Re: [pfSense] DHCP client on WAN flapping

2016-09-09 Thread Jason Belich
[2.3.2-RELEASE][admin@pfbox.local]/root: cat /opt/all.log
Sep  9 13:25:36 pfbox syslogd: kernel boot file is /boot/kernel/kernel
Sep  9 13:25:45 pfbox pfbox.local nginx: 2016/09/09 13:25:45 [error] 19932#100170: send() failed (54: Connection reset by peer)
Sep  9 13:26:31 pfbox check_reload_status: Syncing firewall
Sep  9 13:26:35 pfbox check_reload_status: Linkup starting igb1
Sep  9 13:26:35 pfbox kernel: igb1: link state changed to DOWN
Sep  9 13:26:36 pfbox php-fpm[75081]: /rc.linkup: DEVD Ethernet detached event for wan
Sep  9 13:26:36 pfbox check_reload_status: Reloading filter
Sep  9 13:26:37 pfbox xinetd[10864]: Starting reconfiguration
Sep  9 13:26:37 pfbox xinetd[10864]: Swapping defaults
Sep  9 13:26:37 pfbox xinetd[10864]: readjusting service 6969-udp
Sep  9 13:26:37 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep  9 13:26:40 pfbox kernel: igb1: link state changed to UP
Sep  9 13:26:40 pfbox check_reload_status: Linkup starting igb1
Sep  9 13:26:40 pfbox check_reload_status: rc.newwanip starting igb1
Sep  9 13:26:40 pfbox php-fpm[69947]: /interfaces.php: ROUTING: setting default route to 73.241.114.1
Sep  9 13:26:40 pfbox check_reload_status: Restarting ipsec tunnels
Sep  9 13:26:41 pfbox php-fpm[75081]: /rc.linkup: DEVD Ethernet attached event for wan
Sep  9 13:26:41 pfbox php-fpm[75081]: /rc.linkup: HOTPLUG: Configuring interface wan
Sep  9 13:26:41 pfbox kernel: igb1: link state changed to DOWN
Sep  9 13:26:41 pfbox check_reload_status: Linkup starting igb1
Sep  9 13:26:41 pfbox php-fpm[90271]: /rc.newwanip: rc.newwanip: Info: starting on igb1.
Sep  9 13:26:41 pfbox php-fpm[90271]: /rc.newwanip: rc.newwanip: on (IP address: ) (interface: WAN[wan]) (real interface: igb1).
Sep  9 13:26:41 pfbox php-fpm[90271]: /rc.newwanip: rc.newwanip: Failed to update wan IP, restarting...
Sep  9 13:26:41 pfbox check_reload_status: Configuring interface wan
Sep  9 13:26:42 pfbox check_reload_status: updating dyndns wan
Sep  9 13:26:42 pfbox php-fpm[92780]: /rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf igb1 > /tmp/igb1_output 2> /tmp/igb1_error_output' returned exit code '1', the output was ''
Sep  9 13:26:44 pfbox check_reload_status: Reloading filter
Sep  9 13:26:44 pfbox php-fpm[69947]: /interfaces.php: Creating rrd update script
Sep  9 13:26:45 pfbox xinetd[10864]: Starting reconfiguration
Sep  9 13:26:45 pfbox xinetd[10864]: Swapping defaults
Sep  9 13:26:45 pfbox xinetd[10864]: readjusting service 6969-udp
Sep  9 13:26:45 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep  9 13:26:46 pfbox kernel: igb1: link state changed to UP
Sep  9 13:26:46 pfbox check_reload_status: Linkup starting igb1
Sep  9 13:26:46 pfbox check_reload_status: rc.newwanip starting igb1
Sep  9 13:26:46 pfbox php-fpm[75081]: /rc.linkup: ROUTING: setting default route to 73.241.114.1
Sep  9 13:26:46 pfbox check_reload_status: Restarting ipsec tunnels
Sep  9 13:26:47 pfbox php-fpm[22042]: /rc.newwanip: rc.newwanip: Info: starting on igb1.
Sep  9 13:26:47 pfbox php-fpm[22042]: /rc.newwanip: rc.newwanip: on (IP address: 73.241.XXX.XXX) (interface: WAN[wan]) (real interface: igb1).
Sep  9 13:26:47 pfbox xinetd[10864]: Starting reconfiguration
Sep  9 13:26:47 pfbox xinetd[10864]: Swapping defaults
Sep  9 13:26:47 pfbox xinetd[10864]: readjusting service 6969-udp
Sep  9 13:26:47 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep  9 13:26:48 pfbox php-fpm[22042]: /rc.newwanip: ROUTING: setting default route to 73.241.114.1
Sep  9 13:26:49 pfbox check_reload_status: updating dyndns wan
Sep  9 13:26:49 pfbox check_reload_status: Reloading filter
Sep  9 13:26:49 pfbox php-fpm[90271]: /rc.linkup: DEVD Ethernet detached event for wan
Sep  9 13:26:49 pfbox php-fpm[22042]: /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1473452809] unbound[35411:0] error: bind: address already in use [1473452809] unbound[35411:0] fatal error: could not open ports'
Sep  9 13:26:50 pfbox check_reload_status: Reloading filter
Sep  9 13:26:50 pfbox php-fpm[92780]: /rc.linkup: DEVD Ethernet attached event for wan
Sep  9 13:26:50 pfbox php-fpm[92780]: /rc.linkup: HOTPLUG: Configuring interface wan
Sep  9 13:26:50 pfbox check_reload_status: Linkup starting igb1
Sep  9 13:26:50 pfbox kernel: igb1: link state changed to DOWN
Sep  9 13:26:50 pfbox xinetd[10864]: Starting reconfiguration
Sep  9 13:26:50 pfbox xinetd[10864]: Swapping defaults
Sep  9 13:26:50 pfbox xinetd[10864]: readjusting service 6969-udp
Sep  9 13:26:50 pfbox xinetd[10864]: Reconfigured: new=0 old=1 dropped=0 (services)
Sep  9 13:26:50 pfbox php-fpm[22042]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Sep  9 13:26:50 pfbox php-fpm[22042]: /rc.newwanip: Creating rrd update script
Sep  9 13:26:50 pfbox kernel: arpresolve: can't allocate llinfo for 73.241.114.1 on igb1
Sep  9 13:26:50 pfbox kernel: arpresolve: 

[pfSense] DHCP client on WAN flapping

2016-09-09 Thread Jason Belich
I can't enable DHCP on my WAN interface, or it starts flapping.  From the
logs it looks like different services are stepping on each other, causing
the connection to flap, but I can't make heads or tails of any of it.  Been
trying to figure this out for months, so my eyes go cross-eyed every time I
have to deal with it at this point. All I can do is copy the addresses from
the lease file into a static config, which only works as long as Comcast
(w/ Moto 6141 modem) sees fit to let me keep an IP.

I appreciate any help anybody can give. I've attached a log file combined
from system.log and dhcpd.log. The log starts at the point where I select
DHCP in the WAN interface page and hit apply, and ends when I disable the
interface.

Thanks again

--
Jason E Belich
ja...@belich.com
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
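As an added example (not code from the thread or from pfSense), here is a small Python scanner over the system log Jason posted earlier in the thread. It parses the BSD syslog lines, counts igb1 link transitions inside a sliding time window, and pulls out the commands pfSense reported as exiting non-zero (the dhclient exit 1 and unbound's "address already in use"), so the link flap and the services stepping on each other show up as two short summaries instead of a wall of log. The SAMPLE_LOG lines are a subset copied from that log; the year (syslog omits it), the 60-second window and the threshold of three transitions are assumptions.

```python
"""Scan a pfSense system log for WAN link flapping and failed service restarts.

Added example, not code from the thread or from pfSense. SAMPLE_LOG is a
subset of the log posted in the thread; the year, window and threshold
are assumptions.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Sep  9 13:26:35 pfbox kernel: igb1: link state changed to DOWN
Sep  9 13:26:40 pfbox kernel: igb1: link state changed to UP
Sep  9 13:26:41 pfbox kernel: igb1: link state changed to DOWN
Sep  9 13:26:42 pfbox php-fpm[92780]: /rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf igb1 > /tmp/igb1_output 2> /tmp/igb1_error_output' returned exit code '1', the output was ''
Sep  9 13:26:46 pfbox kernel: igb1: link state changed to UP
Sep  9 13:26:49 pfbox php-fpm[22042]: /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1473452809] unbound[35411:0] error: bind: address already in use [1473452809] unbound[35411:0] fatal error: could not open ports'
Sep  9 13:26:50 pfbox kernel: igb1: link state changed to DOWN
Sep  9 13:26:50 pfbox kernel: arpresolve: can't allocate llinfo for 73.241.114.1 on igb1
"""

# BSD syslog line: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
LINK_RE = re.compile(r"^(?P<ifname>[a-z]+\d+): link state changed to (?P<state>UP|DOWN)$")
CMD_RE = re.compile(
    r"The command '(?P<cmd>[^']*)' returned exit code '(?P<code>\d+)', the output was '(?P<out>.*)'$"
)


def parse_line(line, year=2016):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse "Sep  9" to "Sep 9"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def link_transitions(records):
    """Map interface name -> list of (timestamp, state) from kernel link messages."""
    events = defaultdict(list)
    for r in records:
        if r["prog"] != "kernel":
            continue
        m = LINK_RE.match(r["msg"])
        if m:
            events[m["ifname"]].append((r["ts"], m["state"]))
    return events


def max_transitions_in_window(events, window):
    """Largest number of link transitions that fall inside any span of `window`."""
    times = [ts for ts, _ in events]
    best = 0
    for i, start in enumerate(times):
        end = start + window
        best = max(best, sum(1 for t in times[i:] if t <= end))
    return best


def failed_commands(records):
    """Commands pfSense reported as exiting non-zero, with tool name and output."""
    failures = []
    for r in records:
        m = CMD_RE.search(r["msg"])
        if m and int(m["code"]) != 0:
            failures.append({
                "ts": r["ts"],
                "script": r["msg"].split(":", 1)[0],           # e.g. "/rc.newwanip"
                "cmd": os.path.basename(m["cmd"].split()[0]),  # e.g. "unbound"
                "code": int(m["code"]),
                "output": m["out"],
            })
    return failures


def analyze(log_text, flap_threshold=3, window_seconds=60):
    """Summarise link flapping and failed restarts; both thresholds are assumptions."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    events = link_transitions(records)
    window = timedelta(seconds=window_seconds)
    per_iface = {name: max_transitions_in_window(ev, window) for name, ev in events.items()}
    return {
        "link_transitions": {name: len(ev) for name, ev in events.items()},
        "max_in_window": per_iface,
        "flapping": sorted(name for name, n in per_iface.items() if n >= flap_threshold),
        "failures": failed_commands(records),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for name in report["flapping"]:
        print(f"{name}: {report['max_in_window'][name]} link transitions within 60s")
    for f in report["failures"]:
        print(f"{f['ts']:%H:%M:%S} {f['script']} -> {f['cmd']} exit {f['code']}: {f['output'][:60]}")
```

Run it against a full `clog /var/log/system.log` dump and the two lists are what to read first: a high transition count inside one window says the link itself is bouncing, and a failed restart whose output says "address already in use" says an earlier instance of that daemon was still bound when the next rc.newwanip run tried to start another.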


Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )

2016-09-09 Thread Ryan Coleman
Touché.


> On Sep 9, 2016, at 9:48 AM, Jim Thompson  wrote:
> 
> 
> 
>> On Sep 9, 2016, at 8:49 AM, Ryan Coleman  wrote:
>> 
>> 
>>> On Sep 8, 2016, at 10:37 PM, Jim Thompson  wrote:
>>> 
>>> 
>>>> On Sep 8, 2016, at 10:30 PM, Ryan Coleman  wrote:
>>>> 
>>>> 
>>>>> On Sep 8, 2016, at 9:14 PM, Jim Thompson  wrote:
>>>>> 
>>>>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife  wrote:
>>>>> 
>>>>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server
>>>>>> version in pfSense 2.3+).
>>>>> 
>>>>> you could say, "Thank you".  I drove the old crud out.
>>>> 
>>>> You could say “you’re welcome” but… I know you’re not capable :)
>>> 
>>> Thank you, Ryan. 
>>> 
>>> It was a bit of a tussle with some of the other team members. I still 
>>> believe it was the correct decision. 
>>> 
>>> And, "you're welcome", for whatever I've done that might have been useful 
>>> to you.
>> 
>> At least I know we can laugh at each other, right? :)
> 
> 
> "With" is one thing. 
> "At" is quite another. 
> 
> 
> Jim


Re: [pfSense] nat or routing?

2016-09-09 Thread Pol Hallen

:-| I'm so sorry Moshe and Steve :-(

an old route config on server was the problem

many thanks for help!!!

Pol


Re: [pfSense] nat or routing?

2016-09-09 Thread Pol Hallen

> From your traceroute results, this looks like it might be related to your
> switch(es).

it's a simple 10/100 switch unmanaged

LAN1 rules

protocol  source    port  dest        port  gw
*         *         *     LAN1 addr.  80    *
ipv4      lan1 net  *     lan2 net    *     *
ipv4      lan1 net  *     *           *     *

LAN2 rules

protocol  source    port  dest        port  gw
ipv4      LAN2 net  *     lan1 net    *     *

/sbin/ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.15  netmask 255.255.255.0  broadcast 192.168.10.255

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.250  0.0.0.0         UG    600    0        0 wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     600    0        0 wlan0




Re: [pfSense] nat or routing?

2016-09-09 Thread Steve Yates
In Status/System Logs/Settings check the "Log packets matched from the default 
block rules in the ruleset" option and see if the firewall log shows blocked 
packets.

Are the interfaces set to block private networks, since you are using those on 
all interfaces?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pol Hallen
Sent: Friday, September 9, 2016 10:53 AM
To: pfSense Support and Discussion Mailing List ; 
mo...@ymkatz.net
Subject: Re: [pfSense] nat or routing?

Hi Moshe,
thanks for all your advices about security :-) Very kind!

> All you need to do is create rules on each LAN interface that allow 
> incoming traffic from the other LAN.
>
>- Rule on LAN1 interface:
>   - Action: "Pass"
>   - Source: "LAN1 net"
>   - Destination: "LAN2 net"
>- Rule on LAN2 interface:
>   - Action: "Pass"
>   - Source: "LAN2 net"
>   - Destination: "LAN1 net"

some problem: I can ping lan1 from lan2 (and vice-versa) but traceroute doesn't 
work and if I try to connect to local webserver no reply.

Any idea to solve the problem?

thanks for help!

Pol


Re: [pfSense] nat or routing?

2016-09-09 Thread Pol Hallen

Hi Moshe,
thanks for all your advices about security :-) Very kind!


> All you need to do is create rules on each LAN interface that allow
> incoming traffic from the other LAN.
>
>    - Rule on LAN1 interface:
>       - Action: "Pass"
>       - Source: "LAN1 net"
>       - Destination: "LAN2 net"
>    - Rule on LAN2 interface:
>       - Action: "Pass"
>       - Source: "LAN2 net"
>       - Destination: "LAN1 net"


some problem: I can ping lan1 from lan2 (and vice-versa) but traceroute 
doesn't work and if I try to connect to local webserver no reply.


Any idea to solve the problem?

thanks for help!

Pol


Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )

2016-09-09 Thread Jim Thompson


> On Sep 9, 2016, at 8:49 AM, Ryan Coleman  wrote:
> 
> 
>> On Sep 8, 2016, at 10:37 PM, Jim Thompson  wrote:
>> 
>> 
>>> On Sep 8, 2016, at 10:30 PM, Ryan Coleman  wrote:
>>> 
>>> 
>>>> On Sep 8, 2016, at 9:14 PM, Jim Thompson  wrote:
>>>> 
>>>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife  wrote:
>>>> 
>>>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server
>>>>> version in pfSense 2.3+).
>>>> 
>>>> you could say, "Thank you".  I drove the old crud out.
>>> 
>>> You could say “you’re welcome” but… I know you’re not capable :)
>> 
>> Thank you, Ryan. 
>> 
>> It was a bit of a tussle with some of the other team members. I still 
>> believe it was the correct decision. 
>> 
>> And, "you're welcome", for whatever I've done that might have been useful to 
>> you.
> 
> At least I know we can laugh at each other, right? :)


"With" is one thing. 
"At" is quite another. 


Jim

Re: [pfSense] nat or routing?

2016-09-09 Thread Moshe Katz
Pol,

In this case, all you should need is the appropriate firewall rules (and
simple routing). NAT is not required, and would actually complicate your
setup.

If your pfSense is already set up as the gateway for each LAN, then no
additional routing setup is required.

All you need to do is create rules on each LAN interface that allow
incoming traffic from the other LAN.

Here are some example rules that permit all traffic between the two LANs. *If
you want to keep your LANs separate for security reasons, you should not
use these rules. You should use rules that only allow the services that you
need.*

   - Rule on LAN1 interface:
      - Action: "Pass"
      - Source: "LAN1 net"
      - Destination: "LAN2 net"
   - Rule on LAN2 interface:
      - Action: "Pass"
      - Source: "LAN2 net"
      - Destination: "LAN1 net"

If you know that you only need certain IP addresses (i.e. just the servers)
and/or certain ports (e.g. web, ftp, ssh, etc.) to be open, you should
limit to those ports. If you have multiple servers that should have the
same rules, you can create aliases to make the rules easier to manage.

Here is an example of a portion of the rules we use on our guest WiFi
network (our LAN3) to allow users of that WiFi to access services on our
servers:

   - IP alias named "HostsWebAllowedFromWifi":
      - Server IPs on LAN1
   - Ports alias named "PortsWebAllowedFromWifi"
      - 80
      - 443
   - IP alias named "HostsSSHAllowedFromWifi"
      - Server IPs on LAN1
   - Ports alias named "PortsSSHAllowedFromWifi"
      - 22
      - (A secret alternate SSH port that most of our servers use)

   - Rule on LAN3 interface (our guest WiFi):
      - Action: "Pass"
      - Source: "LAN3 net"
      - Destination: "HostsWebAllowedFromWifi"
      - Destination Port Range: "PortsWebAllowedFromWifi"
   - Rule on LAN3 interface (our guest WiFi):
      - Action: "Pass"
      - Source: "LAN3 net"
      - Destination: "HostsSSHAllowedFromWifi"
      - Destination Port Range: "PortsSSHAllowedFromWifi"


Hope that helps,

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Fri, Sep 9, 2016 at 9:01 AM, Pol Hallen  wrote:

> Hi all :-)
>
> I need to allow traffic from lan1 and lan2 and vice-versa
>
> wan has 192.168.5.0/30
> lan1 has 192.168.10.0/24
> lan2 has 192.168.1.0/24
>
> wan <---> lan1 <---> switch <---> server <---> clients (same network)
>   lan2 <---> switch <---> server <---> clients (same network)
>
> do I need to use NAT (which one?) or only PF rules?
>
> How allow lan1 and lan2 to communicate?
>
> ping between lan1 and lan2 works but traceroute no :-/
>
> thanks for help!
>
> Pol
>
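The two rule sets Moshe describes, modelled as an added example (not code from the thread or from pfSense) in Python: a first-match, default-deny evaluator over per-interface rules, with the permissive LAN1/LAN2 pair beside the alias-based guest WiFi rules, plus a check that flags any pass rule opening a whole network on every port. The LAN1 and LAN2 subnets come from Pol's post; the LAN3 subnet, the server addresses behind the Hosts* aliases and the alternate SSH port 2222 are assumptions standing in for values the thread does not give.

```python
"""Model pfSense per-interface firewall rules: first match wins, default deny.

Added example, not code from the thread or from pfSense. LAN1 and LAN2 subnets
are from the thread; the LAN3 subnet, server addresses and port 2222 are
assumptions.
"""
import ipaddress
from dataclasses import dataclass

NETS = {
    "LAN1 net": ipaddress.ip_network("192.168.10.0/24"),
    "LAN2 net": ipaddress.ip_network("192.168.1.0/24"),
    "LAN3 net": ipaddress.ip_network("192.168.20.0/24"),   # assumed guest WiFi subnet
}

# Host and port aliases named as in the guest WiFi rules; the members are assumed.
ALIASES = {
    "HostsWebAllowedFromWifi": {"192.168.10.10", "192.168.10.11"},
    "PortsWebAllowedFromWifi": {80, 443},
    "HostsSSHAllowedFromWifi": {"192.168.10.10", "192.168.10.11"},
    "PortsSSHAllowedFromWifi": {22, 2222},   # 2222 stands in for the alternate SSH port
}


@dataclass(frozen=True)
class Rule:
    iface: str            # interface the packet enters on; pfSense evaluates that tab's rules
    action: str           # "pass" or "block"
    src: str              # "any", a net name, an alias name or a literal address
    dst: str
    proto: str = "any"    # "any", "tcp", "udp", "icmp"
    dport: str = "any"    # "any", a port alias name or a literal port


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec in NETS:
        return ip in NETS[spec]
    if spec in ALIASES:
        return str(ip) in ALIASES[spec]
    return ip == ipaddress.ip_address(spec)


def _port_matches(spec, port):
    if spec == "any":
        return True
    if spec in ALIASES:
        return port in ALIASES[spec]
    return port == int(spec)


def evaluate(rules, iface, src, dst, proto="tcp", dport=0):
    """Decide the first packet of a flow entering `iface`.

    pfSense rules are stateful, so the reply direction needs no rule of its
    own; only the initiating packet is evaluated here, top to bottom.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or r.proto not in ("any", proto):
            continue
        if not (_addr_matches(r.src, src_ip) and _addr_matches(r.dst, dst_ip)):
            continue
        if not _port_matches(r.dport, dport):
            continue
        return r.action
    return "block"   # no rule matched: pfSense's implicit default deny


def overly_broad(rules):
    """Pass rules that open a whole network (or anything) on every port."""
    return [r for r in rules
            if r.action == "pass" and r.dport == "any" and (r.dst == "any" or r.dst in NETS)]


# The permissive pair: every host and every port between LAN1 and LAN2.
PERMISSIVE = [
    Rule("LAN1", "pass", "LAN1 net", "LAN2 net"),
    Rule("LAN2", "pass", "LAN2 net", "LAN1 net"),
]

# The alias-based guest WiFi rules: only the listed servers, only web and SSH.
GUEST_WIFI = [
    Rule("LAN3", "pass", "LAN3 net", "HostsWebAllowedFromWifi", "tcp", "PortsWebAllowedFromWifi"),
    Rule("LAN3", "pass", "LAN3 net", "HostsSSHAllowedFromWifi", "tcp", "PortsSSHAllowedFromWifi"),
]

if __name__ == "__main__":
    print(evaluate(PERMISSIVE, "LAN2", "192.168.1.20", "192.168.10.15", "udp", 33434))  # pass
    print(evaluate(GUEST_WIFI, "LAN3", "192.168.20.5", "192.168.10.10", "tcp", 443))    # pass
    print(evaluate(GUEST_WIFI, "LAN3", "192.168.20.5", "192.168.10.10", "tcp", 3306))   # block
    print([r.iface for r in overly_broad(PERMISSIVE)])                                    # ['LAN1', 'LAN2']
```

The evaluator keys on the ingress interface because that is where pfSense applies rules: a LAN2 host opening a connection to LAN1 is decided by the LAN2 tab, and the LAN1 tab never sees the reply. The `overly_broad` check is the automated form of the warning in the reply: it flags both permissive rules and none of the alias-based ones.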


Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )

2016-09-09 Thread Ryan Coleman

> On Sep 8, 2016, at 10:37 PM, Jim Thompson  wrote:
> 
> 
>> On Sep 8, 2016, at 10:30 PM, Ryan Coleman  wrote:
>> 
>> 
>>> On Sep 8, 2016, at 9:14 PM, Jim Thompson  wrote:
>>> 
>>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife  wrote:
>>> 
>>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server
>>>> version in pfSense 2.3+).
>>> 
>>> you could say, "Thank you".  I drove the old crud out.
>> 
>> You could say “you’re welcome” but… I know you’re not capable :)
> 
> Thank you, Ryan. 
> 
> It was a bit of a tussle with some of the other team members. I still believe 
> it was the correct decision. 
> 
> And, "you're welcome", for whatever I've done that might have been useful to 
> you. 


At least I know we can laugh at each other, right? :)

