Re: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice

2016-05-11 Thread Vick Khera
On Tue, May 10, 2016 at 4:55 PM, Mike Montgomery wrote:

> I have two servers, setup in high availability that are currently running
> 2.2.6.  I have been running 2.3 at home and my test servers and am ready to
> upgrade the office to 2.3 as well.  I have been reading several upgrade
> guides, as to which one to upgrade first, but would like to see if anyone
> has upgraded a HA setup yet successfully?
>

Here is how I upgrade mine, whatever the upgrade versions:

1) upgrade the backup firewall
2) on primary, in CARP Status, enter persistent backup mode (the button on
the right side of the top row)
3) wait a moment or two to let the VPNs and traffic move from the primary
to the backup (usually a few seconds at most)
4) upgrade primary at your leisure
5) on primary, un-click the persistent backup mode button.

This usually works really well. However, when I did this 2.2 -> 2.3 upgrade
Monday at my data center, my terminal window into my management server had
its ssh connection severed right when the primary was booted. I suspect
there is some race between the networking starting and the thing that sets
the persistent backup mode, but this only happened to me once.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
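Step 3 of the procedure above is the one that deserves a check rather than a guess: before the primary is rebooted for its upgrade, every CARP VIP on it should actually report BACKUP. The following is an added example, not something from the thread or from pfSense itself. It parses the "carp: STATE vhid N ..." lines that FreeBSD's ifconfig prints; the interface names, addresses and vhids in SAMPLE_IFCONFIG are constructed, not the poster's.

```shell
#!/bin/sh
# Added example, not from the thread. Before upgrading the primary, confirm
# that every CARP VIP on this node has gone to BACKUP. Parses the
# "carp: STATE vhid N advbase A advskew S" lines printed by FreeBSD ifconfig.
# SAMPLE_IFCONFIG is constructed; interfaces, addresses and vhids are assumptions.

SAMPLE_IFCONFIG='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 0'

# carp_states: read ifconfig output on stdin, print one "VHID STATE" pair per CARP VIP
carp_states() {
    awk '$1 == "carp:" { print $4, $2 }'
}

# all_backup: exit 0 only if the ifconfig text on stdin has at least one CARP
# VIP and every one of them is BACKUP. MASTER or INIT means traffic has not
# moved yet (or a VIP is misconfigured); no VIPs at all is also a failure.
all_backup() {
    carp_states | awk '{ seen = 1 } $2 != "BACKUP" { bad = 1 }
                       END { exit (seen && !bad) ? 0 : 1 }'
}

# wait_for_backup: poll the live ifconfig up to N seconds (default 30)
wait_for_backup() {
    tries=${1:-30}
    while [ "$tries" -gt 0 ]; do
        if ifconfig 2>/dev/null | all_backup; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Demonstration on the constructed sample: vhid 2 is still MASTER, so the check fails
# and the offending VIP is named.
if printf '%s\n' "$SAMPLE_IFCONFIG" | all_backup; then
    echo "all CARP VIPs are BACKUP; safe to upgrade this node"
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | carp_states \
        | awk '$2 != "BACKUP" { print "vhid " $1 " is still " $2 "; wait before upgrading" }'
fi
```

On a live node, `wait_for_backup 60 && echo ok` between steps 2 and 4 replaces the "wait a moment or two". If the VIPs never flip, `sysctl net.inet.carp.demotion` on the primary is worth reading: a node whose demotion counter is positive should be losing the CARP elections, and if it is not, the peer is not seeing its advertisements.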


Re: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice

2016-05-11 Thread Mike Montgomery
Thanks, I am now up to date.  Guess I was just trying to overcomplicate
things, everything upgraded without any quirks at all.



Re: [pfSense] Port mapping like reverse proxy

2016-05-11 Thread ED Fochler
> On 2016, May 11, at 1:48 AM, FrancisM wrote:
> 
> Is there any plugins from pfsense to do this kind of configuration just
> like reverse proxy. this is the scenario. I only have 1 public IP address...
> I know I can achieve this using other ports (higher ports) to mapped to my
> internal local server however I want to do it like this to mapped 1 to 1 in
> the same port. Is this possible in pfsense?
> ...

Nope, I don’t think so.  HTTP specifically sends the URL as part of the request, 
so routing can then be done based on host name for virtual hosts on a single 
server.  I’m not aware of any such mechanism for SSH or RDP; the information 
just isn’t presented.  You’d need to separate by some network parameter like 
port or source address …

If you really want inside your network, you probably want to do VPN or SSH 
tunneling.  SSH is not pfSense-specific, but it’s part of the package, and it 
does afford key-based encryption around the RDP connections to arbitrary 
machines so you don’t have to worry about weak RDP encryption. It’s not a 
Microsoft-branded RD gateway if that’s what you were looking for.  And there 
are VPN options.  The book is worth the price of gold.

ED.

Re: [pfSense] Fwd: [Openvpn-announce] New OpenVPN 2.3.10 Windows installers (I604/I003) released

2016-05-11 Thread Jim Pingle
On 05/09/2016 11:45 AM, WebDawg wrote:
> How do we get an update for the export util?

They just released OpenVPN 2.3.11 yesterday, I've pushed out an update
for the export package on pfSense 2.3, might take a bit to sync around
but it'll show up soon.

Jim


[pfSense] 2.3-REL check_reload_status high cpu load

2016-05-11 Thread Olivier Mascia
This is a dual-core CARP HA setup.

Having issues and found out that check_reload_status uses 100%.

last pid: 20560;  load averages:  1.07,  1.01,  0.72    up 0+00:21:38  23:10:20
122 processes: 4 running, 100 sleeping, 18 waiting

Mem: 51M Active, 53M Inact, 112M Wired, 75M Buf, 1745M Free
Swap: 2048M Total, 2048M Free


  PID USERNAME  PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
  299 root      123   20     1K  2504K CPU0    0  15:25 100.00% /usr/local/sbin/check_reload_status
   11 root      155 ki31     0K    32K RUN     0  14:15  60.99% [idle{idle: cpu0}]
   11 root      155 ki31     0K    32K RUN     1  13:08  42.97% [idle{idle: cpu1}]
    0 root      -16    -     0K   192K swapin  0   0:25   0.00% [kernel{swapper}]
    4 root      -16    -     0K    32K -       0   0:01   0.00% [cam{scanner}]
   12 root      -60    -     0K   288K WAIT    1   0:00   0.00% [intr{swi4: clock}]
35889 root       20    0   101M  8312K select  0   0:00   0.00% /usr/local/bin/vmtoolsd -c /usr/local/shar
   12 root      -92    -     0K   288K WAIT    0   0:00   0.00% [intr{irq256: vmx0}]
41215 root       21    0   262M 36564K piperd  0   0:00   0.00% php-fpm: pool nginx (php-fpm)
    7 root      -16    -     0K    16K pftm    0   0:00   0.00% [pf purge]
   15 root      -16    -     0K    16K -       1   0:00   0.00% [rand_harvestq]
82176 root       20    0 46196K  8284K kqread  1   0:00   0.00% nginx: worker process (nginx)
    4 root      -16    -     0K    32K -       0   0:00   0.00% [cam{doneq0}]
82987 root       52   20 17000K  2592K wait    1   0:00   0.00% /bin/sh /var/db/rrd/updaterrd.sh
   12 root      -92    -     0K   288K WAIT    1   0:00   0.00% [intr{irq257: vmx1}]
52990 unbound    20    0 43084K 18676K kqread  1   0:00   0.00% /usr/local/sbin/unbound -c /var/unbound/un
54788 root       20    0 30140K 17968K select  1   0:00   0.00% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.c
41400 root       20    0 15012K  2220K nanslp  0   0:00   0.00% [dpinger{dpinger}]

See ps uxawww below sig.
What to look for?
What to test?
What to dump or log to narrow the issue?

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om

ps uxawww

USER     PID  %CPU %MEM    VSZ   RSS TT  STAT STARTED      TIME COMMAND
root      11 101.0  0.0      0    32  -  RL   10:48PM  22:34.31 [idle]
root     299 100.0  0.1      1  2504  -  RNs  10:48PM  10:36.06 /usr/local/sbin/check_reload_status
root       0   0.0  0.0      0   192  -  DLs  10:48PM   0:00.00 [kernel]
root       1   0.0  0.0   9136   788  -  ILs  10:48PM   0:00.00 /sbin/init --
root       2   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [crypto]
root       3   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [crypto returns]
root       4   0.0  0.0      0    32  -  DL   10:48PM   0:00.06 [cam]
root       5   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [mpt_recovery0]
root       6   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [fdc0]
root       7   0.0  0.0      0    16  -  DL   10:48PM   0:00.17 [pf purge]
root       8   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [sctp_iterator]
root       9   0.0  0.0      0    32  -  DL   10:48PM   0:00.01 [pagedaemon]
root      10   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [audit]
root      12   0.0  0.0      0   288  -  WL   10:48PM   0:00.78 [intr]
root      13   0.0  0.0      0    32  -  DL   10:48PM   0:00.00 [ng_queue]
root      14   0.0  0.0      0    48  -  DL   10:48PM   0:00.01 [geom]
root      15   0.0  0.0      0    16  -  DL   10:48PM   0:00.11 [rand_harvestq]
root      16   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [vmdaemon]
root      17   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [pagezero]
root      18   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [idlepoll]
root      19   0.0  0.0      0    32  -  DL   10:48PM   0:00.01 [bufdaemon]
root      20   0.0  0.0      0    16  -  DL   10:48PM   0:00.04 [syncer]
root      21   0.0  0.0      0    16  -  DL   10:48PM   0:00.00 [vnlru]
root      51   0.0  0.0      0    16  -  DL   10:48PM   0:00.02 [md0]
root     301   0.0  0.1      1  2288  -  IN   10:48PM   0:00.00 check_reload_status: Monitoring daemon of check_reload_status
root     311   0.0  0.2  13624  4836  -  Is   10:48PM   0:00.01 /sbin/devd -q
root   12668   0.0  0.3  59068  6340  -  Is   10:48PM   0:00.00 /usr/sbin/sshd
root   12740   0.0  0.1  14612  2108  -  Is   10:48PM   0:00.00 /usr/local/sbin/sshlockout_pf 15
root   23356   0.0  0.1  14400  2124  -  S    10:48PM   0:00.01 /usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog
root   23972   0.0  0.1  14516  2316  -  Ss   10:48PM   0:00.04 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /var/etc/syslog.conf
root   25962   0.0  0.1  12268  1872  -  Is   10:48PM   0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
root   26226   0.0  0.1  12268  1884  -  I    10:48PM   0:00.00 minic

Re: [pfSense] Port mapping like reverse proxy

2016-05-11 Thread Dave Warren

On 2016-05-11 06:27, ED Fochler wrote:

> Nope, I don’t think so.  http specifically sends the URL as part of the request 
> so routing can then be done based on host name for virtual hosts on a single 
> server.  I’m not aware of any such mechanism for ssh or RDP, the information 
> just isn’t presented.  You’d need to separate by some network parameter like 
> port or source address …


RDP has a "Gateway" functionality which can accomplish this, but I don't 
know of a way to do this type of task with SSH. On the other hand, one 
could create an SSH daemon that would parse out the username and proxy 
the session forward if needed, or use an SSH tunnel to tunnel through to 
the eventual destination.


This would obviously involve a lot more complexity than is available 
from pfSense.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


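Both ED Fochler's reply and Dave Warren's reply above turn on the same question: what does a proxy sitting on a single public port actually see in the first bytes a client sends, and does any of it name the internal host the client wanted? The following is an added example, not code from the thread, from pfSense or from any of the posters. It constructs one first packet per protocol and extracts whatever routing key exists: the HTTP Host header, the TLS server_name (SNI) extension, nothing for SSH (only a version banner), and for RDP the X.224 Connection Request's mstshash cookie, which carries a user name rather than a destination. The host names, the user name `alice` and all function names are assumptions made for the example.

```python
"""Added example, not from the thread or from pfSense: what a single-port
demultiplexer can learn from the first bytes a client sends.  HTTP carries
a Host header and TLS a server_name (SNI) extension, so those can be routed
by name.  An SSH client sends only a version banner, and an RDP client's
X.224 Connection Request carries at most a username cookie, so neither tells
a proxy which internal host the client meant.  All packets below are
constructed in this file; the host names and the user name are assumptions.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record whose only extension is SNI."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry          # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data    # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32             # client_version, random (constructed)
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def http_host(data):
    """Return the Host header of a plaintext HTTP request, else None."""
    if not data.startswith(HTTP_METHODS):
        return None
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(data):
    """Return the SNI host name from a TLS ClientHello record, else None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 43                                   # record hdr 5 + hs hdr 4 + version 2 + random 32
        pos += 1 + data[pos]                       # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                       # compression methods
        end = min(pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0], len(data))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:           # ServerNameList: len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):             # truncated or malformed input
        return None
    return None


def rdp_cookie_user(data):
    """For an X.224 Connection Request (RDP's first packet, in a TPKT frame),
    return the mstshash cookie user name, '' if absent, None if not RDP."""
    if len(data) < 11 or data[0:2] != b"\x03\x00" or data[5] != 0xE0:
        return None
    marker = b"Cookie: mstshash="
    start = data.find(marker)
    if start < 0:
        return ""
    start += len(marker)
    end = data.find(b"\r\n", start)
    return data[start:end if end >= 0 else len(data)].decode("ascii", "replace")


def classify(data):
    """Return (protocol, routing_name); routing_name is None when the first
    bytes name nothing a proxy could route on."""
    if data.startswith(b"SSH-"):
        return ("ssh", None)          # banner names the software, not a destination
    host = http_host(data)
    if host is not None:
        return ("http", host)
    sni = tls_sni(data)
    if sni is not None:
        return ("tls", sni)
    if rdp_cookie_user(data) is not None:
        return ("rdp", None)          # cookie holds a user name, not a host
    return ("unknown", None)


# Constructed sample first packets, one per protocol.
SAMPLES = {
    "http": b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\nUser-Agent: x\r\n\r\n",
    "tls": build_client_hello("intranet.example.com"),
    "ssh": b"SSH-2.0-OpenSSH_7.2\r\n",
    # TPKT(4) + X.224 CR(7) + cookie(24) + rdpNegReq(8) = 43 bytes = 0x2b
    "rdp": (b"\x03\x00\x00\x2b\x26\xe0\x00\x00\x00\x00\x00"
            b"Cookie: mstshash=alice\r\n"
            b"\x01\x00\x08\x00\x03\x00\x00\x00"),
}

if __name__ == "__main__":
    for proto, packet in SAMPLES.items():
        print(proto, "->", classify(packet))
```

Running it shows the asymmetry the two replies describe: the HTTP and TLS samples yield `intranet.example.com`, the SSH sample yields nothing, and the RDP sample yields only `alice`. That also bounds Dave's idea of an SSH daemon that "parses out the username": in SSH the user name is sent in the userauth exchange, after key exchange and inside the encrypted session, so such a front end would have to terminate SSH itself with its own host key rather than peek at the bytes and forward them.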