[pfSense] Why no dnssec in dnsmasq by default?
Adding the three lines

  dnssec
  dnssec-check-unsigned
  trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

to dnsmasq in pfSense makes dnsmasq DNSSEC aware. Is there a reason why there is no tickable box to enable this in the GUI, or why it is not enabled by default?

Thanks, Adrian.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
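As an added example (not part of the post or of pfSense/dnsmasq), a small checker for a dnsmasq DNSSEC fragment like the three lines above: it verifies that validation is actually switched on, that the DS-style trust-anchor fields parse and the digest length matches the digest type, and it flags the root key tag 19036 (KSK-2010) as stale, since the root KSK was rolled to key tag 20326 in 2018. The config fragments are constructed here.

```python
import re

# Constructed dnsmasq fragments: the three lines from the post, and a broken variant.
DNSMASQ_FROM_POST = """\
dnssec
dnssec-check-unsigned
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
"""
DNSMASQ_BROKEN = """\
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5ZZ
"""

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}   # DS digest types: SHA-1, SHA-256, SHA-384
CURRENT_ROOT_KSK_TAG = 20326              # KSK-2017; 19036 (KSK-2010) was rolled in 2018

def check_dnssec_config(text):
    """Return a list of problems found in a dnsmasq DNSSEC configuration fragment."""
    opts = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    problems = []
    if "dnssec" not in opts:
        problems.append("dnssec not enabled: no validation at all")
    if "dnssec-check-unsigned" not in opts:
        problems.append("dnssec-check-unsigned missing: unsigned answers are not proven unsigned")
    anchors = [o for o in opts if o.startswith("trust-anchor=")]
    if not anchors:
        problems.append("no trust-anchor configured")
    for a in anchors:
        fields = a[len("trust-anchor="):].split(",")   # zone,keytag,algorithm,digesttype,digest
        if len(fields) != 5:
            problems.append(f"malformed trust-anchor: {a}")
            continue
        zone, tag, alg, dtype, digest = fields
        try:
            tag, alg, dtype = int(tag), int(alg), int(dtype)
        except ValueError:
            problems.append(f"non-numeric field in trust-anchor: {a}")
            continue
        expect = DIGEST_HEX_LEN.get(dtype)
        if expect is None or not re.fullmatch(rf"[0-9A-Fa-f]{{{expect}}}", digest):
            problems.append(f"digest does not match digest type {dtype} for key tag {tag}")
        if zone == "." and tag != CURRENT_ROOT_KSK_TAG:
            problems.append(f"root trust anchor key tag {tag} is not the current root KSK "
                            f"({CURRENT_ROOT_KSK_TAG}); fetch the current anchor from IANA")
    return problems
```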
Re: [pfSense] Internal Clock Broke
On Fri 26 Jun 2015 14:54:38 NZST +1200, Brian Caouette wrote:

> Anyone else notice the clock is broke on 2.2.3? Anything time related
> is seriously off.

Agreed. It's broken in 2.2.4 too. At least the upgrade to 2.2.4 did not change the time zone (Pacific/Auckland) for me. I can no longer tell for the upgrade to 2.2.3.

Time synchronisation does not happen. I configured 2 time servers, both reachable, and the system time is wrong.

pfsense # ntpdate -qu 0.pfsense.pool.ntp.org time.paradise.net.nz
server 130.217.226.50, stratum 1, offset -11.124288, delay 0.05031
server 103.239.8.22, stratum 1, offset -11.124315, delay 0.03931
server 203.96.152.12, stratum 3, offset -11.120111, delay 0.04111
24 Aug 12:13:24 ntpdate[95005]: step time server 103.239.8.22 offset -11.124315 sec

11 seconds difference does not happen if NTP is working. uptime 23 days. Hardware is PCEngines APU1.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
Re: [pfSense] Internal Clock Broke
Hello,

On 2015-08-24 10:33, Volker Kuhlmann wrote:
> On Fri 26 Jun 2015 14:54:38 NZST +1200, Brian Caouette wrote:
>
> Time synchronisation does not happen. I configured 2 time servers, both reachable, and the system time is wrong.
>
> pfsense # ntpdate -qu 0.pfsense.pool.ntp.org time.paradise.net.nz
> server 130.217.226.50, stratum 1, offset -11.124288, delay 0.05031
> server 103.239.8.22, stratum 1, offset -11.124315, delay 0.03931
> server 203.96.152.12, stratum 3, offset -11.120111, delay 0.04111
> 24 Aug 12:13:24 ntpdate[95005]: step time server 103.239.8.22 offset -11.124315 sec
>
> 11 seconds difference does not happen if NTP is working.

Here NTP works only on the master. Doesn't work on the slave. pfSense 2.1.5 on amd64.

bye

-- 
Jérôme Alet - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tel: +687 290081 Fax: +687 254829
Re: [pfSense] Internal Clock Broke
On 2015-08-24 11:33, Volker Kuhlmann wrote:
> On Fri 26 Jun 2015 14:54:38 NZST +1200, Brian Caouette wrote:
> > Anyone else notice the clock is broke on 2.2.3? Anything time related
> > is seriously off.
>
> Agreed. It's broken in 2.2.4 too. At least the upgrade to 2.2.4 did not change the time zone (Pacific/Auckland) for me. I can no longer tell for the upgrade to 2.2.3.
>
> Time synchronisation does not happen. I configured 2 time servers, both reachable, and the system time is wrong.
>
> pfsense # ntpdate -qu 0.pfsense.pool.ntp.org time.paradise.net.nz
> server 130.217.226.50, stratum 1, offset -11.124288, delay 0.05031
> server 103.239.8.22, stratum 1, offset -11.124315, delay 0.03931
> server 203.96.152.12, stratum 3, offset -11.120111, delay 0.04111
> 24 Aug 12:13:24 ntpdate[95005]: step time server 103.239.8.22 offset -11.124315 sec
>
> 11 seconds difference does not happen if NTP is working. uptime 23 days. Hardware is PCEngines APU1.
>
> Volker

No issues here (also Pacific/Auckland) with any 2.2 release.

I have about a dozen 2.2.x systems (plus some older ones that I really must get upgraded) that are a mixture of physical and virtual, none of which have any time problems that I am aware of. I have just logged into all of them and checked to make sure. The physical ones are mostly current model pfSense store hardware. All the virtuals are KVM.

This is off a 2.2.4 that is a KVM guest and the one with the largest offset.

# ntpdate -qu 0.pfsense.pool.ntp.org time.paradise.net.nz
server 103.242.68.68, stratum 2, offset -0.003817, delay 0.05771
server 103.242.68.69, stratum 2, offset -0.003988, delay 0.05685
server 203.96.152.12, stratum 0, offset 0.00, delay 0.0
24 Aug 11:53:45 ntpdate[9217]: adjust time server 103.242.68.69 offset -0.003988 sec

Regards

Mike
Re: [pfSense] Internal Clock Broke
On Mon 24 Aug 2015 12:16:28 NZST +1200, Brady, Mike wrote:

> No issues here (also Pacific/Auckland) with any 2.2 release.

Well, mine is a stock 2.2.x install, about 12 months old, upgraded a few times to minor point releases. I hacked the php of squid, squidguard and ssh (out of necessity, no BUI support), which doesn't affect ntp.

There is nothing unusual in the log, except maybe this warning:

Aug 24 ...: restrict: 'monitor' cannot be disabled while 'limited' is enabled

After enabling ntpq queries under advanced, ntpd does not sync within a minute:

# ntpq -c peer -n
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 103.242.70.5    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.96.152.12   .INIT.          16 u    -   64    0    0.000    0.000   0.000

On Linux, restarting (stop, start) ntpd gives the stratum info immediately, and syncs to these servers in under 5 minutes. pfsense has done nothing after 15 minutes.

There is a problem here. What could it be?

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
Re: [pfSense] Internal Clock Broke
On 2015-08-24 13:32, Volker Kuhlmann wrote:
> On Mon 24 Aug 2015 12:16:28 NZST +1200, Brady, Mike wrote:
> > No issues here (also Pacific/Auckland) with any 2.2 release.
>
> Well, mine is a stock 2.2.x install, about 12 months old, upgraded a few times to minor point releases. I hacked the php of squid, squidguard and ssh (out of necessity, no BUI support), which doesn't affect ntp.
>
> There is nothing unusual in the log, except maybe this warning:
>
> Aug 24 ...: restrict: 'monitor' cannot be disabled while 'limited' is enabled
>
> After enabling ntpq queries under advanced, ntpd does not sync within a minute:
>
> # ntpq -c peer -n
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  103.242.70.5    .INIT.          16 u    -   64    0    0.000    0.000   0.000
>  203.96.152.12   .INIT.          16 u    -   64    0    0.000    0.000   0.000
>
> On Linux, restarting (stop, start) ntpd gives the stratum info immediately, and syncs to these servers in under 5 minutes. pfsense has done nothing after 15 minutes.
>
> There is a problem here. What could it be?
>
> Thanks,
>
> Volker

Volker

I think that the INIT states indicate that you are not in fact synced. What does ntpq -n -c peers show?

I would also suggest that you have at least 3 servers configured to sync against.

Regards

Mike
Re: [pfSense] Internal Clock Broke
On Mon 24 Aug 2015 14:11:22 NZST +1200, Brady, Mike wrote:

> I think that the INIT states indicate that you are not in fact
> synced.

Yes, I took that for granted. But why? ntpdate to the same servers connects fine. Default pfsense config - well I added one time server and enabled ntpq. It looks like ntpd can't talk to the servers, but why, when ntpdate works fine? Both running on pfsense.

OK found it. Under access restrictions, the option "Disable all except ntpq and ntpdc queries (default: disabled)." must NOT be ticked! The default is ticked. This seems to prevent ntpd altogether from talking to the time servers. That looks like a bug. Could you compare your config, please?

> What does ntpq -n -c peers show?

Same. You can shorten "peers" all the way to "pe".

> I would also suggest that you have at least 3 servers configured to
> sync against.

Point taken, but it depends on how important it is (have another time server), and it's not the issue here.

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
Re: [pfSense] Access Point Recommendations?
Does anyone have any recommendations for a/ac models, AP only, as in only radio, no router/switch stuff? Dumb is good, I use pfsense already and don't need more complexity in closed-source buggy devices. Single-RJ45 perfect, as soon as there are LAN and WAN ports the problems start (like everyone thinking the only secure way to configure the AP is over the wifi!).

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
Re: [pfSense] Access Point Recommendations?
Oh, god, not again...

Search the list archives from about a month ago. The consensus was, roughly, that the Ubiquiti UniFi products were pretty good but had some quirks. As I recall, everything else discussed was either:
- insanely expensive, or
- crap (or both), or
- only works well for one or two people on the list.

(Note that the UniFi controller does *not* need to be running 24x7, or ever again for that matter, for basic single AP setups.)

-Adam

On August 23, 2015 10:36:57 PM CDT, Volker Kuhlmann wrote:
> Does anyone have any recommendations for a/ac models, AP only, as in
> only radio, no router/switch stuff? Dumb is good, I use pfsense already
> and don't need more complexity in closed-source buggy devices.
> Single-RJ45 perfect, as soon as there are LAN and WAN ports the problems
> start (like everyone thinking the only secure way to configure the AP is
> over the wifi!).
>
> Thanks,
>
> Volker
>
> -- 
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/ Please do not CC list postings to me.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [pfSense] Internal Clock Broke
On 2015-08-24 15:25, Volker Kuhlmann wrote:
> OK found it. Under access restrictions, the option "Disable all except ntpq and ntpdc queries (default: disabled)." must NOT be ticked! The default is ticked. This seems to prevent ntpd altogether from talking to the time servers. That looks like a bug. Could you compare your config, please?

It is not ticked on any (three) of the machines that I have just looked at. This is not something that I would have ever changed. Two of the machines are upgrades from releases prior to 2.2 but the third was a clean 2.2 install.

> > What does ntpq -n -c peers show?
>
> Same. You can shorten "peers" all the way to "pe".

Sorry, I meant ntpq -n -c ass. The condition column will tell you if they are talking or not.
Re: [pfSense] Internal Clock Broke
On Mon 24 Aug 2015 16:22:04 NZST +1200, Brady, Mike wrote:

> It is not ticked on any (three) of the machines that I have just
> looked at. This is not something that I would have ever changed.

Perhaps my memory is wrong and I did change mine. Why have an advanced option that stops the whole thing from working? Perhaps it's for locally connected clock sources.

> Sorry, I meant ntpq -n -c ass.

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 40532  8011   yes   no   none    reject    mobilize  1
  2 40533  8011   yes   no   none    reject    mobilize  1

Yes, thanks muchly.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
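The thread's diagnosis rests on reading the ntpq billboards: a peer stuck at refid .INIT., stratum 16 and reach 0 (and "reject" in the ass condition column) means ntpd never received a reply, which points at local access restrictions or filtering rather than at the server. As an added example that is not from the thread or from pfSense, a small parser for `ntpq -n -c pe` output that separates "never reached" peers from peers that answer but are rejected; both billboards are constructed in the same layout as the ones posted above.

```python
# Constructed `ntpq -n -c pe` billboards in the layout shown in the thread.
PEERS_UNSYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 103.242.70.5    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.96.152.12   .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""
PEERS_HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*103.242.68.69   130.217.226.50   2 u   37   64  377    0.057   -0.004   0.012
+203.96.152.12   203.96.152.4     3 u   41   64  377    0.041   -0.004   0.010
"""

# Tally code in the first column, as printed by ntpq.
TALLY = {"*": "syspeer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "backup", " ": "rejected", "o": "pps"}

def parse_peers(text):
    """Return one dict per peer line of an `ntpq -n -c pe` billboard."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith("=") or "remote" in line:
            continue                      # header or separator line
        tally, rest = line[0], line[1:].split()
        if len(rest) < 10:
            continue                      # not a peer line
        peers.append({"remote": rest[0], "refid": rest[1], "st": int(rest[2]),
                      "reach": int(rest[6], 8),      # reach register is printed in octal
                      "tally": TALLY.get(tally, "?")})
    return peers

def diagnose(text):
    """Distinguish peers that never answered from peers that answer but are rejected."""
    findings = []
    for p in parse_peers(text):
        if p["refid"] == ".INIT." or p["st"] == 16 or p["reach"] == 0:
            findings.append(f"{p['remote']}: no replies received (reach={p['reach']:o}); "
                            "check ntpd access restrictions and firewall rules, not the server")
        elif p["tally"] in ("falseticker", "rejected"):
            findings.append(f"{p['remote']}: reachable but rejected ({p['tally']})")
    return findings
```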
Re: [pfSense] Internal Clock Broke
On 8/23/15 10:44 PM, Volker Kuhlmann wrote:
> On Mon 24 Aug 2015 16:22:04 NZST +1200, Brady, Mike wrote:
>
>> It is not ticked on any (three) of the machines that I have just
>> looked at. This is not something that I would have ever changed.
>
> Perhaps my memory is wrong and I did change mine. Why have an advanced
> option that stops the whole thing from working? Perhaps it's for locally
> connected clock sources.
>
>> Sorry, I meant ntpq -n -c ass.
>
> ind assid status  conf reach auth condition  last_event cnt
> ===========================================================
>   1 40532  8011   yes   no   none    reject    mobilize  1
>   2 40533  8011   yes   no   none    reject    mobilize  1
>
> Yes, thanks muchly.

If you're running a new enough NTP installation, additionally see the output of:

ntpq -c apeers

H