Re: [pfSense] creating a 1:1 NAT WAN to DMZ
On 17/02/2012 04:59, Jason T. Slack-Moehrle wrote:
> Hi Guys,
>
> I changed to IP Alias rather than ARP.
>
> I put each of my static IP's on the WAN Interface, 1 at a time, saved and reloaded and pinged it from the LAN (which is where this server is I want to hit as well)
>
> I still cannot seem to get this working.
>
> attached is a pic of the IPAlias change.
>
> -Jason

I think you have to change the subnet mask used on your VIP. When configuring an IP Alias, it says about the netmask "This must be the network's subnet mask", so it cannot be a /32. Make it the same as your WAN IP (ie: /27 or whatever it is).

Also on your previous screenshots (http://6colors.net/interfaces.png), it clearly shows that your WAN interface is down. I doubt you can get an answer even from the LAN side if it's DOWN.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
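A check for the subnet-mask point made in the reply above, as an added example that is not from the thread or from pfSense itself; the 203.0.113.0/29 addresses, the VIP list and the `check_vip`/`check_all` helpers are constructed placeholders for the poster's /29 block.

```python
"""Sanity-check pfSense IP Alias VIPs against the WAN subnet.

Added example, not code from the list thread or from pfSense. It encodes
the reply's two points: an IP Alias must carry the network's own mask
(never /32) and must sit inside the WAN subnet. Addresses are constructed
placeholders for the /29 block described in the thread.
"""
import ipaddress

# Constructed WAN address: the firewall holds .25 of a /29 block.
WAN_IP = "203.0.113.25/29"

# Constructed VIP list as (address/prefix, VIP type). The first two
# reproduce the mistakes discussed: a /32 mask on an IP Alias, and a
# Proxy ARP entry left over from the earlier configuration.
VIPS = [
    ("203.0.113.26/32", "ipalias"),
    ("203.0.113.27/29", "proxyarp"),
    ("203.0.113.28/29", "ipalias"),
    ("203.0.113.29/29", "ipalias"),
    ("203.0.113.40/29", "ipalias"),
]


def check_vip(vip: str, kind: str, wan: str) -> list:
    """Return the problems found for one VIP (empty list if it looks fine)."""
    wan_if = ipaddress.ip_interface(wan)
    vip_if = ipaddress.ip_interface(vip)
    problems = []
    if vip_if.ip not in wan_if.network:
        problems.append(f"{vip}: outside WAN network {wan_if.network}")
    if kind == "ipalias" and vip_if.network.prefixlen != wan_if.network.prefixlen:
        # The GUI text quoted above: the mask must be the network's mask.
        problems.append(f"{vip}: mask /{vip_if.network.prefixlen} should be "
                        f"/{wan_if.network.prefixlen} to match the WAN subnet")
    elif kind == "proxyarp":
        problems.append(f"{vip}: still Proxy ARP; the thread recommends IP Alias")
    return problems


def check_all(vips=VIPS, wan=WAN_IP) -> dict:
    """Map each VIP that has problems to the list of problems found."""
    report = {}
    for vip, kind in vips:
        found = check_vip(vip, kind, wan)
        if found:
            report[vip] = found
    return report


if __name__ == "__main__":
    for problems in check_all().values():
        print("\n".join(problems))
```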
Re: [pfSense] creating a 1:1 NAT WAN to DMZ
On Thu, Feb 16, 2012 at 10:59 PM, Jason T. Slack-Moehrle wrote:
> Hi Guys,
>
> I changed to IP Alias rather than ARP.
>
> I put each of my static IP's on the WAN Interface, 1 at a time, saved and reloaded and pinged it from the LAN (which is where this server is I want to hit as well)
>
> I still cannot seem to get this working.

Since you mentioned you're using those IPs elsewhere, you're likely creating issues with an upstream ARP cache and will have to power cycle the upstream router (or clear the ARP if you have access to it, or may have to call your ISP to have them do it if you have no physical or administrative access). Make sure you take the IPs off the servers first or you have an IP conflict.
Re: [pfSense] creating a 1:1 NAT WAN to DMZ
Hi Guys,

I changed to IP Alias rather than ARP.

I put each of my static IP's on the WAN Interface, 1 at a time, saved and reloaded and pinged it from the LAN (which is where this server is I want to hit as well)

I still cannot seem to get this working.

attached is a pic of the IPAlias change.

-Jason

On Thu, Feb 16, 2012 at 1:44 AM, Andy Friar wrote:
> I would also change your aliases to be IPAlias rather than proxy ARP.
>
> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
> Sent: 16 February 2012 01:04
> To: list@lists.pfsense.org
> Subject: [pfSense] creating a 1:1 NAT WAN to DMZ
>
> Hi All,
>
> My struggle continues.
>
> So basically:
> 1. I have 5 IP's from Comcast in a /29.
> 2. I want my firewall assigned 75.149.xx.25 but want it to answer for my entire /29.
> 3. Create a 1:1 NAT for each public IP except .25. (so .26, .27, .28, .29, etc)
> 4. Open Port 80 (and a few others) to .27 (the only IP I am using as of today)
>
> Here are screen shots of what I have so far:
>
> http://6colors.net/1-to-1_nat.png
> http://6colors.net/alias_list.png
> http://6colors.net/interfaces.png
> http://6colors.net/outbound_nat.png
> http://6colors.net/virtual_ips.png
> http://6colors.net/wan_rules.png
>
> Can anyone shed some light on what is going on? I just cannot simply get to the server after doing this.
>
> -Jason
Re: [pfSense] Alerts by Email
On 16/2/12 9:32 pm, bsd wrote:
> Use the zabbix package and configure some checks in your conf file seems the most straightforward way to answer your request.

I must admit the existence of this had completely passed me by. What extra 'stuff' does it allow to be monitored/graphed over and above setting up pfSense as a standard SNMPv2 device (which is how we have pfSense set in Zabbix at the moment, with a custom template to pick up the interfaces etc.)?

Kind regards,

Chris
--
This email is made from 100% recycled electrons
Re: [pfSense] Soekris 6501 installation question
On Jan 25, 2012, at 8:42 PM, Jim Pingle wrote:
>>> On 1/23/2012 2:33 PM, David Miller wrote:
>>>> On 1/23/12 1:52 PM, Jim Pingle wrote:
>>>> Can memsticks be used as the flash drive to run a pfsense instance on a soekris, or do I need to use that to install to another type of flash on the system?
>>> Yes, but you should really be using NanoBSD if you choose that path.
>>> Flash is way too short-lived to survive long with a full install for extended periods.
>>
>> Whiteboard level overview: Is there an easy way to install the nano image on the internal flash card in a soekris? I don't have the right pieces to dd to the internal flash outside of the soekris; Can I boot off the memstick and scp a nano image onto flash?
>
> You can boot the serial memstick (I updated it today for a customer so it's actually even more geared toward running on the 6501), let it boot all the way so it's on the network, then fetch the nanobsd image and write it out from there (may take some fiddling, don't have the syntax handy)
>
> The serial memstick is now also set to still use the serial console post-install, and it also defaults to em0 for wan, em1 for lan. Still best to pick the embedded kernel during install. It's still SMP-capable, but also set for the serial console.

So here's what I did:

downloaded serial memstick image (works fine, btw, thanks)
installed from memstick to a second USB flash drive so I can boot and get a console
booted on the second flash drive, went to command line, scp'd pfSense-2.0.1-RELEASE-2g-i386-nanobsd.img.gz to /root
gzcat pfSense-2.0.1-RELEASE-4g-amd64-nanobsd.img.gz | dd of=/dev/ad6 bs=512
(also tried pfSense-2.0.1-RELEASE-4g-amd64-nanobsd.img.gz)

I thought that would give me a nice, bootable, nanobsd (embedded, RO) setup. However, trying to boot on it gives me:

1 Seconds to automatic boot. Press Ctrl-P for entering Monitor.
/boot.config: -h
\

And it stops doing anything.

Does the image size (2/4 GB) have to match the flash size (16 GB)? I'm sure I'm doing something st00pid, but can't see what.

Pointers welcome!

--- David
Re: [pfSense] Alerts by Email
On 16 Feb 2012, at 20:26, Tom S wrote:
> Hi Everyone,
>
> I have 2 servers installed with PFsense 2.0.1, running Active/Passive with Carp.
> I would like to have the ability to send alerts by mail, all kinds of alerts, like Failover, problem with VIP, problem with Carp etc.
>
> Has someone found a solution for this issue?
>
> Thanks,
> Tom.

Use the zabbix package and configure some checks in your conf file seems the most straightforward way to answer your request.

Unless you want to transform your firewall into a monitoring tool ;-)

--
Grégory Bernard, Director
www.osnet.eu
Your provider of OpenSource appliances
Re: [pfSense] rc.filter_configure_sync - Lots of them
Hi Ermal,

I don't have any packages installed, only the base system.

Maybe a lot of events... I even tried to send all syslog to a remote machine to see if I catch something unusual...

I'll try to disable all log from my firewall rules and see what happens.

Thank you!

Diego

----- Original Message -----
From: "Ermal Luçi"
To: "pfSense support and discussion"
Sent: Thursday, February 16, 2012 6:33:58 PM
Subject: Re: [pfSense] rc.filter_configure_sync - Lots of them

On Thu, Feb 16, 2012 at 6:19 PM, Diego Barrios wrote:
> Hello list,
>
> I have a PFsense box (2.0.1) which from time to time runs out of memory (it has 2GB).
>
> Looking at the console, I can see lots of this script (more than 500 last time) eating all available RAM:
>
> 47487 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 47785 ?? SN 0:00.27 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 48643 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 50647 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 51960 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 53324 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 53396 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 54010 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 54261 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 54731 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
>
> How can I debug this? What is the function of this script?

You have either too many events on your system: changing ip? Or you have some stupid package calling filter_configure_sync directly and pile them up.

Usually they stay like that either because there are too many or because the locking used has been messed up.

First check the packages installed.

> It's a pretty simple setup, with NAT and a few firewall rules, some gateways and gateway group for redundancy.
>
> Can someone explain this behavior?
>
> Thank You very much!

--
Ermal
Re: [pfSense] rc.filter_configure_sync - Lots of them
On Thu, Feb 16, 2012 at 6:19 PM, Diego Barrios wrote:
> Hello list,
>
> I have a PFsense box (2.0.1) which from time to time runs out of memory (it has 2GB).
>
> Looking at the console, I can see lots of this script (more than 500 last time) eating all available RAM:
>
> 47487 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 47785 ?? SN 0:00.27 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 48643 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 50647 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 51960 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 53324 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 53396 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 54010 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 54261 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
> 54731 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
>
> How can I debug this? What is the function of this script?

You have either too many events on your system: changing ip? Or you have some stupid package calling filter_configure_sync directly and pile them up.

Usually they stay like that either because there are too many or because the locking used has been messed up.

First check the packages installed.

> It's a pretty simple setup, with NAT and a few firewall rules, some gateways and gateway group for redundancy.
>
> Can someone explain this behavior?
>
> Thank You very much!

--
Ermal
[pfSense] Question: less noise in the logs
Hi,

I've tweaked my rule sets to lower the amount of noise in the firewall logs. Mostly that works. I'm seeing a fair number of entries looking like this:

Feb 16 08:32:27 LAN 192.168.21.134:56385 173.194.XX.XX:443 TCP:FA

It looks like a browser is trying to close a stale connection which has already timed out in PF. I've tried to create a rule that matches the TCP FA flags, but that does not seem to work. Whatever you set in the Advanced section for the TCP flags, the rule I get is this:

block return in log quick on bridge0 inet proto tcp from 192.168.21.0/24 to any flags S/SA label "USER_RULE: Reject stale FA/FA packets"

I'd expect FA/FA, which is what I specified.

This is 2.0.1, BTW.

-- Gé
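As an added example that is not part of the original post, a small triage script for the log format shown above: it separates SYN-less TCP entries (the stale FIN/ACK closes the post describes) from genuine connection attempts and counts the noise per destination port, which is the view you want before deciding which blocks still deserve logging. The sample lines, the 203.0.113.0/24 addresses and the `triage` helper are constructed.

```python
"""Triage pfSense filter-log entries for stale-connection noise.

Added example, not from the list thread or from pfSense. It parses lines in
the format shown above, separates TCP entries with no SYN (FA, R, RA: a peer
tearing down a state pf already expired) from real connection attempts, and
counts the noise per destination port. Sample lines are constructed;
203.0.113.0/24 stands in for the masked 173.194.XX.XX address.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)

# Constructed sample: two FIN/ACK stragglers, one RST/ACK, two SYNs, one UDP.
SAMPLE_LOG = """\
Feb 16 08:32:27 LAN 192.168.21.134:56385 203.0.113.10:443 TCP:FA
Feb 16 08:32:31 LAN 192.168.21.134:56386 203.0.113.10:443 TCP:FA
Feb 16 08:33:02 LAN 192.168.21.140:40112 203.0.113.22:80 TCP:RA
Feb 16 08:33:09 LAN 192.168.21.150:51000 203.0.113.30:22 TCP:S
Feb 16 08:33:15 LAN 192.168.21.150:51001 203.0.113.30:445 TCP:S
Feb 16 08:33:20 LAN 192.168.21.134:56390 203.0.113.10:53 UDP
"""

def parse_line(line: str):
    """Return the fields of one log entry as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_stale_close(entry: dict) -> bool:
    """TCP with FIN or RST set and no SYN: tail end of a connection pf no longer tracks."""
    flags = entry.get("flags") or ""
    return entry["proto"] == "TCP" and "S" not in flags and ("F" in flags or "R" in flags)

def triage(log_text: str):
    """Return (stale_noise_by_dport, real_attempts, unparsed_lines) for a log block."""
    noise, attempts, unparsed = Counter(), [], []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            unparsed.append(raw)
        elif is_stale_close(entry):
            noise[entry["dport"]] += 1
        else:
            attempts.append(entry)
    return noise, attempts, unparsed

if __name__ == "__main__":
    noise, attempts, unparsed = triage(SAMPLE_LOG)
    print("stale-close noise per destination port:", dict(noise))
    print("entries worth keeping:", len(attempts), "unparsed:", len(unparsed))
```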
[pfSense] Alerts by Email
Hi Everyone,

I have 2 servers installed with PFsense 2.0.1, running Active/Passive with Carp.
I would like to have the ability to send alerts by mail, all kinds of alerts, like Failover, problem with VIP, problem with Carp etc.

Has someone found a solution for this issue?

Thanks,
Tom.
[pfSense] rc.filter_configure_sync - Lots of them
Hello list,

I have a PFsense box (2.0.1) which from time to time runs out of memory (it has 2GB).

Looking at the console, I can see lots of this script (more than 500 last time) eating all available RAM:

47487 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
47785 ?? SN 0:00.27 /usr/local/bin/php -f /etc/rc.filter_configure_sync
48643 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
50647 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
51960 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
53324 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
53396 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
54010 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
54261 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync
54731 ?? IWN 0:00.00 /usr/local/bin/php -f /etc/rc.filter_configure_sync

How can I debug this? What is the function of this script?

It's a pretty simple setup, with NAT and a few firewall rules, some gateways and gateway group for redundancy.

Can someone explain this behavior?

Thank You very much!
Re: [pfSense] creating a 1:1 NAT WAN to DMZ
I would also change your aliases to be IPAlias rather than proxy ARP.

-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
Sent: 16 February 2012 01:04
To: list@lists.pfsense.org
Subject: [pfSense] creating a 1:1 NAT WAN to DMZ

Hi All,

My struggle continues.

So basically:
1. I have 5 IP's from Comcast in a /29.
2. I want my firewall assigned 75.149.xx.25 but want it to answer for my entire /29.
3. Create a 1:1 NAT for each public IP except .25. (so .26, .27, .28, .29, etc)
4. Open Port 80 (and a few others) to .27 (the only IP I am using as of today)

Here are screen shots of what I have so far:

http://6colors.net/1-to-1_nat.png
http://6colors.net/alias_list.png
http://6colors.net/interfaces.png
http://6colors.net/outbound_nat.png
http://6colors.net/virtual_ips.png
http://6colors.net/wan_rules.png

Can anyone shed some light on what is going on? I just cannot simply get to the server after doing this.

-Jason
Re: [pfSense] creating a 1:1 NAT WAN to DMZ
Creating a MIP or 1to1 NAT alone does not automatically make it pingable. You'd also need to create rules to forward ICMP and have a device alive behind it to return the packets. Or did I miss something here?

On Wed, Feb 15, 2012 at 10:32 PM, Jason T. Slack-Moehrle <slackmoeh...@gmail.com> wrote:
> ah, I see. I will try this in the morning and report back.
>
> --
> Jason T. Slack-Moehrle
>
> On Wednesday, February 15, 2012 at 6:12 PM, Yehuda Katz wrote:
>> On Wed, Feb 15, 2012 at 8:57 PM, Jason T. Slack-Moehrle <slackmoeh...@gmail.com> wrote:
>>>>> Can anyone shed some light on what is going on? I just cannot simply get to the server after doing this.
>>>>
>>>> We had a similar issue on Verizon. We allowed all ICMP PINGs through the firewall and tried to ping each address. The primary (assigned to the pfsense) responded and the others did not. It seems that the pfSense was not properly picking up the ARP requests unless it was the primary IP. (We did some other testing by connecting a computer to act as a packet sniffer in between the NOC and the pfSense. We never got around to figuring out why it did not work, since we found a workaround.)
>>>>
>>>> We "solved" the problem by setting the primary interface IP to each of our IPs in turn and pinged it and then fixing the Virtual IP configuration.
>>>>
>>>> We only had to do that once and it has run fine ever since.
>>>
>>> I don't follow what this means exactly and how to test this on my setup to see if it solves my problem.
>>
>> Change the WAN IP to one of your other assigned addresses, save, apply, repeat until you have returned to your original address.
>>
>> I would give you screenshots, but I am using my development pfSense VM for trying to fix a different bug, so it is unusable right now.
>>
>> - Y