Re: [pfSense] DHCP client on WAN flapping
[2.3.2-RELEASE][admin@pfbox.local]/root: cat /opt/all.log
Sep 9 13:25:36 pfbox syslogd: kernel boot file is /boot/kernel/kernel
Sep 9 13:25:45 pfbox pfbox.local nginx: 2016/09/09 13:25:45 [error] 19932#100170: send() failed (54: Connection reset by peer)
Sep 9 13:26:31 pfbox check_reload_status: Syncing firewall
Sep 9 13:26:35 pfbox check_reload_status: Linkup starting igb1
Sep 9 13:26:35 pfbox kernel: igb1: link state changed to DOWN
Sep 9 13:26:36 pfbox php-fpm[75081]: /rc.linkup: DEVD Ethernet detached event for wan
Sep 9 13:26:36 pfbox check_reload_status: Reloading filter
Sep 9 13:26:37 pfbox xinetd[10864]: Starting reconfiguration
Sep 9 13:26:37 pfbox xinetd[10864]: Swapping defaults
Sep 9 13:26:37 pfbox xinetd[10864]: readjusting service 6969-udp
Sep 9 13:26:37 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep 9 13:26:40 pfbox kernel: igb1: link state changed to UP
Sep 9 13:26:40 pfbox check_reload_status: Linkup starting igb1
Sep 9 13:26:40 pfbox check_reload_status: rc.newwanip starting igb1
Sep 9 13:26:40 pfbox php-fpm[69947]: /interfaces.php: ROUTING: setting default route to 73.241.114.1
Sep 9 13:26:40 pfbox check_reload_status: Restarting ipsec tunnels
Sep 9 13:26:41 pfbox php-fpm[75081]: /rc.linkup: DEVD Ethernet attached event for wan
Sep 9 13:26:41 pfbox php-fpm[75081]: /rc.linkup: HOTPLUG: Configuring interface wan
Sep 9 13:26:41 pfbox kernel: igb1: link state changed to DOWN
Sep 9 13:26:41 pfbox check_reload_status: Linkup starting igb1
Sep 9 13:26:41 pfbox php-fpm[90271]: /rc.newwanip: rc.newwanip: Info: starting on igb1.
Sep 9 13:26:41 pfbox php-fpm[90271]: /rc.newwanip: rc.newwanip: on (IP address: ) (interface: WAN[wan]) (real interface: igb1).
Sep 9 13:26:41 pfbox php-fpm[90271]: /rc.newwanip: rc.newwanip: Failed to update wan IP, restarting...
Sep 9 13:26:41 pfbox check_reload_status: Configuring interface wan
Sep 9 13:26:42 pfbox check_reload_status: updating dyndns wan
Sep 9 13:26:42 pfbox php-fpm[92780]: /rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf igb1 > /tmp/igb1_output 2> /tmp/igb1_error_output' returned exit code '1', the output was ''
Sep 9 13:26:44 pfbox check_reload_status: Reloading filter
Sep 9 13:26:44 pfbox php-fpm[69947]: /interfaces.php: Creating rrd update script
Sep 9 13:26:45 pfbox xinetd[10864]: Starting reconfiguration
Sep 9 13:26:45 pfbox xinetd[10864]: Swapping defaults
Sep 9 13:26:45 pfbox xinetd[10864]: readjusting service 6969-udp
Sep 9 13:26:45 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep 9 13:26:46 pfbox kernel: igb1: link state changed to UP
Sep 9 13:26:46 pfbox check_reload_status: Linkup starting igb1
Sep 9 13:26:46 pfbox check_reload_status: rc.newwanip starting igb1
Sep 9 13:26:46 pfbox php-fpm[75081]: /rc.linkup: ROUTING: setting default route to 73.241.114.1
Sep 9 13:26:46 pfbox check_reload_status: Restarting ipsec tunnels
Sep 9 13:26:47 pfbox php-fpm[22042]: /rc.newwanip: rc.newwanip: Info: starting on igb1.
Sep 9 13:26:47 pfbox php-fpm[22042]: /rc.newwanip: rc.newwanip: on (IP address: 73.241.XXX.XXX) (interface: WAN[wan]) (real interface: igb1).
Sep 9 13:26:47 pfbox xinetd[10864]: Starting reconfiguration
Sep 9 13:26:47 pfbox xinetd[10864]: Swapping defaults
Sep 9 13:26:47 pfbox xinetd[10864]: readjusting service 6969-udp
Sep 9 13:26:47 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep 9 13:26:48 pfbox php-fpm[22042]: /rc.newwanip: ROUTING: setting default route to 73.241.114.1
Sep 9 13:26:49 pfbox check_reload_status: updating dyndns wan
Sep 9 13:26:49 pfbox check_reload_status: Reloading filter
Sep 9 13:26:49 pfbox php-fpm[90271]: /rc.linkup: DEVD Ethernet detached event for wan
Sep 9 13:26:49 pfbox php-fpm[22042]: /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1473452809] unbound[35411:0] error: bind: address already in use [1473452809] unbound[35411:0] fatal error: could not open ports'
Sep 9 13:26:50 pfbox check_reload_status: Reloading filter
Sep 9 13:26:50 pfbox php-fpm[92780]: /rc.linkup: DEVD Ethernet attached event for wan
Sep 9 13:26:50 pfbox php-fpm[92780]: /rc.linkup: HOTPLUG: Configuring interface wan
Sep 9 13:26:50 pfbox check_reload_status: Linkup starting igb1
Sep 9 13:26:50 pfbox kernel: igb1: link state changed to DOWN
Sep 9 13:26:50 pfbox xinetd[10864]: Starting reconfiguration
Sep 9 13:26:50 pfbox xinetd[10864]: Swapping defaults
Sep 9 13:26:50 pfbox xinetd[10864]: readjusting service 6969-udp
Sep 9 13:26:50 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep 9 13:26:50 pfbox php-fpm[22042]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Sep 9 13:26:50 pfbox php-fpm[22042]: /rc.newwanip: Creating rrd update script
Sep 9 13:26:50 pfbox kernel: arpresolve: can't allocate llinfo for 73.241.114.1 on igb1
Sep 9 13:26:50 pfbox kernel: arpresolve:
[pfSense] DHCP client on WAN flapping
I can't enable dhcp on my WAN interface, or it starts flapping. From the logs it looks like different services are stepping on each other, causing the connection to flap, but I can't make heads or tails of any of it. Been trying to figure this out for months, so my eyes go cross-eyed every time I have to deal with it at this point.

All I can do is copy the addresses from the lease file into a static config, which only works as long as Comcast (w/ Moto 6141 modem) sees fit to let me keep an IP.

I appreciate any help anybody can give. I've attached a log file combined from system.log and dhcpd.log. The log starts at the point where I select DHCP in the WAN interface page and hit apply, and ends when I disable the interface.

Thanks again

--
Jason E Belich
ja...@belich.com

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )
Touché.

> On Sep 9, 2016, at 9:48 AM, Jim Thompson wrote:
>
>> On Sep 9, 2016, at 8:49 AM, Ryan Coleman wrote:
>>
>>> On Sep 8, 2016, at 10:37 PM, Jim Thompson wrote:
>>>
>>>> On Sep 8, 2016, at 10:30 PM, Ryan Coleman wrote:
>>>>
>>>>> On Sep 8, 2016, at 9:14 PM, Jim Thompson wrote:
>>>>>
>>>>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife wrote:
>>>>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server version in pfSense 2.3+).
>>>>>
>>>>> you could say, "Thank you". I drove the old crud out.
>>>>
>>>> You could say “you’re welcome” but… I know you’re not capable :)
>>>
>>> Thank you, Ryan.
>>>
>>> It was a bit of a tussle with some of the other team members. I still believe it was the correct decision.
>>>
>>> And, "you're welcome", for whatever I've done that might have been useful to you.
>>
>> At least I know we can laugh at each other, right? :)
>
> "With" is one thing.
> "At" is quite another.
>
> Jim
Re: [pfSense] nat or routing?
:-|

I'm so sorry Moshe and Steve :-(

an old route config on server was the problem

many thanks for help!!!

Pol
Re: [pfSense] nat or routing?
> From your traceroute results, this looks like it might be related to your switch(es).

it's a simple 10/100 switch unmanaged

LAN1 rules

protocol  source     port  dest        port  gw
*         *          *     LAN1 addr.  80    *
ipv4      lan1 net   *     lan2 net    *     *
ipv4      lan1 net   *     *           *     *

LAN2 rules

protocol  source     port  dest        port  gw
ipv4      LAN2 net   *     lan1 net    *     *

/sbin/ifconfig
wlan0: flags=4163  mtu 1500
        inet 192.168.10.15  netmask 255.255.255.0  broadcast 192.168.10.255

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.250  0.0.0.0         UG    600    0        0 wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     600    0        0 wlan0
Re: [pfSense] nat or routing?
In Status/System Logs/Settings check the "Log packets matched from the default block rules in the ruleset" option and see if the firewall log shows blocked packets.

Are the interfaces set to block private networks, since you are using those on all interfaces?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pol Hallen
Sent: Friday, September 9, 2016 10:53 AM
To: pfSense Support and Discussion Mailing List; mo...@ymkatz.net
Subject: Re: [pfSense] nat or routing?

Hi Moshe,

thanks for all your advice about security :-) Very kind!

> All you need to do is create rules on each LAN interface that allow
> incoming traffic from the other LAN.
>
>    - Rule on LAN1 interface:
>       - Action: "Pass"
>       - Source: "LAN1 net"
>       - Destination: "LAN2 net"
>    - Rule on LAN2 interface:
>       - Action: "Pass"
>       - Source: "LAN2 net"
>       - Destination: "LAN1 net"

some problem:

I can ping lan1 from lan2 (and vice-versa) but traceroute doesn't work and if I try to connect to local webserver no reply.

Any idea to solve the problem?

thanks for help!

Pol
Re: [pfSense] nat or routing?
Hi Moshe,

thanks for all your advice about security :-) Very kind!

> All you need to do is create rules on each LAN interface that allow
> incoming traffic from the other LAN.
>
>    - Rule on LAN1 interface:
>       - Action: "Pass"
>       - Source: "LAN1 net"
>       - Destination: "LAN2 net"
>    - Rule on LAN2 interface:
>       - Action: "Pass"
>       - Source: "LAN2 net"
>       - Destination: "LAN1 net"

some problem:

I can ping lan1 from lan2 (and vice-versa) but traceroute doesn't work and if I try to connect to local webserver no reply.

Any idea to solve the problem?

thanks for help!

Pol
Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )
> On Sep 9, 2016, at 8:49 AM, Ryan Coleman wrote:
>
>> On Sep 8, 2016, at 10:37 PM, Jim Thompson wrote:
>>
>>> On Sep 8, 2016, at 10:30 PM, Ryan Coleman wrote:
>>>
>>>> On Sep 8, 2016, at 9:14 PM, Jim Thompson wrote:
>>>>
>>>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife wrote:
>>>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server version in pfSense 2.3+).
>>>>
>>>> you could say, "Thank you". I drove the old crud out.
>>>
>>> You could say “you’re welcome” but… I know you’re not capable :)
>>
>> Thank you, Ryan.
>>
>> It was a bit of a tussle with some of the other team members. I still believe it was the correct decision.
>>
>> And, "you're welcome", for whatever I've done that might have been useful to you.
>
> At least I know we can laugh at each other, right? :)

"With" is one thing.
"At" is quite another.

Jim
Re: [pfSense] nat or routing?
Pol,

In this case, all you should need is the appropriate firewall rules (and simple routing). NAT is not required, and would actually complicate your setup.

If your pfSense is already set up as the gateway for each LAN, then no additional routing setup is required.

All you need to do is create rules on each LAN interface that allow incoming traffic from the other LAN.

Here are some example rules that permit all traffic between the two LANs. *If you want to keep your LANs separate for security reasons, you should not use these rules. You should use rules that only allow the services that you need.*

   - Rule on LAN1 interface:
      - Action: "Pass"
      - Source: "LAN1 net"
      - Destination: "LAN2 net"
   - Rule on LAN2 interface:
      - Action: "Pass"
      - Source: "LAN2 net"
      - Destination: "LAN1 net"

If you know that you only need certain IP addresses (i.e. just the servers) and/or certain ports (e.g. web, ftp, ssh, etc.) to be open, you should limit to those ports. If you have multiple servers that should have the same rules, you can create aliases to make the rules easier to manage.

Here is an example of a portion of the rules we use on our guest WiFi network (our LAN3) to allow users of that WiFi to access services on our servers:

   - IP alias named "HostsWebAllowedFromWifi":
      - Server IPs on LAN1
   - Ports alias named "PortsWebAllowedFromWifi"
      - 80
      - 443
   - IP alias named "HostsSSHAllowedFromWifi"
      - Server IPs on LAN1
   - Ports alias named "PortsSSHAllowedFromWifi"
      - 22
      - (A secret alternate SSH port that most of our servers use)
   - Rule on LAN3 interface (our guest WiFi):
      - Action: "Pass"
      - Source: "LAN3 net"
      - Destination: "HostsWebAllowedFromWifi"
      - Destination Port Range: "PortsWebAllowedFromWifi"
   - Rule on LAN3 interface (our guest WiFi):
      - Action: "Pass"
      - Source: "LAN3 net"
      - Destination: "HostsSSHAllowedFromWifi"
      - Destination Port Range: "PortsSSHAllowedFromWifi"

Hope that helps,
Moshe

--
Moshe Katz
--
mo...@ymkatz.net
--
+1(301)867-3732

On Fri, Sep 9, 2016 at 9:01 AM, Pol Hallen wrote:

> Hi all :-)
>
> I need to allow traffic from lan1 and lan2 and vice-versa
>
> wan has 192.168.5.0/30
> lan1 has 192.168.10.0/24
> lan2 has 192.168.1.0/24
>
> wan <---> lan1 <---> switch <---> server <---> clients (same network)
> lan2 <---> switch <---> server <---> clients (same network)
>
> do I need to use NAT (which one?) or only PF rules?
>
> How allow lan1 and lan2 to communicate?
>
> ping between lan1 and lan2 works but traceroute no :-/
>
> thanks for help!
>
> Pol
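The two rule sets in Moshe's reply (the permissive LAN1/LAN2 pair and the alias-restricted guest-WiFi rules) written out as a hand-written pf.conf, added here as an illustration and not taken from the thread or from the ruleset pfSense itself generates. The interface names, the LAN3 network and the server addresses are assumed; the LAN1/LAN2 networks are the ones Pol posted, and 2222 is a constructed stand-in for the alternate SSH port.

```pf
# Assumed interface names and LAN3 network (not stated in the thread);
# LAN1/LAN2 networks are the ones from Pol's original post.
lan1_if  = "igb2"
lan2_if  = "igb3"
lan3_if  = "igb4"
lan1_net = "192.168.10.0/24"
lan2_net = "192.168.1.0/24"
lan3_net = "192.168.30.0/24"

# A pfSense "IP alias" maps to a pf table; a "Ports alias" to a macro
# holding a port list. Server addresses below are constructed samples.
table <HostsWebAllowedFromWifi> { 192.168.10.10, 192.168.10.11 }
table <HostsSSHAllowedFromWifi> { 192.168.10.10 }
PortsWebAllowedFromWifi = "{ 80, 443 }"
PortsSSHAllowedFromWifi = "{ 22, 2222 }"   # 2222 stands in for the alternate port

# Permissive variant: LAN1 <-> LAN2 pass-all, acceptable only when both LANs
# are one trust zone. Each direction needs one rule on its ingress interface;
# replies ride the state entry, so nothing is needed on the egress side and
# no NAT is involved.
pass in quick on $lan1_if inet from $lan1_net to $lan2_net keep state \
    label "USER_RULE: LAN1 to LAN2"
pass in quick on $lan2_if inet from $lan2_net to $lan1_net keep state \
    label "USER_RULE: LAN2 to LAN1"

# Least-privilege variant for guest WiFi (LAN3): only the listed servers on
# the listed TCP ports. Anything else from LAN3 toward LAN1 falls through to
# the explicit logged block, so misses are visible in the firewall log.
pass in quick on $lan3_if inet proto tcp from $lan3_net \
    to <HostsWebAllowedFromWifi> port $PortsWebAllowedFromWifi \
    flags S/SA keep state label "USER_RULE: guest WiFi to web servers"
pass in quick on $lan3_if inet proto tcp from $lan3_net \
    to <HostsSSHAllowedFromWifi> port $PortsSSHAllowedFromWifi \
    flags S/SA keep state label "USER_RULE: guest WiFi to SSH servers"
block in log quick on $lan3_if inet from $lan3_net to $lan1_net \
    label "USER_RULE: guest WiFi default deny to LAN1"
```

On a pfSense box the generated equivalent of the GUI rules can be compared against this in /tmp/rules.debug after applying them.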
Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )
> On Sep 8, 2016, at 10:37 PM, Jim Thompson wrote:
>
>> On Sep 8, 2016, at 10:30 PM, Ryan Coleman wrote:
>>
>>> On Sep 8, 2016, at 9:14 PM, Jim Thompson wrote:
>>>
>>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife wrote:
>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server version in pfSense 2.3+).
>>>
>>> you could say, "Thank you". I drove the old crud out.
>>
>> You could say “you’re welcome” but… I know you’re not capable :)
>
> Thank you, Ryan.
>
> It was a bit of a tussle with some of the other team members. I still believe it was the correct decision.
>
> And, "you're welcome", for whatever I've done that might have been useful to you.

At least I know we can laugh at each other, right? :)