netgear?

Cheers,
Lee
[pfSense Support] PFSense + Poweredge
Hi Guys,

I'm having issues with my current PFSense box in that every time the power is lost (our colo provider had a power outage last week) PFSense needs to be re-installed to work. The latest one meant I had to drive 200 miles in order to fix it. Is there anything I can do to stop this happening other than putting a UPS onto the machine (it's a Poweredge 1850, 2.8GHz Xeon, 1GB RAM, single 72GB SCSI disk). This time the machine booted, but I couldn't ping anything from it nor ping the machine (it did hang for a while bringing up CARP interfaces).

I'm tempted to buy 2x Poweredge 850's with SATA, are there any known issues installing onto this, I'm not sure if SATA on these is supported under FreeBSD...

Cheers for the heads up

Lee
Re: [pfSense Support] PFSense + Poweredge
Holger Bauer wrote:

What's the exact error when the machine doesn't come up again after failure? I usually just power down my test machines by unplugging the psu just to see how it will survive such a condition and I never had such a breakdown yet. You mention CARP? So there is a second machine? Or are you only using the CARP as VIP for the one machine? In case you have a CARP-cluster and sync over the config.xml make sure you haven't built a syncing loop. This way the config.xml is moved from master to backup to master to backup... and it's most likely that you hit a write cycle of the config.xml then when the power outage appears. This will end up in a broken config file.

Holger

Hi Holger,

I used to have two machines doing this, but it's now not configured to sync to the 2nd machine. Basically the first time it all happened it was giving errors where it couldn't find a file (wasn't the config tho), not sure now of the exact error. But this time, it booted as normal. Everything seemed fine, I just couldn't ping nor could I ping it. Although now you mention the sync thing, that could have been it :( Just was very strange, as before I had 2 boxes, and the 2nd just died on a reboot. Now I'm using this 1850 as primary, I'd definitely like to get a backup of some description running... I lost a couple of customers this weekend after the Redbus power failure in London :(

Cheers,
Lee
Re: [pfSense Support] PFSense + Poweredge
Anders D. Hansen wrote:

On Jun 27, 2006, at 11:22, Lee Hetherington wrote:

I'm having issues with my current PFSense box in that every time the power is lost (our colo provider had a power outage last week) PFSense needs to be re-installed to work. The latest one meant I had to drive 200 miles in order to fix it.

I have a poweredge 1850 running pfsense 1.0b4 which a month ago survived a power loss. The server is using the internal scsi controller with the RAID riser card option. (PERC 4e/Si)

I'm tempted to buy 2x Poweredge 850's with SATA, are there any known issues installing onto this, I'm not sure if SATA on these is supported under FreeBSD...

The 850 works pretty well with FreeBSD though I'm not sure about the SATA controller. Found this: http://lists.freebsd.org/pipermail/freebsd-bugs/2006-January/016615.html

You can always install a cheap promise TX2200 or TX2300 controller after delivery...

Cheers for the heads up

Good luck

Thanks Anders. My current 1850 has a single disk, as I had always planned to use CARP to sync to another box, but it doesn't really warrant buying a 2nd 1850 to do this. I may look at a SCSI 850 as the 2nd box.

Cheers,
Lee
[pfSense Support] Routing Issue
Hi,

I have a pfsense box at home. I have 3 interfaces. I have been assigned a 81.174.xxx.8/29 network by my ISP and wish to route some hosts behind a DMZ. Basically how I have it is:

81.174.xxx.9 is router which has a x-over cable to 81.174.xxx.10 which is WAN.
DMZ (Opt1) has 81.174.xxx.11 and my vonage voip router is in the DMZ on 81.174.xxx.12

I cannot for the life of me ping the vonage router, nor can it see the internet. Help.

My old firewall (Astaro) allowed me to create static routes and use proxy arp. When I create a static route in pfsense, it needs a gateway, not just an interface.

I'm using beta 1

Thanks
Lee
Re: [pfSense Support] Routing Issue
Ah, excellent...

So I could have 85.116.xxx.1/29 on pfsense.left, 85.116.xxx.2/29 on pfsense.right, then 85.116.xxx.3/29 as virtual.

Great guns

Lee

alan walters wrote:

Use vlans and then allocate each vlan to an interface. We use this a lot.

Create the vlans, i.e.
vlan 100 192.168.1.0/28
vlan 200 192.168.1.16/28
etc.

Assign vlan 100 to lan
Assign vlan 200 to opt1
And so on and so forth

-----Original Message-----
From: Lee Hetherington [mailto:[EMAIL PROTECTED]
Sent: 22 February 2006 09:21
To: support@pfsense.com
Subject: Re: [pfSense Support] Routing Issue

Yeah, that's what I'm thinking. Shame really. I'll have to static nat it :(

Also another thing: I have 2 pfsense boxes on my live network with a /24 behind it. I want to chop up the /24 into multiple segments, each in its own vlan (per customer) with its own gateway carp address and address per pfsense... I can't see a way of adding multiple networks to an interface, just virtual IPs.

Lee
Re: [pfSense Support] I love my WRAP
I use Intel Dual Port 10/100 Server adaptors with great success. I wouldn't use any non-server-class NIC in my firewall e.g. RealTek, Netgear etc. Look at the hardware compatibility on the FAQ.

Lee

Mojo Jojo wrote:

Because? Are you saying that both brands are bad or bad to use in the same machine? What card would you recommend?

--Todd

PS My WRAP with PfSense is still rock solid almost a month (I think).

----- Original Message -----
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, November 16, 2005 7:50 AM
Subject: Re: [pfSense Support] I love my WRAP

Linksys and Netgear NICS. Problem solved.

Scott

On 11/16/05, Mojo Jojo [EMAIL PROTECTED] wrote:

Two were Dells with a mix of Linksys and Netgear NICS. 1 with 128 MB RAM and 1 with 256. Both had 1GHz processors approx. Other was a generic board with a VIA chipset, same NICS mentioned and 512 MB of RAM and AMD 1.4 or somewhere close.

I have lots of posts about my problems I am sure folks can find. Lots of help was offered, it was just too hard to wait while it was going down constantly on our production network. We had TONS of issues.

Our setup was and still is this:

LAN Unused
WAN T1 Router
Opt1 Server DMZ Network bridged to the WAN interface

No traffic shaping or anything else really in use.

Hope this helps..

----- Original Message -----
From: Holger Bauer [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, November 16, 2005 1:30 AM
Subject: AW: [pfSense Support] I love my WRAP

Thanks for the info, but pfSense should run fine on other hardware than WRAPs as well AND it actually DOES run stable on other hardware as well. The WRAP is a very fine device, I agree, but if it comes to pushing larger loads you need something with more power under the hood (a WRAP does 28+ mbit/s with maxed out CPU). Can you provide info about the 3 other systems that caused all these troubles? Maybe someone might find it useful for avoiding some components or replacing some parts to get stability?

Holger

-----Original Message-----
From: Mojo Jojo [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 16, 2005 06:51
To: PfSense Support List
Subject: [pfSense Support] I love my WRAP

Just wanted to report that after many miserable weeks/months of trying to get PfSense to run in any sort of stable/production situation on 3 different PCs, I finally bought a WRAP a few weeks ago and I couldn't be happier!

While on any of the three PCs my PfSense box would go down anywhere between 0-8 times a night. Sometimes it would last 2 or 3 days without going down but sometimes it would go into fits where it would go down over and over every 10 minutes, it would do this 10-12 times in a row before staying up.

I was about to give up on the product when I purchased a WRAP, since putting PfSense on the WRAP with basically the same config as before, I have had nothing but sheer joy! I am going on 17 days of straight uptime without so much as a hiccup.

I don't know what was up with my three different pieces of hardware and PfSense but I do know that all is well now running 0.88 on the WRAP.

So, the purpose of my post is to let you folks know if you are having stability issues in a production environment and really want to get to a better place quickly, BUY A WRAP!

No I do not get anything out of this, just trying to save others from going through the pain I did and go straight to the joy of a stable PfSense solution.

Hope this helps some of you.

--Todd

Virus checked by G DATA AntiVirusKit

This e-mail has been scanned for viruses by Mailsauce. For further information visit http://www.mailsauce.com
[pfSense Support] Load Balancing
Hi,

I'm new to pfsense and have two machines running 0.92, both with 2x Dual Port 100+ Intel Management adaptors. I cannot for the life of me get load balancing working. Here is how I have them set up:

left.pfsense
fxp1 Lan
fxp2 Cross Over cable to right.pfsense for sync
fxp3 DMZ Servers
fxp4 WAN

right.pfsense
fxp1 Lan
fxp2 Cross Over cable to right.pfsense for sync
fxp3 DMZ Servers
fxp4 WAN

On my internal lan and wan I have carps set up with virtual IPs. I wish to use one of my virtual IPs to load balance mail to 2 servers on my internal lan. I have it all set up as per the wiki but I cannot get anything through to the mailservers on the internal lan. I have a firewall rule which allows * to connect to the virtual ip on port 25.

Any ideas? Please help.

Lee
Re: [pfSense Support] Load Balancing
Hi Scott,

I followed those exactly. And yet I still have no joy :( Can anyone suggest anything which I may need to tick or the such which may prevent this from working?

Regards
Lee

Scott Ullrich wrote:

Try visiting these docs:

http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing

Scott

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

Hi,

I'm new to pfsense and have two machines running 0.92, both with 2x Dual Port 100+ Intel Management adaptors. I cannot for the life of me get load balancing working. Here is how I have them set up:

left.pfsense
fxp1 Lan
fxp2 Cross Over cable to right.pfsense for sync
fxp3 DMZ Servers
fxp4 WAN

right.pfsense
fxp1 Lan
fxp2 Cross Over cable to right.pfsense for sync
fxp3 DMZ Servers
fxp4 WAN

On my internal lan and wan I have carps set up with virtual IPs. I wish to use one of my virtual IPs to load balance mail to 2 servers on my internal lan. I have it all set up as per the wiki but I cannot get anything through to the mailservers on the internal lan. I have a firewall rule which allows * to connect to the virtual ip on port 25.

Any ideas? Please help.

Lee
Re: [pfSense Support] Load Balancing
Bill

Yes I'm outside of that physical network

Scott

No errors no... I'm just rebooting now actually. I'm going to login and try telnet from firewall to private ip in a sec...

Scott Ullrich wrote:

Well if you're no longer logging errors you're headed in the right direction. Have you rebooted? Have you telnetted from the firewall to the private ip port 25?

Scott

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

Nope. Doesn't even log any errors in the firewall log either...

Scott Ullrich wrote:

I don't know, you tell us. Did it work?

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

Ok here is what I have

WAN interface
Allow anything to connect to vip address on port 25
Allow anything to connect to internal /24 on port 25

LAN Interface
Allow anything to connect to internal/24 on port 25

Surely that covers it off?

Lee

Bill Marquette wrote:

NAT occurs before filtering. You need a rule on the WAN interface allowing connections to the physical server IPs.

--Bill

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

I have. On the wan interface, I'm allowing anything to connect to the vip 85.116.30.1 address on port 25

Do I need any others?

Scott Ullrich wrote:

Perhaps you need firewall rules!?

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

0.92 Latest

For some reason left is master for the carp of the smtp and right is master of the carp for the external (routing)...

On the machine which is the inbound carp I have:

DENIED: Aug 13 16:12:12 WAN 81.174.235.11.34623 85.116.30.1.25 TCP

On the machine which is the smtp carp I have:

DENIED: Nov 10 16:20:48 WAN 81.174.235.11.34683 192.168.7.1.25 TCP

Looks like one of them has the wrong date too :)

Scott Ullrich wrote:

1. What version
2. What do you see in the firewall filter logs regarding these connections

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

Ok, I have left and right pfsense boxes.

On my opt1 interface I have a carp setup:

85.116.x.1/27 is the network I'm using. My internal network is then 192.168.x.0/24

I have 85.116.x.1 assigned as the virtual
I have 85.116.x.2 on left
85.116.x.3 on right

I want to load balance 85.116.x.1 inbound on port 25 to a pool I have setup which contains:

192.168.x.1
192.168.x.4

The left and right also have
192.168.x.254 as virtual
192.168.x.252 on left
192.168.x.253 on right

I have a firewall rule which allows * to connect on port 25 to the carp address which is 85.116.x.1

The tcp connection just times out. At one point it was in the log saying bad gateway 85.116.x.1

Other than this, it's exactly as described in the IncomingLoadBalancing example on the wiki.

Lee

Scott Ullrich wrote:

Many people have followed these and they work. You'll need to provide more information of how it's all setup and what doesn't work.

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

Hi Scott,

I followed those exactly. And yet I still have no Joy :(

Can anyone suggest anything which I may need to tick or the such which may prevent this from working?

Regards

Lee

Scott Ullrich wrote:

Try visiting these docs:

http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing

Scott

On 11/10/05, Lee Hetherington [EMAIL PROTECTED] wrote:

Hi,

I'm new to pfsense and have two machines running 0.92 both with 2x Dual Port 100+ Intel Management adaptors.

I cannot for the life of me get load balancing working. Here is how I have them setup:

left.pfsense
fxp1 Lan
fxp2 Cross Over cable to right.pfsense for sync
fxp3 DMZ Servers
fxp4 WAN

right.pfsense
fxp1 Lan
fxp2 Cross Over cable to right.pfsense for sync
fxp3 DMZ Servers
fxp4 WAN

On my internal lan and wan I have carp's setup with virtual ip's.

I wish to use one of my virtual ip's to load balance mail to 2 servers on my internal lan. I have it all setup as per on the wiki but I cannot get anything through to the mailservers on the internal lan.

I have a firewall rule which allows * to connect to the virtual ip on port 25.

Any ideas? Please help.

Lee
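Bill's point in the thread above, that NAT occurs before filtering, as an added example that is not part of the original messages and is not pf or pfSense code. It is a simplified model that assumes a single rdr target (the thread elides the second pool member), rules matched on interface and exact destination, and default block; the names `RDR`, `VIP_ONLY` and `WITH_SERVER` are hypothetical.

```python
import re

VIP, SERVER = "85.116.30.1", "192.168.7.1"   # both appear in the thread's log lines
RDR = {(VIP, 25): (SERVER, 25)}              # assumed: one pool member only

# The two filter-log lines quoted in the thread.
LOG = [
    "DENIED: Aug 13 16:12:12 WAN 81.174.235.11.34623 85.116.30.1.25 TCP",
    "DENIED: Nov 10 16:20:48 WAN 81.174.235.11.34683 192.168.7.1.25 TCP",
]
LINE = re.compile(r"DENIED: \w+ +\d+ [\d:]+ (\w+) ([\d.]+)\.(\d+) ([\d.]+)\.(\d+) (\w+)$")

def parse(line):
    """Split a DENIED line into interface, source, destination and protocol."""
    m = LINE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    iface, src, sport, dst, dport, proto = m.groups()
    return {"iface": iface, "src": (src, int(sport)), "dst": (dst, int(dport)), "proto": proto}

def translate(dst):
    """Step 1: rdr rewrites the destination before any filter rule is consulted."""
    return RDR.get(dst, dst)

def filter_packet(rules, iface, dst):
    """Step 2: pass only if a rule names this interface and destination."""
    return "pass" if (iface, dst) in rules else "block"

def inbound(rules, iface, dst):
    """Return the verdict and the destination the filter (and its log) sees."""
    seen = translate(dst)
    return filter_packet(rules, iface, seen), seen

VIP_ONLY = [("WAN", (VIP, 25))]                    # rule written against the virtual IP
WITH_SERVER = VIP_ONLY + [("WAN", (SERVER, 25))]   # plus a rule to the physical server IP

def explain(line):
    """Say which address a DENIED line shows: the VIP or a translated server IP."""
    dst = parse(line)["dst"]
    if dst in RDR.values():
        return "post-rdr destination: WAN needs a pass rule to the server IP"
    if dst in RDR:
        return "destination is still the VIP: it reached the filter untranslated"
    return "unrelated destination"

if __name__ == "__main__":
    print(inbound(VIP_ONLY, "WAN", (VIP, 25)), inbound(WITH_SERVER, "WAN", (VIP, 25)))
    print([explain(line) for line in LOG])
```

In this model the VIP-only rule never matches a redirected connection, which is the pattern in the second DENIED line, where the WAN log shows the private server address as the destination.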
Re: [pfSense Support] Load Balancing
Damn things. Now my external carp has gone to INIT and the right firewall won't let me connect. But I can telnet from left onto the actual lan server on port 25

Lee