Re: [pfSense-discussion] fully redundant dual-WAN setup

2009-08-11 Thread Holger Bauer
You are wrong. It IS working, if you set it up correctly. Please don't
make such untrue statements. If you need help in setting it up the
support list or forum is for you but don't tell people it is not
working just because YOU were not able to get it running.

Holger

2009/8/11 Veiko Kukk :
> Eugen Leitl wrote:
>>
>> Can any of you point me to a network diagram illustrating such
>> a setup, with two pfSense instances (how many NICs?) and two or
>> three switches? I presume it needs carp+pfsync in order for it
>> to work.
>
> I have tried dual wan and dual machine setup with no success. Dual wan
> pfsense only works with single machine. carp also works, but both carp
> *and* dual wan together does not work!
> And seems there are very few who care about pfsense failover ability,
> probably most people use single machine and single wan setups.
>
> --
> Veiko
>
> -
> To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
> For additional commands, e-mail: discussion-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>




Re: [pfSense-discussion] euroBSDcon

2009-07-14 Thread Holger Bauer
I checked the date with my company and I can get some days off during
that time. So I'll be joining you :-)

Holger

2009/7/10 Chris Buechler :
> On Wed, May 27, 2009 at 8:26 AM, Paul
> Mansfield wrote:
>> http://www.ukuug.org/events/eurobsdcon2009/
>>
>> anyone going? and more to the point, anyone interested in a beer :-)
>>
>
> I am now officially going to be at EuroBSDCon. The schedule isn't
> finished yet, but my talk on pfSense has been accepted.
>
> Anyone else?
>
> I haven't been to EuroBSDCon before, but if it's anything like BSDCan
> and DCBSDCon there will be ample opportunities for drinking.  :)
> Usually official social events at bars, but if there aren't any such
> things we can setup a pfSense meetup somewhere.
>
>
>




Re: [pfSense-discussion] VLANs on dumb switches

2009-06-27 Thread Holger Bauer
Usually they should be forwarded as is but I have seen some switches
also dropping them. I have used this kind of setup several times
already successfully. For example I had a completely dumb unmanaged
netgear poe switch that was connected to a pfSense interface with
several vlans and some netgear access points with multiple ssids where
each ssid was assigned to a separate vlan. That worked/works
beautifully but like I said, probably depends on the switch. You'll
have to evaluate it with the specific model that you want to use.

                  VLAN AP     VLAN AP
                     |           |
pfSense(VLANs)----dumb netgear switch----VLAN AP
                     |           |
                  VLAN AP     VLAN AP

Holger

2009/6/27 Eugen Leitl :
>
> I have a somewhat off-topic question. This involves pfSense
> as the firewall, though.
>
> If I use a dumb switch as a poor man's VLAN, will the
> Ethernet frame tagging get propagated to smart switches further
> downstream?
>
> --WAN-pfsense-LAN(dumb switch)-LAN(smart switch)-LAN(smart switch)
>               |                |                 |
>              dumb systems     smart systems     smart systems
>
> Or is this undefined, depending on whether the dumb switch can pass
> on 1522 Byte Ethernet frames downstream, which are 4 Bytes larger
> than the standard allows?
>
> --
> Eugen* Leitl http://leitl.org
> __
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>
>
>




RE: [pfSense-discussion] pfsense freezes after dhcpd on alix

2008-01-17 Thread Holger Bauer
Make sure you are running the latest BIOS on that board. I think I have
seen this with a specific BIOS version as well. You can find the latest
BIOSes at http://pcengines.ch/alix2.htm .

Holger

> -Original Message-
> From: Johan Gunnarsson [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 17, 2008 4:26 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] pfsense freezes after dhcpd on alix
> 
> I'm trying to boot pfsense 1.2-rc4 on an alix 2c1 board.
> Everything seems to be running well until the dhcpd is
> starting, this seems to freeze the entire system and I also
> lose network connectivity at this time.
> Is this a known problem? Am I possibly doing anything wrong?
> 
> --
> Johan Gunnarsson
> 
> 
> 


RE: [pfSense-discussion] WRAP Support & Images

2007-09-14 Thread Holger Bauer
Seth benched a soekris 55xx and got around wirespeed. alix should be the
same as the cpu and nics are the same. There are no benches for
IPsec encapsulation yet though.

Holger

> -Original Message-
> From: Eugen Leitl [mailto:[EMAIL PROTECTED] 
> Sent: Friday, September 14, 2007 1:31 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] WRAP Support & Images
> 
> On Fri, Sep 14, 2007 at 12:14:30PM +0200, Holger Bauer wrote:
> > fyi: http://blog.pfsense.org/?p=139
> 
> How much throughput do the new Geode LX boards have?
> RNG and AES integrated sound really good, in the same 
> physical and power footprint.
> 
> --
> Eugen* Leitl http://leitl.org
> __
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
> 
> 


RE: [pfSense-discussion] WRAP Support & Images

2007-09-14 Thread Holger Bauer
fyi: http://blog.pfsense.org/?p=139

Holger

> -Original Message-
> From: Holger Bauer 
> Sent: Thursday, September 13, 2007 4:46 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] WRAP Support & Images
> 
> We offer embedded images which most likely will stay 
> compatible to the end-of-life-systems like wraps or soekris 
> 48xx. These images will run on other systems as well like 
> nexcoms, linitx system, lex light systems or even ordinary 
> PCs with cf to IDE adaptors. 
> 
> As we now have some of the new soekris 55xx and since some 
> days pcengines alix boards (the "new" wraps) we can confirm 
> that even these new platforms run with our embedded builds 
> (alix only work with recent snapshots, not the original
> 1.2RC2, so you have to grab builds from our snapshot server).
> 
> Unless the minimum requirements (like RAM for example) of 
> pfSense don't change there should be support for older 
> platforms as well.
> 
> Holger
> 
> > -Original Message-
> > From: Jonathan GF [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 13, 2007 11:23 AM
> > To: discussion@pfsense.com
> > Subject: [pfSense-discussion] WRAP Support & Images
> > 
> > Hi,
> > 
> > i realized Wrap entered the End-Of-Life cycle while i was trying to 
> > buy a PCEngines WRAP for pfSense.
> > 
> > Bearing this in mind, will pfSense keep on providing images for WRAP
> > or will leave that arm?
> > 
> > Thanks in advance.
> > 
> > Regards,
> > 
> > Jonathan GF
> > 
> > 
> 
> 


RE: [pfSense-discussion] WRAP Support & Images

2007-09-13 Thread Holger Bauer
We offer embedded images which most likely will stay compatible to the
end-of-life-systems like wraps or soekris 48xx. These images will run on
other systems as well like nexcoms, linitx system, lex light systems or
even ordinary PCs with cf to IDE adaptors. 

As we now have some of the new soekris 55xx and since some days
pcengines alix boards (the "new" wraps) we can confirm that even these
new platforms run with our embedded builds (alix only work with recent
snapshots, not the original 1.2RC2, so you have to grab builds from our
snapshot server).

Unless the minimum requirements (like RAM for example) of pfSense don't
change there should be support for older platforms as well.

Holger

> -Original Message-
> From: Jonathan GF [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, September 13, 2007 11:23 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] WRAP Support & Images
> 
> Hi,
> 
> i realized Wrap entered the End-Of-Life cycle while i was 
> trying to buy a PCEngines WRAP for pfSense.
> 
> Bearing this in mind, will pfSense keep on providing images 
> for WRAP or will leave that arm?
> 
> Thanks in advance.
> 
> Regards,
> 
> Jonathan GF
> 
> 


RE: [pfSense-discussion] FreeBSD IPv6 Security Patch

2007-05-11 Thread Holger Bauer
Already doable with the latest snapshots. See
http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/updates/
pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-XX-XX-.tgz

Upgrading a 1.0.1 to that snapshot via webgui on embeddeds works fine.

Holger

> -Original Message-
> From: Eugen Leitl [mailto:[EMAIL PROTECTED] 
> Sent: Friday, May 11, 2007 9:12 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] FreeBSD IPv6 Security Patch
> 
> On Thu, May 10, 2007 at 09:57:32PM -0500, Bill Marquette wrote:
> 
> > The latest snaps already have this included (all snaps built after
> > 2007-04-26 23:42:23 UTC have this patch included as we pull source
> > from freebsd.org at the time of the build).  There are currently no
> > plans to release a 1.0.2 to address this as we're in the middle of the
> > release cycle for 1.2.  I would recommend upgrading to the latest
> 
> Will there be a way to remotely upgrade embedded from 1.x to 1.2?
> It's one thing unscrewing the WRAPs from their aluminum 
> coffin, but something else entirely to having to spend half a 
> day in the car to have your production firewalls upgraded.
> 
> If it's not planned, perhaps a few of us could pony up a bounty.
> 
> > snapshots if you are utilizing the ipv6 tunneling feature in pfSense,
> > otherwise, I leave it to you to read the pdf link to in the advisory
> > and determine if this is a risk you are willing to accept.
> 
> --
> Eugen* Leitl http://leitl.org
> __
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
> 
> 


RE: [pfSense-discussion] pfsync+carp cluster (XV)

2007-03-25 Thread Holger Bauer
Make sure you are not using the same public IPs as VIPs and at the real
interfaces with the public IPs of the machines. This indeed can cause
some issues (IP conflicts).

Holger

-Original Message-
From: sai [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 25, 2007 5:06 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] pfsync+carp cluster (XV)

On 3/24/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> It's this time of the year again: I'm trying to get carp+pfsync 2-node
> cluster going.
>
> (To recap: last time, I downed a network segment with an ARP storm,
> and couldn't reclaim one firewall node due to absence of a second
> crossover serial in place.
> I'm going to try again coming Monday).
>
> I didn't like the 1:1 NAT issue and private addresses originally, but
> a few days ago I realized that my hosts already have two interfaces,
> one with public IP addresses, and one a private (10.0.0.x/24) network.
> The NICs on different networks are also connected to different
> switches, both of which are VLAN-capable. The switches are also
> interconnected.
>
> If I see this correctly (Holger?) with this setup I should be able 
> experiment safely (provided, I stay away from another ARP storm), 
> because I don't need to reconfigure the host addresses. The public 
> addresses remain as is, and the private addresses can be made 
> reachable (the only change required is adding a gateway on each host, 
> because right now there is none). The only plumbing required is 
> defining a VLAN with the gateway port and the two WAN interfaces of 
> the firewall. This is always possible to recover from, because the 
> switches are in front of the firewall.
>
> Does this make sense, or is there something I'm overlooking?
>
> Thanks.
>
> --
> Eugen* Leitl

Sounds like you might get loops in that network - be careful about that.

I would not use the Public IP address, just the private ip addresses
when putting in the firewall.

A network diagram of what you are proposing would be much easier to
understand - fewer misunderstandings.

sai



RE: [pfSense-discussion] Forcing a DynDNS update

2007-03-19 Thread Holger Bauer
It already does that every 25 days (iirc) even if the IP has not
changed.

Holger



From: Adam Van Ornum [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 20, 2007 5:14 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Forcing a DynDNS update


Hi, I just got an email today about my DynDNS hostname expiring but I've
been running the pfSense DynDNS client for a while now.  I don't think
my IP address has changed but DynDNS needs to have an update forced at
least once a month for the account to remain in "active" status.  It
would be nice to have a way to force an update at specific intervals.







AW: [pfSense-discussion] multiple WAN address on one nic

2007-03-15 Thread Holger Bauer
This is correct. If all public IPs are in the same subnet you should prefer
natting if you want to have a failover setup. Bridging won't work with having a
failover cluster (besides that it's missing some other features like
traffic shaping too). Theoretically 2 bridged pfSenses in parallel config should
be no problem due to the spanning tree protocol support but I have not tested
this yet. One of the systems should start blocking (you should be able to see
this at status/interfaces).

Holger

-Original Message-
From: Eugen Leitl [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 15, 2007 08:55
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] multiple WAN address on one nic

On Wed, Mar 14, 2007 at 11:53:00PM +0100, Holger Bauer wrote:
> It is possible with pfSense but depends on the public IPs/subnets. If they
> are all in the same subnet you either have to use a bridging setup or you
> have to use virtual IPs at the pfSense and then nat them to your internal
> hosts (which then have a private IP).

With a carp+pfsync cluster the latter is the only option, correct?

It troubles me at the gut level. Both because I need to switch the addresses of 
the hosts (which is impossible to recover from
remotely) and because one has learned to associate NAT with a kludge.
But in this case there is one virtual IP (of the public subnet) mapped 1:1 to 
the private internal IP (from 10.0.0.0/24 or 192.168.1.0/24 or somesuch). Does 
this have any unanticipated side effects?

With a filtering bridge I can switch over to a second system manually, and 
restore from the backup configuration. This is even less acceptable.

Is above more or less correct?
 
--
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



AW: [pfSense-discussion] multiple WAN address on one nic

2007-03-14 Thread Holger Bauer
It is possible with pfSense but depends on the public IPs/subnets. If they are
all in the same subnet you either have to use a bridging setup or you have to
use virtual IPs at the pfSense and then nat them to your internal hosts (which
then have a private IP).

Holger

-Original Message-
From: Kelly Martin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 14, 2007 23:45
To: discussion@pfsense.com
Subject: [pfSense-discussion] multiple WAN address on one nic

Just about to try out pfSense for the first time. I have one environment where 
the ISP provides three public IP addresses. Today I use an OpenBSD box as a 
firewall/nat/webserver and the external nic has one public address (plus two 
public aliases), plus NAT for an internal network using a second nic.

What I'd like to do is install pfSense and use it like a router...
forward two of the public IP addresses (static) to a single box in a DMZ for 
web serving (http and https), and then send traffic for the third public 
address to an internal network. Before I go down this path, is this possible to 
do with pfSense? I suspect a machine with three interfaces would be ideal. 
Specifying the outgoing address for the LAN is not important.



AW: [pfSense-discussion] FTP Problems and IIS

2007-03-14 Thread Holger Bauer
pfSense's integrated ftp helper DOES solve this problem if configured correctly:
- enable the ftphelper at Interfaces/WAN
- add a portforward for just port 21 to your IIS server at firewall/nat, 
portforward (keep the autocreate firewallrule enabled; it will generate one 
more rule for the ftphelper too)
- save and apply 

Now everything should work like expected. Active and passive ftp should not be 
a problem now.

Holger

-Original Message-
From: Chris Godwin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 14, 2007 13:52
To: discussion@pfsense.com
Subject: [pfSense-discussion] FTP Problems and IIS

I just wanted to get a good opinion about my issue. I have this issue with 
several routers including pfsense and monowall. When natting ftp to a windows 
machine running IIS, passive ftp doesn't work. I think it doesn't work for two 
reasons. The first is that the passive ports need to be forwarded, but even on 
a 1:1 nat it doesn't seem to work either.
Secondly, because when I initiate a passive connection and receive a host and
port from the server, that host is of the local ip flavor and cannot be routed
to. Am I correct in blaming this on the ftp service and not the router/natting
platform? I wonder if pfsense's ftp help can proxy that connection. I've used
freeBSD's ftpproxy port to solve this on a full machine.

Thank you,

Chris Godwin
Linux/Unix Consultant
Network Logistic, Inc.
[EMAIL PROTECTED]
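
The passive-mode problem described in this thread, as an added example (not pfSense code and not from either poster): the server's 227 reply carries its private address in the payload, so port forwarding or 1:1 NAT alone leaves the client with an unroutable target, and an FTP helper has to rewrite the reply and open the matching data path. The addresses, the sample reply and the `rewrite_pasv_reply` helper are constructed for illustration; the check that the advertised host equals the control-connection server is this example's own hardening assumption.

```python
import ipaddress
import re

# Passive-mode reply: "227 <text> (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

# Private ranges a client on the Internet cannot route to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(line):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def format_pasv_reply(host, port):
    """Build a 227 reply advertising host:port."""
    octets = str(host).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)" % (octets, port >> 8, port & 0xFF)


def rewrite_pasv_reply(line, server_ip, public_ip):
    """Model what a NAT-side FTP helper does with the server's 227 reply.

    Returns (reply_for_client, forward). forward is the temporary
    public -> internal mapping the firewall has to add for the data
    connection, or None when the advertised address was already routable.
    """
    host, port = parse_pasv_reply(line)
    server_ip = ipaddress.IPv4Address(server_ip)
    public_ip = ipaddress.IPv4Address(public_ip)
    if host != server_ip:
        # Only open a data path to the server the control connection goes to;
        # a reply naming a third host must not punch a hole toward it.
        raise ValueError("227 reply advertises %s, control peer is %s"
                         % (host, server_ip))
    if not any(host in net for net in RFC1918):
        return line.strip(), None
    forward = {"listen": (str(public_ip), port), "target": (str(host), port)}
    return format_pasv_reply(public_ip, port), forward


# Constructed sample: an FTP server at 192.168.1.10 behind a firewall whose
# WAN address is 203.0.113.10 (documentation range).
SERVER_REPLY = "227 Entering Passive Mode (192,168,1,10,19,137)."

if __name__ == "__main__":
    print("server says :", SERVER_REPLY)
    print("advertised  :", parse_pasv_reply(SERVER_REPLY))
    reply, forward = rewrite_pasv_reply(SERVER_REPLY, "192.168.1.10", "203.0.113.10")
    print("client sees :", reply)
    print("firewall adds:", forward)
```
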




RE: [pfSense-discussion] SVG realtime grapher

2007-02-21 Thread Holger Bauer
This feature is a 1:1 copy of a m0n0 feature. Nobody of the pfSense team
has worked on this yet or even considered changing something. However,
if you get something nice together that's showing additional information
make sure to send in your work so we can consider including it ;-)

Holger

> -Original Message-
> From: Dominik Zalewski [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 21, 2007 4:55 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] SVG realtime grapher
> 
> Hi All,
> 
> I'm using OpenBSD 4.0 as my main firewall. I was wondering
> how I can implement SVG realtime grapher for interfaces and
> is it possible to have realtime graphs for users (per IP) in my LAN.
> 
> Thank you in advance,
> 
> Dominik
> 
> 


RE: [pfSense-discussion] Can pfSense be ported to Intel IXP425?

2007-02-02 Thread Holger Bauer
32MB RAM is by far not enough to run pfSense. You at least need 128 MB.
Also the CPU is not yet supported.

Holger 

-Original Message-
From: ryn jackson [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 03, 2007 12:31 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Can pfSense be ported to Intel IXP425?

Having been running pfsense for a week now, i have to say i truly enjoy
it, and i have qos that works!
I had been using the Linksys RV082 in several of our offices and the
only thing i don't like about them is their flexibility and weak QoS.
The specs and performance on these boxes are pretty amazing for the
price:
Intel IXP425 533MHz
32 Meg RAM
16 Meg Flash
Dual Wan
8 LAN ports that can supposedly be separated into VLAN's (fake, they
still use the same subnet but traffic doesn't pass between them) Too bad
the existing firmware doesn't harness the power of the hardware. I've
clocked a consistent 27Mbps of 3DES IPsec with these.
These linksys boxes are running Linux 2.4 with openswan and iptables i
believe.

There is a Firmware project to update the Linksys RV series to the 2.6
kernel and tweak some other stuff. One is called OpenWRV
http://www.phj.hu/wrv54g/ which seems to be focused on the wireless
version and the other one is OpenIXP which is tied to this project
focusing on the IXP platform. Neither of them seem to have gone
anywhere, maybe the members are too busy? I think pfSense would be much
better than modifying the crappy firmware that linksys provides anyways.

I am under the impression that Free BSD is not only lighter, but more
efficient with networking (network stack)  than Linux is so i was
wondering if it would be possible to port to this platform. there's more
info on its little brother here:
http://www.linksysinfo.org/forums/showthread.php?t=34276
That thread is about the RV042 [EMAIL PROTECTED], 32Meg ram but it's
interesting that these boxes have 2 serial ports, mini pci and even HDD
capability built in.
I cannot, for the life of me find this but there's a project going on
now to hack and rewrite the existing firmware but why start with crap if
you could port over something like pfSense, even it has some features
stripped out.

What do you guys think? Is it feasible/possible? I would really like to
have an appliance using this platform and pfSense. It's got way more
power than the Soekris/wrap the only thing i'm concerned about is the
32meg of ram, but i think it would be possible.

I think the best way to actually make the VLANs function on this device
(i don't think it would support 802.1q) would be to assign subnet
interfaces to vlans (up to 8) and then assign vlan's to lan ports. All
traffic on ports with the same vlan assigned is bridged. That's the way
routing assignments work on the Adtran Netvanta 1224R's i work with and
it's very intuitive.





RE: [pfSense-discussion] can't easy connect to pptp vpn SINGLE:NO_TRAFFIC

2007-01-10 Thread Holger Bauer
RC1 is completely unsupported by now. It's way too old. You really
should upgrade to a recent version.

Holger 

> -Original Message-
> From: Sjaak Nabuurs [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 10, 2007 10:58 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] can't easy connect to pptp vpn 
> SINGLE:NO_TRAFFIC
> 
> Hello
> 
> 
> I have a problem to setup a PPTP vpn connection. When I try to
> connect I see in the Diagnostics state
> gre pfsenseWanIP -> MyIP  SINGLE:NO_TRAFFIC
>
> When I reset states I'm successful to get a VPN connection.
> gre pfsenseWanIP -> MyIP MULTIPLE:MULTIPLE
> Does anybody know what I'm doing wrong or what's wrong.
>
> My firewall now is set to allow all any to any. I'm not a
> firewall guru.
>
> Using pfsense version 1.0-RC1 with 2 nics wan and lan
> (win2003 terminal server)
> 
> 
> Thanks
> 
> 
> 
> Sjaak
> 
> 


RE: [pfSense-discussion] VideoConference problems

2007-01-08 Thread Holger Bauer
Go to diagnostics>states, reset states and perform a reset to make the 
connections reestablishing with the new rules. Also have a look at 
diagnostics>states after this and show us the states that apply to the video 
and sound traffic.

Holger 

-Original Message-
From: Carlos Julio Sánchez [ACC-SIS] [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 11:38 PM
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] VideoConference problems

I changed source port to destination port and I don't have video and sound yet

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 4:33 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] VideoConference problems

No, you do not want source port, you want destination port.


On 1/8/07, Carlos Julio Sánchez [ACC-SIS] <[EMAIL PROTECTED]> wrote:
> Hi, i send the screen shots with the port 1720 of netmeeting
>
> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 08, 2007 3:59 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] VideoConference problems
>
> You need to define the port in question as well.
>
> Scott
>
>
> On 1/8/07, Carlos Julio Sánchez [ACC-SIS] 
> <[EMAIL PROTECTED]> wrote:
> > Here I send the screenshots, please inform me if I have configured
> > anything wrong
> >
> >
> > Thanks!
> >
> > -Original Message-
> > From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 08, 2007 3:24 PM
> > To: discussion@pfsense.com
> > Subject: Re: [pfSense-discussion] VideoConference problems
> >
> > Show a screen shot of the rules summary page (the page where you can
> > add/edit/delete advanced outbound nat items).   Also show a screenshot
> > of the actual items setting as well.
> >
> > On 1/8/07, Carlos Julio Sánchez [ACC-SIS] 
> > <[EMAIL PROTECTED]> wrote:
> > > Hi!
> > >
> > > I created the advanced outbound NAT, but my netmeeting machine 
> > > behind Pfsense don't have video and sound yet.
> > >
> > > I was reading the forum but said the same below
> > >
> > >
> > > -Original Message-
> > > From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 08, 2007 12:19 PM
> > > To: discussion@pfsense.com
> > > Subject: Re: [pfSense-discussion] VideoConference problems
> > >
> > > Same situation that VOIP folks run into.   Create an advanced outbound
> > > NAT rule for this particular port, move it to the top and be sure 
> > > to enable the static port option for the rule in question.
> > >
> > > Also search the forum for static port, it's discussed about once a 
> > > week at least.
> > >
> > > Scott
> > >
> > > On 1/8/07, Carlos Julio Sánchez [ACC-SIS] 
> > > <[EMAIL PROTECTED]> wrote:
> > > >
> > > >
> > > >
> > > >
> > > > Hi!
> > > >
> > > >
> > > >
> > > > Anybody can help me, I connect from my home without pfsense to
> > > > videoconference device, but when I try connect at work with
> > > > pfsense firewall I don't have video and sound
> > > >
> > > >
> > > >
> > > > Anybody knows why?
> > > >
> > > >
> > > >
> > > >
> > > > Carlos J. Sánchez
> > > >
> > > > Redes y Telecomunicaciones
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > [EMAIL PROTECTED]
> > > >
> > > > www.americancallcenter.com
> > > >
> > > >
> > > >
> > > > Av. Fco. de Orellana 111 Edif. WTC Torre B Of. 812
> > > >Guayaquil, Ecuador
> > > >
> > > >
> > > > Tel.   +593 (4) 263-0750 - Ext. 5140
> > > >Fax.  +593 (4) 263-0764
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
>
>
>



RE: [pfSense-discussion] snapshots?

2007-01-08 Thread Holger Bauer
There is a snapshotserver now that constantly builds images. You'll find
the snaps at http://snapshots.pfsense.com/FreeBSD6/RELENG_1/ .
 
Holger




From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 4:11 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] snapshots?



I lost my bookmarks during a re-image and can't seem to find the
snapshots anymore...I thought they would be at
www.pfsense.com/~sullrich ? But can't seem to find them




RE: [pfSense-discussion] Windows shares across the firewall

2007-01-04 Thread Holger Bauer
It's all a question of firewall rules. Also keep in mind that
firewall rules are always applied for incoming traffic at an interface
and first match wins. For name resolution across the subnets you should
enable the "register dhcp leases in dns forwarder" option at
services>dns forwarder.

Holger 

> -Original Message-
> From: David Brown [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 04, 2007 9:10 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Windows shares across the firewall
> 
> I'm planning to set up a new firewall/router at our company, 
> and am leaning towards using pfSense because I want several 
> green networks (either using multiple ports on the firewall 
> machine, or using a managed switch and VLANs - as far as I 
> understand it, they can work the same way).
> 
> There are going to be a couple of server machines on 
> different branches of the LANs, but I need access to them 
> from the other branches.  The setup I've planned looks like this:
> 
> 
> /-----------\
> |           |-red1----internet
> |  pfSense  |-red2----(second internet connection, optional)
> |           |
> |           |-orange--DMZ---web server, mail server, squid, etc.
> |           |
> |           |-blue---(wireless for laptops, including visitors)
> |           |   |                 |        |
> |           |   LinkSys WRT54GL   LinkSys  LinkSys
> |           |    /   \            /   \    /   \
> |           |     laptops, etc.
> |           |
> |           |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc.
> |           |
> |           |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc.
> |           |
> |           |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc.
> |           |
> \-----------/
> 
> 
> Making appropriate firewall and routing rules for access to 
> the DMZ servers from the green LANs is easy enough, as are 
> things like allowing ssh access on different LANs for 
> administrative purposes.  But it is also important that I can 
> get windows share access in some way across the LANs.  For 
> example, pc1.2 (say, 192.168.1.102) should be able to mount a 
> share on server2.1 (192.168.2.1), while the reverse is not 
> true (i.e., no machine on LAN2 should see the pc's on LAN1).  
> Is it sufficient, and safe, to simply open a pinhole for 
> traffic on port 139 towards 192.168.2.1 from 192.168.1.x ?  I 
> suppose I could set up VPNs somewhere to tunnel traffic 
> around, but I can't see that this would actually improve 
> matters (I have no need to encrypt traffic passing between 
> greens) - I would need similar rules to limit the VPN traffic. 
> In fact, I'm assuming that once I've got things figured for 
> cross-green routing, I can use the same sorts of rules for 
> VPN's from laptops on the blue zone or attaching via the internet.
> 
> As far as I can tell, it is only the share access that I need 
> from the SMB/CIFS protocols.  pfSense's DNS server should be 
> able to handle naming, and I am not running a windows domain 
> (it's all set up as a workgroup).
> 
> If I can't get a stable and secure arrangement for SMB 
> sharing, what are my other options?  At the moment, we have a 
> couple of linux file servers and one old windows one, which 
> can be replaced if it is not flexible enough.  I've heard of 
> using WebDAV as a protocol - W2K and XP (and linux, and 
> presumably FreeBSD :-) can mount WebDAV paths, and use them 
> directly.  If the WebDAV access is over https, then it could 
> be used directly from outside the LANs without needing a VPN. 
>  Another idea I have read about is using a SFTP server along 
> with WebDrive software.
> 
> Any hints, tips, website pointers, or comments about how only 
> an idiot would arrange things like that, would be much appreciated.
> 
> mvh.,
> 
> David
> 
> 
> 
> 
> 

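The rule semantics from the reply above (rules are evaluated on the interface where traffic enters, first match wins), applied to the one-way share pinhole asked about in the quoted message. This is an added model, not pfSense's own code: the `Rule` class, the rule lists and the 198.51.100.7 test address are constructed, and the block rules are simplified (they also cover the firewall's own LAN addresses). It also shows how a misplaced broad block rule silently shadows the pinhole.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (self.proto in ("any", other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dport in (None, other.dport))


def evaluate(rulesets, in_iface, proto, src, dst, dport):
    """Decide a NEW connection arriving on in_iface: first matching rule wins.

    Replies to a passed connection are handled by the state it created and
    are not looked up here. Returns (action, index of the deciding rule).
    """
    for index, rule in enumerate(rulesets.get(in_iface, [])):
        if rule.matches(proto, src, dst, dport):
            return rule.action, index
    return "block", None  # nothing matched: default deny


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:j])]


# Constructed rulesets using the addressing from the post.
GREEN1 = [
    Rule("pass", "tcp", "192.168.1.0/24", "192.168.2.1/32", 139),  # share pinhole
    Rule("block", "any", "192.168.1.0/24", "192.168.0.0/16"),      # no other cross-LAN
    Rule("pass", "any", "192.168.1.0/24", "0.0.0.0/0"),            # everything else out
]
GREEN2 = [
    Rule("block", "any", "192.168.2.0/24", "192.168.0.0/16"),      # LAN2 sees no other LAN
    Rule("pass", "any", "192.168.2.0/24", "0.0.0.0/0"),
]
# Same rules as GREEN1 with the broad block moved above the pinhole.
MISORDERED_GREEN1 = [GREEN1[1], GREEN1[0], GREEN1[2]]

RULESETS = {"green1": GREEN1, "green2": GREEN2}

if __name__ == "__main__":
    print("pc1.2 -> server2.1:139 :",
          evaluate(RULESETS, "green1", "tcp", "192.168.1.102", "192.168.2.1", 139))
    print("server2.1 -> pc1.2:139 :",
          evaluate(RULESETS, "green2", "tcp", "192.168.2.1", "192.168.1.102", 139))
    print("misordered pinhole     :",
          evaluate({"green1": MISORDERED_GREEN1}, "green1", "tcp",
                   "192.168.1.102", "192.168.2.1", 139))
    print("shadowed rule indexes  :", shadowed(MISORDERED_GREEN1))
```
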

RE: [pfSense-discussion] SIP client registration issues with asterisk

2006-12-29 Thread Holger Bauer
Not an answer to the original question but I think supporting this bounty might 
solve the issues too and even other issues that come along with sip behind nat: 
http://forum.pfsense.org/index.php/topic,2824.0.html

Holger 

> -Original Message-
> From: Abel Martín [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 29, 2006 12:59 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] SIP client registration issues 
> with asterisk
> 
> Hi,
> 
> We have been recently experiencing problems with SIP clients 
> registration. We have an asterisk box working as SIP server 
> behind a NAT and some SIP clients behind a pfSense box.
> 
> After a lot of troubles we discovered that the problem was 
> that SIP OPTIONS packets are sent to asterisk every 1 minute, 
> which coincidentally is the state timeout for UDP traffic. 
> There's no way of tweaking this parameter in our asterisk. 
> So, when a SIP client got SNATed the state created was kept 
> only for 1 minute, too. The consequence was that SIP clients 
> were randomly unregistered, because when asterisk tried to 
> contact them the state timeout might have expired. We solved 
> the problem increasing udp.first, udp.single and udp.multiple 
> values higher than 120 seconds by hand (actually we set 240 
> s, to be more conservative).
> 
> We are not using static ports, since there are several SIP 
> clients behind the pfSense box, so the port needs to be 
> changed when SNAT is applied. Every extension is set in 
> asterisk to have nat=yes, externip=x.x.x.x, and qualify=yes, 
> which is correct.
> 
> Related to this, I've seen on the forum that you recommend to 
> change the to conservative:
> http://forum.pfsense.org/index.php/topic,2684.msg15914.html#msg15914
> 
> The problem is that UDP timeouts are not changed when setting 
> on this option, and since SIP usually goes inside UDP payload 
> it doesn't do the job.
> 
> - Normal -
> # pfctl -s t
> tcp.first                120s
> tcp.opening               30s
> tcp.established        86400s
> tcp.closing              900s
> tcp.finwait               45s
> tcp.closed                90s
> tcp.tsdiff                30s
> udp.first                 60s
> udp.single                30s
> udp.multiple              60s
> icmp.first                20s
> icmp.error                10s
> other.first               60s
> other.single              30s
> other.multiple            60s
> frag                      30s
> interval                  10s
> adaptive.start             0 states
> adaptive.end               0 states
> src.track                  0s
> 
> - Conservative -
> # pfctl -s t
> tcp.first               3600s
> tcp.opening              900s
> tcp.established       432000s
> tcp.closing             3600s
> tcp.finwait              600s
> tcp.closed               180s
> tcp.tsdiff                60s
> udp.first                 60s
> udp.single                30s
> udp.multiple              60s
> icmp.first                20s
> icmp.error                10s
> other.first               60s
> other.single              30s
> other.multiple            60s
> frag                      30s
> interval                  10s
> adaptive.start             0 states
> adaptive.end               0 states
> src.track                  0s
> 
> Shouldn't this option also modify non-TCP traffic timeouts?
> 
> Regards,
> Abel
> 
> 
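The check described in the quoted message, as an added example that is not part of the thread or of pfSense: it reads `pfctl -s t` output, lists the UDP state timers that are too short for a given SIP keepalive interval, and confirms that the "conservative" profile leaves them unchanged. The function names are hypothetical, the sample dumps are constructed from the values quoted above, and the safety factor of 2 is an assumption taken from the poster's "higher than 120 seconds" for a 60-second interval.

```shell
#!/bin/sh
# Added example: audit pf UDP state timeouts against a SIP keepalive interval.
# The dumps below are constructed from the `pfctl -s t` values quoted in the
# thread (only the lines needed for the demonstration are kept).

PF_NORMAL='tcp.first                120s
tcp.established        86400s
udp.first                 60s
udp.single                30s
udp.multiple              60s
adaptive.start             0 states'

PF_CONSERVATIVE='tcp.first               3600s
tcp.established       432000s
udp.first                 60s
udp.single                30s
udp.multiple              60s
adaptive.start             0 states'

# The poster's hand-tuned values: 240 s for all three UDP timers.
PF_TUNED='udp.first                240s
udp.single               240s
udp.multiple             240s'

# timers PREFIX
# Reads `pfctl -s t` output on stdin and prints "name seconds" for every timer
# whose name starts with PREFIX. Entries that are not durations (for example
# "adaptive.start 0 states") are skipped.
timers() {
    awk -v p="$1" 'index($1, p) == 1 && $2 ~ /^[0-9]+s$/ {
        sub(/s$/, "", $2)
        print $1, $2
    }'
}

# at_risk KEEPALIVE [FACTOR]
# Reads `pfctl -s t` output on stdin and prints each UDP timer that is not
# strictly longer than KEEPALIVE * FACTOR seconds. A state whose timeout equals
# the keepalive interval races with the next keepalive packet, which is the
# random unregistration described in the thread. FACTOR defaults to 2
# (assumption, see lead-in).
at_risk() {
    timers udp. | awk -v k="$1" -v f="${2:-2}" '
        $2 <= k * f { printf "%s=%ss\n", $1, $2 }'
}

# same_timers PREFIX DUMP_A DUMP_B
# Succeeds when both dumps carry identical values for all timers under PREFIX.
same_timers() {
    a=$(printf '%s\n' "$2" | timers "$1")
    b=$(printf '%s\n' "$3" | timers "$1")
    [ "$a" = "$b" ]
}

# report KEEPALIVE
# Prints one line per sample profile, then whether "conservative" changed UDP.
report() {
    for name in NORMAL CONSERVATIVE TUNED; do
        eval "dump=\$PF_$name"
        risky=$(printf '%s\n' "$dump" | at_risk "$1" | tr '\n' ' ')
        echo "$name: ${risky:-ok}"
    done
    if same_timers udp. "$PF_NORMAL" "$PF_CONSERVATIVE"; then
        echo "conservative profile leaves udp.* timers unchanged"
    fi
}

report 60
```

On the firewall itself the same check runs against live data with `pfctl -s t | at_risk 60`.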


RE: [pfSense-discussion] Memory issue

2006-12-28 Thread Holger Bauer
I recommend a reinstall. Backup your config.xml without package settings
(it's an option at diagnostics>backup/restore).

Holger 

-Original Message-
From: Mike Johnson- Southwestech Computers
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 28, 2006 5:49 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] Memory issue





> Removal from the shell? Not sure how to go about that using pfsense 
> (since pfsense is a hacked freebsd system), but you may want to 
> disable snort and then remove it via the webgui.
> 
> Not sure what the bpf state is (can't find any documents off-hand 
> about it), but I'll inquire on the freebsd-net list to see if anyone 
> else knows what it is.
> - -Garrett


Yeah, I can't find anything either, and I already had removed it from
using the GUI ages ago. It just kind of resurfaced for no apparent
reason.
Kinda stumped.

Mike



RE: [pfSense-discussion] 2-node pfSense cluster failover

2006-12-20 Thread Holger Bauer
No way to get additional PCI nics in there. I have actually the same
case (see http://pfsense.com/~hoba/Bild001.jpg ; the machine at the
bottom). You either can use vlans and do the syncing on a separate vlan
or even do the syncing on LAN. CARP sends out heartbeats at all
interfaces that have a CARP IP, so it's doing heartbeat at WAN and at
LAN. The dedicated SYNC interface is meant for syncing states between
cluster members with pfsync, however, as already mentioned it can be set
to sync on LAN too.

CF-Cards and embedded image will work fine with these boxes (depending
on the board you use of course but I didn't have issues with my C3s so
far).

Holger

-Original Message-
From: Eugen Leitl [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 20, 2006 6:00 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] 2-node pfSense cluster failover

On Wed, Dec 20, 2006 at 05:11:42PM +0100, Peter Allgeyer wrote:

> Seems that there is the possibility for two PCI-Slots in that case. So

> you're able to use dual- or even quad-port ethernet cards with it.

It's a mechanical fit issue (NICs colliding with motherboard heatsinks?
or drives? I forget). It might also require special PCI slot risers --
unfortunately,

http://lib.store.yahoo.net/lib/directron/C147600TOP.jpg

no way to check save of actually plugging things in. It certainly didn't
work with the original 3.5" hard drives, which is why I didn't install
them in the last place (by the way, don't run 3.5" hard drives in that
Travla C147 case, since there is not enough airflow -- I'm pretty sure
those PATA Maxtors rated for 24/365 use died one after another due to
overheating). 

At worst I can just configure the firewalls identically, and use VLANs
on the main switch to switch over manually, should one fail.
Not exactly zero downtime, but much better than just relying on soft
firewalls as now.
 
> Besides that, I can't recommend a HA design with two machines in the 
> same case. In case of a failure, you want to change hardware without 
> shutting down both firewalls, don't you? Go out and buy two separate

I can actually pull it out and do brain surgery on the other machine
without disturbing another. In case the node actually dies I will
probably switch to a backup firewall, which will be in place by then.

> machines and you're well prepared.

Sorry, not enough money so far. Hardware keeps dying, not enough
customers.
Apropos of dead hardware, if anyone is looking for a reasonable Level 2
24-port GBit Ethernet switch,
http://www.netgear.com/Products/Switches/SmartSwitches/GS724T.aspx
is a good value for the money. Can handle jumbo frames, has some bugs
fixed in recent firmware, so be sure to upgrade (make sure your model is
a v2). Netgear is usually consumer crap, but this particular switch
seems to be usable (don't blame me if it doesn't work for you, though).

--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



RE: [pfSense-discussion] help me

2006-11-23 Thread Holger Bauer
If things like this happen yes. It usually *should* work but between RC2 and 
1.0.1 are several months of development. It might break under certain 
circumstances.

Holger 

> -Original Message-
> From: Carlos Julio Sánchez [ACC-SIS] 
> [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, November 23, 2006 11:06 AM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] help me
> 
> Always when I upgrade from RC2 to 1.0.1 I need to reinstall?
> 
> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 23, 2006 2:40 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] help me
> 
> You need to reinstall.
> 
> Scott
> 
> 
> On 11/23/06, Carlos Julio Sánchez [ACC-SIS] 
> <[EMAIL PROTECTED]> wrote:
> > Hi!
> >
> > I upgraded pfsense RC2 to Release 1.0.1 and I have an error in the 
> > banner that says "[filter load]" there were error(s) loading the rules: pfctl:
> > DIOCSETSTATUSIF the line in question reads [DIOCSTATUSIF]
> >
> > Anybody knows why?
> >
> >
> 
> 
> 


RE: [pfSense-discussion] PPTP VPN Documentation

2006-11-16 Thread Holger Bauer
See http://doc.m0n0.ch/handbook-single/#PPTP , it's the same for
pfSense.
 
Holger




From: Jason Tyler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 16, 2006 8:01 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] PPTP VPN Documentation



I was looking for Documentation on setting up the PPTP VPN but
was only able to find a blank page.  Does anyone know of a good source
for PPTP howto information?  The link I found was:

 


http://doc.pfsense.org/index.php/Setting_up_a_PPTP_VPN_with_pfSense

 

Thanks,

 

Jason




RE: [pfSense-discussion] Writing on pfsense.

2006-11-09 Thread Holger Bauer
Most people might prepare pdf as it is very common and can store Images
and Screenshots as well. Some of the tutorials in our tutorialsection
are PDFs. You can use OpenOffice to produce a PDF file. If you want to
have it as movietutorial have a look at WINK. You will find some info
and a theme for WINK at http://pfsense.com/index.php?id=36 . You also
could add your stuff to http://doc.pfsense.com , however then it should
cover all aspects of Loadbalancing/Multiwan in a more technical way than
a walkthrough tutorial.

Any help on documentation/tutorials is welcome :-)

Holger

> -Original Message-
> From: Sanjay Arora [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, November 09, 2006 10:36 AM
> To: pfsense-Discuss Mailing List
> Subject: [pfSense-discussion] Writing on pfsense.
> 
> Hello all
> 
> I just implemented a dual WAN pfsense box. I find that 
> pfsense write-ups need more clarity. I wish to write about 
> implementing pfsense for a non- power user like myself..to 
> whom many issues are unclear.
> 
> Will someone please advise me regarding the best format for 
> doing this.
> Target is to create a document and revise it again & 
> again...I will maintain it myself, as the time permits but 
> want to plan it so that work will be minimal and instant 
> modified document is available in one or more formats.
> 
> Have never done this sort of thing before, so please guide.
> 
> With regards.
> Sanjay.
> 
> 
> 
> 


RE: [pfSense-discussion] possible bug in interfaces_opt|wan.php

2006-11-08 Thread Holger Bauer
Either this IP is still used in one of the firewallrules as gateway or
it is in one of the gatewaypools. Delete all reference to this IP before
you change the OPTWAN-settings.

Holger 

> -Original Message-
> From: Mahabub Basha [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, November 08, 2006 11:16 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] possible bug in interfaces_opt|wan.php
> 
> Hi ,
> 
> I have two OPT interfaces:
> OPT1: 10.0.1.2/24, gateway: 10.0.1.1
> OPT2: 10.0.2.2/24, gateway: 10.0.2.1
> 
> If I configure new OPT3 interface with IP 10.0.3.2/24, 
> gateway 10.0.3.1, pfSense
> 1.0.1 throws the following error when I click the "Save" 
> button.  The gateway for OPT3 is not getting set.
> 
> ---
> The following input errors were detected:
> 
> * Cannot change 10.0.2.1 gateway. It is currently 
> referenced by the filter rules via policy based routing.
> ---
> 
> Please note that I have never directly used the 10.0.2.1 
> gateway directly in any of my filter rules.  I have defined 
> only one single pass all filter rule that uses OPT1 and OPT2 
> (slbd load balanced gateways), and have never explicitly used 
> policy based routing to specify 10.0.2.1 as my gateway.
> 
> Digging through interfaces_opt.php show that the "if" 
> condition in line 101 does not check for empty ("") gateways:
> 
> Changing:
> 101: if($rule['gateway'] == $pconfig['gateway']) {
> to
> 101: if($pconfig['gateway'] != "" and $rule['gateway'] == $pconfig['gateway']) {
> 
> fixes my problem.
> 
> The same bug also exists in interfaces_wan.php.
> 
> Regards
> Mahabub Basha
> 
> 


[pfSense-discussion] pfSense Version 1.0.1 available - Upgrade recommended

2006-10-29 Thread Holger Bauer
For a full list of changes see: 
http://pfsense.blogspot.com/2006/10/101-released.html

Holger


RE: [pfSense-discussion] CARP not failing back

2006-10-23 Thread Holger Bauer
First upgrade and retest. RC2 is way too old.

Holger
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 20, 2006 12:06 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] CARP not failing back



I have 2 wrap boxes running RC2 (yeh, upgrade is coming) 

they have 2 CARP addresses each (1 for LAN default route, and 1 for WAN) 

it does detect failover, but does failback when the main server comes back. 

I have my main server as advertising =0, and the other server as 
advertising=100 

any ideas?
 
SCOTT FARRELL 
IBM CERTIFIED Consultant

m 0412 927 156 
p 02 9411 3622 
f 02 8214 6426 
a IBM Building, The Atrium 
601 Pacific Highway, St Leonards NSW 2065 
w www.icconsulting.com.au


RE: [pfSense-discussion] PPTP VPN on OPT1/WAN2

2006-10-17 Thread Holger Bauer
We tested this already pretty much in detail earlier and the answer is: no, 
pptp won't work at an OPT-WAN (unless you are coming directly from the OPT-WAN 
subnet with proper firewallrules). Looks like the PPTP server can't handle this 
situation correctly. Nothing that we can fix at our end.

Holger



> -Original Message-
> From: Heath Henderson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 18, 2006 6:23 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] PPTP VPN on OPT1/WAN2
> 
> 
> I am not certain I explained it correctly.
> 
> The pfsense built in PPTP server answers correctly on the WAN 
> address.  But
> it doesn't answer at all on the WAN2 address, regardless of 
> rules in the FW
> for that interface.  I just wondered if it was a limitation 
> of that PPTP
> server/setup. I am using a load balanced/failover setup and 
> just wanted to
> make sure that was not an option if I have people asking me about it.
> 
> Thanks
> 
> 
> -- 
> Heath Henderson
> [EMAIL PROTECTED]
> 1800 288 7750
> --
> 
> 
> > From: DarkFoon <[EMAIL PROTECTED]>
> > Reply-To: 
> > Date: Tue, 17 Oct 2006 20:19:31 -0700
> > To: 
> > Subject: Re: [pfSense-discussion] PPTP VPN on OPT1/WAN2
> > 
> > Seems to me that with PPTP (and other protocols) if the source IP address of
> > packets sent to the client differs from the IP the client sends packets to,
> > the PPTP software discards (as it should) the packets because they could be
> > coming from an untrusted third-party.
> > 
> > - Original Message -
> > From: "Heath Henderson" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, October 17, 2006 7:51 PM
> > Subject: [pfSense-discussion] PPTP VPN on OPT1/WAN2
> > 
> > 
> >> Does anyone know if there is a limitation to the PPTP VPN connection to
> >> only connect via WAN connection and not via OPT1 or WAN2?
> >> 
> >> I have a successful server running and can connect via WAN but times out
> >> whenever I try and hit the WAN2/OPT1 connection with the same setup.  I
> >> checked all of my rules and they are identical.
> >> 
> >> Thanks
> >> 
> >> -- 
> >> Heath Henderson
> >> [EMAIL PROTECTED]
> >> 1800 288 7750
> >> --
> >> 
> >> 
> >> 
> > 
> 
> 
> 


RE: [pfSense-discussion] IPSEC with wildcard for pre-shared keys

2006-10-17 Thread Holger Bauer
Not really getting the problem. Where do you try to set the wildcard IP? at the 
mobile clients tab or at the preshared keys tab? Usually the identifier is just 
to identify the client (just like the name says) and shouldn't have anything to 
do with routing.

Holger

> -Original Message-
> From: Mikael Syska [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 17, 2006 4:08 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] IPSEC with wildcard for pre-shared keys
> 
> 
> Hi, 
> 
> This concerns mobile clients 
> 
> I have multiple VPN users running against a OpenBSD atm, but I want to
> convert it into a pfsense box, they all use the same preshared key right
> now, and I don't want to change them. 
>  
> In the other setup I could specify a wildcard ip as 0.0.0.0 that they
> use as the identifier, but that does not work here, here I need to enter
> the LAN ip address of the client like: 192.168.32.200 then the client
> connects just fine  and I don't want to enter all possible IP
> addresses that the clients could get :-) ? are there anything I'm
> missing here?
> 
> how can I specify that all ip's can use this preshared with ipsec vpn?
> 0.0.0.0 does not work, but as mentioned above it works when I enter the
> LAN ip address
> 
> I will happily supply any additional information if needed 
> 
> kind regards
> Mikael Syska
> 


RE: [pfSense-discussion] Dynamic DNS

2006-10-16 Thread Holger Bauer
It only supports reporting its interface IP (which is in your setup already a 
natted IP behind another device). Either connect the pfSense directly to WAN or 
use dyndns at the host in front of you that is connected to the real wan or use 
a dyndns update client on LAN that frequently checks for the changed IP and 
sends its request out the appropriate wan by utilizing policybased routing.

Holger

> -Original Message-
> From: Rainer Duffner [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 16, 2006 5:41 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Dynamic DNS
> 
> 
> Stefan Tunsch wrote:
> > I'm talking about the integrated dyndns client.
> >
> > Luckily I installed the ADSL with the dynamic ip address on the WAN
> > interface...
> >
> > How can I report an IP other than the WAN IP? 
> >   
> 
> 
> I think he said "next version".
> Or did I misread that?
> 
> Bear with them - they're probably going to have to take a 
> vacation, now 
> that the release is actually out
> ;-)
> 
> 
> 
> 
> cheers,
> Rainer
> 


RE: [pfSense-discussion] Dynamic DNS

2006-10-16 Thread Holger Bauer
The dyndns client only works at WAN interface and is always reporting the WAN 
interface IP. We have code in the next version to do dyndns per interface.

Are you talking about  the integrated dyndns client or a client that is running 
inside your LAN on a workstation or server?

Holger
-Original Message-
From: Stefan Tunsch [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 4:26 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Dynamic DNS


Hi there!

I recently set up my first pfSense firewall into production.

I am using the load balancing feature. One of the two ADSL connections I'm 
using has a dynamic IP address. The loadbalancing itself is working fine, but 
I'm having trouble with the Dynamic DNS client set up.

I have created an account with DynDNS and set up pfSense accordingly.

The problem is that pfSense reports the IP address of the WAN interface instead 
of providing the public IP of my router.

The second issue is that I don't want to "balance" this url from one interface 
to the other. I want to use just one of the WAN interfaces I've set up. 
Curiously, pfSense always checks the same interface, which is the one where I 
have dhcp set up between WAN and the router.


Any comments on this would be appreciated.

regards.






RE: [pfSense-discussion] IDS yet?

2006-10-05 Thread Holger Bauer
Just to make this clear (besides the technical differences between IDS/IPS), 
the snort package optionally can block (it's a checkbox). 

Holger

> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 10:23 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] IDS yet?
> 
> 
> On 10/5/06, Chris Godwin <[EMAIL PROTECTED]> wrote:
> > Am I correct about Snort being able to block as well as detect? Isn't
> > this IDS/IPS, not just IDS.
> 
> It is a delayed IDS.   Generally an IPS hooks into the network stack
> directly and does not allow the traffic to pass through until its
> scanned.
> 
> This is the counter of that, where a packet may be let through and
> then a block rule is added 50ms later, etc.
> 
> Scott
> 


RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Holger Bauer
A WRAP (266MHz Geode) is maxed out at 32 mbit/s (with optimum packetsize). 
However with enabled trafficshaper and lots of traffic (bittorrent for example) 
it's not able to keep up at my 16/1 mbit/s adsl2+ connection. Depending on your 
WAN speed or if you need LAN to OPT traffic these devices reach their limits 
sooner or later.

Holger



> -Original Message-
> From: Donald Pulsipher [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:03 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] IDS yet?
> 
> 
> 
> It's a 4801 with the fastest processor I could get (266). 
> We'll see what I can do with it, I don't plan on using a 
> default config with snort. I know I'm going to have to tweak 
> it. With the right setup, I believe running snort on the 
> embedded image _is_ feasible. If I do manage to pull it off,
> I'll share what I did.
> 
> -Don
> 
> On Wed, 4 Oct 2006 13:01:44 -0500, "Bill Marquette" 
> <[EMAIL PROTECTED]> wrote:
> > On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> >>
> >> According to my rough calculations, I can do maybe 40mbps throughput
> >> before I peg the cpu. Or maybe I'm just dreaming, but I plan on testing
> >> it.
> > 
> > With a 4801 or wrap???  Try again :)  We peg the CPU on those boards
> > well before 40mbit...I think the last benchmark I saw was 30+mbit.
> > 
> > --Bill
> 
> 


RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Holger Bauer
No, it sees everything. For example running at my WAN though nearly everything 
is blocked it detects portscans too and will block this IP (if enabled) so it 
can't start a bruteforce against my open ports. If you are lucky it will even 
block the intruder before it reaches open ports on your system for example :-)

Holger

> -Original Message-
> From: Jason J. Ellingson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 3:58 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] IDS yet?
> 
> 
> So far, I like the new Snort package.  Very nice and easy to set up.
> You have my praises!
> 
> If I am correct, the Snort package only sees traffic that was not
> blocked by firewall rules?
> 
> - Jason
> 


RE: [pfSense-discussion] IDS yet?

2006-10-04 Thread Holger Bauer
I suggest just trying the snort package in the way it is now before discussing 
new features so everybody in this discussion knows what we are talking about. 
It's easy to setup and configure. You have to be at RC3 for it to work.

Holger

-Original Message-
From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 04, 2006 8:33 AM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet?


Sorry do you plan to use snort as IDS or as IPS? 
I think that the former should be easier to implement as a package, but the 
latter is the direction to follow, in a long term project. Few days ago I saw 
StillSecure Strataguard, and I found that their interface/approach to IPS is 
very good... 
If you like to go in that direction, I'll be pleased to help..at least for what 
I can do...


On 10/3/06, Scott Ullrich < [EMAIL PROTECTED]> wrote:
On 9/20/06, Scott Ullrich < [EMAIL PROTECTED]> wrote:
> There is no IDS package with no intention on creating one.  We are
> waiting for you all to step up to the plate.

I somewhat lied about this.  For some reason after seeing your post 
something clicked in my head and I spent a good 35 hours on a IDS
package.

Upgrade to 1.0-RC3a and you will now find Snort in our packages area.

Scott
PS: it appears that I also have a sponsor for the package.  Will post 
more information once I secure the funds.


RE: [pfSense-discussion] Proper setting for traffic shaping

2006-09-18 Thread Holger Bauer
No. Your line has upstream and downstream. 384 kbit is most likely only one 
way, either up or down. You have to put both in at the first page of the 
trafficshaperwizard. As you are on DSL you have to subtract a bit for the 
pppoe overhead. I recommend doing some up and downloads to/from a fast server 
if you don't know your bandwidth and watch status>trafficgraph to find your 
limits for both directions.

Holger

-Original Message-
From: Kim C. Callis [mailto:[EMAIL PROTECTED]
Sent: Monday, September 18, 2006 11:59 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Proper setting for traffic shaping


I have a 384K DSL connection, and I don't understand what I should be adding 
for traffic shaping... I put down 1kbit for the LAN (IN) side and 256Kbit 
for the WAN (Out)... Was that the correct entries for the shaper? 

-- 
Kim C. Callis
[EMAIL PROTECTED]
_
"A human being should be able to change a diaper, plan an invasion, butcher a 
hog, conn a ship, design a building, write a sonnet, balance accounts, build a 
wall, set a bone, comfort the dying, take orders, give orders, cooperate, act 
alone, solve equations, analyze a new problem, pitch manure, program a 
computer, cook a tasty meal, fight efficiently and die gallantly. 
Specialization is for insects!"
-- Robert A. Heinlein 


RE: [pfSense-discussion] ftp dont connect

2006-09-06 Thread Holger Bauer
That will affect ftp connections going to wan btw. so this is just a workaround 
for now. We'll have to come up with a proper fix for this.

Holger

> -Original Message-
> From: Carlos Julio Sánchez [ACC-SIS]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 06, 2006 4:57 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] ftp dont connect
> 
> 
> Thanks, my problem was corrected
> 
>  
> -Original Message-
> From: Holger Bauer [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, September 06, 2006 9:43 AM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] ftp dont connect
> 
> That is most probably an ftp helper problem. It needs to be excluded for
> remote destinations via VPN. We have code in place to prevent this from
> happening on IPSEC tunnels. Guess we have to do something similar for
> OpenVPN-Tunnel. Try to disable the ftp-helper at the LAN interfaces at both
> ends. Does that solve the issue? Setting is at interfaces>LAN in the webgui.
> 
> Holger
> 
> > -Original Message-
> > From: Carlos Julio Sánchez [ACC-SIS]
> > [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, September 06, 2006 4:23 PM
> > To: discussion@pfsense.com
> > Subject: [pfSense-discussion] ftp dont connect
> > 
> > 
> > Hi!
> > 
> > I have a tunnel with openvpn 
> > side1===GW1=Internet =GW2===side2
> > 
> > when I do "ftp ip_side1" from side2, the ip of side2 is changed with the ip
> > of the GW2 and the ftp don't connect because the side1 responds to the GW2
> > and not to the side2
> > 
> > Anybody Knows why?   
> > 
> > 
> 
> 
> 
> 


RE: [pfSense-discussion] ftp dont connect

2006-09-06 Thread Holger Bauer
That is most probably an ftp helper problem. It needs to be excluded for remote 
destinations via VPN. We have code in place to prevent this from happening on 
IPSEC tunnels. Guess we have to do something similar for OpenVPN-Tunnel. Try 
to disable the ftp-helper at the LAN interfaces at both ends. Does that solve 
the issue? Setting is at interfaces>LAN in the webgui.

Holger

> -Original Message-
> From: Carlos Julio Sánchez [ACC-SIS]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 06, 2006 4:23 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] ftp dont connect
> 
> 
> Hi!
> 
> I have a tunnel with openvpn 
> side1===GW1=Internet =GW2===side2
> 
> when I do "ftp ip_side1" from side2, the ip of side2 is 
> changed with the ip
> of the GW2 and the ftp don't connect because the side1 
> responds to the GW2
> and not to the side2
> 
> Anybody Knows why?   
> 
> 


RE: [pfSense-discussion] pfSense and TTL (time to live) = 1

2006-09-04 Thread Holger Bauer
Are you trying to tell all the people working on pfSense to go out, play 
tennis, walk in the mountain, drive their new car, ... ;-)

Holger

> -Original Message-
> From: Georgi Petrov [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 04, 2006 12:51 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] pfSense and TTL (time to live) = 1
> 
> 
> Yap - it's better given the need to know and understand more. But
> sometimes you have plans to go out and play tennis, walk in the
> mountain or drive your new ('88) car ;)
> 
> May be this is the scary thing around everything that "just doesn't
> work" (TM) - the lost time which can be spent for something else ;)
> 
> Greetings,
> gogothebee
> 


RE: [pfSense-discussion] pfSense and TTL (time to live) = 1

2006-09-04 Thread Holger Bauer
Finding out the hard way is not always a bad thing. I think you got a better 
way of understanding than just "finding the answer" without having to search 
for it.

Holger

> -Original Message-
> From: Georgi Petrov [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 04, 2006 11:19 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] pfSense and TTL (time to live) = 1
> 
> 
> Wow!
> 
> I'm stupid :(
> 
> 2 days lost in researching how to do it my way with m0n0wall :( Well,
> may be not - these were my first steps in BSD :)
> 
> On 9/4/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > On 9/4/06, Georgi Petrov <[EMAIL PROTECTED]> wrote:
> > > Hello everybody,
> > >
> > > I've sent this feature request to the m0n0wall mailing list, so it's a
> > > copy-paste. Everything written can be applied to pfSense as well!
> > >
> > >
> > >
> > > Here in Bulgaria we love m0n0wall and many people use it for home
> > > routing purposes. Our internet is delivered by LAN cables (insane,
> > > isn't it?) and some of my smarter friends split the service to the
> > > neighbours. This is pretty cool because you have to pay 2-3 times less
> > > and believe me - Bulgaria isn't the cheapest place to live in ;)
> > >
> > > Ok, you would say - you put one m0n0wall router under your bed and pay
> > > 2 times less for internet (as well as your neighbours). What's the
> > > problem? Here comes the problem: Almost all ISPs in Bulgaria modify
> > > the TTL (time to live) value of all incoming packets to 1, so when
> > > they enter the m0n0wall router, it decrements the TTL to 0 and being
> > > zero, the packet gets dropped (and doesn't reach any of the computers
> > > in the local network).
> > >
> > > There is a very simple way to work around that. The FreeBSD kernel
> > > should be compiled with IPSTEALTH option enabled. This is absolutely
> > > harmless and does the following:
> > >
> > > When the kernel is compiled with this option, later you can set one
> > > sysctl variable to "1" (enabled), which will turn on the IPSTEALTH
> > > mode. In this mode the router "hides" itself, becomes untraceable with
> > > tracert and the most important thing is that it doesn't decrement the
> > > TTL, so the little trick played by most ISP becomes irrelevant.
> > >
> > > This is completely harmless to m0n0wall - it won't be enabled by
> > > default, nothing will change for the default install, but this
> > > functionality will be present for whoever need it! May be later a
> > > "checkbox" could be added in the webGUI for easier accessibility.
> > >
> > > I already run m0n0wall's FreeBSD IPSTEALTH enabled kernel and enabling
> > > IPSTEALTH in running m0n0wall is as easy as adding
> > >
> > > sysctl net.inet.ip.stealth=1
> > >
> > > just before
> > >
> > > 
> > >
> > > The whole procedure is explained by another smart Bulgarian on this
> > > page (Bulgarian language):
> > > http://hardwarebg.com/forum/showthread.php?t=76480&highlight=TTL
> > >
> > > So - this way the whole problem is solved and the day - saved ;)
> > >
> > > I ask for one simple thing - could you please enable IPSTEALTH in the
> > > next m0n0wall release, please! It's a great router/firewall - make it
> > > even better!
> > >
> >
> > # sysctl -a | grep stealth
> > net.inet.ip.stealth: 0
> > net.inet6.ip6.stealth: 0
> >
> > It's already compiled in.
> >
> > Have fun!
> >
> > Scott
> >
> 


RE: [pfSense-discussion] Multiple IP on WAN

2006-08-18 Thread Holger Bauer
You can add additional IPs at firewall>Virtual IP. After you have added them
there you can use them for NAT. Make sure you add appropriate firewall rules
for this additional traffic (let them be auto-created when using port
forwarding; it sets up the right rules for you).

Holger

> -Original Message-
> From: Robert Mortimer [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 18, 2006 10:55 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Multiple IP on WAN
> 
> 
> Try
> 
> Interfaces > Assign > VLAN
> 
> I think this is what you want
> 
> ---Robert
> 
> - Original Message - 
> From: "Chris Noble" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, August 18, 2006 7:27 PM
> Subject: [pfSense-discussion] Multiple IP on WAN
> 
> 
> > 
> > Hi there,
> > 
> > I have 8 ips with my isp and would like to use PPPoE on my
> > linksys router.. I can do this but for 1 ip.
> > 
> > Is there anywhere that I can set a local ip eg 10.0.0.1/8 and then
> > my isp ip range which is say 123.123.123.1/29. One IP is a dedicated
> > router IP and I would like that ip on the pfsense router. It can be
> > done manually if I ssh into the machine, but cannot find anywhere to
> > add another ip to the WAN interface.
> > 
> > I hope I explained it clearly.
> > 
> > Any ideas?
> > 
> > Many thanks,
> > Chris
> > 
> >
> 


RE: [pfSense-discussion] Problem with ipsec

2006-08-09 Thread Holger Bauer
It's the remote LAN that you want to reach through the tunnel at the other end.

Holger

> -Original Message-
> From: Carlos Julio Sánchez [ACC-SIS]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 09, 2006 11:57 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] Problem with ipsec
> 
> 
> If I don't have remote subnet but in the pfsense I must write something in
> the textbox REMOTE SUBNET in the configuration of ipsec vpn.
> 
> What do I have to write in?
> 
> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 09, 2006 4:31 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Problem with ipsec
> 
> On 8/9/06, Carlos Julio Sánchez [ACC-SIS]
> <[EMAIL PROTECTED]> wrote:
> >
> > Hello!
> >
> > anybody can help me please?
> >
> > I have an error when I set up vpn with ipsec, my computer A have pfsense
> > and my computer B have Centos(Linux)
> >
> > In the ipsec logs I have:
> >
> > racoon: ERROR: failed to get sainfo.
> > racoon: ERROR: failed to get sainfo.
> > racoon: ERROR: failed to pre-process packet.
> > racoon: INFO: purging ISAKMP-SA spi=00bc15f02e56a4a5:69e1cebf2efd8757.
> > racoon: INFO: purged ISAKMP-SA spi=00bc15f02e56a4a5:69e1cebf2efd8757.
> > racoon: INFO: ISAKMP-SA deleted xxx.xxx.xxx.xxx [500]- xxx.xxx.xxx.xxx [500] spi:00bc15f02e56a4a5:69e1cebf2efd8757
> >
> > in the logs of computer B I have:
> >
> > Aug  9 16:15:08 actibts1 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> > Aug  9 16:15:08 actibts1 racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-xxx.xxx.xxx.xxx[500] spi:00bc15f02e56a4a5:69e1cebf2efd8757
> > Aug  9 16:15:09 actibts1 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx [0]<=> xxx.xxx.xxx.xxx [0]
> > Aug  9 16:15:39 actibts1 racoon: INFO: IPsec-SA expired: AH/Transport xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx spi=35812955(0x222765b)
> > Aug  9 16:15:39 actibts1 racoon: WARNING: the expire message is received but the handler has not been established.
> > Aug  9 16:15:39 actibts1 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
> 
> Double check your phase 2 settings on both hosts.  There is a mismatch
> somewhere.
> 
> Scott
> 
> 
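
The triage behind the "phase 2 mismatch" answer in this thread, as an added example that is not part of the original messages: it reads the racoon lines quoted above (wrapped lines rejoined) from both peers and reports which phase completed and which side rejected the request. The event names, function names and result keys are this example's own.

```python
import re

# The racoon lines quoted in the thread, masked addresses left as posted.
PFSENSE_LOG = """\
racoon: ERROR: failed to get sainfo.
racoon: ERROR: failed to get sainfo.
racoon: ERROR: failed to pre-process packet.
racoon: INFO: purging ISAKMP-SA spi=00bc15f02e56a4a5:69e1cebf2efd8757.
racoon: INFO: purged ISAKMP-SA spi=00bc15f02e56a4a5:69e1cebf2efd8757.
"""

CENTOS_LOG = """\
Aug  9 16:15:08 actibts1 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Aug  9 16:15:08 actibts1 racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-xxx.xxx.xxx.xxx[500] spi:00bc15f02e56a4a5:69e1cebf2efd8757
Aug  9 16:15:09 actibts1 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx [0]<=> xxx.xxx.xxx.xxx [0]
Aug  9 16:15:39 actibts1 racoon: INFO: IPsec-SA expired: AH/Transport xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx spi=35812955(0x222765b)
Aug  9 16:15:39 actibts1 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
"""

LINE_RE = re.compile(r"racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
SA_KIND_RE = re.compile(r"IPsec-SA \w+: (?P<proto>\w+)/(?P<mode>\w+)")

# Message fragments as they appear in the quoted logs, mapped to an event name.
EVENTS = [
    ("ISAKMP-SA established", "phase1_up"),
    ("initiate new phase 2 negotiation", "phase2_start"),
    ("failed to get sainfo", "phase2_no_sainfo"),
    ("give up to get IPsec-SA", "phase2_timeout"),
    ("IPsec-SA established", "phase2_up"),
    ("purged ISAKMP-SA", "phase1_purged"),
]


def parse(log_text):
    """Return [(level, event), ...] for racoon lines that match a known fragment."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for fragment, event in EVENTS:
            if fragment in m.group("msg"):
                found.append((m.group("level"), event))
                break
    return found


def sa_kinds(log_text):
    """Protocol/mode pairs named in IPsec-SA lines, e.g. {('AH', 'Transport')}."""
    return {(m.group("proto"), m.group("mode")) for m in SA_KIND_RE.finditer(log_text)}


def diagnose(local_log, peer_log):
    """Combine both peers' logs into one finding."""
    local = {event for _, event in parse(local_log)}
    peer = {event for _, event in parse(peer_log)}
    seen = local | peer
    result = {
        "phase1_established": "phase1_up" in seen,
        "phase2_established": "phase2_up" in seen,
        # Worth comparing with the protocol and mode configured on the other end.
        "sa_kinds": sa_kinds(local_log) | sa_kinds(peer_log),
    }
    if not result["phase1_established"]:
        result["finding"] = "phase1"
    elif result["phase2_established"]:
        result["finding"] = "ok"
    elif "phase2_no_sainfo" in seen:
        # racoon logs this when no sainfo section fits the phase 2 request it received.
        result["finding"] = "phase2-mismatch"
        result["rejecting_side"] = "local" if "phase2_no_sainfo" in local else "peer"
    elif "phase2_timeout" in seen:
        result["finding"] = "phase2-timeout"
    else:
        result["finding"] = "unknown"
    return result


if __name__ == "__main__":
    print(diagnose(PFSENSE_LOG, CENTOS_LOG))
```

On these logs phase 1 completes (the CentOS side logs "ISAKMP-SA established") and the pfSense side is the one rejecting the phase 2 request, which is where to start comparing the phase 2 settings of both hosts.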


RE: [pfSense-discussion] Benchmarking

2006-07-27 Thread Holger Bauer
I usually use netio for benchmarking the factory defaults, with a netio
server sitting at WAN and a netio client at LAN connecting to it. A WRAP 266MHz
128MB benches at up to 32 mbit/s with the latest release, fyi.

Holger

-Original Message-
From: DarkFoon [mailto:[EMAIL PROTECTED]
Sent: Fri 28.07.2006 00:42
To: discussion@pfsense.com
Cc:
Subject: [pfSense-discussion] Benchmarking


 




RE: [pfSense-discussion] Multiwan and openvpn problems

2006-07-18 Thread Holger Bauer
You need a rule at LAN to exclude destination subnets behind the OpenVPN tunnel
from being balanced. Create a rule that uses the default gateway for this.

Holger

> -Original Message-
> From: Carlos Julio Sánchez [ACC-SIS]
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 18, 2006 4:28 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Multiwan and openvpn problems
> 
> 
>  Hello!
> 
> Anybody can help me!
> 
> When I set up the load balancer my openvpn crash down.  Why???
> 
> 
> 
> 





RE: [pfSense-discussion] load balancing - fail over

2006-06-27 Thread Holger Bauer
Use policy-based routing to send out VPN traffic only at one WAN. Haven't had
the issue with my dual WAN setup yet but try if this resolves the problem. Some
services are not very compatible with multiwan.

Holger

> -Original Message-
> From: Allen Laymon [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 27, 2006 7:10 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] load balancing - fail over
> 
> 
> I'm having an issue using load balancing/failover and using a Cisco VPN
> client to connect to a remote machine.  It's hit and miss whether or not the
> Cisco VPN client works.  It appears to go out one of my internet
> connections, but can return on the second internet connection?  I'm not sure
> how to resolve this.  Anyone have a similar instance?
> 
> Allen 
> -Original Message-
> From: Holger Bauer [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, June 27, 2006 8:06 AM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] load balancing - fail over
> 
> In case both WANs are available the connections will be distributed to the
> WANs round-robin. This way you can hit the full bandwidth of both WANs even
> with a single client as long as you use multiple connections (like with
> download managers for example or if you open a HTTP webpage with images from
> different sites).
> In case one of the WANs fails you'll end up with "(total bandwidth of all
> WANs) - (WANs that are down)" (You can have as many WANs in a pool as your
> hardware can handle). The monitor IPs of the WANs are polled every 5
> seconds, so downtime of a WAN is detected rather quickly.
> 
> Holger
> 
> -Original Message-
> From: Nelu Sofrone [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 27, 2006 2:36 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] load balancing - fail over
> 
> 
> Hi all!
> 
> 
> 
> I have a question about load balancing - fail over.
> 
> 
> 
> I have 2 Internet connections and I made some tests about fail over. I set
> the firewall rules with gateway on pooling interface and fail over worked
> ok. I don't understand how load balancing works.
> 
> My scenario is:
> 
> 2 Internet connection - work normally
> 
> 1 pool for Internet connections
> 
> The firewall's rules have the gateway on pool interface.
> 
> 
> 
> In this case, is my bandwidth of internet the sum of bandwidth of internets
> connection or is only one internet connection use and second internet
> connection is use only in case of fail the first internet connection?
> 
> 
> 
> Thank you.
> 
> 
> Nelu SOFRONE
> System Engineer
> Aker Braila SA 
> tel: +40 239 60 70 55
> 
>  
> 
> 
> 
> 
> 
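
A simplified model of the behaviour described in this thread (each new connection goes to the next WAN in the pool, a single connection stays on one WAN, a failed WAN drops out of the pool), added here as an illustration; it is not pfSense code, and the class, the addresses and the two-flow VPN session are assumptions made for the example. It shows one way a service that opens several flows to the same peer ends up leaving through both WANs, and how pinning that destination to one WAN keeps the flows together.

```python
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto")

VPN_SERVER = "198.51.100.20"   # constructed address for the remote VPN endpoint


class Balancer:
    """Per-connection round-robin over a WAN pool, with optional pinning rules."""

    def __init__(self, wans):
        self.wans = list(wans)
        self.up = {wan: True for wan in self.wans}   # what monitor-IP polling last reported
        self.states = {}                             # flow -> WAN chosen for it
        self.pins = []                               # (predicate, wan); first match wins
        self._cursor = 0

    def pin(self, predicate, wan):
        """Policy rule: flows matching predicate always use this WAN."""
        self.pins.append((predicate, wan))

    def mark(self, wan, is_up):
        self.up[wan] = is_up

    def _next_up_wan(self):
        for _ in self.wans:
            wan = self.wans[self._cursor % len(self.wans)]
            self._cursor += 1
            if self.up[wan]:
                return wan
        raise RuntimeError("no WAN in the pool is up")

    def route(self, flow):
        # An existing state keeps the connection on its WAN while that WAN is up.
        wan = self.states.get(flow)
        if wan is not None and self.up[wan]:
            return wan
        # Otherwise treat it as a new connection: pinning rules first, then the pool.
        for predicate, pinned in self.pins:
            if predicate(flow):
                wan = pinned
                break
        else:
            wan = self._next_up_wan()
        self.states[flow] = wan
        return wan


def spread(balancer, flows):
    """Count how many of the given flows each WAN carries."""
    return Counter(balancer.route(flow) for flow in flows)


def downloads(n, first_port=40000):
    """n parallel download connections from one LAN client (constructed addresses)."""
    return [Flow("192.168.1.50", first_port + i, "203.0.113.10", 80, "tcp")
            for i in range(n)]


def vpn_session():
    """Two flows of one VPN session to the same server (assumed for illustration)."""
    return [Flow("192.168.1.50", 500, VPN_SERVER, 500, "udp"),
            Flow("192.168.1.50", 4500, VPN_SERVER, 4500, "udp")]


def demo():
    lb = Balancer(["WAN", "OPT1"])
    ten_threads = dict(spread(lb, downloads(10)))

    plain = Balancer(["WAN", "OPT1"])
    vpn_balanced = [plain.route(f) for f in vpn_session()]

    pinned = Balancer(["WAN", "OPT1"])
    pinned.pin(lambda f: f.dst == VPN_SERVER, "WAN")
    vpn_pinned = [pinned.route(f) for f in vpn_session()]

    lb.mark("OPT1", False)   # monitor IP stopped answering
    after_failure = dict(spread(lb, downloads(4, first_port=50000)))
    return ten_threads, vpn_balanced, vpn_pinned, after_failure


if __name__ == "__main__":
    print(demo())
```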





RE: [pfSense-discussion] load balancing - fail over

2006-06-27 Thread Holger Bauer
In case both WANs are available the connections will be distributed to the WANs
round-robin. This way you can hit the full bandwidth of both WANs even with a
single client as long as you use multiple connections (like with
download managers for example or if you open a HTTP webpage with images from
different sites).
In case one of the WANs fails you'll end up with "(total bandwidth of all WANs)
- (WANs that are down)" (You can have as many WANs in a pool as your hardware
can handle). The monitor IPs of the WANs are polled every 5 seconds, so
downtime of a WAN is detected rather quickly.

Holger

-Original Message-
From: Nelu Sofrone [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 27, 2006 2:36 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] load balancing - fail over


Hi all!



I have a question about load balancing - fail over.



I have 2 Internet connections and I made some tests about fail over. I set
the firewall rules with gateway on pooling interface and fail over worked
ok. I don't understand how load balancing works.

My scenario is:

2 Internet connection - work normally

1 pool for Internet connections

The firewall's rules have the gateway on pool interface.



In this case, is my bandwidth of internet the sum of bandwidth of internets
connection or is only one internet connection use and second internet
connection is use only in case of fail the first internet connection?



Thank you.


Nelu SOFRONE
System Engineer
Aker Braila SA 
tel: +40 239 60 70 55

 





RE: [pfSense-discussion] Multi-wan downloading

2006-06-07 Thread Holger Bauer
Just view the real-time traffic graphs of both WAN interfaces. I have attached a
frame http page (assuming your 2nd WAN is OPT1 and your pfSense IP is
192.168.1.1, if that doesn't match just edit the file).

Holger

> -Original Message-
> From: Rudi Potgieter [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 07, 2006 12:33 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] Multi-wan downloading
> 
> 
> So what you saying is that it does support multi-wan downloading.  So if
> I have two 512 adsl lines connected and setup using the load balancer, I
> could in theory get download speeds of 1024 using a download manager.
> 
> Is there any way of seeing this work on pfSense ... Maybe a log or
> something.
> 
> Thanx
> 
> 
> -Original Message-
> From: Holger Bauer [mailto:[EMAIL PROTECTED] 
> Sent: 07 June 2006 12:27 PM
> To: discussion@pfsense.com
> Subject: [SPAM] - RE: [pfSense-discussion] Multi-wan downloading - Email
> found in subject
> 
> Each new connection will be thrown at the next WAN (round-robin). Only
> single connections are limited to use one WAN only.
> 
> Holger
> -Original Message-
> From: Rudi Potgieter [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 07, 2006 11:47 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Multi-wan downloading
> 
> 
> Hi
> 
> I was wondering if pfSense support multi-wan downloading when using the
> load balancer.  For example if I use a download manager like flashget
> and start up 10 download threads, will pfSense make all connections
> through 1 wan or split them between multiple wans?
> 
> Thanx
> 
> 

RE: [pfSense-discussion] Multi-wan downloading

2006-06-07 Thread Holger Bauer
Each new connection will be thrown at the next WAN (round-robin). Only single
connections are limited to use one WAN only.

Holger
-Original Message-
From: Rudi Potgieter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 07, 2006 11:47 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Multi-wan downloading


Hi

I was wondering if pfSense support multi-wan downloading when using the load 
balancer.  For example if I use a download manager like flashget
and start up 10 download threads, will pfSense make all connections through 1 
wan or split them between multiple wans?

Thanx





RE: [pfSense-discussion] packet A/V?

2006-06-06 Thread Holger Bauer
There are some interesting packages coming up providing antivir functions:

- clamav
- clamsmtp
- havp
- p3scan
- viralator

Most of them are not usable yet as they are under development but are making
progress. Check the package section in the webgui of your pfSense.

Holger

-Original Message-
From: DarkFoon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 11:20 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] packet A/V?


Is there anybody working on a package that does anti-vir scanning on incoming
internet packets? I get the impression that SonicWalls do it, and it'd be
killer if PfSense (because sonicWalls do not look cheap) www.sonicwall.com

I remember some time ago somebody was working on this with squid and squidclam, 
but I haven't heard anything about it since. Any progress? Or was it given up 
upon? (it does sound very difficult, indeed)





RE: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Holger Bauer
There are some limitations of pfSense 1.0 that maybe don't apply to your setup
(also just a quick shot from what comes to my mind at once):

- The ftp-helper will only work at WAN when using multiwan/load balancing
- load balancing only works for connections running through pfSense (services
that run at the firewall directly like the squid package can't use
load balancing or multiwan)
- NAT reflection only works for port ranges with less than 500 ports and not for
1:1 NATs
- not all services work well with load balancing. This however is NOT a pfSense
problem but poor protocol design or poor application code at the client side.
- you need static gateways to use the load balancing pool for outgoing
load balancing
- traffic shaping only works for 2 interfaces correctly (at least from what you
can do with the webgui)
- if you run CARP (which is something that you should consider for an install
of that size) each node needs a dedicated IP that can't be shared/handed over,
however they still can be forwarded or used on the single node.
- after CARP failover all already established connections will be in the
default queues
- IPSEC only will work with at least one static IP at one end
- Routing via IPSEC needs parallel tunnels to work
- shaping and filtering inside IPSEC tunnels doesn't work (however you can
filter traffic incoming at the end before the traffic goes into the tunnel if
you control both ends)
- you only can bridge wireless interfaces to another interface if the interface
is in hostap mode
- you only can have a bridge group with 2 interfaces
- traffic shaping won't work on a bridge
- captive portal can only be enabled at one interface
- DynDNS can only be used for the original WAN interface

Several of these limitations are already fixed in the head release or seem to
be fixable but need time to be implemented/tested. Keep in mind this is Version
1.0 and it's feature frozen for several months already while development to the
head code tree continued. We absolutely don't recommend to run HEAD atm and we
don't support it either just in case you want to ask why not run HEAD ;-)


Concerning Hardware:

- You should consider using some highend machines with a fast PCI bus as all 
traffic has to pass the bus and the CPU and you plan to run several IPSEC 
tunnels
- like Bill said, each state takes a bit of RAM. You should consider this when 
calculating your hardware

Holger

> -Original Message-
> From: Odette [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 06, 2006 4:20 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Known PFsense Limits?
> 
> 
> Hi all,
> 
>   I need to substitute our production firewall, and I'd like to use PFsense
> which I've already successfully used for home or small office environments.
> 
> The solution I'm going to substitute is based on Linux-iptables which requires
> more than 1000 rules. I need more than 25 static routes, and 5 VPNs.
> 
> Furthermore, in the next future we are migrating 2 of 3 network branches on
> Gbit.
> 
> I'd like to try with PFsense, but my boss (I'm sure) will kill me in the event
> I spend half a week in setting up the new PFsense and writing down all the
> rules to see that PFsense is not the right solution.
> 
> Is there a rules number limit or a session number limit implemented in
> PFsense?
> 
> Does somebody have some expertise in similar situations?
> 
> Anybody able to supply info or suggestions?
> 
> Thanks in advance
> 
>    Odette
> 





RE: [pfSense-discussion] FTP from LAN to WAN

2006-06-06 Thread Holger Bauer
There is a ftp proxy listening at LAN by default to help ftp connections.
Disable it at interfaces>lan (it's called ftp-helper). Then add a firewall rule
that blocks or rejects protocol tcp, source IP any, source port any, destination
IP any, destination port 21.

Holger

> -Original Message-
> From: Marcel Mutter [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 06, 2006 9:14 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] FTP from LAN to WAN
> 
> 
> I am using the 1.0 beta 4 version and I want to block outgoing FTP from
> the LAN to the WAN.
> 
> I don't succeed in blocking FTP and can anyone tell me why it is working
> for other protocols to be blocked and not the FTP protocol.
> 





RE: [pfSense-discussion] VPN howto?

2006-05-31 Thread Holger Bauer
If the pfSense doesn't show anything in the logs your pptp-client most likely 
doesn't get to the pfSense. In case you are using a dyndns-account check if it 
resolves to your real WAN IP. Also check status>systemlogs, firewall if there 
are blocks for the pptp traffic from the client (I doubt it if it's configured 
like you say but checking that won't hurt).

Last but not least, please provide even more info:
What's your LAN subnet and pfSense LAN IP?
What did you put into the pptp server fields in the webgui?
What kind of WAN connection do you have and what's your WAN IP (PPPoE, Static,
another Router in front of the pfSense, pfSense WAN is in a private subnet range
for some reason,...)?

Holger

> -Original Message-
> From: Terri Zahniser [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 31, 2006 6:23 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] VPN howto?
> 
> 
> The VPN is setup as follows:
> 
> - Enable PPTP server is selected
> - Server address and Remote address range fields are populated
> - WINS Server field is populated
> - Require 128-bit encryption is selected
> - There is a firewall rule allowing PPTP connections
> - Users have been created
> 
> When attempting to connect, the machine will just sit there trying to
> connect and then timeout. It does not get to an authentication stage.
> 
> On Wed, 2006-05-31 at 11:58 -0400, Chris Buechler wrote:
> > Terri Zahniser wrote:
> > > Thanks for the link. After reading it and setting up the PPTP VPN again
> > > I was still not able to get it to work.
> > 
> > 
> > Define "doesn't work".  With "doesn't work", the best we can offer is
> > "you configured it wrong".  With some details on what's going on, what
> > you have configured, what it's doing, not doing, etc. maybe someone can
> > offer specific suggestions.
> > 
> > 
> 
> 





RE: [pfSense-discussion] Manual Key VPN

2006-05-31 Thread Holger Bauer
http://doc.m0n0.ch/handbook/examplevpn-sonicwall.html

-Original Message-
From: John Bohman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 12:46 PM
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] Manual Key VPN


While I haven't yet attacked my VPN issue yet, I would love some direction in 
how you accomplished the sonicwall <--> pfsense VPN link ??
Thanks in advance...
John B.
 



From: sonythedog [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 31, 2006 3:52 AM
To: [EMAIL PROTECTED]
Subject: [pfSense-discussion] Manual Key VPN
 
Hi,

I am wondering if there is a way to configure manual key VPN with other ipsec 
firewall, specifically sonicwall.

I need to configure SPI, Encryption Method, Encryption Key, Authentication Key. 

I have already learned how to setup IKE between sonicwall and pfsense but due 
to compatibility reasons I need to support manual key ipsec..

Thanks 

Lawrence





RE: [pfSense-discussion] DNS server

2006-05-28 Thread Holger Bauer
Set the orsn dns servers at system>general and disable the "Allow DNS server 
list to be overridden by DHCP/PPP on WAN" checkbox. The internal clients will 
still use the pfSense as DNS as long as the dns forwarder is enabled but the 
forwarder will use the orsn servers. 

There is also a DNS field at services>dhcp where you can assign other DNS to 
the clients if needed.

Holger

> -Original Message-
> From: Fridtjof Busse [mailto:[EMAIL PROTECTED]
> Sent: Sunday, May 28, 2006 7:04 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] DNS server
> 
> 
> Hi
> Currently, my pfsense uses the DNS that it gets from my ISP.
> But I'd like to use a ORSN [1] (my ISP DNS is sometimes quite slow as
> well).
> But the webinterface tells me, that if I manually set the DNS server,
> it will also use that server for DHCP, which obviously won't work.
> Any workaround for this?
> 
> [1] http://www.orsn.de/
> -- 
> Fridtjof Busse
> 





RE: [pfSense-discussion] can pfsense support Auto Shutdown via UPS?

2006-05-23 Thread Holger Bauer
Unless someone writes a package no. There has been some discussion at the forum 
concerning that and someone promised to work on a package but it hasn't 
happened yet.

Holger
-Original Message-
From: My List Mail [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 23, 2006 3:21 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] can pfsense support Auto Shutdown via UPS?


HI

just a question
will pfsense be able to shutdown itself properly via UPS if electricity is out?


thanks

-- 

"mailing lists is my personal knowledgebase" 





RE: [pfSense-discussion] Dual WAN - Thank You!

2006-05-19 Thread Holger Bauer
It's linked at http://pfsense.com/index.php?id=36 (it's the last one in the
list).

Holger

-Original Message-
From: Craig FALCONER [mailto:[EMAIL PROTECTED]
Sent: Friday, May 19, 2006 4:48 AM
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] Dual WAN - Thank You!

Do you have a link to that howto please?

-- 
C. Falconer
http://www.avonside.school.nz/
http://criggie.dyndns.org/

-Original Message-
From: Allen Laymon [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 May 2006 12:25 a.m.
To: discussion@pfsense.com
Subject: [pfSense-discussion] Dual WAN - Thank You!

I just had to take an opportunity to let everyone know that Dual WAN does in
fact work.  I posted a discussion a couple of weeks ago and got a response from
Craig Roy who had developed a new ‘howto’ document.  I did have a few questions
concerning the document and contacted Craig Roy.  I have to say that I went to
a customer's site that was needing dual WAN and Craig stayed up till 4:30am to
work with me every step of the way to ensure I was successful.  Craig, you’re
the man.  And pfSense is a rocking project that I am starting to use more and
more because of its flexibility.  Thanks so much to everyone at pfSense and to
Craig Roy!

Allen



RE: [pfSense-discussion] CF-IDE install help

2006-05-16 Thread Holger Bauer
RRD graphs will be stored on scheduled reboots (if you trigger them by hitting 
either reboot from the webgui or shellmenu) even for embedded systems or 
systems that act like embeddeds.

Holger

> -Original Message-
> From: Craig FALCONER [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 16, 2006 11:36 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] CF-IDE install help
> 
> 
> Yes - it works fine.
> 
> However you will lose your RRD graphs at reboot, and to do a firmware
> update you need to change /etc/platform back to pfSense, then reboot, then
> upgrade, then reboot, then change /etc/platform back to embedded, then
> reboot.
> 
> Also while the machine is in the embedded state, you cannot install packages
> (however you can use already-installed packages)
> 
> Doing it this way means the VA console and PS/2 keyboard will work fine.
> You can enable a serial console too by editing /etc/ttys and changing off to
> on for the ttyd0 line.
> 
> 
> 
> -Original Message-
> From: Angelo Turetta [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, 17 May 2006 5:22 a.m.
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] CF-IDE install help
> 
> 
> Scott Ullrich wrote:
> 
> > On 5/16/06, Angelo Turetta <[EMAIL PROTECTED]> wrote:
> > 
> >> I think you have to change the 'platform' type to 'embedded' if you
> >> use a CF as boot media.  The 'pfsense' type is mounting the hard disk
> >> RW, and you risk burning your CF. I don't know if the embedded config
> >> can be run with a real VGA on a real PC, though.
> > 
> > 
> > Embedded images lack keyboard and VGA.   This is how we get around the
> > fact that the WRAP bios is brain-dead and crashes if they are present.
> 
> And what about the case in original post?
> He has installed the full version from CD-ROM to a CF (used as a hard
> disk). I'm confident that such a setup results in a platform setting of
> 'pfsense'. If I later change the platform to 'embedded', can I use it on
> a 'Real PC'? (for example, using an ATA-to-CF adapter). Of course I'll
> lose the package manager, but will the VGA work as usual?
> 
> Thanks,
> Angelo.
> 
> 





RE: [pfSense-discussion] Package projects, network monitoring

2006-05-02 Thread Holger Bauer
Check out http://pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/ (it's the place
where the packages live). Atm there is no real development information on the
package system and most of what can be found is outdated. Try the "reverse
engineering" approach by reviewing the source code of other packages. Also the
forum might help with some already answered questions:
http://forum.pfsense.org/index.php?board=32.0 .

Good luck and submit if you get anything done! ;-)

Holger


> -Original Message-
> From: Aaron Stone [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 02, 2006 11:00 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Package projects, network monitoring
> 
> 
> Feedback would be most graciously appreciated. According to this page on
> the wiki: http://wiki.pfsense.com/wikka.php?wakka=ExtensionsSystem
> 
> Well, there's not much according to that page :-| Some pointers on where
> to start digging into the pfSense package build process would help.
> 
> On Sun, 2006-04-30 at 22:53 -0700, Aaron Stone wrote:
> > Hi,
> > 
> > I am working on the remote nodes of a network monitoring project, and
> > looking into some of the highly self-contained systems out there such as
> > m0n0wall, pfSense, and a few generic "here's how to highly embed
> > FreeBSD" project pages.
> > 
> > I'm just now digging into pfSense, because of its package system, and
> > please forgive me for speaking before digging into the code, but I'd
> > like to feel out the possibility of whether or not pfSense will
> > accommodate my applications before blowing too much time shoehorning
> > them into the system.
> > 
> > I'd like to build packages for SmokePing, NetDisco,  AMP and ourmon --
> > http://oss.oetiker.ch/smokeping/
> > http://netdisco.org/
> > http://amp.nlanr.net/
> > http://ourmon.sourceforge.net/
> > 
> > Since I'm on a 128MB flash drive, I'm curious if there's been any work
> > on write-leveling, or if most people find that it's not an issue,
> > or... ???  For sure I'll need to transfer data back to some master
> > server for long term storage; I assume that will be a simple cron job
> > (uh, is there cron?)
> > 
> > Also, are there any projects that you might be looking for someone to
> > dig into? I'm putting together a Summer of Code application regarding
> > the network monitoring tools above, and if there's something I can work
> > on along the way, I'm all ears!
> > 
> > Thanks,
> > Aaron
> > 
> 
> 





RE: [pfSense-discussion] Dual WAN

2006-05-01 Thread Holger Bauer
It should be possible. Just use the advanced outbound NAT with your carp
IPs (create NATs for all your WANs).

Holger

> -Original Message-
> From: Ispanovits Imre [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 01, 2006 7:20 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Dual WAN
> 
> 
> On Mon, 1 May 2006 18:05:43 +0200
> "Holger Bauer" <[EMAIL PROTECTED]> wrote:
> 
> > I have updated the wiki a little bit. Hope it's less confusing now:
> > http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
> > 
> > Holger
> > 
> Hi,
> 
> I have one more question.
> Is it possible to set up a dual wan load balanced configuration
> combined with CARP fail over cluster?
> Does anybody have a working configuration of such kind?
> 
> Best regards
> Imre
> -- 
> This is Linux Land.
> In silent nights you can hear the windows machines rebooting
> 





RE: [pfSense-discussion] Dual WAN

2006-05-01 Thread Holger Bauer
I have updated the wiki a little bit. Hope it's less confusing now:
http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing

Holger

> -Original Message-
> From: Ispanovits Imre [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 01, 2006 1:38 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Dual WAN
> 
> 
> On Sun, 30 Apr 2006 23:07:22 +0200
> "Holger Bauer" <[EMAIL PROTECTED]> wrote:
> 
> > We have several reports about loadbalancer/multiwan/policybased routing
> > usage. You can find a short howto at the wiki:
> > http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
> > 
> > Holger
> > 
> Hi Holger,
> 
> Sorry, but in the above mentioned wiki I don't understand this line:
> "7. in the IP box type in the lan IP address of the router"
> The "lan" IP? not the wan?
> 
> Best regards
> Imre
> 
> 
> -- 
> This is Linux Land.
> In silent nights you can hear the windows machines rebooting
> 





RE: [pfSense-discussion] Dual WAN

2006-05-01 Thread Holger Bauer
Thank you for doing the tutorial. I'll review it shortly. This was just my
first sighting of it but that might have been due to a mail server crash that
took me offline for some days. The wiki steps actually do work given that you
have static IPs at your gateways. It doesn't cover transforming dynamic ADSL to 
"fake" statics which might be a problem in some cases. However I know several 
people using it successfully with this "fake" static setup. This link might be 
helpful too: http://www.netlife.co.za/content/view/34/34/ though you don't need 
the advanced outbound NAT part (pfSense adds the needed outbound NATs behind 
the scenes if an interface has a gateway set). It also adds some routes behind 
the scenes to send out the monitoring IPs over the correct link. However, you 
might have to set some routes to your dns servers to make them work when one of 
the WANs fail. This is covered on the forum 
http://forum.pfsense.org/index.php?topic=756.msg5114#msg5114 .

Holger

> -Original Message-
> From: Craig Roy [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 01, 2006 4:50 AM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] Dual WAN
> 
> 
> Hi Allen,
> 
> Please find attached a copy of the tutorial. Please let me know if it
> was of assistance for you, as if I need to make any changes to the
> doc, then I have some additional feedback.
> 
> Thanks.
> 
> Kindest Regards,
>  
> Craig Roy
> Horizon IT Consultants
> [EMAIL PROTECTED]
>  
> AUSTRALIAN RESELLER
>  FOR
> 
> -Original Message-
> From: Alex Neuman van der Hans [mailto:[EMAIL PROTECTED] 
> Sent: Monday, 1 May 2006 11:59 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Dual WAN
> 
> I'd love a copy... :) Thanks!
> 
> Craig Roy wrote:
> > Hi Allen,
> >
> > I currently have DUAL WAN with Failover working and working well. I
> > did not use the wiki as it did not work as a setup config for me. I
> > basically only know about 3 or 4 others who have successfully set
> > this up.
> >
> > The reason why I say that the wiki does not work is because the wiki
> > was done prior to anyone actually successfully configuring a Dual Wan
> > PFSense Box. No offence intended to those who dev PFSense.
> >
> > I have spoken directly to one other person who has successfully
> > configured Dual Wan also who found that the wiki did not work for him
> > as well.
> >
> > I do have a tutorial that I have done that gives detailed setup help.
> > I submitted it to the PFSense team for approval and/or editing before
> > final submission. That was 3 weeks ago and I have not heard back as
> > yet to their decision. I have seen however a link now that goes to
> > another website on PFSense.com that gives a basic overview of a Dual
> > Wan PFSense box, but they spend more time talking about Hardware than
> > actually setting it up.
> >
> > I am willing to send a copy of the tutorial that I did, if you would
> > like it, but ***PLEASE BE AWARE*** that it has not yet been approved
> > by the PFSense team. The tutorial is for Outbound Dual Wan with
> > Failover, which is Internet access for LAN users.
> >
> > Kindest Regards,
> >  
> > Craig Roy
> > Horizon IT Consultants
> > [EMAIL PROTECTED]
> >  
> > AUSTRALIAN RESELLER
> >  FOR
> >
> > -Original Message-
> > From: Allen Laymon [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, 1 May 2006 6:55 AM
> > To: discussion@pfsense.com
> > Subject: [pfSense-discussion] Dual WAN
> >
> > Has anyone successfully got pfSense to work with Dual WAN?  I am
> > trying to implement the pfSense box with ISP failover using Cable
> > broadband and DSL broadband internet connections.  If anyone has a
> > howto or any other documentation, I would very much appreciate any
> > assistance.
> >
> > allen
> >
> >   
> 
>   
> 





RE: [pfSense-discussion] Dual WAN

2006-04-30 Thread Holger Bauer
We have several reports about loadbalancer/multiwan/policybased routing usage. 
You can find a short howto at the wiki:
http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing

Holger

> -Original Message-
> From: Allen Laymon [mailto:[EMAIL PROTECTED]
> Sent: Sunday, April 30, 2006 10:55 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Dual WAN
> 
> 
> Has anyone successfully got pfSense to work with Dual WAN?  I am
> trying to implement the pfSense box with ISP failover using Cable
> broadband and DSL broadband internet connections.  If anyone has a
> howto or any other documentation, I would very much appreciate any
> assistance.
> 
> allen
> 





[pfSense-discussion] pfSense Beta3 available!

2006-04-17 Thread Holger Bauer
Hi community,

We just got some reports that Beta3 was spotted at the mirrors! Get it while
it's hot and check http://pfsense.blogspot.com/2006/04/beta-3-is-here.html for
release info.

Cheers,
Holger





RE: [pfSense-discussion] Bridge wired <-> Wifi. ! use HostAP

2006-04-07 Thread Holger Bauer
Sorry, I'm not sure what you are asking for. Can you try to rephrase?

Holger

> -Original Message-
> From: William Armstrong [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 07, 2006 1:32 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Bridge wired <-> Wifi. ! use HostAP
> 
> 
> Is possible configure a Wired and Wifi in Bridge mode on
> infrastructure mode not a Access Point on Wifi NIC
> 
> 
> --
> -=-=-=-=-=-=-=-=-=-
> William David Armstrong
> Bio Systems Security.Networking
> Hinodeinfo Soluções em Informática
> ICQ 27550645
> MSN / GT ? biosystems ? gmail . com ?
> --
> <. Of course it runs
> <|
> <' NetBSD, OpenBSD or FreeBSD
> --
> 





RE: [pfSense-discussion] Manual synchronization

2006-04-07 Thread Holger Bauer
Just remove the sync to IP at your CARP settings before changing things at node1
if you are unsure and enable it again after you are sure your configuration of
node 1 is ok. This way you can just power down node 1 if you have badly
misconfigured/totally destroyed it and the node 2 will take over with the old
configuration. Syncing should be (and stay) automatic imo.
 
Holger

> -Original Message-
> From: Amorim, Nuno Alexandre (ext) [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 07, 2006 12:43 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Manual synchronization
> 
> I've made an error while creating a rule that made me lose web
> connection to the node 1 of the firewall. Then, because of the
> automatic sync, I lost the connection to node 2. :)
> 
> So, I think that one could choose if the sync is manual or automatic.
> Create some rules on one node, test them, and if they work, sync to
> the other node. This could be done by a "Sync now" event.
> 
> What do you think?




RE: [pfSense-discussion] Nokia IP330

2006-04-05 Thread Holger Bauer
http://forum.pfsense.org/index.php?topic=603.0

> -Original Message-
> From: Craig FALCONER [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 05, 2006 11:40 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] Nokia IP330
> 
> 
> Give me a couple days and I'll be able to tell you :)
> 
> 
> -Original Message-
> From: Chris Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, 6 April 2006 9:34 a.m.
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Nokia IP330
> 
> 
> Craig FALCONER wrote:
> > Anyone in New Zealand want to acquire some Nokia IP 330 boxes?
> >
> >   
> 
> anyone know if the 330's run pfsense (or anything FreeBSD 5.x or
> 6.x?)
> 
> The IP1xx's kernel panic at boot with 5.x or 6.x. 
> 
> 





RE: [pfSense-discussion] RRD graphs

2006-03-29 Thread Holger Bauer
Thanks go to Seth Mos alias databeestje for that feature :-)

> -Original Message-
> From: Randy B [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 30, 2006 1:39 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] RRD graphs
> 
> 
> I like! I like!
> 
> Never knew how much I liked historical graphs on my firewall until I
> saw these; it makes sense, since I stare at a 40" plasma running
> ArcSight all day.  Bravo!
> 
> I know there's a thread somewhere that Scott names the author, but I'm
> too lazy to go pick it out.  Kudos!
> 
> 
> RB
> 





RE: [pfSense-discussion] Embedded hardware

2006-03-14 Thread Holger Bauer
Everything depends on needs... and probably the price. The switch card I have in
my router was only 30 euros (not ebay or something, regular price). We all can
only give suggestions. I didn't say your option is bad either but I guess more
expensive.

Holger

> -Original Message-
> From: Jim Thompson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 14, 2006 11:17 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Embedded hardware
> 
> 
> 
> Understood, but a 1GHz c3 (on the box I showed) is a bit more CPU than
> the 233/266MHz Geode on the Soekris & WRAP boards.
> 
> You'll probably get something approaching similar performance with
> either solution.   I don't know if you've got the software written to
> control VLAN framing, packet filtering, etc with the 4-port switch card
> or not.  If not, then pfSense is going to see this as a single Ethernet
> port, and all the traffic that stays "on" the switch will be invisible
> to pfSense.
> 
> By bridging multiple NICs together, you can gain visibility (and
> control) of all the traffic that passes through the box.
> 
>  I'm not saying that the 4-port switch card is "bad", or that bridging
> multiple NICs together is "better".  Each application is different.
> 
> I think a variant of pfSense that supported the 8 port GigE switch card
> that I pointed to would be really cool.
> 
> Holger Bauer wrote:
> 
> >If you bridge NICs and create a switch this way your throughput will
> >be limited by the bus and the CPU. If you use a switch card like I
> >suggested the switch will take care of the network traffic between
> >these ports. I get 90 mbit/s with this card between the switch ports
> >though the firewall itself is only driven by a Pentium 233MMX. Of
> >course, traffic going to other interfaces will be limited by CPU speed
> >and bus capacity. The card that I suggested has 5 autouplink ports. So
> >if a soekris 4801 is fast enough for your needs and you only want to
> >have the switch integrated this is an option to consider.
> >
> >Holger
> >
> >  
> >
> >>-Original Message-
> >>From: Jim Thompson [mailto:[EMAIL PROTECTED]
> >>Sent: Tuesday, March 14, 2006 10:57 PM
> >>To: discussion@pfsense.com
> >>Subject: Re: [pfSense-discussion] Embedded hardware
> >>
> >>
> >>Holger Bauer wrote:
> >>
> >>>Sorry, the link is in German but you should get the facts:
> >>>http://www.level-one.de/products3.php?sklop=14&id=520056
> >>>it's a NIC with integrated 5 port switch. If you use a soekris 4801
> >>>you could add such a card to the PCI slot. I use a similar card with
> >>>one of my routers ( http://routerdesign.com/routers/36/pic02.jpg ,
> >>>http://routerdesign.com/routers/36/pic04.jpg ).
> >>>
> >>>Holger
> >>>
> >>OK, my error.
> >>
> >>here is something similar (if not identical, I can't tell if it has
> >>the Kendin chip on it or not): http://www.outletpc.com/c3442.html
> >>
> >>But you could still potentially bridge the 5 (or 6) individual
> >>interfaces in pfSense, and get something fairly 'switch like', too.
> >>No?
> >>
> >>Also, using the card you describe, the forwarding rate is going to be
> >>limited when the packets have to pass through over the PCI bus.
> >>
> >>This is more interesting (especially in light of the recent
> >>discussions):
> >>http://www.dssnetworks.com/v3/gigabit_pcie_6468.asp
> 
> 





RE: [pfSense-discussion] Embedded hardware

2006-03-14 Thread Holger Bauer
If you bridge NICs and create a switch this way your throughput will be limited
by the bus and the CPU. If you use a switch card like I suggested the switch
will take care of the network traffic between these ports. I get 90 mbit/s with
this card between the switch ports though the firewall itself is only driven by
a Pentium 233MMX. Of course, traffic going to other interfaces will be limited
by CPU speed and bus capacity. The card that I suggested has 5 autouplink
ports. So if a soekris 4801 is fast enough for your needs and you only want to
have the switch integrated this is an option to consider.

Holger

> -Original Message-
> From: Jim Thompson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 14, 2006 10:57 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Embedded hardware
> 
> 
> Holger Bauer wrote:
> 
> >Sorry, the link is in German but you should get the facts:
> >http://www.level-one.de/products3.php?sklop=14&id=520056
> >it's a NIC with integrated 5 port switch. If you use a soekris 4801
> >you could add such a card to the PCI slot. I use a similar card with
> >one of my routers ( http://routerdesign.com/routers/36/pic02.jpg ,
> >http://routerdesign.com/routers/36/pic04.jpg ).
> >
> >Holger
> >  
> >
> OK, my error.
> 
> here is something similar (if not identical, I can't tell if it has
> the Kendin chip on it or not): http://www.outletpc.com/c3442.html
> 
> But you could still potentially bridge the 5 (or 6) individual
> interfaces in pfSense, and get something fairly 'switch like', too.
> No?
> 
> Also, using the card you describe, the forwarding rate is going to be
> limited when the packets have to pass through over the PCI bus.
> 
> This is more interesting (especially in light of the recent
> discussions):
> http://www.dssnetworks.com/v3/gigabit_pcie_6468.asp
> 
> 
> 
> 
> 
> 





RE: [pfSense-discussion] Embedded hardware

2006-03-14 Thread Holger Bauer
Sorry, the link is in German but you should get the facts:
http://www.level-one.de/products3.php?sklop=14&id=520056
it's a NIC with integrated 5 port switch. If you use a soekris 4801 you could
add such a card to the PCI slot. I use a similar card with one of my routers (
http://routerdesign.com/routers/36/pic02.jpg ,
http://routerdesign.com/routers/36/pic04.jpg ).

Holger

> -Original Message-
> From: news [mailto:[EMAIL PROTECTED] Behalf Of Gil Freund
> Sent: Tuesday, March 14, 2006 9:31 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Embedded hardware
> 
> 
> Hi,
> 
> I had a look at the Checkpoint [EMAIL PROTECTED] device and I am looking
> for a similar platform for pfsense. I currently use Wraps, but I am
> looking for something with more interfaces (5 or 6, of which 4 are a
> lan switch) and one or (preferably) two MiniPCI.
> Soekris has a similar model but the PCI quadport lacks MDI/X auto
> sensing.
> I can add a small 5 port switch, but this would require an additional
> power outlet and would not look nice.
> 
> This is to avoid getting the Checkpoint which are being considered as
> a VPN gateway for executives at home.
> 
> Thanks
> 
> Gil
> 
> 





RE: [pfSense-discussion] pfSense merge with freebsd?

2006-03-09 Thread Holger Bauer
I doubt that a bios flash will make that drive usable at that old machine. And
for these utilities... I don't like them too much. I have used such a utility a
very long time ago to bypass bios limitations. It actually went in the
boot sector to get loaded before anything else (like the old evil
master boot record viruses ;-). It worked fine for some time until I needed to
reinstall my OS as it was broken. The OS replaced the tool in the boot record
and all my data stored at all partitions was gone with that. There was no way
to reinstall the tool without doing a full preparation of the disk again
wiping everything that existed there. In business environments things like
these are really the worst ideas one can come up with.

However I might have a solution for you to try. First find out what the max
size limit is that box is natively supporting for hdds. Then get a bunch of
these and run them with http://www.freenas.org/ . You even can build RAIDs with
this (stripes and mirrors should be supported afaik), however I haven't tried
it out personally. Just a suggestion.

Holger

> -Original Message-
> From: DarkFoon [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 10, 2006 6:24 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] pfSense merge with freebsd?
> 
> 
> > The "god box" is always a bad idea.
> 
> Yeah, I told him the "God Box" idea was a bad one. Figured I should
> look into it anyways. Right now his pfSense box is a Dell pentium III
> 866Mhz (same as the box I'm using right now to make this email) with
> 256Mb SD-100 ram and 5 added in Nics (plus the integrated, for a total
> of 6). I had a similar box running a SAMBA domain server and it was
> alright, so I thought I'd try to combine the two. But I digress. The
> God Box is out. Got that.
> 
> As a matter of fact (this is probably a generic BSD question) he wants
> me to do the impossible again: He has an old K6-2 box laying around and
> he wants me to put in a 300GB seagate drive to do a network back up to.
> I told him the tech is too old to support 300GB (it's ATA/UDMA66 or
> whatever; too many titles for the same thing)
> But he read some tidbit on Seagate's site that a mobo BIOS flash or
> using the seagate software will make it so the drive can be used, and
> apparently that means I can do it (completely ignoring the fact that
> the hardware came years before even 100 GB drives) and I'm a slacker
> for not making it happen.
> So the question is, if I jumper the drive to limit it to 32GB so the
> darn computer will actually boot (the BIOS freezes detecting the
> drive), can I get FreeBSD to recognize all 300GB? I probably should
> check the FreeBSD man pages, but being as ill as I am right now, I feel
> like asking you guys first (ya'll seem nice enough ;) )
> 
> thanks for the help!
> Anthony
> (stupid flu!)
> 
> - Original Message - 
> From: "Andrew Burnette" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, March 09, 2006 6:49 PM
> Subject: Re: [pfSense-discussion] pfSense merge with freebsd?
> 
> 
> > DarkFoon wrote:
> > > I am curious if it is possible to "merge"-for want of a better
> > > word-pfSense with a FreeBSD install. Why? Well, I have a client who
> > > wants to integrate everything into 1 box if possible. I told him
> > > it's not possible, but I wouldn't be doing my job if I didn't check
> > > to see if I am wrong.
> >
> > You could of course snag the pf rules out of a pfsense box and put in
> > a *bsd box if absolutely required.
> >
> > The "god box" is always a bad idea. Generally does everything poorly
> > (think of what a fantastic pair of scissors are included in a swiss
> > army knife).  I have very very large clients that think the same of
> > optical long haul gear, routers, and switches and how they all belong
> > in one box. Invariably, they get burned by lousy functionality and
> > cost overruns. (yes, think US DoD...)
> >
> > boxen sufficient for a pfsense firewall are $100 or so from many
> > sources (I paid $109 on ebay for the first one, then $100 for a rack
> > mount job that fit in my cabinet better).  Same size/capacity box
> > should do for an SMB server (sans Big Fantastic Disks of course).
> >
> > if that's too much $$, then the client likely can't afford you ;-)
> > But, isn't that what they pay you for in the first place?
> >
> > Good luck,
> > andy
> >
> >
> >
> >
> >
> 
> 





RE: [pfSense-discussion] Small suggestion

2006-03-06 Thread Holger Bauer
The question is rather "where" you hover over the interface name...

> -Original Message-
> From: Matthew Lenz [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 06, 2006 9:44 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Small suggestion
> 
> 
> could probably do it with a tool tip.  think that's provided by some
> standard html tag if I remember right.  something with alt text or
> something.
> 
> On Sun, 2006-03-05 at 10:04 -0600, Bill Marquette wrote:
> > On 3/5/06, Lawrence Farr <[EMAIL PROTECTED]> wrote:
> > > How about having the ip's pop up if you hover over the
> > > interface name?
> > 
> > Where?  Care to do a mockup of what you are envisioning?  Thanks
> > 
> > --Bill
> 
> 





RE: [pfSense-discussion] Synchronization scenario

2006-03-06 Thread Holger Bauer
If you expect that the master is down for some time you can switch
master/backup role simply by deleting the sync to IP at the old master and add
one to the old slave with the same options. However, you should edit the
advskews of the old slave too then.

Holger

> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 06, 2006 9:12 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Synchronization scenario
> 
> 
> No, it's not smart enough to do that.
> 
> If you lose a master node, it's in your best interest to get it back
> up and running ASAP as it is the master of the configuration.
> 
> Furthermore, if you tell a slave to sync back to the master you will
> end up in a never ending sync loop.
> 
> On 3/6/06, Amorim, Nuno Alexandre (ext) 
> <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> > Does the synchronization work both ways? From master to slave and
> > slave to master?
> >
> > The scenario I'm thinking is the master goes down, and one changes
> > some rules on the slave node. When the master comes up, slave sends
> > the new configuration.
> 





RE: [pfSense-discussion] Wierd display problem in IE

2006-03-05 Thread Holger Bauer
No problem here. Check your font size settings of the browser. You probably have
modified them.

Holger

-Original Message-
From: DarkFoon [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 05, 2006 10:19 AM
To: discussion@pfsense.com
Subject: [pfSense-discussion] Wierd display problem in IE


I probably should have posted this bug before the beta2 release. but oops on my 
part. (sorry!)

In IE all the pfsense text is way too small (like 6 font or smaller) using the 
pfsense-pulldown "skin".

I have a screenshot, but I don't know how to show it to ya guys.
do I send it as an attachment?





RE: [pfSense-discussion] embedded upgrades

2006-03-05 Thread Holger Bauer
Yes, embedded versions will be upgradeable too with the final 1.0 version.

Holger

> -Original Message-
> From: Anders D. Hansen [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 05, 2006 11:34 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] embedded upgrades
> 
> 
> On Mar 5, 2006, at 00:53 , Holger Bauer wrote:
> 
> > You can do this with the non embedded version. Download the
> > Full-Upgrade-File and feed it at system>firmware to the manual tab.
> > For embeddeds you have to reflash atm.
> >
> > Holger
> >>
> >> Q: as with m0n0wall, is there any way to do in-place upgrades ?
> >>
> >
> 
> Just a quick question - Is it a planned feature for 1.0 to be able to
> upgrade embedded system(Soekris) like the non-embedded ones?
> Thank you.
> 
>   ~Anders
> 
> 





RE: [pfSense-discussion] pfSense Beta 2 released!

2006-03-04 Thread Holger Bauer
You can do this with the non embedded version. Download the Full-Upgrade-File
and feed it at system>firmware to the manual tab. For embeddeds you have to
reflash atm.

Holger

> -Original Message-
> From: John Bohman [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 05, 2006 12:52 AM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] pfSense Beta 2 released!
> 
> 
> Q: as with m0n0wall, is there any way to do in-place upgrades ?
> 
> 
> -Original Message-
> From: Chris Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Friday, March 03, 2006 10:42 AM
> To: [EMAIL PROTECTED]; support@pfsense.com; discussion@pfsense.com
> Subject: [pfSense-discussion] pfSense Beta 2 released!
> 
> pfSense Beta 2 was released to the mirrors last night, and is currently
> available for download.  Scott will be posting the change log and other
> related information on the release on our blog some time today.  He
> tried last night, but blogger was down.  Please watch
> http://pfsense.blogspot.com for updates, and in the mean time you can
> grab the beta 2 downloads from your favorite mirror.
> 
> have fun,
> -Chris
> 
> 
> 
> 
> 





RE: [pfSense-discussion] PANIC! problems with OPTx interfaces

2006-03-04 Thread Holger Bauer
If you want to use the uplink ports you need crossover cables between them and
the pfsense. An uplink port basically is just a "normal" switch port with
crossed RX/TX.
The problem you encountered can be described as "ear to ear and mouth to mouth"
problem. In order to communicate you have to get your devices talking "mouth to
ear" and "ear to mouth".
Most older Soho hardware routers have switch ports so you can plug them to an
uplink port. Your pfSense is a "client computer" that now does
routing/firewalling and you can't connect a client computer to the uplink with a
straight cable.
However, depending on the device (thinking of embedded systems) you are running
pfSense on you still might be able to use an uplink switch port and most newer
switches do autodiscovery anyway and do the crossing if needed like Bill
already said.
Conclusion: always be prepared that you might need a crossover cable. Most of
"link doesn't go up" issues are cable related.

(I just wanted to get this explained a bit more as I have seen this problem
several times, especially with the wrap where people tried to connect a client
with a straight cable directly to one of the ports as they had some kind of
soho router before)

Holger

> -Original Message-
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Saturday, March 04, 2006 7:07 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] PANIC! problems with OPTx interfaces
> 
> 
> So called "uplink" ports are meant to plug a switch into another
> switch, not a router.  Some newer switches also do cable autosense and
> will cross the RX/TX pairs if needed (your Linksys probably does
> this).
> 
> --Bill
> 
> On 3/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Well, I have seemed to have fixed it, but the solution makes no sense
> > to me. Perhaps it will make more sense to those of you with more
> > networking knowledge than I.
> >
> > All of the cables leaving the PfSense box went to switches. The one
> > hooked up to the LAN had the cable plug into a regular port on the
> > LAN switch, all the others were plugged into the "uplink" port on
> > those switches.
> >
> > So, when I moved all of the cables from the "uplink" port on the
> > switches, to a regular port on those switches, all of a sudden things
> > worked just fine.
> >
> > Why? I thought the purpose of the uplink was to connect to a higher
> > "switch" (in this case, the PfSense box a.k.a router). The former
> > router (a commercial speedstream that the pfsense box replaces)
> > worked just fine with all the switches hooked up with the uplink
> > port. Heck, even my pfsense box at home worked just fine with my
> > linksys switch using the uplink port.
> > what is with this ambiguity?!
> >
> > Anyways, thanks to you all for help. I'm sorry if I may have caused
> > any problems.
> > If anybody knows why what I did works (why the uplink port seems to
> > be a curse/miracle) please explain, I would love to know. And
> > besides, if somebody ever has the same problem, and they search the
> > mailing lists, they'll find the answer.
> > Thanks again!
> > Anthony
> >
> >
> >  -- Original message --
> > From: "Bill Marquette" <[EMAIL PROTECTED]>
> > > So let me get this straight.
> > >
> > > The cable that's plugged into the LAN nic if unplugged from LAN and
> > > plugged into each of the OPT nics works?  Sounds like a switch or
> > > cable issue.  Have you tried the reverse?  Plug the cables that are
> > > in the non-working OPT interfaces into the known working interface
> > > (LAN)?  And for that matter, plugging the known working cable and
> > > the known working interface into the switch ports that you are
> > > trying to plug the OPT interfaces in?
> > >
> > > --Bill
> > >
> > > On 3/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > > nope, doesn't fix it. Just upgraded. Still as broke as it was an
> > > > hour ago.
> > > > The system is a Dell Optiplex (I can't find the model number at
> > > > this time) It has a Pentium 3 and a 10 GB harddrive, if that helps
> > > > at all.
> > > >
> > > >
> > > >  -- Original message --
> > > > From: "Scott Ullrich" <[EMAIL PROTECTED]>
> > > > > On 3/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > > > [snip]
> > > > > > I'm using Beta 1 right now, because I don't think that
> > > > > > upgrading to Beta2 would fix this.
> > > > >
> > > > > Upgrade.  There was only 91+ fixes between beta1 and beta2 and
> > > > > countless FreeBSD fixes.
> > > > >
> > > > > Scott
> > > >
> > > >
> >
> >
> 





RE: [pfSense-discussion] Configuration /restore /portability

2006-02-23 Thread Holger Bauer
Uploading a m0n0 config works for the parts that are identical. It will do its
best to import the config but due to some things being completely different
some parts will be skipped (like traffic shaper).
For the wrap board you can use the embedded image version. I suggest using the
latest snapshot from
http://pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/pfSense.img.gz
. The procedure to get it on your wrap is the same as for m0n0. For more help
see http://doc.pfsense.org/index.php/Chapter_3:_Installing_pfSense#Embedded or
the tutorial at http://pfsense.com/index.php?id=36 .

Holger

> -Original Message-
> From: John Bohman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 23, 2006 3:54 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Configuration /restore /portability
> 
> 
> Just found pfsense and have a real quick question..
> I'm running a wrap board with monowall 1.2b7
> And see they are very similar..
> The question: can I backup my current monowall setup and restore it to
> a pfSense install ??
> 
> Also where would I locate a CF image for my wrap board..
> Thanks in advance
> 
> 
> 





RE: [pfSense-discussion] download cvs

2006-02-08 Thread Holger Bauer
http://pfsense.com/cvs.tgz (updated every 30 minutes)

> -Original Message-
> From: Rajkumar S [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 08, 2006 10:27 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] download cvs
> 
> 
> Gregory Machin wrote:
> > hi
> > Is it possible to download the pfsense repository ?
> > If so how do I do this.
> 
> Use the following sup file to get it via cvsup
> 
> # cat pfsense-supfile
> *default host=cvs.pfsense.com
> *default base=/home/pfsense/cvsroot
> *default release=cvs
> *default delete use-rel-suffix
> pfSense
> *default compress
> 
> This is the exact command if you are not familiar with it.
> 
> # cvsup -g -L 2 pfsense-supfile
> 
> Now checkout the CVS:
> 
> # cvs -d /home/pfsense/cvsroot co pfSense
> 
> raj
> 





RE: [pfSense-discussion] Benchmarks (was Re: Clients... ugh)

2006-02-06 Thread Holger Bauer
I got 15mbit/s with my ath card going to wan. That benchmark was with a lot 
older version though.

Holger

> -Original Message-
> From: Chris Buechler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 07, 2006 12:04 AM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Benchmarks (was Re: Clients... ugh)
> 
> 
> Jim Thompson wrote:
> > Chris Buechler wrote:
> >
> >> Alex DiMarco wrote:
> >>
> >>> Does anyone have benchmarks on the WRAP running pfsense?
> >>>
> >>
> >> about 25 Mb is the most you can expect.  I wouldn't use one if you 
> >> need constant throughput of over 15 Mb for extended periods.
> >
> > I assume this is Ethernet<->Ethernet.
> >
> 
> yes.  Though I would assume wireless would perform about 
> equally (i.e. 
> it could just barely hit 100% of a .11g connection).  I 
> haven't had the 
> chance to test that just yet though. 
> 
> 
> > About the only thing I've noticed thus far is that the webgui is 
> > 'pokey' compared to m0n0wall on the same hardware.  
> 
> as Scott said, that's really changed dramatically.  In some 
> instances, 
> post-beta 1 releases take 20% of the time to load pages that b1 does. 
> 
> the latest testing snapshot can be found here:  
> http://pfsense.org/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-5-06/
> 
> 





AW: [pfSense-discussion] Problems with package installations

2006-02-04 Thread Holger Bauer
http://wiki.pfsense.com/wikka.php?wakka=UpgradingViaShell

Holger

> -Original Message-
> From: Kim C. Callis [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 4, 2006 08:52
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Problems with package installations
> 
> 
> I understand how to do this via the web interface... I am
> interested in loading to the server and installing from
> the server. I would have to upload remotely, and because of
> the wireless connection, there are potential problems.
> 
> It is a heck of a lot easier to download the firmware via
> the E-1 and install as opposed to trying to load remotely at
> 128kb.
> 
> K.
> 
> 
> On Sat, Feb 04, 2006 at 01:54:21AM -0500, Scott Ullrich wrote:
> >Use the web interface to manually upgrade the image with the full upgrade.
> >
> >On 2/3/06, Kim C. Callis <[EMAIL PROTECTED]> wrote:
> >> Thanks for the quick response. If I wanted to wget that file
> >> directly to my pfsense box, what commands would I need to
> >> enter to load the new firmware?
> >>
> >> K.
> >>
> >>
> >> On Fri, Feb 03, 2006 at 10:52:59PM -0500, Scott Ullrich wrote:
> >> >Update to a newer snapshot version.
> >> >
> >> 
> >> >http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-2-06/
> >> >
> >> >On 2/3/06, Kim C. Callis <[EMAIL PROTECTED]> wrote:
> >> >> Every package that I attempt to install fails. I am running
> >> >> 1.0 beta1. I also have tried to do the auto updater try and
> >> >> get the beta firmware and that seems to fail as well. Is
> >> >> there something that I am not enabling?
> >> >>
> >> >> K.
> >> >>
> >> >>
> >>





AW: [pfSense-discussion] Clients... ugh

2006-01-31 Thread Holger Bauer
oops: you can access the bios at the front com port, not usb. sorry for 
confusion ;-)

> -Original Message-
> From: Holger Bauer 
> Sent: Wednesday, February 1, 2006 08:24
> To: discussion@pfsense.com
> Subject: AW: [pfSense-discussion] Clients... ugh
> 
> 
> Take a look at the Hardware links at 
> http://pfsense.com/index.php?id=33 . I personally have had 
> good experiences with the nexcom 1041c and have already 
> deployed systems in production with pfSense. The nexcom 
> offers an onboard cf-slot to boot from and you even can 
> access the bios at the front usb and it comes in a shortneck 
> 1U 19" rackmountable case with front network ports. You get 
> the nexcoms ranging from celeron 650 up to dual xeon and with 
> up to 12 interfaces. Gigabit nics are available for them as well.
> Btw, you might wonder what is inside of most 
> "hardware appliances" once you open them.
> A nice story about a watchguard firebox2 for example can be 
> found here: http://www.ls-net.com/m0n0wall-watchguard/
> 
> Holger
> 
> 
> > -Original Message-
> > From: Dmitry Sorokin [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 1, 2006 07:40
> > To: discussion@pfsense.com
> > Subject: Re: [pfSense-discussion] Clients... ugh
> > 
> > 
> > Quoting DarkFoon <[EMAIL PROTECTED]>:
> > 
> > > and Secondly, does anybody know of any "hardware" firewall/routers
> > > (man, I'm tired of typing that) that have the above features?
> > > 
> > > I'm not trying to snub pfSense; I'd love to use it, but I can't
> > > convince him (well, possibly, but he wants me to first look for a
> > > "hardware" solution) I am asking here first because I have been
> > > watching the mailing list for several months now, and I trust the
> > > opinions and information of (most) of the people here. ;)
> > 
> > I think your client means "not regular pc/linux or unix/command line
> > solution", but rather an appliance, which is "plug, go to web
> > interface, click, click, click and it works". Also from technical
> > point there should be no hard disk drive (no file system, that can
> > become inconsistent in case of crash or power failure), no peripheral
> > (monitor, keyboard, mouse(?)).
> > Then pfSense/m0n0wall + WRAP platform is your choice.
> > look at http://www.m0n0.ch/wall/gallery.php
> > your firewall can be an i386 compatible 1u or 2u 19" rack mountable
> > server, or as small as smallest linksys or D-link or netgear box with
> > no moving parts.
> > 
> > Hope that helps,
> > Dmitry
> > 
> > 
> 
> 
> 
> 





AW: [pfSense-discussion] Clients... ugh

2006-01-31 Thread Holger Bauer
Take a look at the Hardware links at http://pfsense.com/index.php?id=33 . I 
personally have had good experiences with the nexcom 1041c and have already 
deployed systems in production with pfSense. The nexcom offers an onboard 
cf-slot to boot from and you even can access the bios at the front usb and it 
comes in a shortneck 1U 19" rackmountable case with front network ports. You get 
the nexcoms ranging from celeron 650 up to dual xeon and with up to 12 
interfaces. Gigabit nics are available for them as well.
Btw, you might wonder what is inside of most "hardware appliances" once you open 
them.
A nice story about a watchguard firebox2 for example can be found here: 
http://www.ls-net.com/m0n0wall-watchguard/

Holger


> -Original Message-
> From: Dmitry Sorokin [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 1, 2006 07:40
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Clients... ugh
> 
> 
> Quoting DarkFoon <[EMAIL PROTECTED]>:
> 
> > and Secondly, does anybody know of any "hardware" firewall/routers
> > (man, I'm tired of typing that) that have the above features?
> > 
> > I'm not trying to snub pfSense; I'd love to use it, but I can't
> > convince him (well, possibly, but he wants me to first look for a
> > "hardware" solution) I am asking here first because I have been
> > watching the mailing list for several months now, and I trust the
> > opinions and information of (most) of the people here. ;)
> 
> I think your client means "not regular pc/linux or unix/command line
> solution", but rather an appliance, which is "plug, go to web
> interface, click, click, click and it works". Also from technical
> point there should be no hard disk drive (no file system, that can
> become inconsistent in case of crash or power failure), no peripheral
> (monitor, keyboard, mouse(?)).
> Then pfSense/m0n0wall + WRAP platform is your choice.
> look at http://www.m0n0.ch/wall/gallery.php
> your firewall can be an i386 compatible 1u or 2u 19" rack mountable
> server, or as small as smallest linksys or D-link or netgear box with
> no moving parts.
> 
> Hope that helps,
> Dmitry
> 
> 





AW: [pfSense-discussion] Newbie here.

2006-01-31 Thread Holger Bauer
If you want to make a clean approach on that you should consider making the 
application(s) you need a package. This way it can be used "on demand" and it 
will be compatible with future versions. Reinstallation is easier as well and 
the configuration can be stored in the configfile.

Holger

> -Original Message-
> From: Steve Rieger [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 1, 2006 06:42
> To: discussion@pfsense.com
> Cc: Steve Rieger
> Subject: [pfSense-discussion] Newbie here.
> 
> 
> Have some general questions, so bear with me.
> 
> 
> Can I install Fbsd 6.0 and the pfsense, and use this as both a server
> (for nothing very important) and my firewall in the inside?
> I read the docs and didn't quite get a clear answer (here is my
> scenario in more detail):
> the "FW" is connected to WAN, the FW itself will be considered DMZ,
> anything behind is considered Trusted. Therefore I would like to
> utilize a server I have already running (and is in the DMZ) as an
> actual Firewall.
> 
> When installing from the Live cd I turned debugging on, and saw the
> Boot process start but not complete. Will try it again tomorrow and
> will post the exact message. I saw that this was not uncommon.
> 
> Pending the answer to question 1 I would like to become part of this
> project, so far I like what I read.
> 
> 
> --
> Steve Rieger
> [EMAIL PROTECTED]
> 310-339-4355
> yahoo  = riegersteve
> icq= 53956607
> Ride Free, Ride On, Ride Safe
> 
> 
> I had the blues because I had no shoes until upon the street, 
> I met a  
> man who had no feet.
> 
> Biker Blue
> 
> 
> 





AW: AW: [pfSense-discussion] Bonding incoming interfaces

2006-01-24 Thread Holger Bauer
Yes. atm only one pppoe connection is supported at the original WAN interface. 
You can fake this by using a simple pppoe dialin-router and use that one as 
gateway however at an OPT-WAN. Keep in mind that you need static gateway 
addresses for the loadbalancer to work. Policy based routing can be done with 
dynamic gateways.

Holger

> -Original Message-
> From: Alex DiMarco [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 24, 2006 14:07
> To: discussion@pfsense.com
> Subject: Re: AW: [pfSense-discussion] Bonding incoming interfaces
> 
> 
> Holger Bauer wrote:
> 
> >Bonding has to be supported by both ends (ISP end and your end; making
> >1 Link with 2 or more physical links). However pfSense is offering
> >loadbalancing to utilize more than one WAN link.
> >
> To change the subject slightly...I seem to remember I could only 
> activate one WAN connection per type. Ex: outgoing PPPoe and a second 
> DHCP (for Cable), but not dual PPPoe. Is this true or did I miss 
> something...
> 
> > A single connection can't make use of the sum of all interfaces
> > bandwidth this way as one connection can only use one link but a bunch
> > of connections (even from the same host) together can use all the
> > links and thus all the bandwidth of all the links. Another option is
> > policy based routing like sending traffic type a via WANa and type b
> > via WANb. Balancing and policy based routing can be used at the same
> > time.
> >
> >Holger
> >
> >  
> >
> >>-Original Message-
> >>From: Kim C. Callis [mailto:[EMAIL PROTECTED]
> >>Sent: Tuesday, January 24, 2006 08:27
> >>To: PfSense Mailing List
> >>Subject: [pfSense-discussion] Bonding incoming interfaces
> >>
> >>
> >>With pfSense, is it possible to bond together several
> >>incoming media (for instance several DSL circuits), to
> >>provide larger bandwidth to the LAN? And if so, could
> >>one effectively create greater outgoing bandwidth? 
> >>
> >>K.
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >  
> >
> 
> 





AW: [pfSense-discussion] Bonding incoming interfaces

2006-01-23 Thread Holger Bauer
Bonding has to be supported by both ends (ISP end and your end; making 1 Link 
with 2 or more physical links). However pfSense is offering loadbalancing to 
utilize more than one WAN link. A single connection can't make use of the sum 
of all interfaces bandwidth this way as one connection can only use one link 
but a bunch of connections (even from the same host) together can use all the 
links and thus all the bandwidth of all the links. Another option is policy 
based routing like sending traffic type a via WANa and type b via WANb. 
Balancing and policy based routing can be used at the same time.

Holger

> -Original Message-
> From: Kim C. Callis [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 24, 2006 08:27
> To: PfSense Mailing List
> Subject: [pfSense-discussion] Bonding incoming interfaces
> 
> 
> With pfSense, is it possible to bond together several
> incoming media (for instance several DSL circuits), to
> provide larger bandwidth to the LAN? And if so, could
> one effectively create greater outgoing bandwidth? 
> 
> K.
> 
> 





AW: [pfSense-discussion] PPTP VPN problem

2006-01-12 Thread Holger Bauer
Try disabling the pptp server on the machine that your client is trying to nat 
through to the remote pptp server. Also make sure you use 
http://pfsense.com/~sullrich/BETA2-BUGVALIDATION3/ as we have reimported m0n0s 
pptp 1.21 first, before you make this test with shutdown pptp at the natting 
pfsense.

Holger

> -Original Message-
> From: Dmitry Sorokin [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 13, 2006 06:09
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] PPTP VPN problem
> 
> 
> Hello,
> 
> I'm having a problem connecting to PPTP VPN from one network to another
> with pfSense boxes on both sides. If I'm connecting from the network
> behind any other firewall (linksys, d-link, m0n0wall, ) or from public
> IP directly, everything works just fine. I have multiple pfSense
> installations and it's all the same. It's connecting and works just to
> the point where it says "Verifying username and password" and hangs
> right there. Then, after a few seconds it gives an error. Is this a
> known bug or limitation?
> I can provide all details, config files, syslog messages, etc. if kind
> developers have time and are willing to troubleshoot that issue.
> 
> Best regards,
> Dmitry
> 
> 





AW: [pfSense-discussion] Headless boot

2006-01-05 Thread Holger Bauer
If you don't need package support try the embedded version. It has the output at 
com1 at 9600 baud. Assign Interfaces there and do the rest in the webgui.

Holger

> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 5, 2006 22:40
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Headless boot
> 
> 
> This is somewhat not true.   PFI allows one to setup a pre
> installation environment, ssh enabled, root password change, etc.
> 
> On 1/5/06, Craig FALCONER <[EMAIL PROTECTED]> wrote:
> > No.  You need a monitor to begin with, but once config is done you
> > should never need it again.
> > never need it again.
> >
> >
> > -Original Message-
> > From: news [mailto:[EMAIL PROTECTED] On Behalf Of ihavenoname
> > Sent: Friday, 30 December 2005 9:53 a.m.
> > To: discussion@pfsense.com
> > Subject: [pfSense-discussion] Headless boot
> >
> >
> > I have an old Pentium II without a monitor. Is it possible for
> > pfSense to automatically detect networks cards and get itself into a
> > state where I can do the manual configuration remotely (ssh, web,
> > ... etc)?
> >
> > Thanks
> >
> >
> 





AW: [pfSense-discussion] block port 25

2005-12-22 Thread Holger Bauer
At WAN (incoming) everything is blocked by default. If you want to send this 
port through to a mailserver just create a NAT for this port to this machine at 
portforward. Make sure "autocreate firewall rule" is checked. If you only 
want to block port 25 outgoing create a block rule at your LAN interface that 
blocks proto tcp, source "not mailserver ip" with any port, destination any 
with port 25. This rule has to go above the default allow lan to any rule.
Another option would be to redirect the port 25 "silently" to your mailserver 
like done in this example: 
http://www.pfsense.com/screens/redirect_lan_to_another_mail_server.PNG

(btw, this belongs to support@pfsense.com and not [EMAIL PROTECTED] please use 
the appropriate list next time)

Holger


> -Original Message-
> From: dny [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 22, 2005 08:54
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] block port 25
> 
> 
> is there a way to block all incoming and outgoing access to port 25,
> with only one exception if it is going through a legitimate mail server.
> 
> how can i accomplish this?
> 
> tnx&rgds,
> dny
> www.ngobrol.com
> 
> ... but that which cometh out of the mouth,
> this defileth a man.   Mat 15:11
> 


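The rule order described in the reply above, as an added example that is not part of the original thread: a minimal first-match evaluator showing why the port 25 block rule has to sit above the default allow rule on LAN. The addresses are constructed, and the `Rule` class and `evaluate` function are a hypothetical model, not pfSense code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """Hypothetical model of one LAN rule (not pfSense code)."""
    action: str                      # "pass" or "block"
    proto: str = "any"
    src: str = "any"                 # CIDR network, or "any"
    src_not: bool = False            # the "not" option on the source
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.src == "any":
            src_ok = True
        else:
            src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return (not src_ok) if self.src_not else src_ok


def evaluate(rules, proto, src_ip, dst_port):
    """Check rules top-down; the first match decides, no match means block."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_port):
            return rule.action
    return "block"


MAILSERVER = "192.168.1.10"   # constructed address of the legitimate mail server
CLIENT = "192.168.1.50"       # constructed address of an ordinary LAN host

# block proto tcp, source "not mailserver ip", any source port, destination port 25
BLOCK_SMTP = Rule("block", proto="tcp", src=MAILSERVER + "/32",
                  src_not=True, dst_port=25)
# default "allow LAN to any" rule
DEFAULT_ALLOW = Rule("pass", src="192.168.1.0/24")

CORRECT_ORDER = [BLOCK_SMTP, DEFAULT_ALLOW]
WRONG_ORDER = [DEFAULT_ALLOW, BLOCK_SMTP]


def smtp_report(rules):
    """Summarise what a rule list does to the three interesting flows."""
    return {
        "client_smtp": evaluate(rules, "tcp", CLIENT, 25),
        "mailserver_smtp": evaluate(rules, "tcp", MAILSERVER, 25),
        "client_http": evaluate(rules, "tcp", CLIENT, 80),
    }


if __name__ == "__main__":
    print("correct order:", smtp_report(CORRECT_ORDER))
    print("wrong order:  ", smtp_report(WRONG_ORDER))
```

With the block rule below the default allow rule, the client's SMTP connection matches the allow rule first and the block rule is never reached.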



AW: [pfSense-discussion] PPTP / IP Range

2005-12-13 Thread Holger Bauer
Configure your pptp-subnet to be part of your lan subnet (example):
LAN: 192.168.50.1/24
PPTP-Server: 192.168.50.2
PPTP-Range: 192.168.50.208/29
 
This way your PPTP users are native members of your LAN-subnet and you don't 
need any routes. Just beware that ranges should not conflict, 
so make sure 192.168.50.2 is not used by anything else, same with 
192.168.50.208/29 (check dhcp ranges too).
 
Holger

-Original Message- 
From: Nate Davis [mailto:[EMAIL PROTECTED] 
Sent: Tue 13.12.2005 22:20 
To: pfsense 
Cc: 
Subject: [pfSense-discussion] PPTP / IP Range



Howdy,

Let me give you some preface to what my environment is.  I have a 
PPTP Server setup with pfSense.  Users are able to log in great.  
Clients are using Microsoft's PPTP Client Built into Windows XP.  I 
am not using the PPTP Network as the Default Gateway.  PPTP Network 
is: 192.168.25.192 /28
Real Network (LAN) is: 192.168.50.1/24

My Problem is, unless I add a static route on the individual 
computers, I am not able to ping the 192.168.50.0 network.  I 
completely understand why I can't ping it.  My question to the list 
is:  In the PPTP Config page in pfSense, can I make the PPTP server 
address be something like 192.168.50.250 and the PPTP clients be 
something like: 192.168.50.192 /28?  If this will not work, is there 
some way I can put these PPTP clients on the same subnet as my LAN 
network so I don't have to setup Static routes on the individual 
computers?  We are talking about maybe 15 people total that would be 
in at one given time.  Or is there some better way to do what I am 
trying to accomplish?

Thanks so much,
Nate






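A way to check the address plan from the reply above before entering it, as an added example that is not part of the original thread: it verifies that the PPTP client range lies inside the LAN subnet and that neither the range nor the PPTP server address collides with the firewall's LAN address or the DHCP pool. The DHCP pool boundaries and the function name are assumptions made for the example.

```python
import ipaddress


def check_pptp_plan(lan_if, pptp_server, pptp_range, dhcp_first, dhcp_last):
    """Return a list of problems; an empty list means the plan is consistent."""
    lan = ipaddress.ip_interface(lan_if)          # e.g. 192.168.50.1/24
    server = ipaddress.ip_address(pptp_server)
    # strict parsing: raises ValueError if the range is not on a block boundary
    clients = ipaddress.ip_network(pptp_range)
    dhcp_lo = ipaddress.ip_address(dhcp_first)
    dhcp_hi = ipaddress.ip_address(dhcp_last)
    problems = []

    if not clients.subnet_of(lan.network):
        problems.append(f"PPTP range {clients} is not inside LAN {lan.network}")
    if server not in lan.network:
        problems.append(f"PPTP server {server} is not inside LAN {lan.network}")
    if server == lan.ip:
        problems.append(f"PPTP server {server} is the LAN interface address")
    if server in clients:
        problems.append(f"PPTP server {server} is inside the client range")
    if lan.ip in clients:
        problems.append(f"LAN address {lan.ip} is inside the client range")
    # two closed intervals overlap when each starts before the other ends
    if dhcp_lo <= clients[-1] and clients[0] <= dhcp_hi:
        problems.append(f"DHCP pool {dhcp_lo}-{dhcp_hi} overlaps {clients}")
    if dhcp_lo <= server <= dhcp_hi:
        problems.append(f"PPTP server {server} is inside the DHCP pool")
    return problems


if __name__ == "__main__":
    # Values from the reply; the DHCP pool 192.168.50.100-199 is constructed.
    print(check_pptp_plan("192.168.50.1/24", "192.168.50.2",
                          "192.168.50.208/29",
                          "192.168.50.100", "192.168.50.199"))
    # The PPTP network from the question, which is outside the LAN subnet.
    print(check_pptp_plan("192.168.50.1/24", "192.168.50.2",
                          "192.168.25.192/28",
                          "192.168.50.100", "192.168.50.199"))
```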



AW: [pfSense-discussion] WRAP and WAP

2005-12-02 Thread Holger Bauer
Yes, 108 mbit/s is a theoretical not real life value. Just wanted to make this 
clear ;-)

Holger

> -Original Message-
> From: Marc A. Volovic [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 2, 2005 11:21
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] WRAP and WAP
> 
> 
> Quoth Holger Bauer:
> 
> > Works great. I have several of these in use. However you won't get 108
> 
> You almost never get 108Mbit with anything, in my experience. Rarely can
> one obtain something approaching 40Mbit...
> 
> But the WRAP itself works great.
> 
> 
> -- 
> ---MAV
> Marc A. Volovic 
> [EMAIL PROTECTED]
> Swiftouch, LTD 
> +972-544-676764
> 





AW: [pfSense-discussion] WRAP and WAP

2005-12-02 Thread Holger Bauer
Works great. I have several of these in use. However you won't get 108 mbit/s 
wifi to lan for example as the throughput of the wrap is limited. Expect 
something between 15-28 mbit/s with wifi.

Holger

> -Original Message-
> From: Henk Wieland [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 2, 2005 11:07
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] WRAP and WAP
> 
> 
> Hi,
> 
> I've just finished ordering a Wrap board (WRAP.1E-2 (3 LAN)), with a 
> wireless card (Wistron CM9 IEEE 802.11a/b/g 108Mbps WLAN Mini-PCI).
> 
> I'd like to use pfSense with this combi.
> 
> Is there anybody out there who can share his experience on this combi?
> 
> Rgds,
> Henk
> 
> 
> 

