Re: [pfSense] particular site not working

2011-12-19 Thread RCD
It's not squid, I don't have it installed.

Look at this:
http://www.downforeveryoneorjustme.com/bsnl.co.in

Seems the site is simply down.

Ryan

On 12/16/2011 10:19 PM, Guruprasad R wrote:
> Hi 
> 
> my setup:
> I have pfSense 2.0 amd64 installed on an AMD64-based system.
> I have configured squid in transparent mode and installed / enabled
> squidguard too.
> 
> problem:
> from my network, I am able to get all other websites
> except http://bsnl.co.in . It gives a "time out error" after searching for
> some time.
> 
> action taken:
> - I disabled transparent proxy and configured 3128 as my proxy port in
> browser as well as pfSense
> - I stopped the squid/squidguard services
> - I tried different browsers from different systems behind the firewall,
> but all in vain
> 
> observation:
> - I could ping bsnl.co.in, which responds back with its static IP.
> 
> any clue/help is appreciated.
> 
> thanks
> -guru
> 
>  
> 
> 


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Installing on Dell R310 / Perc H200

2011-12-19 Thread greg whynott
Hello,

I got around a similar issue by making some changes in the bios.

Try these: set the processor to use only 1 core, disable C states, turn
off all power saving options (max performance), disable PXE, and USB back
ports only.

After I did this I was able to install on both an R310 and an R510.

I found this info via Google at the time. If the above doesn't work for
you, try Google as I think there may have been more BIOS tweaks.

take care,
greg


Re: [pfSense] WAN DHCP change of default GW ...

2011-12-19 Thread Jeppe Øland
> are you using Canal Digital as ISP by any chance?

No this was on a local San Francisco ISP.

It's not something they do on a regular basis, so chances are I will
never see the problem again - but I would like to understand what
happened!

Regards,
-Jeppe


[pfSense] bug reports closed on this but I still see it on current version: ipfw-classifyd: unable to write to divert socket: No buffer space available

2011-12-19 Thread Greg Whynott

Hello,

re:  ipfw-classifyd: unable to write to divert socket: No buffer space 
available


I'm seeing thousands of these errors in the logs every day. When I did 
a search (using Google and the bug tracker at pfsense.org) I found 
several folks having the same issues going back a year or so. 2 bugs 
were opened which mention this error in the logs, one rejected (1331) 
and the other marked as resolved (636). They were opened on layer7 
classifiers not working. I too am using layer7 to help block 
BitTorrent traffic. I couldn't find a resolution, but I did notice 
one or two of the folks were also using Dell hardware (ours is on an 
R310); I doubt it has anything to do with it but I do recall others 
having unrelated issues with pfSense and Dell hardware.


I have opened a bug ticket (#2055), but thought I'd mention the issue 
here in case others are searching for a resolution.


thanks again,
greg



Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Ian Bowers
one thing to check is what IP that ping ends up getting sourced from, and
making sure it's in the right subnet.  tcpdump should work.

I'm thinking one reason it can get closed is if IP/50, UDP/500, and/or
UDP/4500 aren't allowed in both directions on the other end.  When
requesting VPN ports from your source to your peer from some firewall
admins, they allow the ports inbound but forget to do the same outbound.
It's surprisingly typical and shows a lack of knowledge for what they're
dealing with.  The problem this creates is during the rekey sequence of the
VPN.  Most IPSec stacks will take the VPN lifetime, subtract a random
value, and rekey at that time.  So either end can end up initiating the
re-key sequence.  If the remote end initiates the re-key, and the proper
ports haven't been allowed outbound, the requests will get dropped.  This
means your remote end thinks the re-key is in progress but the local end
doesn't know.  In a little bit the local end will hit its timer, and
initiate a re-key.  The remote end will say "I'm already doing this" and
drop the request.  So neither end will be able to successfully re-key the
tunnel, and it will go down.

On Mon, Dec 19, 2011 at 10:03 AM, Nick Upson  wrote:

> local subnet 10.0.0.0/8
> remote subnet 192.168.118.0/24
> ping 192.168.118.6
>
> no idea what device is on the other end, sorry
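The rekey sequence Ian describes, played out as a small Python model. This is an added example, not code from the thread and not pfSense or racoon code, and it is not an IKE implementation: it only models what the post says, namely that each peer rekeys at lifetime minus a random value, that a request dropped by the far-end firewall leaves the initiator believing a rekey is in progress, and that a later request from the other side is then rejected. The peer names, the 3600 s lifetime, the jitter and the per-direction policy table are assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    lifetime: int          # SA lifetime in seconds; assumed equal on both sides
    jitter: int            # upper bound of the random value subtracted from lifetime
    rekey_at: float = 0.0  # absolute time at which this peer's rekey timer fires


def schedule(peer, now, rng):
    """Rekey at lifetime minus a random value, as the post says most stacks do."""
    peer.rekey_at = now + peer.lifetime - rng.randint(0, peer.jitter)


def rekey_cycle(a, b, policy, now, rng, log):
    """Play out one SA lifetime starting at `now`.  Returns (time, tunnel_up).

    policy[(x, y)] is True when x's IKE packets (UDP/500, UDP/4500) can reach y,
    i.e. the firewall in front of x lets them out and the one in front of y lets
    them in.
    """
    expiry = now + a.lifetime
    first, second = sorted((a, b), key=lambda p: p.rekey_at)
    if policy[(first.name, second.name)]:
        now = first.rekey_at
        log.append(f"t={now:.0f}: {first.name} initiates rekey, "
                   f"{second.name} answers, new SA installed")
        schedule(a, now, rng)
        schedule(b, now, rng)
        return now, True
    # The request never arrives, but `first` now believes a rekey is in progress.
    log.append(f"t={first.rekey_at:.0f}: {first.name} initiates rekey, "
               "request dropped by firewall")
    # Later the other side's timer fires; its request is refused as a duplicate.
    if policy[(second.name, first.name)]:
        log.append(f"t={second.rekey_at:.0f}: {second.name} initiates rekey, "
                   f"{first.name} rejects it (already rekeying)")
    else:
        log.append(f"t={second.rekey_at:.0f}: {second.name} initiates rekey, "
                   "request dropped by firewall")
    log.append(f"t={expiry:.0f}: SA lifetime reached with no replacement, tunnel down")
    return expiry, False


def simulate(policy, cycles=20, lifetime=3600, jitter=600, seed=0):
    """Return ('up' or 'down', event log) after at most `cycles` rekeys."""
    rng = random.Random(seed)
    local = Peer("local", lifetime, jitter)
    remote = Peer("remote", lifetime, jitter)
    now = 0
    schedule(local, now, rng)
    schedule(remote, now, rng)
    log = []
    for _ in range(cycles):
        now, up = rekey_cycle(local, remote, policy, now, rng, log)
        if not up:
            return "down", log
    return "up", log


# Both firewalls pass IKE/ESP in both directions.
SYMMETRIC = {("local", "remote"): True, ("remote", "local"): True}
# The far-end admin allowed our traffic inbound but forgot the outbound rule,
# so rekeys initiated by the remote peer never reach us.
ASYMMETRIC = {("local", "remote"): True, ("remote", "local"): False}

if __name__ == "__main__":
    for name, policy in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        state, log = simulate(policy, seed=1)
        print(f"{name} policy: tunnel {state} after {len(log)} events")
        for line in log[-3:]:
            print("   " + line)
```

With the asymmetric policy the tunnel survives every cycle in which the local timer happens to fire first and dies on the first cycle in which the remote timer does, which is why this kind of fault looks intermittent. The thing to ask the far-end admin for is therefore IP/50, UDP/500 and UDP/4500 in both directions, not just inbound.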


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Nick Upson
Nick Upson



On 19 December 2011 15:00, Ian Bowers  wrote:

> Please post your encryption domain (which networks are encrypted on both
> sides) and which IP you are pinging. Also, what type of device does the VPN
> terminate on the other end?  I have a couple ideas

local subnet 10.0.0.0/8
remote subnet 192.168.118.0/24
ping 192.168.118.6

no idea what device is on the other end, sorry


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Ian Bowers
On Mon, Dec 19, 2011 at 9:49 AM, Nick Upson  wrote:

> I'm running 1.2.3
>
> I have an IPsec tunnel to another site, which closes unless there is
> traffic I want it up 24/7 so I put a remote IP in the "keep alive,
> automatically ping host" section of the setup.
> It still behaves the same way. Is this to be expected (known bug or
> something) or have I done something wrong?
>
> Nick Upson
>
>
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
>
>

Please post your encryption domain (which networks are encrypted on both
sides) and which IP you are pinging. Also, what type of device does the VPN
terminate on the other end?  I have a couple ideas


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Nick Upson
Nick Upson



On 19 December 2011 14:55, Jochem de Waal  wrote:

> Hi Nick,
>
> We have many IPSEC tunnels to our customers using pfSense 1.2.3 and also
> on 2.0 without any problems.
>
> What could be the problem in your case is the lifetime of phase 1 and 2.
>
> Try setting phase 1 to 28800 and phase 2 to 3600. This should be the same
> on both sides.
>
> Cheers,
>
> Jochem
>
Hi,

my settings are the other way round, I'm not sure about the other end


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Chris Buechler
On Mon, Dec 19, 2011 at 9:49 AM, Nick Upson  wrote:
> I'm running 1.2.3
>
> I have an IPsec tunnel to another site, which closes unless there is traffic
> I want it up 24/7 so I put a remote IP in the "keep alive, automatically
> ping host" section of the setup.
> It still behaves the same way. Is this to be expected (known bug or
> something) or have I done something wrong?
>

Only scenario where that won't work is where there isn't a local IP on
the firewall within the local subnet of the IPsec. Or if you don't put
in an IP that's within the remote subnet.
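Putting the two replies above together as a check you can run against Nick's numbers: Ian's advice to look at which address the keep-alive ping is actually sourced from, and Chris's two failure cases (no firewall address inside the phase 2 local subnet, or a ping target outside the remote subnet). This is an added example, not code from the thread or from pfSense; the firewall addresses 10.0.0.1 and 203.0.113.5 and the tcpdump lines are constructed.

```python
import ipaddress
import re

# `tcpdump -n icmp` prints echo requests as
#   HH:MM:SS.usec IP <src> > <dst>: ICMP echo request, id N, seq N, length N
ECHO_REQUEST = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request")


def keepalive_problems(local_subnet, remote_subnet, firewall_ips, ping_target):
    """Reasons (empty list if none) why the keep-alive ping would not match
    the phase 2 local_subnet <-> remote_subnet."""
    local_net = ipaddress.ip_network(local_subnet, strict=False)
    remote_net = ipaddress.ip_network(remote_subnet, strict=False)
    problems = []
    # Chris's first case: the firewall itself needs an address inside the
    # local subnet, otherwise the ping is sourced from some other interface
    # (e.g. WAN) and the SA's selectors never see it.
    inside = [ip for ip in map(ipaddress.ip_address, firewall_ips) if ip in local_net]
    if not inside:
        problems.append(f"no firewall address inside {local_net}; ping would be "
                        f"sourced from one of {', '.join(firewall_ips)} instead")
    # Chris's second case: the pinged host must be inside the remote subnet.
    if ipaddress.ip_address(ping_target) not in remote_net:
        problems.append(f"ping target {ping_target} is outside {remote_net}")
    return problems


def misrouted_pings(tcpdump_lines, local_subnet, remote_subnet):
    """Ian's check: from `tcpdump -n icmp` output, list (src, dst) of echo
    requests whose source or destination falls outside the phase 2 selectors."""
    local_net = ipaddress.ip_network(local_subnet, strict=False)
    remote_net = ipaddress.ip_network(remote_subnet, strict=False)
    bad = []
    for line in tcpdump_lines:
        m = ECHO_REQUEST.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        if src not in local_net or dst not in remote_net:
            bad.append((str(src), str(dst)))
    return bad


# Constructed capture (not from the thread): the first ping is sourced from a
# LAN address in 10/8, the second from the WAN address 203.0.113.5 and so
# would never be carried by the SA.
SAMPLE_CAPTURE = [
    "10:03:01.000001 IP 10.0.0.1 > 192.168.118.6: ICMP echo request, id 1, seq 1, length 64",
    "10:03:01.020000 IP 192.168.118.6 > 10.0.0.1: ICMP echo reply, id 1, seq 1, length 64",
    "10:03:02.000001 IP 203.0.113.5 > 192.168.118.6: ICMP echo request, id 1, seq 2, length 64",
]

if __name__ == "__main__":
    # Nick's subnets and ping target, with assumed LAN 10.0.0.1 and WAN 203.0.113.5.
    print(keepalive_problems("10.0.0.0/8", "192.168.118.0/24",
                             ["10.0.0.1", "203.0.113.5"], "192.168.118.6"))
    print(keepalive_problems("10.0.0.0/8", "192.168.118.0/24",
                             ["172.16.0.1", "203.0.113.5"], "192.168.118.6"))
    print(misrouted_pings(SAMPLE_CAPTURE, "10.0.0.0/8", "192.168.118.0/24"))
```

With a LAN address inside 10.0.0.0/8 and the target 192.168.118.6 inside 192.168.118.0/24, Nick's settings pass both of Chris's conditions, so if the tunnel still drops the capture is the next thing to look at: a ping showing up with the WAN address as source is the case the first function flags.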


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Jochem de Waal
 

 

Hi Nick,

We have many IPSEC tunnels to our customers using pfSense 1.2.3 and also
on 2.0 without any problems.

What could be the problem in your case is the lifetime of phase 1 and 2.

Try setting phase 1 to 28800 and phase 2 to 3600. This should be the
same on both sides.

Cheers,

Jochem

From: list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org] On behalf of Nick Upson
Sent: Monday 19 December 2011 15:49
To: pfSense support and discussion
Subject: [pfSense] ipsec tunnel closes

> I'm running 1.2.3
>
> I have an IPsec tunnel to another site, which closes unless there is
> traffic I want it up 24/7 so I put a remote IP in the "keep alive,
> automatically ping host" section of the setup.
> It still behaves the same way. Is this to be expected (known bug or
> something) or have I done something wrong?
>
> Nick Upson


[pfSense] ipsec tunnel closes

2011-12-19 Thread Nick Upson
I'm running 1.2.3

I have an IPsec tunnel to another site, which closes unless there is
traffic I want it up 24/7 so I put a remote IP in the "keep alive,
automatically ping host" section of the setup.
It still behaves the same way. Is this to be expected (known bug or
something) or have I done something wrong?

Nick Upson


Re: [pfSense] WAN DHCP change of default GW ...

2011-12-19 Thread Espen Johansen
I have seen this before as well, are you using Canal Digital as ISP by any
chance?
What I saw in shell was that I got a default GW pointing to my WLAN IP. In
the GUI everything seemed fine.
I didn't investigate this a lot (didn't have time to debug properly) but
something weird surely happened.

-lsf

On Sat, Dec 17, 2011 at 12:41 AM, Jeppe Øland  wrote:

> Hi all,
>
> The other day I got bitten by a change my ISP did.
> Basically they changed some networking around, and as part of doing
> that, they changed the default gateway.
>
> My box got its IP and GW from the DHCP server.
> Then they changed the DHCP server to serve the exact same information
> - except the GW was changed (x.x.x.1 -> x.x.x.2).
> The old GW continued working for a good long while, and so I didn't
> notice anything adverse at first.
> Finally some time later (several days I believe), they killed the
> x.x.x.1 GW ... and all my traffic ground to a halt.
>
> I could ping the (new) GW they delivered to me since it was on the
> same subnet as my WAN ... but DNS and any routed data was broken.
> I could release the DHCP lease, and get a new one ... but routing
> continued to be broken.
> Clearing the state table had no effect either.
>
> Not knowing what the cause of the problem was, I ended up rebooting
> pfSense box - and that fixed the problem.
>
> Now my question is: Why might pfSense have failed to work after the GW
> changed?
>
> Regards,
> -Jeppe
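A check that both reports above invite: compare the router the WAN lease actually carries with the default route the kernel holds. This is an added example, not code from the thread or from pfSense. It assumes the dhclient.leases and `netstat -rn` layouts of FreeBSD (on pfSense 2.0 the lease file would be /var/db/dhclient.leases.<wanif>, which is an assumption); the lease blocks and routing table below are constructed, not captured from either poster's box.

```python
import re

LEASE_BLOCK = re.compile(r"lease\s*\{(.*?)\}", re.S)
LEASE_IFACE = re.compile(r'^\s*interface\s+"([^"]+)";', re.M)
LEASE_ROUTERS = re.compile(r"^\s*option routers ([\d.]+)", re.M)


def lease_gateways(lease_text):
    """{interface: router} from dhclient.leases; dhclient appends new leases,
    so the last block for an interface is the lease in force."""
    gateways = {}
    for block in LEASE_BLOCK.findall(lease_text):
        iface = LEASE_IFACE.search(block)
        routers = LEASE_ROUTERS.search(block)
        if iface and routers:
            gateways[iface.group(1)] = routers.group(1)
    return gateways


def default_routes(netstat_text):
    """{netif: gateway} for the 'default' rows of `netstat -rn`
    (columns: Destination Gateway Flags Refs Use Netif Expire)."""
    routes = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "default":
            routes[parts[5]] = parts[1]
    return routes


def gateway_mismatches(lease_text, netstat_text):
    """Interfaces whose lease router differs from the kernel's default gateway:
    {iface: (lease_router, kernel_gateway_or_None)}."""
    routes = default_routes(netstat_text)
    return {iface: (gw, routes.get(iface))
            for iface, gw in lease_gateways(lease_text).items()
            if routes.get(iface) != gw}


# Constructed lease file: the first block is the old lease, the second the
# renewal in which the ISP moved the router from .1 to .2.
SAMPLE_LEASES = """\
lease {
  interface "em0";
  fixed-address 203.0.113.50;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.1;
  option domain-name-servers 203.0.113.53;
  expire 1 2011/12/12 00:00:00;
}
lease {
  interface "em0";
  fixed-address 203.0.113.50;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.2;
  option domain-name-servers 203.0.113.53;
  expire 1 2011/12/19 00:00:00;
}
"""

# Constructed `netstat -rn` output: the kernel still points at the old router.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0    48213    em0
10.0.0.0/8         link#2             U           0     9912    em1
127.0.0.1          link#5             UH          0      312    lo0
203.0.113.0/24     link#1             U           0     1820    em0
"""

if __name__ == "__main__":
    print(gateway_mismatches(SAMPLE_LEASES, SAMPLE_NETSTAT))
```

On the box, feed it the contents of the WAN lease file and the output of `netstat -rn`. A non-empty result is the state Jeppe describes: the lease has moved to .2 while the kernel still sends everything to .1, and it stays that way across a release/renew. Espen's symptom, a default route pointing at an address on another interface, shows up the same way, as the WAN interface having no default route at all.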


Re: [pfSense] Encryption domain?

2011-12-19 Thread Ståle Johnsen
Thank you for your well detailed answer. Really appreciate it :)

2011/12/16 Ian Bowers 

>
>
> On Fri, Dec 16, 2011 at 8:35 AM, Jim Pingle  wrote:
>
>> On 12/16/2011 8:06 AM, Ståle Johnsen wrote:
>> > 2011/12/16 Jim Pingle <li...@pingle.org>
>> > On 12/16/2011 5:43 AM, Ståle Johnsen wrote:
>> > > We have an ipsec between pfsense 2.0 and a cisco system. The
>> ipsec has
>> > > the following addresses:  /24 subnet (pfsense) <-> /32 single
>> address
>> > > (cisco). This is working fine but now the cisco side which is an
>> > > customer asks us to add an another single address on their side
>> > > (different subnet) to the "encryption domain". So from our /24
>> > subnet we
>> > > should be able to reach single address A and single address B
>> over the
>> > > tunnel. I can't find anything regarding this on pfsense. Is
>> encryption
>> > > domain Cisco only? Is this possible without adding another tunnel?
>> >
>> > Just add a second phase 2 entry, this one between your /24 and their
>> > second /32. Easy as that.
>> >
>> > So this means that we get two tunnels, right? I don't think that is what
>> > the cisco side has, hence the "encryption domain". Your solution
>> > requires another tunnel on their side also doesn't it?
>>
>> No, one phase 1 with two phase 2's is exactly what their side has in
>> this situation. It's only supported on pfSense 2.0 and newer.
>>
>> It's a single tunnel that has multiple sets of networks allowed to use
>> the tunnel.
>>
>> Jim
>
> Jim hit the nail on the head.
>
> "encryption domain" is just network security engineer vernacular for "the
> groups of hosts/networks allowed to talk on a given tunnel".  I think only
> Checkpoint uses the term officially (since they supernet everything into
> one bidirectional flow if I remember right), but it's a common term that
> people throw around with VPNs since different vendors use different methods
> to classify what traffic is going to go through a given tunnel on their
> devices.
>
> In your case you're right, you would get two tunnels.  sort of.  it's a
> little funky since the term "tunnel" describes a number of things that are
> also refered to as "tunnels".  so right now you essentially have this as
> your encryption domain for this tunnel:
>
> x.x.x.x/24 <---> y.y.y.y/32
>
> This is a simple case.  your gear brings up a single phase 1 Security
> Association (or commonly "tunnel") to negotiate phase 2, then a single
> phase 2 Security Association (also commonly "tunnel") to pass traffic.
>
> In the next case you'll have this configured as your "encryption domain"
> for this tunnel:
>
> x.x.x.x/24 <---> y.y.y.y/32
> x.x.x.x/24 <---> z.z.z.z/32
>
> In this case you get a single phase 1 SA, and two phase 2 SAs.  So you
> have a tunnel that's configured to have two tunnels riding over a tunnel.
>  The term "tunnel" is just used for pretty much anything VPN related by
> most people, and it ends up getting confusing.
>
> The way I and most of my technical peers tend to refer to it all is like
> this:   We only use tunnel as a "meta" term.   "the tunnel to such and such
> customer".  it's used in a non-technical sense, just meaning "that thar
> virtual connection".  Phase 1 SAs and Phase 2 SAs are referred to exactly
> like that.  Because it tends to be the most correct term, and avoids
> confusion when talking about "tunnels".
>
> So to wrap all my rambling up, your "tunnel" is the whole of your
> connection to the other side, whatever ends up going over it.  the
> "encryption domain" is the set of networks that are allowed to talk to
> each other, however your chosen software vendor chooses to classify the
> traffic (typically it's listed as one network/host to one other
> network/host at a time).  Each line in your encryption domain defines one
> Phase 2 SA in your "tunnel".
>
> I really hope that's clear.  I do so much with this stuff every day that I
> sometimes lose scope of how to describe it.
>
> -Ian
>
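What Jim and Ian describe, one phase 1 SA with a list of phase 2 selectors under it, as a small Python model that also answers the practical question of which SA (if any) a given packet rides on. This is an added example, not code from the thread or from pfSense; the addresses 192.0.2.0/24, 198.51.100.10 and 203.0.113.20 stand in for the x, y and z in Ian's reply, and the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Phase2:
    """One phase 2 SA: a pair of networks allowed to talk across the tunnel."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def carries(self, src, dst):
        return src in self.local and dst in self.remote


@dataclass
class Tunnel:
    """One phase 1 SA to `peer`, with any number of phase 2 SAs under it."""
    peer: str
    phase2: list = field(default_factory=list)

    def add_phase2(self, local, remote):
        self.phase2.append(Phase2(ipaddress.ip_network(local, strict=False),
                                  ipaddress.ip_network(remote, strict=False)))

    def encryption_domain(self):
        """The lines a network engineer would put on the whiteboard."""
        return [f"{p.local} <---> {p.remote}" for p in self.phase2]

    def sa_count(self):
        return {"phase1": 1, "phase2": len(self.phase2)}

    def classify(self, src, dst):
        """Index of the phase 2 SA carrying a packet from src to dst, and the
        direction; None when the pair is outside the encryption domain, in
        which case this tunnel does not encrypt that traffic at all."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, p in enumerate(self.phase2):
            if p.carries(s, d):
                return i, "outbound"
            if p.carries(d, s):
                return i, "inbound"
        return None


def build_customer_tunnel():
    """Ståle's case after the customer's request: one phase 1, two phase 2s.
    Addresses are placeholders for the x/y/z in the thread."""
    t = Tunnel(peer="198.51.100.1")
    t.add_phase2("192.0.2.0/24", "198.51.100.10/32")   # x.x.x.x/24 <---> y.y.y.y/32
    t.add_phase2("192.0.2.0/24", "203.0.113.20/32")    # x.x.x.x/24 <---> z.z.z.z/32
    return t


if __name__ == "__main__":
    t = build_customer_tunnel()
    print(t.sa_count())
    for line in t.encryption_domain():
        print("  " + line)
    for src, dst in [("192.0.2.7", "198.51.100.10"),
                     ("203.0.113.20", "192.0.2.7"),
                     ("192.0.2.7", "203.0.113.21")]:
        print(src, "->", dst, t.classify(src, dst))
```

The third lookup is the case to keep in mind when the customer adds a host: a destination one address off the agreed /32 matches no phase 2 and therefore leaves the firewall unencrypted (or is dropped by policy), which looks exactly like "the tunnel is up but the host is unreachable".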